[wasm] Track in the interpreter if a NaN could have been produced.

test/fuzzer/wasm-code.cc

Index: test/fuzzer/wasm-code.cc
diff --git a/test/fuzzer/wasm-code.cc b/test/fuzzer/wasm-code.cc
index 5a8261685a904976aeddc66f6d03c2b75ce4915e..3f010fbb51a84c1e3d0759a8a601fbf99f66196b 100644
--- a/test/fuzzer/wasm-code.cc
+++ b/test/fuzzer/wasm-code.cc
@@ -63,10 +63,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     return 0;
   }
   int32_t result_interpreted;
+  bool may_produced_nan = false;
   {
     WasmVal args[] = {WasmVal(1), WasmVal(2), WasmVal(3)};
-    result_interpreted = testing::InterpretWasmModule(
-        i_isolate, &interpreter_thrower, module.get(), 0, args);
+    result_interpreted =
+        testing::InterpretWasmModule(i_isolate, &interpreter_thrower,
+                                     module.get(), 0, args, &may_produced_nan);
   }
 
   ErrorThrower compiler_thrower(i_isolate, "Compiler");
@@ -93,7 +95,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     CHECK(i_isolate->has_pending_exception());
     i_isolate->clear_pending_exception();
   } else {
-    if (result_interpreted != result_compiled) {
+    // The WebAssembly spec allows the sign bit of NaN to be non-deterministic.
+    // This sign bit may cause result_interpreted to be different than
+    // result_compiled. Therefore we do not check the equality of the results
+    // if the execution may have produced a NaN at some point.
+    if (!may_produced_nan && (result_interpreted != result_compiled)) {
       V8_Fatal(__FILE__, __LINE__, "WasmCodeFuzzerHash=%x",
                v8::internal::StringHasher::HashSequentialString(
                    data, static_cast<int>(size), WASM_CODE_FUZZER_HASH_SEED));