Suspected CL
https://chromium.googlesource.com/v8/v8/+/78b048c0773380b2cc602a38cce09d68c5ac6274%5E%21/test/fuzzer/wasm-code.cc

ahaas@, could you please take a look and help us to find correct owner if it is not related your changes.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2c12a9a42d454a36fcd2931fa458d72832eeb689

commit 2c12a9a42d454a36fcd2931fa458d72832eeb689
Author: ahaas <ahaas@chromium.org>
Date: Wed Oct 05 06:06:45 2016

[wasm] Call a runtime function for a MemorySize instruction.

The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG= chromium:651961 
TEST=mjsunit/regress/wasm/regression-651961

Review-Url: https://codereview.chromium.org/2386183004
Cr-Commit-Position: refs/heads/master@{#39972}

[modify] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/src/runtime/runtime-wasm.cc
[modify] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/src/runtime/runtime.h
[modify] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/test/cctest/wasm/test-run-wasm-module.cc
[modify] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/test/cctest/wasm/test-run-wasm.cc
[add] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/test/mjsunit/regress/wasm/regression-651961.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9701e79127c75a41d870745192dd1b63c6cbc63b

commit 9701e79127c75a41d870745192dd1b63c6cbc63b
Author: ahaas <ahaas@chromium.org>
Date: Wed Oct 05 06:12:03 2016

Revert of [wasm] Call a runtime function for a MemorySize instruction. (patchset #2 id:20001 of https://codereview.chromium.org/2386183004/ )

Reason for revert:
Patch problem

Original issue's description:
> [wasm] Call a runtime function for a MemorySize instruction.
>
> The implementation of MemorySize with RelocatableInt32Constants is
> problematic if MemorySize is placed close to a GrowMemory instruction in
> the code. The use of a runtime function guarantees that the order in
> which MemorySize and GrowMemory is executed is correct.
>
> R=titzer@chromium.org
> BUG= chromium:651961 
> TEST=mjsunit/regress/wasm/regression-651961
>
> Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
> Cr-Commit-Position: refs/heads/master@{#39972}

TBR=titzer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:651961 

Review-Url: https://codereview.chromium.org/2391223002
Cr-Commit-Position: refs/heads/master@{#39973}

[modify] https://crrev.com/9701e79127c75a41d870745192dd1b63c6cbc63b/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/9701e79127c75a41d870745192dd1b63c6cbc63b/src/runtime/runtime-wasm.cc
[modify] https://crrev.com/9701e79127c75a41d870745192dd1b63c6cbc63b/src/runtime/runtime.h
[modify] https://crrev.com/9701e79127c75a41d870745192dd1b63c6cbc63b/test/cctest/wasm/test-run-wasm-module.cc
[modify] https://crrev.com/9701e79127c75a41d870745192dd1b63c6cbc63b/test/cctest/wasm/test-run-wasm.cc
[delete] https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689/test/mjsunit/regress/wasm/regression-651961.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4

commit aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4
Author: ahaas <ahaas@chromium.org>
Date: Wed Oct 05 09:11:54 2016

[wasm] Call a runtime function for a MemorySize instruction.

The implementation of MemorySize with RelocatableInt32Constants is
problematic if MemorySize is placed close to a GrowMemory instruction in
the code. The use of a runtime function guarantees that the order in
which MemorySize and GrowMemory is executed is correct.

R=titzer@chromium.org
BUG= chromium:651961 
TEST=mjsunit/regress/wasm/regression-651961

Committed: https://crrev.com/2c12a9a42d454a36fcd2931fa458d72832eeb689
Review-Url: https://codereview.chromium.org/2386183004
Cr-Original-Commit-Position: refs/heads/master@{#39972}
Cr-Commit-Position: refs/heads/master@{#39980}

[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/src/runtime/runtime-wasm.cc
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/src/runtime/runtime.h
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/src/wasm/wasm-module.cc
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/src/wasm/wasm-module.h
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/test/cctest/wasm/test-run-wasm-module.cc
[modify] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/test/cctest/wasm/test-run-wasm.cc
[add] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/test/mjsunit/regress/wasm/regression-651961.js
[add] https://crrev.com/aa93e6ca95123ccd176c392a2b5b8772ee5eb5c4/test/mjsunit/wasm/memory-size.js

ClusterFuzz has detected this issue as fixed in range 423155:423213.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6280324499898368

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=423155:423213

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv955C_98NtJ_viKSGDUYFodetGLxXzxgcIEl9kzA4tfdH4-xYwY6TO6Op5LDnrkyqGFmPROsNBPZsp3DSvFXoXobzkPW4F8lt2XUAv0BoLH8v_TXPjiR7CE3y-2wM3fEPzFxomfteBU6-tXIaCRKY5WnsWw5pg?testcase_id=6280324499898368

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5053920881934336

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423091:423120

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9528h9CVjVl1PuFTfoW0rvU7OgGWMN0l0Tz_f6ggpAL7an4-BJ6G5D1lBWhGchRJIIKzN9hPxIYihpnbO729ppf0HkrbspM4vVLSiKgfQCQksKNlWnM9P2jNhJZk9tSoznHac-MIQz9VuRiwna5m8KfnSkhRQ?testcase_id=5053920881934336
;;N9


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

ClusterFuzz has detected this issue as fixed in range 423988:424034.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5053920881934336

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423091:423120
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423988:424034

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9528h9CVjVl1PuFTfoW0rvU7OgGWMN0l0Tz_f6ggpAL7an4-BJ6G5D1lBWhGchRJIIKzN9hPxIYihpnbO729ppf0HkrbspM4vVLSiKgfQCQksKNlWnM9P2jNhJZk9tSoznHac-MIQz9VuRiwna5m8KfnSkhRQ?testcase_id=5053920881934336
;;N9


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot