VM crash with SEGV_MAPERR on dart-fuzz bot

[alexmarkov]

From dart-fuzz bot:

===== CRASH =====
si_signo=Segmentation fault(11), si_code=SEGV_MAPERR(1), si_addr=0x27daadd



-- BEGIN REPRODUCE  --

DART SDK REVISION: 

dart runtime/tools/dartfuzz/dartfuzz.dart --no-fp --no-ffi --flat --seed 656373376 fuzz.dart

-- RUN 1 --

out/ReleaseX64C/dart --profiler --force_evacuation --no_array_bounds_check_elimination --old_gen_heap_size=128 /b/s/w/it31rrdx0s/dart_fuzzUACCYQ/fuzz.dart

-- RUN 2 --

out/DebugSIMARM/dart --profiler --profile_vm=false --profile_vm=false --verify_after_gc --compactor_tasks=2 --no_enable_peephole --inlining_hotness=15 --old_gen_heap_size=128 /b/s/w/it31rrdx0s/dart_fuzzUACCYQ/fuzz.dart

-- END REPRODUCE  --

Log: https://logs.chromium.org/logs/dart/buildbucket/cr-buildbucket/8713113813214013105/+/u/collect_shards/dartfuzz_-_generated_programs_shard_3/task_stdout_stderr:_dartfuzz_-_generated_programs_shard_3

Another dart-fuzz shard crashed differently, but these crashes could be related: #60809 (comment)

[alexmarkov]

The crash is reproducible via

out/DebugSIMARM/dart --profiler --profile_vm=false --profile_vm=false --verify_after_gc --compactor_tasks=2 --no_enable_peephole --inlining_hotness=15 --old_gen_heap_size=128 fuzz.dart

Stack trace from gdb:

