
Issue 888299 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Sep 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




CHECK failure: !maybe_skeleton.FromJust().empty() in js-date-time-format.cc

Project Member Reported by ClusterFuzz, Sep 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5662345442099200

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !maybe_skeleton.FromJust().empty() in js-date-time-format.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=55624:55625

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5662345442099200

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Sep 23

Labels: Test-Predator-Auto-Owner
Owner: ftang@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/d7ae63e6f2b5f39b905ce35aee68129af75b5e10 ([Intl] Move toLDMLString & canonicalizeTimeZoneID js->C++).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 23

Labels: Pri-1
Cc: gsat...@chromium.org
Need some help. Not sure how to proceed now:

ftang@ftang4:~$ /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce  5662345442099200
Version: 2.5.0
Path: /usr/local/google/home/ftang/.pex/code/135ac5b377916f0dd13f8139ba9ac334a7d48f4d/clusterfuzz/main.pyc
Reproducing testcase 5662345442099200
Downloading testcase information...
Downloading testcase files...
Running: wget --no-verbose --waitretry=100 --retry-connrefused --content-disposition --header="Authorization: Bearer ya29.GlsiBuVJxy3mj3x-ZBIVfY-orW2iyhOEd3Vv_UTEO3KQnK642WuoT0FvJdjfHigDJQbPPoGlAnoWab3r9KWfvFF0A_p7qLLV_pH0-81jhGPaHjiM92CnKomGpj5z" "https://clusterfuzz.com/v2/testcase-detail/download-testcase?id=5662345442099200"
.
2018-09-24 12:29:37 URL:https://storage.googleapis.com/clusterfuzz-blobs/40622f1c-f287-45d5-ac1f-24c4f5e9d2c5?Expires=1537819176&GoogleAccessId=cluster-fuzz%40appspot.gserviceaccount.com&Signature=qN5j%2B%2B2WNiA5BGHD4wjfFRpnuq%2BAhE8Q%2BLBHc8K4ElmhwrZhc%2FIDsZhcZeDGCo4lNSua1260Oi%2Bz96ZS840GDdtpXSNU3bDAusYiguNtgSjlzYPu9EFvcX2mcsK6TLFXTaDsmUsTX160WTiUzRDiIwHOIwROfVrtVtfdu1Rw2xqmVlKlkLUARh0RCbKs5mpdyCia4jMX0HMSWE6VT8j0hvJMVT2Byk5o4Ur1cqDCHnmKOYRowPulgsqxPLuxHEwrqbd6nJkwZdTH61fB48hCTySO88V%2FSDXYM9ZEBWQb0Et%2Bsxlprvj6mV7UX%2FC3peY91HEe2eV2aizUOTVlWaKHsA%3D%3D&response-content-disposition=attachment%3B+filename%3Dtestcase-5662345442099200-estcases%2Ffuzz-940.js [879/879] -> "fuzz-940.js" [1]

JobTypeNotSupportedError: Unfortunately, the job linux_d8_dbg is not yet supported.If you believe that the crash will occur on Linux as well, please go to https://clusterfuzz.com/v2/upload-testcase?upload=true&testcaseId=5662345442099200 and choose a corresponding Linux job type. Ask us for help at clusterfuzz-dev@chromium.org.

Detailed log of this run can be found in: /usr/local/google/home/ftang/.clusterfuzz/logs/output.log
ftang@ftang4:~$ /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce  -c 5662345442099200
Version: 2.5.0
Path: /usr/local/google/home/ftang/.pex/code/135ac5b377916f0dd13f8139ba9ac334a7d48f4d/clusterfuzz/main.pyc
Reproducing testcase 5662345442099200
Downloading testcase information...
Downloading testcase files...
Running: wget --no-verbose --waitretry=100 --retry-connrefused --content-disposition --header="Authorization: Bearer ya29.GlsiBuVJxy3mj3x-ZBIVfY-orW2iyhOEd3Vv_UTEO3KQnK642WuoT0FvJdjfHigDJQbPPoGlAnoWab3r9KWfvFF0A_p7qLLV_pH0-81jhGPaHjiM92CnKomGpj5z" "https://clusterfuzz.com/v2/testcase-detail/download-testcase?id=5662345442099200"
.
2018-09-24 12:29:47 URL:https://storage.googleapis.com/clusterfuzz-blobs/40622f1c-f287-45d5-ac1f-24c4f5e9d2c5?Expires=1537819186&GoogleAccessId=cluster-fuzz%40appspot.gserviceaccount.com&Signature=X0nnOwznblu0EWvm%2BR5ootKpEYMtI78X736UUaM%2FnBh12UftvsIGsiW37LgGjzXVKqfk0d3aRwPzejLn3%2BCCtBBJHWeZbjOUOPSMfIsTDW72xD5mY7sSQPTOJznZjT3HcplO8JMzC%2B7YyurLiaajBuAKctbbrIs5D7WjEQTQL7GltaqRbb20QdJcJntwZRAl4S%2FNo%2BdjSmob%2BSbgZJ1Lx%2FQytZeuwKATIJn6cRRXYerwrbkqrcWoYHHqX%2BmU3OgTIcXZ0zZHuTGhur5eO11U%2BAEkahDqetBYpL7tOt0Vo1MSdqlqyD7X%2B4BQjnG7hW%2BBFZM%2B9pHKO1NUtgrtZ9gkuw%3D%3D&response-content-disposition=attachment%3B+filename%3Dtestcase-5662345442099200-estcases%2Ffuzz-940.js [879/879] -> "fuzz-940.js" [1]

JobTypeNotSupportedError: Unfortunately, the job linux_d8_dbg is not yet supported.If you believe that the crash will occur on Linux as well, please go to https://clusterfuzz.com/v2/upload-testcase?upload=true&testcaseId=5662345442099200 and choose a corresponding Linux job type. Ask us for help at clusterfuzz-dev@chromium.org.

Detailed log of this run can be found in: /usr/local/google/home/ftang/.clusterfuzz/logs/output.log

I tried to go to https://clusterfuzz.com/v2/upload-testcase?upload=true&testcaseId=5662345442099200 to upload a testcase, but I am not sure I can do that.
Frank, copy the test case into a file and run it with a debug build of d8 using these flags as specified in the report:
--random-seed=680561613 --expose-gc --enable-slow-asserts --invoke-weak-callbacks --omit-quit --disable-in-process-stack-traces --stress-compaction-random

I was able to repro this locally like this:

➜  ./out.gn/x64.debug/d8 --random-seed=680561613 --expose-gc --enable-slow-asserts --invoke-weak-callbacks --omit-quit --disable-in-process-stack-traces --stress-compaction-random _test.js


#
# Fatal error in ../../src/objects/js-date-time-format.cc, line 839
# Check failed: !maybe_skeleton.FromJust().empty().
#
#
#
#FailureMessage Object: 0x7ffee6ec4120
==== C stack trace ===============================

    0   libv8_libbase.dylib                 0x000000010aec4243 v8::base::debug::StackTrace::StackTrace() + 19
    1   libv8_libplatform.dylib             0x000000010aef1e29 v8::platform::(anonymous namespace)::PrintStackTrace() + 41
    2   libv8_libbase.dylib                 0x000000010aeb9d05 V8_Fatal(char const*, int, char const*, ...) + 325
    3   libv8.dylib                         0x000000010979650a v8::internal::JSDateTimeFormat::Initialize(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSDateTimeFormat>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>) + 1594
    4   libv8.dylib                         0x0000000108f4bee0 v8::internal::Builtin_Impl_DateTimeFormatConstructor(v8::internal::BuiltinArguments, v8::internal::Isolate*) + 656
    5   libv8.dylib                         0x0000000108f4ba03 v8::internal::Builtin_DateTimeFormatConstructor(int, v8::internal::Object**, v8::internal::Isolate*) + 115
    6   libv8.dylib                         0x0000000109ffc415 v8_Default_embedded_blob_ + 3605397
[1]    40305 illegal hardware instruction  ./out.gn/x64.optdebug/d8 --random-seed=680561613 --expose-gc   --omit-quit
Labels: Security_Impact-Head
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 25

Labels: Target-71 M-71
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 25

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by bugdroid1@chromium.org, Sep 26

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/93cbb579a64e4a84f09bc1edd3a7922394ba91d8

commit 93cbb579a64e4a84f09bc1edd3a7922394ba91d8
Author: Frank Tang <ftang@chromium.org>
Date: Wed Sep 26 00:24:28 2018

[Intl] Remove incorrect CHECK

The CHECK was introduced in d7ae63e6f2b5f39b905ce35aee68129af75b5e10.

The first time the property gets read by ToDateTimeOptions,
the test causes needsDefault in ToDateTimeOptions
to be false. Then in step 22 of InitializeDateTimeFormat,
it will get all undefined and cause the
skeleton to be an empty string. If we only pass in empty options, the
defaults will be filled by ToDateTimeOptions and won't cause any
CHECK failure.


Bug: chromium:888299
Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng
Change-Id: I3ee14434f0708eaaea78cc8857591152d1bdef8a
Reviewed-on: https://chromium-review.googlesource.com/1241316
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56226}
[modify] https://crrev.com/93cbb579a64e4a84f09bc1edd3a7922394ba91d8/src/objects/js-date-time-format.cc
[add] https://crrev.com/93cbb579a64e4a84f09bc1edd3a7922394ba91d8/test/intl/regress-888299.js

Status: Fixed (was: Assigned)
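The commit message above describes two separate reads of the same user-supplied option properties: ToDateTimeOptions reads them to decide whether defaults are needed, and step 22 of InitializeDateTimeFormat reads them again to build the skeleton. The following is an added, simplified model of those spec steps (not V8's code and not the fuzzer test case); it shows why a skeleton can legitimately end up empty, which is the invariant the removed CHECK wrongly assumed. Property names are used in place of LDML skeleton letters, and `oneShotHourOptions` is a constructed options object whose getter only reports a value on its first read.

```javascript
// Added model of the ECMA-402 steps named in the commit message. Simplified;
// this is illustrative code, not V8's implementation.
const DATE_PROPS = ['weekday', 'year', 'month', 'day'];
const TIME_PROPS = ['hour', 'minute', 'second'];

// ToDateTimeOptions(options, required, defaults): the caller's object becomes
// the prototype of a fresh options object, so every read runs user getters.
function toDateTimeOptions(options, required, defaults) {
  const opts = Object.create(options);
  let needDefaults = true;
  if (required === 'date' || required === 'any') {
    for (const p of DATE_PROPS) if (opts[p] !== undefined) needDefaults = false;
  }
  if (required === 'time' || required === 'any') {
    for (const p of TIME_PROPS) if (opts[p] !== undefined) needDefaults = false;
  }
  // Defaults are created as own data properties (CreateDataPropertyOrThrow).
  const fill = (props) => props.forEach((p) => Object.defineProperty(opts, p,
    { value: 'numeric', writable: true, enumerable: true, configurable: true }));
  if (needDefaults && (defaults === 'date' || defaults === 'all')) fill(['year', 'month', 'day']);
  if (needDefaults && (defaults === 'time' || defaults === 'all')) fill(TIME_PROPS);
  return opts;
}

// Step 22 analogue: read every component again and keep the defined ones.
// A real implementation maps them to LDML letters; names are enough here.
function buildSkeleton(opts) {
  const parts = [];
  for (const p of [...DATE_PROPS, ...TIME_PROPS]) {
    const v = opts[p]; // second read of the property: getters run again
    if (v !== undefined) parts.push(`${p}=${v}`);
  }
  return parts.join(';');
}

// Skeleton for a user options object, with required='any', defaults='date'.
function skeletonFor(userOptions) {
  return buildSkeleton(toDateTimeOptions(userOptions, 'any', 'date'));
}

// Constructed options object: `hour` is defined on the first read only, so
// ToDateTimeOptions skips the defaults and the second pass sees nothing.
function oneShotHourOptions() {
  let reads = 0;
  return { get hour() { return reads++ === 0 ? 'numeric' : undefined; } };
}
```

With empty options the defaults make the skeleton non-empty, while the one-shot getter yields an empty skeleton without violating the spec; an invariant that depends on re-reading attacker-controlled properties cannot be CHECKed.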
Project Member

Comment 11 by ClusterFuzz, Sep 26

ClusterFuzz has detected this issue as fixed in range 56225:56226.

Detailed report: https://clusterfuzz.com/testcase?key=5662345442099200

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !maybe_skeleton.FromJust().empty() in js-date-time-format.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=55624:55625
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=56225:56226

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5662345442099200

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Sep 26

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5662345442099200 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 13 by sheriffbot@chromium.org, Sep 26

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 15 by sheriffbot@chromium.org, Jan 2

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
