
Issue 734162 link

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




V8 correctness failure in configs: x64,ignition:ia32,ignition

Project Member Reported by ClusterFuzz, Jun 16 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6721976394842112

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: 2ed
  
Sanitizer: address (ASAN)

Regressed: V8: 45974:45975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6721976394842112


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)
// Bisects to: https://chromium.googlesource.com/v8/v8/+/015edc60ff86b51a4bbf9ce11732ee5bb36245b2
// Repro:
var __v_0 = {};
function __f_0(constructor, closure) {
  var __v_2 = { value:-2147483648 };
  __v_4 = closure(constructor, 1073741823, __v_0, __v_2);
  print(__v_2.value);
}
function __f_1(constructor, val, deopt, __v_2) {
  if (!new constructor(val, deopt, __v_2)) {
  }
}
function __f_10(constructor) {
  __f_0(constructor, __f_1);
  __f_0(constructor, __f_1);
  __f_0(constructor, __f_1);
}
function __f_12(val, deopt, __v_2) {
  __v_2.value++;
}
__f_10(__f_12);

// Output:
# Compared x64,ignition with ia32,ignition
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --noopt
# Flags of ia32,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --noopt
#
# Difference:
- -2147483647
+ -2147483646
#
# Source file:
none
#
### Start of configuration x64,ignition:
-2147483647
-2147483647
-2147483647

### End of configuration x64,ignition
#
### Start of configuration ia32,ignition:
-2147483647
-2147483647
-2147483646

### End of configuration ia32,ignition

Note, the commit is also in a reverted V8 roll that causes test failures on ia32 only:
https://chromium-review.googlesource.com/c/538440/
Issue 734185 has been merged into this issue.
Issue 734305 has been merged into this issue.
Issue 734338 has been merged into this issue.
Issue 734343 has been merged into this issue.
Issue 734359 has been merged into this issue.
Issue 734411 has been merged into this issue.
Issue 734416 has been merged into this issue.
Issue 734429 has been merged into this issue.
Issue 734503 has been merged into this issue.
Issue 734320 has been merged into this issue.
Issue 734655 has been merged into this issue.
Issue 734659 has been merged into this issue.
Issue 734842 has been merged into this issue.
[literals] Perform a deep boilerplate copy for MutableHeapNumber fields

Bug: chromium:734162, chromium:734051, v8:6211
Change-Id: I5c3e7578e9278b8f19ff16ad4d963f490dcc6c8c
Reviewed-on: https://chromium-review.googlesource.com/541415
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46033}
Status: Fixed (was: Assigned)
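The repro above and the title of the fix commit point at a boilerplate-copy defect: an object literal's non-Smi field lived in a MutableHeapNumber that the copied instances shared. As an added illustration (not V8 code), the JavaScript below models such a boilerplate with a mutable box and contrasts the shallow copy with the deep copy the fix introduces; the Smi widths per architecture and all helper names are assumptions of the model.

```javascript
// Added illustration, not V8 source: a minimal model of copying an object-literal
// boilerplate. A shared MutableHeapNumber box lets "value++" on one instance leak
// into later ones; a deep copy (the fix in the commit above) stops that.
// Assumption: Smis are 31-bit on ia32 and 32-bit on x64, so -2147483648 is a Smi
// on x64 but a boxed heap number on ia32.
const SMI_BITS = { ia32: 31, x64: 32 };

// Stand-in for V8's MutableHeapNumber: a mutable box holding a double.
class MutableHeapNumber { constructor(v) { this.v = v; } }

function isSmi(n, arch) {
  const half = 2 ** (SMI_BITS[arch] - 1);
  return Number.isInteger(n) && n >= -half && n < half;
}

// Boilerplate for the literal `{ value: n }`: non-Smi numbers are boxed.
function makeBoilerplate(n, arch) {
  return { value: isSmi(n, arch) ? n : new MutableHeapNumber(n) };
}

// Buggy copy: the field reference is copied, so the box is shared.
function shallowCopy(bp) { return { value: bp.value }; }

// Fixed copy: a MutableHeapNumber field gets its own box.
function deepCopy(bp) {
  const f = bp.value;
  return { value: f instanceof MutableHeapNumber ? new MutableHeapNumber(f.v) : f };
}

function read(obj) { return obj.value instanceof MutableHeapNumber ? obj.value.v : obj.value; }

// `value++` on a boxed field updates the box in place; a Smi is replaced.
function increment(obj) {
  if (obj.value instanceof MutableHeapNumber) obj.value.v += 1;
  else obj.value += 1;
}

// The repro's loop: instantiate the literal three times, increment each
// instance once, and collect what `print(__v_2.value)` would show.
function runRepro(arch, copy) {
  const bp = makeBoilerplate(-2147483648, arch);
  const out = [];
  for (let i = 0; i < 3; i++) {
    const inst = copy(bp);
    increment(inst);
    out.push(read(inst));
  }
  return out;
}
```

The model shares the box from the first instance on, so its ia32 trace starts drifting one run earlier than the page's output, which only diverges on the third call.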
Project Member Comment 18 by ClusterFuzz, Jun 21 2017

ClusterFuzz has detected this issue as fixed in range 46032:46033.

Detailed report: https://clusterfuzz.com/testcase?key=6721976394842112

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: 2ed
  
Sanitizer: address (ASAN)

Regressed: V8: 45974:45975
Fixed: V8: 46032:46033

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6721976394842112


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
