
Issue 902810 link


Issue metadata

Status: Verified
Owner:
Closed: Nov 9
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Ill in v8::internal::Isolate::PushStackTraceAndDie

Project Member Reported by ClusterFuzz, Nov 7

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5450342827032576

Fuzzer: lokihardt_jshitter
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x55b8a06aad78
Crash State:
  v8::internal::Isolate::PushStackTraceAndDie
  v8::internal::LookupIterator::GetRootForNonJSReceiver
  v8::internal::LookupIterator::LookupIterator
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=56942:56943

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5450342827032576

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 7

Labels: Test-Predator-Auto-Owner
Owner: verwa...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/4ae6b581b0d55832eed7cfca7e95740368df319f ([parser] Use ScopedPtrList in ParseExpressionCoverGrammar).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by bugdroid1@chromium.org, Nov 8

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5bf9e470f8290dde983797e695e5156374d81962

commit 5bf9e470f8290dde983797e695e5156374d81962
Author: Toon Verwaest <verwaest@chromium.org>
Date: Thu Nov 08 14:42:35 2018

[parser] Fix cover-grammar initializer positions

Since we use a ScopedPtrList to track cover grammar expressions we don't know
the position of the commas anymore. The position of the commas was used to
demark the initializer, which is needed to figure out whether we need hole
checks for variable references. (Typically only references within the
initializer need hole checks for the initialized variable.) Since we didn't
have the comma position, we simply used the position of the first expression as
the position of any subsequent comma, which would make it seem as if the
initializer body wasn't in the initializer. Now instead we simply use the
position of the subsequent parameter as the end of the initializer, which is
close enough.

Bug: chromium:902810
Change-Id: I8d2bc7a2dc9f59db16ce56ccef01e263a18a3b7a
Reviewed-on: https://chromium-review.googlesource.com/c/1326022
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57357}
[modify] https://crrev.com/5bf9e470f8290dde983797e695e5156374d81962/src/parsing/parser.cc
[add] https://crrev.com/5bf9e470f8290dde983797e695e5156374d81962/test/mjsunit/regress/regress-902810.js
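
The hole checks the commit message refers to enforce the temporal dead zone for arrow-function parameters: a default initializer that reads a parameter which is not yet initialized must throw a ReferenceError, and the parser can only decide which references need that check if it knows where each initializer in the `(a = ..., b = ...)` cover grammar ends. The block below is an added example of that expected behaviour, not code from the V8 commit or from the regress-902810.js test; `probe` and the case function names are chosen here.

```javascript
// Added example (not from the V8 commit or the ClusterFuzz report).
// Each case is an arrow function written in "cover grammar" form: the parser
// first sees `(a = ..., b)` as a parenthesized expression list and only later
// learns it is a parameter list. Whether a reference inside one parameter's
// initializer needs a hole (TDZ) check depends on where that initializer ends,
// which is exactly the position information the fix restores.
function probe(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Reference to an earlier parameter: `a` is already initialized, no hole.
function earlierParam() {
  return probe(() => ((a = 1, b = a + 1) => b)());
}

// Self-reference inside the parameter's own initializer: `a` is still in its
// temporal dead zone, so the hole check must fire and throw ReferenceError.
function selfReference() {
  return probe(() => ((a = a) => a)());
}

// Reference to a later parameter: `b` has not been initialized yet when the
// initializer of `a` runs, so this must also throw ReferenceError.
function laterParam() {
  return probe(() => ((a = b, b = 2) => a)());
}

// Same later reference, but the initializer is skipped when an explicit
// argument is supplied, so no hole is ever read.
function laterParamSkipped() {
  return probe(() => ((a = b, b = 2) => a)(7));
}
```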

Project Member

Comment 3 by ClusterFuzz, Nov 9

ClusterFuzz has detected this issue as fixed in range 57356:57357.

Detailed report: https://clusterfuzz.com/testcase?key=5450342827032576

Fuzzer: lokihardt_jshitter
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x55b8a06aad78
Crash State:
  v8::internal::Isolate::PushStackTraceAndDie
  v8::internal::LookupIterator::GetRootForNonJSReceiver
  v8::internal::LookupIterator::LookupIterator
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=56942:56943
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=57356:57357

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5450342827032576

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Nov 9

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5450342827032576 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: lokihardt@google.com
+cc lokihardt@ who is the author of this fuzzer.
