
Issue 797846


Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug


Null-dereference READ in v8::Shell::CreateRealm

Project Member Reported by ClusterFuzz, Dec 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6195446669377536

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::Shell::CreateRealm
  v8::Shell::RealmCreateAllowCrossRealmAccess
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=50309:50310

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195446669377536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 28 2017

Labels: Test-Predator-Auto-Owner
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/13485a69913e27bd5e5915c52a383481774dff73 ([test] Add basic test-runner system tests).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Cc: machenb...@chromium.org
Labels: Test-Predator-Wrong-CLs
Owner: ----
Status: Untriaged (was: Assigned)
Regression range detection went wrong. Will restart it - assume it's a bit flaky?
EstimatedDays: 2
EstimatedDays: 0
NextAction: 2017-12-30
Cc: clemensh@chromium.org
Components: Blink>JavaScript>WebAssembly
EstimatedDays: ----
NextAction: ----
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Bisects to wasm async compilation now, and the testcase includes wasm compilation. Did not verify locally, please put back to triaging queue if this is wrong.

Comment 6 by ahaas@chromium.org, Jan 8 2018

Status: Started (was: Assigned)

Comment 7 by ahaas@chromium.org, Jan 9 2018

Labels: -Pri-1 Pri-3
This is an issue in d8, most likely without any implications on any other embedder.

Comment 8 by ahaas@chromium.org, Jan 9 2018

Status: Fixed (was: Started)
Project Member

Comment 9 by bugdroid1@chromium.org, Jan 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1016e6257d240531feb3b211b5626c401926df4f

commit 1016e6257d240531feb3b211b5626c401926df4f
Author: Andreas Haas <ahaas@chromium.org>
Date: Tue Jan 09 13:51:41 2018

[d8] Run the message loop in the same RealmScope as the script

In d8 a script is executed in a RealmScope. However, all micro tasks
which are created by the script are not executed within the RealmScope
at the moment. With this CL I move the execution of the micro tasks into
the RealmScope.

I thought about creating a new RealmScope for the micro tasks, but
(1) It did not fix the crashing repro;
(2) It seems wrong that the micro tasks are executed in a different
    realm than the script;

Therefore I just moved the execution of the micro tasks into the
RealmScope of the script.

Thereby I also moved the execution of the tasks into the Context::Scope of the
script. The problem is that the Context::Scope surrounds the RealmScope,
and when I try to open the RealmScope before the Context::Scope, not even
the execution of the script works anymore.

R=yangguo@chromium.org

Bug: chromium:797846
Change-Id: If152af282beec8f0b0564dcc9682fee8588e142c
Reviewed-on: https://chromium-review.googlesource.com/856497
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50442}
[modify] https://crrev.com/1016e6257d240531feb3b211b5626c401926df4f/src/d8.cc
[add] https://crrev.com/1016e6257d240531feb3b211b5626c401926df4f/test/mjsunit/regress/wasm/regress-797846.js
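As an added illustration, and not d8's code nor the regression test from the CL above: a simplified C++ model of the ordering defect the commit message describes, where microtasks created by the script ran after the RAII RealmScope had already been torn down. The names RealmScope, CreateRealm, RunScript and RunMicrotasks are stand-ins for d8's, and the realm counter is constructed for the example.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Simplified model (not d8's code): a realm pointer that is only valid while a
// RealmScope is alive, and a microtask queue that the script fills.
struct Realm { int id; int realms_created = 0; };

static Realm* g_current_realm = nullptr;        // stands in for d8's per-scope realm data
static std::vector<std::function<void()>> g_microtasks;

struct RealmScope {                              // RAII, like d8's RealmScope
  Realm realm{1};
  RealmScope() { g_current_realm = &realm; }
  ~RealmScope() { g_current_realm = nullptr; }
};

// Stand-in for Shell::CreateRealm: reads through the scope-owned realm pointer.
// The real callback read it unchecked; here a missing scope is reported as -1.
int CreateRealm() {
  if (g_current_realm == nullptr) return -1;     // this is where the null-dereference READ occurred
  return ++g_current_realm->realms_created;
}

// The "script": its async work (e.g. a promise resolved after wasm compilation)
// only reaches Realm.createAllowCrossRealmAccess from a microtask.
void RunScript(int* result) {
  g_microtasks.push_back([result] { *result = CreateRealm(); });
}

void RunMicrotasks() {
  auto tasks = std::move(g_microtasks);
  g_microtasks.clear();
  for (auto& t : tasks) t();
}

// Before the fix: the microtasks run after the RealmScope has been destroyed.
int ExecuteBeforeFix() {
  int result = 0;
  { RealmScope scope; RunScript(&result); }
  RunMicrotasks();                               // realm pointer already reset -> -1
  return result;
}

// After the fix (commit 1016e625): microtasks drain inside the same RealmScope.
int ExecuteAfterFix() {
  int result = 0;
  { RealmScope scope; RunScript(&result); RunMicrotasks(); }
  return result;                                 // realm still alive -> 1
}
```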

Project Member

Comment 10 by ClusterFuzz, Jan 16 2018

Labels: Needs-Feedback
ClusterFuzz testcase 6195446669377536 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Project Member

Comment 11 by ClusterFuzz, Jan 16 2018

ClusterFuzz has detected this issue as fixed in range 50441:50442.

Detailed report: https://clusterfuzz.com/testcase?key=6195446669377536

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::Shell::CreateRealm
  v8::Shell::RealmCreateAllowCrossRealmAccess
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=49424:49425
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=50441:50442

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6195446669377536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Jan 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6195446669377536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
