Thanks for adding this Nico. Please reassign as needed. Removing security impact labels.

Probably doesn't have to be restricted either, right? Or is cluster-fuzz secret?

I'll take a look, since I added the fuzzer.

Removing security restrictions.

$ cat  ~/Downloads/fuzz-3-gn_parser_fuzzer 

#(t!((


What's happening here is that there are no non-comment tokens. So Parser::ParseFile() creates a new BlockNode but doesn't insert anything, and then AssignComments() calls GetRange().begin() on that BlockNode. BlockNode::GetRange() just returns LocationRange() if it doesn't have begin and end tokens and contains no statements, and the default constructor of LocationRange calls the default constructor of Location(), and that doesn't initialize byte_.

An easy fix would be to initialize byte_ to something (0?) but that might paper over other problems. But since there are no tokens, there's no token we could call BlockNode::set_begin_token with. Another possible fix would be to set byte_ to 0 in BlockNode::GetRange() at the bottom, then we'd still find other uninit locations.

But I think just initializing byte_ to 0 might be fine. Opinions?

byte_ should probably be initialized in the default Location() constructor for completeness. But I think AssignComments() should probably check that it's getting a valid range? I'm not totally sure though.

diff --git a/tools/gn/parser.cc b/tools/gn/parser.cc
index 57a398e..ab92071 100644
--- a/tools/gn/parser.cc
+++ b/tools/gn/parser.cc
@@ -819,6 +819,8 @@ void Parser::AssignComments(ParseNode* file) {
   // Assign line comments to syntax immediately following.
   int cur_comment = 0;
   for (auto* node : pre) {
+    if (node->GetRange().is_null())
+      continue;
     const Location& start = node->GetRange().begin();
     while (cur_comment < static_cast<int>(line_comment_tokens_.size())) {
       if (start.byte() >= line_comment_tokens_[cur_comment].location().byte()) {

?

https://codereview.chromium.org/2271383003/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3b455922b7ddb748e9a7b351cac7a4586c7e374

commit c3b455922b7ddb748e9a7b351cac7a4586c7e374
Author: thakis <thakis@chromium.org>
Date: Thu Aug 25 20:21:35 2016

gn: Don't read unitialized memory on files containing just a comment.

The BlockNode::GetRange() of a block containing nothing doesn't have
an initialized bytes_ member.  Skip empty nodes, they'll be assinged
to the file block further down.

Patch sketch by scottmg.

BUG= 640856 

Review-Url: https://codereview.chromium.org/2271383003
Cr-Commit-Position: refs/heads/master@{#414522}

[modify] https://crrev.com/c3b455922b7ddb748e9a7b351cac7a4586c7e374/tools/gn/parser.cc

ClusterFuzz has detected this issue as fixed in range 414520:414607.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4926244569481216

Fuzzer: libfuzzer_gn_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Parser::AssignComments
  Parser::ParseFile
  Parser::Parse
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=413827:414117
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=414520:414607

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94DLNRJSicgd4RVTStrukzzoZwXwKefez8jwzPAF5jRtxE2FIDt2ZOl708Rmo4Vugc8FfY0ApccR3OM1FUqTnsNFjNz12CWfx5Zrw1bimBckHw3qJ1JA_BgsDhYv_MJs1NYMt10wZl4NprWSDKQyBx1QP8jnQ?testcase_id=4926244569481216

#(t!((


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.