Issue metadata
CHECK failure: Type cast failed in CAST(LoadObjectField(data_view, JSDataView::kByteLengthOffse
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5926756985602048

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  Type cast failed in CAST(LoadObjectField(data_view, JSDataView::kByteLengthOffse
  v8::internal::CheckObjectType
  v8::internal::Simulator::SoftwareInterrupt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=53552:53553

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5926756985602048

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 31
Automatically adding ccs based on suspected regression changelists: [dataview] Implement Torque/CSA getters for DataView by theotime@google.com - https://chromium.googlesource.com/v8/v8/+/22fab0bad8a759e530910cd6a66b97cf9cbc94d7 If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Jul 31
Cannot assign to theotime@google.com (not a project member). Assigning to reviewer instead.
Aug 1
Aug 1
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 3
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2

commit 3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2
Author: Théotime Grohens <theotime@google.com>
Date: Fri Aug 03 13:21:16 2018

[dataview] Fix too tight TNode type in DataView getters

This CL fixes a bug found by Clusterfuzz, in which the functions
LoadDataViewByteOffset and -ByteLength incorrectly had a return type of
TNode<Smi> instead of TNode<Number>. This caused a CAST() call to fail when
the requested byte offset or byte length did not fit inside a Smi, i.e. when
the underlying ArrayBuffer of the DataView had a length longer than 2^30 on
32-bit platforms.

The CL also includes a new test in mjsunit to test against this.

Bug: chromium:869313
Change-Id: Ibb7d29bda5782a12c4b506c070bb03fef8c3ec70
Reviewed-on: https://chromium-review.googlesource.com/1158582
Commit-Queue: Théotime Grohens <theotime@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54900}

[modify] https://crrev.com/3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2/src/builtins/base.tq
[modify] https://crrev.com/3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2/src/builtins/builtins-data-view-gen.h
[modify] https://crrev.com/3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2/src/builtins/data-view.tq
[add] https://crrev.com/3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2/test/mjsunit/regress/regress-crbug-869313.js
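The commit message above names the boundary: a 31-bit Smi holds at most 2^30 - 1, so a DataView byteLength or byteOffset of 2^30 has to come back as a heap Number, which the TNode<Smi> return type rejected. The following regression-style check is an added example, not the mjsunit test the CL added; it assumes the host can allocate roughly 1 GiB and reports 'skipped' when it cannot, and exercises both getters at that size.

```javascript
// Added example (not the CL's regress-crbug-869313.js). Exercises the
// DataView getters at the length boundary named in the fix: a 31-bit Smi
// holds at most 2**30 - 1, so a byteLength or byteOffset of 2**30 must be
// returned as a heap Number rather than a Smi.

const SMI_MAX_32BIT = 2 ** 30 - 1; // largest 31-bit Smi (32-bit V8 builds)

// True when `n` is representable as a 31-bit Smi.
function fitsSmi32(n) {
  return Number.isInteger(n) && n >= -(2 ** 30) && n <= SMI_MAX_32BIT;
}

// Builds views whose byteLength and byteOffset sit just past the Smi range
// and checks the getters. Returns 'ok', 'skipped' (allocation refused by the
// host), or throws on a mismatch.
function checkLargeDataViewGetters() {
  const length = SMI_MAX_32BIT + 1; // 2**30: first value outside Smi range
  let buffer;
  try {
    buffer = new ArrayBuffer(length + 8); // extra room for a view past 2**30
  } catch (e) {
    if (e instanceof RangeError) return 'skipped'; // ~1 GiB not available
    throw e;
  }
  // Case 1: byteLength does not fit a Smi, byteOffset does.
  const full = new DataView(buffer, 0, length);
  if (full.byteLength !== length) throw new Error('byteLength mismatch');
  if (full.byteOffset !== 0) throw new Error('byteOffset mismatch');
  // Case 2: byteOffset does not fit a Smi, byteLength does.
  const tail = new DataView(buffer, length, 8);
  if (tail.byteOffset !== length) throw new Error('byteOffset mismatch');
  if (tail.byteLength !== 8) throw new Error('byteLength mismatch');
  // Touch the bytes behind the large offset through the view (constructed value).
  tail.setUint32(0, 0x01020304);
  if (tail.getUint32(0) !== 0x01020304) throw new Error('readback mismatch');
  return 'ok';
}
```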
Aug 3
Aug 3
Aug 4
ClusterFuzz has detected this issue as fixed in range 54899:54900.

Detailed report: https://clusterfuzz.com/testcase?key=5926756985602048

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  Type cast failed in CAST(LoadObjectField(data_view, JSDataView::kByteLengthOffse
  v8::internal::CheckObjectType
  v8::internal::Simulator::SoftwareInterrupt

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=53552:53553
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=54899:54900

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5926756985602048

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 4
ClusterFuzz testcase 5926756985602048 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 5
Aug 5
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.

Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 5
+awhalley@ (Security TPM) for M69 merge review.
Aug 6
govind@ - good for 69
Aug 6
Approving merge to M69 branch 3497 based on comment #14. Please merge ASAP so we can pick it up for this week Beta release. Thank you.
Aug 7
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f075e32f3fcd5205b37a4283d0773b36ecbe8c30

commit f075e32f3fcd5205b37a4283d0773b36ecbe8c30
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Tue Aug 07 13:19:23 2018

Merged: [dataview] Fix too tight TNode type in DataView getters

Revision: 3656b4656ed3b4c4f424f77e5b43fdebbd77b3c2

BUG= chromium:869313
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=mvstanton@chromium.org

Change-Id: Ia71f6318ee07356d74e1badb49c5c1402fb0815b
Reviewed-on: https://chromium-review.googlesource.com/1165230
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.9@{#25}
Cr-Branched-From: d7b61abe7b48928aed739f02bf7695732d359e7e-refs/heads/6.9.427@{#1}
Cr-Branched-From: b7e108d6016bf6b7de3a34e6d61cb522f5193460-refs/heads/master@{#54504}

[modify] https://crrev.com/f075e32f3fcd5205b37a4283d0773b36ecbe8c30/src/builtins/base.tq
[modify] https://crrev.com/f075e32f3fcd5205b37a4283d0773b36ecbe8c30/src/builtins/builtins-data-view-gen.h
[modify] https://crrev.com/f075e32f3fcd5205b37a4283d0773b36ecbe8c30/src/builtins/data-view.tq
[add] https://crrev.com/f075e32f3fcd5205b37a4283d0773b36ecbe8c30/test/mjsunit/regress/regress-crbug-869313.js
Aug 7
Aug 7
Merged to V8 6.9, will be rolled to M69.
Aug 15
Nov 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jul 31. Labels: Test-Predator-Auto-Components