Assigning to the concern owner who worked on wasm-call.cc.
@ahaas -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

 Issue 690397  has been merged into this issue.

 Issue 689121  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5f1661aad71b22028a9e2cedcae0e913ec338946

commit 5f1661aad71b22028a9e2cedcae0e913ec338946
Author: Andreas Haas <ahaas@chromium.org>
Date: Thu Feb 16 12:09:32 2017

[turbofan] For Word32Shl optimizations only consider the last 5 bits of the shift

One optimization in the machine-operator-reducer did not consider that
that word32 shift left instructions only consider the last 5 bits of
the shift input.

The issue only occurs for WebAssembly because in JavaScript we always
add a "& 0xf" on the shift value to the TurboFan graph.

For additional background: The JavaScript and WebAssembly spec both
say that only the last 5 bits of the shift value are used in the
word32-shift-left operation. This means that an "x << 0x29", in the
code is actually executed as "x << 0x09". Therefore the changes in
this CL are okay because they mask the last 5 bit of the shift value.

BUG= chromium:689450 

Change-Id: Id92f298ed6d7f1714b109b3f4fbcecd5ac6d30f7
Reviewed-on: https://chromium-review.googlesource.com/439312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43245}
[modify] https://crrev.com/5f1661aad71b22028a9e2cedcae0e913ec338946/src/compiler/machine-operator-reducer.cc
[add] https://crrev.com/5f1661aad71b22028a9e2cedcae0e913ec338946/test/mjsunit/regress/wasm/regression-689450.js

ClusterFuzz has detected this issue as fixed in range 450975:451020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4906796163792896

Fuzzer: libfuzzer_v8_wasm_call_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Disposing the isolate that is entered by a thread in wasm-call.cc
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=435634:435703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=450975:451020

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94w5x4UUcaruS0fkUgMElRsGXuC6tjTcr_Af6edzRPYYweoVr-bqh2_za4zBGc7QJkTIhKg_AOCuy33kBguq9FUD4gs7--pEI7klHOTWxR0R4sPycEqeop9_rjb4ZoLJ_qHVDQ_rHqvLYHR8JBjYcb5qFprBojgLS2Clxnr2Fxh0rQAmGVV-n6qziXRUP90ELTLBlypSLQmD6kVeHBRTmxBWEiMCY6qYOMeppuyhQhRGxhBZWdqjg0L5pOQcM_jXau7mT7ZtVxuE22wTlZtnshwZurTKmDpqIIJmq_UWgGs_57dfnJN0VtoiDMX14oJ2jOXSmC0EbDC1qoR8gGV1WYVYZP1qRqjtJ2ZezVCzVXP0d8Acdc?testcase_id=4906796163792896


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4906796163792896 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.