Issue 683581 link

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


V8 correctness failure in configs: x64,fullcode:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Jan 21 2017

Issue description

Cc: bmeu...@chromium.org jarin@chromium.org mstarzinger@chromium.org
// PTAL. Results are different as long as there's an empty eval call in the function. Repros with ignition/ignition_turbo and with fullcode/default. Simple repro:

var v = 0;
function foo() {
  // Long-running loop; the summed value is what differs between configs.
  for (var i = 0; i < 136000; i++) {
    v += i;
  }
  // An empty eval call is enough to trigger the divergence.
  eval();
}
foo()
print(v);

// Output:

# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --ignition-staging --turbo --validate-asm
#
# Difference:
- 9247932000
+ 9247866458
#
# Source file:
none
#
### Start of configuration x64,ignition:
9247932000

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
9247866458

### End of configuration x64,ignition_turbo

Status: Available (was: Untriaged)
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Looks like a TurboFan issue (potentially related to OSR). I'll investigate.
Comment 4 by bugdroid1@chromium.org (Project Member), Jan 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/efc8cb16d783c923c690be93cd55ae37f947edca

commit efc8cb16d783c923c690be93cd55ae37f947edca
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Jan 25 09:14:41 2017

[turbofan] Fix accumulator use in bytecode analysis.

This fixes the checks of accumulator usage flags in the computation of
the interpreter register liveness during bytecode analysis. The usage
flags at hand are bit patterns as opposed to flat enum values. Use the
safe accessors instead of plain comparison.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-683581
BUG= chromium:683581 

Review-Url: https://codereview.chromium.org/2651653005
Cr-Commit-Position: refs/heads/master@{#42648}

[modify] https://crrev.com/efc8cb16d783c923c690be93cd55ae37f947edca/src/compiler/bytecode-analysis.cc
[add] https://crrev.com/efc8cb16d783c923c690be93cd55ae37f947edca/test/mjsunit/regress/regress-crbug-683581.js

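The commit message above describes the defect class but not its effect, so the following is an added example (written for this page, not V8's own code) that models it: accumulator-use flags that are bit patterns (kNone, kRead, kWrite, kReadWrite = kRead | kWrite), a backward liveness pass over a toy bytecode stream, and the two ways of testing the flags. `AccumulatorLiveIn(..., flat_compare = true)` reproduces the bug by comparing the pattern with `==`, so a bytecode that both reads and writes the accumulator matches neither check; `flat_compare = false` uses bit-test accessors. The enum layout, the accessor names and the four-instruction stream are assumptions modelled on the commit description, not V8's actual definitions, and the link to the repro (a register judged dead is not carried into the optimized frame, giving a different sum) is an inference from comment 3, not something the page states.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption: simplified stand-in for V8's accumulator-use flags. The values
// are bit patterns, so kReadWrite is a combination, not a third distinct value.
enum class AccumulatorUse : uint8_t {
  kNone = 0,
  kRead = 1 << 0,
  kWrite = 1 << 1,
  kReadWrite = kRead | kWrite,
};

constexpr AccumulatorUse operator&(AccumulatorUse a, AccumulatorUse b) {
  return static_cast<AccumulatorUse>(static_cast<uint8_t>(a) &
                                     static_cast<uint8_t>(b));
}

// Safe accessors: test the individual bit instead of comparing the pattern.
constexpr bool ReadsAccumulator(AccumulatorUse u) {
  return (u & AccumulatorUse::kRead) == AccumulatorUse::kRead;
}
constexpr bool WritesAccumulator(AccumulatorUse u) {
  return (u & AccumulatorUse::kWrite) == AccumulatorUse::kWrite;
}

// Toy straight-line bytecode: each op declares how it uses the accumulator.
struct Op {
  const char* name;
  AccumulatorUse use;
};

// Backward liveness of the accumulator at the entry of each op. The value is
// live before an op if the op reads it, or if it is live after the op and the
// op does not overwrite it. With flat_compare == true the flags are compared
// with ==, which is the bug: a kReadWrite op reads the accumulator but the
// comparison against kRead fails, so the analysis may call the value dead.
std::vector<bool> AccumulatorLiveIn(const std::vector<Op>& ops,
                                    bool flat_compare) {
  std::vector<bool> live_in(ops.size());
  bool live_out = false;  // nothing reads the accumulator after the last op
  for (size_t i = ops.size(); i-- > 0;) {
    AccumulatorUse u = ops[i].use;
    bool reads = flat_compare ? (u == AccumulatorUse::kRead)
                              : ReadsAccumulator(u);
    bool writes = flat_compare ? (u == AccumulatorUse::kWrite)
                               : WritesAccumulator(u);
    live_in[i] = reads || (live_out && !writes);
    live_out = live_in[i];
  }
  return live_in;
}

// Constructed sample stream (toy mnemonics): op 1 both reads and writes the
// accumulator, so the value loaded by op 0 must be live before op 1.
std::vector<Op> DemoStream() {
  return {
      {"Ldar r0", AccumulatorUse::kWrite},      // acc = r0
      {"Inc", AccumulatorUse::kReadWrite},      // acc = acc + 1
      {"Ldar r3", AccumulatorUse::kWrite},      // acc = r3 (kills previous)
      {"Return", AccumulatorUse::kRead},        // returns acc
  };
}

int main() {
  std::vector<Op> ops = DemoStream();
  std::vector<bool> fixed = AccumulatorLiveIn(ops, false);
  std::vector<bool> buggy = AccumulatorLiveIn(ops, true);
  for (size_t i = 0; i < ops.size(); i++) {
    std::printf("%-8s live-in: bit-test=%d  flat-compare=%d%s\n", ops[i].name,
                fixed[i] ? 1 : 0, buggy[i] ? 1 : 0,
                fixed[i] != buggy[i] ? "  <-- differs" : "");
  }
  return 0;
}
```

Running it shows the accumulator marked dead before `Inc` under the flat comparison even though `Inc` consumes it; that is the kind of liveness error under which a later consumer of the bytecode analysis (such as OSR entry code) would drop a value that is still needed.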
Status: Fixed (was: Assigned)
Comment 6 by ClusterFuzz (Project Member), Jan 26 2017

ClusterFuzz has detected this issue as fixed in range 42647:42648.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6399810044428288

Fuzzer: foozzie_js_mutation
Job Type: foozzie_fullcode_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,fullcode:x64,ignition_turbo
  sources: eb3
  
Sanitizer: address (ASAN)

Fixed: V8: 42647:42648

Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97qa-4KE2Dm4kQBalW1jRtAm1spIjsXa7D_Xk1YYm-b5FLdJNxi3hsbW2nvilyjHnJdmT9H1WAQraUkWD9ZDzD4qBX8uicwShUYj0qrOHzUOGYby6cmGEkgsi2vtxZ5olEVOSiIXMusjU0Bx70dBBS_xOerT9Xz_mlBCd3ai6C9e9y3LXlUQt2-Phjn5BpjJcxgxrQlS5yVD7Ni70bNVmn43Ihjqt7ezj2lwtLWgkxRd1YvVoZ-4gBaRn6bGCDUIofd5nq3B8ShUUyE9NLrUN9XJuxdeZQCOI4l-FHQuTZ_RBkR5IcDx_alvohCJ41csDlxGMRa5Es2_QNGtuISJFES62BzWUrUVZjpRkgHv2KdihNa0BY?testcase_id=6399810044428288

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.