Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/03f203bdf35aff0da84f702b27a6ebb702e29cc8 ([foozzie] Fix Date proxy mocking).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

// Reduced repro:
function __f_3(x) {
  return 1e-1 * x;
}
function __f_2() {
  return Object.is(-0, __f_3(-1e-308));
}
__f_2();
%OptimizeFunctionOnNextCall(__f_2);
print(__f_2());


# Compared x64,ignition with x64,ignition_turbo
#
# Difference:
- false
+ true

Looks like this is something for compiler folks.

Clusterfuzz bisect is still pending the automatic minimization.

The division to check for minus zero in TurboFan is wrong for these edge cases.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/56f6a763c27d77afbee997a50baa34996e97ba40

commit 56f6a763c27d77afbee997a50baa34996e97ba40
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Nov 09 12:04:30 2018

[turbofan] Fix -0 check for subnormals.

Previously we'd check `x` for -0 by testing `(1.0 / x) == -Infinity`,
but this will yield the wrong results when `x` is a subnormal, i.e.
really close to 0.

In CSA we already perform bit checks to test for -0, so teach TurboFan
to do the same for comparisons to -0 (via `Object.is`). We introduce a
new NumberIsMinusZero simplified operator to handle the case where
SimplifiedLowering already knows that the input is a number.

Bug:  chromium:903043 ,  v8:6882 
Change-Id: I0cb7c568029b461a92fc183104d5f359b4bfe7f4
Reviewed-on: https://chromium-review.googlesource.com/c/1328802
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57382}
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/opcodes.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-operator.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/simplified-operator.h
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/typer.cc
[modify] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/src/compiler/verifier.cc
[add] https://crrev.com/56f6a763c27d77afbee997a50baa34996e97ba40/test/mjsunit/regress/regress-crbug-903043.js

ClusterFuzz has detected this issue as fixed in range 57381:57382.

Detailed report: https://clusterfuzz.com/testcase?key=6059329424457728

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 927
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51538:51539
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57381:57382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6059329424457728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6059329424457728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.