This crash occurs very frequently on android and windows platforms and is likely preventing the fuzzer ochang_js_fuzzer_win from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

CF points to c9525de5727ec353dbf9621d10cac765a6dff4b5. PTAL

M70 already branched, and this bug is marked as RBB. Can we have the latest update on this issue?

Thanks for the ping, this totally slipped through. Fix in review:
https://chromium-review.googlesource.com/c/v8/v8/+/1199910

I'll merge it back to M70 after we get some coverage.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/992a4f61edf54e78668bd445a5875166d8289691

commit 992a4f61edf54e78668bd445a5875166d8289691
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Fri Aug 31 23:56:33 2018

[Intl] Convert options arg to Object before processing it

This makes us spec compliant.

Bug:  chromium:875643 
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I489870495fe1d326991c99f0551fe3329268c984
Reviewed-on: https://chromium-review.googlesource.com/1199910
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55567}
[modify] https://crrev.com/992a4f61edf54e78668bd445a5875166d8289691/src/js/intl.js
[add] https://crrev.com/992a4f61edf54e78668bd445a5875166d8289691/test/intl/number-format/options.js
[add] https://crrev.com/992a4f61edf54e78668bd445a5875166d8289691/test/intl/regress-875643.js

ClusterFuzz has detected this issue as fixed in range 55566:55567.

Detailed report: https://clusterfuzz.com/testcase?key=4760919218061312

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address: 
Crash State:
  
  v8::platform::PrintStackTrace
  v8::internal::Runtime_GetNumberOption
  v8::internal::Snapshot::DefaultSnapshotBlob
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=54793:54794
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=55566:55567

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4760919218061312

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4760919218061312 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

[Auto-generated comment by a script] We noticed that this issue is targeted for M-70; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-70 label, otherwise remove Merge-TBD label. Thanks.

The NextAction date has arrived: 2018-09-05

As per https://chromiumdash.appspot.com/commit/992a4f61edf54e78668bd445a5875166d8289691, we've got two days of canary coverage. This is a pretty simple fix and I'd like to backmerge it soon.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/192bc71a9fb897afad921a74377c0f0cd16f3f05

commit 192bc71a9fb897afad921a74377c0f0cd16f3f05
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Mon Sep 10 17:31:00 2018

Merged: [Intl] Convert options arg to Object before processing it

Revision: 992a4f61edf54e78668bd445a5875166d8289691

BUG= chromium:875643 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I7af842bec360f8a7e09748f4210f78d0546e4f91
Reviewed-on: https://chromium-review.googlesource.com/1216783
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/7.0@{#15}
Cr-Branched-From: 6e2adae6f7f8e891cfd01f3280482b20590427a6-refs/heads/7.0.276@{#1}
Cr-Branched-From: bc08a8624cbbea7a2d30071472bc73ad9544eadf-refs/heads/master@{#55424}
[modify] https://crrev.com/192bc71a9fb897afad921a74377c0f0cd16f3f05/src/js/intl.js
[add] https://crrev.com/192bc71a9fb897afad921a74377c0f0cd16f3f05/test/intl/number-format/options.js
[add] https://crrev.com/192bc71a9fb897afad921a74377c0f0cd16f3f05/test/intl/regress-875643.js