
Issue 844842

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 13
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Mac
Pri: 2
Type: Bug




%DeserializeWasmModule crashes when fuzzers call it with invalid input

Project Member Reported by ClusterFuzz, May 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4830874529693696

Fuzzer: ochang_js_fuzzer
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x561e003664f2
Crash State:
  NULL
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=53203:53204

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4830874529693696

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: clemensh@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: -Pri-1 Pri-3
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Summary: %DeserializeWasmModule crashes when fuzzers call it with invalid input
Runtime_DeserializeWasmModule either needs to be robustified to accept any type of object as input (and throw if it's not a JSArrayBuffer), or blacklisted from fuzzers (I forget where that configuration lives though).

My uninformed guess is that the former is the better fix, as it seems like a potentially useful fuzzing target, but I don't know the constraints/considerations here.

The function is only called from tests, so this has no impact in the wild.
Issue 850081 has been merged into this issue.
Labels: -Pri-3 Pri-2
Project Member

Comment 4 by ClusterFuzz, Jun 11 2018

Labels: OS-Windows

Comment 5 by titzer@chromium.org, Jun 13 2018

I'd argue we should just blacklist, as we fuzz modules separately, and we have a mode that serializes/deserializes modules as they go through the compilation pipeline. The deserializer will probably explode in innumerable ways when fed arbitrary bytes.
The runtime function in question is already blacklisted (or to be more precise it is not whitelisted). The problem here is that the fuzzer is too smart and produces a string that is then eval'ed, which defeats our whitelist recognition. There used to be a tracking issue for this, but I cannot seem to find it right now.
One example is issue 786362.
Project Member

Comment 8 by ClusterFuzz, Jun 16 2018

Labels: OS-Android
Status: Started (was: Assigned)
Just realized that the string in question actually appears verbatim in our test corpus, the fuzzer just picked up the existing string. I'll remove it from the corpus.
Project Member

Comment 10 by bugdroid1@chromium.org, Jul 13

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/25ec9d833b8a6ac3ef6eb130f58562a4e3628f88

commit 25ec9d833b8a6ac3ef6eb130f58562a4e3628f88
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri Jul 13 10:07:22 2018

[test] Remove eval string confusing the fuzzer.

This removes an occurrence where the "%Foo" native syntax appears as part
of a string. Such strings are picked up by the fuzzer and recombined in
unsupported ways, producing false-positive crash reports. Simply avoid
having those strings in the fuzzing corpus.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-808848
BUG=chromium:844842

Change-Id: I017c1552578f0d26033e58b11353e87e27a69ebf
Reviewed-on: https://chromium-review.googlesource.com/1136300
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54432}
[modify] https://crrev.com/25ec9d833b8a6ac3ef6eb130f58562a4e3628f88/test/mjsunit/regress/wasm/regress-808848.js
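
Comment 7 and the commit message above describe the actual root cause: a `%Foo(...)` native-syntax call sat inside a string literal in the test corpus, the fuzzer lifted that string and recombined it into eval'ed code, and the direct call then bypassed the fuzzer's recognition of which natives it is allowed to invoke. The following script is an added example, not part of this bug, of V8, or of ClusterFuzz tooling. It lints JavaScript corpus files for exactly that pattern: native-syntax calls that appear inside string literals (direct calls outside strings are the intended, allowlist-checked use and are left alone). The sample corpus is constructed here, and `findNativesInStrings` and `report` are names chosen for this example.

```javascript
// Added example (not V8's or ClusterFuzz's own tooling): scan JavaScript
// source for V8 native-syntax calls ("%Foo(...)") that appear INSIDE string
// literals. A fuzzer that recombines corpus fragments and evals them can
// turn such a string into a direct runtime call that bypasses the fuzzer's
// allowlist of supported natives, producing false-positive crash reports.
const NATIVE_CALL = /%[A-Za-z_]\w*\s*\(/g;

// Minimal scanner: skips // and /* */ comments, tracks '...', "..." and
// `...` literals, and reports native-syntax tokens found inside them.
// Regex literals and nested ${} in templates are handled only approximately;
// this is a corpus-hygiene lint, not a full JavaScript parser.
function findNativesInStrings(source) {
  const findings = [];
  const n = source.length;
  let i = 0;
  let line = 1;
  while (i < n) {
    const c = source[i];
    if (c === '\n') { line++; i++; continue; }
    if (c === '/' && source[i + 1] === '/') {          // line comment
      while (i < n && source[i] !== '\n') i++;
      continue;
    }
    if (c === '/' && source[i + 1] === '*') {          // block comment
      const end = source.indexOf('*/', i + 2);
      const stop = end === -1 ? n : end + 2;
      for (let k = i; k < stop; k++) if (source[k] === '\n') line++;
      i = stop;
      continue;
    }
    if (c === '"' || c === "'" || c === '`') {         // string literal
      const quote = c;
      const startLine = line;
      let j = i + 1;
      let body = '';
      while (j < n && source[j] !== quote) {
        if (source[j] === '\\') {                       // keep escapes intact
          const next = source[j + 1] || '';
          if (next === '\n') line++;
          body += source[j] + next;
          j += 2;
          continue;
        }
        if (source[j] === '\n') line++;
        body += source[j];
        j++;
      }
      for (const m of body.matchAll(NATIVE_CALL)) {
        findings.push({ line: startLine, native: m[0].replace(/\s*\($/, ''), literal: body });
      }
      i = j + 1;
      continue;
    }
    i++;
  }
  return findings;
}

// Constructed sample corpus file (not the real regress-808848.js).
const SAMPLE = [
  '// --allow-natives-syntax',
  'const buf = new ArrayBuffer(8);',
  '%DeserializeWasmModule(buf, buf);          // direct call: intended use',
  'assertThrows(() => eval("%DeserializeWasmModule(1, 2)"));  // in a string: flagged',
  "let s = '%NotANative'; /* %InComment(x) */",   // no "(" in string; comment skipped
  '`%Template(${buf})`',                            // template literal: flagged
].join('\n');

// One line per finding, suitable for a pre-submit check on a fuzzing corpus.
function report(source) {
  return findNativesInStrings(source).map(f => `line ${f.line}: ${f.native}`);
}

console.log(report(SAMPLE).join('\n'));
// prints:
// line 4: %DeserializeWasmModule
// line 6: %Template
```

Run it with `node` on a corpus file's contents; a non-empty report means the file carries a native call in string form that a recombining fuzzer could eval, which is the situation the commit above fixed by deleting the string from the corpus.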

Status: Fixed (was: Started)
Project Member

Comment 12 by ClusterFuzz, Jul 20

Labels: Needs-Feedback
ClusterFuzz testcase 4830874529693696 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Labels: ClusterFuzz-Wrong
See comments above as to why %DeserializeWasmModule is not intended to be called directly. The "fix" in comment #10 was just to remove the eval string from our corpus. Nothing actionable left here. Moving on.
Project Member

Comment 14 by ClusterFuzz, Jul 22

Labels: OS-Mac
Issue 868386 has been merged into this issue.
Issue 869786 has been merged into this issue.
Issue 880093 has been merged into this issue.
Issue 879993 has been merged into this issue.
Project Member

Comment 19 by ClusterFuzz, Sep 4

Labels: Fuzz-Blocker ReleaseBlock-Beta M-71
This crash occurs very frequently on android and windows platforms and is likely preventing the fuzzer ochang_js_fuzzer_win from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Issue 881268 has been merged into this issue.
Issue 882149 has been merged into this issue.
Issue 884151 has been merged into this issue.
Issue 884535 has been merged into this issue.
