
Issue 657481

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Disposing the isolate that is entered by a thread in wasm-code.cc

Reported by ClusterFuzz (Project Member), Oct 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6387698397085696

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=418007:418113

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97U2uc3kTuusTIaQ6bvag8d11Y_loh9Y8A9yB1OKwQ_dmwO4E0o0vf4xbwOv1pL4ByBgj7rl6nl3vtMHfbF829fQSxVF_G0JXYk-NY5wem_VL_KldA_vdHsfboGP-88BWZWjLpGsv11-OR9TvsRSAIBwjUeTw?testcase_id=6387698397085696

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
ahaas@ could you please look into this. Please feel free to re-assign back if needed. Thanks in advance!
Comment 2 by bugdroid1@chromium.org (Project Member), Oct 20 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/57b14b0606e43d0ab023caf0514d0a252f72cae1

commit 57b14b0606e43d0ab023caf0514d0a252f72cae1
Author: ahaas <ahaas@chromium.org>
Date: Thu Oct 20 14:27:23 2016

[wasm] Track in the interpreter if a NaN could have been produced.

The wasm specification does not fully specify the binary representation
of NaN: the sign bit can be non-deterministic. The wasm-code fuzzer
found a test case where the wasm interpreter and the compiled code
produce a different sign bit for a NaN, and as a consequence they
produce different results.

With this CL the interpreter tracks whether it executed an instruction
which can produce a NaN, which are div and sqrt instructions. The
fuzzer uses this information and compares the result of the interpreter
with the result of the compiled code only if there was no instruction
which could have produced a NaN.

R=titzer@chromium.org

TEST=cctest/test-run-wasm-interpreter/TestMayProduceNaN
BUG= chromium:657481 

Review-Url: https://chromiumcodereview.appspot.com/2438603003
Cr-Commit-Position: refs/heads/master@{#40474}

[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/src/wasm/wasm-interpreter.h
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/test/cctest/wasm/test-run-wasm-interpreter.cc
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/test/cctest/wasm/wasm-run-utils.h
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/test/common/wasm/wasm-module-runner.cc
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/test/common/wasm/wasm-module-runner.h
[modify] https://crrev.com/57b14b0606e43d0ab023caf0514d0a252f72cae1/test/fuzzer/wasm-code.cc
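
The tracking that the commit message describes, as an added C++ example that is not V8's code: a toy f64 stack machine sets a `may_produce_nan` flag whenever a NaN-capable instruction executes, and a differential oracle compares the interpreter's result bitwise against a stand-in "compiled" backend only when that flag is clear. The opcode set, `Interpret`, `SameBits`, `DifferentialCheck` and both backends are this example's own constructs. Where the CL flags div and sqrt, this version also flags add, sub and mul, because inf - inf and 0 * inf are IEEE 754 invalid operations that likewise produce a NaN from non-NaN operands.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical f64 opcode subset for this example; not V8's enums.
enum class Op { Const, Neg, Abs, Add, Sub, Mul, Div, Sqrt };

struct Instr {
  Op op;
  double imm;  // used by Const only
};

struct ExecResult {
  double value;
  bool may_produce_nan;  // true once any NaN-capable instruction has run
};

// IEEE 754 invalid-operation sources: ops that can turn non-NaN operands into
// a NaN. The CL tracks div and sqrt; add/sub/mul are flagged here as well
// (inf - inf, 0 * inf). Neg and Abs only touch the sign bit.
bool OpMayProduceNan(Op op) {
  switch (op) {
    case Op::Add: case Op::Sub: case Op::Mul: case Op::Div: case Op::Sqrt:
      return true;
    default:
      return false;
  }
}

// Bitwise comparison of the encodings. operator== is false for any NaN, so it
// cannot serve as a fuzz oracle; this sees sign-bit and payload differences.
bool SameBits(double a, double b) {
  uint64_t ua, ub;
  std::memcpy(&ua, &a, sizeof ua);
  std::memcpy(&ub, &b, sizeof ub);
  return ua == ub;
}

// Reference interpreter: records whether an instruction capable of producing
// a NaN executed, independent of the operand values actually seen.
ExecResult Interpret(const std::vector<Instr>& code) {
  std::vector<double> stack;
  bool may_nan = false;
  auto pop = [&stack]() -> double {
    if (stack.empty()) throw std::runtime_error("stack underflow");
    double v = stack.back();
    stack.pop_back();
    return v;
  };
  for (const Instr& in : code) {
    may_nan = may_nan || OpMayProduceNan(in.op);
    switch (in.op) {
      case Op::Const: stack.push_back(in.imm); break;
      case Op::Neg:   stack.push_back(-pop()); break;
      case Op::Abs:   stack.push_back(std::fabs(pop())); break;
      case Op::Sqrt:  stack.push_back(std::sqrt(pop())); break;
      case Op::Add: { double b = pop(), a = pop(); stack.push_back(a + b); break; }
      case Op::Sub: { double b = pop(), a = pop(); stack.push_back(a - b); break; }
      case Op::Mul: { double b = pop(), a = pop(); stack.push_back(a * b); break; }
      case Op::Div: { double b = pop(), a = pop(); stack.push_back(a / b); break; }
    }
  }
  if (stack.size() != 1) throw std::runtime_error("program must leave one value");
  return {stack.back(), may_nan};
}

using Backend = double (*)(const std::vector<Instr>&);

// Stand-in for compiled code: same arithmetic, but every NaN is canonicalised
// to the positive quiet NaN, while the interpreter keeps whatever the hardware
// produced (possibly with the sign bit set). Both are NaN, bits may differ.
double CanonicalizingBackend(const std::vector<Instr>& code) {
  double v = Interpret(code).value;
  return std::isnan(v) ? std::numeric_limits<double>::quiet_NaN() : v;
}

// Deliberately wrong backend, to show that genuine divergences still surface.
double BuggyBackend(const std::vector<Instr>& code) {
  return Interpret(code).value + 1.0;
}

enum class Verdict { kMatch, kMismatch, kSkipped };

// Differential oracle: compare bit patterns only when no NaN could have been
// produced, so nondeterministic NaN encodings cannot raise false alarms.
Verdict DifferentialCheck(const std::vector<Instr>& code, Backend backend) {
  ExecResult ref = Interpret(code);
  if (ref.may_produce_nan) return Verdict::kSkipped;
  return SameBits(ref.value, backend(code)) ? Verdict::kMatch : Verdict::kMismatch;
}

int main() {
  const std::vector<Instr> neg = {{Op::Const, 1.5}, {Op::Neg, 0.0}};
  const std::vector<Instr> zero_div = {{Op::Const, 0.0}, {Op::Const, 0.0}, {Op::Div, 0.0}};
  std::printf("neg vs canonicalizing: %d\n", (int)DifferentialCheck(neg, CanonicalizingBackend));
  std::printf("0/0 vs canonicalizing: %d\n", (int)DifferentialCheck(zero_div, CanonicalizingBackend));
  std::printf("neg vs buggy: %d\n", (int)DifferentialCheck(neg, BuggyBackend));
  return 0;
}
```

Two points follow from the code. The oracle has to compare bit patterns, since a NaN never compares equal even to itself, and once bits are compared the sign bit of a NaN (which the wasm spec leaves nondeterministic, and which `i64.reinterpret_f64` makes directly observable) would cause spurious mismatches unless such runs are skipped. The instruction-based flag is conservative: `sqrt 4.0` is skipped although it yields exactly 2.0, which costs fuzz coverage but never correctness.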

Comment 3 by ClusterFuzz (Project Member), Oct 21 2016

ClusterFuzz has detected this issue as fixed in range 426487:426557.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6387698397085696

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-code.cc
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=418007:418113
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=426487:426557

Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97U2uc3kTuusTIaQ6bvag8d11Y_loh9Y8A9yB1OKwQ_dmwO4E0o0vf4xbwOv1pL4ByBgj7rl6nl3vtMHfbF829fQSxVF_G0JXYk-NY5wem_VL_KldA_vdHsfboGP-88BWZWjLpGsv11-OR9TvsRSAIBwjUeTw?testcase_id=6387698397085696

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 4 by ClusterFuzz (Project Member), Oct 21 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 5 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
