
Issue 694709

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Feb 21 2017

Issue description

Cc: bmeu...@chromium.org jarin@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
This looks interesting, I'll investigate ...
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)
Probably a dupe of issue 694492. Please check also that one.
Note that range detection claims it's introduced by:
https://chromium.googlesource.com/v8/v8/+/fc3312255f44eefac0677a9c0267095858c7c799
Reduced repro ...

// Run with d8 --allow-natives-syntax; assertEquals comes from the mjsunit harness.
function f(primitive) {
  return primitive.__proto__;  // invokes the Object.prototype.__proto__ getter on a primitive receiver
}
assertEquals(Number.prototype, f(0));
assertEquals(Symbol.prototype, f(Symbol()));
%OptimizeFunctionOnNextCall(f);
assertEquals(Symbol.prototype, f(Symbol()));  // TurboFan-compiled call: yielded null before the fix
Owner: mstarzinger@chromium.org
Re comment #3: Nah, that is a red herring, the "refactoring" in that CL just made the analysis more powerful and apply to more cases. It flushed out an existing bug.
Issue 694492 has been merged into this issue.
Project Member

Comment 8 by bugdroid1@chromium.org, Feb 22 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/beb94c5e874706734732851bc9f4ae177c553b6b

commit beb94c5e874706734732851bc9f4ae177c553b6b
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Feb 22 15:07:49 2017

[turbofan] Fix Object.prototype.__proto__ getter reduction.

This fixes a corner-case where the call reduction of the aforementioned
getter did not simulate the {ToObject} conversion of the receiver value
as required by the spec. This caused the wrong prototype to be constant
promoted (i.e. {null} instead of wrapper object prototype).

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-694709
BUG=chromium:694709

Change-Id: Idf3a37071949d9ddaf5ef43974570c06fd31c0c9
Reviewed-on: https://chromium-review.googlesource.com/445818
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43376}
[modify] https://crrev.com/beb94c5e874706734732851bc9f4ae177c553b6b/src/compiler/js-call-reducer.cc
[add] https://crrev.com/beb94c5e874706734732851bc9f4ae177c553b6b/test/mjsunit/regress/regress-crbug-694709.js

Status: Fixed (was: Assigned)
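An added example, not code from this thread or from V8 itself: a spec-style reference model of the Object.prototype.__proto__ getter (ToObject on the receiver, then [[GetPrototypeOf]]), used as an oracle against what the running engine returns for each receiver kind, plus a hot loop in the shape of the reduced repro so the optimizing compiler gets a chance to kick in. The receiver table and iteration count are constructed for the example.

```javascript
// Reference model of the Object.prototype.__proto__ getter as the spec defines
// it: ToObject(receiver) first, then [[GetPrototypeOf]]. A primitive receiver
// therefore yields its wrapper object's prototype, and null/undefined throw.
function expectedProto(receiver) {
  if (receiver === null || receiver === undefined) {
    throw new TypeError("ToObject: cannot convert null or undefined to object");
  }
  return Object.getPrototypeOf(Object(receiver));
}

// What the engine actually returns when the getter runs on that receiver
// (the same accessor the reduced repro's `primitive.__proto__` invokes).
function actualProto(receiver) {
  const getter = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__").get;
  return getter.call(receiver);
}

// Normalise "returns X" and "throws E" into one comparable value.
function outcome(fn, receiver) {
  try { return fn(receiver); } catch (e) { return e.constructor; }
}

// Compare model and engine over labelled receivers; returns the mismatches.
// An empty result means the getter behaves as the spec requires.
function checkProtoGetter(receivers) {
  const mismatches = [];
  for (const [label, r] of receivers) {
    const expected = outcome(expectedProto, r);
    const actual = outcome(actualProto, r);
    if (expected !== actual) mismatches.push({ label, expected, actual });
  }
  return mismatches;
}

// Re-run the repro's shape hot enough for the optimizing compiler to kick in,
// checking every call, since the original bug only showed in TurboFan code.
function hotLoopCheck(iterations) {
  function f(primitive) { return primitive.__proto__; }
  for (let i = 0; i < iterations; i++) {
    if (f(0) !== Number.prototype) return false;
    if (f(Symbol()) !== Symbol.prototype) return false;
  }
  return true;
}

// Constructed sample receivers: every primitive kind, null/undefined, objects.
const SAMPLE_RECEIVERS = [
  ["number", 0], ["string", "s"], ["boolean", true], ["symbol", Symbol("x")],
  ["bigint", 10n], ["null", null], ["undefined", undefined],
  ["object", {}], ["null-proto object", Object.create(null)],
];
```

Running checkProtoGetter(SAMPLE_RECEIVERS) under an affected build with the function hot would surface a symbol or number receiver whose actual value is null while the model says Symbol.prototype or Number.prototype.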
Project Member

Comment 10 by ClusterFuzz, Feb 23 2017

ClusterFuzz has detected this issue as fixed in range 43375:43376.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5797767248347136

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: b7e

Sanitizer: address (ASAN)

Regressed: V8: 43317:43318
Fixed: V8: 43375:43376

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94d8AO7OAwKUT4Q1mshTAmVVKS51TT6aj6U85Yc-Jz6IOgEalMENMGwJ4LDTXSo0iEk5fNKpNL49Aq3ZKsjf-5B5lFy6q1bfev8DEGzHdnTk7abbWRr9dr7R9NjAx7RWXWq7tTSuqBLUkiN4GNb4pINdpoE8M9pAIzIaKQvZPMAbnQdsmRBwE1SzFWAHN98o2JmD7YwWAueuRvUiQOvrTvnpjr3nvMrAVXuX-3K0KFGc3H1NArKO6J5G8rZk5Y3HH6E51tL_qm8NDrPK0297xKUFIpK83ITDbvzaBpqB6FhNdk9LAUz43BKqAvCEYeF9rRNhRrMYwuMFbUDs-xZEvyCBjLLCNIZ05mNqJuEzD1DpUme9bz4pGriQeMkQoNouUCU_lvFt1d_wDXqNbTn4XlPYlZ-vg?testcase_id=5797767248347136


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.