
Issue 624747 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc

Project Member Reported by ClusterFuzz, Jun 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4780641933852672

Fuzzer: mbarbella_js_mutation_test262
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Regressed: V8: r37385:37405

Minimized Testcase (0.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94QBpGh3h2WxLL2XtEXT_I8BljUoORBrH5L7F7DYGv6CbcUI5Fz9dvYaUBTeRrT10IkrIzZ0HsQmnMmtHkPBfUCs3v4pjzVjFBPXRTKlWcIS9rPzEo3Vp3F72113b_-Z-jwn4jljCltdOkGWFhrGS6yfzDmxA?testcase_id=4780641933852672

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by jarin@chromium.org, Jun 30 2016

Owner: mstarzinger@chromium.org
Bisects to:

commit 36c635131fbddd8fac1128cf08948bb4ba837dba
Author: mstarzinger <mstarzinger@chromium.org>
Date:   Wed Jun 29 05:53:56 2016 -0700

    Reland of [turbofan] Implicitly emit eager checkpoint at graph building. (patchset #1 id:1 of https://codereview.chromium.org/2104973004/ )
    
    Reason for revert:
    Can be cleanly relanded without any changes after a fix to redundancy elimination. Kudos go to Benedikt.

...
    
    TBR=jarin@chromium.org
    BUG= v8:5021 
    
    Review-Url: https://codereview.chromium.org/2107163002
    Cr-Commit-Position: refs/heads/master@{#37395}

Status: Assigned (was: Available)
Reduced repro ...

// Flags: --allow-natives-syntax --es-staging

"use strict";

function bar() {
  try {
    xxx;  // `xxx` is not defined, so this throws a ReferenceError and control enters the catch block
  } catch (e) {
    // `1 instanceof TypeError` is false, so `zzz()` is never actually called;
    // the call only needs to be compiled as part of the returned expression.
    return (1 instanceof TypeError) && zzz();
  }
}

function foo() {
  return bar();
}

// Ask TurboFan to optimize foo on its next call, then trigger that call.
%OptimizeFunctionOnNextCall(foo);
foo();

Comment 4 by bugdroid1@chromium.org (Project Member), Jul 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a757a62bf5106086250e61eb3a17db888c8a37e3

commit a757a62bf5106086250e61eb3a17db888c8a37e3
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri Jul 01 13:51:51 2016

[turbofan] Broaden checkpoint elimination on returns.

This makes the elimination of checkpoints flowing effect-wise into nodes
having the {Return} operator more permissive. We can cut out checkpoints
even when they are not wholly owned by the return. This also alleviates
a problem where TCO no longer applies.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-624747
BUG= chromium:624747 

Review-Url: https://codereview.chromium.org/2118793002
Cr-Commit-Position: refs/heads/master@{#37480}

[modify] https://crrev.com/a757a62bf5106086250e61eb3a17db888c8a37e3/src/compiler/checkpoint-elimination.cc
[add] https://crrev.com/a757a62bf5106086250e61eb3a17db888c8a37e3/test/mjsunit/regress/regress-crbug-624747.js

Comment 5 by ClusterFuzz (Project Member), Jul 2 2016

ClusterFuzz has detected this issue as fixed in range 37479:37483.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4780641933852672

Fuzzer: mbarbella_js_mutation_test262
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Regressed: V8: r37385:37405
Fixed: V8: r37479:37483

Minimized Testcase (0.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94QBpGh3h2WxLL2XtEXT_I8BljUoORBrH5L7F7DYGv6CbcUI5Fz9dvYaUBTeRrT10IkrIzZ0HsQmnMmtHkPBfUCs3v4pjzVjFBPXRTKlWcIS9rPzEo3Vp3F72113b_-Z-jwn4jljCltdOkGWFhrGS6yfzDmxA?testcase_id=4780641933852672

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz (Project Member), Jul 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Status: Fixed (was: Verified)
This is done.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
