Issue 905457

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


V8 correctness failure in configs: x64,ignition:x64,slow_path

Project Member Reported by ClusterFuzz, Nov 14

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4921765505269760

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: a14
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56324:56325

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4921765505269760

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 14

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8ead5698180721fb2fa5254e0696aebc50cb7c27 ([turbofan] Unify handling of zeros.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

// Reduced repro:
function foo() {
  return Math.abs(Math.min(-{}, 18 ** -2941));
}
print(foo());
%OptimizeFunctionOnNextCall(foo);
print(foo());

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --suppress-asm-messages --random-seed 1743351996 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up
# Flags of x64,ignition_turbo:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --suppress-asm-messages --random-seed 1743351996
#
# Difference:
- NaN
+ 0
#
# Source file:
none
#
### Start of configuration x64,ignition:
NaN
NaN

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
NaN
0

### End of configuration x64,ignition_turbo
Components: -Blink>JavaScript Blink>JavaScript>Compiler
Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Nov 15

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a2f7867da7add4aec5b8a732ffdf97b2f21c6d73

commit a2f7867da7add4aec5b8a732ffdf97b2f21c6d73
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Thu Nov 15 12:32:03 2018

[turbofan] Preserve NaN properly for NumberMin and NumberMax.

When one of the inputs to NumberMin or NumberMax is NaN we need to
return NaN, ignoring whatever else was passed. Specifically we cannot
lower `NumberMin(x,y)` to `(x < y) ? x : y` if `x` can be NaN. So
limit this optimization to only perform the above lowering if we
know that `x` is an OrderedNumber and `y` is a PlainNumber (or if
the difference between zeros doesn't matter, an OrderedNumber as
well).

Bug: chromium:905457
Change-Id: If05f19255e14789ab0e277e072469c40e161b85b
Reviewed-on: https://chromium-review.googlesource.com/c/1337576
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57535}
[modify] https://crrev.com/a2f7867da7add4aec5b8a732ffdf97b2f21c6d73/src/compiler/simplified-lowering.cc
[add] https://crrev.com/a2f7867da7add4aec5b8a732ffdf97b2f21c6d73/test/mjsunit/regress/regress-crbug-905457.js

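As an added illustration (not code from V8, from the bug report, or from the commit above), the following Node.js script shows why the lowering named in the commit message, `NumberMin(x,y)` to `(x < y) ? x : y`, is unsafe when an input can be NaN, and why the difference between -0 and +0 also matters. It feeds the reduced repro from the earlier comment (`Math.abs(Math.min(-{}, 18 ** -2941))`) through both the naive lowering and the reference. `isOrderedNumber` and `isPlainNumber` are simplified stand-ins for V8's OrderedNumber and PlainNumber types, assumed here to mean "any Number except NaN" and "any Number except NaN and -0"; the real compiler reasons about the static type of each input, whereas these check concrete values. The guarded version takes the fast comparison only when both inputs are plain numbers, a deliberately conservative subset of the condition the commit describes, and otherwise falls back to the full semantics. The differential check at the end does in miniature what the foozzie fuzzer does: run a candidate against the reference over edge-case inputs and report every pair whose results are not identical.

```javascript
// Added illustration (not V8 code) of why NumberMin(x, y) cannot be lowered
// to (x < y) ? x : y unless the compiler knows the inputs are neither NaN
// nor (on the relevant side) -0.

// The unsafe lowering: every comparison involving NaN is false, so a NaN on
// the left silently selects y instead of propagating NaN.
function naiveMin(x, y) {
  return (x < y) ? x : y;
}

// Stand-ins for V8's type names (assumption, see the lead-in):
// OrderedNumber = any Number except NaN; PlainNumber = OrderedNumber except -0.
function isOrderedNumber(v) {
  return typeof v === "number" && !Number.isNaN(v);
}
function isPlainNumber(v) {
  return isOrderedNumber(v) && !Object.is(v, -0);
}

// Math.min semantics for two numbers, written out explicitly: NaN is
// propagated, and -0 is treated as smaller than +0.
function specMin(x, y) {
  if (Number.isNaN(x) || Number.isNaN(y)) return NaN;
  if (x === 0 && y === 0) {
    return (Object.is(x, -0) || Object.is(y, -0)) ? -0 : 0;
  }
  return (x < y) ? x : y;
}

// The guarded lowering: use the fast comparison only when both inputs are
// known to be plain numbers, otherwise keep the full semantics.
function guardedMin(x, y) {
  if (isPlainNumber(x) && isPlainNumber(y)) return naiveMin(x, y);
  return specMin(x, y);
}

// Constructed edge-case inputs. -{} evaluates to NaN and 18 ** -2941
// underflows to +0, which is exactly the pair the reduced repro uses.
const EDGE_INPUTS = [NaN, -0, 0, 1, -1, Infinity, -Infinity, -{}, 18 ** -2941];

// Differential check: compare a candidate against Math.min over all input
// pairs. Object.is is used because === cannot tell NaN from NaN or -0 from +0.
function findMismatches(candidate) {
  const mismatches = [];
  for (const x of EDGE_INPUTS) {
    for (const y of EDGE_INPUTS) {
      const expected = Math.min(x, y);
      const actual = candidate(x, y);
      if (!Object.is(expected, actual)) {
        mismatches.push({ x, y, expected, actual });
      }
    }
  }
  return mismatches;
}

// The reduced repro from the comment above, with the inner min swappable so
// the reference and the naive lowering can be compared directly.
function repro(minImpl) {
  return Math.abs(minImpl(-{}, 18 ** -2941));
}

console.log("repro with Math.min      :", repro(Math.min));
console.log("repro with naive lowering:", repro(naiveMin));
console.log("naive lowering mismatches:", findMismatches(naiveMin).length);
console.log("guarded lowering mismatches:", findMismatches(guardedMin).length);
for (const m of findMismatches(naiveMin).slice(0, 3)) {
  console.log("  e.g. min(" + m.x + ", " + m.y + ") expected " + m.expected + " got " + m.actual);
}
```

The first two lines of output reproduce the `- NaN` / `+ 0` difference in the fuzzer report: with the naive lowering, `Math.min(NaN, 0)` becomes 0 and `Math.abs(0)` is 0. The mismatch list also contains pairs such as (-0, +0), where the naive comparison returns +0 while Math.min must return -0, which is why the fix restricts one side to PlainNumber unless the truncation identifies the two zeros.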
Status: Fixed (was: Started)
Project Member

Comment 6 by ClusterFuzz, Nov 16

ClusterFuzz has detected this issue as fixed in range 57534:57535.

Detailed report: https://clusterfuzz.com/testcase?key=4921765505269760

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: a14
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=56324:56325
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57534:57535

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4921765505269760

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 16

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4921765505269760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.