args[0]->IsString() in runtime-scopes.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166003077251072
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[0]->IsString() in runtime-scopes.cc
Sanitizer: address (ASAN)
Regressed: V8: 42880:42881
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ADmRvKFGqimqQMVEnBNBtUttgLq3Eh55Y4Q01_sc6Zaf9Rl9-cdtpnT9NGFcns733g41a_10Y3wch6BddaAboCjrcHVEI9xKtDZOa3q29uReHzrTVmAPc9UC1schSL6lmRm8P43MiZNmtGqBMFSl6MFhj9tIhYqM8eBuA7yGOuKUQ917BEof6prDxdKrCCXP2EJBZsh7izK1h_Byp1EFUYlTgDWhixrbXI-_DhpL6SDlcFVpwh7j6Mg7skZ6_8_0wxiealdIRCze0BcmW52K8-hUWpzaWDGHZ3_sPT4athpxcdvjXWcVBr_uX8QFITfgEOSPbEHLG8tEwUAXGOEMN-l4fecnh0HAKM0EqC99Za9KDqv_81iyDKoW_QQoKFx5LmK2jghO3VHKD0AtV7IAtFC5lpg?testcase_id=5166003077251072
Issue manually filed by: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 6 2017
Reproduces on TOT on a linux dbg build: out/debug/d8 ~/mutant17478_string-replace-gc.js
Feb 6 2017
Simplified test case:
---
var foo = "01234567";
foo += foo;
foo += foo;
foo += foo;
foo += foo;
foo += foo; // foo.length = 256;
var bar = foo.replace('x', 'y', 'z');
---
#0 v8::base::OS::Abort () at ../../src/base/platform/platform-posix.cc:253
#1 0x00007ffff7fb5baf in V8_Fatal (file=0x7ffff77a8e39 "../../src/runtime/runtime-scopes.cc", line=213,
format=0x7ffff7704b57 "Check failed: %s.") at ../../src/base/logging.cc:66
#2 0x00007ffff732ae4e in v8::internal::__RT_impl_Runtime_InitializeVarGlobal (args=..., isolate=0x5555555d3f60)
at ../../src/runtime/runtime-scopes.cc:213
#3 0x00007ffff732ac20 in v8::internal::Runtime_InitializeVarGlobal (args_length=3, args_object=0x7fffffffcf90, isolate=0x5555555d3f60)
at ../../src/runtime/runtime-scopes.cc:210
#4 0x00003d3fce50420e in ?? ()
#5 0x0000000300000000 in ?? ()
#6 0x00003d3fce504141 in ?? ()
#7 0x00007fffffffcf50 in ?? ()
#8 0x0000000300000000 in ?? ()
#9 0x00007fffffffcfb8 in ?? ()
#10 0x00003d3fce6859dd in ?? ()
#11 0x000031684af8cf61 in ?? ()
#12 0x000031d712898bc9 in ?? ()
#13 0x0000000000000000 in ?? ()
Feb 6 2017
Looks like the crash is caused by TailCallRuntime not handling argument adaptor frames correctly. Quick fix for String.p.replace at https://codereview.chromium.org/2675133003/. Reassigning to ishell for TailCallRuntime investigation.
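A regression-style check for the crash shape discussed in this comment, added here as an example; it is not code from the bug thread and not V8's own test/mjsunit/regress/regress-688690.js. String.prototype.replace declares two formal parameters, so calling it with a third argument makes the engine insert an arguments adaptor frame, which is the path the comment says TailCallRuntime mishandled. The check assumes only a standard JavaScript engine (d8 or Node), constructs its own inputs (a flat string, the 256-character cons string from the simplified test case, and a sliced string), and verifies that extra arguments are ignored and the result matches the two-argument call. The function names (`buildConsString`, `replaceWithExtraArgs`, `runRegressionChecks`) are this example's own.

```javascript
'use strict';

// Build a cons string the same way the simplified test case does:
// eight characters doubled five times gives length 256. (constructed input)
function buildConsString() {
  let foo = '01234567';
  for (let i = 0; i < 5; i++) foo += foo;
  return foo;
}

// Call replace with the declared arity (2 arguments) and with surplus
// arguments (3 and 4 arguments). The surplus calls go through an arguments
// adaptor frame; a correct engine ignores the extra arguments, so all three
// results must be identical.
function replaceWithExtraArgs(str, pattern, replacement) {
  const expected = str.replace(pattern, replacement);
  const withThree = str.replace(pattern, replacement, 'ignored');
  const withFour = str.replace(pattern, replacement, 'ignored', 42);
  return {
    expected,
    consistent: withThree === expected && withFour === expected,
  };
}

// Run the check over several string representations and return the
// per-kind outcome so a test harness can assert on it.
function runRegressionChecks() {
  const cons = buildConsString();
  const inputs = {
    flat: 'x01234567',                // short flat string, pattern at index 0
    cons: cons,                       // no 'x' present: replace returns input unchanged
    consWithMatch: cons + 'x',        // cons string where the pattern is present
    sliced: (cons + 'xyz').slice(100) // sliced string ending in 'xyz'
  };
  const results = {};
  for (const [kind, s] of Object.entries(inputs)) {
    results[kind] = replaceWithExtraArgs(s, 'x', 'y');
  }
  return results;
}

// Stand-alone run: print one line per string kind.
const regressionResults = runRegressionChecks();
for (const [kind, r] of Object.entries(regressionResults)) {
  console.log(kind + ': ' + (r.consistent ? 'ok' : 'MISMATCH'));
}
```

On the fixed build every kind reports `ok`; on a build with the bug, the debug binary aborts on the `args[0]->IsString()` CHECK before any line is printed, which is exactly the signal the ClusterFuzz report captured.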
Feb 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9576d08c92d30b49361e662113643b782e45ee49
commit 9576d08c92d30b49361e662113643b782e45ee49
Author: jgruber <jgruber@chromium.org>
Date: Mon Feb 06 09:47:55 2017
[string] Don't tail-call into runtime with adaptor frames
TailCallRuntime currently does not seem to handle adaptor frames correctly.
BUG=chromium:688690
Review-Url: https://codereview.chromium.org/2675133003
Cr-Commit-Position: refs/heads/master@{#42950}
[modify] https://crrev.com/9576d08c92d30b49361e662113643b782e45ee49/src/builtins/builtins-string.cc
[add] https://crrev.com/9576d08c92d30b49361e662113643b782e45ee49/test/mjsunit/regress/regress-688690.js
Feb 7 2017
ClusterFuzz has detected this issue as fixed in range 42949:42950.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5166003077251072
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[0]->IsString() in runtime-scopes.cc
Sanitizer: address (ASAN)
Regressed: V8: 42880:42881
Fixed: V8: 42949:42950
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ADmRvKFGqimqQMVEnBNBtUttgLq3Eh55Y4Q01_sc6Zaf9Rl9-cdtpnT9NGFcns733g41a_10Y3wch6BddaAboCjrcHVEI9xKtDZOa3q29uReHzrTVmAPc9UC1schSL6lmRm8P43MiZNmtGqBMFSl6MFhj9tIhYqM8eBuA7yGOuKUQ917BEof6prDxdKrCCXP2EJBZsh7izK1h_Byp1EFUYlTgDWhixrbXI-_DhpL6SDlcFVpwh7j6Mg7skZ6_8_0wxiealdIRCze0BcmW52K8-hUWpzaWDGHZ3_sPT4athpxcdvjXWcVBr_uX8QFITfgEOSPbEHLG8tEwUAXGOEMN-l4fecnh0HAKM0EqC99Za9KDqv_81iyDKoW_QQoKFx5LmK2jghO3VHKD0AtV7IAtFC5lpg?testcase_id=5166003077251072
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 7 2017
Opened crbug.com/v8/5939 for the general TailCallRuntime issue.
Comment 1 by ishell@chromium.org, Feb 4 2017
Labels: -OS-Linux OS-All
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)