Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/3a79d5bcc58e2378f76c26c0120b66b23509c20f ([wasm] Move (almost all) constants to wasm-constants.h).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5d69010e269e3161a95de2030e14f0a291d00b42

commit 5d69010e269e3161a95de2030e14f0a291d00b42
Author: Ben L. Titzer <titzer@chromium.org>
Date: Thu Aug 16 14:02:02 2018

[asmjs] Properly validate asm.js heap sizes

Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
limitations on the size of asm.js heaps.

R=clemensh@chromium.org
CC=​mstarzinger@chromium.org

Bug:  chromium:873600 
Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
Reviewed-on: https://chromium-review.googlesource.com/1174411
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55163}
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/src/asmjs/asm-js.cc
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/cctest/test-api.cc
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/message/asm-linking-bogus-heap.out
[add] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/asm/asm-heap.js
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/mjsunit.status
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/regress/regress-6700.js
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/regress/regress-crbug-759327.js
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/regress/wasm/regress-776677.js
[add] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/regress/wasm/regress-873600.js
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/wasm/asm-wasm-memory.js
[modify] https://crrev.com/5d69010e269e3161a95de2030e14f0a291d00b42/test/mjsunit/wasm/asm-wasm.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c07c93f3278295e29b3e3e890e5c646e26d45ada

commit c07c93f3278295e29b3e3e890e5c646e26d45ada
Author: Leszek Swirski <leszeks@chromium.org>
Date: Thu Aug 16 16:32:43 2018

Revert "[asmjs] Properly validate asm.js heap sizes"

This reverts commit 5d69010e269e3161a95de2030e14f0a291d00b42.

Reason for revert: New test fails on ARM GC stress bot - https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Arm%20GC%20Stress/8054

Original change's description:
> [asmjs] Properly validate asm.js heap sizes
> 
> Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> limitations on the size of asm.js heaps.
> 
> R=​clemensh@chromium.org
> CC=​​mstarzinger@chromium.org
> 
> Bug:  chromium:873600 
> Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> Reviewed-on: https://chromium-review.googlesource.com/1174411
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55163}

TBR=mstarzinger@chromium.org,titzer@chromium.org,clemensh@chromium.org

Change-Id: I95ca5306a495bfc0f78d7a29f5d6269fc9c0bdfa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:873600 
Reviewed-on: https://chromium-review.googlesource.com/1178141
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55173}
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/src/asmjs/asm-js.cc
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/cctest/test-api.cc
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/message/asm-linking-bogus-heap.out
[delete] https://crrev.com/49f7687575a6eb8a8cf6a273b16b6ce5cbbe5503/test/mjsunit/asm/asm-heap.js
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/mjsunit.status
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/regress/regress-6700.js
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/regress/regress-crbug-759327.js
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/regress/wasm/regress-776677.js
[delete] https://crrev.com/49f7687575a6eb8a8cf6a273b16b6ce5cbbe5503/test/mjsunit/regress/wasm/regress-873600.js
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/wasm/asm-wasm-memory.js
[modify] https://crrev.com/c07c93f3278295e29b3e3e890e5c646e26d45ada/test/mjsunit/wasm/asm-wasm.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5c3092718e92d123366d0e5d3679c7258bda686c

commit 5c3092718e92d123366d0e5d3679c7258bda686c
Author: Ben L. Titzer <titzer@chromium.org>
Date: Fri Aug 17 12:49:21 2018

Reland "[asmjs] Properly validate asm.js heap sizes"

This is a reland of 5d69010e269e3161a95de2030e14f0a291d00b42

Original change's description:
> [asmjs] Properly validate asm.js heap sizes
> 
> Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> limitations on the size of asm.js heaps.
> 
> R=clemensh@chromium.org
> CC=​mstarzinger@chromium.org
> 
> Bug:  chromium:873600 
> Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> Reviewed-on: https://chromium-review.googlesource.com/1174411
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55163}

Bug:  chromium:873600 
Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
Reviewed-on: https://chromium-review.googlesource.com/1179681
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55193}
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/src/asmjs/asm-js.cc
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/src/d8.cc
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/src/flag-definitions.h
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/src/wasm/wasm-objects.cc
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/cctest/test-api.cc
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/message/asm-linking-bogus-heap.out
[add] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/asm/asm-heap.js
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/mjsunit.status
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/regress/regress-6700.js
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/regress/regress-crbug-759327.js
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/regress/wasm/regress-776677.js
[add] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/regress/wasm/regress-873600.js
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/wasm/asm-wasm-memory.js
[modify] https://crrev.com/5c3092718e92d123366d0e5d3679c7258bda686c/test/mjsunit/wasm/asm-wasm.js

ClusterFuzz has detected this issue as fixed in range 55192:55193.

