-fno-tree-fre "fixes" the issue.

g++ -MMD -MF obj/third_party/WebKit/Source/core/layout/webcore_rendering.LayoutObject.o.d -DV8_DEPRECATION_WARNINGS -DCLD_VERSION=2 -D_FILE_OFFSET_BITS=64 -DDISABLE_NACL -DCHROMIUM_BUILD -DUI_COMPOSITOR_IMAGE_TRANSPORT -DUSE_AURA=1 -DUSE_ASH=1 -DUSE_PANGO=1 -DUSE_CAIRO=1 -DUSE_DEFAULT_RENDER_THEME=1 -DUSE_LIBJPEG_TURBO=1 -DUSE_X11=1 -DUSE_CLIPBOARD_AURAX11=1 -DENABLE_ONE_CLICK_SIGNIN -DENABLE_WEBRTC=1 -DENABLE_MEDIA_ROUTER=1 -DUSE_PROPRIETARY_CODECS -DENABLE_PEPPER_CDMS -DENABLE_CONFIGURATION_POLICY -DENABLE_NOTIFICATIONS -DENABLE_HIDPI=1 -DENABLE_TOPCHROME_MD=1 -DUSE_UDEV -DDONT_EMBED_BUILD_METADATA -DFIELDTRIAL_TESTING_ENABLED -DENABLE_TASK_MANAGER=1 -DENABLE_EXTENSIONS=1 -DENABLE_PDF=1 -DENABLE_PLUGINS=1 -DENABLE_SESSION_SERVICE=1 -DENABLE_THEMES=1 -DENABLE_AUTOFILL_DIALOG=1 -DENABLE_BACKGROUND=1 -DENABLE_PRINTING=1 -DENABLE_BASIC_PRINTING=1 -DENABLE_PRINT_PREVIEW=1 -DENABLE_SPELLCHECK=1 -DENABLE_CAPTIVE_PORTAL_DETECTION=1 -DENABLE_APP_LIST=1 -DENABLE_SETTINGS_APP=1 -DENABLE_SUPERVISED_USERS=1 -DENABLE_MDNS=1 -DENABLE_SERVICE_DISCOVERY=1 -DV8_USE_EXTERNAL_STARTUP_DATA -DFULL_SAFE_BROWSING -DSAFE_BROWSING_CSD -DSAFE_BROWSING_DB_LOCAL -DGL_GLEXT_PROTOTYPES -DBLINK_IMPLEMENTATION=1 -DINSIDE_BLINK -DENABLE_LAYOUT_UNIT_IN_INLINE_BOXES=0 -DWTF_USE_CONCATENATED_IMPULSE_RESPONSES=1 -DENABLE_INPUT_MULTIPLE_FIELDS_UI=1 -DENABLE_WEB_AUDIO=1 -DWTF_USE_WEBAUDIO_FFMPEG=1 -DWTF_USE_DEFAULT_RENDER_THEME=1 -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DU_STATIC_IMPLEMENTATION -DSK_SUPPORT_GPU=1 -DSK_IGNORE_LINEONLY_AA_CONVEX_PATH_OPTS -DCHROME_PNG_WRITE_SUPPORT -DPNG_USER_CONFIG -DLIBXML_STATIC -DLIBXSLT_STATIC -DUSE_LIBPCI=1 -DUSE_OPENSSL=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -D_FORTIFY_SOURCE=2 -Igen -I../.. -I../../skia/config -I../../third_party/WebKit/Source -I../../third_party/khronos -I../../gpu -Igen/angle -Igen/blink -I../../third_party/angle/include -I../../third_party/ffmpeg -I../../third_party/icu/source/i18n -I../../third_party/icu/source/common -I../../third_party/WebKit -I../../third_party/skia/include/core -I../../third_party/skia/include/effects -I../../third_party/skia/include/pdf -I../../third_party/skia/include/gpu -I../../third_party/skia/include/lazy -I../../third_party/skia/include/pathops -I../../third_party/skia/include/pipe -I../../third_party/skia/include/ports -I../../third_party/skia/include/utils -I../../skia/ext -I../../third_party/iccjpeg -I../../third_party/libpng -I../../third_party/libwebp -I../../third_party/libxml/linux/include -I../../third_party/libxml/src/include -I../../third_party/libxslt -I../../third_party/npapi -I../../third_party/npapi/bindings -I../../third_party/ots/include -I../../third_party/qcms/src -I../../third_party/zlib -I../../v8/include -fstack-protector --param=ssp-buffer-size=4 -pthread -fno-strict-aliasing -Wall -Wno-unused-parameter -Wno-missing-field-initializers -fvisibility=hidden -pipe -fPIC -Wno-unused-local-typedefs -fno-strict-aliasing -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/harfbuzz -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -m64 -march=x86-64 -O3 -fno-ident -fdata-sections -ffunction-sections -funwind-tables -fno-exceptions -fno-rtti -fno-threadsafe-statics -fvisibility-inlines-hidden -Wsign-compare -Wno-c++0x-compat -std=gnu++11 -Wno-narrowing -Wno-literal-suffix -c ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp -o obj/third_party/WebKit/Source/core/layout/webcore_rendering.LayoutObject.o 

