Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762275373219840

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0001bfff8000
Crash State:
  v8::internal::Context::native_context
  v8::internal::Map::TransitionElementsTo
  v8::internal::JSObject::GetElementsTransitionMap
  
Recommended Security Severity: Medium


Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96JKllWiAcu6Y7SOLT7gHkvZWuTFBbRKXKtkb5H6sZx6Yc1ss67dnC4W_IthOMZHx2DSGeBU_h4xx6rHfW-BFDhuGd5jAtR4ZOoiQfsf0F8bp5HzOvg5tbhohMnKY29WCRPLkNChhySCHTNGYIpu3Bemyv7dw
function __f_7() {
  return "  [0, 0, 0];"
}
function __f_6() {
  return eval(__f_7());
}
function __f_10() {
  var __v_1 = __f_6();
  return __v_1;
}
function __f_3() {
  var __v_2 = __f_10();
  __v_2[0] = 1.5;
  return __v_2;
}
function __f_2(array, value) {
  array[1] = value;
}
function __f_9() {
  __f_2( 1.5);
  var __v_4 = __f_3();
  __f_2(__v_4);
}
__f_9();






Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Hmm, the two crashes look like different bugs that got merged here, don't they?

Yes, my fault. 

This is a reduced repro for the report referenced in the very first comment. Just because reports from the "decoder_langfuzz" fuzzer can be a little tricky to reproduce sometimes:

// Flags: --ignition

function f() {
  with ({}) x: function g() {}
}
f();

I am looking at the first bug where scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc.

filed another bug (https://bugs.chromium.org/p/chromium/issues/detail?id=597565) for the next bug since it is not related to the first one. 

Re #4: Also note that this no longer reproduces after a recent change:
https://chromium.googlesource.com/v8/v8/+/7f108b655bce12f922b5b2cec6652cefe1d6a245

Sorry about that; there was an issue where some for loops were made with invalid scopes, for example labelled function declarations in with statements as in #c4. A DCHECK would catch this, but they are banned in the language, so now it's a SyntaxError. However, this should not affect the case in #c1.

ClusterFuzz has detected this issue as fixed in range 35048:35049.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603091323715584

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scope->declarations()->is_empty() in src/interpreter/bytecode-generator.cc
  
Fixed: V8: r35048:35049

Minimized Testcase (10.10 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957KgOF2LQQin4JadxwQTVyDn7T0y1nlscMiDAxFuXtS6RCSmtX49RLd-3IqHtJZxqVeikN_d44e_YOekKtMmwlxNekORDSw97Vu4TENo9juLzVL8ZkxmzfrtcXpxs8aeiphP041WF6TrAEdUZ41JcGjNnybQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot