(location_) != nullptr in handles.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5087476927692800
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (location_) != nullptr in handles.cc
Regressed: V8: r41088:41089

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94lsgXbM71SPAjIK9OooYH_BZhK5I1u4YmbQLSsUwehOBGDEJesljxYmH5EIC8-P4-XymxzAuJgww5DEPvAlBg76eQe2RdsHYwxqhcATl1JaxLPeEpeNXPPS2x0TMKW3_N9KUCWdFjX_0WZ4fg32VCcDI1_cg?testcase_id=5087476927692800

(function __f_7() { let memory = new WebAssembly.Memory({initial: 59199}); })();

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d0fe942d2304655f587f49a0b6a1c9a079692912

commit d0fe942d2304655f587f49a0b6a1c9a079692912
Author: eholk <eholk@chromium.org>
Date: Mon Nov 21 21:58:35 2016

[wasm] Throw a RangeError if Wasm memory could not be allocated.

This fixes a bug found by the fuzzer where we would attempt to dereference a null handle if memory allocation failed. In this case, the failure was because the amount of memory requested was above V8's hardcoded limit.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=666741
Review-Url: https://codereview.chromium.org/2514983002
Cr-Commit-Position: refs/heads/master@{#41158}

[modify] https://crrev.com/d0fe942d2304655f587f49a0b6a1c9a079692912/src/wasm/wasm-js.cc
[add] https://crrev.com/d0fe942d2304655f587f49a0b6a1c9a079692912/test/mjsunit/regress/wasm/regression-666741.js
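The behaviour the commit above describes, shown from the caller's side as an added example (this is not code from the bug report, the fix, or V8 itself): after the fix, a WebAssembly.Memory request the engine cannot satisfy surfaces as a catchable RangeError rather than a null-handle CHECK failure inside the engine. The 64 KiB page size and the 65536-page wasm32 ceiling used here come from the WebAssembly JS API spec; the example assumes a current spec-compliant engine such as Node's V8, not the 2016 build the report was filed against.

```javascript
// Added example: observe how WebAssembly.Memory allocation failures are reported
// to JavaScript. The engine is assumed to be a current spec-compliant V8 (Node),
// where an over-limit request throws RangeError, which is the behaviour the fix
// in this bug introduced in place of a CHECK failure on a null handle.
const WASM_PAGE_BYTES = 65536;   // WebAssembly linear memory page size
const WASM32_MAX_PAGES = 65536;  // upper bound on pages for a 32-bit memory (JS API spec)

// Try to allocate a linear memory of `initial` pages (optionally capped at
// `maximum` pages). Returns a plain result object instead of letting the
// exception escape, so callers can tell "engine refused" apart from success.
function tryAllocateMemory(initial, maximum) {
  const descriptor = maximum === undefined ? { initial } : { initial, maximum };
  try {
    const memory = new WebAssembly.Memory(descriptor);
    return { ok: true, bytes: memory.buffer.byteLength };
  } catch (err) {
    // RangeError is the spec-mandated signal (and, after this fix, V8's) that
    // the request exceeded what the engine is willing or able to allocate.
    return { ok: false, error: err.constructor.name, message: err.message };
  }
}

// Pre-flight guard: reject descriptors that any spec-compliant engine is
// guaranteed to refuse, without asking the engine at all. A descriptor that
// passes this check can still be refused at runtime (host memory limits or,
// in the 2016 build from this report, V8's hardcoded limit), which is why the
// try/catch above is still required.
function isAllocatableDescriptor(initial, maximum) {
  if (!Number.isInteger(initial) || initial < 0 || initial > WASM32_MAX_PAGES) {
    return false;
  }
  if (maximum !== undefined) {
    if (!Number.isInteger(maximum) || maximum > WASM32_MAX_PAGES) return false;
    if (maximum < initial) return false;
  }
  return true;
}

// Stand-alone demonstration: one page succeeds, an over-limit request is
// refused with RangeError, and an inconsistent descriptor (maximum < initial)
// is refused the same way.
for (const [initial, maximum] of [[1, undefined], [70000, undefined], [2, 1]]) {
  console.log(
    `initial=${initial} maximum=${maximum}`,
    'preflight:', isAllocatableDescriptor(initial, maximum),
    'engine:', tryAllocateMemory(initial, maximum),
  );
}
```

The report's own testcase value, 59199 pages, is below the spec ceiling, so the pre-flight guard lets it through; whether the engine then honours it depends on the host, which is exactly the path that used to crash and now throws.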
Nov 22 2016
ClusterFuzz has detected this issue as fixed in range 41157:41158.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5087476927692800
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: (location_) != nullptr in handles.cc
Regressed: V8: r41088:41089
Fixed: V8: r41157:41158

Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94lsgXbM71SPAjIK9OooYH_BZhK5I1u4YmbQLSsUwehOBGDEJesljxYmH5EIC8-P4-XymxzAuJgww5DEPvAlBg76eQe2RdsHYwxqhcATl1JaxLPeEpeNXPPS2x0TMKW3_N9KUCWdFjX_0WZ4fg32VCcDI1_cg?testcase_id=5087476927692800

(function __f_7() { let memory = new WebAssembly.Memory({initial: 59199}); })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Nov 18 2016
Owner: eholk@chromium.org
Status: Assigned (was: Untriaged)