Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on suspected regression changelists:

[parser] Use n-ary addition for template strings by leszeks@chromium.org - https://chromium.googlesource.com/v8/v8/+/531af2f4c1433a3b8b0a42b6ff9c8dd6cf9afdf6

[ast] Expose Literal::Type enum and switch over it in BytecodeGenerator by adamk@chromium.org - https://chromium.googlesource.com/v8/v8/+/bcf9771b81146d7ece2ddcb25c85d3a764040969

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

siggi: Can you please take a look? It looks like you're the author of the DCHECKs. Thank you!

Not my code - I just converted from CHECK to DCHECK for Albatross. Yang, I see your name there: https://chromium.googlesource.com/v8/v8.git/+blame/61e700767ae04ac3772718a6e0cffc89b3c59f58/src/ast/scopes.cc#1798.

The repro is:

( function *  ( name = ( eval ( foo ) , foo , prototype ) ) {  } )

And the bug is reproducible with plain d8.

Simplest repro I was able to come up with:

(function (name = (eval('') , foo, bar) ) {  })

(Huh, what?)

It's a parser bug so assigning to me.

Alright, this doesn't sound super critical, just some positions are off.. probably a problem in the cover grammar parsing (the "(eval(''), foo, bar)" which is a comma separated expression).

Anyway, this is wonky enough - why are (foo, bar, baz) and (eval(''), foo) ok but (eval(''), foo, bar) not - to warrant having a look. And I guess it's a sensible assumption that we don't produce expressions without positions. Who knows what else goes wrong.

Also, this is interesting in the sense that this is apparently uncovered by our existing tests. When a regression test for this is landed, the mbarbella fuzzer might start finding something interesting based on that. Dunno.

Ok I guess I know what's going on...

A more minimal repro:

(function (name = (foo, bar, baz) ) {  })

now the initializer is (foo, bar, baz) which is a n-ary expression, and for some reason, those have position -1. That initializer position ends up being the scope position. I guess normally the position of the n-ary expression doesn't trickle into anything, but in this case it does.

So I guess a n-ary expression should also have a proper position...

leszeks@, any reason why it shouldn't?

https://chromium-review.googlesource.com/c/v8/v8/+/822093

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/10d9c3148864627d643bbeb74224ffa9c7b4fcf9

commit 10d9c3148864627d643bbeb74224ffa9c7b4fcf9
Author: Marja Hölttä <marja@chromium.org>
Date: Tue Dec 12 18:54:03 2017

[parser] Fix NaryOperation positions.

If an initializer is a NaryOperation, its position ends up as a start position
of a Scope, and a DCHECK used to fire.

Interestingly, this was not caught by our existing tests.

BUG= chromium:791256 

Change-Id: Id47f850c7ad17ca580352f9bd56c9567b485c3b8
Reviewed-on: https://chromium-review.googlesource.com/822093
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50051}
[modify] https://crrev.com/10d9c3148864627d643bbeb74224ffa9c7b4fcf9/src/ast/ast.h
[add] https://crrev.com/10d9c3148864627d643bbeb74224ffa9c7b4fcf9/test/mjsunit/regress/regress-crbug-791256.js

ClusterFuzz has detected this issue as fixed in range 524053:524063.

Detailed report: https://clusterfuzz.com/testcase?key=5681042311872512

Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  kNoSourcePosition != start_position() in scopes.cc
  v8::internal::Scope::CheckScopePositions
  v8::internal::Scope::CheckScopePositions
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=512947:512975
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=524053:524063

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5681042311872512

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5681042311872512 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

abdulsyed@ - good for 64

Approving this for M64. Branch:3282

marja@, reminder to please merge CL to M64 branch 3282.

Please merge the approved cl(s) to M64 release branch 3282 as soon as possible.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2

commit a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2
Author: Adam Klein <adamk@chromium.org>
Date: Fri Jan 05 22:47:11 2018

Merged: [parser] Fix NaryOperation positions.

Revision: 10d9c3148864627d643bbeb74224ffa9c7b4fcf9

BUG= chromium:791256 
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=gsathya@chromium.org

Change-Id: I5149ac5b5582523ef887a13f38844e51bced9f3f
Reviewed-on: https://chromium-review.googlesource.com/853155
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#39}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}
[modify] https://crrev.com/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2/src/ast/ast.h
[add] https://crrev.com/a28ca3e1004e0cfbbb582bffdc2c527cc17dc3f2/test/mjsunit/regress/regress-crbug-791256.js

Thanks for merging while I was ooo!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot