
Issue 890553

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Oct 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




DCHECK failure in (function_) == nullptr in scopes.cc

Project Member Reported by ClusterFuzz, Sep 29

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5153368765628416

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  (function_) == nullptr in scopes.cc
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56280:56281

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5153368765628416

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Sep 29

Labels: Test-Predator-Auto-Owner
Owner: sattlerf@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/7b11480f3bd92317c3fe97ae51b11cb7e1d97ec2 ([preparser] Remove ExpressionClassifier error tracking in the PreParser.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 29

Labels: Pri-1
Labels: Security_Impact-Head M-71
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 1

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/563eeec64cacdf02f0f133ec4668b69d880ee8d5

commit 563eeec64cacdf02f0f133ec4668b69d880ee8d5
Author: Florian Sattler <sattlerf@google.com>
Date: Mon Oct 01 13:14:33 2018

[parser] Fix function name variable tracking

Delay the creation of FunctionNameVariables until we validated the
FormalParameters. This is needed so we don't declare them in cases where
we later get an error, have to reset, and reparse.

Bug: chromium:890553, v8:7926
Change-Id: I742e6f7f71158e3903843bd583dc7943468c18f6
Reviewed-on: https://chromium-review.googlesource.com/1254061
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Florian Sattler <sattlerf@google.com>
Cr-Commit-Position: refs/heads/master@{#56314}
[modify] https://crrev.com/563eeec64cacdf02f0f133ec4668b69d880ee8d5/src/parsing/preparser.cc
[add] https://crrev.com/563eeec64cacdf02f0f133ec4668b69d880ee8d5/test/mjsunit/regress/regress-890553.js

Project Member

Comment 5 by sheriffbot@chromium.org, Oct 1

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by ClusterFuzz, Oct 2

ClusterFuzz has detected this issue as fixed in range 56313:56314.

Detailed report: https://clusterfuzz.com/testcase?key=5153368765628416

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  (function_) == nullptr in scopes.cc
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56280:56281
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56313:56314

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5153368765628416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Oct 2

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5153368765628416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: marja@chromium.org
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 2

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 11 by sheriffbot@chromium.org, Jan 8

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
