for_scope == nullptr in src/parsing/parser.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369053845127168
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: for_scope == nullptr in src/parsing/parser.cc
Regressed: V8: r34469:34470
Minimized Testcase (6.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ykIBFVHsv5zlrjRertQHsVEt26mPK8com85oiKnMRow2nX2GzMoECp7NayDpxlz7j4L6w80BHuQzx62-JCv92xkQuvLgX17d7yBsott8VhZf9IxhmyKzsVw8-entN7FTCRpETfWXOEPmiA5b420vJ3pwnaA
Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 17 2016
Huh, interestingly, this traces back to a spec issue, which I reported at https://github.com/tc39/ecma262/issues/480. Minimal test case:

for (a in b) x: function y() {}

As for a temporary fix, I can think of a few, but the easiest and most conservative would be to roll back the part of the patch https://codereview.chromium.org/1757543003 which stopped introducing an extra scope in certain cases. But the long-term fix would be to implement whatever the committee decides, which shouldn't require this extra scope to be introduced.
Mar 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7f108b655bce12f922b5b2cec6652cefe1d6a245

commit 7f108b655bce12f922b5b2cec6652cefe1d6a245
Author: littledan <littledan@chromium.org>
Date: Thu Mar 24 01:57:53 2016

Implement ES2015 labelled function declaration restrictions

ES#sec-islabelledfunction specifies that labelled function declarations may not occur as the body of a control flow construct such as an if statement. This patch implements those restrictions, which also eliminates a previous case resulting in a DCHECK failure which is now a SyntaxError.

BUG= chromium:595309
R=adamk
LOG=Y

Review URL: https://codereview.chromium.org/1808373003

Cr-Commit-Position: refs/heads/master@{#35049}

[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/messages.h
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/parsing/parser-base.h
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/parsing/parser.cc
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/parsing/parser.h
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/parsing/preparser.cc
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/src/parsing/preparser.h
[modify] https://crrev.com/7f108b655bce12f922b5b2cec6652cefe1d6a245/test/cctest/test-parsing.cc
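The minimal test case in the comment above and the restriction the commit describes (a labelled function declaration may not be the direct body of an if statement or loop) are easy to check from JavaScript itself. The following is an added example, not part of the bug report or of the V8 patch: it compiles constructed source strings with `new Function` (sloppy mode, no execution) and records which ones the engine's parser rejects with a SyntaxError. The expected results follow the ES2016 IsLabelledFunction early errors plus the Annex B sloppy-mode allowances; the helper names `parses` and `checkLabelledFunctionRules` are this example's own. On a V8 build that includes the fix, every case matches and the problematic input is rejected at parse time instead of tripping a parser CHECK.

```javascript
// Added example (not from the V8 bug or the patch): probe how the engine's
// parser treats labelled function declarations in various positions.
// `new Function` compiles the source as a sloppy-mode function body without
// running it, so a SyntaxError here is a parse-time rejection.
function parses(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything other than a SyntaxError is unexpected here
  }
}

// Constructed cases: [source, expected parse result] under the ES2016
// sec-islabelledfunction early errors and the Annex B sloppy-mode rules.
const CASES = [
  // Annex B.3.2: a labelled function declaration in statement position
  // is allowed in sloppy code...
  ['x: function y() {}', true],
  // ...but never in strict code.
  ['"use strict"; x: function y() {}', false],
  // The minimized test case from the bug: the direct body of a for-in.
  ['for (a in b) x: function y() {}', false],
  // The same restriction applies to if and while bodies.
  ['if (a) x: function y() {}', false],
  ['while (a) x: function y() {}', false],
  // Annex B.3.4: an unlabelled function declaration directly as an if
  // body is still accepted in sloppy mode...
  ['if (a) function y() {}', true],
  // ...but a loop body must be a Statement, so this is rejected.
  ['for (a in b) function y() {}', false],
  // Wrapping it in a block makes the body a BlockStatement, which is fine.
  ['for (a in b) { x: function y() {} }', true],
];

// Returns the cases whose actual result differs from the expectation;
// an empty array means the engine implements the restriction as specified.
function checkLabelledFunctionRules(cases = CASES) {
  const mismatches = [];
  for (const [source, expected] of cases) {
    const actual = parses(source);
    if (actual !== expected) mismatches.push({ source, expected, actual });
  }
  return mismatches;
}

// Stand-alone run: print one line per case.
for (const [source, expected] of CASES) {
  const verdict = parses(source) ? 'parses ' : 'rejects';
  const want = expected ? 'parses' : 'rejects';
  console.log(`${verdict}  (expected ${want})  ${source}`);
}
```

Run it with `node` on any engine built after the fix; a non-empty result from `checkLabelledFunctionRules()` points at the exact source string whose handling diverges from the spec, which is the same kind of input a grammar fuzzer such as the one that filed this bug would generate.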
Mar 24 2016
ClusterFuzz has detected this issue as fixed in range 35048:35049.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5369053845127168
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: for_scope == nullptr in src/parsing/parser.cc
Regressed: V8: r34469:34470
Fixed: V8: r35048:35049
Minimized Testcase (6.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ykIBFVHsv5zlrjRertQHsVEt26mPK8com85oiKnMRow2nX2GzMoECp7NayDpxlz7j4L6w80BHuQzx62-JCv92xkQuvLgX17d7yBsott8VhZf9IxhmyKzsVw8-entN7FTCRpETfWXOEPmiA5b420vJ3pwnaA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 25 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by habl...@google.com, Mar 16 2016
Status: Assigned (was: Available)