This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sathya, the failing DCHECK was introduced in 62a7c080d5348bf35a9e1dd3a84449bc51d154b1. The failure still reproduces on ToT with:

out/x64.debug/d8 -e "async A=>{s.await i}"

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/58bbc6bf774b419361b61c89d556aed79207a902

commit 58bbc6bf774b419361b61c89d556aed79207a902
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Wed Aug 09 23:43:52 2017

[parser] Check if async function before throwing error

This changes the DCHECK (which could correctly fail) to be part of the
conditional that checks if we're in an async function.

Bug:  chromium:751789 
Change-Id: I3b8c1239ac93190055622c41fa1122e83b69d255
Reviewed-on: https://chromium-review.googlesource.com/607356
Reviewed-by: Daniel Ehrenberg <littledan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47261}
[modify] https://crrev.com/58bbc6bf774b419361b61c89d556aed79207a902/src/parsing/parser-base.h
[add] https://crrev.com/58bbc6bf774b419361b61c89d556aed79207a902/test/mjsunit/regress/regress-751789.js

ClusterFuzz has detected this issue as fixed in range 493236:493306.

Detailed report: https://clusterfuzz.com/testcase?key=4547312893558784

Fuzzer: libFuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !is_async_function() in parser-base.h
  v8::internal::ParserBase<v8::internal::PreParser>::ExpectSemicolon
  v8::internal::ParserBase<v8::internal::PreParser>::ParseExpressionOrLabelledStat
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=489626:489690
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=493236:493306

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4547312893558784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4547312893558784 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Already in M62

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot