Issue 688876 link

Issue metadata

Status: Verified
Owner:
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Crash in v8::internal::Invoke

Reported by ClusterFuzz (Project Member), Feb 5 2017

Issue description

Components: Blink>JavaScript
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
This looks like it's to do with WASM. ahaas: you landed 3 WASM related CLs in the diff, do you mind taking a look please?
Comment 2 by sheriffbot@chromium.org (Project Member), Feb 6 2017

Labels: M-58
Comment 3 by sheriffbot@chromium.org (Project Member), Feb 6 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org (Project Member), Feb 6 2017

Labels: Pri-1

Comment 5 by ahaas@chromium.org, Feb 7 2017

Status: Started (was: Assigned)
Comment 6 by sheriffbot@chromium.org (Project Member), Feb 7 2017

Labels: M-58
Comment 7 by bugdroid1@chromium.org (Project Member), Feb 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0

commit 59bb18867addf9f1d4b64eb6e1f0cf3996da07e0
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Feb 08 10:27:45 2017

[x64] Consider both operands when emitting the REX prefix for testb.

The testb instruction requires the REX prefix when either of its
operands uses a register with the high bit set. The existing code only
considered the register operand. In the test case the REX prefix was not
emitted because the testb instruction had the register operand RAX which
does not have the high bit set. The REX prefix was necessary though
because the memory operand used R8, which has the high bit set.

R=bmeurer@chromium.org
BUG=chromium:688876

Change-Id: Ib214bebbe75965664f2aea530e29afa95a54f44f
Reviewed-on: https://chromium-review.googlesource.com/439145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43030}
[modify] https://crrev.com/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0/src/x64/assembler-x64.cc
[add] https://crrev.com/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0/test/mjsunit/regress/wasm/regression-688876.js

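The encoding rule the commit message describes, worked through as an added C example (this is not V8's assembler code and not the page's own): on x64 the high bit of a register number (R8..R15) can only be expressed through the REX prefix, where REX.R extends the ModRM.reg field, REX.X the SIB index and REX.B the base, so an encoder has to look at every operand before deciding whether to emit the prefix. `rex_for_testb_reg_only` is a constructed illustration of the one-operand rule the message describes (it is assumed, not V8's actual pre-fix code); `encode_testb_mem_reg` is a minimal `test byte ptr [base], reg8` encoder that shows how dropping the prefix for the `(RAX, [R8])` pair silently produces the bytes for `test byte ptr [rax], al` instead, i.e. a different address is read than the compiler intended.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x64 general-purpose register numbers. RAX..RDI are 0-7; R8..R15 are 8-15,
   so their "high bit" (bit 3) only reaches the instruction via a REX prefix. */
enum Reg { RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
           R8, R9, R10, R11, R12, R13, R14, R15 };
#define NO_INDEX (-1)

/* Memory operand [base + index*scale]; index may be NO_INDEX. */
typedef struct { int base; int index; } MemOperand;

static bool high_bit(int r) { return r >= R8; }

/* REX byte for "test byte ptr [mem], reg8" (0x40 | W R X B), or 0 if no
   prefix is needed. A bare 0x40 is also required for SPL/BPL/SIL/DIL, which
   without REX would encode as AH/CH/DH/BH. This is the "either operand" rule. */
uint8_t rex_for_testb(int reg, MemOperand mem) {
  uint8_t rex = 0x40;
  if (high_bit(reg))                                rex |= 0x04; /* REX.R */
  if (mem.index != NO_INDEX && high_bit(mem.index)) rex |= 0x02; /* REX.X */
  if (high_bit(mem.base))                           rex |= 0x01; /* REX.B */
  bool low_byte_reg = reg >= RSP && reg <= RDI;
  return (rex != 0x40 || low_byte_reg) ? rex : 0;
}

/* Constructed illustration of the one-operand rule the commit message
   describes: only the register operand is consulted, so a high base such as
   R8 never sets REX.B. Assumed for contrast; not V8's actual pre-fix code. */
uint8_t rex_for_testb_reg_only(int reg, MemOperand mem) {
  (void)mem;
  if (high_bit(reg)) return 0x44;
  if (reg >= RSP && reg <= RDI) return 0x40;
  return 0;
}

typedef uint8_t (*rex_fn)(int reg, MemOperand mem);

/* Encode "test byte ptr [base], reg8" (opcode 84 /r, no index, no
   displacement). [rsp]/[r12] need a SIB byte and [rbp]/[r13] need mod=01
   with a zero disp8. Returns the number of bytes written to out. */
size_t encode_testb_mem_reg(rex_fn rex, int reg, int base, uint8_t out[8]) {
  size_t n = 0;
  MemOperand mem = { base, NO_INDEX };
  uint8_t prefix = rex(reg, mem);
  if (prefix) out[n++] = prefix;
  out[n++] = 0x84;
  int base_low = base & 7, reg_low = reg & 7;   /* low 3 bits go in ModRM */
  if (base_low == RBP) {
    out[n++] = (uint8_t)(0x40 | (reg_low << 3) | base_low);
    out[n++] = 0x00;
  } else {
    out[n++] = (uint8_t)((reg_low << 3) | base_low);
    if (base_low == RSP) out[n++] = 0x24;
  }
  return n;
}

/* Spot-check helpers: byte i of the encoding (0xFF past the end) and its length. */
uint8_t encoded_byte(rex_fn rex, int reg, int base, size_t i) {
  uint8_t buf[8];
  size_t n = encode_testb_mem_reg(rex, reg, base, buf);
  return i < n ? buf[i] : 0xFF;
}
size_t encoded_len(rex_fn rex, int reg, int base) {
  uint8_t buf[8];
  return encode_testb_mem_reg(rex, reg, base, buf);
}

/* Do the two rules produce identical bytes for this operand pair? */
bool encodings_agree(int reg, int base) {
  uint8_t a[8], b[8];
  size_t na = encode_testb_mem_reg(rex_for_testb, reg, base, a);
  size_t nb = encode_testb_mem_reg(rex_for_testb_reg_only, reg, base, b);
  if (na != nb) return false;
  for (size_t i = 0; i < na; i++) if (a[i] != b[i]) return false;
  return true;
}

int main(void) {
  /* The pair from the bug: register operand RAX (no high bit), base R8. */
  uint8_t buf[8];
  size_t n = encode_testb_mem_reg(rex_for_testb, RAX, R8, buf);
  printf("correct: ");
  for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
  printf(" (test byte ptr [r8], al)\n");
  n = encode_testb_mem_reg(rex_for_testb_reg_only, RAX, R8, buf);
  printf("flawed:  ");
  for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
  printf(" (decodes as test byte ptr [rax], al)\n");
  return 0;
}
```

A regression test for an encoder like this is most useful when it enumerates operand pairs where only one side carries the high bit, since pairs where the register operand is itself R8..R15 (for example `R9, [RAX]`) encode identically under both rules and would not catch the defect.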
Comment 8 by ClusterFuzz (Project Member), Feb 25 2017

ClusterFuzz has detected this issue as fixed in range 447007:452906.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6729761343930368

Fuzzer: afl_v8_wasm_call_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000fffff040
Crash State:
  v8::internal::Invoke
  CallInternal
  v8::internal::Execution::Call
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=446316:446370
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=447007:452906

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953zaWEHYm4Nmy9buaXPYGpTKHryo5AVD37u8kvWfzXyxo5JzIGAIv6qift1zUYZ8fBLPtbnNMbonwHdYENS8DpD516ZseoeVdHm2pQ3xK7iikLlMzU5whbAN8ttOQR_fyK1rDD5K15Lt_bSJgGEAcScJlJ1cazcZsbKsrCOi2l1nyb6D0hjItIgmqTC5_wIGH5bT_1iztRTWA2FcO5_mqlh4ykB1530UfyWR4nhuBKuk53VADczwblQjKvtAjoaNN7bjMTGtSI8PM1I6HzZxRYzrZ69eCMe4bEQJzb2K7lHTskAoFaFumhEBzeb-upZH0taS6EaTuALp2nULoW0J3p08CO1C7XfhbkCwG8Zls6fqA6KnB9VUiO3IcWAVxsPG0hyhIGkq7mvjIjkr0gR6IIuYY5oA?testcase_id=6729761343930368


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Feb 25 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6729761343930368 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 10 by sheriffbot@chromium.org (Project Member), Feb 25 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta
Comment 12 by sheriffbot@chromium.org (Project Member), Jun 4 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot