
Issue 767020


Issue metadata

Status: Duplicate
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




CHECK failure: Representation inference: unsupported opcode 59 (Dead), node #336 in simplified-

Project Member Reported by ClusterFuzz, Sep 20 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4567213502889984

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Representation inference: unsupported opcode 59 (Dead), node #336 in simplified-
  v8::platform::PrintStackTrace
  v8::internal::compiler::RepresentationSelector::VisitNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=502564:502580

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4567213502889984

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by palmer@chromium.org, Sep 21 2017

Cc: titzer@chromium.org jarin@chromium.org
Labels: M-63 Pri-1
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
bmeurer seems to have worked on `VisitNode` most recently. Could you please take a look? I can't easily tell which DCHECK in VisitNode might have been hit (if that's even the right place to look).

Comment 2 by jarin@chromium.org, Sep 21 2017

Mergedinto: 766635
Status: Duplicate (was: Assigned)
This bug was caused by

commit 37aa13fe3b434f5fe778ab4bc69c56c6bd526383
Author: Mike Stanton <mvstanton@chromium.org>
Date:   Fri Sep 15 14:48:36 2017 +0200

    [Turbofan] Array.prototype.filter inlining.

We have reverted that since then because we suspected it crashed on Canary:

commit 47b63806fcf544cacc779fc08694dacdd9886e26
Author: Jaroslav Sevcik <jarin@chromium.org>
Date:   Tue Sep 19 13:59:15 2017 +0000

    Revert "[Turbofan] Array.prototype.filter inlining."
    
    This reverts commit 37aa13fe3b434f5fe778ab4bc69c56c6bd526383.
    
    Reason for revert: Suspected to break 63.0.3219 Canary
    
    Original change's description:
    > [Turbofan] Array.prototype.filter inlining.
    >
    > Support inlining of Array.prototype.filter in TurboFan.
    >
    > Bug: v8:1956
    > Change-Id: Iba4d683aaa86c6104e8a1cf4d0f549a0c516576a
    > Reviewed-on: https://chromium-review.googlesource.com/657021
    > Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#48040}
    
    TBR=mvstanton@chromium.org,mstarzinger@chromium.org
    
    # Not skipping CQ checks because original CL landed > 1 day ago.
    
    Bug: v8:1956
    Change-Id: I125a8caf128890d788e040adfe2fc76bd8d1fbea
    Reviewed-on: https://chromium-review.googlesource.com/672783
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Reviewed-by: Michael Stanton <mvstanton@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Commit-Queue: Michael Stanton <mvstanton@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#48083}

Comment 3 by jarin@chromium.org, Sep 21 2017

Cc: bmeu...@chromium.org
Owner: mvstan...@chromium.org

Comment 4 by ClusterFuzz, Sep 21 2017

ClusterFuzz has detected this issue as fixed in range 503077:503094.

Detailed report: https://clusterfuzz.com/testcase?key=4567213502889984

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Representation inference: unsupported opcode 59 (Dead), node #336 in simplified-
  v8::platform::PrintStackTrace
  v8::internal::compiler::RepresentationSelector::VisitNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=502564:502580
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=503077:503094

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4567213502889984

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by sheriffbot@chromium.org, Dec 28 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
