This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Another fuzzer crash in the interpreter.

This is not a release blocker because it is a crash in testing code.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d2da19c78005c75e0f658be23c28b473dd76b93b

commit d2da19c78005c75e0f658be23c28b473dd76b93b
Author: Andreas Haas <ahaas@chromium.org>
Date: Mon Sep 11 11:44:19 2017

[wasm][fuzzer] Check 'main' export to be a function before execution

In the test case the module contained a memory which got exported by the
name 'main'. The fuzzer crashed when it tried to cast the memory to a
function to execute it. This CL checks that 'main' is a function before
doint the cast.

R=clemensh@chromium.org

Bug:  chromium:763349 
Change-Id: I9a21413c8038a7547f8b59057afea2870b15499a
Reviewed-on: https://chromium-review.googlesource.com/659978
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47941}
[modify] https://crrev.com/d2da19c78005c75e0f658be23c28b473dd76b93b/test/common/wasm/wasm-module-runner.cc

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is not a release blocker because it is a crash in testing code only.

 Issue 763696  has been merged into this issue.

 Issue 763670  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 500940:500995.

Detailed report: https://clusterfuzz.com/testcase?key=4716603706179584

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x603c00002820
Crash State:
  v8::internal::wasm::testing::InterpretWasmModuleForTesting
  v8::internal::wasm::fuzzer::InterpretAndExecuteModule
  v8::internal::wasm::fuzzer::InstantiateCallback
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500940:500995

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4716603706179584

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4543901460594688 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.