Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on suspected regression changelists:

[turbofan][x64] Reduce compare-zero followed by flags-setting binop by kanghua.yu@intel.com - https://chromium.googlesource.com/v8/v8/+/423343635042c2d9b05a850ebc1d2fc3fc9cc4f5

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Andreas, the stack trace does not seem to be particularly deep. Is there anything special about libFuzzer's stack depth?

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1b11d98f4d097f511b24201595dd703347482565

commit 1b11d98f4d097f511b24201595dd703347482565
Author: Andreas Haas <ahaas@chromium.org>
Date: Mon May 14 10:38:47 2018

[turbofan] Binop Instructions can have up to 5 input operands

The clusterfuzz issue crashes because VisitBinops expected only but 4
input operands but in the generated graph 5 input operands get created
The issue is fixed by increasing the size of the input operand buffer.

R=jarin@chromium.org

Bug:  chromium:842501 
Change-Id: I4bbb09a968e165e6f5a0a02d06eee97333f7aa38
Reviewed-on: https://chromium-review.googlesource.com/1056989
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53147}
[modify] https://crrev.com/1b11d98f4d097f511b24201595dd703347482565/src/compiler/x64/instruction-selector-x64.cc
[add] https://crrev.com/1b11d98f4d097f511b24201595dd703347482565/test/mjsunit/regress/wasm/regress-842501.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3302242667ee30537f9389a4e395f1f5cfa41648

commit 3302242667ee30537f9389a4e395f1f5cfa41648
Author: Kanghua Yu <kanghua.yu@intel.com>
Date: Tue May 15 06:40:13 2018

Reland "[turbofan][x64] Reduce compare-zero followed by flags-setting binop"

On IA architecture, arithmetic and shifting operations set the flags
according to the computation result.

    subl rsi,0x1
    REX.W movq rbx,[rbx+0x17]
    cmpl rsi, 0                       <-- TO BE REDUCED
    jnz 0x3f54d2dcef0
==>
    REX.W movq rbx,[rbx+0x17]
    subl rsi,0x1
    jnz 0x3f54d2dcef0
&
    orl rdx,rbx
    cmpl rdx,0x0                      <-- TO BE REDUCED
    jnz 0x3f54d22b0f5
==>
    orl rdx,rbx
    jnz 0x3f54d22b0f5

Bug:  chromium:842497 ,  chromium:842501 
Change-Id: I4e2c40861b76ac3f508b01ee27249e85eab3222f
Reviewed-on: https://chromium-review.googlesource.com/1057351
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Kanghua Yu <kanghua.yu@intel.com>
Cr-Commit-Position: refs/heads/master@{#53171}
[modify] https://crrev.com/3302242667ee30537f9389a4e395f1f5cfa41648/src/compiler/x64/instruction-selector-x64.cc
[modify] https://crrev.com/3302242667ee30537f9389a4e395f1f5cfa41648/test/cctest/compiler/test-run-machops.cc

ClusterFuzz has detected this issue as fixed in range 558266:558274.

Detailed report: https://clusterfuzz.com/testcase?key=6679494744866816

Fuzzer: libFuzzer_v8_wasm_compile_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-buffer-overflow WRITE 8
Crash Address: 0x7fd2b81818b0
Crash State:
  v8::internal::compiler::VisitBinop
  v8::internal::compiler::VisitCompareZero
  v8::internal::compiler::InstructionSelector::VisitWordCompareZero
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=557856:557860
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=558266:558274

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6679494744866816

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6679494744866816 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/63bd3a88c5461dbb2287bffa431b059d15d91692

commit 63bd3a88c5461dbb2287bffa431b059d15d91692
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed May 16 12:04:34 2018

[turbofan] Increase the number of inputs for Binop instructions further

In WebAssembly benchmarks I saw Binop instructions with 6 inputs. We
don't know how many inputs there can actually be, so we conservatively
increase the number to 8 now.

R=jarin@chromium.org
Bug= chromium:842501 

Change-Id: Id087481e7e524006c2f03fc545f9e35d1cad1fe8
Reviewed-on: https://chromium-review.googlesource.com/1061114
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53207}
[modify] https://crrev.com/63bd3a88c5461dbb2287bffa431b059d15d91692/src/compiler/x64/instruction-selector-x64.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot