Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/3f4536894ac3001c53256d08d1e85aa442eb0f02 (d8: Make in process stack dumping optional).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Simplified and cleaned up repro ...

Object.defineProperty(Promise, Symbol.species, {
  value: function(f) {
    f(function() {}, function() {})
  }
});
WebAssembly.instantiate(new ArrayBuffer());

I dug a little bit further and I think the underlying problem is actually in the signature of {v8::Promise::Then} which has return type {MaybeLocal<Promise>}. This was written before Species have been added. If I read the spec correctly then it is perfectly OK for this return value to be an arbitrary other object (i.e. not an instance of Promise). WebAssembly just happens to be the only use of this API in V8 itself.

The repro above triggers a DCHECK when the implementation of {v8::Promise::Then} casts the result to a Promise. Otherwise the rest of V8 should be perfectly fine with a Local<Object> there. But changing the return type of the signature is probably a tedious process. Adamk, WDYT? Am I missing something?

FWIW, this shouldn't be a security issue in release mode, hence lowering priority.

Michi, you are right, the API signature is incorrect. It should just be MaybeLocal<Object>, instead of of MaybeLocal<Promise>.

I'll fix the WebAssembly issue, but not the API inconsistency. I'll file a separate issue for the API inconsistency on the V8 issue tracker.

 Issue 842549  has been merged into this issue.

Andreas is re-working the promise-chaining in WebAssembly.instantiate (due to unrelated observability issues) which should in turn also address this problem. Here is a beefed up regression test that we should add before closing this issue:

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

var sentinel = {};
Object.defineProperty(Promise, Symbol.species, {
  value: function(f) {
    f(function() {}, function() {})
    return sentinel;
  }
});
var promise = WebAssembly.instantiate(new ArrayBuffer());
assertSame(sentinel, promise);

ClusterFuzz testcase 5027697701683200 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 53346:53347.

Detailed report: https://clusterfuzz.com/testcase?key=5005127487586304

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7f91a1f54f88
Crash State:
  v8::Utils::ReportApiFailure
  ApiCheck
  CheckCast
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45141:45142
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=53346:53347

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5005127487586304

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f4b23239dfdcba20939a53ee98a4df0750408321

commit f4b23239dfdcba20939a53ee98a4df0750408321
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue May 29 10:37:32 2018

[wasm] Add missing WebAssembly.instantiate regression test.

R=titzer@chromium.org
TEST=mjsunit/regress/wasm/regress-799952
BUG= chromium:799952 

Change-Id: Idb4a1938cc04f2f5b1ea33ba390c5917fea2c0c1
Reviewed-on: https://chromium-review.googlesource.com/1075967
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53402}
[add] https://crrev.com/f4b23239dfdcba20939a53ee98a4df0750408321/test/mjsunit/regress/wasm/regress-799952.js