DCHECK failure in scope->is_module_scope() implies processor.result_assigned() in rewriter.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5092953914867712
Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  scope->is_module_scope() implies processor.result_assigned() in rewriter.cc
  v8::internal::Rewriter::Rewrite
  v8::internal::Compiler::Analyze
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510082:510099
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092953914867712
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Nov 22 2017
Umm, I get the "You (email=...) are not authorized to access this page!" with both marja@google.com and marja@chromium.org. What's up with that? Trying to set myself as owner to see if that makes it work... Anyhow, this looks like the second bug found by my new fuzzer. :)
,
Nov 22 2017
Umm, the test case claims to be:
{ set : try { } catch ( a ) { b } finally { set } }
But that doesn't crash locally (not with the fuzzer and not with d8). It also looks relatively harmless.
I wonder why this doesn't repro locally. mmoroz, metzman, any ideas?
,
Nov 22 2017
Marja, have you tried the clusterfuzz reproduce tool? You'll need a chromium checkout for that. I tried to download and unzip the build but ran out of disk space :(
,
Nov 22 2017
,
Nov 22 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 22 2017
,
Nov 22 2017
,
Nov 22 2017
Right, yes, that works, actually. And the printed out test case is actually exactly the one above (so it's not about any incompatible changes regarding the proto format or so). It can be that this is depending on the V8 version... But... still... whaat... somehow looks like that reproducer thing didn't change the V8 version in the working tree and I'm confused.
,
Nov 22 2017
Also worth noting that this bug was found using a debug build:
enable_nacl = false
ffmpeg_branding = "ChromeOS"
is_asan = true
is_debug = true
pdf_enable_xfa = true
proprietary_codecs = true
use_libfuzzer = true
,
Nov 23 2017
Now I'm having better luck reproing this... can repro w/ my fuzzer target program, can't repro with plain d8. This is likely not a regression; the blame range contains CLs which enhance my fuzzer to find cases like this.
,
Nov 23 2017
Ah, module vs script is not properly printed out by the native format input printer.
So the repro is:
{ set : try { } catch ( a ) { b } finally { set } }
run with d8 --module.
Tentatively assigning to neis@, since this seems a case where modules differ from normal scripts (this doesn't crash for normal scripts).
,
Nov 23 2017
,
Nov 23 2017
This is unrelated to modules. A fix is at https://chromium-review.googlesource.com/#/c/v8/v8/+/787473. The bug is not security relevant and not a regression either, removing some labels accordingly.
,
Nov 24 2017
,
Nov 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/aa7d1438df9efe36cdb25a5574659385dd9540cd

commit aa7d1438df9efe36cdb25a5574659385dd9540cd
Author: Georg Neis <neis@chromium.org>
Date: Tue Nov 28 09:07:51 2017

[parsing] Fix bug in rewriter concerning a breakable try-finally.

R=adamk@chromium.org

Bug: chromium:787698
Change-Id: I873debe61b152a9e88ce22d95a69f27eab2d0f55
Reviewed-on: https://chromium-review.googlesource.com/787473
Reviewed-by: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49653}

[modify] https://crrev.com/aa7d1438df9efe36cdb25a5574659385dd9540cd/src/parsing/rewriter.cc
[modify] https://crrev.com/aa7d1438df9efe36cdb25a5574659385dd9540cd/test/mjsunit/es6/completion.js
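As an added illustration (not code from the thread, from the fix, or from V8's test suite): the completion values the rewriter has to produce for the statement shapes in the reproducer (try/finally, a labelled statement, and a break leaving a finally block), observed through eval() under Node.js. The expected values come from ECMA-262's TryStatement and LabelledStatement evaluation rules; the label name, the case list and the helper functions are this example's own. It does not trigger the DCHECK, which needs a V8 debug build (and, per the thread, --module mode); it only shows the semantics the fixed rewriter has to preserve.

```javascript
// Added example, not code from the bug thread, the fix, or V8's test suite.
// Completion values of try/finally and labelled statements are what
// src/parsing/rewriter.cc computes; eval() returns a script's completion
// value, so it is the cheapest way to observe them. Expected values follow
// ECMA-262 (TryStatement and LabelledStatement evaluation, UpdateEmpty).

// Evaluate a script and report its completion value or the thrown error.
function completionOf(src) {
  try {
    return { value: eval(src), threw: null };
  } catch (e) {
    return { value: undefined, threw: e.constructor.name };
  }
}

// Constructed cases; `L` is an arbitrary label name chosen for this example.
const CASES = [
  // finally completes normally: the try block's value is the result
  { src: "1; try { 2 } finally { 3 }", expected: 2 },
  // exception caught: the catch block's value is the result
  { src: "1; try { throw 0 } catch (e) { 2 } finally { 3 }", expected: 2 },
  // empty try/finally completes with undefined, which replaces the earlier 1
  { src: "1; try {} finally {}", expected: undefined },
  // "breakable try-finally": a break leaving finally discards the try
  // block's value, and the labelled statement completes with undefined
  { src: "1; L: try { 2 } finally { break L; }", expected: undefined },
];

function runCases() {
  return CASES.map(({ src, expected }) => {
    const r = completionOf(src);
    return {
      src,
      got: r.value,
      threw: r.threw,
      ok: r.threw === null && r.value === expected,
    };
  });
}

// The thread's reproducer, run as a classic script (not with --module).
// After the fix it parses and runs; the only failure is a runtime
// ReferenceError, because `set` in the finally block is an undeclared variable.
const REPRO = "{ set : try { } catch ( a ) { b } finally { set } }";

function reproOutcome() {
  return completionOf(REPRO).threw;
}

for (const r of runCases()) {
  console.log(r.ok ? "ok  " : "FAIL", JSON.stringify(r.src), "->", r.got);
}
console.log("reproducer:", reproOutcome());
```

Run it with plain `node`; to look at the DCHECK itself you still need a debug d8 built from a revision before the fix, fed the reproducer with --module as the thread describes.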
,
Nov 28 2017
,
Nov 29 2017
ClusterFuzz has detected this issue as fixed in range 519661:519672.
Detailed report: https://clusterfuzz.com/testcase?key=5092953914867712
Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  scope->is_module_scope() implies processor.result_assigned() in rewriter.cc
  v8::internal::Rewriter::Rewrite
  v8::internal::Compiler::Analyze
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510082:510099
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=519661:519672
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092953914867712
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 29 2017
ClusterFuzz testcase 5092953914867712 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 22 2017. Labels: Test-Predator-Auto-Components