Use-after-poison in v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5465767912144896
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
  v8::internal::interpreter::BytecodeGenerator::BuildVariableAssignment
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=459483:459538
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94nXmj9hZ7IOtmpzw-LzvU5TEWpUIle_ebpJRbQXqVvp4YJqIgJYeOONeykTu6QcDQxveYjetf6t-yarNRUQrG4DNcadvx7VML2_Q3YvnVF3hLo-aLR94JOeWjlROlL-0o-lQVYxXG8pOuW3aEQHsVgfKkJKP1WzDhDFR3hy31gJwltfFeWkJsRf36cgM_MsW4DZ6UVt5o9rOgktsUAp7v4G5O78dP8b1CLhkbgRGW0TkCFcNhbmcvm4WiGs-J4TYhL4W-FcUt3PGcAnWqf5Yn1auuu7jPw7MXa65k3d3v5fn5sh2iuVSwnSftZcEUTnFTUpOXUv72K93C-E68xsi3Ow0IpwPPXv12AQVurPF61wIcIgiYby4pEiDluHZLyow2mckUJ1aR0wOFJX1iezjCRaY3Ynw?testcase_id=5465767912144896
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 29 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 29 2017
,
Mar 30 2017
rmcilroy@, I saw that you may have solved a similar crash before (#616064). I wonder if you know who can handle this crash. Thank you.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=4510888234319872
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x625000010109
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::GetEquivalen
  v8::internal::interpreter::BytecodeRegisterOptimizer::CreateMaterializedEquivale
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: V8: 43757:43758
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95FywHn9740pRk2YFskmYEo1MX0AGsWLutHhn3ftHzTo--XshzPjH1y4AZNXyD1Z7u-EUrvHPQKY71qC7TDQ-YlN66fAYhcsFUgAXkrn8CRRtj1CM2WZMxULcRYT_zM8eXgYVAOqpOnKQbFRWaQ5f0ZLTCF0w7gYA9zlUE7G3vYz_w4lWQVrclNQX-urWStRwJIg9eDWGs9rgn92KsX0CfwcKlpF9O12pbOpfS1T1u4iZUNxfv_OYpxX6CCQ0sCJF10Vc5d4Fc7p1hkYyg-OF6AcpCj-lBZWxTbawBfiPSarji9aEeDHJBpLSSKSPeDd8kAyP__5YSO5lEzdCveqROh0pzvGreO2x1ksWANdaTyADqTTS2F0VePrUFFDcgkPNUil0QDLRlf93jE8NS3rBGRJHWxHw?testcase_id=4510888234319872
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=5780132305567744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x625000010009
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43757:43758
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Etf4rHXS2u3BrFT1AtIzxpItzPsoP0hZWRADaubEwDNCzYuPu9Z4bSeQPY9zRiG8vNtcdBmkKlmnzn9PVDokX0_Or5-KbBmAJqIxLRrl_ffCPwbVULoySEcJ427EtuyMvnmr3b-p5TQOF4tPHPb9YYsyu8fN5W-1gXVs02vm_KRsviovRCVp_BZUwfnJwHWL6i5E7Hb5_nyYugpWPM8b9_rNDjGY9RpOsgcKqAG4yIEocy88BPUPs8kFXE9eyKY7Z0tcYptpV-sVxUxf4kdcinpcLvUkfBtOZgO5yyPW-QYADSTxhjsA82mPoJT2bejL6pm0mQZmM0SWgsZhj9x7r3NG8usKg-_-wCChfoinkWqFtRdMk58u0P5eusOqzwSsNToMxRC7cWKXTBkBQndqvGh0_LQ?testcase_id=5780132305567744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
CF points to 65200967b735be0cd91593ffb03fb96ee90df1a0
,
Mar 31 2017
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=4884440766742528
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x625000014ce8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::GetRegisterInfo
  v8::internal::interpreter::BytecodeRegisterOptimizer::DoStar
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 40662:40663
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hMSA7GQDjIdTiR2CfZfUGis0wrjgvIJAp-oKt9dH8JVZUTc2SAja3Lkl1VOlqQDUi6Xk84OAbhz_h7Gu5YPsISToVdMLRM5FTQQyeREFJ7UkRi0Lpnoruq4RH-s3cIyfmbC2WKbQavXQoNzJvXqxGX9AjucxfekVl-J8dqhMtkmPUlVj2yaCKn0ApFBkCp_uqOn8uh5oztbvucr-oDbfMaTy4FoA9lMZJmHcnZNnrze2bljZYoOswBGGEfVuhao5ny_b-o_a-zi6NT1har1WTwu5CELsqMLqo-Uj-XQjgbAZOgL6T5SxPzjHx1K_fB-uEozcRGw1JtmVpvIjGwxsZ3XVrsuB5Uin67FMSY9lX0Dlook2BEvz8B6n-_cN1kqTImyQLTNhf2xfZUGPyVssMJiHGJQ?testcase_id=4884440766742528
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=5198973737631744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 4
Crash Address: 0x6250000216bc
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::equivalence_
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::IsInSameEqui
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96lj2PjxdJqRsTy3rNB622XPE9M0G7PHzOuUTZkrHB1YmuXFvrTWhTbNxUstZIv-zzEw-2z7dUDCNZyKb60kZcV4t5ob5MWi3uoPFgqsS9F6hNkEqpACoWFapfVU3qXcN0LhlsAozlXyZ3RPfvR0rae8RPlRL56ywNLV6J5UK-WsFuNPNICLYP4V0SCvaVykXAs1LXEKxjESpoFIz5cJktYBQPns0rW03pl3YAMkNSBq3MFysJu4SNCBRbwb9hPnXcfNPMyJ8OUml3JQzOGYBwYEldteZEEX_GnWeZlt-CEXGFe3I2UzRUM7oRNMGUUn9RNgfJbfl_h_06hvFAmqZwh2AA9NgxvD008mh1dGBWmbVK2wfcN3ytO4gt-bOxCuO6gha78Lpko2qGKkUzdaStJob1yNg?testcase_id=5198973737631744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=4645033920954368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x6250000174e8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::GetEquivalen
  v8::internal::interpreter::BytecodeRegisterOptimizer::CreateMaterializedEquivale
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95k9zg9mYJcpO6udo7XBcSlWItGrRrR2V-q9mDgiGeP63-J-ESbxS6OwF4vV768Vu9DIQmt265T1rNWCKgfEuscle5dl9G5LxDyc2SVKKrqMrHBZnZkRNTjj2cijTg6vOj7WWdfH7C3oUed9tRLAWehPCMyVEwVqiBnw8hO8rZuTx63MvU_6tCxMW7kcfgNfJBiff5dKWAraHjgJHad8PT1qQ2eH8WmmH3NaLJ6MNPpMuaHSWiKIy-5pUjSmMTPP6_rHKFHS1Veqa9RrBIobSGB80d6LX-bNtcLGkAZ5QJ3BZpd9cjg92DZXEIBHrt0iEFEmbeYB0OlS3ACMv7V9eHVakrkcJ8SMs7MPeTJ7uFDlaUkwLRNnb2TukO7GAycnngi6JeWFITfHyYaOZFJNGyndBmCHg?testcase_id=4645033920954368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=6162755473375232
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x625000017890
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::AddToEquival
  v8::internal::interpreter::BytecodeRegisterOptimizer::AddToEquivalenceSet
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97Sy8XbyvroQG3CBcjg_79iTptMcTvdJ25OYSZicVtaV-hiVOKVwoT6zFvco5o4-IZdrlRJhMvZPgwcNacc7xDBsOyrZmjAK4rgRevLdh0Z1TGFcx5sEsMGAjbxHTTj4a1qP-gKgDzm4pdOfLWBEowdxVxvCRavolLdH5oD9WfB1ZcYCBlA7l3AYscNxd3D8cpItXBXNXjYocM79qceTr90GkpnhJEZ9A10nW4DIy157ych7gDd0MSog0dNU-u1ZJEMv4yusBb29cPXryAzz0kF0_VDDwIgpqAmMWbA1nsMlnqlHAO6g79gUiNEX7mP_gpLc_9Yd0grmtKK5sZ4-l2C8c2UhYG9dKrr6COA_fvuN0qv8IPW48FoRin8Mfq-9WUMf8oLOU3_1OikHJh-KcoWQ2eewQ?testcase_id=6162755473375232
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=6727012036378624
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison WRITE 4
Crash Address: 0x6250000177bc
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::MoveToNewEqu
  v8::internal::interpreter::BytecodeRegisterOptimizer::Flush
  PrepareForBytecode<v8::internal::interpreter::Bytecode::kJumpIfToBooleanTrue,
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97ZCjNVXxZOQj2dUWd59XHFF7riSTMjrjy8ekWfiBtJ9lIl8k-uqbu41f1Eix3UZVM0y1qogaAYoz8pcYX376sxjxK-P5GzXT--1vcQZn1cbvOmjMaLiEMsQgHXKNW_FV6xBIP0x3uthxm1MzqYKFqB0qeYObYZ6no91cRbe9QlpHI0wkvaGiIn_haBAwyOQwnfB_QKWTxMp4ZfldOsSXtj-2j-JsRYQEzgghsvxaO_qjuMZ7mKBD0PucZmZTKGbfh8smYxi_Batyp_H5heecYn-jqZmYXEQc2YXp_0lx_PcEWhG4nLrpAGU1x8fexpddHRqjcgl-BQxk5BRJii0DFuuF_0XNyh51S-nPpQXxPZoOm6hMU083JzQ4Ia8dU7hF2uZnS6a6Pi8aQu_whIm60scWclQQ?testcase_id=6727012036378624
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
More of these issues happened after we shipped Ignition+Turbofan: 0f716acadaed1d9e194593543dbe1340d600d6fc.
,
Mar 31 2017
Not sure how 65200967b735be0cd91593ffb03fb96ee90df1a0 could have caused it. I'll take a look.
,
Mar 31 2017
Crashes with the following code in Debug mode:
try {
var {} = {};
(({foo = {} = {}}) => {return foo;})();
({x = {} = {}}) => {};
({x = {} = {}}) => {};
({x = {} = {}}) => {};
({x = {} = {}}) => {};
} catch(e) {; }
Seems to be due to the default parameter variable not being reparented to the inner arrow function.
,
Mar 31 2017
This is probably a regression only because the Parser used to crash with this before: https://bugs.chromium.org/p/chromium/issues/detail?id=704811 That crash was old (afaics, it never worked). Not sure if a quick fix is possible - should we revert the parser fix and let this crash? Ross showed me that the AST + scopes created are wrong, so this is not an Ignition bug but a parser bug.
,
Mar 31 2017
Anything that creates temporaries in the outer scope seems to do it, so simplifying the repro a bit:
if (true) {
var {} = {};
var {} = {};
var {} = {};
var {} = {};
var {} = {};
(({foo = {} = {}}) => {return foo;})();
}
,
Mar 31 2017
With https://chromium-review.googlesource.com/c/464768/ the repro reduces to:
try { var {} = {}; var {} = {}; var {} = {}; (({foo = {} = {}}) => {return foo;})(); } catch(e) {; }
,
Mar 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a4c6126a836bae6af70220ce90386d322885e958

commit a4c6126a836bae6af70220ce90386d322885e958
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Fri Mar 31 13:11:17 2017

[Interpreter] Add check that local registers are valid.

Check that a register used as a local is within the bytecode array's local count.

BUG= chromium:706234
Change-Id: I51f6a0a8be065b93b9a4e1dca623e98c51685b51
Reviewed-on: https://chromium-review.googlesource.com/464768
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44308}

[modify] https://crrev.com/a4c6126a836bae6af70220ce90386d322885e958/src/interpreter/bytecode-array-builder.cc
[modify] https://crrev.com/a4c6126a836bae6af70220ce90386d322885e958/src/interpreter/bytecode-array-builder.h
[modify] https://crrev.com/a4c6126a836bae6af70220ce90386d322885e958/src/interpreter/bytecode-generator.cc
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=5660786170265600
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 1
Crash Address: 0x7f6e43781ef8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97ZL47E12_zctIy18EU7653uoKNRby0RpbRX0jo3htW_JxSiZZp8dN4razyePK_s-DF8YQ2eiAUkOZLqQ8MuuZ7E01ZIQcD-UX5znfFsNCNvdFpzrpzbrmsrgdrUxjUVxOGTsOKOVAiLRqDb_Ji5_J2nBwyzj4CccsX_PV8whruYI1N6aGvB510pzNfgNJwvtnm_Dj06JlGQ1SpDPwTopFkzogovwADJk5bkPLOSY7nlWQ4gEaGdf22DTixvpB_gEKZlhY_zvHnT5M-hsgVlhu4xsIWUBzXC-ISDyzocW1s-Ao4AJEAfvcv-x1bE-W7uQDasII8D7SIfpD01a7dr_1kVXbPDTWiJe3HD2UFcDGYq55rcQesdb42dGSrHx2CbVVwxR9bhp7_eQKRk3G4TdtSOBigRg?testcase_id=5660786170265600
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=6737323984420864
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 1
Crash Address: 0x625000014d30
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95qwos-K2HHTeYEXsMZcWRT1dMYkYbwXWpHzc8G4x3AP85tdIlY_4ZbRHjNIuR87sP_0P0C2wj3eTv-7AmzppLH1Hd_n6HwuBBtQ4jPH6gcSn-pK-1OSWPmaD4rIRQ7SJgukvPFM1V_1EGawfFnbH9PQGTm0mMZeNF7lXWITSrRvXVTWMEM-3oz0EHJMif3pgFn1CY_XzOCWdce-XdZ7eoO-BkAri1GOASbKTjh3TDMBMSB49ABb4SVIrXeCTWDrp8pyFPQNODkjufbp4LZd81te6CyCPJqWqUXxz8B2n07ZyPxcnC9VB2TucmDVRtVzbkrL9oLff5W-O9O-jCPC-KbeTiHA0E_MulxxyPrFqhOzr67jPzgMDsHbdNG9uWfdV9B7S6kprLCYD5gOoT7lhkS7phd7A?testcase_id=6737323984420864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 31 2017
Here's what happens (roughly):
- Rewritable expressions in the arrow function param list are in the parent's FunctionState.
- We reparent the expression which is the arrow function parameter list, so it's inside the arrow function in the AST.
- ParseProgram rewrites destructuring assignments, and that creates the offending AST nodes: at that point the arrow function Scope is no longer active and we just create temporaries in the parent's scope.
- We end up in a situation where an arrow function body uses temporaries that live in the outer function. This should never happen.
However, I don't understand why the reparenting usually works. Maybe because the normal case where the param has a default value goes through a different code path.
---
In addition to the fix, we (I) should add a sanity check that AST nodes don't refer to non-context-allocated variables in the parent function.
,
Mar 31 2017
Forgot to say, that this failure is independent of my fix https://chromium-review.googlesource.com/459618 ; it's just being discovered now that the test I added enables clusterfuzz to discover more interesting cases. Afaics the lazy case was masked by the fact that Parser crashed. The --no-lazy failure was potentially always there.
,
Mar 31 2017
So, this works:
if (true) {
var {} = {};
var {} = {};
var {} = {};
var {} = {};
var {} = {};
((foo = {} = {}) => {return foo;})();
}
(And the produced AST is legit.)
I guess that works since the InitializerRewriter does its thing, while for the {foo = {} = {} } case it just doesn't see there's anything to rewrite at a deeper level.
Afaics the right fix would be to process the { foo = ... } case too at the same place where initializer rewriting is done. At that point in time we have the right context for doing the rewriting. (However, IDK yet how to implement that. I'll let my under-consciousness process it over the weekend.)
Re: clusterfuzz figuring out the I + TF commit is to blame; I guess FCG + CS used to do *something* (not crash) even though the Parser outputs illegal ASTs. Maybe they even did something correct sometimes but that was by accident.
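An added example, not part of this bug thread and not V8 code: a small Node.js check of the ECMAScript semantics that the parser and scope analysis must preserve for the repro above. A default initializer in an arrow-function parameter list is evaluated on every call, in the function's own parameter scope, never in the enclosing function (which is where the buggy AST placed the destructuring). The function names here (destructureWithDefault, outcomeFor, initializerScopeProbe, defaultsAreFreshPerCall) are this example's own; the arrow expressions are the ones from the thread.

```javascript
// Added example for the V8 thread; not code from the bug report or from V8.
// It exercises the semantics a correct parser must keep for a default
// initializer in an arrow-function parameter: evaluated per call, inside the
// function's own parameter scope, never in the enclosing function.

// The reduced repro from the thread, wrapped so the result is observable.
// `{} = {}` is a destructuring assignment; its value is the right-hand side.
function destructureWithDefault(arg) {
  return (({foo = {} = {}}) => { return foo; })(arg);
}

// Report what a call does: a value, or the TypeError that destructuring
// `undefined`/`null` throws (the reason the original repro sits in try/catch).
function outcomeFor(arg) {
  try {
    return { ok: true, value: destructureWithDefault(arg) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Parameter initializers live in a scope between the enclosing scope and the
// function body: they see `probe` from outside, not the body's own `var probe`.
var probe = "outer";
function initializerScopeProbe() {
  return (({foo = probe}) => { var probe = "body"; return foo; })({});
}

// The initializer must run afresh in every activation, so the temporaries it
// needs cannot be shared with the outer function or between calls: each call
// yields a distinct object.
function defaultsAreFreshPerCall(n) {
  const produced = [];
  for (let i = 0; i < n; i++) produced.push(destructureWithDefault({}));
  return new Set(produced).size === n;
}
```

outcomeFor({foo: 42}) returns 42, outcomeFor({}) returns a fresh empty object, and outcomeFor(undefined) reports a TypeError; initializerScopeProbe() returns "outer". These are the observable behaviours a regression test for this class of parser bug should pin down, independent of which engine revision is under test.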
,
Mar 31 2017
+ caitp for destructuring insights
----
And some logs from --print-scopes --print-ast:
Global scope:
global { // (0, 308)
// will be compiled
// 7 stack slots
// temporary vars:
TEMPORARY .0x7fb4076e6818; // local[0]
TEMPORARY .0x7fb4076e6be0; // local[1]
TEMPORARY .0x7fb4076e6f60; // local[2]
TEMPORARY .0x7fb4076e72e0; // local[3]
TEMPORARY .0x7fb4076e7660; // local[4]
TEMPORARY .0x7fb4076ecc78; // local[5]
TEMPORARY .result; // local[6]
arrow (.0x7fb4076e7ce8) { // (90, 124)
// will be compiled
// 3 stack slots
// temporary vars:
TEMPORARY .0x7fb4076e7ce8; // parameter[0]
TEMPORARY .0x7fb4076ec530; // local[0]
TEMPORARY .0x7fb4076ec808; // local[1]
// local vars:
LET foo; // local[2], never assigned
}
}
--- AST ---
FUNC at 90
. KIND 1
. SUSPEND COUNT 0
. NAME ""
. INFERRED NAME ""
. PARAMS
. . VAR (mode = TEMPORARY) ""
. DECLS
. . VARIABLE (mode = LET) "foo"
. BLOCK NOCOMPLETIONS at -1
. . EXPRESSION STATEMENT at -1
. . . ASSIGN at -1
. . . . VAR PROXY local[0] (mode = TEMPORARY) ""
. . . . VAR PROXY parameter[0] (mode = TEMPORARY) ""
. . IF at -1
. . . CONDITION at -1
. . . . OR at -1
. . . . . EQ_STRICT at -1
. . . . . . VAR PROXY local[0] (mode = TEMPORARY) ""
. . . . . . LITERAL undefined
. . . . . EQ_STRICT at -1
. . . . . . VAR PROXY local[0] (mode = TEMPORARY) ""
. . . . . . LITERAL null
. . . THEN at -1
. . . . EXPRESSION STATEMENT at -1
. . . . . THROW at -1
. . . . . . CALL RUNTIME NewTypeError at -1
. . . . . . . LITERAL 61
. . . . . . . LITERAL ""
. . EXPRESSION STATEMENT at -1
. . . ASSIGN at -1
. . . . VAR PROXY local[1] (mode = TEMPORARY) ""
. . . . PROPERTY Slot(2) at -1
. . . . . VAR PROXY local[0] (mode = TEMPORARY) ""
. . . . . NAME foo
. . EXPRESSION STATEMENT at 92
. . . INIT at 92
. . . . VAR PROXY local[2] (mode = LET) "foo"
. . . . CONDITIONAL at -1
. . . . . CONDITION at -1
. . . . . . EQ_STRICT at -1
. . . . . . . VAR PROXY local[1] (mode = TEMPORARY) ""
. . . . . . . LITERAL undefined
. . . . . THEN at 101
. . . . . . DO EXPRESSION at 101
. . . . . . . EXPRESSION STATEMENT at -1
. . . . . . . . ASSIGN at -1
. . . . . . . . . VAR PROXY local[5] (mode = TEMPORARY) "" << HERE!!!!
. . . . . . . . . OBJ LITERAL at 103
. . . . . . . . . . literal_slot = 5
. . . . . . . IF at -1
. . . . . . . . CONDITION at -1
. . . . . . . . . OR at -1
. . . . . . . . . . EQ_STRICT at -1
. . . . . . . . . . . VAR PROXY local[5] (mode = TEMPORARY) ""
. . . . . . . . . . . LITERAL undefined
. . . . . . . . . . EQ_STRICT at -1
. . . . . . . . . . . VAR PROXY local[5] (mode = TEMPORARY) ""
. . . . . . . . . . . LITERAL null
. . . . . . . . THEN at -1
. . . . . . . . . EXPRESSION STATEMENT at -1
. . . . . . . . . . THROW at -1
. . . . . . . . . . . CALL RUNTIME NewTypeError at -1
. . . . . . . . . . . . LITERAL 61
. . . . . . . . . . . . LITERAL ""
. . . . . ELSE at -1
. . . . . . VAR PROXY local[1] (mode = TEMPORARY) ""
. BLOCK NOCOMPLETIONS at -1
. . RETURN at 112
. . . VAR PROXY local[2] (mode = LET) "foo"
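An added example, not V8 code: a toy version of the sanity check proposed earlier in the thread (that AST nodes in a function must not refer to non-context-allocated variables of the parent function), run over a miniature of the --print-scopes dump above. Only a variable that is context-allocated (kept in a heap context) may be referenced across a function boundary; every other reference must resolve to a local of the function that uses it. The scope and variable structures and the names newScope, declare, checkScopeInvariant, buggyTree and fixedTree are this example's own, not V8's Scope/Variable classes.

```javascript
// Added example, not V8 code: a toy scope-invariant checker. A reference from
// inside a function may target its own variables, or a context-allocated
// variable of an enclosing function; a stack-allocated outer variable is a bug.

function newScope(name, parent) {
  const scope = { name, parent, vars: [], refs: [], children: [] };
  if (parent) parent.children.push(scope);
  return scope;
}

// allocation is "stack" (a register/local of its owner) or "context".
function declare(scope, name, allocation) {
  const variable = { name, allocation, owner: scope };
  scope.vars.push(variable);
  return variable;
}

// Walk every scope; each resolved reference (the VAR PROXY of the dump) must
// target either the scope's own variable or a context-allocated one.
function checkScopeInvariant(root) {
  const violations = [];
  (function walk(scope) {
    for (const v of scope.refs) {
      if (v.owner !== scope && v.allocation !== "context") {
        violations.push(`${scope.name} reads ${v.allocation} var ${v.name} owned by ${v.owner.name}`);
      }
    }
    scope.children.forEach(walk);
  })(root);
  return violations;
}

// Miniature of the dump above: a global scope with six stack temporaries and
// an arrow function whose rewritten destructuring, in the buggy AST,
// references the outer temporary local[5] (the "<< HERE!!!!" line).
function buggyTree() {
  const global = newScope("global", null);
  const temps = [0, 1, 2, 3, 4, 5].map((i) => declare(global, `.tmp${i}`, "stack"));
  const arrow = newScope("arrow", global);
  const param = declare(arrow, ".param", "stack");
  const foo = declare(arrow, "foo", "stack");
  arrow.refs.push(param, foo, temps[5]);
  return global;
}

// What a correct AST looks like: the arrow owns the temporary it uses. A
// context-allocated outer variable captured by the closure is still allowed.
function fixedTree() {
  const global = newScope("global", null);
  const captured = declare(global, "captured", "context");
  const arrow = newScope("arrow", global);
  const param = declare(arrow, ".param", "stack");
  const foo = declare(arrow, "foo", "stack");
  const temp = declare(arrow, ".tmp", "stack");
  arrow.refs.push(param, foo, temp, captured);
  return global;
}
```

checkScopeInvariant(buggyTree()) returns one violation naming .tmp5 and the global scope, while checkScopeInvariant(fixedTree()) returns none. In an engine this kind of check belongs behind a debug-only assertion after scope resolution, where it turns a silent register confusion (later surfacing as the ASAN use-after-poison reports in this issue) into an immediate, attributable failure.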
,
Mar 31 2017
Here's a strawman fix which doesn't move DestructuringAssignments around but just fixes the Scope for those who end up being in the arrow function: https://chromium-review.googlesource.com/464769 However, it doesn't work if arrow functions can be lazy; at that point we've already discarded the Scope which we would've wanted to use for rewriting. Meh. Probably we need to rewrite the assignments right there.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=5660786170265600
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 1
Crash Address: 0x7f6e43781ef8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97ZL47E12_zctIy18EU7653uoKNRby0RpbRX0jo3htW_JxSiZZp8dN4razyePK_s-DF8YQ2eiAUkOZLqQ8MuuZ7E01ZIQcD-UX5znfFsNCNvdFpzrpzbrmsrgdrUxjUVxOGTsOKOVAiLRqDb_Ji5_J2nBwyzj4CccsX_PV8whruYI1N6aGvB510pzNfgNJwvtnm_Dj06JlGQ1SpDPwTopFkzogovwADJk5bkPLOSY7nlWQ4gEaGdf22DTixvpB_gEKZlhY_zvHnT5M-hsgVlhu4xsIWUBzXC-ISDyzocW1s-Ao4AJEAfvcv-x1bE-W7uQDasII8D7SIfpD01a7dr_1kVXbPDTWiJe3HD2UFcDGYq55rcQesdb42dGSrHx2CbVVwxR9bhp7_eQKRk3G4TdtSOBigRg?testcase_id=5660786170265600
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 461207:461223.
Detailed report: https://clusterfuzz.com/testcase?key=5465767912144896
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
  v8::internal::interpreter::BytecodeGenerator::BuildVariableAssignment
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=459483:459538
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=461207:461223
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94nXmj9hZ7IOtmpzw-LzvU5TEWpUIle_ebpJRbQXqVvp4YJqIgJYeOONeykTu6QcDQxveYjetf6t-yarNRUQrG4DNcadvx7VML2_Q3YvnVF3hLo-aLR94JOeWjlROlL-0o-lQVYxXG8pOuW3aEQHsVgfKkJKP1WzDhDFR3hy31gJwltfFeWkJsRf36cgM_MsW4DZ6UVt5o9rOgktsUAp7v4G5O78dP8b1CLhkbgRGW0TkCFcNhbmcvm4WiGs-J4TYhL4W-FcUt3PGcAnWqf5Yn1auuu7jPw7MXa65k3d3v5fn5sh2iuVSwnSftZcEUTnFTUpOXUv72K93C-E68xsi3Ow0IpwPPXv12AQVurPF61wIcIgiYby4pEiDluHZLyow2mckUJ1aR0wOFJX1iezjCRaY3Ynw?testcase_id=5465767912144896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=4510888234319872
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x625000010109
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::GetEquivalen
  v8::internal::interpreter::BytecodeRegisterOptimizer::CreateMaterializedEquivale
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: V8: 43757:43758
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95FywHn9740pRk2YFskmYEo1MX0AGsWLutHhn3ftHzTo--XshzPjH1y4AZNXyD1Z7u-EUrvHPQKY71qC7TDQ-YlN66fAYhcsFUgAXkrn8CRRtj1CM2WZMxULcRYT_zM8eXgYVAOqpOnKQbFRWaQ5f0ZLTCF0w7gYA9zlUE7G3vYz_w4lWQVrclNQX-urWStRwJIg9eDWGs9rgn92KsX0CfwcKlpF9O12pbOpfS1T1u4iZUNxfv_OYpxX6CCQ0sCJF10Vc5d4Fc7p1hkYyg-OF6AcpCj-lBZWxTbawBfiPSarji9aEeDHJBpLSSKSPeDd8kAyP__5YSO5lEzdCveqROh0pzvGreO2x1ksWANdaTyADqTTS2F0VePrUFFDcgkPNUil0QDLRlf93jE8NS3rBGRJHWxHw?testcase_id=4510888234319872
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=4884440766742528
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x625000014ce8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::GetRegisterInfo
  v8::internal::interpreter::BytecodeRegisterOptimizer::DoStar
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 40662:40663
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hMSA7GQDjIdTiR2CfZfUGis0wrjgvIJAp-oKt9dH8JVZUTc2SAja3Lkl1VOlqQDUi6Xk84OAbhz_h7Gu5YPsISToVdMLRM5FTQQyeREFJ7UkRi0Lpnoruq4RH-s3cIyfmbC2WKbQavXQoNzJvXqxGX9AjucxfekVl-J8dqhMtkmPUlVj2yaCKn0ApFBkCp_uqOn8uh5oztbvucr-oDbfMaTy4FoA9lMZJmHcnZNnrze2bljZYoOswBGGEfVuhao5ny_b-o_a-zi6NT1har1WTwu5CELsqMLqo-Uj-XQjgbAZOgL6T5SxPzjHx1K_fB-uEozcRGw1JtmVpvIjGwxsZ3XVrsuB5Uin67FMSY9lX0Dlook2BEvz8B6n-_cN1kqTImyQLTNhf2xfZUGPyVssMJiHGJQ?testcase_id=4884440766742528
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=5780132305567744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x625000010009
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43757:43758
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Etf4rHXS2u3BrFT1AtIzxpItzPsoP0hZWRADaubEwDNCzYuPu9Z4bSeQPY9zRiG8vNtcdBmkKlmnzn9PVDokX0_Or5-KbBmAJqIxLRrl_ffCPwbVULoySEcJ427EtuyMvnmr3b-p5TQOF4tPHPb9YYsyu8fN5W-1gXVs02vm_KRsviovRCVp_BZUwfnJwHWL6i5E7Hb5_nyYugpWPM8b9_rNDjGY9RpOsgcKqAG4yIEocy88BPUPs8kFXE9eyKY7Z0tcYptpV-sVxUxf4kdcinpcLvUkfBtOZgO5yyPW-QYADSTxhjsA82mPoJT2bejL6pm0mQZmM0SWgsZhj9x7r3NG8usKg-_-wCChfoinkWqFtRdMk58u0P5eusOqzwSsNToMxRC7cWKXTBkBQndqvGh0_LQ?testcase_id=5780132305567744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=5198973737631744
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 4
Crash Address: 0x6250000216bc
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::equivalence_
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::IsInSameEqui
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96lj2PjxdJqRsTy3rNB622XPE9M0G7PHzOuUTZkrHB1YmuXFvrTWhTbNxUstZIv-zzEw-2z7dUDCNZyKb60kZcV4t5ob5MWi3uoPFgqsS9F6hNkEqpACoWFapfVU3qXcN0LhlsAozlXyZ3RPfvR0rae8RPlRL56ywNLV6J5UK-WsFuNPNICLYP4V0SCvaVykXAs1LXEKxjESpoFIz5cJktYBQPns0rW03pl3YAMkNSBq3MFysJu4SNCBRbwb9hPnXcfNPMyJ8OUml3JQzOGYBwYEldteZEEX_GnWeZlt-CEXGFe3I2UzRUM7oRNMGUUn9RNgfJbfl_h_06hvFAmqZwh2AA9NgxvD008mh1dGBWmbVK2wfcN3ytO4gt-bOxCuO6gha78Lpko2qGKkUzdaStJob1yNg?testcase_id=5198973737631744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=6737323984420864
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 1
Crash Address: 0x625000014d30
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::materialized
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
  v8::internal::interpreter::BytecodeArrayBuilder::StoreAccumulatorInRegister
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95qwos-K2HHTeYEXsMZcWRT1dMYkYbwXWpHzc8G4x3AP85tdIlY_4ZbRHjNIuR87sP_0P0C2wj3eTv-7AmzppLH1Hd_n6HwuBBtQ4jPH6gcSn-pK-1OSWPmaD4rIRQ7SJgukvPFM1V_1EGawfFnbH9PQGTm0mMZeNF7lXWITSrRvXVTWMEM-3oz0EHJMif3pgFn1CY_XzOCWdce-XdZ7eoO-BkAri1GOASbKTjh3TDMBMSB49ABb4SVIrXeCTWDrp8pyFPQNODkjufbp4LZd81te6CyCPJqWqUXxz8B2n07ZyPxcnC9VB2TucmDVRtVzbkrL9oLff5W-O9O-jCPC-KbeTiHA0E_MulxxyPrFqhOzr67jPzgMDsHbdNG9uWfdV9B7S6kprLCYD5gOoT7lhkS7phd7A?testcase_id=6737323984420864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=6727012036378624
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison WRITE 4
Crash Address: 0x6250000177bc
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::MoveToNewEqu
  v8::internal::interpreter::BytecodeRegisterOptimizer::Flush
  PrepareForBytecode<v8::internal::interpreter::Bytecode::kJumpIfToBooleanTrue,
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97ZCjNVXxZOQj2dUWd59XHFF7riSTMjrjy8ekWfiBtJ9lIl8k-uqbu41f1Eix3UZVM0y1qogaAYoz8pcYX376sxjxK-P5GzXT--1vcQZn1cbvOmjMaLiEMsQgHXKNW_FV6xBIP0x3uthxm1MzqYKFqB0qeYObYZ6no91cRbe9QlpHI0wkvaGiIn_haBAwyOQwnfB_QKWTxMp4ZfldOsSXtj-2j-JsRYQEzgghsvxaO_qjuMZ7mKBD0PucZmZTKGbfh8smYxi_Batyp_H5heecYn-jqZmYXEQc2YXp_0lx_PcEWhG4nLrpAGU1x8fexpddHRqjcgl-BQxk5BRJii0DFuuF_0XNyh51S-nPpQXxPZoOm6hMU083JzQ4Ia8dU7hF2uZnS6a6Pi8aQu_whIm60scWclQQ?testcase_id=6727012036378624
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=4645033920954368
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x6250000174e8
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::GetEquivalen
  v8::internal::interpreter::BytecodeRegisterOptimizer::CreateMaterializedEquivale
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95k9zg9mYJcpO6udo7XBcSlWItGrRrR2V-q9mDgiGeP63-J-ESbxS6OwF4vV768Vu9DIQmt265T1rNWCKgfEuscle5dl9G5LxDyc2SVKKrqMrHBZnZkRNTjj2cijTg6vOj7WWdfH7C3oUed9tRLAWehPCMyVEwVqiBnw8hO8rZuTx63MvU_6tCxMW7kcfgNfJBiff5dKWAraHjgJHad8PT1qQ2eH8WmmH3NaLJ6MNPpMuaHSWiKIy-5pUjSmMTPP6_rHKFHS1Veqa9RrBIobSGB80d6LX-bNtcLGkAZ5QJ3BZpd9cjg92DZXEIBHrt0iEFEmbeYB0OlS3ACMv7V9eHVakrkcJ8SMs7MPeTJ7uFDlaUkwLRNnb2TukO7GAycnngi6JeWFITfHyYaOZFJNGyndBmCHg?testcase_id=4645033920954368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44307:44308.
Detailed report: https://clusterfuzz.com/testcase?key=6162755473375232
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x625000017890
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::AddToEquival
  v8::internal::interpreter::BytecodeRegisterOptimizer::AddToEquivalenceSet
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterTransfer
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: V8: 43683:43684
Fixed: V8: 44307:44308
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97Sy8XbyvroQG3CBcjg_79iTptMcTvdJ25OYSZicVtaV-hiVOKVwoT6zFvco5o4-IZdrlRJhMvZPgwcNacc7xDBsOyrZmjAK4rgRevLdh0Z1TGFcx5sEsMGAjbxHTTj4a1qP-gKgDzm4pdOfLWBEowdxVxvCRavolLdH5oD9WfB1ZcYCBlA7l3AYscNxd3D8cpItXBXNXjYocM79qceTr90GkpnhJEZ9A10nW4DIy157ych7gDd0MSog0dNU-u1ZJEMv4yusBb29cPXryAzz0kF0_VDDwIgpqAmMWbA1nsMlnqlHAO6g79gUiNEX7mP_gpLc_9Yd0grmtKK5sZ4-l2C8c2UhYG9dKrr6COA_fvuN0qv8IPW48FoRin8Mfq-9WUMf8oLOU3_1OikHJh-KcoWQ2eewQ?testcase_id=6162755473375232
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 1 2017
ClusterFuzz testcase 4510888234319872 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 1 2017
,
Apr 3 2017
Not fixed, just hidden with the CHECK I added in the bytecode optimizer.
,
Apr 3 2017
Issue 706548 has been merged into this issue.
,
Apr 4 2017
I updated my understanding of the issue... the problem is not that the inner function AST contains VariableProxy objects which refer to the outer function TEMPORARIES. The problem is that the part of the AST which does the destructuring is in the outer function, not in the inner function. (At first I thought that the AST was correctly in the inner function and that just the temporaries were created in the outer function, but that's not true.) Caitlin has a fix: https://chromium-review.googlesource.com/c/465415/ and once we get that in, this should be fixed.
,
Apr 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f

commit 5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f
Author: Caitlin Potter <caitp@igalia.com>
Date: Tue Apr 04 20:35:03 2017

[parser] don't rewrite destructuring assignments in params for lazy top level arrow functions

Remove destructuring assignments (parsed during arrow function formal parameters) from the queue for rewriting if parsing a lazy top-level arrow function.

Built on top of https://chromium-review.googlesource.com/c/464769/

BUG=chromium:706234, chromium:706761, v8:6182
R=marja@chromium.org, adamk@chromium.org, vogelheim@chromium.org

Change-Id: Ib35196b907350d1d78e4c3fcbf4cc971bf200948
Reviewed-on: https://chromium-review.googlesource.com/465415
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44393}

[modify] https://crrev.com/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f/src/ast/scopes.cc
[modify] https://crrev.com/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f/src/parsing/parser-base.h
[modify] https://crrev.com/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f/src/parsing/parser.cc
[add] https://crrev.com/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f/test/mjsunit/regress/regress-706234-2.js
[add] https://crrev.com/5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f/test/mjsunit/regress/regress-706234.js
,
Apr 6 2017
,
Apr 7 2017
Should we backmerge this to m58? #24 suggests this was always a bug and given the security impact it seems wise to do so.
,
Apr 7 2017
But the parser crash protects from it, right? Let me see if that fix made it to M58...
,
Apr 7 2017
The parser crash fix is in M59 ( https://chromium-review.googlesource.com/459618 ). But actually, the fix is only about *lazy* arrow function params, whereas this crash, iirc, is about all lazy functions. So we should merge, I guess. Should we merge both fixes? I'm not sure what this fix does without the other fix...
,
Apr 7 2017
,
Apr 7 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 7 2017
Re #47, I think we should either merge both or neither (just to not have different configs on different branches).
,
Apr 7 2017
,
Apr 10 2017
rmcilroy: I might have been confused about what fix you suggest merging. Should we merge just the check you added?
,
Apr 10 2017
No I think we should merge both - the fix I did only adds a crash in a specific case, but there might be other issues caused by reading variables from a different function's scope. Do you want me to merge mine separately or do it in the same patchset as merging Caitlins?
,
Apr 10 2017
In that case we should merge all:
https://chromium-review.googlesource.com/459618 << parser crash fix (marja)
https://chromium-review.googlesource.com/464768 << check addition (rmcilroy)
https://chromium-review.googlesource.com/465415 << correctness fix (caitp)
,
Apr 10 2017
I'll merge them.
,
Apr 10 2017
Oh noes, the bytecode-generator part of the patch doesn't apply cleanly :(
,
Apr 10 2017
Even after resolving some trivial patch-does-not-apply problems, a couple of these remain:

- destination = Register(builder()->Receiver());
+ destination = builder()->Receiver();

I don't dare to try to solve these by hand. :/ Does some other Ignition patch (the one introducing Receiver) need to be merged in too?
,
Apr 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4e9adf7cd9e89d6fdb727cf5860f32b4a44098e2

commit 4e9adf7cd9e89d6fdb727cf5860f32b4a44098e2
Author: Ross McIlroy <rmcilroy@chromium.org>
Date: Mon Apr 10 13:43:29 2017

Merged: [Interpreter] Add check that local registers are valid.

Revision: a4c6126a836bae6af70220ce90386d322885e958

BUG=chromium:706234
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I7bcdc5788373be211c5c563dd974627eedd06719
Reviewed-on: https://chromium-review.googlesource.com/472629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.8@{#53}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/4e9adf7cd9e89d6fdb727cf5860f32b4a44098e2/src/interpreter/bytecode-array-builder.cc
[modify] https://crrev.com/4e9adf7cd9e89d6fdb727cf5860f32b4a44098e2/src/interpreter/bytecode-array-builder.h
[modify] https://crrev.com/4e9adf7cd9e89d6fdb727cf5860f32b4a44098e2/src/interpreter/bytecode-generator.cc
,
Apr 10 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/01d19f706ceb293d0449d80d0db7389cc509aea0

commit 01d19f706ceb293d0449d80d0db7389cc509aea0
Author: Marja Hölttä <marja@chromium.org>
Date: Tue Apr 11 08:19:48 2017

Merged: Squashed multiple commits.

Merged: [parser] Fix crash when lazy arrow func params contain destructuring assignments.
Revision: bc39a5148a3824ea948fd7725674945ca0b1c56a

Merged: [parser] don't rewrite destructuring assignments in params for lazy top level arrow functions
Revision: 5f782db9541eca72dc6cbe3c6f5e8dc52ff7c16f

BUG=chromium:704811, chromium:706234, chromium:706761, v8:6182
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: If5c04c3b9f6ac9c6879052b6a34446f895624200
Reviewed-on: https://chromium-review.googlesource.com/474746
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.8@{#58}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/src/ast/scopes.cc
[modify] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/src/parsing/parser-base.h
[modify] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/src/parsing/parser.cc
[add] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/test/mjsunit/regress/regress-704811.js
[add] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/test/mjsunit/regress/regress-706234-2.js
[add] https://crrev.com/01d19f706ceb293d0449d80d0db7389cc509aea0/test/mjsunit/regress/regress-706234.js
,
Apr 12 2017
,
Apr 18 2017
,
Jul 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18 2017
We have made a bunch of changes on the ClusterFuzz side, so resetting the ClusterFuzz-Wrong label.