Crash in v8::internal::MemoryChunk::heap
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5556368460480512
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000b400038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::HeapObject::GetIsolate
  Handle
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: V8: r42266:42267
Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95hpIrwbhkHFvzHsn6zrlaosk54zL5MAKc6f6Efpbeu3vaONcQO7xdqdY8sjlnkLCEZfDRhS0V_ranUdUqv3r3YrKbPvgxOrtYb27SX_C7YNHx9fTMdulgNOmCJSu_P2fQp_uMly7qowB_tml87Uo90phIwbu-OSU28tUHpJHIiY_3wafcQXbfzEGOQjGvQq6_bIC_T0gl1I-TTER6ra1JEnxJA1RspHKczU7duYXhx8mynH0xgEfqDyX4b8roT1LmVtDA2MhIf0VHW8w-BB_wlfduSZnLXZh5rFElr-wGfOYLAqJ-QfBdGW2IJosIaV3nDj_yTE0QBwV0yoTsWqDaP-TWNcHSm-uK1kLfFHSZA6CImgJu116Z17WiN8CpmdGpQWcDZmWn8aSSEg7Ikkim2ASS9zg?testcase_id=5556368460480512
var v17 = {};
var v32 = {};
v39 = new WebAssembly.Memory(v32);
v49 = v39.grow(v17);
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 13 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 13 2017
,
Jan 13 2017
Issue 680960 has been merged into this issue.
,
Jan 13 2017
Another crash caused by enabled Wasm (9884fb91e15e5e85218886b67af410668a08c38b).
,
Jan 16 2017
This bug happens because WebAssembly.Memory.grow() doesn't handle the case where there is no instance associated with the memory.
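The no-instance path described in the comment above, as an added example that is not the issue's minimized testcase nor V8's own regression test: a WebAssembly.Memory that was never attached to an Instance is grown, and the observable effects a fixed engine must show (new size reflected in the buffer, old buffer detached, out-of-range or invalid deltas rejected with an exception) are returned so they can be checked. Node.js/V8 is assumed as the runtime; page counts and limits are constructed values.

```javascript
// Added example (not from the issue or from V8): exercise WebAssembly.Memory.grow()
// on a memory with no associated instance, the path the original crash hit.
// Assumes a Node.js/V8 runtime; all sizes below are constructed sample values.

const WASM_PAGE_BYTES = 65536; // one WebAssembly page

// Create a standalone memory (no WebAssembly.Instance references it), grow it,
// and report what a correct engine must do on that path.
function growStandaloneMemory(initialPages, maxPages, deltaPages) {
  const mem = new WebAssembly.Memory({ initial: initialPages, maximum: maxPages });
  const oldBuf = mem.buffer;
  const oldLen = oldBuf.byteLength;
  const prevPages = mem.grow(deltaPages); // returns the previous size in pages
  return {
    prevPages,
    oldLen,
    // the buffer must reflect the new size even though no instance exists
    newLen: mem.buffer.byteLength,
    expectedNewLen: (initialPages + deltaPages) * WASM_PAGE_BYTES,
    // the previous ArrayBuffer is detached once the grow succeeds
    oldDetached: oldBuf.byteLength === 0,
    // and a fresh ArrayBuffer object is exposed in its place
    freshBuffer: mem.buffer !== oldBuf,
  };
}

// A delta that exceeds `maximum`, or that is not a valid page count at all
// (the testcase passed `{}`), must be rejected with an exception rather than
// touching engine state. Returns the thrown error's constructor name, or null.
function growErrorName(initialPages, maxPages, delta) {
  const mem = new WebAssembly.Memory({ initial: initialPages, maximum: maxPages });
  try {
    mem.grow(delta);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

console.log(growStandaloneMemory(1, 4, 2));
console.log('grow past maximum ->', growErrorName(1, 2, 5));
console.log('grow with {} ->', growErrorName(1, 2, {}));
```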
,
Jan 16 2017
,
Jan 17 2017
Issue 680506 has been merged into this issue.
,
Jan 17 2017
,
Jan 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6934db7ca7777db0799ec76b3fae811734e3c5c2
commit 6934db7ca7777db0799ec76b3fae811734e3c5c2
Author: gdeepti <gdeepti@chromium.org>
Date: Wed Jan 18 04:45:07 2017

[wasm] WebAssembly.Memory.grow() should handle the no instance case

- Currently WebAssembly.Memory.grow() assumes that it always has an instance associated with it, fix to grow and reflect new size when no instance is associated with memory object.
- Correctness fixes for the js api, throw range errors instead of generic errors

BUG= chromium:680938
R=bradnelson@chromium.org, titzer@chromium.org

Review-Url: https://codereview.chromium.org/2638243002
Cr-Commit-Position: refs/heads/master@{#42432}

[modify] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/src/wasm/wasm-js.cc
[modify] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/src/wasm/wasm-module.cc
[modify] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/src/wasm/wasm-module.h
[add] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/test/mjsunit/regress/wasm/regression-680938.js
[modify] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/test/mjsunit/wasm/js-api.js
[modify] https://crrev.com/6934db7ca7777db0799ec76b3fae811734e3c5c2/test/mjsunit/wasm/memory.js
,
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 42431:42432.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5556368460480512
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000b400038
Crash State:
  v8::internal::MemoryChunk::heap
  v8::internal::HeapObject::GetIsolate
  Handle
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: V8: r42266:42267
Fixed: V8: r42431:42432
Minimized Testcase (0.08 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95hpIrwbhkHFvzHsn6zrlaosk54zL5MAKc6f6Efpbeu3vaONcQO7xdqdY8sjlnkLCEZfDRhS0V_ranUdUqv3r3YrKbPvgxOrtYb27SX_C7YNHx9fTMdulgNOmCJSu_P2fQp_uMly7qowB_tml87Uo90phIwbu-OSU28tUHpJHIiY_3wafcQXbfzEGOQjGvQq6_bIC_T0gl1I-TTER6ra1JEnxJA1RspHKczU7duYXhx8mynH0xgEfqDyX4b8roT1LmVtDA2MhIf0VHW8w-BB_wlfduSZnLXZh5rFElr-wGfOYLAqJ-QfBdGW2IJosIaV3nDj_yTE0QBwV0yoTsWqDaP-TWNcHSm-uK1kLfFHSZA6CImgJu116Z17WiN8CpmdGpQWcDZmWn8aSSEg7Ikkim2ASS9zg?testcase_id=5556368460480512
var v17 = {};
var v32 = {};
v39 = new WebAssembly.Memory(v32);
v49 = v39.grow(v17);
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 18 2017
ClusterFuzz testcase 5556368460480512 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 18 2017
,
Jan 20 2017
This is not on the 5.7 branch. Please merge to 5.7 when you have Canary coverage.
,
Jan 20 2017
Issue 679947 has been merged into this issue.
,
Jan 21 2017
,
Jan 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/72fa37e561aea615a2af03ecbefd791b4e8e76d5
commit 72fa37e561aea615a2af03ecbefd791b4e8e76d5
Author: Brad Nelson <bradnelson@chromium.org>
Date: Sat Jan 21 20:06:03 2017

Merged: [wasm] WebAssembly.Memory.grow() should handle the no instance case

- Currently WebAsse ...

Revision: 6934db7ca7777db0799ec76b3fae811734e3c5c2

BUG= chromium:680938
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=hablich@chromium.org,gdeepti@chromium.org

Review-Url: https://codereview.chromium.org/2649743002 .
Cr-Commit-Position: refs/branch-heads/5.7@{#16}
Cr-Branched-From: 975e9a320b6eaf9f12280c35df98e013beb8f041-refs/heads/5.7.492@{#1}
Cr-Branched-From: 8d76f0e3465a84bbf0bceab114900fbe75844e1f-refs/heads/master@{#42426}

[modify] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/src/wasm/wasm-js.cc
[modify] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/src/wasm/wasm-module.cc
[modify] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/src/wasm/wasm-module.h
[add] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/test/mjsunit/regress/wasm/regression-680938.js
[modify] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/test/mjsunit/wasm/js-api.js
[modify] https://crrev.com/72fa37e561aea615a2af03ecbefd791b4e8e76d5/test/mjsunit/wasm/memory.js
,
Jan 27 2017
,
Apr 25 2017
,
Apr 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jan 13 2017