Issue 834619

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-04-30
OS: Linux
Pri: 1
Type: Bug-Security




DCHECK failure in func_index == code->index() in wasm-code-manager.cc

Reported by ClusterFuzz (Project Member), Apr 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4629797553307648

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  func_index == code->index() in wasm-code-manager.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52525:52526

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629797553307648

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by ClusterFuzz (Project Member), Apr 19 2018

Labels: Test-Predator-Auto-Owner
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/ff64dfa09207208d3cae0b0a0745b9397adaf9cc ([wasm] Improve patching behavior for lazy compilation).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by sheriffbot@chromium.org (Project Member), Apr 19 2018

Labels: Pri-1

Comment 3 by vakh@chromium.org, Apr 20 2018

Components: Blink>JavaScript>WebAssembly
Labels: Security_Impact-Head

Comment 4 by vakh@chromium.org, Apr 20 2018

Cc: clemensh@chromium.org

Comment 5 by vakh@chromium.org, Apr 20 2018

Labels: M-68

Comment 6 by sheriffbot@chromium.org (Project Member), Apr 21 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by titzer@chromium.org, Apr 25 2018

Status: Started (was: Assigned)

Comment 8 by bugdroid1@chromium.org (Project Member), Apr 27 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/903d87312e1e7cd145a6baa0c77696f1288e2a89

commit 903d87312e1e7cd145a6baa0c77696f1288e2a89
Author: Ben L. Titzer <titzer@chromium.org>
Date: Fri Apr 27 08:27:56 2018

[wasm] Fix target instance for indirect calls to imports

In the case of an indirect call to an imported function, the target
instance stored in the IFT was actually wrong.

Bug:  chromium:834619 
Change-Id: Id2ac4158335ecf2b58e1983ce37df852a9ebd1b2
Reviewed-on: https://chromium-review.googlesource.com/1030174
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52831}
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/function-compiler.cc
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/module-compiler.cc
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/src/wasm/wasm-code-manager.cc
[add] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/test/mjsunit/regress/wasm/regress-834619.js
[modify] https://crrev.com/903d87312e1e7cd145a6baa0c77696f1288e2a89/test/mjsunit/wasm/indirect-tables.js

Comment 9 by titzer@chromium.org, Apr 27 2018

Labels: Merge-Request-67
Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org (Project Member), Apr 27 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
+awhalley@ for M67 merge review (Pls note CL listed at #8 is not yet baked in canary).

Comment 12 by ClusterFuzz (Project Member), Apr 28 2018

ClusterFuzz has detected this issue as fixed in range 52830:52831.

Detailed report: https://clusterfuzz.com/testcase?key=4629797553307648

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  func_index == code->index() in wasm-code-manager.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52525:52526
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52830:52831

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629797553307648

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 13 by ClusterFuzz (Project Member), Apr 28 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4629797553307648 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 14 by sheriffbot@chromium.org (Project Member), Apr 28 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
NextAction: 2018-04-30
awhalley@ for M67 merge review.
The NextAction date has arrived: 2018-04-30
govind - good for 67
Labels: -Merge-Review-67 Merge-Approved-67
Approving merge to M67 branch 3396 based on comment #17. Please merge ASAP so we can pick it up for tomorrow's beta release. Thank you.

Comment 19 by bugdroid1@chromium.org (Project Member), May 2 2018

Labels: merge-merged-6.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/977a8341fc8385c90cd89f89052fe70abc39f51f

commit 977a8341fc8385c90cd89f89052fe70abc39f51f
Author: Ben L. Titzer <titzer@google.com>
Date: Wed May 02 11:01:43 2018

Merged: [wasm] Fix target instance for indirect calls to imports

Revision: 903d87312e1e7cd145a6baa0c77696f1288e2a89

BUG= chromium:834619 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=clemensh@chromium.org

Change-Id: Ic268091c467ad8f131a247b501b38d12d76c93fa
Reviewed-on: https://chromium-review.googlesource.com/1039198
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#49}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}
[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/src/wasm/module-compiler.cc
[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/src/wasm/wasm-code-manager.cc
[add] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/test/mjsunit/regress/wasm/regress-834619.js
[modify] https://crrev.com/977a8341fc8385c90cd89f89052fe70abc39f51f/test/mjsunit/wasm/indirect-tables.js

Labels: -Merge-Approved-67
Already merged to M67 at #19.
Labels: -ReleaseBlock-Stable -M-68 M-67

Comment 22 by sheriffbot@chromium.org (Project Member), Aug 3

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
