V8 correctness failure in configs: x64,ignition_turbo:ia32,ignition_turbo

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5526800769482752

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition_turbo:ia32,ignition_turbo
  sources: 170

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51710:51711

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5526800769482752

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Nov 28

This seems to create a RangeError that doesn't honor FLAG_abort_on_stack_or_string_length_overflow as e.g.: https://cs.chromium.org/chromium/src/v8/src/heap/factory.cc?type=cs&q=abort_on+file:%5Esrc/v8/src/+package:%5Echromium$&g=0&l=2365

Seems with the regression commit, the RangeError creation changes somehow. Could you add a condition that aborts on FLAG_abort_on_stack_or_string_length_overflow in the right place, or go through a path creating the RangeError that already does it?

Reduced repro:

    __v_4 = 1073741823n ** 1n;
    __v_5 = 2n ** 31n - 1n;
    __v_6 = __v_5 - 64n - 2n;
    try {
      (() => {
        var __v_9 = 2n ** __v_4;
        var __v_0 = 2n ** __v_6;
      })();
      print('boom');
    } catch (e) {
      print('caught');
    }

On x64 we get a "RangeError: Maximum BigInt size exceeded" while on ia32 this passes. It's unspecced, but we suppress this kind of difference for correctness fuzzing by passing the flag above.

Nov 29

Maximum BigInt size should be the same on all platforms. I'm surprised to find out that it isn't (right now, interestingly, ia32 allows slightly larger BigInts than x64!). https://chromium-review.googlesource.com/c/v8/v8/+/833876/ introduced kPointerSize into the calculation. I'll fix that.

Nov 30

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/9d51166419bbdfa774782766798a91c6d13e33ce

commit 9d51166419bbdfa774782766798a91c6d13e33ce
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Fri Nov 30 23:43:29 2018

[bigint] Make kMaxLength platform-independent.

Taking kSystemPointerSize into account when determining the maximum allowed BigInt size accidentally made the limit platform-specific. This patch chooses a platform-independent constant (1<<30) instead.

Bug: chromium:909614
Change-Id: I4717969bc56e6dd5f1eed70b7e60e621989d0719
Reviewed-on: https://chromium-review.googlesource.com/c/1355625
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57983}

[modify] https://crrev.com/9d51166419bbdfa774782766798a91c6d13e33ce/src/objects/bigint.h
[modify] https://crrev.com/9d51166419bbdfa774782766798a91c6d13e33ce/test/mjsunit/harmony/bigint/regressions.js
[add] https://crrev.com/9d51166419bbdfa774782766798a91c6d13e33ce/test/mjsunit/regress/regress-crbug-909614.js
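The reduced repro above and the 1<<30 constant named in this commit, worked through as an added example (this is not code from the thread, from ClusterFuzz or from V8). The script predicts, without allocating, whether 2n ** e should fit under a platform-independent limit of 1 << 30 bits, then actually evaluates 2n ** e in the running engine and classifies the outcome by its observable result, which is how a differential fuzzer would compare two configurations. The modelled boundary "2n ** e fits iff e + 1 <= 1 << 30" is this example's assumption derived from the commit message, not a statement about the exact check inside V8; the sample exponents are taken from the repro (__v_6) and from well beyond the limit.

```javascript
// Added example, not code from the bug thread or from V8 itself. It probes
// how the running engine handles 2n ** exponent near and beyond the BigInt
// size limit and compares each observed outcome with a predicted one.

// The commit replaced the pointer-size-dependent maximum with a constant of
// 1 << 30 bits. The exact boundary of the engine's check is an assumption
// here; the model is "2n ** e fits iff the result's e + 1 bits are at most
// MAX_BIGINT_BITS".
const MAX_BIGINT_BITS = 1n << 30n;

// Predicted outcome from the model above, without allocating anything.
function predictTwoPow(exponent) {
  return exponent + 1n <= MAX_BIGINT_BITS ? 'ok' : 'RangeError';
}

// Observed outcome: evaluate 2n ** exponent and classify what happens by
// its observable result, as a correctness fuzzer classifies a run.
function probeTwoPow(exponent) {
  try {
    const result = 2n ** exponent;
    // For small results, confirm the bit length the model assumes (e + 1).
    // Skipped for large results: toString(2) on a multi-megabyte BigInt
    // would allocate a string with one character per bit.
    if (exponent < 4096n && result.toString(2).length !== Number(exponent) + 1) {
      return 'bit-length-mismatch';
    }
    return 'ok';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : `other:${e.name}`;
  }
}

// Run both for each exponent. A row where predicted !== observed is the
// kind of per-configuration difference the correctness fuzzer reports.
function compareOutcomes(exponents) {
  return exponents.map((exponent) => {
    const predicted = predictTwoPow(exponent);
    const observed = probeTwoPow(exponent);
    return {
      exponent: exponent.toString(),
      predicted,
      observed,
      matches: predicted === observed,
    };
  });
}

// Sample exponents (constructed for this example). The repro's first
// exponent, 2n ** 30n - 1n, is predicted to succeed but its result needs
// 128 MiB, so it is deliberately left out of the default run.
const SAMPLE_EXPONENTS = [
  100n,                         // small: succeeds, bit length is checkable
  (1n << 31n) - 1n - 64n - 2n,  // the repro's __v_6: beyond 1 << 30 bits
  1n << 40n,                    // far beyond the limit, fits one 64-bit digit
  1n << 64n,                    // exponent wider than one 64-bit digit
];

function main() {
  for (const row of compareOutcomes(SAMPLE_EXPONENTS)) {
    const verdict = row.matches ? 'match' : 'MISMATCH';
    console.log(`2n ** ${row.exponent}: predicted=${row.predicted} observed=${row.observed} ${verdict}`);
  }
}

main();
```

Run it under `node` (or `d8`, replacing `console.log` with `print`) on each build you care about; any MISMATCH row is a platform-specific limit of the kind this bug describes, and the same rows should agree across x64 and ia32 builds that contain the fix.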

Nov 30

Should be fixed with #4.

Dec 1

ClusterFuzz has detected this issue as fixed in range 57982:57983.

Detailed report: https://clusterfuzz.com/testcase?key=5526800769482752

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition_turbo:ia32,ignition_turbo
  sources: 170

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51710:51711
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=57982:57983

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5526800769482752

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 1

ClusterFuzz testcase 5526800769482752 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 28

Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)