Representation selection picks TaggedSigned for NumberConstant 0.1 with this simplified repro:

===========================================================================
// Flags: --allow-natives-syntax

function foo(a) {
  this.a = a;
  // Note that any call would do, it doesn't need to be %MaxSmi()
  this.x = this.a + %MaxSmi();
}
for (var i = 0; i < 3; i++) {
  new foo(i + 2);
  if (i === 2) %OptimizeOsr();
}
for (var i = 0.1; i < 1.1; i++) {
  new foo(i);
}
===========================================================================

Needs some hammering.

ClusterFuzz has detected this issue as fixed in range 42755:42756.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5625300693286912

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsSmiDouble(constant.ToFloat64()) in code-generator.cc
  
Sanitizer: address (ASAN)

Regressed: V8: 41057:41058
Fixed: V8: 42755:42756

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94rEjQWACIYr57hMlOEY16jQesroNAngsZ3-5F2jg1XXHnbNeqNwW5Lip2fgORm45DloefMY7AEEFu6_CjJS2VIaRIMymRtkepNsEwDyAqzBrByxMW1SWmUr6N6vRL5rZcSHjxZImbh6T3DNENLJ4LSdwrSnw?testcase_id=5625300693286912
var __v_2 = {};
try {
(function() {
}());
} catch(e) {; }
function __f_0(a, b) {
  this.a = a;
  this.x = this["a"] + this[__v_2];
}
for (var __v_0 = -1073741825; __v_0 < 1073741823; __v_0++) {
  var __v_3 = new __f_0( __v_0 + 2);
}
for (var __v_0 = 0.25; __v_0 < 6.25; __v_0++) {
  var __v_3 = new __f_0(__v_0);
}


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5625300693286912 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.