Looks like a missed write barrier in generated code.
[6930:0x28f4b10] Added black page 0x59fef700000
Hardware watchpoint 1: *0x59fef704868

Old value = -1095909649
New value = -1940787783
0x0000338347221e17 in ?? ()
(gdb) bt
#0  0x0000338347221e17 in ?? ()
#1  0xbeefdeadbeefdeef in ?? ()
#2  0xbeefdeadbeefdeef in ?? ()
#3  0x000018c300000000 in ?? ()
#4  0x00003f417a2b18f9 in ?? ()
....


...
0x338347221e09  2825  49bab9ed518c18070000 REX.W movq r10,0x7188c51edb9    ;; object: 0x7188c51edb9 <String[13]: , "field2" : >
0x338347221e13  2835  4c89511f       REX.W movq [rcx+0x1f],r10
0x338347221e17  2839  e903000000     jmp 2847  (0x338347221e1f)
...

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5085273813155840

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
  
Regressed: V8: r34761:34762

Minimized Testcase (6.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bxYi0NHeVy1c14uwTwmFTTOpx-CURELGT_Sh1Y3k-oyze97nBLp0UwLtPfWq7qqHOdPF7qmw1pXz_jnx4HNwtLkjVJruqN_Dpgu0ttrK6Ic0EOlKQZkizEL0EF4ur2zV8pf8rZMgA3Ji2ckFDNK3ovMxM5g

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

$1 = void
(gdb) job 0x59fef73d031
#, "field2" : $2 = void
(gdb) x/10xg 0x59fef73d030
0x59fef73d030:	0x00002ca76d004261	0x0000000008c4bc7e
0x59fef73d040:	0x0000000d00000000	0x646c65696622202c
0x59fef73d050:	0xdeadbe203a202232	0x00002ca76d004261
0x59fef73d060:	0x00000000c75e94ca	0x0000000200000000
0x59fef73d070:	0xdeadbeedbead5d7d	0x00002ca76d004209
(gdb) job 0x00002ca76d004261
0x2ca76d004261: [Map]
 - type: ONE_BYTE_INTERNALIZED_STRING_TYPE
 - instance size: 0
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - stable_map
 - back pointer: 0x3f417a204201 <undefined>
 - instance descriptors (own) #0: 0x3f417a204131 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0x3f417a204101 <null>
 - constructor: 0x3f417a204101 <null>
 - code cache: 0x3f417a204141 <FixedArray[0]>
 - dependent code: 0x3f417a204141 <FixedArray[0]>
 - construction counter: 0

Addresses changed in #6
0x338347221e09  2825  49ba31d073ef9f050000 REX.W movq r10,0x59fef73d031    ;; object: 0x59fef73d031 <String[13]: , "field2" : >
0x338347221e13  2835  4c89511f       REX.W movq [rcx+0x1f],r10

x/10xg 0x726a9104848
0x726a9104848:	0x00002ca76d005021	0xdeadbeed00000003
0x726a9104858:	0x0000001e00000000	0x00000726a9104821
0x726a9104868:	0x0000059fef73d031	0xdeadbeedbeadbeef
0x726a9104878:	0xdeadbeedbeadbeef	0xdeadbeedbeadbeef
0x726a9104888:	0xdeadbeedbeadbeef	0xdeadbeedbeadbeef
(gdb) job 0x00002ca76d005021
0x2ca76d005021: [Map]
 - type: CONS_ONE_BYTE_STRING_TYPE
 - instance size: 40
 - elements kind: FAST_HOLEY_ELEMENTS
 - unused property fields: 0
 - enum length: invalid
 - back pointer: 0x3f417a204201 <undefined>
 - instance descriptors (own) #0: 0x3f417a204131 <FixedArray[0]>
 - layout descriptor: 0
 - prototype: 0x3f417a204101 <null>
 - constructor: 0x3f417a204101 <null>
 - code cache: 0x3f417a204141 <FixedArray[0]>
 - dependent code: 0x3f417a204141 <FixedArray[0]>
 - construction counter: 0
$6 = void

0x726a9104849 is a CONS_ONE_BYTE_STRING_TYPE and lives on a black page. Write 0x0000059fef73d031 does not come with a write barrier in generated code.

0x726a9104849 is on a black page but crankshaft write barrier elimination decides to not emit write barriers because storing value is a cons strings. The cons string is on an evacuation candidate, slot does not get recorded, and we do not update the value after compaction.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ddb9707db95a98a63db223c6c3c4e860cb30e250

commit ddb9707db95a98a63db223c6c3c4e860cb30e250
Author: hpayer <hpayer@chromium.org>
Date: Wed Mar 16 14:39:35 2016

Emit write barrier for old space constants.

Tenured objects allocated on black pages require write barriers.
BUG= chromium:594958 
LOG=n

Review URL: https://codereview.chromium.org/1811473002

Cr-Commit-Position: refs/heads/master@{#34818}

[modify] https://crrev.com/ddb9707db95a98a63db223c6c3c4e860cb30e250/src/crankshaft/hydrogen-instructions.h

ClusterFuzz has detected this issue as fixed in range 34804:34805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5085273813155840

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
  
Regressed: V8: r34761:34762
Fixed: V8: r34804:34805

Minimized Testcase (6.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bxYi0NHeVy1c14uwTwmFTTOpx-CURELGT_Sh1Y3k-oyze97nBLp0UwLtPfWq7qqHOdPF7qmw1pXz_jnx4HNwtLkjVJruqN_Dpgu0ttrK6Ic0EOlKQZkizEL0EF4ur2zV8pf8rZMgA3Ji2ckFDNK3ovMxM5g

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 34804:34805.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5307162661748736

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0xcc800004
Crash State:
  v8::internal::MarkCompactMarkingVisitor::MarkObjectByPointer
  v8::internal::FixedBodyVisitor<v8::internal::MarkCompactMarkingVisitor, v8::inte
  v8::internal::MarkCompactCollector::EmptyMarkingDeque
  
Regressed: V8: r34761:34762
Fixed: V8: r34804:34805

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94CHZOTkcMgXd7E-R_bremHLPA8V2D02Rs4OGAeXvb518jDMI8oy124uyUYLI82k2PlffNBxy6dbPlzwD-dCjor6tvfYds13CdYN5UDkar_xjnxOmkfTkw4cJCt9c_6Tzwpll1TysAniSRF2kyjIim3Wleoz47mG7VgjC5IUCB4U_DQUIA


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

According to CF, regressed and fixed on trunk. No merge required.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot