index2 <= length in src/compiler/x64/code-generator-x64.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5488816483205120

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  index2 <= length in src/compiler/x64/code-generator-x64.cc

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv965psTZgEZYOIB7ltV_yWfvUkuFy3rUHsZFuuqDovkEd1f9A_rgqGRHq1Elo0HL1MhOxpkXn6jv3cRx1TYsXVN1GCOG5pUdt8o7hcpGQaPfapWTQQzJJ43jZjDlC0UcekBK6DRRGWHc_60a0AuW9d_mZYe7Nw

function __f_61(stdlib, buffer) {
  "use asm";
  var __v_14 = new stdlib.Float64Array(buffer);
  function __f_74() {
    var __v_35 = 6.0;
    __v_14[2] = __v_35 + 1.0;
  }
  return {__f_74: __f_74};
}
// 2 GiB (2^31 byte) heap buffer; its length does not fit a signed 32-bit value.
var __v_12 = new ArrayBuffer(2147483648);
// The asm.js module is compiled during instantiation, which is where the CHECK trips.
var module = Wasm.instantiateModuleFromAsm(__f_61.toString(), null, __v_12);
// Calling an object literal; throws a TypeError if this line is reached.
( { })();

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 1 2016
Apr 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b994ad45b089c64eb253f63526723ffc2a0c86c6

commit b994ad45b089c64eb253f63526723ffc2a0c86c6
Author: titzer <titzer@chromium.org>
Date: Wed Apr 20 09:34:22 2016

[turbofan] Length and index2 are unsigned in CheckedLoad/CheckedStore.

Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

BUG= chromium:599717
LOG=Y

Review URL: https://codereview.chromium.org/1858323003
Cr-Commit-Position: refs/heads/master@{#35651}

[modify] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/src/compiler/code-generator-impl.h
[modify] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/src/compiler/x64/code-generator-x64.cc
[modify] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/test/cctest/cctest.gyp
[add] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/test/cctest/compiler/test-run-load-store.cc
[modify] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/test/cctest/compiler/test-run-machops.cc
[add] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/test/mjsunit/regress/regress-599717.js
[add] https://crrev.com/b994ad45b089c64eb253f63526723ffc2a0c86c6/test/mjsunit/regress/regress-599719.js
Apr 21 2016
ClusterFuzz has detected this issue as fixed in range 35650:35651.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5488816483205120

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  index2 <= length in src/compiler/x64/code-generator-x64.cc

Fixed: V8: r35650:35651

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv965psTZgEZYOIB7ltV_yWfvUkuFy3rUHsZFuuqDovkEd1f9A_rgqGRHq1Elo0HL1MhOxpkXn6jv3cRx1TYsXVN1GCOG5pUdt8o7hcpGQaPfapWTQQzJJ43jZjDlC0UcekBK6DRRGWHc_60a0AuW9d_mZYe7Nw

function __f_61(stdlib, buffer) {
  "use asm";
  var __v_14 = new stdlib.Float64Array(buffer);
  function __f_74() {
    var __v_35 = 6.0;
    __v_14[2] = __v_35 + 1.0;
  }
  return {__f_74: __f_74};
}
// 2 GiB (2^31 byte) heap buffer; its length does not fit a signed 32-bit value.
var __v_12 = new ArrayBuffer(2147483648);
// The asm.js module is compiled during instantiation, which is where the CHECK trips.
var module = Wasm.instantiateModuleFromAsm(__f_61.toString(), null, __v_12);
// Calling an object literal; throws a TypeError if this line is reached.
( { })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 21 2016
May 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7551eca9816a7386282789e806bafedb9d4817bd

commit 7551eca9816a7386282789e806bafedb9d4817bd
Author: balazs.kilvady <balazs.kilvady@imgtec.com>
Date: Wed May 04 11:42:12 2016

MIPS64: Fix [turbofan] Length and index2 are unsigned in CheckedLoad/CheckedStore.

Port b994ad45b089c64eb253f63526723ffc2a0c86c6

Original commit message:
Also factor out test cases from test-run-machops.cc into test-run-load-store.cc

TEST=cctest/test-run-load-store/RunLoadStoreZeroExtend64, cctest/test-run-load-store/RunOobCheckedLoadT_pseudo7, cctest/test-run-load-store/RunOobCheckedLoad_pseudo7
BUG= chromium:599717
LOG=Y

Review-Url: https://codereview.chromium.org/1907363002
Cr-Commit-Position: refs/heads/master@{#36017}

[modify] https://crrev.com/7551eca9816a7386282789e806bafedb9d4817bd/src/compiler/mips64/code-generator-mips64.cc
[modify] https://crrev.com/7551eca9816a7386282789e806bafedb9d4817bd/src/compiler/mips64/instruction-codes-mips64.h
[modify] https://crrev.com/7551eca9816a7386282789e806bafedb9d4817bd/src/compiler/mips64/instruction-selector-mips64.cc
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by manoranj...@chromium.org, Mar 31 2016