RepresentationChangerError: node #NUMBER:LoadField of kRepTagged (Any) cannot be
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5015572839923712

Fuzzer: inferno_webbot
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  RepresentationChangerError: node #NUMBER:LoadField of kRepTagged (Any) cannot be <unknown>
  v8::base::OS::Abort
  V8_Fatal

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96_MDE77Ur9Cu1X6F86QaVggGeKv1Cl3nhnNP3x6ycQrw9zEhdF0ZCWdZfo8QjBgFPgGuzOyhhhXV-nBbL1YWDLDi82Su5x6OFvfE752EzAPgiep4-edATKWuduCaSjRXmfwOgZAFb5S7us_drGIbG28NTNfA
<script> window.location = "http://afisha.mosreg.ru";</script>

Filer: jkummerow

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 29 2016
Alternate repro: http://www.findingvegan.com/

Apr 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6399969665220608

Fuzzer: inferno_webbot
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  RepresentationChangerError: node #NUMBER:LoadField of kRepTagged (Any) cannot be

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=387894:387957

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95h7q-Y84FxJ45Z9qHGfCDRwuFsdWbW7rG1duCm6YWlCRt4ldlYZ024M-iOP2QQg-VBhobsBlVY7V0VUB47lIfqxquJH8RRCfQddQ16TEf_DIDV31Yye-zkJWp6jj2Zi-LPG4iUZG5ylgh3VhO3zYnlUEkJxg
<script> window.open("http://findingvegan.com"); window.location = "http://codetutr.com";</script>

Filer: jkummerow

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 2 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c0e65ea85d09780a13685ff06a83b38cef0b279a

commit c0e65ea85d09780a13685ff06a83b38cef0b279a
Author: bmeurer <bmeurer@chromium.org>
Date: Mon May 02 11:28:35 2016

[turbofan] Extend the type fixup to LoadField as well.

For LoadElimination we must not replace LoadField nodes with other nodes
whose types are not a subtype of the original LoadField type, as that
breaks the verifier. We already fixed that earlier for store to load
forwarding, but the fix didn't cover LoadField forwarding.

This actually still generates the correct code even w/o the fix, but
since recently fails due to stronger checking in representation
selection. So this makes clusterfuzz happy again.

R=mvstanton@chromium.org
BUG= chromium:607899
LOG=n

Review-Url: https://codereview.chromium.org/1934973002
Cr-Commit-Position: refs/heads/master@{#35930}

[modify] https://crrev.com/c0e65ea85d09780a13685ff06a83b38cef0b279a/src/compiler/load-elimination.cc

May 3 2016

May 3 2016
ClusterFuzz has detected this issue as fixed in range 390990:391082.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6399969665220608

Fuzzer: inferno_webbot
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  RepresentationChangerError: node #NUMBER:LoadField of kRepTagged (Any) cannot be

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=387894:387957
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=390990:391082

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95h7q-Y84FxJ45Z9qHGfCDRwuFsdWbW7rG1duCm6YWlCRt4ldlYZ024M-iOP2QQg-VBhobsBlVY7V0VUB47lIfqxquJH8RRCfQddQ16TEf_DIDV31Yye-zkJWp6jj2Zi-LPG4iUZG5ylgh3VhO3zYnlUEkJxg
<script> window.open("http://findingvegan.com"); window.location = "http://codetutr.com";</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by jkummerow@chromium.org, Apr 29 2016
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)