providing Findit results for internal purpose:


Suspected CLs	Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.(No CL in the regression range changed the crashing files.)

Author: dcarney@chromium.org
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/499b31e222b15cfcc01f0ef54f02508c299e3ca3
Time: Tue Feb 25 13:53:06 2014
The CL last changed line 230 of file platform-posix.cc, which is stack frame 0.

Author: jochen@chromium.org
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/a4506cd3f2e6735b07b31e26ed0916eb253ced27
Time: Mon Jun 30 13:25:46 2014
The CL last changed line 67 of file logging.cc, which is stack frame 1.

Author: mstarzinger
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/627ffe9af217e413f878bc025dbcf282dd709151
Time: Fri Feb 27 11:15:35 2015
The CL last changed line 1068 of file isolate.cc, which is stack frame 2.

Author: jbroman
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/3a14fc91b90b94b02af8ecdcae20951e4848f6a8
Time: Thu Oct 06 15:12:32 2016
The CL last changed line 1750 of file value-serializer.cc, which is stack frame 3.

Author: jbroman
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/58cac6501f6b17d9cc8fb84ce65e7c89416dd9af
Time: Thu Aug 25 15:59:44 2016
The CL last changed line 3125 of file api.cc, which is stack frame 4.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 62 of file V8ScriptValueDeserializer.cpp, which is stack frame 5.

Author: tasak@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/84cf8e3183e2a67f373269fb690da91059c3b2bb
Time: Thu Nov 27 06:00:44 2014
The CL last changed line 46 of file SerializedScriptValueForModulesFactory.cpp, which is stack frame 6.

Suspected Project: chromium-v8
Suspected Component: Blink>JavaScript

requesting v8 team to check the issue.

Jochen, if you aren't a good person to look at this, feel free to re-assign.

Yeah, I think I just forgot to account for the fact that setting properties in the legacy path could throw an exception early. Seems straightforward.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/054e17796df10ed65e0381691ab092794f9aee2e

commit 054e17796df10ed65e0381691ab092794f9aee2e
Author: jbroman <jbroman@chromium.org>
Date: Tue Nov 15 15:16:20 2016

ValueSerializer: Don't throw an exception after SetPropertiesFromKeyValuePairs fails.

It always throws an exception in the cases that it fails, so throwing another
doesn't help things.

BUG= chromium:664416 

Review-Url: https://codereview.chromium.org/2495393002
Cr-Commit-Position: refs/heads/master@{#40999}

[modify] https://crrev.com/054e17796df10ed65e0381691ab092794f9aee2e/src/value-serializer.cc

ClusterFuzz has detected this issue as fixed in range 432256:432327.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6707038798479360

Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x7f69acbc19e8
Crash State:
  v8::internal::Isolate::Throw
  v8::internal::ValueDeserializer::ReadObjectUsingEntireBufferForLegacyFormat
  v8::ValueDeserializer::ReadValue
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=424448:424514
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=432256:432327

Minimized Testcase (0.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nrQSqZLJC-m5WqwyczQrwVc3uugACBqQtWbQLSc66hE5DkmASf8mBOP0g3UyIzwuucSBEvA70xBEkP2MrMe2hyt6HtlBTS98aX71KtLRBvtjlRhcFdFlP85fWbnNwmtUukmQ3RfBAJpxGPmD-e4I-sWbzxw?testcase_id=6707038798479360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/054e17796df10ed65e0381691ab092794f9aee2e

commit 054e17796df10ed65e0381691ab092794f9aee2e
Author: jbroman <jbroman@chromium.org>
Date: Tue Nov 15 15:16:20 2016

ValueSerializer: Don't throw an exception after SetPropertiesFromKeyValuePairs fails.

It always throws an exception in the cases that it fails, so throwing another
doesn't help things.

BUG= chromium:664416 

Review-Url: https://codereview.chromium.org/2495393002
Cr-Commit-Position: refs/heads/master@{#40999}

[modify] https://crrev.com/054e17796df10ed65e0381691ab092794f9aee2e/src/value-serializer.cc

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot