DCHECK failure in !has_rest_ in scopes.cc
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6312624434970624
Fuzzer: libFuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !has_rest_ in scopes.cc
  v8::internal::DeclarationScope::DeclareParameter
  DeclareFormalParameters
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499534:499545
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6312624434970624
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Feb 20 2018
Umm, can't access the test case... seeing if setting me as an owner helps.
Feb 20 2018
Ok that helped. The minified test case claims to be:
// C(a, b) { s }
function g(...args) { reonincontintecontinckftinteoninteconecontinteconcintecnteconintecootintecoftinteconintecontintecontonintecontintecoftinteconinteonteintectinteconiecontitinteeconintecotinteconcontint;s;sent=htod;sent;sent;sent=htod;sent;sent;sent=htod;sent;sent;se=htod;t;sent;s=htod;sent;sent;t=htod;sent;s;sent=hd;senecoftinteconeconftinteconincontieconintecontintecoftinteconinteconticoftintecontecontinteconcontiecoftinteconintecontinteconcontin;sent;htod;se;nstent;d;sent;sent;sent=ht;sent;sent;htod;sent;sent;seod;set;sent;sent=htod;sent;sent;sent=htod;nt;sent=htod;s;sent;ent;sent=htod;sent;sent;sentd;sent;sent;s ;sent;sent;sent=htod;continteecnteconftintececontieceintecoftinteconintecontintecontecontinteconinteccontteconintececoncotecontconintecootintecofteconinteconconctecofteconintecntinteoneteconintecontinteconcontin;sent;sent=htod;se;sent;sent=d;sent;sent;set=htod;sent;sent;d;sent;sent;sent=htod;sent;sent;sentod;sent;sent;tod;senconcontineoftintecnteconfticoecontieconintecontintecoftinteecontintecoftinteconintecontieecoftintecoinetinteconntin;sent;sent=htod;se;nt;sen=thtod;e;sent;sent=htod;sent;sent;sent=htod;sent;sent;sentd;sent;sent;senttod;sent;sent; d;sent;sent=htod;sent;st;sulfle/!}ll0e0.^~
But I can't repro, at least not with d8.
Mar 1 2018
marja@: Did you try to repro on an ASAN build, which might make a difference? Also, are there clear implications of that DCHECK failing? It's not clear that the severity on this bug is correct.
Mar 5 2018
Yeah, I can't repro with asan either. I'm also not sure about the severity. It's a syntax error, so the script won't be executed. Looking at the DCHECK, if we carry on at that point, it looks like we would reintroduce a rest parameter, but if we don't compile the script anyway, it looks relatively harmless. Btw, looking at the repro case, I don't see how that would cause that DCHECK to fire, since there's no second rest parameter anywhere, and when we introduce the rest parameter, everything's still syntactically correct... I wonder whether there's something I was missing when trying to extract the repro case.
Mar 20 2018
marja: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 21 2018
Contrary to the status quo before, now I can actually repro this with v8_script_parser_fuzzer. Investigating...
Mar 21 2018
OMG, this is the "aborting preparsing" feature again. Looks like the has_rest_ is just not reset properly. Fix underway. I don't think this is security critical, so removing the labels.
Mar 21 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4f506dbeec3fad4c7bcdda68c3ff701dbc52f055
commit 4f506dbeec3fad4c7bcdda68c3ff701dbc52f055
Author: Marja Hölttä <marja@chromium.org>
Date: Wed Mar 21 09:04:07 2018
[parser] Fix aborting preparsing of a function with a rest param.
BUG= chromium:813630
Change-Id: I9eeaeb8830533c178c8073f48f036f9af8887a55
Reviewed-on: https://chromium-review.googlesource.com/972901
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52095}
[modify] https://crrev.com/4f506dbeec3fad4c7bcdda68c3ff701dbc52f055/src/ast/scopes.cc
[add] https://crrev.com/4f506dbeec3fad4c7bcdda68c3ff701dbc52f055/test/mjsunit/regress/regress-crbug-813630.js
Mar 21 2018
Marking fixed. As it's just a tracking variable that we failed to update properly (the actual parameters are cleared properly), I don't think this has any actual impact. I don't think merges are needed here.
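As an added illustration (not V8's code and not the fix in the linked commit), a simplified C++ model of the stale tracking flag described in the comments above: the class and member names follow the thread (DeclarationScope, DeclareParameter, has_rest_), while the reset method, its internals and the fixed/buggy switch are assumptions for demonstration.

```cpp
// Model of the bug class discussed in this thread (not V8's real code):
// a scope caches "a rest parameter was seen" in a flag beside the
// parameter list. Aborting preparsing rolls the parameter list back but,
// in the buggy variant, forgets the flag, so re-declaring the same rest
// parameter during the full parse trips the !has_rest_ sanity check.
#include <string>
#include <vector>

class DeclarationScope {
 public:
  explicit DeclarationScope(bool fixed_reset) : fixed_reset_(fixed_reset) {}

  // Returns false where V8's DCHECK(!has_rest_) would fire:
  // a rest parameter must be last, so nothing may be declared after it.
  bool DeclareParameter(const std::string& name, bool is_rest) {
    if (has_rest_) return false;
    params_.push_back(name);
    if (is_rest) has_rest_ = true;
    return true;
  }

  // Hypothetical rollback called when preparsing is abandoned and the
  // function will be parsed again from the start.
  void ResetAfterPreparsing() {
    params_.clear();                       // parameters were always cleared
    if (fixed_reset_) has_rest_ = false;   // the flag only in the fixed variant
  }

  size_t num_parameters() const { return params_.size(); }
  bool has_rest() const { return has_rest_; }

 private:
  std::vector<std::string> params_;
  bool has_rest_ = false;
  bool fixed_reset_;
};

// Simulates preparsing `function g(...args) { ... }`, aborting, then
// parsing it fully. Returns true if the second `...args` is accepted.
bool ParseTwiceAfterAbort(bool fixed_reset) {
  DeclarationScope scope(fixed_reset);
  scope.DeclareParameter("args", /*is_rest=*/true);       // preparse
  scope.ResetAfterPreparsing();                            // preparse aborted
  return scope.DeclareParameter("args", /*is_rest=*/true); // full parse
}
```

With the buggy reset the second declaration is rejected (the DCHECK condition), which matches the comment above that only the tracking flag was stale while the real parameters were cleared.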
Mar 22 2018
ClusterFuzz has detected this issue as fixed in range 544721:544735.
Detailed report: https://clusterfuzz.com/testcase?key=6312624434970624
Fuzzer: libFuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  !has_rest_ in scopes.cc
  v8::internal::DeclarationScope::DeclareParameter
  DeclareFormalParameters
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=499534:499545
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=544721:544735
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6312624434970624
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2018
ClusterFuzz testcase 6312624434970624 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 3 2018
Flipping to "bug" per c21
Jun 27 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Feb 19 2018. Labels: Test-Predator-Auto-Components