(entry) != nullptr in asm-wasm-builder.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771719055409152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (entry) != nullptr in asm-wasm-builder.cc
Regressed: V8: r37728:37729
Minimized Testcase (0.34 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95ehB_ZL5rHygQGpDJEVhzOL633LamltzUmcTBIxjHlhhQ11t4QY9alCKphGfn1Ot1aLet9MGwpIqbV0vv5vcx38dYKqDjb4i1UCEn8kDdZWTbJhiUEST7RPVLdltQkgZVftxBWsOFt6eetFs0wIuKgLfKtFw?testcase_id=4771719055409152

    function __f_61(expected, __f_78, __f_9) {
      Wasm.instantiateModuleFromAsm(__f_78.toString());
    }
    (function () { })();
    function __f_59() {
      "use asm";
      function __f_110() { return 71; }
      function __f_21() {
        var __v_38 = 0;
        return __v_23[__v_38&0]() | 0;
      }
      return {__f_21:__f_21};
      var __v_23 = [__f_110]
    }
    __f_61(71, __f_59);

Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 15 2016
Looks I got blamed for cleaning up the CHECK macros :-)
Jul 16 2016
Jul 18 2016
Jul 20 2016
This is caused by the function table declaration occurring after the return statement. Hence, it seems it is ignored. asm-wasm-builder gets stuck trying to look up the function table when building __f_21 (it will throw in debug mode with a null check). The typer should catch this and throw an error.
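The layout rule behind this comment, shown as an added example (not code from the bug report or from V8): asm.js requires a fixed statement order inside a "use asm" module, namely the "use asm" prologue, global declarations, function declarations, function table declarations, and finally the export return statement. The first module below is the minimized testcase with the function table moved to where the spec requires it; the second keeps the testcase's ordering. Function and variable names are taken from the testcase; callExport is a helper added here.

```javascript
// Added example, not part of the bug report or of V8's sources.
// Both modules use the names from the minimized testcase (__f_110, __f_21, __v_23).

// Well-formed layout: the function table __v_23 is declared after the functions
// and before the export statement, so the indirect call in __f_21 resolves.
function wellFormedModule() {
  "use asm";
  function __f_110() { return 71; }
  function __f_21() {
    var __v_38 = 0;
    return __v_23[__v_38 & 0]() | 0;   // indirect call through the function table
  }
  var __v_23 = [__f_110];               // function table; the mask (0) is size - 1
  return { __f_21: __f_21 };
}

// Testcase layout: the table declaration sits after `return`. This is not a valid
// asm.js module, so a validating engine must reject it (which is what the fix adds
// to the typer) and fall back to plain JavaScript. As plain JavaScript the hoisted
// `var __v_23` is never assigned, so calling the export throws a TypeError.
function malformedModule() {
  "use asm";
  function __f_110() { return 71; }
  function __f_21() {
    var __v_38 = 0;
    return __v_23[__v_38 & 0]() | 0;
  }
  return { __f_21: __f_21 };
  var __v_23 = [__f_110];   // unreachable: dead code after the export statement
}

// Helper added here: instantiate a module function and call its __f_21 export,
// reporting either the returned value or the class of the error thrown.
function callExport(moduleFn) {
  try {
    return { ok: true, value: moduleFn().__f_21() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

console.log(callExport(wellFormedModule));   // { ok: true, value: 71 }
console.log(callExport(malformedModule));    // { ok: false, error: 'TypeError' }
```

The point of the pair is that the result of the well-formed module does not depend on whether the engine validated it as asm.js or ran it as ordinary JavaScript, whereas the testcase's ordering only ever works if a validator silently accepts a declaration after the export statement, which is exactly the state the builder was left in before the fix.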
Jul 20 2016
Jul 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d50998c48015b4fccd564b84a26c99069e3c6b21

commit d50998c48015b4fccd564b84a26c99069e3c6b21
Author: jpp <jpp@chromium.org>
Date: Thu Jul 21 15:32:05 2016

V8. ASM-2-WASM. Enforces source code layout.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=628450
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer.cc
TEST= mjsunit/wasm/*
LOG= N

Review-Url: https://codereview.chromium.org/2164273002
Cr-Commit-Position: refs/heads/master@{#37950}

[modify] https://crrev.com/d50998c48015b4fccd564b84a26c99069e3c6b21/src/asmjs/asm-typer.cc
[modify] https://crrev.com/d50998c48015b4fccd564b84a26c99069e3c6b21/test/cctest/asmjs/test-asm-typer.cc
Jul 22 2016
ClusterFuzz has detected this issue as fixed in range 37949:37950.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771719055409152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (entry) != nullptr in asm-wasm-builder.cc
Regressed: V8: r37728:37729
Fixed: V8: r37949:37950
Minimized Testcase (0.34 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95ehB_ZL5rHygQGpDJEVhzOL633LamltzUmcTBIxjHlhhQ11t4QY9alCKphGfn1Ot1aLet9MGwpIqbV0vv5vcx38dYKqDjb4i1UCEn8kDdZWTbJhiUEST7RPVLdltQkgZVftxBWsOFt6eetFs0wIuKgLfKtFw?testcase_id=4771719055409152

    function __f_61(expected, __f_78, __f_9) {
      Wasm.instantiateModuleFromAsm(__f_78.toString());
    }
    (function () { })();
    function __f_59() {
      "use asm";
      function __f_110() { return 71; }
      function __f_21() {
        var __v_38 = 0;
        return __v_23[__v_38&0]() | 0;
      }
      return {__f_21:__f_21};
      var __v_23 = [__f_110]
    }
    __f_61(71, __f_59);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jul 15 2016
Status: Assigned (was: Available)