Benedikt, this bisects to the type-nuking CL. Could you take a look?

Smaller repro (run with --enable-slow-asserts --turbo):

for (var i = 0; i < 100; i++) { }
for (var i = 1E-100; i;) { Math.cbrt(i); }
for (var i = 16 | 0 || 0 || this || 1; i;) { Math.cbrt(i); }

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/33e571ff4b8210161e20d2484650f64809287f72

commit 33e571ff4b8210161e20d2484650f64809287f72
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 18 05:36:51 2016

[turbofan] Kill type Guard nodes during effect/control linearization.

These guards are useless anyways once you make it throw the
effect/control linearizer because all memory operations and
calls are connected to the control and/or effect chain anyways
afterwards.

Drive-by-fix: Fail in the InstructionSelector if we ever see
a Guard node.

R=jarin@chromium.org
BUG= chromium:612142 

Review-Url: https://codereview.chromium.org/1980383002
Cr-Commit-Position: refs/heads/master@{#36302}

[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/instruction-selector.cc
[modify] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/src/compiler/instruction-selector.h
[add] https://crrev.com/33e571ff4b8210161e20d2484650f64809287f72/test/mjsunit/regress/regress-crbug-612142.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c5a71f029fb554c6a79a9226a99258c12751bd9b

commit c5a71f029fb554c6a79a9226a99258c12751bd9b
Author: bmeurer <bmeurer@chromium.org>
Date: Wed May 18 06:19:10 2016

[turbofan] Turn common Guard operator into simplified TypeGuard.

The type guard should never be used after the effect/control
linearization pass, so making it a simplified operator better
expresses the intended use. Also this way none of the common
operators actually has any dependency on the type system.

Drive-by-fix: Properly print the type parameter to a TypeGuard operator.

BUG= chromium:612142 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/1994503002
Cr-Commit-Position: refs/heads/master@{#36304}

[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator-reducer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator-reducer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/common-operator.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/escape-analysis.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/load-elimination.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/load-elimination.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/opcodes.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/pipeline.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator-reducer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator-reducer.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/simplified-operator.h
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/typer.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/src/compiler/verifier.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/js-intrinsic-lowering-unittest.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/load-elimination-unittest.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/node-test-utils.cc
[modify] https://crrev.com/c5a71f029fb554c6a79a9226a99258c12751bd9b/test/unittests/compiler/node-test-utils.h

ClusterFuzz has detected this issue as fixed in range 36301:36302.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5611571836878848

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (IsDereferenceAllowed(INCLUDE_DEFERRE
  
Regressed: V8: r35919:35920
Fixed: V8: r36301:36302

Minimized Testcase (6.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96pJkaqDIvLYtl8wOPZtBy4aEcIkV3NSycg1bTarTZyhYqYheyMMsmsv1bFWDK3JvCFyNrxrZ9S8dwMjzDWL2gJNQNWc4opLcoBci2o0-YYdLK2fCBq1O55fqRsvxXSGOqxTtR0Yukl9O-J3P0KV-5gTI0cyw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

[Automated comment] Commit may have occurred before M52 branch point (5/19/2016), needs manual review.

Actually, no merge is necessary, the fix is already in M52.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot