Fatal error in ValueDeserializer::ReadJSObjectProperties
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4670415865380864
Fuzzer: libFuzzer_v8_serialized_script_value_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows
Crash Type: Fatal error
Crash Address:
Crash State:
  gin::PrintStackTrace
  v8::internal::ValueDeserializer::ReadJSObjectProperties
  v8::internal::ValueDeserializer::ReadJSObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=609819:609826
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670415865380864

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
Nov 21
Automatically adding ccs based on suspected regression changelists:

Only expect new data properties in ValueDeserializer. by yangguo@chromium.org - https://chromium.googlesource.com/v8/v8/+/2603bb051e9b31802419a47bff03bb8ec7bb0641
[wasm] Adjust the traphandler implementation for MacOS by ahaas@chromium.org - https://chromium.googlesource.com/v8/v8/+/9d5dd6dd1959d34e7f1890ee37fb312dbf4e3d84
[ptr-compr] Introduce EmbedderDataArray by ishell@chromium.org - https://chromium.googlesource.com/v8/v8/+/d469fec064da93b4ba3753bbdb4e8f4fd1691a73

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Nov 21
My CL only affects macOS and potentially Linux, but not windows.
Nov 21
Nov 22
Hooray, Yang's new CHECKs found something.
Dec 1
ClusterFuzz testcase 4670415865380864 appears to be flaky, updating reproducibility label.
Dec 1
Please ignore the last comment about testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused from these incorrect notifications.
Dec 1
I don't think this is actionable. If the structured clone data is corrupted to trigger this code path, we should not recover gracefully. Crashing here is the right thing to do imo. I'm not sure what we should do here wrt fuzzing.
Dec 1
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Dec 1
Jeremy, what is the expectation for the ValueDeserializer? Does it need to be able to handle all data, even corrupted ones? Issue 905940 happened precisely because of such data that I assume the attacker managed to corrupt. My opinion is that we should simply crash for data that cannot be produced by the ValueSerializer. If we do not attempt to handle all data gracefully, how do we deal with fuzzing here?
Dec 5
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cccaa27eca0d8fd3192b7f676b785cb8769b5b2d

commit cccaa27eca0d8fd3192b7f676b785cb8769b5b2d
Author: Yang Guo <yangguo@chromium.org>
Date: Wed Dec 05 11:20:23 2018

Gracefully fail in ValueDeserializer.

Bug: chromium:905940, chromium:907343
R=verwaest@chromium.org

Change-Id: Ibe8f06782f8a0bf9a09832d443e1c66c3bda8399
Reviewed-on: https://chromium-review.googlesource.com/c/1362046
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58040}

[modify] https://crrev.com/cccaa27eca0d8fd3192b7f676b785cb8769b5b2d/src/value-serializer.cc
[modify] https://crrev.com/cccaa27eca0d8fd3192b7f676b785cb8769b5b2d/test/unittests/value-serializer-unittest.cc
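Added example to illustrate the policy choice discussed in this thread (crash on data the serializer could never have produced, versus "gracefully fail" by reporting no value to the caller). This is a toy C++ deserializer written for this page, not V8's ValueDeserializer and not the code in the CL above; the wire format, the sample payloads, and the use of a repeated property key as the thing that violates the "only new data properties" expectation are all constructed assumptions for illustration.

```cpp
// Added example (not V8's code): a toy structured-clone style deserializer for
// an object's property list, showing the two policies debated in this thread:
// treat an invariant violation as a fatal error, or fail gracefully by
// returning "no value" so the caller can reject the payload.
//
// Wire format (constructed for this example, not V8's real format):
//   'o'                                              start of object
//   repeated: 'k' <len:1> <key bytes> 'v' <int32 LE> one property
//   '}'                                              end of object
// The assumption that a duplicate key is what violates the "only new data
// properties" expectation is illustrative; it stands in for whatever malformed
// input the fuzzer actually found.

#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <optional>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Object = std::map<std::string, int32_t>;

namespace toy {

// Cursor over the input buffer; every read is bounds-checked so truncated
// input is reported as a soft failure, never an out-of-bounds read.
struct Reader {
  const Bytes& data;
  size_t pos = 0;
  std::optional<uint8_t> u8() {
    if (pos >= data.size()) return std::nullopt;
    return data[pos++];
  }
  std::optional<int32_t> i32() {
    if (data.size() - pos < 4) return std::nullopt;
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= uint32_t(data[pos++]) << (8 * i);
    return int32_t(v);
  }
  std::optional<std::string> str(size_t len) {
    if (data.size() - pos < len) return std::nullopt;
    std::string s(data.begin() + pos, data.begin() + pos + len);
    pos += len;
    return s;
  }
};

// Policy 1 (the state this bug was filed against): an invariant violation in
// the property loop is a fatal error. Acceptable only if the bytes are trusted;
// a fuzzer, or anyone who can tamper with stored clone data, reaches it.
[[noreturn]] inline void FatalCheckFailed(const char* what) {
  std::fprintf(stderr, "Fatal error: %s\n", what);
  std::abort();
}

// Shared parsing loop; `strict` selects crash-on-invariant vs. graceful failure.
inline std::optional<Object> ReadObject(const Bytes& input, bool strict) {
  Reader r{input};
  if (r.u8() != 'o') return std::nullopt;       // bad header: always a soft failure
  Object out;
  for (;;) {
    auto tag = r.u8();
    if (!tag) return std::nullopt;              // truncated input
    if (*tag == '}') return out;
    if (*tag != 'k') return std::nullopt;
    auto len = r.u8();
    if (!len) return std::nullopt;
    auto key = r.str(*len);
    if (!key || r.u8() != 'v') return std::nullopt;
    auto value = r.i32();
    if (!value) return std::nullopt;
    // The invariant: the serializer emits each own property once, so the
    // deserializer expects every key to be new.
    bool inserted = out.emplace(*key, *value).second;
    if (!inserted) {
      if (strict) FatalCheckFailed("expected new data property");
      return std::nullopt;                      // graceful: reject the whole payload
    }
  }
}

}  // namespace toy

// The "CHECK" policy and the "gracefully fail" policy as separate entry points.
inline std::optional<Object> ReadObjectStrict(const Bytes& in)   { return toy::ReadObject(in, true); }
inline std::optional<Object> ReadObjectGraceful(const Bytes& in) { return toy::ReadObject(in, false); }

// Constructed sample payloads.
inline Bytes WellFormed() {
  return {'o', 'k', 1, 'a', 'v', 1, 0, 0, 0, 'k', 1, 'b', 'v', 2, 0, 0, 0, '}'};
}
inline Bytes DuplicateKey() {   // 'a' twice: a well-behaved serializer never emits this
  return {'o', 'k', 1, 'a', 'v', 1, 0, 0, 0, 'k', 1, 'a', 'v', 2, 0, 0, 0, '}'};
}
inline Bytes Truncated() {      // cut off inside the second property's value
  return {'o', 'k', 1, 'a', 'v', 1, 0, 0, 0, 'k', 1, 'b', 'v', 2};
}
```

With the graceful policy, `ReadObjectGraceful(DuplicateKey())` and `ReadObjectGraceful(Truncated())` both return an empty optional and the caller decides what to do with a rejected payload; `ReadObjectStrict(DuplicateKey())` aborts the process, which is exactly the behaviour the fuzzer reported as a fatal error. Either way the malformed bytes never produce a partially built object.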
Dec 5
ClusterFuzz testcase 4934449349001216 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 6
ClusterFuzz has detected this issue as fixed in range 613948:613957.

Detailed report: https://clusterfuzz.com/testcase?key=4670415865380864
Fuzzer: libFuzzer_v8_serialized_script_value_fuzzer
Fuzz target binary: v8_serialized_script_value_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows
Crash Type: Fatal error
Crash Address:
Crash State:
  gin::PrintStackTrace
  v8::internal::ValueDeserializer::ReadJSObjectProperties
  v8::internal::ValueDeserializer::ReadJSObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=609819:609826
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=613948:613957
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670415865380864

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 14
The documentation for reproducing bugs on Windows was moved to: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md