Issue 853931
Issue metadata

Status: Fixed
Closed: Jul 31
OS: Linux
Pri: 1
Type: Bug

Abrt in v8::internal::wasm::WasmDecoder<

Reported by ClusterFuzz (Project Member), Jun 18 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4658288801873920

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x053900001529
Crash State:
  v8::internal::wasm::WasmDecoder<
  Decode
  v8::internal::wasm::BuildTFGraph
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53804:53805

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4658288801873920

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Jun 18 2018

Labels: Test-Predator-Auto-Owner
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/733b7c8258872dbbb44222831694c5f6b69424ab ([wasm] Introduce jump table).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Comment 2 by ClusterFuzz (Project Member), Jun 18 2018

Components: Blink>JavaScript>WebAssembly
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 3 by ClusterFuzz (Project Member), Jun 19 2018

ClusterFuzz has detected this issue as fixed in range 53806:53807.

Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53806:53807

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 4 by ClusterFuzz (Project Member), Jun 19 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4658288801873920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 5 by ClusterFuzz (Project Member), Jun 21 2018

ClusterFuzz has detected this issue as fixed in range 53832:53833.

Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=53832:53833

Cc: ligim...@chromium.org
Labels: -ClusterFuzz-Verified Target-70 ReleaseBlock-Beta M-70 FoundIn-70
Status: Assigned (was: Verified)
This crash still exists in latest canary-70.0.3504.0

Magic signature: v8::internal::wasm::WasmDecoder<v8::internal::wasm::Decoder::kValidate>::DecodeLocals

Crash Report   go/crash/719db6daffd38e4c
============
Thread 15 (id: 0x65c) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x000001e4174d9c50 ] MAGIC SIGNATURE THREAD
Stack Quality: 100%
0x00007ff8734e4155	(chrome_child.dll -function-body-decoder-impl.h:690 )	v8::internal::wasm::WasmDecoder<v8::internal::wasm::Decoder::kValidate>::DecodeLocals
0x00007ff8734fcb67	(chrome_child.dll -function-body-decoder-impl.h:1248 )	v8::internal::wasm::WasmFullDecoder<v8::internal::wasm::Decoder::kValidate,v8::internal::wasm::(anonymous namespace)::WasmGraphBuildingInterface>::Decode
0x00007ff8734fc941	(chrome_child.dll -function-body-decoder.cc:868 )	v8::internal::wasm::BuildTFGraph(v8::internal::AccountingAllocator *,v8::internal::compiler::WasmGraphBuilder *,v8::internal::wasm::FunctionBody &,v8::internal::compiler::NodeOriginTable *)
0x00007ff873284a63	(chrome_child.dll -wasm-compiler.cc:5039 )	v8::internal::compiler::TurbofanWasmCompilationUnit::BuildGraphForWasmFunction(double *,v8::internal::compiler::MachineGraph *,v8::internal::compiler::NodeOriginTable *)
0x00007ff873285042	(chrome_child.dll -wasm-compiler.cc:5122 )	v8::internal::compiler::TurbofanWasmCompilationUnit::ExecuteCompilation()
0x00007ff873510776	(chrome_child.dll -function-compiler.cc:86 )	v8::internal::wasm::WasmCompilationUnit::ExecuteCompilation()
0x00007ff873519343	(chrome_child.dll -module-compiler.cc:541 )	v8::internal::wasm::`anonymous namespace'::FetchAndExecuteCompilationUnit
0x00007ff87351d6d8	(chrome_child.dll -module-compiler.cc:856 )	v8::internal::wasm::`anonymous namespace'::BackgroundCompileTask::RunInternal
0x00007ff8720dd74b	(chrome_child.dll -task_annotator.cc:101 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ff872135a9d	(chrome_child.dll -task_tracker.cc:529 )	base::internal::TaskTracker::RunOrSkipTask(base::internal::Task,base::internal::Sequence *,bool)
0x00007ff872135585	(chrome_child.dll -task_tracker.cc:404 )	base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>,base::internal::CanScheduleSequenceObserver *)
0x00007ff8720d57b1	(chrome_child.dll -scheduler_worker.cc:329 )	base::internal::SchedulerWorker::RunWorker()
0x00007ff8720d542f	(chrome_child.dll -scheduler_worker.cc:224 )	base::internal::SchedulerWorker::RunPooledWorker()
0x00007ff8738681a3	(chrome_child.dll -platform_thread_win.cc:91 )	base::`anonymous namespace'::ThreadFunc
0x00007ff8c1c23033	(KERNEL32.DLL + 0x00013033 )	BaseThreadInitThunk
0x00007ff8c3d91430	(ntdll.dll + 0x00071430 )	RtlUserThreadStart

Link to the builds which introduced the crash
=============================================
https://crash.corp.google.com/browse?q=product_name%3D%27Chrome%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Awasm%3A%3AWasmDecoder%3Cv8%3A%3Ainternal%3A%3Awasm%3A%3ADecoder%3A%3AkValidate%3E%3A%3ADecodeLocals%27#-samplereports,-productname:1000,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50

Status: Fixed (was: Assigned)
Must be a different issue. The reason for this bug was that the {WasmModule} could die before the {NativeModule}, which was fixed in ad57eec5455b24bc928aa0f58c39a0d04cb9e328.