CHECK failure: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5703279089287168

Fuzzer: v8_builtins_generator
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=55626:55627

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5703279089287168

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Sep 5
Automatically adding ccs based on suspected regression changelists:

[intl] Port BreakIterator to C++ by usharma1998@gmail.com - https://chromium.googlesource.com/v8/v8/+/f2d07ec516fc069e93df4b2983cbd112a8ade3e9

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

Sep 5
This crash occurs very frequently on mac platform and is likely preventing the fuzzer v8_builtins_generator from making much progress. Fixing this will allow more bugs to be found. Marking this bug as a blocker for next Beta release. If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Sep 5
Assigning this issue to reviewer since it cannot be assigned to author.
Sep 5
This is fixed as of https://chromium-review.googlesource.com/c/v8/v8/+/1207579
Sep 5
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/16f8417b66c05d9713045bebd67e92df84cbe1f4

commit 16f8417b66c05d9713045bebd67e92df84cbe1f4
Author: Sathya Gunasekaran <gsathya@chromium.org>
Date: Wed Sep 05 20:49:21 2018

[Intl] Convert options to an object in v8BreakIterator

Previously in the JS implementation, this would throw (on property
access) but this new behavior is more in line with how all the other
intl objects work.

Bug: v8:5751, chromium:880697
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I0bd073b2a0a6fc1eacd686083d8f1a72252cea53
Reviewed-on: https://chromium-review.googlesource.com/1207579
Commit-Queue: Sathya Gunasekaran <gsathya@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55664}

[modify] https://crrev.com/16f8417b66c05d9713045bebd67e92df84cbe1f4/src/objects/js-break-iterator.cc
[add] https://crrev.com/16f8417b66c05d9713045bebd67e92df84cbe1f4/test/intl/break-iterator/options.js

Sep 6
ClusterFuzz has detected this issue as fixed in range 55663:55664.

Detailed report: https://clusterfuzz.com/testcase?key=5703279089287168

Fuzzer: v8_builtins_generator
Job Type: mac_asan_d8_dbg
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=55626:55627
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8_dbg&range=55663:55664

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5703279089287168

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 6
ClusterFuzz testcase 5703279089287168 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 13
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Sep 5