Node #187:FrameState in B1 is not dominated by input@2 #376:TypedStateValues in
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6517746054725632
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #187:FrameState in B1 is not dominated by input@2 #376:TypedStateValues in
Sanitizer: address (ASAN)
Regressed: V8: 42488:42489
Minimized Testcase (7.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Fdonrx8W8AXP6p4ddJhKCLFb7Hyx6npI-Ua4iiSR-UXRqY6O5B6yJ7ghdSH3GsCwSIGHFgswUjxjA2zONOljLAkz9ySE78rHQi0EKHeCMws4vlycGz7jYpnV8G7IsvCYaERlq1QdBcOnpKUxXMeJwRx2j-77nn5v6X-F0qvwBG0t-S08fdgyu9wLP1DtAz8cg0Eed9j_5EsLeVrbARn0sObFM7B4C1qDC8Nj37zM-cKpy2IJ4TgFJ343Gh6iVdzXtjP3Pa2Yxt_5n2F-AaAmP7NFlIb9WEnitJjgCPMYdC9SI1xFXAwahkFRvDn95olatxjVGphsFkwywVkAJq8_kzro9Qvo-ZcbRzshYtlcouvELQsc?testcase_id=6517746054725632
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jan 26 2017
Small repro:
// Flags: --turbo --allow-natives-syntax
function g() {
  ({}).o += "x";   // read-modify-write on a field of a fresh object literal
  eval("1");       // direct eval inside the same function
}
function f() {
  g();
}
f();                            // warm up f (and g) to collect feedback
f();
%OptimizeFunctionOnNextCall(f); // needs --allow-natives-syntax
f();                            // this call triggers the CHECK failure from the title

Jan 26 2017
Even simpler repro:
----------------------------------
// Flags: --turbo --allow-natives-syntax  (needed for %OptimizeFunctionOnNextCall)
function g() {
  ({}).a += "";      // read-modify-write on a field of a fresh object literal
  if (false) eval(); // the eval is never executed; its mere presence is enough
}
function f() {
  g();
}
f();                            // warm up f (and g) to collect feedback
f();
%OptimizeFunctionOnNextCall(f);
f();                            // this call triggers the CHECK failure
----------------------------------
Problem is a cycle in EscapeAnalysis, with a path 69:Call->FrameState->StateValues->ObjectState->69:Call, that's obviously not schedulable. Assigning to mstarzinger@ and tebbi@ for investigation.
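The cycle described above, as a constructed model rather than V8's own code: a tiny input graph in the shape of the reported path, a depth-first search that reports the cycle in the same Call->FrameState->StateValues->ObjectState->Call form, and a Kahn-style scheduler that fails on that graph and succeeds once the back edge is gone. This is an added example, not code from the thread or from V8; the node names follow the comment, while the edges, the acyclic variant, and both algorithms are assumptions made for illustration and say nothing about how the actual fix is implemented.

```javascript
// Constructed model: each key is a node, each value the list of its inputs.
// The names mirror the path in the comment; the edges are a model of that
// path, not V8's real node ids or operator semantics.
const cyclicGraph = {
  "69:Call": ["FrameState"],      // the Call has a FrameState input
  "FrameState": ["StateValues"],
  "StateValues": ["ObjectState"], // a virtual object is part of the state
  "ObjectState": ["69:Call"],     // one of its fields is the Call's result
};

// Same shape with the back edge removed, for contrast (constructed, not the fix).
const acyclicGraph = {
  "69:Call": ["FrameState"],
  "FrameState": ["StateValues"],
  "StateValues": ["ObjectState"],
  "ObjectState": [],
};

// Three-colour depth-first search. Returns the first cycle found as a path that
// starts and ends at the same node, or null when the graph is acyclic.
function findCycle(graph) {
  const WHITE = 0, GREY = 1, BLACK = 2;
  const colour = new Map(Object.keys(graph).map((n) => [n, WHITE]));
  const stack = []; // current DFS path

  function visit(node) {
    colour.set(node, GREY);
    stack.push(node);
    for (const input of graph[node] || []) {
      if (colour.get(input) === GREY) {
        // Back edge: the cycle is the path from `input` to here, closed by `input`.
        return stack.slice(stack.indexOf(input)).concat(input);
      }
      if (colour.get(input) !== BLACK) {
        const found = visit(input);
        if (found) return found;
      }
    }
    stack.pop();
    colour.set(node, BLACK);
    return null;
  }

  for (const node of Object.keys(graph)) {
    if (colour.get(node) === WHITE) {
      const found = visit(node);
      if (found) return found;
    }
  }
  return null;
}

// Kahn's algorithm: an order in which every node comes after all of its inputs,
// or null when some nodes can never be placed because each still waits on
// another. That unplaceable remainder is exactly what "not schedulable" means.
// Assumes every input named in the graph is itself a key of the graph.
function schedule(graph) {
  const nodes = Object.keys(graph);
  const pending = new Map(nodes.map((n) => [n, graph[n].length])); // unmet inputs
  const users = new Map(nodes.map((n) => [n, []]));                // reverse edges
  for (const n of nodes) {
    for (const input of graph[n]) users.get(input).push(n);
  }

  const ready = nodes.filter((n) => pending.get(n) === 0);
  const order = [];
  while (ready.length > 0) {
    const n = ready.shift();
    order.push(n);
    for (const user of users.get(n)) {
      pending.set(user, pending.get(user) - 1);
      if (pending.get(user) === 0) ready.push(user);
    }
  }
  return order.length === nodes.length ? order : null;
}

console.log("cycle:", findCycle(cyclicGraph));
console.log("schedule (cyclic):", schedule(cyclicGraph));
console.log("schedule (acyclic):", schedule(acyclicGraph));
```

On the cyclic graph no node ever has zero unmet inputs, so the ready list starts empty and the scheduler places nothing; on the acyclic variant the ObjectState becomes the first schedulable node and the rest follow in dependency order.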

Jan 27 2017

Jan 27 2017

Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c1a43ff9960019cba80ea7ab6af24d50e8bca89b

commit c1a43ff9960019cba80ea7ab6af24d50e8bca89b
Author: tebbi <tebbi@chromium.org>
Date: Fri Jan 27 12:40:05 2017

[turbofan] No longer ignore FrameState input to Call

R=mstarzinger@chromium.org
BUG= chromium:683566

Review-Url: https://codereview.chromium.org/2653953010
Cr-Commit-Position: refs/heads/master@{#42737}

[modify] https://crrev.com/c1a43ff9960019cba80ea7ab6af24d50e8bca89b/src/compiler/escape-analysis.cc
[add] https://crrev.com/c1a43ff9960019cba80ea7ab6af24d50e8bca89b/test/mjsunit/compiler/escape-analysis-11.js

Jan 28 2017
ClusterFuzz has detected this issue as fixed in range 42736:42737.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6517746054725632
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #187:FrameState in B1 is not dominated by input@2 #376:TypedStateValues in
Sanitizer: address (ASAN)
Regressed: V8: 42488:42489
Fixed: V8: 42736:42737
Minimized Testcase (7.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Fdonrx8W8AXP6p4ddJhKCLFb7Hyx6npI-Ua4iiSR-UXRqY6O5B6yJ7ghdSH3GsCwSIGHFgswUjxjA2zONOljLAkz9ySE78rHQi0EKHeCMws4vlycGz7jYpnV8G7IsvCYaERlq1QdBcOnpKUxXMeJwRx2j-77nn5v6X-F0qvwBG0t-S08fdgyu9wLP1DtAz8cg0Eed9j_5EsLeVrbARn0sObFM7B4C1qDC8Nj37zM-cKpy2IJ4TgFJ343Gh6iVdzXtjP3Pa2Yxt_5n2F-AaAmP7NFlIb9WEnitJjgCPMYdC9SI1xFXAwahkFRvDn95olatxjVGphsFkwywVkAJq8_kzro9Qvo-ZcbRzshYtlcouvELQsc?testcase_id=6517746054725632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jan 28 2017
ClusterFuzz testcase 6517746054725632 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jan 30 2017

Jan 30 2017
Issue 684481 has been merged into this issue.

Jan 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/221c7f1304aa0ac5ff0ad5c291d2488e046ae71a

commit 221c7f1304aa0ac5ff0ad5c291d2488e046ae71a
Author: tebbi <tebbi@chromium.org>
Date: Mon Jan 30 15:45:13 2017

Merged: [turbofan] No longer ignore FrameState input to Call

Revision: c1a43ff9960019cba80ea7ab6af24d50e8bca89b

BUG= chromium:683566
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2660213002
Cr-Commit-Position: refs/branch-heads/5.7@{#62}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/221c7f1304aa0ac5ff0ad5c291d2488e046ae71a/src/compiler/escape-analysis.cc
[add] https://crrev.com/221c7f1304aa0ac5ff0ad5c291d2488e046ae71a/test/mjsunit/compiler/escape-analysis-11.js

Jan 30 2017
Per comment #11, this is already merged to M57. Hence, removing "Merge-Approved-57" label.
Comment 1 by mstarzinger@chromium.org, Jan 23 2017
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)