Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/bf1e47e6ff10734045b2d6a501da49d20980f742 ([ptr-compr] Switch Smis to 31-bit on 64-bit platforms.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

From the fail site: https://cs.chromium.org/chromium/src/v8/src/layout-descriptor.cc?l=244&rcl=0c05bf73b422ca9c849cec08fa23cf4589b0b508 :

  // It must not become fast-mode descriptor here, because otherwise it has to
  // be fast pointer layout descriptor already but it's is slow mode now.
  DCHECK_LT(kSmiValueSize, layout_descriptor_length);

I don't see any reason to believe that this would cause a security problem so currently thinking of SecurityImpactNone.

ishell@ -- can you please comment on what would have happened in the absence of this DCHECK? 

This DCHECK should be updated for the 31-bit Smis: https://chromium-review.googlesource.com/c/v8/v8/+/1185186

Security_Impact-None, based on #c4 and the CL.

ClusterFuzz has detected this issue as fixed in range 55332:55333.

Detailed report: https://clusterfuzz.com/testcase?key=5767277283377152

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kSmiValueSize < layout_descriptor_length in layout-descriptor.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55268:55269
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55332:55333

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767277283377152

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5767277283377152 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/57c8c85b9f06d4be03ce3c12d1b286b8f2245030

commit 57c8c85b9f06d4be03ce3c12d1b286b8f2245030
Author: Igor Sheludko <ishell@chromium.org>
Date: Fri Aug 24 09:17:36 2018

[ptr-compr] Fix assert in LayoutDescriptor which failed with 31-bit Smis.

Bug: v8:7703,  chromium:876696 
Change-Id: Ida3243414215b2ef75a9875ca31cf5a68274f7e0
Reviewed-on: https://chromium-review.googlesource.com/1185186
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55383}
[modify] https://crrev.com/57c8c85b9f06d4be03ce3c12d1b286b8f2245030/src/layout-descriptor.cc

@awhalley I don't see the duped bug here. When did the internal fuzzers find this?

Sorry, double checking - had some automation hiccups.

Hi decoder.oh@ - pardon the previous confusion.

The VRP panel did, however, decline to reward as the bug was just in the DCHECK itself, so there was no actual security impact.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot