V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4689042416074752
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 18b
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52798:52799
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4689042416074752

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
May 2 2018
// Minimizer didn't do a good job. Better repro:
function foo(x) {
  // Called with no argument below, so x is undefined: ToInt32(undefined) is 0 and
  // ToInt32(2147483648) wraps to -2147483648, giving x = -2147483648.
  x = x | 2147483648;
  // x + 65535 = -2147418113; parseInt("-2147418113", 8) stops at the first
  // non-octal digit ('8'), so only "-214741" is parsed, which is -72161.
  return Number.parseInt(x + 65535, 8);
}
print(foo());                     // interpreter (ignition): -72161
%OptimizeFunctionOnNextCall(foo); // d8 natives syntax; needs --allow-natives-syntax
print(foo());                     // optimized: -72161 expected, buggy TurboFan prints -2147418113
// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,ignition_turbo:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --suppress-asm-messages
#
# Difference:
- -72161
+ -2147418113
#
# Source file:
none
#
### Start of configuration x64,ignition:
-72161
-72161
### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
-72161
-2147418113
### End of configuration x64,ignition_turbo
May 2 2018
Thanks for the nice repro, fix in flight.
May 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d9c9b003531ce837d3c61b97fc23d8a41f15ef73

commit d9c9b003531ce837d3c61b97fc23d8a41f15ef73
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Wed May 02 12:24:07 2018

[turbofan] Fix wrong optimization of Number.parseInt

We incorrectly used a TurboFan typer check for {0,10,undefined} on the radix argument of Number.parseInt, which was internally widened to checking whether radix is in range 0-10 or undefined. This CL introduces two separate checks.

Bug: chromium:838766
Change-Id: I5ebfc1c82bad5b9794b4f844e79e4df01f541a83
Reviewed-on: https://chromium-review.googlesource.com/1039197
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52914}

[modify] https://crrev.com/d9c9b003531ce837d3c61b97fc23d8a41f15ef73/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/d9c9b003531ce837d3c61b97fc23d8a41f15ef73/src/compiler/type-cache.h
[add] https://crrev.com/d9c9b003531ce837d3c61b97fc23d8a41f15ef73/test/mjsunit/regress/regress-838766.js
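An added example, not code from this bug report or from V8: a small reference implementation of the Number.parseInt algorithm (ToString, trim, sign, radix handling, longest valid-digit prefix) used as an oracle to differentially check the engine's built-in Number.parseInt over the repro's input, in the spirit of the foozzie comparison above. It also shows why the lowering's shortcut "parseInt(x) is x" is only valid for radix 0, 10 or undefined: radix 8 stops at the first '8' and yields -72161. The names refParseInt, differentialCheck, identityRadices, REPRO_INPUT and RADICES are mine; the block runs under plain node with no d8 natives syntax.

```javascript
// Reference Number.parseInt following the ECMAScript steps. This is an
// illustrative oracle, not V8's implementation.
function refParseInt(value, radix) {
  // ToString, then strip leading whitespace.
  let s = String(value).replace(/^\s+/, "");
  let sign = 1;
  if (s[0] === "-" || s[0] === "+") {
    if (s[0] === "-") sign = -1;
    s = s.slice(1);
  }
  // ToInt32(radix); undefined behaves like 0.
  let r = radix === undefined ? 0 : radix | 0;
  let stripPrefix = true;
  if (r !== 0) {
    if (r < 2 || r > 36) return NaN;
    if (r !== 16) stripPrefix = false;
  } else {
    r = 10;
  }
  if (stripPrefix && /^0[xX]/.test(s)) {
    s = s.slice(2);
    r = 16;
  }
  // Consume the longest prefix of digits valid in radix r.
  const digits = "0123456789abcdefghijklmnopqrstuvwxyz".slice(0, r);
  let end = 0;
  while (end < s.length && digits.includes(s[end].toLowerCase())) end++;
  if (end === 0) return NaN;
  let n = 0;
  for (let i = 0; i < end; i++) n = n * r + digits.indexOf(s[i].toLowerCase());
  return sign * n;
}

// The value the repro feeds into parseInt: undefined | 2147483648 wraps to
// -2147483648 under ToInt32, then + 65535 gives -2147418113.
const REPRO_INPUT = (undefined | 2147483648) + 65535;

// Radices around the {0,10,undefined} set the typer check was meant to accept
// (my choice of sample radices; includes the range 0..10 it was widened to).
const RADICES = [undefined, 0, 1, 2, 8, 10, 11, 16, 36];

// Differential check: engine built-in vs. the reference oracle.
// Returns the list of radices where they disagree (empty on a correct engine).
function differentialCheck(value, radices) {
  const mismatches = [];
  for (const radix of radices) {
    const expected = refParseInt(value, radix);
    const actual = Number.parseInt(value, radix);
    if (!Object.is(expected, actual)) mismatches.push({ radix, expected, actual });
  }
  return mismatches;
}

// Radices for which parseInt(value) really is the identity for this integral
// value: only undefined, 0 and 10. Anything else (radix 8 here) must not be
// lowered to the input itself.
function identityRadices(value, radices) {
  return radices.filter((radix) => refParseInt(value, radix) === value);
}

console.log("mismatches:", differentialCheck(REPRO_INPUT, RADICES));
console.log("identity radices:", identityRadices(REPRO_INPUT, RADICES));
console.log("radix 8:", refParseInt(REPRO_INPUT, 8));
```

On a fixed engine the mismatch list is empty and the identity radices are exactly undefined, 0 and 10; a build with the faulty lowering would have returned -2147418113 for radix 8 from optimized code, which is precisely the disagreement the foozzie output above records.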
May 3 2018
ClusterFuzz has detected this issue as fixed in range 52913:52914.

Detailed report: https://clusterfuzz.com/testcase?key=4689042416074752
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 18b
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52798:52799
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52913:52914
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4689042416074752

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 3 2018
May 3 2018
ClusterFuzz testcase 4689042416074752 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 2 2018
Owner: sigurds@chromium.org
Status: Assigned (was: Untriaged)