DCHECK failure in scope_data->get(index_++) == static_cast<uint32_t>(name->length()) in preparsed-
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6137204392067072
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
    scope_data->get(index_++) == static_cast<uint32_t>(name->length()) in preparsed-
    v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
    v8::internal::ConsumedPreParsedScopeData::RestoreData
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47663:47664
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6137204392067072
Issue manually filed by: mstarzinger

See https://github.com/google/clusterfuzz-tools for more information.

Aug 29 2017
Seems our "future" trials still work :)

Aug 30 2017

Aug 30 2017
Detailed report: https://clusterfuzz.com/testcase?key=4746823632945152
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
    scope_data->get(index_++) == static_cast<uint32_t>(name->length()) in preparsed-
    v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
    v8::internal::ConsumedPreParsedScopeData::RestoreData
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4746823632945152

See https://github.com/google/clusterfuzz-tools for more information.

Aug 30 2017

Aug 30 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 30 2017

Aug 30 2017
Removing release-block label since this only happens with --future, which we're not shipping yet.

Aug 30 2017
Downgrading severity to Low based on c#8.

Aug 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/025ea28bcaa0cf972f6f3160fda5ddeba17f3ab5

commit 025ea28bcaa0cf972f6f3160fda5ddeba17f3ab5
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Aug 31 05:42:36 2017

    [parser] Skipping inner funcs: fix sloppy block generators.

    PreParser and Parser didn't agree whether a generator in a sloppy block is a sloppy block function or not, and thus the data generated by PreParser was inconsistent with what the Parser wanted to restore.

    BUG=v8:5516, chromium:760116
    Change-Id: I0fd3c267691b8afd63a1336774769caf551c143e
    Reviewed-on: https://chromium-review.googlesource.com/642886
    Reviewed-by: Adam Klein <adamk@chromium.org>
    Commit-Queue: Marja Hölttä <marja@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47727}

[modify] https://crrev.com/025ea28bcaa0cf972f6f3160fda5ddeba17f3ab5/src/parsing/parser.h
[modify] https://crrev.com/025ea28bcaa0cf972f6f3160fda5ddeba17f3ab5/test/cctest/parsing/test-preparser.cc
[modify] https://crrev.com/025ea28bcaa0cf972f6f3160fda5ddeba17f3ab5/test/mjsunit/skipping-inner-functions.js

Aug 31 2017
ClusterFuzz has detected this issue as fixed in range 47726:47727.

Detailed report: https://clusterfuzz.com/testcase?key=6137204392067072
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
    scope_data->get(index_++) == static_cast<uint32_t>(name->length()) in preparsed-
    v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
    v8::internal::ConsumedPreParsedScopeData::RestoreData
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47663:47664
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47726:47727
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6137204392067072

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Aug 31 2017

Aug 31 2017

Aug 31 2017
Issue 760982 has been merged into this issue.

Sep 1 2017
ClusterFuzz testcase 6149866224091136 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sep 7 2017
ClusterFuzz testcase 4746823632945152 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Sep 7 2017
Umm.... weird, the test case https://clusterfuzz.com/testcase?key=4746823632945152 was (rightfully) detected as a duplicate by ClusterFuzz, and as far as I can tell, it really is a duplicate. I cannot repro any more on tip-of-tree V8. The test case is this:

    function $DONE() { }
    function __f_0() {
      {
        function* __f_2() {}
      }
    }
    __f_0();

(So it's also about a generator inside a sloppy block.)
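The language rule behind this class of test case is worth seeing run: in sloppy mode a plain function declaration inside a block is additionally hoisted to the enclosing function scope (Annex B.3.3 "sloppy block function" semantics), but a generator declaration in the same position is not, which is exactly the distinction the fixing commit says PreParser and Parser disagreed on. The following is an added example written for this page, not code from the bug thread or from V8; it assumes a Node/V8 runtime and uses the `Function` constructor because its body is always compiled as sloppy-mode code unless it opts into strict mode, so the result does not depend on whether the file is loaded as a module. The last function is an adaptation of the comment's test case with a `typeof` probe added (constructed here, not part of the original reproducer).

```javascript
// Added example: observable difference between a plain function declaration
// and a generator declaration inside a sloppy-mode block.

function hoistedTypeOfPlainFunction() {
  // Annex B.3.3: a FunctionDeclaration in a block is also var-bound in the
  // enclosing function scope, so it remains visible after the block.
  return new Function('{ function f() {} } return typeof f;')();
}

function hoistedTypeOfGenerator() {
  // GeneratorDeclaration is excluded from Annex B.3.3: g stays block-scoped
  // and is undefined after the block, even in sloppy mode.
  return new Function('{ function* g() {} } return typeof g;')();
}

function hoistedTypeOfPlainFunctionStrict() {
  // In strict mode no block-level declaration escapes its block.
  return new Function('"use strict"; { function f() {} } return typeof f;')();
}

// Shape of the ClusterFuzz test case from the comment above, adapted
// (constructed here) to report whether the generator escaped its block.
function runReproShape() {
  const body = [
    'function $DONE() { }',
    'function __f_0() { { function* __f_2() {} } return typeof __f_2; }',
    'return __f_0();',
  ].join('\n');
  return new Function(body)();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sloppy function:  ', hoistedTypeOfPlainFunction());
  console.log('sloppy generator: ', hoistedTypeOfGenerator());
  console.log('strict function:  ', hoistedTypeOfPlainFunctionStrict());
  console.log('repro shape:      ', runReproShape());
}
```

On a release build the reproducer simply runs; the DCHECK in the report fires only on a debug build with the experimental `--future` flag, where the preparser's skipped-function scope data is replayed for the full parser and the two sides have to agree on which declarations are sloppy block functions.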

Sep 12 2017
ClusterFuzz has detected this issue as fixed in range 47726:47727.

Detailed report: https://clusterfuzz.com/testcase?key=4746823632945152
Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
    scope_data->get(index_++) == static_cast<uint32_t>(name->length()) in preparsed-
    v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
    v8::internal::ConsumedPreParsedScopeData::RestoreData
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47663:47664
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47726:47727
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4746823632945152

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Dec 7 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 28
Comment 1 by mstarzinger@chromium.org, Aug 29 2017
Components: -Blink>JavaScript Blink>JavaScript>Parser
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)