Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/47c25893d0862092e8609e069d39e24528dc73ea ([parser] Ship preparser scope analysis under future.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a skipping bug.

A more minimal repro:

function foo(f) { f(); }

foo(function arguments() {
    function skippable() { }
});

This is kinda funny actually. :)

The bug is that "arguments" and the function name are declared in the wrong order in PreParser.

There is even a comment explaining why they need to be declared in the right order:

ParserBase:
-----------

  if (!IsArrowFunction(kind)) {
    // Declare arguments after parsing the function since lexical 'arguments'
    // masks the arguments object. Declare arguments before declaring the
    // function var since the arguments object masks 'function arguments'.
    function_scope->DeclareArguments(ast_value_factory());
  }

  impl()->DeclareFunctionNameVar(function_name, function_type, function_scope);


PreParser:
----------

  if (!IsArrowFunction(kind) && track_unresolved_variables_ &&
      result == kLazyParsingComplete) {
    DeclareFunctionNameVar(function_name, function_type, function_scope);

    // Declare arguments after parsing the function since lexical 'arguments'
    // masks the arguments object. Declare arguments before declaring the
    // function var since the arguments object masks 'function arguments'.
    function_scope->DeclareArguments(ast_value_factory());
  }

But somehow the PreParser code doesn't match that comment :P

Fix underway: https://chromium-review.googlesource.com/c/v8/v8/+/865900 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9bc4e5602a4740bb06a0cce4ceb27248d90591d4

commit 9bc4e5602a4740bb06a0cce4ceb27248d90591d4
Author: Marja Hölttä <marja@chromium.org>
Date: Wed Jan 17 08:29:20 2018

[parser] Fix declaration order of "arguments" and func name.

They were in the wrong order in PreParser, which caused problem for "function
arguments() { ... }".

BUG= chromium:801772 

Change-Id: Ia04c8c8c0a5d641fd1db0746dc3312c83ebcaf24
Reviewed-on: https://chromium-review.googlesource.com/865900
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50640}
[modify] https://crrev.com/9bc4e5602a4740bb06a0cce4ceb27248d90591d4/src/parsing/preparser.cc
[add] https://crrev.com/9bc4e5602a4740bb06a0cce4ceb27248d90591d4/test/mjsunit/regress/regress-801772.js

ClusterFuzz has detected this issue as fixed in range 50639:50640.

Detailed report: https://clusterfuzz.com/testcase?key=4971037795287040

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  scope_data_->ReadUint32() == static_cast<uint32_t>(name->length()) in preparsed-
  v8::internal::ConsumedPreParsedScopeData::RestoreDataForVariable
  v8::internal::ConsumedPreParsedScopeData::RestoreData
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=47663:47664
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=50639:50640

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4971037795287040

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4971037795287040 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e4941f76f5588ac787b32a5d9c5852b0b174d8b6

commit e4941f76f5588ac787b32a5d9c5852b0b174d8b6
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Jan 18 14:26:35 2018

[parser] Follow-up to r50640: add cctest.

This adds a test-preparser cctest corresponding to the regression test added in
https://chromium-review.googlesource.com/865900

BUG= chromium:801772 

Change-Id: I33d74e242fd765b91b7c148b9a0af4960a7b05ea
Reviewed-on: https://chromium-review.googlesource.com/870311
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50688}
[modify] https://crrev.com/e4941f76f5588ac787b32a5d9c5852b0b174d8b6/test/cctest/parsing/test-preparser.cc

The VRP panel looked at this and concluded that it very likely doesn't lead to  memory corruption. If execution gets past this DCHECK, it hits another DCHECK later as not everything has been parsed, but if that is also removed there's still no crash.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot