Fatal error in v8::internal::Parser::PatternRewriter::VisitBinaryOperation()
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5969325458718720
Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State:
  fuzzer::Fuzzer::CrashCallback
  fuzzer::Fuzzer::StaticCrashSignalCallback
  SignalHandler
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397679:397736
Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97To_w3OTwBOTgCHjsN7C7DZ4DnZ18Owo1jP_uJcccSxJFbztrU_O1EofUp6V2MrCwJYJgHQF_HjhPfLfg1xSYwx3Ugwb1ZwWrWbWx8P6KRxEZBTc17po8kJ4N7Nw-YKdEKSINTQM5qihA-kBQXCK1OA6T3RA?testcase_id=5969325458718720
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 21 2016
Bisecting...
Jun 21 2016
Bisected to dfce900d64f2579607705fd2d94c13f28c2e996f.

=== test.js ===
[(...[a+b]) => 42);

#
# Fatal error in ../src/parsing/pattern-rewriter.cc, line 581
# unreachable code
#

==== C stack trace ===============================
 1: V8_Fatal
 2: 0x1188a95
 3: v8::internal::BinaryOperation::Accept(v8::internal::AstVisitor*)
 4: v8::internal::Parser::PatternRewriter::RecurseIntoSubpattern(v8::internal::AstNode*, v8::internal::Expression*)
 5: v8::internal::Parser::PatternRewriter::VisitArrayLiteral(v8::internal::ArrayLiteral*, v8::internal::Variable**)
Jun 21 2016
Jun 22 2016
Possibly minimal test: out/Debug/d8 -e "(...[42]) => 42)"
Jun 22 2016
But this one works OK:
out/Debug/d8 -e "(a, ...[17]) => 42;"
unnamed:1: SyntaxError: Unexpected number
(a, ...[17]) => 42;
^^
SyntaxError: Unexpected number
So, the problem seems to be in the code that handles a single parenthesized spread expression (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=0&l=1582).
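As an added example (not from this bug thread and not V8's regression test), here is a small parser-behaviour check that feeds the inputs discussed above to the JavaScript parser through `new Function` and records whether each one is rejected cleanly with a SyntaxError, as a fixed engine must do, rather than being accepted or failing some other way. The malformed source strings are the ones quoted in the thread; the legal control case and the helper names are my own.

```javascript
// Added example: classify how the running JavaScript engine's parser treats a source string.
// `new Function` only parses the text; the resulting function body is never executed.
// Returns { source, outcome } with outcome 'syntax-error', 'parsed', or 'other-error'.
function classifyParse(source) {
  try {
    new Function(source);
    return { source, outcome: 'parsed' };
  } catch (e) {
    if (e instanceof SyntaxError) return { source, outcome: 'syntax-error' };
    // Anything that is not a SyntaxError (e.g. an engine-level failure) is flagged separately.
    return { source, outcome: 'other-error', error: String(e) };
  }
}

// Inputs taken from the bug report and follow-up comments; all of them are illegal because
// a spread/rest parameter must be followed by a binding pattern, not an arbitrary expression.
const MALFORMED_SPREAD_PARAMS = [
  '(...[a+b]) => 42);',   // the minimized fuzzer case: `a+b` is not a valid binding target
  '(...[42]) => 42)',     // the "possibly minimal" test from the thread
  '(a, ...[17]) => 42;',  // the variant that already produced "SyntaxError: Unexpected number"
];

// Control case (constructed): a rest parameter with a legal array binding pattern.
const LEGAL_REST_ARRAY_PATTERN = '(...[a, b]) => a + b';

// True when every malformed input is rejected with a SyntaxError and nothing else.
function checkMalformedAllRejected() {
  return MALFORMED_SPREAD_PARAMS
    .map(classifyParse)
    .every(r => r.outcome === 'syntax-error');
}

// The legal form must still parse and destructure the collected rest array; returns 3.
function evalLegalRestPattern() {
  const f = new Function('return (' + LEGAL_REST_ARRAY_PATTERN + ')(1, 2);');
  return f();
}
```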
Jun 22 2016
Fixed here: https://codereview.chromium.org/2084703005/
Jun 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b9f682baafb8fee8cca154d6dd66359facc06a69

commit b9f682baafb8fee8cca154d6dd66359facc06a69
Author: nikolaos <nikolaos@chromium.org>
Date: Wed Jun 22 18:05:06 2016

Fix bug with illegal spread as single arrow parameter

R=adamk@chromium.org
BUG= chromium:621496
LOG=N

Review-Url: https://codereview.chromium.org/2084703005
Cr-Commit-Position: refs/heads/master@{#37196}

[modify] https://crrev.com/b9f682baafb8fee8cca154d6dd66359facc06a69/src/parsing/parser-base.h
[add] https://crrev.com/b9f682baafb8fee8cca154d6dd66359facc06a69/test/mjsunit/harmony/regress/regress-crbug-621496.js
Jun 23 2016
ClusterFuzz has detected this issue as fixed in range 401421:401542.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5969325458718720
Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State:
  fuzzer::Fuzzer::CrashCallback
  fuzzer::Fuzzer::StaticCrashSignalCallback
  SignalHandler
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=397679:397736
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=401421:401542
Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94_9RCTWxmTMwm7RqQzPQKzNlAoaTLLs_urDMvR5I8DsSc6qYobxavuysuaBBAnVW46SjC9dfqiF1X89HjwtyKxDzZiwBQhsPDr-iuRO5XrEtumu_-YkmnqOCE99abgROHvi6rW_2MWww5n42h3tm8xRA1GyQ?testcase_id=5969325458718720
1,[,�((...[Groarunem+~gevalSe42]) => asserttEquls(42, y[0]))(Gro);

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 23 2016
Aug 26 2016
Issue v8:5313 has been merged into this issue.
Aug 26 2016
This fix should be merged back to V8 5.2 (although by now it's a little late for that...).
Aug 26 2016
[Automated comment] Request affecting a post-stable build (M52), manual review required.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2017
Comment 1 by mmoroz@chromium.org, Jun 20 2016
Components: Blink>JavaScript
Owner: vogelheim@chromium.org
Summary: Fatal error in v8::internal::Parser::PatternRewriter::VisitBinaryOperation() (was: Fatal error in )