length == 0 || (length > 0 && data != __null) in vector.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095632168812544
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: length == 0 || (length > 0 && data != __null) in vector.h
Sanitizer: address (ASAN)
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97iB5LHbh-PpqDiIxfpiBoZ81mOVN4AXU8PRxTEcjQP9GD4ZAKAqlKPnMkEqaNAknNu5RdnAjPqYYhrCdhPrpcinLbIvXear1CoRTw_-0-zutg41GzlXaKn_22l6FobbEpPFcO5Hpz5Wo-jotq9xdtLmXI6K8doJFwP5AsAAQjiSqsrFLVqMVfpBXXGzuKwd18HJ7F3ex6_zML5NB_139N-V1C6Oa19De4Q3zReqj9EcU9vB3DDFsTAW3_Cc6LbkPMi5XafpVYJaGzB8NK-rekUPdpYZ5JTUSAA7BEQXBG4tTLbjgOKTzE0KY641aDWiYJyj0ibalUmVNfWquJ2OCGEUYLZLm34lxmLZ0ApTGTbSn0j7tTaxvp81g_jHYduOSeyDGL-ZUvNZB9rpwJyRJphAmm7qA?testcase_id=5095632168812544
Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Feb 21 2017
Had to run a manual bisect, because ClusterFuzz seems to not be in the mood right now. Bisects to ...

commit df834f3ff293d2c5e342335a71d17f0af6b0f648
Author: titzer <titzer@chromium.org>
Date: Mon Feb 20 02:41:57 2017 -0800

    [wasm] Split the compilation and instantiation API into sync and async methods.

    This makes it easier to implement asynchronous compilation by hiding all the implementation details of both synchronous and asynchronous compilation within wasm-module.cc, whereas before the code in wasm-js.cc actually implemented asynchronous compilation in terms of synchronous.

    BUG=
    Review-Url: https://codereview.chromium.org/2695813005
    Cr-Commit-Position: refs/heads/master@{#43310}

Feb 21 2017
It's in the ModuleWireBytes constructor, where we set up the Vector<const byte>:
    ModuleWireBytes(const byte* start, const byte* end)
        : module_bytes_(start, static_cast<int>(end - start)) {
      DCHECK_GE(kMaxInt, end - start);
    }
module_bytes_ is a Vector, and its length is an int, which becomes negative here.
We could just check the length of the given buffer before calling this constructor in wasm-js.cc, and throw an Error.
The question would again be which error. RangeError?

Feb 21 2017
RangeError sounds OK to me. Thanks for looking into this.

Feb 21 2017
Ahaas raises concerns. Adding rossberg for the error decision.

Feb 21 2017
FYI: "new Uint16Array(0x80000000)" also throws RangeError ("RangeError: Invalid typed array length").

Feb 21 2017
We have a limit in wasm-limits.h for the module size:

    const size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // = 1 GiB

It's enforced in module-decoder.cc but probably needs to be enforced earlier.
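An added C++ example (not V8's code and not from any commenter) that isolates the int narrowing in the ModuleWireBytes constructor quoted above and the check-before-construct against kV8MaxWasmModuleSize suggested in this comment; the namespace, function names and error text are assumptions.

```cpp
// Added example, not V8's code: models the int narrowing in the thread's
// ModuleWireBytes constructor and the size pre-check the thread proposes.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <string>

namespace wasm_size_example {

// Names mirror the thread; values are assumptions matching V8 of that era.
constexpr int kMaxInt = INT_MAX;
constexpr size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // 1 GiB

// A check-before-construct limit only helps if it is itself representable
// as the Vector's int length; keep that invariant compile-time checked.
static_assert(kV8MaxWasmModuleSize <= static_cast<size_t>(kMaxInt),
              "module size limit must fit in Vector<T>::length()");

// The constructor in the thread does static_cast<int>(end - start). Isolated
// here so it can be driven with a byte count rather than a real 2 GiB buffer.
// For 2 GiB and above the narrowed value is negative (two's-complement wrap
// on the toolchains V8 builds with), which is what the vector.h CHECK rejects.
int NarrowedVectorLength(size_t byte_count) {
  return static_cast<int>(static_cast<std::ptrdiff_t>(byte_count));
}

// The invariant from the crash state: length == 0 || (length > 0 && data).
bool VectorInvariantHolds(const uint8_t* data, int length) {
  return length == 0 || (length > 0 && data != nullptr);
}

// Pre-check the source buffer before ModuleWireBytes is ever built, as the
// thread suggests for wasm-js.cc. Returns the message a RangeError would carry,
// or an empty string when the size is acceptable. (Constructed, not V8's text.)
std::string CheckModuleSize(size_t byte_count) {
  if (byte_count > kV8MaxWasmModuleSize) {
    return "RangeError: WebAssembly module exceeds limit of " +
           std::to_string(kV8MaxWasmModuleSize) + " bytes";
  }
  return "";
}

}  // namespace wasm_size_example
```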

Feb 21 2017
It sounds like a design error if we feed array buffers into something that cannot handle all possible sizes. But short of fixing that, I agree that RangeError is the right exception to raise.

Feb 21 2017
Fixed in http://crrev.com/2705233002. Looks like I forgot the "chromium:" prefix on the BUG line.

Feb 28 2017
ClusterFuzz has detected this issue as fixed in range 43351:43352.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095632168812544
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: length == 0 || (length > 0 && data != __null) in vector.h
Sanitizer: address (ASAN)
Fixed: V8: 43351:43352
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97iB5LHbh-PpqDiIxfpiBoZ81mOVN4AXU8PRxTEcjQP9GD4ZAKAqlKPnMkEqaNAknNu5RdnAjPqYYhrCdhPrpcinLbIvXear1CoRTw_-0-zutg41GzlXaKn_22l6FobbEpPFcO5Hpz5Wo-jotq9xdtLmXI6K8doJFwP5AsAAQjiSqsrFLVqMVfpBXXGzuKwd18HJ7F3ex6_zML5NB_139N-V1C6Oa19De4Q3zReqj9EcU9vB3DDFsTAW3_Cc6LbkPMi5XafpVYJaGzB8NK-rekUPdpYZ5JTUSAA7BEQXBG4tTLbjgOKTzE0KY641aDWiYJyj0ibalUmVNfWquJ2OCGEUYLZLm34lxmLZ0ApTGTbSn0j7tTaxvp81g_jHYduOSeyDGL-ZUvNZB9rpwJyRJphAmm7qA?testcase_id=5095632168812544

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mstarzinger@chromium.org, Feb 21 2017