Detailed report: https://clusterfuzz.com/testcase?key=4520930553626624

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  v8::internal::PatternRewriter::VisitRewritableExpression
  v8::internal::PatternRewriter::Visit
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47381:47382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4520930553626624

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5613767668006912

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5613767668006912

See https://github.com/google/clusterfuzz-tools for more information.

CF points to 983eec897979c48070ea5c76eda2afe339eda602. PTAL

Detailed report: https://clusterfuzz.com/testcase?key=5613767668006912

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  v8::internal::PatternRewriter::VisitRewritableExpression
  v8::internal::PatternRewriter::Visit
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47381:47382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5613767668006912

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=6700977704140800

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6700977704140800

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=4559672232378368

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  v8::internal::PatternRewriter::VisitRewritableExpression
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4559672232378368

See https://github.com/google/clusterfuzz-tools for more information.

 Issue 756258  has been merged into this issue.

It's not clear to me that Adam's CL is the proper culprit, as it looks like it takes the same execution paths within PatternRewriter.

I believe this is form parser-base.h:

```
    if (is_lazy_top_level_function) {
      FunctionState* parent_state = function_state.outer();
      DCHECK_NOT_NULL(parent_state);
      DCHECK_GE(parent_state->destructuring_assignments_to_rewrite().length(),
                rewritable_length);
      parent_state->RewindDestructuringAssignments(rewritable_length);
    }
```

This branch isn't being taken in the repro case, (maybe it was before?), so ParseProgram rewrites the recorded destructuring assignments, which includes one which has already been processed by DeclareAndInitializeVariables() for the arrow function.

It may be workable/make sense to always erase destructuring assignments from the parent function state, and doing so does fix this crash

https://chromium-review.googlesource.com/c/619386/2 tries this approach, but fails some regression tests. Could be that the condition to enter the branch just needs to be fine-tuned more.

More minimal repro:

{ ({x: {y} = {} } = {}) => {}; }

or for Array destructuring

{ ({x: [y] = [] } = {}) => {}; }

The failing DCHECK used to be an early return:

https://cs.chromium.org/chromium/src/v8/src/parsing/pattern-rewriter.cc?rcl=07259a9ceafa078c9bb7f9ee1bb6f2d67256cc80&l=335

Rewinding appropriately (as caitp suggests) seems more correct, but in the interest of a speedy fix I'll aim to land an early return with a TODO.

Detailed report: https://clusterfuzz.com/testcase?key=5146411875434496

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47381:47382

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5146411875434496

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5697924330946560

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  v8::internal::PatternRewriter::VisitRewritableExpression
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5697924330946560

See https://github.com/google/clusterfuzz-tools for more information.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/cec289ea57cc2d5ec72d55c524a181f89ce864ce

commit cec289ea57cc2d5ec72d55c524a181f89ce864ce
Author: Adam Klein <adamk@chromium.org>
Date: Fri Aug 18 16:16:24 2017

[pattern-rewriter] Handle already-rewritten RewritableExpressions as before

Before 983eec897979c48070ea5c76eda2afe339eda602, RewritableExpressions
which had been queued for destructuring assignment rewriting but which
turned out to be part of a binding pattern in arrow function parameters
would be silently ignored by the PatternRewriter. After that CL, they
failed with a DCHECK.

This patch reverts to the previous behavior, with a TODO to handle this
in a better way by dequeuing RewritableExpressions that turned out
to be part of an inner arrow function.

Bug:  chromium:756332 
Change-Id: I0a9bf51499940c944034d9a8128e89950de38059
Reviewed-on: https://chromium-review.googlesource.com/619506
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47435}
[modify] https://crrev.com/cec289ea57cc2d5ec72d55c524a181f89ce864ce/src/parsing/pattern-rewriter.cc
[add] https://crrev.com/cec289ea57cc2d5ec72d55c524a181f89ce864ce/test/mjsunit/regress/regress-crbug-756332.js

ClusterFuzz has detected this issue as fixed in range 47434:47435.

Detailed report: https://clusterfuzz.com/testcase?key=4559672232378368

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  v8::internal::PatternRewriter::VisitRewritableExpression
  v8::internal::PatternRewriter::Visit
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47381:47382
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47434:47435

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4559672232378368

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 47434:47435.

Detailed report: https://clusterfuzz.com/testcase?key=5146411875434496

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !node->is_rewritten() in pattern-rewriter.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47381:47382
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47434:47435

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5146411875434496

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6418618903691264 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz testcase 5613767668006912 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

I can't reproduce against tip-of-tree. Marking as Clusterfuzz-Wrong, since I'm fairly confident this is fixed, but CCing inferno@ in case there's something else I should be trying.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot