Unreachable code in asm-wasm-builder.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5980006698450944
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: Unreachable code
Crash Address:
Crash State: asm-wasm-builder.cc
Regressed: V8: r35045:35048

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94rpH7LvoLqLTb_eH7x4Oq_SuOwAbe6pMd4qq-Qw07dpk5H0zKeGgXJk-ChFpZ5cx5U3h2CjscI4-IzxadNDPTO2_5iiWKRQhBzkLfXOO-sUSs_fylvDpv2yj-DuaUExn2EelZWQezI2EyFowMvrPIkVeR0Vg

    function __f_55(expected, __f_71, __f_7) {
      Wasm.instantiateModuleFromAsm(__f_71.toString());
    }
    function __f_109() {
      "use asm";
      function __f_18() {
        while(2147483648);
      }
      return {__f_18: __f_18};
    }
    __f_55(12, __f_109);
    ( { })();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 7 2016

Jun 15 2016

Jun 16 2016
Issue 620248 has been merged into this issue.

Jun 20 2016
Aseem, see if you can repro and fix. Thanks!

Jun 20 2016
This is due to a bug in the typer. Integer literals in range [2^31, 2^32) should be marked as unsigned and not fixednum.
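As an added illustration of the typing rule this comment refers to (this is example code written for this page, not V8's asm typer or anything from the bug), the snippet below applies the asm.js spec's numeric-literal rules to decimal literals and shows why 2147483648 cannot be a fixnum: it does not survive the int32 coercion `|0`, but it does survive `>>> 0`. It covers the whole literal range (fixnum, signed, unsigned, double, invalid), not only the [2^31, 2^32) case from the comment. The function names, the literal regex and the decision to leave hex literals unhandled are assumptions of this example.

```javascript
// Added example (not V8 code): the asm.js typing rules for numeric literals,
// applied to decimal literal text. Hex literals are not handled (assumption).
const TWO_31 = 2 ** 31; // 2147483648
const TWO_32 = 2 ** 32; // 4294967296

// A fixnum is a non-negative value that survives the int32 coercion `|0`.
function fitsFixnum(n) {
  return (n | 0) === n && n >= 0;
}

// An unsigned value survives the uint32 coercion `>>> 0` unchanged.
function fitsUnsigned(n) {
  return (n >>> 0) === n;
}

// Classify literal text as "fixnum", "signed", "unsigned", "double" or "invalid".
function asmLiteralType(text) {
  // Any dot or exponent makes the literal a double, whatever its value.
  if (/[.eE]/.test(text)) return "double";
  if (!/^-?\d+$/.test(text)) throw new TypeError("not a decimal literal: " + text);
  const n = Number(text);
  if (n >= 0 && n < TWO_31) return "fixnum";         // [0, 2^31)
  if (n >= TWO_31 && n < TWO_32) return "unsigned";  // [2^31, 2^32)
  if (n >= -TWO_31 && n < 0) return "signed";        // [-2^31, 0)
  return "invalid";                                  // outside asm.js range
}

// One-line summary of how a literal is typed and which coercions it survives.
function explain(text) {
  const n = Number(text);
  return `${text}: type=${asmLiteralType(text)}, fitsFixnum=${fitsFixnum(n)}, fitsUnsigned=${fitsUnsigned(n)}`;
}

// The literal from the minimized testcase on this page.
console.log(explain("2147483648"));
```

Running it prints that 2147483648 is typed `unsigned`, fails the fixnum round-trip and passes the unsigned one; a typer that labels it fixnum hands later stages a value that no int32 can hold, which is the inconsistency the builder tripped over.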

Jun 21 2016

Jun 28 2016

Jun 28 2016

Jun 29 2016
Fixed in: https://chromium.googlesource.com/v8/v8/+/fa5cb207a16896b0cf598fbcaef8e121d0ad4fd1

Jun 29 2016
ClusterFuzz has detected this issue as fixed in range 37353:37354.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5980006698450944
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: Unreachable code
Crash Address:
Crash State: asm-wasm-builder.cc
Regressed: V8: r35045:35048
Fixed: V8: r37353:37354

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95PR8Zw1aHaGY1-IzHBZsS6y1cKWigPosn_kSWY3F8WAXCqUlOB9Y0jiBdX9Ov4AF-i4Aa2VQelJdnngjlDsJIyeyKmYz4yssMIgulpXXzWRu1kon_k8CBCs-081c_G4jleWmvAYi178-jKFNUaxzXKHWj-zA?testcase_id=5980006698450944

    function __f_55(expected, __f_71, __f_7) {
      Wasm.instantiateModuleFromAsm(__f_71.toString());
    }
    function __f_109() {
      "use asm";
      function __f_18() {
        while(2147483648);
      }
      return {__f_18: __f_18};
    }
    __f_55(12, __f_109);
    ( { })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 6 2016
Owner: titzer@chromium.org
Status: Assigned (was: Available)