Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/fa3b73fffe232b601d2a94f129446f41c765a86e ([parser] Skipping inner funcs: Turn flag back on.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Looking into this...

The minimal repro case is:

var o = [ function f3() {
  x = 1;
  x = 1;
  ... // enough times
} ];

o[0]();

Hmm, no, even more minimal is possible:

var o = function f3() {
  x = 1;
  x = 1;
  ... // enough times
}


So this is some weird interaction between skipping inner funcs and aborting preparsing.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d69159d52daef4596e87a385f01dfbbda33d2245

commit d69159d52daef4596e87a385f01dfbbda33d2245
Author: Marja Hölttä <marja@chromium.org>
Date: Mon Oct 16 13:31:49 2017

[parser] Skipping inner funcs: fix related to aborting preparsing.

When skipping inner funcs is enabled, we also track variables for top level
funcs. Thus, we also declared the function name for the function scope, even
though it was the function scope for a function whose preparsing was
aborted. This lead into declaring the function name twice.

The fix is to declare the function name only in the success case.

The code was "wrong" before too, but this was never a problem, since variable
tracking and aborting preparsing were enabled for disjoint sets of
functions (aborting preparsing only for top-level, and variable tracking for
non-top-level).

BUG= v8:5516 , chromium:774475 

Change-Id: Ie6c321cc834cd946e8843f73916fa7dd75e9cd09
Reviewed-on: https://chromium-review.googlesource.com/720920
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48592}
[modify] https://crrev.com/d69159d52daef4596e87a385f01dfbbda33d2245/src/parsing/preparser.cc
[add] https://crrev.com/d69159d52daef4596e87a385f01dfbbda33d2245/test/mjsunit/regress/regress-774475.js

ClusterFuzz has detected this issue as fixed in range 48591:48592.

Detailed report: https://clusterfuzz.com/testcase?key=4577259615944704

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  (function_) == nullptr in scopes.cc
  V8_Dcheck
  v8::internal::DeclarationScope::DeclareFunctionVar
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_mipsel_dbg&range=48275:48276
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_mipsel_dbg&range=48591:48592

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4577259615944704

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4577259615944704 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/518b58afa6c377d7f18014ffb48a7e187bd1ee03

commit 518b58afa6c377d7f18014ffb48a7e187bd1ee03
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Oct 19 09:26:06 2017

Merged: [parser] Skipping inner funcs: fix related to aborting preparsing.

When skipping inner funcs is enabled, we also track variables for top level
funcs. Thus, we also declared the function name for the function scope, even
though it was the function scope for a function whose preparsing was
aborted. This lead into declaring the function name twice.

The fix is to declare the function name only in the success case.

The code was "wrong" before too, but this was never a problem, since variable
tracking and aborting preparsing were enabled for disjoint sets of
functions (aborting preparsing only for top-level, and variable tracking for
non-top-level).

BUG= v8:5516 , chromium:774475 
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: Ie6c321cc834cd946e8843f73916fa7dd75e9cd09
Reviewed-on: https://chromium-review.googlesource.com/720920
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#48592}(cherry picked from commit d69159d52daef4596e87a385f01dfbbda33d2245)
Reviewed-on: https://chromium-review.googlesource.com/728000
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#25}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/518b58afa6c377d7f18014ffb48a7e187bd1ee03/src/parsing/preparser.cc
[add] https://crrev.com/518b58afa6c377d7f18014ffb48a7e187bd1ee03/test/mjsunit/regress/regress-774475.js

Per comment #12, this is already merged to M63.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot