Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8ead5698180721fb2fa5254e0696aebc50cb7c27 ([turbofan] Unify handling of zeros.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/513a5bdd040815422ce74536f3415701af8a0ec4

commit 513a5bdd040815422ce74536f3415701af8a0ec4
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Thu Oct 04 09:13:18 2018

[turbofan] Fix Word32 (Signed32OrMinusZero) conversions that identify zeros.

When converting a Signed32\/MinusZero value from Word32 to Float64
representation or just passing it through as Word32 (with potential
type checks on it) we don't need to worry about -0 as long as the uses
identify 0 and -0.

Drive-by-fix: Fix the CheckChange() helper in the representation
changer test to pass Truncation::Any() by default.

Bug:  chromium:891639 ,  chromium:891612 ,  chromium:891627 , v8:8015, v8:8178
Change-Id: I06948ec0cdb8e778cb3678124ef927277a5f40ee
Reviewed-on: https://chromium-review.googlesource.com/c/1258902
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56369}
[modify] https://crrev.com/513a5bdd040815422ce74536f3415701af8a0ec4/src/compiler/representation-change.cc
[modify] https://crrev.com/513a5bdd040815422ce74536f3415701af8a0ec4/test/cctest/compiler/test-representation-change.cc
[add] https://crrev.com/513a5bdd040815422ce74536f3415701af8a0ec4/test/mjsunit/regress/regress-crbug-891627.js

ClusterFuzz has detected this issue as fixed in range 56368:56369.

Detailed report: https://clusterfuzz.com/testcase?key=5670166829203456

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  NumberModulus of kRepWord32 ((MinusZero | Range(-1, 0))) cannot be changed to kR
  v8::platform::PrintStackTrace
  v8::internal::compiler::RepresentationChanger::TypeError
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=56324:56325
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=56368:56369

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5670166829203456

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot