Unreachable code hit in v8::internal::Parser::PatternRewriter with --harmony-function-tostring
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6191356228927488

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Fatal error
Crash Address:
Crash State:
  NULL

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=460866:460935

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191356228927488

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 10 2017

Jul 10 2017
Assigning to jwolfe who's working on this feature.

Jul 11 2017
I don't think this is really a Function.prototype.toString bug but rather an async function parsing bug. The old Function constructor blocked the case, but it's available in the parser generally. Here's a more minimal test case:

(function (async function() {}) {})()

Jul 11 2017
This is a really quick fix; I have a patch coming.

Jul 11 2017
See the patch at https://chromium-review.googlesource.com/c/567002/

Jul 12 2017
Jul 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/cad3c5a1665594c611ade0deb918447b1fee083f

commit cad3c5a1665594c611ade0deb918447b1fee083f
Author: Daniel Ehrenberg <littledan@chromium.org>
Date: Wed Jul 12 13:21:54 2017

[parser] Disallow async functions as destructuring targets

This patch teaches the parser that async functions are not valid destructuring targets so that it can cleanly exit with a SyntaxError. Previously, async functions used in the wrong position would lead to a check failure.

Bug: chromium:740366
Change-Id: Ie5b0cf50326c3f96174c6b29d0ccedb5da4f75a2
Reviewed-on: https://chromium-review.googlesource.com/567002
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46587}

[modify] https://crrev.com/cad3c5a1665594c611ade0deb918447b1fee083f/src/parsing/parser-base.h
[modify] https://crrev.com/cad3c5a1665594c611ade0deb918447b1fee083f/test/cctest/test-parsing.cc
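The minimal test case in the Jul 11 comment and the commit above describe the same property: an async function expression in a destructuring-target position must be rejected by the parser with a SyntaxError instead of reaching a check failure. The following is an added regression-style check, not code from this thread or from V8; it assumes a JavaScript engine that already carries the fix (any current Node.js or d8 build) and uses `new Function` to exercise the parser without executing anything. The function names `classifyParse`, `checkAll` and `parserRejectsInvalidTargets`, and the extra inputs beyond the thread's reproducer (array, object and assignment patterns), are choices made for this example.

```javascript
// Added example (not from the bug thread or the V8 code base): feed
// invalid and valid destructuring targets to the host engine's parser
// and classify the outcome. After commit cad3c5a1 an async function
// expression used as a destructuring target is a SyntaxError.

// Classify how the engine's parser treats a source text:
// "syntax-error" (rejected at parse time), "ok" (parsed cleanly), or
// "other-error" (threw something that is not a SyntaxError).
function classifyParse(src) {
  try {
    // `new Function` compiles `src` as a function body without running it,
    // so only parse-time errors can surface here.
    new Function(src);
    return "ok";
  } catch (e) {
    return e instanceof SyntaxError ? "syntax-error" : "other-error";
  }
}

// Constructed inputs. The first invalid case is the reproducer from the
// thread; the others generalise it to the other positions in which a
// binding or assignment pattern can appear.
const INVALID_TARGETS = [
  "(function (async function() {}) {})()",   // formal parameter (from the thread)
  "var [async function() {}] = [];",          // array binding pattern
  "[async function() {}] = [];",              // array assignment pattern
  "let {x: async function() {}} = {};",       // object binding pattern
];

// Controls that look similar but are valid: `async` as an ordinary
// parameter name, an async function as a default value, and a bare
// async function expression.
const VALID_CONTROLS = [
  "(function (async) {})()",
  "var [a = async function() {}] = [];",
  "(async function() {});",
];

// Run every source through the parser and map each one to its verdict.
function checkAll(sources) {
  const results = {};
  for (const src of sources) {
    results[src] = classifyParse(src);
  }
  return results;
}

// True when every invalid target is rejected as a SyntaxError and every
// control parses; this is the behaviour the V8 patch restored.
function parserRejectsInvalidTargets() {
  const bad = checkAll(INVALID_TARGETS);
  const good = checkAll(VALID_CONTROLS);
  return Object.values(bad).every((r) => r === "syntax-error") &&
         Object.values(good).every((r) => r === "ok");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAll(INVALID_TARGETS));
  console.log(checkAll(VALID_CONTROLS));
  console.log("parser rejects invalid targets:", parserRejectsInvalidTargets());
}
```

On an engine that still carried the bug, the first input would not return a verdict at all: d8 would abort on the unreachable-code check, which is why a check like this belongs in a test suite run under a release build rather than in production code.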
Jul 13 2017
ClusterFuzz has detected this issue as fixed in range 486166:486194.

Detailed report: https://clusterfuzz.com/testcase?key=6191356228927488

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Fatal error
Crash Address:
Crash State:
  NULL

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=460866:460935
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=486166:486194

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191356228927488

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2017
ClusterFuzz testcase 6191356228927488 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mstarzinger@chromium.org, Jul 10 2017
Status: Assigned (was: Untriaged)