The hunt for Chromium issue 1072171
ID: d000b27d-3161-5626-b9ce-c702dd5dd0d3
STIX ID: report--d000b27d-3161-5626-b9ce-c702dd5dd0d3
Feed Name: SensePost Blog
This blog post describes discovering and analyzing a V8 engine type-confusion vulnerability triggered by -0 values in Math.max/Math.min, which caused the TurboFan typer to lose the MinusZero type and produce incorrect optimized code (leading to crashes and divergent behavior after optimization). The author details the fuzzing setup (Fuzzilli, AFL++), the instrumentation steps used to target the typer, triage of the resulting crashes, debugger-assisted root-cause analysis in NumberMax/NumberMin, and the patch approach, which preserves -0 in the computed types so that the erroneous optimization is no longer applied.
