Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/516c25b412d57003d7d406d637f2de26591bd876 ([turbofan] Move Number.isFinite to JSCallReducer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/21dad34f9320af14353014371af287975ca33b68

commit 21dad34f9320af14353014371af287975ca33b68
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Mar 19 09:50:52 2018

[turbofan] Don't treat INFINITY as integer

The fast-path of Number.isInteger and Number.isFinite
both returned true for (-)INFINITY, because kInteger
in the type cache includes both infinities. This CL
uses kSafeInteger range to statically optimize those
two operators.

Bug:  chromium:823151 ,  chromium:823100 
Change-Id: Icab7f305e8c38f25a4b34b88414f0b515bd7a0fb
Reviewed-on: https://chromium-review.googlesource.com/968201
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52010}
[modify] https://crrev.com/21dad34f9320af14353014371af287975ca33b68/src/compiler/simplified-lowering.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dfc2805ccf7e9fc6795191d0431ed87ba28e37d4

commit dfc2805ccf7e9fc6795191d0431ed87ba28e37d4
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Mar 19 11:44:56 2018

[turbofan] Add test for Number.{isFinite,isInteger} inlining

This adds variants of tests already in our test-suite that
exercise inlining fast-paths of Number.{isFinite,isInteger}.

Bug:  chromium:823151 ,  chromium:823100 
Change-Id: Ibf1192b1325fb4f015acea94053fd51a7a7811a9
Reviewed-on: https://chromium-review.googlesource.com/968361
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52021}
[add] https://crrev.com/dfc2805ccf7e9fc6795191d0431ed87ba28e37d4/test/mjsunit/compiler/number-isfinite-inl.js
[add] https://crrev.com/dfc2805ccf7e9fc6795191d0431ed87ba28e37d4/test/mjsunit/compiler/number-isinteger-inl.js

ClusterFuzz has detected this issue as fixed in range 52009:52010.

Detailed report: https://clusterfuzz.com/testcase?key=5762459114405888

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 9c0
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51979:51980
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52009:52010

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5762459114405888

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5762459114405888 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.