Points to https://chromium.googlesource.com/v8/v8/+/f0e7a3174e4470d04c923db577c6b238b2d20f09

Benedikt, PTAL

// Note this repros with:

var v = 1;
function __f_7() {
  print(Math.floor(-v / 125));
}
__f_7();
%OptimizeFunctionOnNextCall(__f_7);
__f_7();

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --validate-asm
#
# Difference:
- -1
+ 0
#
# Source file:
none
#
### Start of configuration x64,ignition:
-1
-1

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
-1
0

### End of configuration x64,ignition_turbo

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/18be5d7057d794dbe3b663dfc17d3e512f2b55e3

commit 18be5d7057d794dbe3b663dfc17d3e512f2b55e3
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Mar 09 13:41:39 2017

[turbofan] Revert invalid optimization of flooring division.

The optimization

  NumberFloor(NumberDivide(lhs, rhs))

to

  NumberToInt32(NumberDivide(lhs, rhs))

for potentially negative lhs is not valid, since Math.floor rounds
towards -infinity, whereas ToInt32 truncates.

BUG= chromium:699282 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2743673002
Cr-Commit-Position: refs/heads/master@{#43699}

[modify] https://crrev.com/18be5d7057d794dbe3b663dfc17d3e512f2b55e3/src/compiler/typed-optimization.cc
[add] https://crrev.com/18be5d7057d794dbe3b663dfc17d3e512f2b55e3/test/mjsunit/regress/regress-crbug-699282.js

 Issue 699971  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 43698:43699.

Detailed report: https://clusterfuzz.com/testcase?key=6026948817190912

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: ff5
  
Sanitizer: address (ASAN)

Regressed: V8: 43641:43642
Fixed: V8: 43698:43699

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94kU6t-vk52o_owElYnAoHupFTGnmdj9ZuZ94IleD95WzwnVMNjXUqdpQqRnm1Cx7PqAPU2EMJ9lsxGq8mGrbwhb5do6-PF08hFVa8a3ZmisvYs3gkkBDXhRtrIdO3z5bDZ5_IsQ8tGm9pjpznGiTjCvocf18u5qXeoMaDDXdDQsXr4pSBjwIDlVLxMXlNxG6i6sBjIOK90fPnx5NFs386rMSMQy3KlX6jST888epfPIYPMEFM7CsUfPpFmn_4scoOTSamU0brDnnJoBVaTukRsqRUCorA13AOKDdC8vM5LZ-ERP7CUTNZjt-7ZaDWdLnX08rC_-vBls72tUFcBUsm3jaajcmjHWI49-ErCQpPcMTzGdUE?testcase_id=6026948817190912


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6026948817190912 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.