V8 changelog from the above detailed report:
=============================================
https://chromium.googlesource.com/v8/v8/+log/25d2b2477180ce29467b16408e25a5752592944b..046414169a96b4b5580cecef92908c660c470aaa?pretty=fuller

neis@: Could you please take a look or help in investigating this further as seeing prototype chain related change(https://codereview.chromium.org/1842563004) in the above regression range.

ClusterFuzz has detected this issue as fixed in range 35144:35169.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4851095544791040

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000027
Crash State:
  v8::internal::FixedArray::get
  v8::internal::Isolate::native_context
  v8::internal::Isolate::initial_array_prototype
  
Regressed: V8: r35065:35144
Fixed: V8: r35144:35169

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96_pi6qwe8HyAtUNncU0wQMm2MkTVy-wfA-8mxzkgnl7TQRP3sm3EdTfaKH0AOeA7zyk-pO-sMNaO-Q1BD1PY0gTTiTx8PwC6FK6iUT_si6gLdvY63E-7vpwX99lnKSxfad0nJ7Mafx__gklpGRqk0m8hifzQ
__v_2 = [];
__v_2[Math.pow(2,31)-1] = 0;
    __v_2.push(function () { return __v_5; });


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This was unrelated to my change but got fixed in the meantime.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot