
Issue 607903 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Check failed: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc

Project Member Reported by ClusterFuzz, Apr 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6496618357981184

Fuzzer: inferno_webbot
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc
  <unknown>
  v8::base::OS::Abort
  V8_Fatal
  

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GpFcgRCovJDZqMjn1XWtfsb26t9w9XKoD0U9U7Y2Sh33WMjYYPnWM1-6_Ug6gYdsGop8LMHAtQurfK8zYb-2iXFdy6XNYyBzL-31p87_Z4F2AwEOfv4GTOXKHnZtt5iJQw2ArcAtQduLOAx_Tvodvf-87Ig
<script>
window.open("http://000area-weekly.com");
window.location = "http://inderscience.com";</script>


Filer: jkummerow

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: -jkummerow@google.com nikolaos@chromium.org jkummerow@chromium.org
Labels: -Pri-1 Pri-2
Owner: vogelheim@chromium.org
Status: Assigned (was: Available)
Summary: Check failed: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc (was: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc)
This still reproduces with ToT Chrome (V8 5.2.175). When I open http://000area-weekly.com with a Debug build I get:

#
# Fatal error in ../../v8/src/parsing/parser.cc, line 854
# Check failed: scanner_.peek_location().beg_pos == source->length() (222 vs. 221).
#

Assigning to vogelheim@ for parser expertise; feel free to reassign if there's a better owner.
Nicer repro attached, w/ a single-line HTML + 7-line JS. Reproduces with either chrome or content_shell debug builds.

The file ends with a // comment and *no* new-line. That fails the sanity test after parsing, which checks whether all characters have been read.

Not sure yet what to do, but I guess this is an uncritical bug, probably in how the parser skips over comments.
Attachment: b607903.zip (563 bytes)
Also, does not reproduce w/ d8. So probably something "interesting" about how the source string is passed from Chrome to V8.
#3 was wrong. The issue was that end-of-stream is represented as a code point, and ExternalTwobyteStringUtf16CharacterStream::PushBack of that 'magic' code point didn't quite work. The other stream implementations are fine.

D8 uses another stream implementation, which is why this didn't reproduce on d8.
Comment 5 by bugdroid1@chromium.org (Project Member), May 3 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/57f0a521e40a96bab629ca6618c9f939653f8a06

commit 57f0a521e40a96bab629ca6618c9f939653f8a06
Author: vogelheim <vogelheim@chromium.org>
Date: Tue May 03 09:41:34 2016

Fix ExternalTwobyteStringUtf16CharacterStream::PushBack(kEndOfInput)

PushBack(end-of-input) is a little weird, but since
Utf16CharacterStream::Advance will advance pos_m, but not buffer_cursor_
when at the end of the stream, pushing back the end-of-input token needs
to do the exact inverse.

(The reason Advance does not advance buffer_cursor_ is that buffer_cursor_ is often dereferenced
 directly to access memory and so always needs to point to, well, memory.)
(The PushBack implementation for all other streams looks correct.)

R=rossberg@chromium.org
BUG= chromium:607903 
LOG=Y

Review-Url: https://codereview.chromium.org/1941843002
Cr-Commit-Position: refs/heads/master@{#35968}

[modify] https://crrev.com/57f0a521e40a96bab629ca6618c9f939653f8a06/src/parsing/scanner-character-streams.h

Status: Fixed (was: Assigned)
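Added example, not V8's code and not the diff in the commit above: a small C++ model of the Advance()/PushBack() contract that comment 4 and the commit message describe, driven by a scanner step that skips a trailing `//` comment and then checks the same invariant as the parser.cc CHECK (end-of-input position equals source length). `TwoByteStream`, `ScanTrailingComment`, `ScanResult` and the sample source line are constructed for this example; the `fixed=false` branch models the behaviour the comments describe (pushing back the end-of-input code point also moved the buffer cursor), not the literal pre-fix code, and the push-back of the lookahead at end of input is a simplification of what the real scanner does.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

// Sentinel for "no more input", standing in for V8's kEndOfInput.
constexpr int32_t kEndOfInput = -1;

// Hypothetical two-byte (UTF-16) stream modelling the Advance()/PushBack()
// contract from the commit message. `fixed` selects the corrected PushBack();
// false models the described bug, where pushing back end-of-input also moved
// the buffer cursor even though Advance() had never moved it forward.
class TwoByteStream {
 public:
  TwoByteStream(const std::vector<uint16_t>& data, bool fixed)
      : data_(data),
        buffer_cursor_(data_.data()),
        buffer_end_(data_.data() + data_.size()),
        pos_(0),
        fixed_(fixed) {}

  // Next code unit, or kEndOfInput. pos_ always advances; buffer_cursor_ stops
  // at buffer_end_ because callers dereference it and it must point at memory.
  int32_t Advance() {
    ++pos_;
    if (buffer_cursor_ < buffer_end_) return *buffer_cursor_++;
    return kEndOfInput;
  }

  // Exact inverse of Advance(): for a real code unit both pos_ and the cursor
  // go back one; for kEndOfInput only pos_ does, since Advance() left the
  // cursor alone. The buggy variant moves the cursor back in both cases, so
  // the next Advance() re-delivers the last real code unit as a phantom.
  void PushBack(int32_t code_unit) {
    --pos_;
    if (code_unit != kEndOfInput || !fixed_) --buffer_cursor_;
  }

  size_t pos() const { return pos_; }

 private:
  std::vector<uint16_t> data_;
  const uint16_t* buffer_cursor_;
  const uint16_t* buffer_end_;
  size_t pos_;
  bool fixed_;
};

struct ScanResult {
  size_t source_length;         // code units in the source
  size_t units_after_pushback;  // code units delivered after the push-back
  size_t eos_pos;               // position at which end-of-input was finally seen
  bool consistent;              // eos_pos == source_length, the CHECK in parser.cc
};

// Models a scanner skipping a trailing `//` comment: read up to a line
// terminator or end of input, hand the lookahead back to the stream (the path
// that calls PushBack(kEndOfInput) when the comment ends the file), then
// drain the stream and record where end-of-input is finally reported.
ScanResult ScanTrailingComment(const std::string& source, bool fixed) {
  std::vector<uint16_t> units(source.begin(), source.end());  // ASCII -> UTF-16
  TwoByteStream stream(units, fixed);
  ScanResult r{source.size(), 0, 0, false};

  int32_t c0 = stream.Advance();
  while (c0 != kEndOfInput && c0 != '\n') c0 = stream.Advance();

  stream.PushBack(c0);
  for (c0 = stream.Advance(); c0 != kEndOfInput; c0 = stream.Advance()) {
    ++r.units_after_pushback;
  }
  r.eos_pos = stream.pos() - 1;
  r.consistent = (r.eos_pos == r.source_length);
  return r;
}

int main() {
  // Constructed input: a comment is the last thing in the file, no final newline.
  const std::string src = "x = 1; // trailing comment";
  for (bool fixed : {false, true}) {
    ScanResult r = ScanTrailingComment(src, fixed);
    std::printf("%s: eos_pos=%zu length=%zu phantom_units=%zu consistent=%s\n",
                fixed ? "fixed" : "buggy", r.eos_pos, r.source_length,
                r.units_after_pushback, r.consistent ? "yes" : "no");
  }
  return 0;
}
```

With the buggy push-back the stream hands out the last comment character a second time and end-of-input is reported one position late (length + 1 vs length, the same off-by-one shape as the `222 vs. 221` in the CHECK output). A source that ends with a newline is unaffected in either variant, because the pushed-back code unit is then a real character and the cursor really did move forward for it.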
Comment 7 by ClusterFuzz (Project Member), May 4 2016

ClusterFuzz has detected this issue as fixed in range 391361:391404.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=391361:391404


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
