ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5996294548750336.

Clusterfuzz didn't crash on this test case, but reproducing it manually does crash in Chrome 65 (Didn't seem to crash in 66 or 67). 

See crash/8490d341974e437a

Also couldn't repro on >65, but could on 65. Assigning to clemensh, since this looks like a V8 issue.

This crashes in generated code. Assigning to Bmeurer because it seems to be Promise-related.

Also crashes in Node 8 if you extract the JavaScript and change the alert(this) to console.log(this). Looks like there's charCodeAt involved. sigurds@ can you please take a look?

Upgrading to High severity, given it's RCE

This seems to affect Node.js as well, although I don't it is a security issue for Node as the trust model is that local JavaScript is trusted. I propose that we port the fix to Node *after* they have been fixed and released for the browser.

This affects Node.js 8.x, 9.x (both using V8 6.2). I cannot reproduce this with Node.js master (V8 6.6). Does this not affect V8 6.6+?

The affected code is no longer present starting with V8 6.6.

I think I accidentally removed the M-65 label. Adding it back.

I'm sorry to say the VRP panel declined to reward, as we didn't make any change because of this report, per comment 13.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot