Assigning based on ownership of regressing CL. PTAL?

I don't think these have security impact, as the problem affects the v8 shell, d8, which is used only for testing.

A fix is up and ready for review. In general I think the cause is that my CL allows too-large ArrayBuffers to be created, causing problems in other parts of the code that can't handle this size.

https://chromium-review.googlesource.com/c/v8/v8/+/817763

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d15a7e85f9b5fd6138dc1947cc6cf7991e8aa964

commit d15a7e85f9b5fd6138dc1947cc6cf7991e8aa964
Author: Bill Budge <bbudge@chromium.org>
Date: Fri Dec 08 22:00:54 2017

[d8] ArrayBuffer size must be less than 2GB.

- Changes d8 ArrayBuffer::Allocators to restrict size to < 2GB on the
  Allocate/AllocateUninitialized paths. Reserve can still create larger
  ArrayBuffers.

Bug:  chromium:793196 
Change-Id: I662f8c681f715457d630df31039a1ea4d17cfafc
Reviewed-on: https://chromium-review.googlesource.com/817763
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49973}
[modify] https://crrev.com/d15a7e85f9b5fd6138dc1947cc6cf7991e8aa964/src/d8.cc

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Detailed report: https://clusterfuzz.com/testcase?key=4602278765133824

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0x113fffe0
Crash State:
  v8::internal::Builtin_ArrayBufferPrototypeSlice
  v8::internal::Invoke
  v8::internal::CallInternal
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49944:49945

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4602278765133824

See https://github.com/google/clusterfuzz-tools for more information.

Removing security tags, as this only affects operation in d8, the test shell. 

Leaving the restrict-view tag for security team review.

Leaving the stable release block as we should get to the bottom of these failures.

Updating Impact to note that this isn't in Chrome itself.

ClusterFuzz testcase 5873348969234432 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 50078:50079.

Detailed report: https://clusterfuzz.com/testcase?key=4602278765133824

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: UNKNOWN WRITE
Crash Address: 0x113fffe0
Crash State:
  v8::internal::Builtin_ArrayBufferPrototypeSlice
  v8::internal::Invoke
  v8::internal::CallInternal
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49944:49945
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=50078:50079

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4602278765133824

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 50086:50087.

Detailed report: https://clusterfuzz.com/testcase?key=5333692166963200

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  retained_size_ + length >= retained_size_ in array-buffer-tracker-inl.h
  V8_Dcheck
  v8::internal::LocalArrayBufferTracker::Add
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=49944:49945
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=50086:50087

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5333692166963200

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8b4966e906874cc4e740d168a98e62bdbb661b2b

commit 8b4966e906874cc4e740d168a98e62bdbb661b2b
Author: Bill Budge <bbudge@chromium.org>
Date: Fri Dec 15 16:55:36 2017

[d8] Fix potential overflow issue in ArrayBuffer allocator.

Bug:  chromium:793196 
Change-Id: I289653be3968b221bfe4c0f03e8430b2ca76c55c
Reviewed-on: https://chromium-review.googlesource.com/827645
Reviewed-by: Eric Holk <eholk@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50135}
[modify] https://crrev.com/8b4966e906874cc4e740d168a98e62bdbb661b2b/src/d8.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot