UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36

Steps to reproduce the problem:
All is about one case inside Simulator::DecodeSpecialCondition function
src/v8/src/arm/sumilator-arm.cc@5220

Link: https://cs.chromium.org/chromium/src/v8/src/arm/simulator-arm.cc?rcl=d4e622d7a833d1fad110a5c8b5ded67695e27b43&l=5220

...
}
case Neon16: {
  uint16_t src[8];
  get_neon_register(Vm, src);
  for (int i = 0; i < 4; i++) {
    std::swap(src[i * 4], src[i * 4 + 3]);
    std::swap(src[i * 4 + 1], src[i * 4 + 2]);
  }
  set_neon_register(Vd, src);
  break;
}
case Neon8: {
...

Look at the for loop. Indexes are from range 0-15 while array size is only 8 (it is not neccesary to study this example: http://coliru.stacked-crooked.com/view?id=17345bf33c42b7c9 however I made this one to show what happens:))
OOB made!

What is the expected behavior?
I guess loop for this case should be like this:
for (int i = 0; i < 2; i++) {
    ...
}

What went wrong?
OOB happens

Did this work before? N/A 

Chrome version: 60.0.3112.78  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: 

Found during file inspection, not having any repro file.