Detailed report: https://clusterfuzz.com/testcase?key=4786452597309440

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  mem_size <= wasm::kV8MaxWasmMemoryBytes in wasm-objects.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50502:50503
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55192:55193

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4786452597309440

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4786452597309440 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dd65e4b837117205e2198b9765c333bab8fee1e4

commit dd65e4b837117205e2198b9765c333bab8fee1e4
Author: Aseem Garg <aseemgarg@chromium.org>
Date: Tue Aug 21 00:51:54 2018

Revert "Reland "[asmjs] Properly validate asm.js heap sizes""

This reverts commit 5c3092718e92d123366d0e5d3679c7258bda686c.

Reason for revert: Broke fast/workers/worker-shared-asm-buffer.html

Original change's description:
> Reland "[asmjs] Properly validate asm.js heap sizes"
>
> This is a reland of 5d69010e269e3161a95de2030e14f0a291d00b42
>
> Original change's description:
> > [asmjs] Properly validate asm.js heap sizes
> >
> > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> > limitations on the size of asm.js heaps.
> >
> > R=clemensh@chromium.org
> > CC=​mstarzinger@chromium.org
> >
> > Bug:  chromium:873600 
> > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> > Reviewed-on: https://chromium-review.googlesource.com/1174411
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55163}
>
> Bug:  chromium:873600 
> Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
> Reviewed-on: https://chromium-review.googlesource.com/1179681
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55193}

TBR=mstarzinger@chromium.org,titzer@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  chromium:873600 
Change-Id: I5845c584c7ac399b9b7939f5fd50c09b7b2cc3d2
Reviewed-on: https://chromium-review.googlesource.com/1182616
Commit-Queue: Aseem Garg <aseemgarg@chromium.org>
Reviewed-by: Aseem Garg <aseemgarg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55242}
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/src/asmjs/asm-js.cc
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/src/d8.cc
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/src/flag-definitions.h
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/src/wasm/wasm-objects.cc
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/cctest/test-api.cc
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/message/asm-linking-bogus-heap.out
[delete] https://crrev.com/a4235f0093b930cc4d09117cc5379bff7682cc8f/test/mjsunit/asm/asm-heap.js
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/mjsunit.status
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/regress/regress-6700.js
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/regress/regress-crbug-759327.js
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/regress/wasm/regress-776677.js
[delete] https://crrev.com/a4235f0093b930cc4d09117cc5379bff7682cc8f/test/mjsunit/regress/wasm/regress-873600.js
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/wasm/asm-wasm-memory.js
[modify] https://crrev.com/dd65e4b837117205e2198b9765c333bab8fee1e4/test/mjsunit/wasm/asm-wasm.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b

commit 438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b
Author: Ben L. Titzer <titzer@chromium.org>
Date: Tue Aug 21 09:00:04 2018

Reland "[asmjs] Properly validate asm.js heap sizes"

This is a reland of 5c3092718e92d123366d0e5d3679c7258bda686c
(the CL was reverted because of a Chromium test that is now fixed)

Original change's description:
> Reland "[asmjs] Properly validate asm.js heap sizes"
>
> This is a reland of 5d69010e269e3161a95de2030e14f0a291d00b42
>
> Original change's description:
> > [asmjs] Properly validate asm.js heap sizes
> >
> > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> > limitations on the size of asm.js heaps.
> >
> > R=clemensh@chromium.org
> > CC=​mstarzinger@chromium.org
> >
> > Bug:  chromium:873600 
> > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> > Reviewed-on: https://chromium-review.googlesource.com/1174411
> > Commit-Queue: Ben Titzer <titzer@chromium.org>
> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#55163}
>
> Bug:  chromium:873600 
> Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932
> Reviewed-on: https://chromium-review.googlesource.com/1179681
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55193}

Bug:  chromium:873600 
Change-Id: I6eca2a89589070837b109278f964fc8e9a0fd6f1
Reviewed-on: https://chromium-review.googlesource.com/1183081
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55249}
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/src/asmjs/asm-js.cc
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/src/d8.cc
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/src/flag-definitions.h
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/src/wasm/wasm-objects.cc
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/cctest/test-api.cc
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/message/asm-linking-bogus-heap.out
[add] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/asm/asm-heap.js
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/mjsunit.status
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/regress/regress-6700.js
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/regress/regress-crbug-759327.js
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/regress/wasm/regress-776677.js
[add] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/regress/wasm/regress-873600.js
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/wasm/asm-wasm-memory.js
[modify] https://crrev.com/438e7ec6dc7e6ab342fe6d109cedf2fbdd3c4b3b/test/mjsunit/wasm/asm-wasm.js

 Issue 876195  has been merged into this issue.

 Issue 876200  has been merged into this issue.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

titzer@, does this bug have any security impacts? And if so, is the severity (High) accurate? 

We need this information for the Chrome VRP panel, thanks!

Friendly ping re #18

I don't there was a security impact, because the check worked to prevent the unsafe situation properly (too large of memory). Earlier validation was needed.

Sorry for not replying earlier, but I agree with the label change in c21 that this was not high security impact.