
Issue 683904 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




V8 correctness failure in configs: x64,fullcode:x64,ignition_staging

Project Member Reported by ClusterFuzz, Jan 23 2017

Issue description

Cc: bmeu...@chromium.org jarin@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
PTAL. Repros in fullcode/default. Maybe duplicate of issue 683676? Crunched it down to:

count = 0;

function bar(test_double, length) {
  var a = new Array();
  count++;
  for (var i = 0; i < length; i++) {
    if (i == length - 5 && test_double) {
      a.__defineGetter__(0, function() { return bar(); });
    } else if (i != length - 7) {
      a[i] = 0;
    }
  }
  for (var i = 0; i < length; i++) {
    if (i == length - 5 && test_double) {
    } else if (i != length - 7) {
      a[i];
    }
  }
}
function foo(test_double, length) {
  bar(test_double, length);
}

foo(true, 10000);
foo(false, 10000);
foo(true, 10000);
print(count);

// Output:

# Compared x64,fullcode with x64,default
#
# Flags of x64,fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --nocrankshaft --turbo-filter=~ --validate-asm
# Flags of x64,default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 123 --validate-asm
#
# Difference:
- 5
+ 6
#
# Source file:
none
#
### Start of configuration x64,fullcode:
5

### End of configuration x64,fullcode
#
### Start of configuration x64,default:
6

### End of configuration x64,default

Labels: -Pri-1 Pri-2
Only reproduces flakily. But looks like a Crankshaft issue.
Project Member Comment 3 by ClusterFuzz, Mar 8 2017

ClusterFuzz has detected this issue as fixed in range 43654:43655.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5819196467576832

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_staging
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,fullcode:x64,ignition_staging
  sources: 20a
  
Sanitizer: address (ASAN)

Regressed: V8: 42370:42371
Fixed: V8: 43654:43655

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97bpzfmZoCfbRo4dFR8jXATG-rljX0EsviErFlcqgnsKuR00qspSKLrE83897kHeIMXa8cz8i884f8NfTyRDUO7DRfqVJDGdTo8j-1Psz7McTfiKT11PJLIGt2b3NKyR6goMQl0hUzs9ZS3bJQI4yzlYWqKp6LNqJJMXVsDS1jRe6YWVCT-RDNBLKBCFwwEa1NhNt4h_f2chFU4FO77RGLfwlnSyUdUg6LNLCsaPOannbTjZ6rSlO6zzUMKR_TA3c2Me2DQ_Y6Z8KRYLqwerEnrWCKeTnMpMldoaSiOD3KzzOb724pIHaICeen6Tr37X1kbzJkTzkH_R0DBqbioChkKahKAsO0WrfDI1hhX4gxtUwlp9Jo?testcase_id=5819196467576832


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: -mstarzinger@chromium.org rmcilroy@chromium.org mstarzin...@chromium.org
Labels: -Pri-2 Pri-3
The flag negation implication CL seems to have an impact on those old issues.
https://chromium.googlesource.com/v8/v8/+/f774d8c56f00de92614886fc4cb541411eff7aa1

The real issue is still there, but we probably don't care.
Project Member Comment 5 by ClusterFuzz, Mar 8 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5819196467576832 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Available (was: Verified)
Labels: v8-foozzie-legacy
Status: WontFix (was: Available)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
