CHECK failure: object.is_null() || *object == scope_site->transition_info() in allocation-site-
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5505985834909696
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object.is_null() || *object == scope_site->transition_info() in allocation-site-
Sanitizer: address (ASAN)
Regressed: V8: 44423:44424
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv962FFPDAzHkSqpCXr2sAHVxAshLCHri1Fp6yvQmIaQunJD6PN_Ep3mElcHyzSj4YZgvLSOz1gf_Gy2E9P-E9g43kmexm86sqkrD6LM33vvPf9xMnCxTAvRDW5FTpBga0pZ1FW8gR80ZFnC7JOr8Mk-iLLZCCeLor1bdY3fBD6yfu96VnXTJNWUbqt0VaJzPl3K8eEfvmox4QENtrinxFbWv1daI_L9uq-DPYajmy_yzQzJRGksp7NQ1JzrXfZIGhiJf8oXO8nuAWbNEyXsbu4CU7C7xMDRb4E67BUM4lH0FG826zL6GBcziReqGlg5uP0Z6Ttz0rFvaCHf_CFiNlJD94U84dyRzI3xorBITn9-lP0iEsq8?testcase_id=5505985834909696

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 10 2017
Regression range points to bff3b266d23cf0054e687b150f949acc6ce2e1a9. Probably just flushes out an existing issue. Reproduces nicely though.
Apr 10 2017
Simplified repro:
---------------------------------------------------------------
// Flags: --allow-natives-syntax
function foo() {
return {0xd: {}, b: {}, c: {}, d: {}, e: {}, f: {}, g: {}};
}
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
---------------------------------------------------------------
Also explodes in Crankshaft (with --noturbo), which has the old limit of 8. So it's not my CL. Problem is fixed by replacing 0xd with a, so probably there's some mismatch between the runtime and the compiler.
Apr 10 2017
Apr 11 2017
I'll take a look at this.
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/1f3a863bbdb972f3314c9424ff6939152d4dd9ac

commit 1f3a863bbdb972f3314c9424ff6939152d4dd9ac
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Apr 11 11:42:52 2017

[turbofan] Fix traversal order of boilerplate objects.

This fixes {JSCreateLowering} to traverse boilerplate objects in the same order the runtime uses (i.e. properties first, elements second). That order is hard-coded in the nesting of {AllocationSite} objects.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-709537
BUG=chromium:709537

Change-Id: I8f446a0880448ea88a3e242e92d11d611581a42b
Reviewed-on: https://chromium-review.googlesource.com/474028
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44563}

[modify] https://crrev.com/1f3a863bbdb972f3314c9424ff6939152d4dd9ac/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/1f3a863bbdb972f3314c9424ff6939152d4dd9ac/src/crankshaft/hydrogen.cc
[add] https://crrev.com/1f3a863bbdb972f3314c9424ff6939152d4dd9ac/test/mjsunit/regress/regress-crbug-709537.js
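To make the element/property split behind this fix concrete, here is an added JavaScript illustration, not code from V8 or from anyone in this thread: it classifies the keys of the reduced repro's literal into elements (array-index keys, which is why `0xd`, i.e. `"13"`, matters and a named key `a` does not) and properties, then lists the nested boilerplate literals in the order the commit message attributes to the runtime, properties first and elements second. The array-index bound (2^32 - 2) and the "nested literal" filter are this example's own assumptions about how the split is drawn.

```javascript
// Added illustration (not V8 code): split object-literal keys into "elements"
// (array-index keys) and "properties" (all other own keys), then order the
// nested boilerplates the way the fix describes: properties first, elements second.
const MAX_ARRAY_INDEX = 2 ** 32 - 2; // assumed upper bound for an element key

// True when `key` is a canonical array index: "0", "13", ... but not "013" or "1.5".
function isArrayIndexKey(key) {
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= MAX_ARRAY_INDEX;
}

// Split an object's own enumerable keys. Note that Object.keys already yields
// integer-like keys first (ascending), then string keys in insertion order.
function splitKeys(obj) {
  const elements = [];
  const properties = [];
  for (const key of Object.keys(obj)) {
    (isArrayIndexKey(key) ? elements : properties).push(key);
  }
  return { elements, properties };
}

// Each nested object literal is a boilerplate with its own allocation-site
// feedback; per the commit message the runtime visits property boilerplates
// before element boilerplates, so the compiler must do the same.
function runtimeTraversalOrder(obj) {
  const { elements, properties } = splitKeys(obj);
  const isNestedLiteral = (k) => obj[k] !== null && typeof obj[k] === 'object';
  return [...properties.filter(isNestedLiteral), ...elements.filter(isNestedLiteral)];
}

// Constructed literal mirroring the reduced repro from the thread: one element
// key (0xd === 13) plus six named properties, every value a nested literal.
function foo() {
  return { 0xd: {}, b: {}, c: {}, d: {}, e: {}, f: {}, g: {} };
}

// Same shape with the element key renamed to `a`: no element boilerplates at
// all, so there is no ordering to get wrong.
function fooWithoutElements() {
  return { a: {}, b: {}, c: {}, d: {}, e: {}, f: {}, g: {} };
}
```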
Apr 11 2017
Apr 12 2017
ClusterFuzz has detected this issue as fixed in range 44562:44563.

Detailed report: https://clusterfuzz.com/testcase?key=5505985834909696
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object.is_null() || *object == scope_site->transition_info() in allocation-site-
Sanitizer: address (ASAN)
Regressed: V8: 44423:44424
Fixed: V8: 44562:44563
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv962FFPDAzHkSqpCXr2sAHVxAshLCHri1Fp6yvQmIaQunJD6PN_Ep3mElcHyzSj4YZgvLSOz1gf_Gy2E9P-E9g43kmexm86sqkrD6LM33vvPf9xMnCxTAvRDW5FTpBga0pZ1FW8gR80ZFnC7JOr8Mk-iLLZCCeLor1bdY3fBD6yfu96VnXTJNWUbqt0VaJzPl3K8eEfvmox4QENtrinxFbWv1daI_L9uq-DPYajmy_yzQzJRGksp7NQ1JzrXfZIGhiJf8oXO8nuAWbNEyXsbu4CU7C7xMDRb4E67BUM4lH0FG826zL6GBcziReqGlg5uP0Z6Ttz0rFvaCHf_CFiNlJD94U84dyRzI3xorBITn9-lP0iEsq8?testcase_id=5505985834909696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Apr 7 2017