frames_[0].kind() == TranslatedFrame::kFunction || frames_[0].kind() == Translat

Comment 1 by manoranj...@chromium.org, Apr 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5574995270434816

Fuzzer: decoder_langfuzz
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  frames_[0].kind() == TranslatedFrame::kFunction || frames_[0].kind() == Translat

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=382588:382751

Minimized Testcase (7.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oRQmmi2XgilpMyvMSV1VtaDU51y59BYKywa-S3a8gGX_fDZKRRJBHWRryaXjX2F_7Fr4oRyW1eXJW1amc9HGoxG6VS3w0GlVIgON2UXsNAnXtHcmUCzVJ1mIbOusQeIkP6VvS7_9AmuILgSGqHoV58nD5Pw

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 11 2016

Apr 11 2016

Reproduces on TOT, bisects to "[crankshaft] Support inlining of function calls in tail position (in ES6 sense)" (https://codereview.chromium.org/1782743003).

Apr 11 2016

Apr 13 2016

Apr 13 2016

Apr 13 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/26c480d13c19e598103067576a05008319a7b7ac

commit 26c480d13c19e598103067576a05008319a7b7ac
Author: ishell <ishell@chromium.org>
Date: Mon Apr 11 12:19:23 2016

[deoptimizer] Extend assert to also expect kTailCallerFunction as bottommost frame when accessing arguments for inlined function.

BUG=chromium:601617, v8:4698
LOG=N

Review URL: https://codereview.chromium.org/1876753002

Cr-Commit-Position: refs/heads/master@{#35385}

[modify] https://crrev.com/26c480d13c19e598103067576a05008319a7b7ac/src/deoptimizer.cc
[add] https://crrev.com/26c480d13c19e598103067576a05008319a7b7ac/test/mjsunit/regress/regress-crbug-601617.js

Apr 14 2016

Apr 14 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/1e1e59f5cf1c8b7e4152339016226b3d67281019

commit 1e1e59f5cf1c8b7e4152339016226b3d67281019
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Apr 14 10:48:08 2016

Version 5.1.281.7 (cherry-pick)

Merged 26c480d13c19e598103067576a05008319a7b7ac

[deoptimizer] Extend assert to also expect kTailCallerFunction as bottommost frame when accessing arguments for inlined function.

BUG=chromium:601617, v8:4698
LOG=N
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1884123002 .

Cr-Commit-Position: refs/branch-heads/5.1@{#10}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/1e1e59f5cf1c8b7e4152339016226b3d67281019/include/v8-version.h
[modify] https://crrev.com/1e1e59f5cf1c8b7e4152339016226b3d67281019/src/deoptimizer.cc
[add] https://crrev.com/1e1e59f5cf1c8b7e4152339016226b3d67281019/test/mjsunit/regress/regress-crbug-601617.js

Apr 14 2016

This is already merged to M51 as per comment #9. So removing "Merge-Approved-51" label.

Jun 4 2016

ClusterFuzz has detected this issue as fixed in range 386397:386428.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5574995270434816

Fuzzer: decoder_langfuzz
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  frames_[0].kind() == TranslatedFrame::kFunction || frames_[0].kind() == Translat

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=382588:382751
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=386397:386428

Minimized Testcase (7.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96KKnUqEtbEFQ_HTzFdsnqaRGovyS4X3uy9Kp1JAyODuz0D1Sq-lf3HPXyliPYt1yqTX6mXC3KH7fyHSN0tz4pU4qnD_Q7ARWj-I-9nduXU0nH0pKdJr2JWiSwiXGYBQDp5atWyJeK9tpY3JPS5CRO7fgwoDQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot