This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!

Stack-use-after-scope? Never seen that one before!

scottmg@: Could you look into whether Parser::AssignComments() is actually accessing the byte() of a location that was on the stack?

Probably, it's a pretty crappy function. Removing some tags because this code is build-time only.

ClusterFuzz has detected this issue as fixed in range 445327:445340.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5263927694065664

Fuzzer: libfuzzer_gn_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-use-after-scope READ 4
Crash Address: 0x7fbe02ea0ad0
Crash State:
  Location::byte
  Parser::AssignComments
  Parser::ParseFile
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=445086:445126
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=445327:445340

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9438pRAVFULXfxh_OYaA0N_iP_SoZKqxunvvJMxGU0jEdIa3XJml4UNylg9VRbvf11DIWBJ9Uj9rqDBX6DhVLxCmip-A8MRWQ-3g0AreSZssY14DzI9evt8Kel1x896EAEjd8wOpbljrCbI6szXvI5GbdPVv9tCdnRvDahjIPEM68ywYNM1HEvEZ4Q8ROeqmFbq8YAR3yNBNFX8zMiMVqQw-cmrHhZ9wyJ2eMwHtJZ0-MnkBP92JsgvJ974rEj9V16q06jmbRz4aHOwJY8YwLOlsnTLcJ9Pww1xpzp2tdnfBfGGKokcOBVEM9WogiFK2ZmvvY_b5Ac1gdbLvL9C1shgDcTzmssV3t_AZ04k5q5-j3LRF9M?testcase_id=5263927694065664
#
#




See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5263927694065664 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0fcc08c5d93f2e8128d5e583c236dd2a81e70a7b

commit 0fcc08c5d93f2e8128d5e583c236dd2a81e70a7b
Author: scottmg <scottmg@chromium.org>
Date: Fri Jan 27 01:48:52 2017

gn: fix fuzzer bug in parser for stack local

ParseNode::GetRange() returns a LocationRange by value, so the reference taken
is invalid at the next ;. Copy the Location by value instead.

R=brettw@chromium.org
BUG= 683454 

Review-Url: https://codereview.chromium.org/2654143005
Cr-Commit-Position: refs/heads/master@{#446528}

[modify] https://crrev.com/0fcc08c5d93f2e8128d5e583c236dd2a81e70a7b/tools/gn/parser.cc

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.