DCHECK failure in (function_) == nullptr in scopes.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5153368765628416

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  (function_) == nullptr in scopes.cc

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56280:56281

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5153368765628416

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Oct 1
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/563eeec64cacdf02f0f133ec4668b69d880ee8d5

commit 563eeec64cacdf02f0f133ec4668b69d880ee8d5
Author: Florian Sattler <sattlerf@google.com>
Date: Mon Oct 01 13:14:33 2018

[parser] Fix function name variable tracking

Delay the creation of FunctionNameVariables until we validated the FormalParameters. This is needed so we don't declare them in cases where we later get an error, have to reset, and reparse.

Bug: chromium:890553, v8:7926
Change-Id: I742e6f7f71158e3903843bd583dc7943468c18f6
Reviewed-on: https://chromium-review.googlesource.com/1254061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Florian Sattler <sattlerf@google.com>
Cr-Commit-Position: refs/heads/master@{#56314}

[modify] https://crrev.com/563eeec64cacdf02f0f133ec4668b69d880ee8d5/src/parsing/preparser.cc
[add] https://crrev.com/563eeec64cacdf02f0f133ec4668b69d880ee8d5/test/mjsunit/regress/regress-890553.js

Oct 1
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Oct 2
ClusterFuzz has detected this issue as fixed in range 56313:56314.

Detailed report: https://clusterfuzz.com/testcase?key=5153368765628416

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  (function_) == nullptr in scopes.cc

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56280:56281
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56313:56314

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5153368765628416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 2
ClusterFuzz testcase 5153368765628416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jan 8
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Comment 1 by ClusterFuzz, Sep 29
Owner: sattlerf@google.com
Status: Assigned (was: Untriaged)