Yang, if you aren't a good person to look at this, feel free to re-assign.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1fe704e113a9b5a95d65c68b0b3719b4b85d4a56

commit 1fe704e113a9b5a95d65c68b0b3719b4b85d4a56
Author: yangguo <yangguo@chromium.org>
Date: Thu Nov 17 13:28:03 2016

[fuzzing] consistently honor --abort-on-stack-overflow.

R=machenbach@chromium.org
BUG= chromium:664068 

Review-Url: https://codereview.chromium.org/2509843005
Cr-Commit-Position: refs/heads/master@{#41075}

[modify] https://crrev.com/1fe704e113a9b5a95d65c68b0b3719b4b85d4a56/src/isolate.h
[modify] https://crrev.com/1fe704e113a9b5a95d65c68b0b3719b4b85d4a56/src/prototype.h
[modify] https://crrev.com/1fe704e113a9b5a95d65c68b0b3719b4b85d4a56/src/regexp/regexp-parser.cc

Not sure about this one. Range error in fullcode and nothing with validate_asm. Maybe suppression would still be best?

function foo(stdlib, env, heap) {
  "use asm";
  var __v_6 = new stdlib.Int32Array(heap);
  return {};
}
foo(this, {}, 4294967295);

# Compared fullcode with validate_asm

# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed 1446877678 --nocrankshaft --turbo-filter=~
# Flags of validate_asm:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed 1446877678 --validate-asm

Difference:
- /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output32_validate_asm/fuzz-04641.js.minimized:3: RangeError: Invalid typed array length

### Start of configuration fullcode:
/usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output32_validate_asm/fuzz-04641.js.minimized:3: RangeError: Invalid typed array length
  var __v_6 = new stdlib.Int32Array(heap);
              ^
RangeError: Invalid typed array length
    at new Int32Array (native)
    at foo (/usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output32_validate_asm/fuzz-04641.js.minimized:3:15)
    at /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output32_validate_asm/fuzz-04641.js.minimized:6:1


### End of configuration fullcode

### Start of configuration validate_asm:

### End of configuration validate_asm

Another one with array allocation between ia32 and x64. Is this WAI? If yes, can haz suppression using --abort_on_stack_overflow?

var v = new ArrayBuffer(0xc0000000);

# Compared default with ia32

# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed -749474089
# Flags of ia32:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed -749474089

Difference:
+ /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output33_ia32/fuzz-00320.js:1: RangeError: Array buffer allocation failed

### Start of configuration default:

### End of configuration default

### Start of configuration ia32:
/usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output33_ia32/fuzz-00320.js:1: RangeError: Array buffer allocation failed
var v = new ArrayBuffer(0xc0000000);
        ^
RangeError: Array buffer allocation failed
    at new ArrayBuffer (<anonymous>)
    at /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output33_ia32/fuzz-00320.js:1:9


### End of configuration ia32

Another case with this program:

var v = new Uint32Array(1073741824);

Now the output is for ia32:
RangeError: Invalid typed array length

x64 passes.

I wonder whether we should abort on all RangeErrors.

Guess we should. Or are some supposed to be deterministic across architectures and compilers? Those could stay.

Until that's implemented I have the low-tech workaround of ignoring all test cases with "RangeError" in the output. But that might not cover all cases.

 Issue 679885  has been merged into this issue.

ClusterFuzz testcase 5735023732064256 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 688677  has been merged into this issue.

Re #7: Some conditions to throw RangeError are clearly (and deterministically) dictated by the spec (e.g. throw if smaller than zero, or throw of this number greater than that). Other descriptions of when to throw such an error are more lax and can/will diverge between architectures (i.e. throw if impossible to create). I would be cautious about treating those two classes of RangeErrors equally.

I'll work on mocking the arraybuffers with proxies when comparing architectures and just disallow too large buffers.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/851d2001fc6a6947054514999908e34bcb50a215

commit 851d2001fc6a6947054514999908e34bcb50a215
Author: Michael Achenbach <machenbach@chromium.org>
Date: Thu Feb 09 08:33:16 2017

[foozzie] Mock out large typed arrays

BUG= chromium:688856 , chromium:664068 
NOTRY=true

Change-Id: Icf0e7a51693b6d399c8395eb0bbed9a3c373eb0a
Reviewed-on: https://chromium-review.googlesource.com/439164
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43052}
[modify] https://crrev.com/851d2001fc6a6947054514999908e34bcb50a215/tools/foozzie/BUILD.gn
[modify] https://crrev.com/851d2001fc6a6947054514999908e34bcb50a215/tools/foozzie/v8_foozzie.py
[modify] https://crrev.com/851d2001fc6a6947054514999908e34bcb50a215/tools/foozzie/v8_mock.js
[add] https://crrev.com/851d2001fc6a6947054514999908e34bcb50a215/tools/foozzie/v8_mock_archs.js
[modify] https://crrev.com/851d2001fc6a6947054514999908e34bcb50a215/tools/foozzie/v8_suppressions.py

 Issue 690934  has been merged into this issue.

 Issue 696278  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/44debc4f71aaa456f75ee49b5520070f94c9b230

commit 44debc4f71aaa456f75ee49b5520070f94c9b230
Author: Michael Achenbach <machenbach@chromium.org>
Date: Tue Feb 28 13:37:40 2017

[foozzie] Suppress more array buffer range errors

BUG= chromium:664068 
NOTRY=true
TBR=yangguo@chromium.org,jarin@chromium.org

Change-Id: I180153f0cb70e81711e01c9c09060e9af2f85354
Reviewed-on: https://chromium-review.googlesource.com/446363
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43484}
[modify] https://crrev.com/44debc4f71aaa456f75ee49b5520070f94c9b230/tools/foozzie/v8_suppressions.py

 Issue 697449  has been merged into this issue.

 Issue 699963  has been merged into this issue.

 Issue 700668  has been merged into this issue.

Closing this as there were no new reports in the last weeks. Will open a new specific bug if we see a particular range error again.

 Issue 728867  has been merged into this issue.

ClusterFuzz testcase 6113149884563456 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

 Issue 743140  has been merged into this issue.

 Issue 746425  has been merged into this issue.

 Issue 747701  has been merged into this issue.

 Issue 749979  has been merged into this issue.

 Issue 752503  has been merged into this issue.

 Issue 753717  has been merged into this issue.

 Issue 754670  has been merged into this issue.

 Issue 755026  has been merged into this issue.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.