Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/2f5d90a816fc4cb3b45eb1f56a900a1a654edc18 ([d8] Add a stress-background-compile mode).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a lookup error in the asm.js source position table.
Will take a look.

This also reproduces on linux, for different stack sizes. The minimized test case fails e.g. for --stack-size=40.
The problem is that the stack check in a loop header fires, in a function without function-entry stack check. The loop header stack check does not have a source position associated though.
Working on a fix.

Also reproduces in 64.

CL: https://crrev.com/c/856338

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/54cb64ac94e86472d581728906681b6f1ea9bb00

commit 54cb64ac94e86472d581728906681b6f1ea9bb00
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue Jan 09 13:56:28 2018

[asm] Store source position for all loops

Loop headers contain a stack check in wasm, hence an exception can be
thrown at the position of the loop instruction. This means that for
asm.js, we need to store a source position for each loop instruction.

R=mstarzinger@chromium.org

Bug:  chromium:799690 
Change-Id: I129abef11461992e2f10af8e6afc28ce1cf83341
Reviewed-on: https://chromium-review.googlesource.com/856338
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50443}
[modify] https://crrev.com/54cb64ac94e86472d581728906681b6f1ea9bb00/src/asmjs/asm-parser.cc
[add] https://crrev.com/54cb64ac94e86472d581728906681b6f1ea9bb00/test/mjsunit/regress/regress-799690.js

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

As this can result in an out-of-bounds read from a FixedArray, I suggest backmerging this to 64.

This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This will hit Canary tonight. Let's wait until tomorrow to verify the change in Canary, and then we can decide on merge.

ClusterFuzz has detected this issue as fixed in range 50442:50444.

Detailed report: https://clusterfuzz.com/testcase?key=5976562116853760

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  total_offset == offset_table->get_int(kOTESize * left) in wasm-objects.cc
  v8::platform::PrintStackTrace
  v8::internal::WasmSharedModuleData::GetSourcePosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49375:49376
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=50442:50444

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5976562116853760

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5976562116853760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

abdulsyed@ - good for 64

Approving merge for M64. Branch:3282

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c

commit a9dee2e298a0869d3db1e9075f53c4ba4867ab0c
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue Jan 16 09:41:54 2018

Merged: [asm] Store source position for all loops

Loop headers contain a stack check in wasm, hence an exception can be
thrown at the position of the loop instruction. This means that for
asm.js, we need to store a source position for each loop instruction.

R=​mstarzinger@chromium.org

Bug:  chromium:799690 

NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I4b095d81becae9cd218f068cbeeb8a5d24f8e341
Reviewed-on: https://chromium-review.googlesource.com/867850
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#59}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}
[modify] https://crrev.com/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c/src/asmjs/asm-parser.cc
[add] https://crrev.com/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c/test/mjsunit/regress/regress-799690.js

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot