bradnelson, can you or someone in your crew please take a look?

Running in v8_simple_wasm_code_fuzzer, I get:

:~/work/v8 (master) $ out/Debug/v8_simple_wasm_code_fuzzer ~/Downloads/clusterfuzz-testcase-minimized-6733421956300800 


#
# Fatal error in ../../src/wasm/wasm-interpreter.cc, line 770
# Check failed: stack_height >= stack_effect.first (1 vs. 2).
#

==== C stack trace ===============================

    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f1a6818747e]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libplatform.so(+0x175c7) [0x7f1a681405c7]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8_libbase.so(V8_Fatal+0x1bd) [0x7f1a68180f7d]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f44d0) [0x7f1a676064d0]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x13057dc) [0x7f1a676177dc]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x1300f8a) [0x7f1a67612f8a]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f3990) [0x7f1a67605990]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(+0x12f2403) [0x7f1a67604403]
    /usr/local/google/home/mtrofin/work/v8/out/Debug/./libv8.so(v8::internal::wasm::WasmInterpreter::Thread::InitFrame(v8::internal::wasm::WasmFunction const*, v8::internal::wasm::WasmVal*)+0x2d) [0x7f1a6760434d]
    out/Debug/v8_simple_wasm_code_fuzzer(v8::internal::wasm::testing::InterpretWasmModule(v8::internal::Isolate*, v8::internal::wasm::ErrorThrower*, v8::internal::wasm::WasmModule const*, v8::internal::wasm::ModuleWireBytes const&, int, v8::internal::wasm::WasmVal*, bool*)+0x271) [0x557e6bdaade1]
    out/Debug/v8_simple_wasm_code_fuzzer(LLVMFuzzerTestOneInput+0x791) [0x557e6bda5141]
    out/Debug/v8_simple_wasm_code_fuzzer(main+0x1e1) [0x557e6bda4991]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f1a65c67f45]
    out/Debug/v8_simple_wasm_code_fuzzer(+0x66b9) [0x557e6bda46b9]
Received signal 4 ILL_ILLOPN 7f1a68185401
Illegal instruction (core dumped)

 Issue 715990  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/66f69540641f47c7078e77daf649788d6c50670f

commit 66f69540641f47c7078e77daf649788d6c50670f
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue May 02 17:03:02 2017

[wasm] [interpreter] Fix fall-through loop with value

Executing the |end| opcode of a loop assumed that the stack height was
being reset to the height at start of the loop. Hence we were ignoring
the arity of the loop.
During computation of the side table, the arity of the label associated
with the loop was explicitly set to 0, such that a |br| instruction to
that label would not transfer any values.
It turns out though that we need to remember the arity in order to
precompute the correct stack height when executing the |end| opcode of
a loop.
Also, add a regression test.

R=rossberg@chromium.org
BUG= chromium:716936 

Change-Id: Ib3a559998f1ce5f8fcd7b94af1426637b3e48f86
Reviewed-on: https://chromium-review.googlesource.com/493286
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45041}
[modify] https://crrev.com/66f69540641f47c7078e77daf649788d6c50670f/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/66f69540641f47c7078e77daf649788d6c50670f/test/cctest/wasm/test-run-wasm.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4423c9cc099d639e774023e9cb7aa90bccb0d364

commit 4423c9cc099d639e774023e9cb7aa90bccb0d364
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed May 03 11:35:09 2017

[wasm] [interpreter] Ignore stack effects after unreachable

During computation of the side table, ignore stack effects of
instructions following any unconditional jump in the same block
(|unreachable|, |br|, |br_table| or |return| jump out of the block).
Without this fix, the current stack height might underflow, or we compute an
unnecessarily large max_stack_height_. Note that those instruction will
never get executed anyway.
Hence, we don't need to store any side table information for such
unreachable code.

R=rossberg@chromium.org
BUG= chromium:716936 ,  chromium:715990 

Change-Id: I282f7f18ba1b972a112210e692f6cd05cf32308c
Reviewed-on: https://chromium-review.googlesource.com/493266
Reviewed-by: Andreas Rossberg <rossberg@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45059}
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-opcodes.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/src/wasm/wasm-opcodes.h
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/test/cctest/wasm/test-run-wasm.cc
[modify] https://crrev.com/4423c9cc099d639e774023e9cb7aa90bccb0d364/test/unittests/wasm/control-transfer-unittest.cc

 Issue 717908  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 468951:468981.

Detailed report: https://clusterfuzz.com/testcase?key=6733421956300800

Fuzzer: libfuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Use-after-poison WRITE 4
Crash Address: 0x62500001e450
Crash State:
  v8::internal::wasm::ThreadImpl::Push
  v8::internal::wasm::ThreadImpl::Execute
  v8::internal::wasm::ThreadImpl::Run
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=468951:468981

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6733421956300800


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot