Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/8a95da24150bee6b8b5d63e08f21af756bfe24c4 ([wasm] Reimplement WebAssembly.instantiate without desugaring).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Andreas created a CL to fix this: https://crrev.com/c/1092234
It does not pass the bots yet, I will work on fixing this.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e0dc3d29626673b74144ebb65390c24808fab18e

commit e0dc3d29626673b74144ebb65390c24808fab18e
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed Jun 13 09:01:48 2018

[wasm] Reject an exception in the start function on the promise

We assumed that if the ErrorThrower is empty after instantiation, then
instantiation succeeded and an instance exists which we can return.
However, if the start function throws, no instance exists, which caused
a crash. With this CL we handle execeptions thrown by the start
function correctly.


R=clemensh@chromium.org

Bug:  chromium:848966 
Change-Id: I51dc94e6bc563aa4a4b88c44a14e831af913fbd8
Reviewed-on: https://chromium-review.googlesource.com/1092234
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53687}
[modify] https://crrev.com/e0dc3d29626673b74144ebb65390c24808fab18e/src/wasm/wasm-engine.cc
[modify] https://crrev.com/e0dc3d29626673b74144ebb65390c24808fab18e/test/mjsunit/wasm/start-function.js

Should be fixed by #4. Will request backmerge once we have canary coverage and clusterfuzz verification.

ClusterFuzz has detected this issue as fixed in range 53686:53687.

Detailed report: https://clusterfuzz.com/testcase?key=4748518699565056

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x562ad51ea63e
Crash State:
  Check
  ToHandleChecked
  v8::internal::wasm::WasmEngine::AsyncInstantiate
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53346:53347
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53686:53687

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748518699565056

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4748518699565056 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The NextAction date has arrived: 2018-06-15

This is in the last three canaries (>=69.0.3460.0). Requesting backmerge to 68.

This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M68. BRanch:3440

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b364ba5741122bcafb631acca994f10c869940ec

commit b364ba5741122bcafb631acca994f10c869940ec
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Jun 18 09:58:49 2018

Merged: [wasm] Reject an exception in the start function on the promise

We assumed that if the ErrorThrower is empty after instantiation, then
instantiation succeeded and an instance exists which we can return.
However, if the start function throws, no instance exists, which caused
a crash. With this CL we handle execeptions thrown by the start
function correctly.

R=mstarzinger@chromium.org

Bug:  chromium:848966 
No-Try: true
No-Presubmit: true
No-Treechecks: true
Change-Id: If044e62ebe45b5598bf5ef6787e7dde873a21f11
Originally-reviewed-on: https://chromium-review.googlesource.com/1092234
Reviewed-on: https://chromium-review.googlesource.com/1103566
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.8@{#27}
Cr-Branched-From: 44d7d7d6b1041b57644400a00cb3fee35f6c51b2-refs/heads/6.8.275@{#1}
Cr-Branched-From: 5754f66f75136dc17b4c63fec84f31dfdb89186e-refs/heads/master@{#53286}
[modify] https://crrev.com/b364ba5741122bcafb631acca994f10c869940ec/src/wasm/wasm-engine.cc
[modify] https://crrev.com/b364ba5741122bcafb631acca994f10c869940ec/test/mjsunit/wasm/start-function.js