Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/24459dff252d89523931551e9c6c966c1d4b9a10 ([wasm] Disable trap handlers also in d8.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

I don't think this testcase has anything to do with disabling trap handlers, so assigning to current clusterfuzz sheriff for further triage.

Thanks! Going back onto the queue, will triage later today.

I suspect that this is related to  issue 782113 .

Yep, pretty much the same issue, missing stack checks during generator resumption. Here is a somewhat reduced repro ...

function loop() {
  for (let x of []) {}
}
Object.defineProperty(Array.prototype, Symbol.iterator, {
  value: function* () {
    try {
      loop();
      for (let obj of loop()) {}
    } catch (e) {}
  }
});
loop();

 Issue 782113  has been merged into this issue.

Here is a cleaned up regression test that does not require recursion for the generator instantiation. The only thing that recurses here is the resumption.

// Flags: --allow-natives-syntax

function* generator(a) {
  a.pop().next();
}

function prepareGenerators(n) {
  var a = [{ next: () => 0 }];
  for (var i = 0; i < n; ++i) {
    a.push(generator(a));
  }
  return a;
}

var gens1 = prepareGenerators(10);
assertDoesNotThrow(() => gens1.pop().next());

%OptimizeFunctionOnNextCall(generator);

var gens2 = prepareGenerators(100000);
assertThrows(() => gens2.pop().next(), RangeError);

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55

commit 2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Nov 13 14:52:10 2017

[builtins] Add stack check during generator resumption.

This fixes a corner-case where resuming a suspended generator would not
perform stack overflow checks and hence cause the stack to grow without
bounds.

R=neis@chromium.org
BUG= chromium:781583 

Change-Id: Ib04116e489ac6b962cb821263860497abb57bbae
Reviewed-on: https://chromium-review.googlesource.com/765953
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49327}
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/arm/builtins-arm.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/arm64/builtins-arm64.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/ia32/builtins-ia32.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/mips/builtins-mips.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/mips64/builtins-mips64.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/ppc/builtins-ppc.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/s390/builtins-s390.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/x64/builtins-x64.cc
[add] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/test/mjsunit/regress/regress-crbug-781583.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55

commit 2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Nov 13 14:52:10 2017

[builtins] Add stack check during generator resumption.

This fixes a corner-case where resuming a suspended generator would not
perform stack overflow checks and hence cause the stack to grow without
bounds.

R=neis@chromium.org
BUG= chromium:781583 

Change-Id: Ib04116e489ac6b962cb821263860497abb57bbae
Reviewed-on: https://chromium-review.googlesource.com/765953
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49327}
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/arm/builtins-arm.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/arm64/builtins-arm64.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/ia32/builtins-ia32.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/mips/builtins-mips.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/mips64/builtins-mips64.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/ppc/builtins-ppc.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/s390/builtins-s390.cc
[modify] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/src/builtins/x64/builtins-x64.cc
[add] https://crrev.com/2bc09c95fb82e6c1bd3baeb20d26cfbcaee18c55/test/mjsunit/regress/regress-crbug-781583.js

ClusterFuzz has detected this issue as fixed in range 49326:49327.

Detailed report: https://clusterfuzz.com/testcase?key=6443387799732224

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffd26c31fd8
Crash State:
  v8::internal::KeyAccumulator::CollectOwnElementIndices
  v8::internal::KeyAccumulator::CollectOwnKeys
  v8::internal::KeyAccumulator::CollectKeys
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48645:48646
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=49326:49327

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6443387799732224

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5979023183446016 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.