TWO_BYTE == state_ in objects.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6746449070260224

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: TWO_BYTE == state_ in objects.h
Sanitizer: address (ASAN)
Regressed: V8: r42245:42246

Minimized Testcase (0.10 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv962AzzgXo2x9MjEXEPKPQcXo4hoEfCF4Z2uc3CI7J7Y36Z600MWfJn-vhcH3ytb6nD2ZzygtkGdK-zI82yYzDL64OIhF7mJRYTFPgBKlEHPsjD1p_u1dO8Sc_jLc8wKOaA4BaUPOz_Oz4cSWyRARM-k5W8J1-lcGb_36G8inPHgK8I-z3CM28GLDNd9g-inwVakRSGQQk74msYjnhy_piULVueKHX-2k5FSiLo7CycGW0FOFk-7kM-8ufmgJ7tPC-zzMR-0VtW_8SuPWu_ogKmLVSrJYewKPQXV-ihXGtrZfxM-M8ZofZCoqmBxIPfDckZshGR9JkJjLqqV8Ba_XxtYfWtzRe0ABS5XREw9gFgp5ujJHcuMGRrITxbkwFIEGRVsG1nDRgr_C7_A2Sm_bexumYM9FA?testcase_id=6746449070260224

v5 = "str";                          // passed as the locale argument below
v12 = new ArrayBuffer();
v43 = new String(v12);               // String wrapper whose value is ToString(v12), i.e. "[object ArrayBuffer]"
v44 = v43.toLocaleLowerCase(v5);     // the call that trips the CHECK in a debug build

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 13 2017
I can reproduce it with just a debug build. My assumption that there are only two cases (Flat.OneByte() and Flat.TwoByte()) is wrong. Hmm, this should have failed even without a recent CL.
Jan 13 2017
I forgot to flatten an input string in some places. A CL is up for review.
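As an added example, written for this thread and not taken from the bug report or from V8's own tests: a small regression-style harness that replays the minimized testcase and then runs toLocaleLowerCase over receivers built through different routes, namely plain primitive strings, concatenations and slices long enough that V8 may hold them in a non-flat representation until flattened (the cases the missing flatten in the comments above would have affected; that reading of the comments is an assumption here, as which internal representation a given construction gets is not observable from JavaScript), and String wrapper objects like the one in the testcase. Each result is compared against the same conversion applied to a freshly rebuilt copy of the receiver's string value, so a representation-dependent difference in a release build shows up as a reported mismatch instead of being visible only as a debug CHECK. The input strings, case names, function names and the locale used for the broader run are constructed for this example.

```javascript
"use strict";

// Case-convert with the locale argument passed through, the way the minimized
// testcase calls it. The receiver may be a primitive string or a String wrapper.
function lowerWithLocale(receiver, locale) {
  return String.prototype.toLocaleLowerCase.call(receiver, locale);
}

// Rebuild a string from its code points. The result is a freshly allocated
// string whose content does not depend on how the input was put together, so
// it serves as the representation-independent reference value.
function flatCopy(s) {
  return String.fromCodePoint(...Array.from(s, c => c.codePointAt(0)));
}

// Constructed inputs (not from the report). The comments state the V8
// representation each construction is intended to exercise; the engine may
// choose differently, and that choice is not observable from script.
function buildInputs() {
  const oneByte = "Hello, World! Mixed CASE ASCII";      // fits in Latin-1
  const twoByte = "Привет, Мир! СМЕШАННЫЙ РЕГИСТР";       // needs 16-bit chars
  return [
    { name: "flat one-byte primitive", value: oneByte },
    { name: "flat two-byte primitive", value: twoByte },
    // Concatenation of two longer strings, which V8 may keep as a ConsString.
    { name: "cons one-byte", value: "The Quick Brown " + "Fox JUMPS Over" },
    { name: "cons two-byte", value: "Привет, " + "МИР и ВСЕЛЕННАЯ" },
    // A substring of a longer parent, which V8 may keep as a SlicedString.
    { name: "sliced one-byte", value: oneByte.slice(1, -1) },
    { name: "sliced two-byte", value: twoByte.slice(1, -1) },
    // The shape from the minimized testcase: a String wrapper around
    // ToString(ArrayBuffer), i.e. "[object ArrayBuffer]".
    { name: "String wrapper of ArrayBuffer", value: new String(new ArrayBuffer()) },
    // A String wrapper whose value comes from a user toString that concatenates.
    {
      name: "String wrapper of custom toString",
      value: new String({ toString() { return "Custom " + "OBJECT Value"; } }),
    },
  ];
}

// Run every input through toLocaleLowerCase and compare with the same
// conversion applied to a flat copy of the receiver's string value.
// Returns the per-case results and the list of mismatches (empty when the
// result is independent of how the receiver was constructed).
function runHarness(locale) {
  const results = {};
  const mismatches = [];
  for (const { name, value } of buildInputs()) {
    const expected = flatCopy(String(value)).toLocaleLowerCase(locale);
    const actual = lowerWithLocale(value, locale);
    results[name] = actual;
    if (actual !== expected) mismatches.push({ name, actual, expected });
  }
  return { results, mismatches };
}

// Replay of the minimized testcase from the report, locale argument included.
// On a debug build from the regressed range this is the line that trips the CHECK.
function replayTestcase() {
  const v5 = "str";
  const v12 = new ArrayBuffer();
  const v43 = new String(v12);
  const v44 = v43.toLocaleLowerCase(v5);
  return v44;
}

const report = runHarness("en");
console.log("replay:", replayTestcase());
console.log("mismatches:", report.mismatches.length, report.mismatches);
```

The harness only checks consistency across constructions, not the correctness of the locale-specific mapping itself; for that, compare against known pairs for the locale in question. Running it under a debug d8 from the regressed range is still the direct way to reproduce the CHECK, since a release build has no such check to fail.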
Jan 14 2017
ClusterFuzz has detected this issue as fixed in range 42342:42343.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6746449070260224

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: TWO_BYTE == state_ in objects.h
Sanitizer: address (ASAN)
Regressed: V8: r42245:42246
Fixed: V8: r42342:42343

Minimized Testcase (0.10 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv962AzzgXo2x9MjEXEPKPQcXo4hoEfCF4Z2uc3CI7J7Y36Z600MWfJn-vhcH3ytb6nD2ZzygtkGdK-zI82yYzDL64OIhF7mJRYTFPgBKlEHPsjD1p_u1dO8Sc_jLc8wKOaA4BaUPOz_Oz4cSWyRARM-k5W8J1-lcGb_36G8inPHgK8I-z3CM28GLDNd9g-inwVakRSGQQk74msYjnhy_piULVueKHX-2k5FSiLo7CycGW0FOFk-7kM-8ufmgJ7tPC-zzMR-0VtW_8SuPWu_ogKmLVSrJYewKPQXV-ihXGtrZfxM-M8ZofZCoqmBxIPfDckZshGR9JkJjLqqV8Ba_XxtYfWtzRe0ABS5XREw9gFgp5ujJHcuMGRrITxbkwFIEGRVsG1nDRgr_C7_A2Sm_bexumYM9FA?testcase_id=6746449070260224

v5 = "str";
v12 = new ArrayBuffer();
v43 = new String(v12);
v44 = v43.toLocaleLowerCase(v5);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 14 2017
ClusterFuzz testcase 6746449070260224 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ishell@chromium.org, Jan 12 2017
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)