V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5614262511992832
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 243
Sanitizer: address (ASAN)
Regressed: V8: 45770:45771
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5614262511992832

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jul 21 2017
This is due to a non-callable callback function being applied to an empty array. In the inlined version we are missing the callability check according to section 22.1.3.10 step 3 of the spec.
function foo() { [].forEach(undefined); }
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
Jul 21 2017
Same applies to Array.prototype.map as well ...
function foo() { [].map(undefined); }
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
%OptimizeFunctionOnNextCall(foo);
assertThrows(foo, TypeError);
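As an added example (not code from this bug report or from V8 itself), the spec algorithm the two comments above point at, carried through as a reference forEach/map in which the IsCallable check sits ahead of the element loop, plus a foozzie-style differential check of the native built-ins against that reference. It goes beyond the two one-liners in the comments: it also covers non-empty arrays, holey arrays and non-callable objects. Every helper name here (toLength, specIterate, referenceForEach, referenceMap, outcome, differentialCheck) is the example's own, and the repeated-call warm-up is a stand-in for %OptimizeFunctionOnNextCall, which is only available under --allow-natives-syntax.

```javascript
// Added example, not code from the V8 bug report or from V8 itself: a
// spec-shaped reference implementation of Array.prototype.forEach/map in
// which the IsCallable check precedes the element loop (ES2017
// 22.1.3.10 step 3 and 22.1.3.16 step 3), and a foozzie-style
// differential check of the native built-ins against that reference.
// All function names here (toLength, specIterate, referenceForEach,
// referenceMap, outcome, sameOutcome, differentialCheck) are this
// example's own.

// ToLength(argument): NaN -> 0, clamp to [0, 2^53 - 1].
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Shared body of forEach and map in the order the spec gives: ToObject,
// ToLength, callability check, then the loop. Because the check comes
// before the loop, an empty receiver must still throw on a non-callable
// callback; an implementation that only checks inside the loop (the bug
// described above) silently returns instead.
function specIterate(arrayLike, callbackfn, thisArg, collect) {
  if (arrayLike == null) {
    throw new TypeError('Array.prototype method called on null or undefined');
  }
  const O = Object(arrayLike);
  const len = toLength(O.length);
  if (typeof callbackfn !== 'function') {
    throw new TypeError(`${String(callbackfn)} is not a function`);
  }
  const A = collect ? new Array(len) : undefined;
  for (let k = 0; k < len; k++) {
    if (k in O) {
      const v = callbackfn.call(thisArg, O[k], k, O);
      if (collect) A[k] = v;
    }
  }
  return A;
}

function referenceForEach(arrayLike, callbackfn, thisArg) {
  specIterate(arrayLike, callbackfn, thisArg, false);
}

function referenceMap(arrayLike, callbackfn, thisArg) {
  return specIterate(arrayLike, callbackfn, thisArg, true);
}

// Normalise "what happened" so a thrown TypeError and a returned value
// can be compared across implementations.
function outcome(fn) {
  try {
    return { threw: null, value: JSON.stringify(fn()) };
  } catch (e) {
    return { threw: e.constructor.name, value: undefined };
  }
}

function sameOutcome(a, b) {
  return a.threw === b.threw && a.value === b.value;
}

// Differential check in the spirit of foozzie: run each case through the
// native built-in repeatedly so the call site reaches optimized code
// (a stand-in for %OptimizeFunctionOnNextCall, which needs
// --allow-natives-syntax), and compare every run with the reference.
// Returns the list of mismatches; an empty list means native and
// reference agree for all cases before and after optimization.
function differentialCheck(iterations = 20000) {
  // Constructed test cases; the first two are the shape of the bug.
  const cases = [
    { name: 'empty array, undefined callback',  arr: [],        cb: undefined },
    { name: 'empty array, non-callable object', arr: [],        cb: {} },
    { name: 'non-empty, undefined callback',    arr: [1, 2, 3], cb: undefined },
    { name: 'non-empty, callable',              arr: [1, 2, 3], cb: (x) => x * 2 },
    { name: 'holey array, callable',            arr: [1, , 3],  cb: (x) => x + 1 },
  ];
  const mismatches = [];
  for (const c of cases) {
    const expected = {
      forEach: outcome(() => referenceForEach(c.arr, c.cb)),
      map: outcome(() => referenceMap(c.arr, c.cb)),
    };
    const native = {
      forEach: () => c.arr.forEach(c.cb),
      map: () => c.arr.map(c.cb),
    };
    for (const fn of ['forEach', 'map']) {
      for (let i = 0; i < iterations; i++) {
        const got = outcome(native[fn]);
        if (!sameOutcome(got, expected[fn])) {
          mismatches.push({ case: c.name, fn, iteration: i, got, expected: expected[fn] });
          break; // one report per case and function is enough
        }
      }
    }
  }
  return mismatches;
}

console.log(differentialCheck());
```

Run it with node; on an engine that carries the fix it prints an empty list. The iteration index in a mismatch record is what makes the report useful: a check that is present in the interpreter but elided after tier-up shows up as a mismatch that first appears at some iteration well above zero, which is exactly the before/after-optimization disagreement foozzie flags as a correctness failure.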
Jul 24 2017
Issue 747606 has been merged into this issue.
Jul 27 2017
I am cooking up a fix.
Jul 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/44f88dcd8734fcef1581d01c362fc66c977998ef

commit 44f88dcd8734fcef1581d01c362fc66c977998ef
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Thu Jul 27 14:49:58 2017

[turbofan] Fix missing callability check on Array callbacks

This fixes the second-order Array.prototype function {forEach} and {map} to now perform a callability check of the given callback function. For empty arrays it is observable whether such a check outside the loop has been elided or not.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-747062
BUG= chromium:747062

Change-Id: I1bbe7f44b3b3d18e9b41ad0436975434adf84321
Reviewed-on: https://chromium-review.googlesource.com/588893
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46942}

[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/escape-analysis.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/opcodes.h
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/simplified-operator.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/simplified-operator.h
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/typer.cc
[modify] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/src/compiler/verifier.cc
[add] https://crrev.com/44f88dcd8734fcef1581d01c362fc66c977998ef/test/mjsunit/regress/regress-crbug-747062.js
Jul 27 2017
Jul 28 2017
ClusterFuzz has detected this issue as fixed in range 46941:46942.

Detailed report: https://clusterfuzz.com/testcase?key=5614262511992832
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 243
Sanitizer: address (ASAN)
Regressed: V8: 45770:45771
Fixed: V8: 46941:46942
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5614262511992832

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 28 2017
ClusterFuzz testcase 5389368360697856 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by machenb...@chromium.org, Jul 21 2017
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Status: Available (was: Untriaged)