Issue 608278
Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
OS: Linux
Pri: 1
Type: Bug

1 == translation_size in src/crankshaft/lithium-codegen.cc

Reported by ClusterFuzz (Project Member), May 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578960389701632

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  1 == translation_size in src/crankshaft/lithium-codegen.cc
  
Regressed: V8: r35762:35763

Minimized Testcase (6.93 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96v1CVzKWLOLCaRY9w83RDlKvjzMxZUrLOj81y-xMixiMOKW3gkSfSV5mfalgoKf1yiz11mqYrPhpUsCnzk9tXtPc1ETU2qQFKw_WfplSXHmJL3Iw_0S5Hw_uf6D6HEd-209HSlmz7ZZhCCCK2uBMb928SA3Q

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: ishell@chromium.org
Status: Started (was: Available)
Smaller repro:

out/x64.debug/d8 --predictable --harmony-tailcalls test.js

===== test.js =====
"use strict";   // proper tail calls (--harmony-tailcalls) apply only to strict-mode code

function h() {
  return f();   // tail call: h's frame is replaced by f's
}

function g() {
  return h();   // tail call: g's frame is replaced by h's
}

function f() {
  var o = {};
  o.__defineGetter__('p', g);   // install g as an accessor so it is invoked (and inlined) as a getter
  o.p;                          // property load runs the getter, which tail-calls h and then f again
}

g();

Comment 3 by bugdroid1@chromium.org (Project Member), May 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197

commit e17a283f92c99d4ba7daee0dbb2e7d9e65b91197
Author: ishell <ishell@chromium.org>
Date: Fri May 06 12:36:23 2016

[es6] Properly handle the case when an inlined getter/setter/constructor does a tail call.

Deoptimizer is now able to reconstruct topmost accessor and constructor frames.

BUG=chromium:608278, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/1936043002
Cr-Commit-Position: refs/heads/master@{#36075}

[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/arm/lithium-arm.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/arm64/lithium-arm64.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/ia32/lithium-ia32.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/lithium.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/lithium.h
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/mips/lithium-mips.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/mips64/lithium-mips64.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/ppc/lithium-ppc.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/s390/lithium-s390.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/x64/lithium-x64.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/crankshaft/x87/lithium-x87.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/src/deoptimizer.cc
[modify] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/test/mjsunit/es6/tail-call.js
[add] https://crrev.com/e17a283f92c99d4ba7daee0dbb2e7d9e65b91197/test/mjsunit/regress/regress-crbug-608278.js
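
The fix above names three callee shapes, an inlined getter, setter or constructor whose body ends in a tail call. What follows is an added example, not code from the bug report and not V8's own regress-crbug-608278.js test, that exercises each of the three shapes in the pattern of the smaller repro, with a depth counter so every cycle terminates and returns a value that can be checked. The function names (runGetterCycle, runSetterCycle, runConstructorCycle, runAll) and the LIMIT constant are this example's own. Later V8 releases removed the --harmony-tailcalls flag, so on a current d8 or Node the calls run as ordinary recursion; the call shape is what a regression test needs to preserve.

```javascript
// Added example: the three inlined-callee shapes named in the fix
// (getter, setter, constructor), each ending in a tail call back into
// the caller chain, modelled on the smaller repro. LIMIT bounds the
// recursion so each cycle returns instead of running until the stack
// overflows (or, on the affected V8 build, until the CHECK fires).
"use strict";

const LIMIT = 50; // assumption: a depth well below any engine's stack limit

// Getter variant: f installs g as an accessor; reading o.p invokes g,
// which tail-calls h, which tail-calls f. The getter's return value is
// the value of the property read, so LIMIT flows back up the chain.
function runGetterCycle() {
  let depth = 0;
  function h() { return f(); }          // tail call
  function g() { return h(); }          // tail call inside the getter
  function f() {
    if (++depth >= LIMIT) return depth;
    const o = {};
    o.__defineGetter__('p', g);
    return o.p;                         // property load, not a tail call
  }
  return g();
}

// Setter variant: the same cycle entered through an assignment.
// A setter's return value is discarded by the assignment, so the
// result is read from the shared depth counter instead.
function runSetterCycle() {
  let depth = 0;
  function h() { return f(); }          // tail call
  function g(value) { return h(); }     // tail call inside the setter
  function f() {
    if (++depth >= LIMIT) return depth;
    const o = {};
    o.__defineSetter__('p', g);
    o.p = 1;                            // store invokes the setter
    return depth;
  }
  return g(0);
}

// Constructor variant: f re-enters the cycle through `new C()`, whose
// body tail-calls g. A constructor that returns an object makes that
// object the result of `new`, so the chain carries an object rather
// than a primitive to keep the value observable at the top.
function runConstructorCycle() {
  let depth = 0;
  function h() { return f(); }          // tail call
  function g() { return h(); }          // tail call
  function f() {
    if (++depth >= LIMIT) return { depth };
    function C() { return g(); }        // tail call inside the constructor
    return new C();
  }
  return g().depth;
}

// Runs all three shapes; each reports LIMIT when the cycle completes.
function runAll() {
  return [runGetterCycle(), runSetterCycle(), runConstructorCycle()];
}

console.log(runAll());
```

Each variant keeps the non-tail re-entry point (the property load, the store, the `new`) inside f, exactly as the repro does, because that is the frame the deoptimizer must be able to rebuild when the inlined accessor or constructor has already replaced its own frame with a tail call.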

Status: Fixed (was: Started)

Comment 5 by ClusterFuzz (Project Member), May 7 2016

ClusterFuzz has detected this issue as fixed in range 36074:36075.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4578960389701632

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  1 == translation_size in src/crankshaft/lithium-codegen.cc
  
Regressed: V8: r35762:35763
Fixed: V8: r36074:36075

Minimized Testcase (6.93 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96v1CVzKWLOLCaRY9w83RDlKvjzMxZUrLOj81y-xMixiMOKW3gkSfSV5mfalgoKf1yiz11mqYrPhpUsCnzk9tXtPc1ETU2qQFKw_WfplSXHmJL3Iw_0S5Hw_uf6D6HEd-209HSlmz7ZZhCCCK2uBMb928SA3Q

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by bugdroid1@chromium.org (Project Member), May 11 2016

Labels: merge-merged-5.1
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b68332d0b5dd6e043daaeed6b7dc0f4761e72168

commit b68332d0b5dd6e043daaeed6b7dc0f4761e72168
Author: ishell@chromium.org <ishell@chromium.org>
Date: Wed May 11 08:19:43 2016

Version 5.1.281.32 (cherry-pick)

Merged e17a283f92c99d4ba7daee0dbb2e7d9e65b91197

[es6] Properly handle the case when an inlined getter/setter/constructor does a tail call.

BUG=chromium:608278, v8:4698
LOG=N
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/1967733003 .

Cr-Commit-Position: refs/branch-heads/5.1@{#36}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/include/v8-version.h
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/arm/lithium-arm.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/arm64/lithium-arm64.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/hydrogen-instructions.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/ia32/lithium-ia32.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/lithium.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/lithium.h
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/mips/lithium-mips.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/mips64/lithium-mips64.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/ppc/lithium-ppc.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/s390/lithium-s390.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/x64/lithium-x64.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/crankshaft/x87/lithium-x87.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/src/deoptimizer.cc
[modify] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/test/mjsunit/es6/tail-call.js
[add] https://crrev.com/b68332d0b5dd6e043daaeed6b7dc0f4761e72168/test/mjsunit/regress/regress-crbug-608278.js

Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
