ClusterFuzz points at 
https://chromium.googlesource.com/v8/v8/+/698bbe418aaab8c7e41090eab9400440ce7a498f

Taking a quick look, these lines (https://chromium.googlesource.com/v8/v8/+blame/master/src/wasm/wasm-js.cc#422) 
look somewhat suspicious:

  GetIntegerProperty(isolate, &thrower, context, descriptor,
                     v8_str(isolate, "initial"), &initial, 0, 65536);

Elsewhere in the file (e.g. https://chromium.googlesource.com/v8/v8/+blame/master/src/wasm/wasm-js.cc#370), the result of the GetIntegerProperty call is checked and if the call fails appropriate action is taken.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7bffaaac2c2d3c638475ade4adba60f1b01dd66f

commit 7bffaaac2c2d3c638475ade4adba60f1b01dd66f
Author: ahaas <ahaas@chromium.org>
Date: Mon Sep 26 13:07:44 2016

[wasm] Do a proper HasProperty() check in the memory and table setup.

The WebAssembly spec requires a HasProperty() check for the maximum
property of the descriptor object which is used to set up a
WebAssembly.Memory object or a WebAssembly.Table object.

The original implementation only approximated the HasProperty() check.
It used Get() to get the value of the maximum property of the descriptor
object and compared the resulting value to {undefined}. However, this
approximation is incorrect if the property exists but its value is
{undefined}.

R=titzer@chromium.org, franzih@chromium.org
BUG= chromium:649461 
TEST=mjsunit/wasm/memory

Review-Url: https://codereview.chromium.org/2367673003
Cr-Commit-Position: refs/heads/master@{#39722}

[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/src/wasm/wasm-js.cc
[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/test/mjsunit/wasm/memory.js
[modify] https://crrev.com/7bffaaac2c2d3c638475ade4adba60f1b01dd66f/test/mjsunit/wasm/table.js

ClusterFuzz has detected this issue as fixed in range 420859:421045.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5400246610034688

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::WebAssemblyMemory
  v8::internal::FunctionCallbackArguments::Call
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=420270:420294
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=420859:421045

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97jrfvMNH1w4JJKzTY2jJc0tka8qp_uMwbqxqqZmVDCsZ_D19Tk95UbMPm6wBBDykXPQwRfwBlj7-wVFLr4ik1mTpSFG1-8atgpWML0d0PgwS-63dmTOKWE5nkMwWD5rUUS0gRTwM_esCfMlzRhipwxbsHOpg?testcase_id=5400246610034688

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot