// Parts of this attributes to stable vs. non-stable sorting but the following repro might hide another bug. It's strange that we see -1 twice in the 64 bits version:

Object.prototype[1] = -1;
Object.prototype.length = 2;
Object.prototype.sort = Array.prototype.sort;
__v_1 = {1073741824:0};

var count = 0;
function a(x,y){
  count++;
  return x - y;
}
__v_1.sort(a);

print("Count: " + count)
print(__v_1[0]);
print(__v_1[1]);
print(__v_1[2]);
print(__v_1[1073741824]);

// Output:
# Compared x64,ignition_turbo with ia32,ignition_turbo
#
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo
# Flags of ia32,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo
#
# Difference:
- -1
+ undefined
#
### Start of configuration x64,ignition_turbo:
Count: 0
-1
-1
undefined
0

### End of configuration x64,ignition_turbo
#
### Start of configuration ia32,ignition_turbo:
Count: 0
-1
undefined
undefined
0

### End of configuration ia32,ignition_turbo

ClusterFuzz has detected this issue as fixed in range 46872:46873.

Detailed report: https://clusterfuzz.com/testcase?key=6496755054280704

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition_turbo:ia32,ignition_turbo
  sources: cb4
  
Sanitizer: address (ASAN)

Fixed: V8: 46872:46873

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6496755054280704


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6496755054280704 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.