CHECK failure: start_position == start_position_from_data in preparsed-scope-data.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6678215447019520
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  start_position == start_position_from_data in preparsed-scope-data.cc
  v8::internal::ConsumedPreParsedScopeData::GetDataForSkippableFunction
  v8::internal::Parser::SkipFunction
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47802:47803
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6678215447019520

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 11 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/36d703778ccd0d2777e0d4b69ed6e65e39a9f521 ([parser] Tentatively enable FLAG_preparser_scope_analysis.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 11 2017
Debugging notes:
A more minimal repro:
function lazy(p = (function() {}, class {}, function() {}, class {
  method1() {
  }
})) { }
lazy();
But for some reason modifying this repro at all makes the bug not repro...
Oct 11 2017
Debugging notes cont.
The problem is that preparser thinks that the second function() {} is likely called, and parser thinks it's not.
And that is because Parser creates a FunctionState for the default ctor and PreParser doesn't.
Fix underway.
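The comments above pin the failure to a Parser/PreParser disagreement about which inner function is "likely called" once a class with a default constructor sits in the comma expression. The harness below is an added example, not code from this thread or from V8's own test suite: it generates the neighbouring variants of the minimal repro (class with a default constructor versus an explicit one, with or without a trailing method, in both class positions) and checks that every variant parses and that the default parameter evaluates to the last class literal. The variant names and the `buildSource`/`runVariant`/`runAll` helpers are mine. On a fixed engine this only confirms consistent behaviour across the variant space; the original CHECK only fires in the debug d8 configuration ClusterFuzz used, so a release build cannot reproduce the crash itself.

```javascript
// Added regression-style harness around the minimal repro from the thread.
// Constructed for this page; not V8's own mjsunit test. Variant names and
// helper functions are assumptions introduced here.
const classVariants = {
  emptyDefaultCtor: 'class {}',
  defaultCtorWithMethod: 'class { method1() {} }',
  explicitCtor: 'class { constructor() {} }',
  explicitCtorWithMethod: 'class { constructor() {} method1() {} }',
};

// Mirror the repro's shape: a default parameter whose initializer is a
// parenthesized comma expression mixing function and class literals.
// The comma operator yields the last operand, so `p` is the final class.
function buildSource(middle, last) {
  return (
    `function lazy(p = (function() {}, ${middle}, function() {}, ${last})) { return p; }\n` +
    'return lazy();'
  );
}

// Compile and run one variant. Parsing happens inside `new Function`, so a
// parser-level inconsistency would surface here as a thrown error (in a
// release build) rather than a CHECK failure.
function runVariant(middle, last) {
  const src = buildSource(middle, last);
  let value;
  try {
    value = new Function(src)();
  } catch (e) {
    return { src, ok: false, error: String(e) };
  }
  // Class constructors stringify to their source text, starting with "class".
  const isClass =
    typeof value === 'function' &&
    /^class\b/.test(Function.prototype.toString.call(value));
  const hasMethod1 = isClass && typeof value.prototype.method1 === 'function';
  return { src, ok: true, isClass, hasMethod1 };
}

// Walk the full variant matrix (4 x 4 = 16 sources) and collect results.
function runAll() {
  const results = [];
  for (const [middleName, middle] of Object.entries(classVariants)) {
    for (const [lastName, last] of Object.entries(classVariants)) {
      results.push({ middle: middleName, last: lastName, ...runVariant(middle, last) });
    }
  }
  return results;
}

// Stand-alone usage: report any variant that failed to parse or run.
for (const r of runAll()) {
  if (!r.ok) console.log(`FAIL ${r.middle}/${r.last}: ${r.error}`);
}
```

The harness deliberately enumerates the neighbours of the repro rather than the single failing input, because the thread notes that any edit to the repro made the bug stop reproducing: a fix that is only checked against one source would not catch a second divergence one variant away.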
Oct 11 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 11 2017
Actually... it's a bit silly that the class {} in between affects the "is-likely-called"ness at all! But I'm first going to do a small fix to just unify the behavior (the branch point is so near) - and leave addressing the main weirdness for later. Adamk, wdyt?
Oct 11 2017
Ah, I think #8 answers my question from the code review ("why is this so weird?"). As I said there, I'm OK with a minimal unifying fix before the branch with some followup work to make this make more sense later.
Oct 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/dd18faf2cbe430c3731107f3eb130fadbb596064

commit dd18faf2cbe430c3731107f3eb130fadbb596064
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Oct 12 18:30:01 2017

[parser] Skipping inner funcs: Fix default ctors in PreParser.

Parser creates a FunctionState for default ctors, which affects the next_function_is_likely_called logic. PreParser needs to match that logic, so that Parser and PreParser agree about which functions are skippable.

BUG=v8:5515, chromium:773576
Change-Id: I96cb6f5aa68e74389a863355f70a34693a2d1329
Reviewed-on: https://chromium-review.googlesource.com/712579
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48511}

[modify] https://crrev.com/dd18faf2cbe430c3731107f3eb130fadbb596064/src/parsing/preparsed-scope-data.cc
[modify] https://crrev.com/dd18faf2cbe430c3731107f3eb130fadbb596064/src/parsing/preparser.h
[modify] https://crrev.com/dd18faf2cbe430c3731107f3eb130fadbb596064/test/mjsunit/skipping-inner-functions.js
Oct 13 2017
ClusterFuzz has detected this issue as fixed in range 48510:48511.

Detailed report: https://clusterfuzz.com/testcase?key=6678215447019520
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  start_position == start_position_from_data in preparsed-scope-data.cc
  v8::internal::ConsumedPreParsedScopeData::GetDataForSkippableFunction
  v8::internal::Parser::SkipFunction
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47802:47803
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48510:48511
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6678215447019520

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 13 2017
ClusterFuzz testcase 6678215447019520 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 17 2017
Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f435a180d199eda0c6777be153aa0ca5541ef599

commit f435a180d199eda0c6777be153aa0ca5541ef599
Author: Marja Hölttä <marja@chromium.org>
Date: Tue Oct 17 16:04:46 2017

Merged: [parser] Skipping inner funcs: Fix default ctors in PreParser.

Parser creates a FunctionState for default ctors, which affects the next_function_is_likely_called logic. PreParser needs to match that logic, so that Parser and PreParser agree about which functions are skippable.

BUG=v8:5515, chromium:773576
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
Change-Id: I96cb6f5aa68e74389a863355f70a34693a2d1329
Reviewed-on: https://chromium-review.googlesource.com/712579
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#48511}
(cherry picked from commit dd18faf2cbe430c3731107f3eb130fadbb596064)
Reviewed-on: https://chromium-review.googlesource.com/723519
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#16}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

[modify] https://crrev.com/f435a180d199eda0c6777be153aa0ca5541ef599/src/parsing/preparsed-scope-data.cc
[modify] https://crrev.com/f435a180d199eda0c6777be153aa0ca5541ef599/src/parsing/preparser.h
[modify] https://crrev.com/f435a180d199eda0c6777be153aa0ca5541ef599/test/mjsunit/skipping-inner-functions.js
Oct 17 2017
Per comment #17, this is already merged to M63.
Jan 19 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Oct 11 2017
Labels: Test-Predator-AutoComponents