CHECK failure: (location_) != nullptr in handles.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5298110595858432
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (location_) != nullptr in handles.h
  Check ToHandleChecked
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=530865:530867
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5298110595858432

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 25 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/56fe24372cbba2a6ef8a2934e6410eb432d8c92f ([wasm][streaming] Do not reject promise upon abort without reason). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 25 2018
I got the same bug assigned already earlier this week (https://bugs.chromium.org/p/chromium/issues/detail?id=804665), but I think it is still unrelated to my CL.
Jan 25 2018
Georg, can you take a look? It seems to be crashing in ES6 module instantiation.
Jan 25 2018
Leszek, PTAL. Seems to be caused by https://chromium-review.googlesource.com/857463. Just remove the html tags from the test case and run with d8 --module to reproduce the crash. I get a CSA assertion failure in SwitchOnSmiNoFeedback (the accumulator is not a Smi).
Jan 25 2018
I can repro, will take a look.
Jan 25 2018
Strange, looks like the generator's resume mode is <undefined>.
Jan 25 2018
Ah, looks like the wide version of SuspendGenerator doesn't actually return. I'll think on a fix.
Jan 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/830e39abae8306b88d3b3f1a609f0250924c8844

commit 830e39abae8306b88d3b3f1a609f0250924c8844
Author: Leszek Swirski <leszeks@chromium.org>
Date: Mon Jan 29 12:38:33 2018

[ignition] Fix wide suspends to also return

Wide suspends have a "wide" (or "extra-wide") bytecode at their offset, rather than the suspend itself, so they were failing the return check.

Bug: chromium:805765
Change-Id: Iabfc2a2167d09eda2f6885d9100287aadcd8fee9
Reviewed-on: https://chromium-review.googlesource.com/887082
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50923}

[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/bailout-reason.h
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/arm/builtins-arm.cc
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/arm64/builtins-arm64.cc
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/ia32/builtins-ia32.cc
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/mips/builtins-mips.cc
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/mips64/builtins-mips64.cc
[modify] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/src/builtins/x64/builtins-x64.cc
[add] https://crrev.com/830e39abae8306b88d3b3f1a609f0250924c8844/test/mjsunit/regress/regress-crbug-805765.js
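The mechanism the commit message describes, as an added illustration that is not V8's code: a check that compares the opcode at the generator's suspend offset must step over a Wide/ExtraWide prefix byte, because for wide operands the prefix, not SuspendGenerator, sits at that offset. The opcode values and the sample bytecode stream below are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Opcode values are constructed for this example; they are not V8's encoding.
enum Bytecode : uint8_t {
  kWide = 0x00,              // prefix: the following bytecode has 16-bit operands
  kExtraWide = 0x01,         // prefix: the following bytecode has 32-bit operands
  kLdar = 0x10,
  kSuspendGenerator = 0x20,
  kReturn = 0x30,
};

using BytecodeArray = std::vector<uint8_t>;

// Check as it behaved before the fix: it reads only the byte at `offset`.
// For a wide suspend that byte is the prefix, so the check fails.
bool IsSuspendAtBuggy(const BytecodeArray& bc, size_t offset) {
  return offset < bc.size() && bc[offset] == kSuspendGenerator;
}

// Check as the commit describes it: skip a Wide/ExtraWide prefix and then
// compare the opcode that actually follows it.
bool IsSuspendAtFixed(const BytecodeArray& bc, size_t offset) {
  if (offset >= bc.size()) return false;
  uint8_t op = bc[offset];
  if (op == kWide || op == kExtraWide) {
    if (offset + 1 >= bc.size()) return false;  // truncated stream
    op = bc[offset + 1];
  }
  return op == kSuspendGenerator;
}

// Constructed stream: a narrow suspend at offset 2 and a wide suspend at
// offset 5 (prefix byte first, then the opcode, then two 16-bit operands).
const BytecodeArray kStream = {
    kLdar, 0x01,                                       // offset 0
    kSuspendGenerator, 0x02, 0x03,                     // offset 2
    kWide, kSuspendGenerator, 0x04, 0x00, 0x05, 0x00,  // offset 5
    kReturn,                                           // offset 11
};
```

For the narrow suspend both checks agree; for the wide suspend only the fixed check recognises it.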
Jan 30 2018
ClusterFuzz has detected this issue as fixed in range 532487:532500.

Detailed report: https://clusterfuzz.com/testcase?key=5298110595858432
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (location_) != nullptr in handles.h
  Check ToHandleChecked
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=530865:530867
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=532487:532500
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5298110595858432

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 30 2018
ClusterFuzz testcase 5298110595858432 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 25 2018
Labels: Test-Predator-Auto-Components