The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6

commit 9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6
Author: jarin <jarin@chromium.org>
Date: Wed Apr 26 10:27:12 2017

[turbofan] Fix impossible type handling for TypeGuard and BooleanNot.

BUG= chromium:715204 

Review-Url: https://codereview.chromium.org/2836203004
Cr-Commit-Position: refs/heads/master@{#44883}

[modify] https://crrev.com/9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6/src/compiler/simplified-lowering.cc
[add] https://crrev.com/9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6/test/mjsunit/compiler/regress-715204.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/397ebb765ca84954d95116c6ac30c0e3d2c2e993

commit 397ebb765ca84954d95116c6ac30c0e3d2c2e993
Author: jgruber <jgruber@chromium.org>
Date: Wed Apr 26 15:24:52 2017

Revert of [turbofan] Fix impossible type handling for TypeGuard and BooleanNot. (patchset #1 id:1 of https://codereview.chromium.org/2836203004/ )

Reason for revert:
Tentative revert for https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/14886

Original issue's description:
> [turbofan] Fix impossible type handling for TypeGuard and BooleanNot.
>
> BUG= chromium:715204 
>
> Review-Url: https://codereview.chromium.org/2836203004
> Cr-Commit-Position: refs/heads/master@{#44883}
> Committed: https://chromium.googlesource.com/v8/v8/+/9c47a061cf325addf8bd2ba4b71a4d1ef210c5d6

TBR=bmeurer@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:715204 

Review-Url: https://codereview.chromium.org/2842793004
Cr-Commit-Position: refs/heads/master@{#44898}

[modify] https://crrev.com/397ebb765ca84954d95116c6ac30c0e3d2c2e993/src/compiler/simplified-lowering.cc
[delete] https://crrev.com/aaaaa80f02a478520a3556c378920c865d98b09e/test/mjsunit/compiler/regress-715204.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ff2109d53efccb2642df26ae2156f56285822885

commit ff2109d53efccb2642df26ae2156f56285822885
Author: jarin <jarin@chromium.org>
Date: Thu Apr 27 11:35:15 2017

[turbofan] Fix impossible type handling for TypeGuard and BooleanNot.

This also fixes incorrect type for fixed array accesses.

BUG=chromium:715651, v8:6309 , chromium:715204 

Review-Url: https://codereview.chromium.org/2848583002
Cr-Commit-Position: refs/heads/master@{#44926}

[modify] https://crrev.com/ff2109d53efccb2642df26ae2156f56285822885/src/compiler/access-builder.cc
[modify] https://crrev.com/ff2109d53efccb2642df26ae2156f56285822885/src/compiler/simplified-lowering.cc
[add] https://crrev.com/ff2109d53efccb2642df26ae2156f56285822885/test/mjsunit/compiler/regress-715204.js
[add] https://crrev.com/ff2109d53efccb2642df26ae2156f56285822885/test/mjsunit/compiler/regress-715651.js

ClusterFuzz has detected this issue as fixed in range 44925:44926.

Detailed report: https://clusterfuzz.com/testcase?key=5058581931229184

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  CanBeTaggedPointer(input_info->representation()) in simplified-lowering.cc
  v8::internal::compiler::RepresentationSelector::VisitNode
  v8::internal::compiler::RepresentationSelector::Run
  
Sanitizer: address (ASAN)

Regressed: V8: 39410:39427
Fixed: V8: 44925:44926

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5058581931229184


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5058581931229184 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.