Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/afb7bdc46a086f2e43779a5f7c1c06746285517c ([wasm] Move compilation methods to module-compiler.h).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

 Issue v8:8347  has been merged into this issue.

Looking into this now.

Not a security bug. Runs into the CHECK reliably.

This is the minimal reproducer I could come up with:

function asm (global, env, buffer) {
  'use asm';
  var HEAPF64 = new global.Float64Array(buffer);
  var Math_fround = global.Math.fround;
  function main() {
    HEAPF64[0] = Math_fround(+HEAPF64[0]);
  }
  return {main: main};
};
let module = asm(this, undefined, new ArrayBuffer(16*1024*1024));
module.main();

Michi, can you take this over?

Yes, I'll take a look. Thanks for the minification, super useful!

Actually, the special casing we have in place for assigning "double?" to a "Float32Array" view is also incomplete. It misses to insert the proper conversion when the value is "double?" instead of "double". This can be reproduced as follows ...

function Module(global, env, buffer) {
  "use asm";
  var HEAPF64 = new global.Float64Array(buffer);
  var HEAPF32 = new global.Float32Array(buffer);
  var Math_fround = global.Math.fround;
  function main_d_f() {
    HEAPF64[0] = Math_fround(+HEAPF64[0]);
  }
  function main_d_fq() {
    HEAPF64[1] = HEAPF32[16777216];
  }
  function main_f_dq() {
    HEAPF32[4] = HEAPF64[16777216];
  }
  return {main_d_f: main_d_f, main_d_fq: main_d_fq, main_f_dq: main_f_dq};
};
let buffer = new ArrayBuffer(16*1024*1024);
let module = Module(this, undefined, buffer);

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/545fa6e51ad584aad07e4dd247d50459d7bcc3f4

commit 545fa6e51ad584aad07e4dd247d50459d7bcc3f4
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri Oct 26 11:33:23 2018

[asm.js] Fix storing float32 value into float64 heap view.

The valid store types of a {Float64Array} heap view are specified to be
"float?" and "double?". We correctly accepted both types but forgot to
emit the appropriate conversion in the "float?" case. This just adds the
missing conversion expression.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-898974
BUG= chromium:898974 , v8:8347 

Change-Id: I306b10e2088185b1522da29b1a113908ef9925f2
Reviewed-on: https://chromium-review.googlesource.com/c/1301499
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57025}
[modify] https://crrev.com/545fa6e51ad584aad07e4dd247d50459d7bcc3f4/src/asmjs/asm-parser.cc
[add] https://crrev.com/545fa6e51ad584aad07e4dd247d50459d7bcc3f4/test/mjsunit/regress/regress-crbug-898974.js

This should be fixed now. Thanks Alon for the report.

ClusterFuzz has detected this issue as fixed in range 57024:57025.

Detailed report: https://clusterfuzz.com/testcase?key=6266049102872576

Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !unit.failed() in module-compiler.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=48203:48204
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=57024:57025

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6266049102872576

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6266049102872576 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.