DCHECK failure in RegionObservability::kObservable == region_observability_ in effect-control-line
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5764878298775552
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: DCHECK failure
Crash Address:
Crash State:
  RegionObservability::kObservable == region_observability_ in effect-control-line
  v8::platform::PrintStackTrace
  v8::internal::compiler::EffectControlLinearizer::ProcessNode
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=55705:55706
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5764878298775552

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 14
Another Type::None() bug flushed out by the changes to CheckBounds retyping. TurboFan creates this broken subgraph:
=================================================================================================================
48: Branch[None|NoSafetyCheck](47, 198) -> B13, B12
--- BLOCK B12 <- B11 ---
49: IfFalse(48)
Goto -> B14
--- BLOCK B13 <- B11 ---
51: IfTrue(48)
170: Int32Constant[63384]
105: CheckBounds[VectorSlotPair(INVALID)](26, 170, 79, 51)
106: NewSmiOrObjectElements[NotTenured](105, 105, 51)
107: BeginRegion[not-observable](106)
108: Allocate[Any, NotTenured](167, 107, 51)
109: StoreField[tagged base, 0, OtherInternal, kRepTaggedPointer|kTypeAny, MapWriteBarrier](108, 99, 108, 51)
110: StoreField[tagged base, 8, Any, kRepTagged|kTypeAny, NoWriteBarrier](108, 96, 109, 51)
111: StoreField[tagged base, 16, Internal, kRepTaggedPointer|kTypeAny, PointerWriteBarrier](108, 106, 110, 51)
202: Unreachable(111, 51) : None
205: DeadValue[kRepTagged](202) : None
Goto -> B14
--- BLOCK B14 <- B12, B13 ---
50: Merge(49, 51)
61: Phi[kRepTagged](25, 205, 50)
60: EffectPhi(79, 202, 50)
165: TypedStateValues[kRepWord32|kTypeInt32|dense](26)
63: TypedStateValues[kRepTagged|kTypeAny|sparse:^...](61)
64: FrameState[INTERPRETED_FRAME, 56, Ignore, 0x209486da65e9 <SharedFunctionInfo foo>](6, 63, 165, 3, 71, 0)
206: Int32Constant[-2]
62: Checkpoint(64, 60, 50)
65: Int32Add(26, 206)
80: TypeGuard[Range(-2, 1)](65, 62, 50)
161: DeadValue[kRepWord32](80)
Goto -> B7
=================================================================================================================
for this simplified repro:
=================================================================================================================
// Run with: d8 --allow-natives-syntax (needed for the %OptimizeFunctionOnNextCall intrinsic).
function foo() {
  var a = new Array(2);
  // i takes the values 1 and -1; the CheckBounds in the optimized loop body is retyped to None.
  for (var i = 1; i > -1; i = i - 2) {
    if (i < a.length) a = new Array(i);
  }
}
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
=================================================================================================================
Sep 15
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 18
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b6bdd7415c265420dcf7c209d7c6d9d62fbe572a

commit b6bdd7415c265420dcf7c209d7c6d9d62fbe572a
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Tue Sep 18 09:30:26 2018

[turbofan] Fix dead value insertion in simplified lowering.

If type checks in simplified lowering produced dead value (i.e., of type Type::None()), we have only propagated deadness along value edges. With this CL, we also insert an Unreachable node after every effectful node that produces dead value. This is more consistent with dead code elimination, which also inserts unreachable nodes after effectful nodes with value output None.

Bug: chromium:884052
Change-Id: Idcb168461f05f1811b2c9c16ab8ff179b259fbd3
Reviewed-on: https://chromium-review.googlesource.com/1228125
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55987}

[modify] https://crrev.com/b6bdd7415c265420dcf7c209d7c6d9d62fbe572a/src/compiler/simplified-lowering.cc
[add] https://crrev.com/b6bdd7415c265420dcf7c209d7c6d9d62fbe572a/test/mjsunit/compiler/regress-884052.js
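The invariant the failing DCHECK guards, as an added, simplified model written for this page (not V8's code): while a not-observable region is open on the effect chain, only the allocation and its initialising stores may be processed; anything else, such as the Unreachable that dead-value handling appended after StoreField 111 in block B13 above, is rejected. The "fixed" block assumes the Unreachable now directly follows the None-typed effectful node (taken here to be CheckBounds 105), so the region is never opened.

```python
from dataclasses import dataclass


@dataclass
class Node:
    id: int
    op: str
    observable: bool = True  # only meaningful for BeginRegion


# Nodes that may be processed while a not-observable region is open
# (simplification of the real linearizer's rules, constructed for this model).
IN_REGION_OK = {"Allocate", "StoreField", "StoreElement"}


class RegionViolation(Exception):
    """Stands in for DCHECK_EQ(kObservable, region_observability_)."""


def linearize(block):
    """Walk a block in effect order; return the processed node ids or raise
    RegionViolation at the node where the DCHECK would fire."""
    observable = True  # mirrors region_observability_ == kObservable
    processed = []
    for n in block:
        if n.op == "BeginRegion":
            observable = n.observable
        elif n.op == "FinishRegion":
            observable = True
        elif not observable and n.op not in IN_REGION_OK:
            raise RegionViolation(f"node {n.id} {n.op} inside open not-observable region")
        processed.append(n.id)
    return processed


# Block B13 as dumped in the report: BeginRegion 107 is opened but never finished
# because Unreachable 202 was inserted after the last StoreField.
BROKEN_B13 = [
    Node(105, "CheckBounds"), Node(106, "NewSmiOrObjectElements"),
    Node(107, "BeginRegion", observable=False), Node(108, "Allocate"),
    Node(109, "StoreField"), Node(110, "StoreField"), Node(111, "StoreField"),
    Node(202, "Unreachable"),
]

# Assumed shape after the fix: Unreachable follows the dead-valued CheckBounds
# directly, and the now-dead region nodes are gone.
FIXED_B13 = [Node(105, "CheckBounds"), Node(202, "Unreachable")]


def dcheck_fires(block):
    try:
        linearize(block)
    except RegionViolation:
        return True
    return False
```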
Sep 19
ClusterFuzz has detected this issue as fixed in range 55986:55987.

Detailed report: https://clusterfuzz.com/testcase?key=5764878298775552
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: DCHECK failure
Crash Address:
Crash State:
  RegionObservability::kObservable == region_observability_ in effect-control-line
  v8::platform::PrintStackTrace
  v8::internal::compiler::EffectControlLinearizer::ProcessNode
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=55705:55706
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=55986:55987
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5764878298775552

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 19
ClusterFuzz testcase 5764878298775552 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 26
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Sep 14
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)