Running this input with ASan gives:

==55338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000034 (pc 0x0000018bac07 bp 0x7fff88b127e0 sp 0x7fff88b12790 T0)

with the following stacktrace: https://paste.googleplex.com/5502136540463104

I guess that CF will find it soon with ASan build too, but I'm filing this one for now.

rossberg@, could you please take a look and help to find an owner for this?

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6661115622981632

Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::Isolate::Dispose
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=399229:399350

Minimized Testcase (0.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jwb0p8vDGjghBfOd-dwDk0VHIq_vuaXnj1wtvXMHmrTzbGpsjO1YwMiW-AkwZWa_CIy0mzIMqYnDrmmzi_yObkCZfoB5tp-7Wbw1nvAEpJYcyfWDvkRyXi-J-BRyudpwk9cpvud8DcUGkhmxHZfUQ3WYrLg?testcase_id=6661115622981632

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nikos, this CL of yours,

https://chromium.googlesource.com/v8/v8/+/dfb8d3331e7cb2c3e67ef820cbcb6cfbae7159e5

is in the revision range of this regression, and looks like the most likely candidate considering the stack trace of the failure:

https://paste.googleplex.com/5502136540463104

Can you please investigate and/or roll back the change?

This is not easy to reproduce with JS source.  Neither d8 nor the parser fuzzer *with the following patch* complain about it.  The bug only shows if the script is scanned as a one byte string, not UTF-8 (as d8 and, I assume, chrome, would probably do).

I don't know what to make of it yet, it's probably something that needs to be fixed, whether it is related to my CL or not.  But I doubt that the given test could crash chrome, if injected in a JS script, because V8 would scan it as UTF-8.

I'm still looking at it.


diff --git a/test/fuzzer/parser.cc b/test/fuzzer/parser.cc
index 4035ade..b4385d8 100644
--- a/test/fuzzer/parser.cc
+++ b/test/fuzzer/parser.cc
@@ -27,8 +27,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   if (size > INT_MAX) return 0;
   v8::internal::MaybeHandle<v8::internal::String> source =
-      factory->NewStringFromOneByte(
-          v8::internal::Vector<const uint8_t>(data, static_cast<int>(size)));
+      factory->NewStringFromUtf8(
+          v8::internal::Vector<const char>(reinterpret_cast<const char*>(data),
+                                           static_cast<int>(size)));
   if (source.is_null()) return 0;
 
   v8::internal::Handle<v8::internal::Script> script =

The following crashes d8 with a segfault.  It is a shrinked version of the script that was reported.  I'm investigating it.

  out/Debug/d8 -e '(y = 1[1, [...[]]]) => 1'

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2cabc866eca6e2f52ff339bf0307f390e712bf1e

commit 2cabc866eca6e2f52ff339bf0307f390e712bf1e
Author: nikolaos <nikolaos@chromium.org>
Date: Tue Jun 21 16:40:22 2016

Fix classifier related bug

R=adamk@chromium.org
BUG= chromium:621111 
LOG=N

Review-Url: https://codereview.chromium.org/2086513002
Cr-Commit-Position: refs/heads/master@{#37150}

[modify] https://crrev.com/2cabc866eca6e2f52ff339bf0307f390e712bf1e/src/parsing/parser-base.h
[add] https://crrev.com/2cabc866eca6e2f52ff339bf0307f390e712bf1e/test/mjsunit/harmony/regress/regress-crbug-621111.js

Fix already in M53, removing ReleaseBlock-Beta.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot