Assigning to the V8 clusterfuzz sheriff.

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

rossberg: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also due to Thanksgiving holidays in US, please make sure all fixes are ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16.

**** Bulk edit -  please ignore if not applicable ****


A friendly reminder that M55 Stable is launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also due to Thanksgiving holidays in US, please make sure fix is ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16 (sooner the better).

I can reproduce this on ToT with default flags.

Toon, can you also take a look?

Reduced test case:
assertThrows("class D extends async() =>");

https://codereview.chromium.org/2514893002 addresses the issue. Does anyone who's working this week or next know about function name inference? I'd ask Adam and Marja, but I believe they are both out.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/06f8e877267c9acae10e53e3054bea209dc92b78

commit 06f8e877267c9acae10e53e3054bea209dc92b78
Author: littledan <littledan@chromium.org>
Date: Fri Nov 18 18:31:28 2016

Fix function name inference corruption for async functions

The code which pushes and pops to the function name inference stack
generally checks if the stack is active with the IsOpen method. One
piece of code pertaining to async functions was missing that check.
This patch adds it.

BUG= chromium:658267 
R=gsathya,caitp

Review-Url: https://codereview.chromium.org/2514893002
Cr-Commit-Position: refs/heads/master@{#41120}

[modify] https://crrev.com/06f8e877267c9acae10e53e3054bea209dc92b78/src/parsing/func-name-inferrer.cc
[add] https://crrev.com/06f8e877267c9acae10e53e3054bea209dc92b78/test/mjsunit/regress/regress-cr-658267.js

+awhalley@ for merge review

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Your change meets the bar and is auto-approved for M55 (branch: 2883)

Your change meets the bar and is auto-approved for M56 (branch: 2924)

Your change meets the bar and is auto-approved for M55 (branch: 2883)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/797c065a6fee9543920e9baab26887373e082c1d

commit 797c065a6fee9543920e9baab26887373e082c1d
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Sat Nov 19 20:26:39 2016

Merged: Fix function name inference corruption for async functions

Revision: 06f8e877267c9acae10e53e3054bea209dc92b78

BUG= chromium:658267 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Review URL: https://codereview.chromium.org/2512413002 .

Cr-Commit-Position: refs/branch-heads/5.6@{#5}
Cr-Branched-From: bdd3886218dfe76e8560eb8a18401942452ae859-refs/heads/5.6.326@{#1}
Cr-Branched-From: 879f6599eee6e1dfcbe9a24bf688b261c03e9558-refs/heads/master@{#41014}

[modify] https://crrev.com/797c065a6fee9543920e9baab26887373e082c1d/src/parsing/func-name-inferrer.cc
[add] https://crrev.com/797c065a6fee9543920e9baab26887373e082c1d/test/mjsunit/regress/regress-cr-658267.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e633c37b356c5d7e18c8c3515361a6f55edd509d

commit e633c37b356c5d7e18c8c3515361a6f55edd509d
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Sat Nov 19 20:41:59 2016

Merged: Fix function name inference corruption for async functions

Revision: 06f8e877267c9acae10e53e3054bea209dc92b78

BUG= chromium:658267 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org, gsathya

Review URL: https://codereview.chromium.org/2514073003 .

Cr-Commit-Position: refs/branch-heads/5.5@{#50}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/e633c37b356c5d7e18c8c3515361a6f55edd509d/src/parsing/func-name-inferrer.cc
[add] https://crrev.com/e633c37b356c5d7e18c8c3515361a6f55edd509d/test/mjsunit/regress/regress-cr-658267.js

ClusterFuzz has detected this issue as fixed in range 433453:433455.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6705199190376448

Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x6250000119a0
Crash State:
  v8::internal::List<v8::internal::FuncNameInferrer::Name, v8::internal::ZoneAlloc
  v8::internal::ParserBase<v8::internal::Parser>::ParseLeftHandSideExpression
  v8::internal::ParserBase<v8::internal::Parser>::ParseClassLiteral
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=433453:433455

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94eYGE_ca0gmpeeE34ahuswRrhM-b8LnaPuUtdXI0C-k-1GtlJ1lYmWLLOebyXZUoAzQumAxfFGbS8iR9rCYm62f9RKa36ufDe354a-xmwNUzV3gMnWm8PBfPjOkFCmqyJMMmfcVW2yPuiIBuP1gPFaH5fr2Q?testcase_id=6705199190376448

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6cc91d6a1336fdfcdd0e7ffea307dbd506a80a4f

commit 6cc91d6a1336fdfcdd0e7ffea307dbd506a80a4f
Author: littledan <littledan@chromium.org>
Date: Mon Dec 19 21:25:52 2016

[parser] Harden DCHECK into CHECK in parser

A DCHECK is guarding something which has previously been a memory
integrity issue. It should be cheap to run. This patch makes it
into a CHECK.

BUG= chromium:658267 

Review-Url: https://codereview.chromium.org/2584223002
Cr-Commit-Position: refs/heads/master@{#41825}

[modify] https://crrev.com/6cc91d6a1336fdfcdd0e7ffea307dbd506a80a4f/src/parsing/func-name-inferrer.cc

Backport not necessary for Node.js v7.x (V8 5.4).

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot