Crash in WebAssembly while growing memory. Report generated by WebAssembly fuzzer.

Hi Deepti,
this crash seems GrowMemory related, can you take a look?

I was able to reproduce it both with the v8-wasm-fuzzer. I tried to create an mjsunit test by using --wasm-code-fuzzer-gen-test and combine the output with an existing regression test, but that failed, so maybe something in the module header has influence on the bug.
Cheers, Andreas

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c8b2656622faff4d0ee53c251c859deaa87f7e7a

commit c8b2656622faff4d0ee53c251c859deaa87f7e7a
Author: gdeepti <gdeepti@chromium.org>
Date: Mon Mar 27 22:59:55 2017

[wasm] Detach memory buffer only when GrowMemory is called from the JS API

BUG= chromium:699485 

R=ahaas@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2772973002
Cr-Commit-Position: refs/heads/master@{#44166}

[modify] https://crrev.com/c8b2656622faff4d0ee53c251c859deaa87f7e7a/src/wasm/wasm-js.cc
[modify] https://crrev.com/c8b2656622faff4d0ee53c251c859deaa87f7e7a/src/wasm/wasm-module.cc
[modify] https://crrev.com/c8b2656622faff4d0ee53c251c859deaa87f7e7a/src/wasm/wasm-module.h
[add] https://crrev.com/c8b2656622faff4d0ee53c251c859deaa87f7e7a/test/mjsunit/regress/wasm/regression-699485.js

Added Merge Request to 58, because this patch fixes a customer-observed failure: Autodesk's Stingray project crashes without it. (https://autodesk.box.com/s/8pezgbd6o090lj7lftr0ktswiz0d0i6f)

Verified by cherry-picking this CL onto Chrome 58 (v8 5.8.283.1)

This bug requires manual review: We are only 2 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue v8:6289  has been merged into this issue.

+hablich@ for M58 merge review. Please note M58 is already in stable and we're only taking absolutely critical and safe CL for next M58 refresh if any. 

Safe (only WASM) and fixes a real world use-case.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ed5c5a6b0450e980191dac58222574c824822e63

commit ed5c5a6b0450e980191dac58222574c824822e63
Author: Deepti Gandluri <gdeepti@google.com>
Date: Mon Apr 24 23:07:18 2017

Merged: [wasm] Detach memory buffer only when GrowMemory is called from the JS API

Revision: c8b2656622faff4d0ee53c251c859deaa87f7e7a

BUG= chromium:699485 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bradnelson@chromium.org, mtrofin@chromium.org

Change-Id: I53a4a81cf592d05974e621f602d7a5814ed21d06
Reviewed-on: https://chromium-review.googlesource.com/486125
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.8@{#71}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
[modify] https://crrev.com/ed5c5a6b0450e980191dac58222574c824822e63/src/wasm/wasm-js.cc
[modify] https://crrev.com/ed5c5a6b0450e980191dac58222574c824822e63/src/wasm/wasm-module.cc
[modify] https://crrev.com/ed5c5a6b0450e980191dac58222574c824822e63/src/wasm/wasm-module.h
[add] https://crrev.com/ed5c5a6b0450e980191dac58222574c824822e63/test/mjsunit/regress/wasm/regression-699485.js

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Removing "Merge-Approved-58" label as change is already merged to M58 at #14.

per hablich@, this merge is fine because customer issue and it affects only wasm and it is baked for a long time.