ho->GetHeap()->Contains(ho) in objects-debug.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6124514551529472

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  ho->GetHeap()->Contains(ho) in objects-debug.cc

Regressed: V8: r30120:30121

Minimized Testcase (0.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nA8mtjWqZ4cp_Ye1NhuQl1FK3f8M0z-CSO5zT005eHyg5U40yUj7RBHvTT7XPXa8uN5B8B-_9xf_0U83wAUJ3FVw2oSmsaNFSVv-FdI7sEbtUlBVkVEy6s6cm9zfrMvctTrbTCKCExaeAgG_T6WL2NXEiYA?testcase_id=6124514551529472

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 4 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/acd674db100339f1364358825763b2021c814ad9

commit acd674db100339f1364358825763b2021c814ad9
Author: ishell <ishell@chromium.org>
Date: Mon Jul 04 09:58:22 2016

[crankshaft] Use canonical nan_value or minus_zero_value objects instead of constant heap numbers with NaN or -0.0 values.

BUG= chromium:625547
Review-Url: https://codereview.chromium.org/2115413002
Cr-Commit-Position: refs/heads/master@{#37495}

[modify] https://crrev.com/acd674db100339f1364358825763b2021c814ad9/src/crankshaft/hydrogen-instructions.cc
[add] https://crrev.com/acd674db100339f1364358825763b2021c814ad9/test/mjsunit/regress/regress-crbug-625547.js
Jul 4 2016
Jul 4 2016
Jul 4 2016
ClusterFuzz has detected this issue as fixed in range 37494:37495.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6124514551529472

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  ho->GetHeap()->Contains(ho) in objects-debug.cc

Regressed: V8: r30120:30121
Fixed: V8: r37494:37495

Minimized Testcase (0.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nA8mtjWqZ4cp_Ye1NhuQl1FK3f8M0z-CSO5zT005eHyg5U40yUj7RBHvTT7XPXa8uN5B8B-_9xf_0U83wAUJ3FVw2oSmsaNFSVv-FdI7sEbtUlBVkVEy6s6cm9zfrMvctTrbTCKCExaeAgG_T6WL2NXEiYA?testcase_id=6124514551529472

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jul 4 2016
Status: Assigned (was: Available)