Also gets miscompiled:

Program received signal SIGSEGV, Segmentation fault.
0x0000555558ad00a5 in blink::LayoutObject::isDescendantOf(blink::LayoutObject const*) const ()
(gdb) bt
#0  0x0000555558ad00a5 in blink::LayoutObject::isDescendantOf(blink::LayoutObject const*) const ()
#1  0x0000555558b60790 in blink::CompositedLayerMapping::containingSquashedLayer(blink::LayoutObject const*, unsigned int) ()
#2  0x0000555558be0bf6 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#3  0x0000555558be0769 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#4  0x0000555558be0769 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#5  0x0000555558be0e11 in blink::CompositingLayerAssigner::assign(blink::PaintLayer*, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#6  0x0000555558b66758 in blink::PaintLayerCompositor::updateIfNeeded() ()
#7  0x0000555558b680a6 in blink::PaintLayerCompositor::updateIfNeededRecursive() ()

However this is a different issue, because -O1 "fixes" it.

Can you bisect it to the alias changes from Honza or is this older?  Is this part of chromium single-threaded?

(In reply to Richard Biener from comment #3)
> Can you bisect it to the alias changes from Honza or is this older?

The first issue is older. At least a few weeks.
I don't have a powerful enough machine to bisect this and the 
compile farm machines cannot build Chromium, because of missing
libraries. 
(I've seen the second issue for the first time today.)

> Is this  part of chromium single-threaded?

If you start chromium with:
 google-chrome --no-sandbox --renderer-cmd-prefix='xterm -title renderer -e gdb -ex run --args'
it will attach a debugger to every started thread.
The segfault happens in one of them.

(In reply to Markus Trippelsdorf from comment #4)
> (In reply to Richard Biener from comment #3)
> > Can you bisect it to the alias changes from Honza or is this older?
> 
> The first issue is older. At least a few weeks.
> I don't have a powerful enough machine to bisect this and the 
> compile farm machines cannot build Chromium, because of missing
> libraries. 

OK. I will run a bisection just on that one object file...

Created attachment 36995 [details]
unreduced testcase

Started with r226861.

The while loop in:

 421 void IncrementalMarking::ActivateIncrementalWriteBarrier() {
 422   ActivateIncrementalWriteBarrier(heap_->old_space());
 423   ActivateIncrementalWriteBarrier(heap_->map_space());
 424   ActivateIncrementalWriteBarrier(heap_->code_space());
 425   ActivateIncrementalWriteBarrier(heap_->new_space());
 426
 427   LargePage* lop = heap_->lo_space()->first_page();
 428   while (lop->is_valid()) {
 429     SetOldSpacePageFlags(lop, true, is_compacting_);
 430     lop = lop->next_page();
 431   }
 432 }


Good:                          Bad:     
    .p2align 4,,10                 .p2align 4,,10
    .p2align 3                     .p2align 3
.L2183:                        .L2176:
    orq $12, 8(%rax)               orq $12, 8(%rax)
    movq    176(%rax), %rax        movq    176(%rax), %rax
    testq   %rax, %rax             jmp .L2176
    jne .L2183                 
    rep ret                    
.L2192:                        
    rep ret

Calling a NULL object is undefined.  


  Address address() { return reinterpret_cast<Address>(this); }

  bool is_valid() { return address() !=
# 475 "../../v8/src/heap/spaces.h" 3 4
                                       __null
# 475 "../../v8/src/heap/spaces.h"
                                           ; }


That will always be true.  That is this can never be NULL.

Thanks Andrew.
Turned out the issue from comment 2 is similar.
Both issues are solved with -fno-delete-null-pointer-checks.
Maybe the chromium devs should add that flag to their default gcc flags...

*** Bug 69234 has been marked as a duplicate of this bug. ***

*** Bug 69234 has been marked as a duplicate of this bug. ***