
Issue 906870


Issue metadata

Status: Verified
Owner:
Closed: Nov 21
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Nov 19

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4877602269167616

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 05c
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57534:57535

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877602269167616

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 20

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/a2f7867da7add4aec5b8a732ffdf97b2f21c6d73 ([turbofan] Preserve NaN properly for NumberMin and NumberMax.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
// Repro:
function __f_0() {
  print(Infinity / Math.min(-0, +0));
}
__f_0();
%OptimizeFunctionOnNextCall(__f_0);
__f_0();

// Output:
# Difference:
- -Infinity
+ Infinity
#
### Start of configuration x64,ignition:
-Infinity
-Infinity

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
-Infinity
Infinity

### End of configuration x64,ignition_turbo

Fix in flight already.
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 20

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/154cb3f3182fcb4277021c4794e53a936758ba7d

commit 154cb3f3182fcb4277021c4794e53a936758ba7d
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Tue Nov 20 11:00:41 2018

[turbofan] Properly turn `Number.min(-0,+0)` into `-0`.

Previously the simplified operation `Number.min(x,y)` would lower to
`Select(Float64LessThan(x, y), x, y)` which would yield `y` when both
`x` and `y` are zeros, specifically when `x` was -0 and `y` was +0.
For `NumberMin` we need to use `Float64LessThanOrEqual` since we
generally allow -0 on the left hand side (in SimplifiedLowering).

Bug:  chromium:906870 
Change-Id: I25ae8fb19608b77c90ed130e69d9d9fa93fcea9d
Reviewed-on: https://chromium-review.googlesource.com/c/1342920
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57633}
[modify] https://crrev.com/154cb3f3182fcb4277021c4794e53a936758ba7d/src/compiler/simplified-lowering.cc
[add] https://crrev.com/154cb3f3182fcb4277021c4794e53a936758ba7d/test/mjsunit/regress/regress-crbug-906870.js
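
A model of the two lowerings named in the commit message above, written as an added example that is not part of the issue thread or of V8's source. The names `select`, `minLessThan`, `minLessThanOrEqual`, `divergences` and `reproValue` are hypothetical, the inputs are constructed, and NaN is left out on purpose. The model shows the strict comparison picking `+0` for `min(-0, +0)`, and the non-strict one being correct only while `-0` can appear on the left-hand side alone.

```javascript
// Added model of the two lowerings named in the commit message; not V8 source.
// All function names here are hypothetical.
const select = (cond, a, b) => (cond ? a : b);

// Lowering before the fix: Select(Float64LessThan(x, y), x, y)
const minLessThan = (x, y) => select(x < y, x, y);

// Lowering after the fix: Select(Float64LessThanOrEqual(x, y), x, y)
const minLessThanOrEqual = (x, y) => select(x <= y, x, y);

// Constructed inputs: ordered (non-NaN) numbers, including both zeros.
const SAMPLES = [-Infinity, -1.5, -0, 0, 1.5, Infinity];

// Label a value so that -0 and +0 print differently.
const show = (v) => (Object.is(v, -0) ? "-0" : String(v));

// Return every (x, y) pair where `lowered` disagrees with Math.min.
// Object.is is used because === treats -0 and +0 as equal.
function divergences(lowered) {
  const out = [];
  for (const x of SAMPLES) {
    for (const y of SAMPLES) {
      const expected = Math.min(x, y);
      const actual = lowered(x, y);
      if (!Object.is(expected, actual)) {
        out.push(
          `min(${show(x)}, ${show(y)}): expected ${show(expected)}, got ${show(actual)}`
        );
      }
    }
  }
  return out;
}

// The repro's expression, evaluated through a chosen lowering.
const reproValue = (lowered) => Infinity / lowered(-0, +0);

console.log("LessThan:", divergences(minLessThan), reproValue(minLessThan));
console.log(
  "LessThanOrEqual:",
  divergences(minLessThanOrEqual),
  reproValue(minLessThanOrEqual)
);
```

Dividing `Infinity` by the result, as the repro does, is what turns the sign of the zero into an observable `-Infinity` versus `Infinity` difference between configurations.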

Project Member

Comment 6 by ClusterFuzz, Nov 21

ClusterFuzz has detected this issue as fixed in range 57632:57633.

Detailed report: https://clusterfuzz.com/testcase?key=4877602269167616

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 05c
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57534:57535
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57632:57633

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4877602269167616

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 21

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4877602269167616 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