Thread 15 "DartWorker" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf0e7fb40 (LWP 1440214)]
dart::ProfilerDartStackWalker::CallerPC (this=0xf0e7d178) at out/DebugSIMARM/../../runtime/vm/profiler.cc:1110
1110	    return reinterpret_cast<uword*>(*caller_pc_ptr);
(gdb) bt
#0  dart::ProfilerDartStackWalker::CallerPC (this=0xf0e7d178) at out/DebugSIMARM/../../runtime/vm/profiler.cc:1110
#1  dart::ProfilerDartStackWalker::walk (this=0xf0e7d178) at out/DebugSIMARM/../../runtime/vm/profiler.cc:1098
#2  0x5902a9c1 in dart::CollectSample (isolate=<optimized out>, exited_dart_code=<optimized out>, in_dart_code=<optimized out>, sample=0xf6b28fc0, native_stack_walker=0xf0e7d140, dart_stack_walker=0xf0e7d178, pc=4025156384, 
    fp=<optimized out>, sp=4131384612, counters=<optimized out>) at ../../buildtools/linux-x64/clang/bin/../include/c++/v1/__atomic/support/c11.h:181
#3  0x5902a80b in dart::Profiler::SampleThread (thread=0x594ed360, state=...) at out/DebugSIMARM/../../runtime/vm/profiler.cc:1469
#4  0x590c2dab in dart::ThreadInterrupterLinux::ThreadInterruptSignalHandler (signal=27, info=0xf0e7d28c, context_=0xf0e7d30c) at out/DebugSIMARM/../../runtime/vm/thread_interrupter_linux.cc:44
#5  <signal handler called>
#6  0x590922ff in dart::Simulator::HandleRList (this=0x594e0b90, instr=0xefeb0320, load=<optimized out>) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:1354
#7  0x5909637f in dart::Simulator::DecodeType4 (instr=<optimized out>, this=<optimized out>) at ../../runtime/vm/constants_arm.h:1295
#8  dart::Simulator::InstructionDecodeImpl (instr=<optimized out>, this=<optimized out>) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3429
#9  dart::Simulator::ExecuteNoTrace (this=0x594e0b90) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3489
#10 0x59097c42 in dart::Simulator::Execute (this=0x594e0b90) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3473
#11 dart::Simulator::Call (this=0x594e0b90, entry=-146261336, parameter0=-270235455, parameter1=-145710623, parameter2=-271981547, parameter3=1498338144, fp_return=<optimized out>, fp_args=<optimized out>)
    at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3615
#12 0x58e4ed36 in dart::InvokeDartCode(unsigned int, dart::Array const&, dart::Array const&, dart::Thread*)::$_0::operator()(unsigned int, unsigned int, unsigned int, dart::Thread*) const (entry_point=<optimized out>, 
    arguments_descriptor=<optimized out>, arguments=4022985749, thread=0x594ed360, this=<optimized out>) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:109
#13 dart::InvokeDartCode (entry_point=<optimized out>, arguments_descriptor=..., arguments=..., thread=0x594ed360) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:117
#14 dart::DartEntry::InvokeFunction (function=..., arguments=..., arguments_descriptor=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:160
#15 0x58e4eb2a in dart::DartEntry::InvokeFunction (function=..., arguments=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:39
#16 0x58e51000 in dart::DartLibraryCalls::InstanceCreate (lib=..., class_name=..., constructor_name=..., arguments=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:625
#17 0x58e77c0a in dart::Exceptions::Create (type=dart::Exceptions::kRange, arguments=...) at out/DebugSIMARM/../../runtime/vm/exceptions.cc:1285
#18 0x58e765dc in dart::Exceptions::ThrowByType (type=dart::Exceptions::kRange, arguments=...) at out/DebugSIMARM/../../runtime/vm/exceptions.cc:1097
#19 0x5904fe50 in dart::DRT_HelperRangeError (zone=<optimized out>, arguments=..., isolate=<optimized out>, thread=<optimized out>) at out/DebugSIMARM/../../runtime/vm/runtime_entry.cc:232
#20 DRT_RangeError (arguments=...) at out/DebugSIMARM/../../runtime/vm/runtime_entry.cc:204
#21 0x590925c8 in dart::Simulator::SupervisorCall (this=0x594e0b90, instr=0x594e581c) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:1438
#22 0x59093e61 in dart::Simulator::DecodeType7 (this=0x594e0b90, instr=0x594e581c) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:2503
#23 0x590963f9 in dart::Simulator::InstructionDecodeImpl (instr=<optimized out>, this=<optimized out>) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3441
#24 dart::Simulator::ExecuteNoTrace (this=0x594e0b90) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3489
#25 0x59097c42 in dart::Simulator::Execute (this=0x594e0b90) at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3473
#26 dart::Simulator::Call (this=0x594e0b90, entry=-146261336, parameter0=-175816055, parameter1=-145710719, parameter2=-171442059, parameter3=1498338144, fp_return=<optimized out>, fp_args=<optimized out>)
    at out/DebugSIMARM/../../runtime/vm/simulator_arm.cc:3615
#27 0x58e4ed36 in dart::InvokeDartCode(unsigned int, dart::Array const&, dart::Array const&, dart::Thread*)::$_0::operator()(unsigned int, unsigned int, unsigned int, dart::Thread*) const (entry_point=<optimized out>, 
    arguments_descriptor=<optimized out>, arguments=4123525237, thread=0x594ed360, this=<optimized out>) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:109
#28 dart::InvokeDartCode (entry_point=<optimized out>, arguments_descriptor=..., arguments=..., thread=0x594ed360) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:117
#29 dart::DartEntry::InvokeFunction (function=..., arguments=..., arguments_descriptor=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:160
#30 0x58e4eb2a in dart::DartEntry::InvokeFunction (function=..., arguments=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:39
#31 0x58e518bf in dart::DartLibraryCalls::HandleMessage (port_id=4689016238103787, message=...) at out/DebugSIMARM/../../runtime/vm/dart_entry.cc:735
#32 0x58e8f971 in dart::IsolateMessageHandler::HandleMessage (this=<optimized out>, message=...) at out/DebugSIMARM/../../runtime/vm/isolate.cc:1539
#33 0x58ed1df0 in dart::MessageHandler::HandleMessages (this=0x594e0a70, ml=0xf0e7f118, allow_normal_messages=<optimized out>, allow_multiple_normal_messages=<optimized out>) at out/DebugSIMARM/../../runtime/vm/message_handler.cc:229
#34 0x58ed2aa3 in dart::MessageHandler::TaskCallback (this=0x594e0a70) at out/DebugSIMARM/../../runtime/vm/message_handler.cc:443
#35 0x58ed3999 in dart::MessageHandlerTask::Run (this=0x594dd080) at out/DebugSIMARM/../../runtime/vm/message_handler.cc:31
#36 0x590c4288 in dart::ThreadPool::WorkerLoop (this=0x594de2c0, worker=0x594dc4e0) at out/DebugSIMARM/../../runtime/vm/thread_pool.cc:207
#37 0x590c4b70 in dart::ThreadPool::Worker::Main (args=1498268896) at out/DebugSIMARM/../../runtime/vm/thread_pool.cc:367
#38 0x590210eb in dart::ThreadStart (data_ptr=0x594dfe30) at out/DebugSIMARM/../../runtime/vm/os_thread_linux.cc:97
#39 0xf7cd2781 in ?? () from /lib/i386-linux-gnu/libc.so.6
#40 0xf7d68df8 in ?? () from /lib/i386-linux-gnu/libc.so.6

Given the location of the crash, this is probably the same as #60810.

/cc @rmacnak-google @bkonyi