adding V8 sheriffs, could you please check the issue.
------------------------------------------

Providing Findit info for internal purpose:

Findit could not find any suspected CLs.

Suspected Component: chromium-v8
Suspected Cr- Label: Cr-Blink-JavaScript

PTAL cf sheriffs.

Remove legacy label cr-blink-javascript.

Reproduces on TOT, bisected to "[es6] implement destructuring assignment" (https://codereview.chromium.org/1309813007).

The body in FunctionLiteral happend to be null.

To reproduce it in d8, just remove <script> tags from the minimized testcase.

Thanks for the bisect, will take a look.

If you can post the repro here, I can probably have a patch for this today

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f60048c5563761863463a5b685685ee1af8de04a

commit f60048c5563761863463a5b685685ee1af8de04a
Author: caitpotter88 <caitpotter88@gmail.com>
Date: Tue Apr 05 18:41:44 2016

[destructuring] don't attempt to visit contents of FunctionLiterals

The parser eagerly rewrites destructuring assignments occuring
in formal parameter initializers, because not doing so would
cause the BindingPattern rewriting to be confused and do the
wrong thing.

This change prevents this rewriting from descending into the
bodies of lazily parsed functions.

In general, it's a mistake to descend into the bodies of function
literals anyways, since they are rewritten separately on their
own time, so there is no distinction made between lazily
"throw away" eagerly parsed functions in the temporary parser
arena, or "real" eagerly parsed functions that will be compiled.

BUG= chromium:594084 ,  v8:811 
LOG=N
R=adamk@chromium.org, littledan@chromium.org

Review URL: https://codereview.chromium.org/1864553002

Cr-Commit-Position: refs/heads/master@{#35277}

[modify] https://crrev.com/f60048c5563761863463a5b685685ee1af8de04a/src/parsing/parser.cc
[add] https://crrev.com/f60048c5563761863463a5b685685ee1af8de04a/test/mjsunit/es6/regress/regress-594084.js

ClusterFuzz has detected this issue as fixed in range 385386:385441.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6517287525285888

Fuzzer: attekett_surku_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000000c
Crash State:
  v8::internal::AstExpressionVisitor::VisitStatements
  v8::internal::AstExpressionVisitor::VisitFunctionLiteral
  v8::internal::AstExpressionVisitor::VisitFunctionDeclaration
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=385386:385441

Minimized Testcase (14.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97xVT9flejbA9JVEud5Ds52Z2WhMnzM52us1neszZcGfcFQSn5aHR2LZhy4Hkg-2yb4CLVZSsRcI5QDP27gr31QDZNAIcvOBbVG0t_1YE-s017eF6R-RiVvStz-6uJc27klwwh8qr1Ztp-KAG5cTFFXC7lfvA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

I believe this can be closed as resolved

Do we need to merge this back to M50 or M51?

It's in M51, and since that's going stable relatively soon (according to https://www.chromium.org/developers/calendar), and usage in the wild still mostly depends on compile-to-js languages, it might not be necessary to merge to M50.

What do you think?

Please merge to M50.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a219ca9f68811c8f8a0d87a56fffcb41e5143c52

commit a219ca9f68811c8f8a0d87a56fffcb41e5143c52
Author: Adam Klein <adamk@chromium.org>
Date: Tue May 10 17:48:48 2016

Version 5.0.71.48 (cherry-pick)

Merged f60048c5563761863463a5b685685ee1af8de04a

[destructuring] don't attempt to visit contents of FunctionLiterals

BUG= chromium:594084 , v8:811 
LOG=N
R=littledan@chromium.org

Review URL: https://codereview.chromium.org/1969443002 .

Cr-Commit-Position: refs/branch-heads/5.0@{#57}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/a219ca9f68811c8f8a0d87a56fffcb41e5143c52/include/v8-version.h
[modify] https://crrev.com/a219ca9f68811c8f8a0d87a56fffcb41e5143c52/src/parsing/parser.cc
[add] https://crrev.com/a219ca9f68811c8f8a0d87a56fffcb41e5143c52/test/mjsunit/es6/regress/regress-594084.js

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Already merged.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot