DCHECK failure in dst.type() == src.type() in liftoff-assembler.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4717891753345024
Fuzzer: libFuzzer_v8_wasm_compile_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  dst.type() == src.type() in liftoff-assembler.cc
  v8::internal::wasm::StackTransferRecipe::TransferStackSlot
  v8::internal::wasm::LiftoffAssembler::MergeFullStackWith
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=536319:536337
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4717891753345024

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Feb 13 2018

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b61b715c18604ebf8528ee4c2d735ed6100458c7 ([Liftoff] Add f64 support). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 14 2018

Feb 14 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 14 2018

Feb 14 2018

Feb 15 2018

This is obviously mine. I was sick for two days, will start working on this hopefully today. It's neither a release blocker nor security relevant, though, since Liftoff is disabled by default.
Feb 17 2018
Feb 19 2018

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6ac2579f23eb9e13be426cd863c13a8eedcc1af6

commit 6ac2579f23eb9e13be426cd863c13a8eedcc1af6
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Feb 19 16:12:30 2018

[Liftoff] Fix result type of f64 binops

The result of an f64 binop was marked as f32 on Liftoff's value stack. This led to errors and is fixed in this CL. I plan to clean up all binop implementations in a follow-up CL.

R=titzer@chromium.org

Bug: chromium:812005, v8:6600
Change-Id: I5bcd5c2e7d2b6170ef60f5e83cf2876b3475c38a
Reviewed-on: https://chromium-review.googlesource.com/924025
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51375}

[modify] https://crrev.com/6ac2579f23eb9e13be426cd863c13a8eedcc1af6/src/wasm/baseline/liftoff-compiler.cc
[add] https://crrev.com/6ac2579f23eb9e13be426cd863c13a8eedcc1af6/test/mjsunit/regress/wasm/regress-812005.js
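The commit message above states the fault: an f64 binop left its result tagged f32 on Liftoff's value stack, and the mismatch surfaced when that stack was merged at a control-flow join (MergeFullStackWith, then TransferStackSlot, per the crash state). The script below is an added illustration of that shape; it is not the regress-812005.js test from the fix CL, nor the ClusterFuzz reproducer, neither of which is on this page. It hand-assembles a wasm module in which each f64 binop result flows into an if/else merge, then checks on a fixed build that every merged value equals plain JS double arithmetic. The module layout, the choice of the `else` boundary as the merge point, and the helper names (`uleb`, `funcBody`, `buildModule`, `run`) are this example's assumptions. It runs offline under Node.js.

```javascript
// Added example; not the regress-812005.js test from the fix CL and not the
// ClusterFuzz reproducer (neither is on this page). The module shape below,
// an f64 binop result flowing into an if/else merge, is an assumption about
// how to reach LiftoffAssembler::MergeFullStackWith, the frame in the crash
// state. Runs offline under Node.js.

// Wasm binary-format constants used below (values per the wasm binary spec).
const F64 = 0x7c;
const I32 = 0x7f;
const OP = {
  localGet: 0x20, ifBlock: 0x04, elseBlock: 0x05, end: 0x0b,
  f64Add: 0xa0, f64Sub: 0xa1, f64Mul: 0xa2, f64Div: 0xa3,
};
const BINOPS = { add: OP.f64Add, sub: OP.f64Sub, mul: OP.f64Mul, div: OP.f64Div };

// Unsigned LEB128, wasm's variable-length integer encoding.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}
const vec = (items) => [...uleb(items.length), ...items.flat()];
const section = (id, bytes) => [id, ...uleb(bytes.length), ...bytes];
const utf8Name = (s) => vec([...new TextEncoder().encode(s)]);

// One function per binop, type (param f64 f64 i32) (result f64):
//   local.get 2
//   if (result f64)
//     local.get 0  local.get 1  <f64 binop>   ;; binop result on the value stack
//   else
//     local.get 0                             ;; the other arm pushes an f64
//   end
// At `else`, Liftoff merges the taken arm's stack, whose top slot is the binop
// result, into the if's merge state. With the pre-fix f32 tag on that slot,
// this is the kind of join where dst.type() == src.type() cannot hold.
function funcBody(binop) {
  const code = [
    OP.localGet, 2,
    OP.ifBlock, F64,
    OP.localGet, 0, OP.localGet, 1, binop,
    OP.elseBlock,
    OP.localGet, 0,
    OP.end,   // closes the if
    OP.end,   // closes the function
  ];
  const body = [...uleb(0), ...code];    // zero local declarations, then code
  return [...uleb(body.length), ...body];
}

function buildModule() {
  const names = Object.keys(BINOPS);
  const funcType = [0x60, ...vec([F64, F64, I32]), ...vec([F64])];
  const typeSec = section(1, vec([funcType]));
  const funcSec = section(3, vec(names.map(() => [0])));            // all use type 0
  const exportSec = section(7, vec(names.map((n, i) => [...utf8Name(n), 0x00, i])));
  const codeSec = section(10, vec(names.map((n) => funcBody(BINOPS[n]))));
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,   // "\0asm", version 1
    ...typeSec, ...funcSec, ...exportSec, ...codeSec,
  ]);
}

// Compiles and instantiates synchronously. On a debug build with the bug and
// the Liftoff tier enabled, the DCHECK would fire inside this compile step.
function instantiate() {
  const wasmModule = new WebAssembly.Module(buildModule());
  return new WebAssembly.Instance(wasmModule).exports;
}

// Drives every export through both arms so the merged f64 values can be
// compared against JS double arithmetic on the same inputs.
function run(a, b) {
  const ex = instantiate();
  const js = { add: a + b, sub: a - b, mul: a * b, div: a / b };
  const results = {};
  for (const n of Object.keys(BINOPS)) {
    const taken = ex[n](a, b, 1);       // binop arm
    const notTaken = ex[n](a, b, 0);    // passthrough arm, returns a
    results[n] = { taken, notTaken, expected: js[n], ok: taken === js[n] && notTaken === a };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(run(1.5, 0.25));
}
```

Two caveats on scope, both supported by the thread: as the assignee notes, Liftoff was disabled by default at the time, so a default-configured build never reached this code; and the failing check is a DCHECK, so it is only compiled into debug builds such as the libfuzzer_chrome_asan_debug job that found it. The value of a shape like this is as a permanent regression test, which is what the fix CL added under test/mjsunit/regress/wasm/.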
Feb 19 2018
Feb 20 2018

ClusterFuzz has detected this issue as fixed in range 537717:537724.

Detailed report: https://clusterfuzz.com/testcase?key=4717891753345024
Fuzzer: libFuzzer_v8_wasm_compile_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  dst.type() == src.type() in liftoff-assembler.cc
  v8::internal::wasm::StackTransferRecipe::TransferStackSlot
  v8::internal::wasm::LiftoffAssembler::MergeFullStackWith
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=536319:536337
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=537717:537724
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4717891753345024

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 20 2018

ClusterFuzz testcase 4717891753345024 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 13 2018
Labels: Test-Predator-Auto-Components