Crash in v8::internal::Invoke
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4702028270141440

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZF-LpaXgE0nb1OdLhiFJheVib098TPGCotU7GcSkGekWqOb_khoxDDR-zAx9mcX25202dFTDnDmiZWLvHa-3r7s_1A2lfRxte9UiCPckeb0Mrou8P_gIpNL9CSGsOqnVY45no7HWioYCj9QyozuCj_WfojQ?testcase_id=4702028270141440

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e0b8707c78b337167d6ba7c42a332be2b6f82d92

commit e0b8707c78b337167d6ba7c42a332be2b6f82d92
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Jul 19 10:07:58 2016

[turbofan] Fix typing rule for number addition.

R=jarin@chromium.org
BUG= chromium:629435

Review-Url: https://codereview.chromium.org/2161013002
Cr-Commit-Position: refs/heads/master@{#37859}

[modify] https://crrev.com/e0b8707c78b337167d6ba7c42a332be2b6f82d92/src/compiler/operation-typer.cc
[add] https://crrev.com/e0b8707c78b337167d6ba7c42a332be2b6f82d92/test/mjsunit/regress/regress-crbug-629435.js
Jul 21 2016
ClusterFuzz has detected this issue as fixed in range 37851:37885.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4702028270141440

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Fixed: V8: r37851:37885

Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZF-LpaXgE0nb1OdLhiFJheVib098TPGCotU7GcSkGekWqOb_khoxDDR-zAx9mcX25202dFTDnDmiZWLvHa-3r7s_1A2lfRxte9UiCPckeb0Mrou8P_gIpNL9CSGsOqnVY45no7HWioYCj9QyozuCj_WfojQ?testcase_id=4702028270141440

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 25 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by jarin@chromium.org, Jul 19 2016
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)

Shorter repro:

  // Run in d8 with --allow-natives-syntax (needed for %OptimizeFunctionOnNextCall).
  function getRandomProperty(v) {
    v.constructor;
  }
  getRandomProperty([]);
  getRandomProperty([]);

  function f() {
    var __v_4 = -0;
    getRandomProperty(__v_4 + 1);
  }

  %OptimizeFunctionOnNextCall(f);
  f();