CHECK failure: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5443705157976064
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=469616:469622
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5443705157976064

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 9 2017
Reduced the repro to this:
------------------------------------------
function baz(a, b) {
  for (var i = 0; i < a.length; i++) {
    // Element loads from both arguments at the same site.
    if (a[i], b[i]) return false;
  }
}
function bar(expected, found) {
  if (!baz(found, expected)) {
  }
};
// Warm up with a tagged array and a holey double array.
bar([{}, 6, NaN], [1.8, , NaN]);
function foo() {
  var a = [1,2,3,4];
  bar(a.length, a.length);
}
foo();
foo();
// Natives syntax: run in d8 with --allow-natives-syntax.
%OptimizeFunctionOnNextCall(foo);
foo();
------------------------------------------
This is actually dead code; the LoadElimination combines LoadElement[kFloat64] and LoadElement[kTagged] for an element of type Number/Hole, but the RepresentationChanger doesn't support converting a float64 value with this type to a tagged value yet.
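As an added illustration (not part of the bug thread or of V8's code), the following is a simplified model of how V8 picks an array's elements kind and, from it, the representation a compiler would use for an element load; it shows why the two array literals in the reduced repro reach the same `a[i]`/`b[i]` site with a Float64 load and a Tagged load. The names `elementsKind`, `loadRepresentation` and `reproRepresentations` and the smi-range constants are this example's own, and real V8 has more kinds and transition rules than modelled here.

```javascript
// Added example: a toy model of V8's array elements kinds (not V8 code).
// Real V8 has more kinds and transitions; this covers the repro's literals.
const SMI_MIN = -(2 ** 30), SMI_MAX = 2 ** 30 - 1;  // assumed 31-bit smi range

function isSmi(v) {
  return Number.isInteger(v) && v >= SMI_MIN && v <= SMI_MAX && !Object.is(v, -0);
}

// Classify an array literal. A missing index (a hole) makes the kind HOLEY,
// so an element load must check for the hole marker and yield undefined.
function elementsKind(arr) {
  let holey = false, allSmi = true, allNumber = true;
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) { holey = true; continue; }
    const v = arr[i];
    if (typeof v !== 'number') { allSmi = false; allNumber = false; }
    else if (!isSmi(v)) allSmi = false;
  }
  const base = allSmi ? 'SMI_ELEMENTS' : allNumber ? 'DOUBLE_ELEMENTS' : 'ELEMENTS';
  return (holey ? 'HOLEY_' : 'PACKED_') + base;
}

// Representation of a LoadElement from that kind: double arrays store
// unboxed float64 values, every other kind stores tagged values.
function loadRepresentation(kind) {
  return kind.endsWith('DOUBLE_ELEMENTS') ? 'kRepFloat64' : 'kRepTagged';
}

// The two arguments from the repro that baz() loads elements from.
const found = [1.8, , NaN];     // hole at index 1, otherwise doubles
const expected = [{}, 6, NaN];  // the object forces tagged storage

function reproRepresentations() {
  return [found, expected].map(a => loadRepresentation(elementsKind(a)));
}
// returns ["kRepFloat64", "kRepTagged"]: one loop body, two representations,
// which is the mix the fix teaches LoadElimination not to combine.
```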
May 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d412cade2a889f6b208c7c7c078209ea81538013

commit d412cade2a889f6b208c7c7c078209ea81538013
Author: bmeurer <bmeurer@chromium.org>
Date: Tue May 09 10:16:13 2017

[turbofan] Don't mix element accesses with incompatible representations.

Due to speculative optimizations, the compiler can run into situations where it's asked to perform impossible operations, like loading a tagged element as a float64 instead. All of this is guaranteed to be in dead code (unless there's a bug), but leads to confusion and violates assumptions in the compiler (that make perfect sense for code that is not dead). So teach LoadElimination not to mix up element accesses with incompatible representations.

BUG= chromium:719479
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2866233002
Cr-Commit-Position: refs/heads/master@{#45185}

[modify] https://crrev.com/d412cade2a889f6b208c7c7c078209ea81538013/src/compiler/load-elimination.cc
[modify] https://crrev.com/d412cade2a889f6b208c7c7c078209ea81538013/src/compiler/load-elimination.h
[add] https://crrev.com/d412cade2a889f6b208c7c7c078209ea81538013/test/mjsunit/regress/regress-crbug-719479.js
May 11 2017

ClusterFuzz has detected this issue as fixed in range 470461:470489.

Detailed report: https://clusterfuzz.com/testcase?key=5443705157976064
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: LoadElement of kRepFloat64 (NumberOrHole) cannot be changed to kRepTagged in rep
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=469616:469622
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=470461:470489
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5443705157976064

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 11 2017

ClusterFuzz testcase 5443705157976064 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by bmeu...@chromium.org, May 9 2017. Status: Assigned (was: Untriaged)