Issue 598651

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Crash in v8::internal::ScavengeVisitor::VisitPointers

Project Member Reported by ClusterFuzz, Mar 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5528671464456192

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000004
Crash State:
  v8::internal::ScavengeVisitor::VisitPointers
  v8::internal::InternalFrame::Iterate
  v8::internal::Isolate::Iterate
  
Regressed: V8: r35072:35073

Minimized Testcase (2.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sOgR_0qg9P7GLxNG1VtuAeA8dqZJMqqf_exjpOuqCkeHCc9lbZDTR2iHaysdSMAaRng5kQVJsMDBCQONlSfk8MvW1_qNcTe91mnkeDsUlLEG-fPBwupVQYuMYWhV3rqNc09iSQ3QFMGivNs0WTM-oSSft6g

Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: findit-wrong Te-Logged
Owner: mlippautz@chromium.org
Suspected CLs: Unable to determine culprit CLs without crash revision and regression information.

Findit did not find any CLs.
From code search on the file 'spaces-inl.h', which is stack frame #1, suspecting the below.
https://codereview.chromium.org/1632913003
mlippautz@ : Could you please take a look into this issue if it's related to your change.
CCed V8-sheriffs as well, as it's related to V8.
Cc: hpayer@chromium.org
Owner: ----
Owner: mlippautz@chromium.org
Status: Started (was: Available)
Clusterfuzz properly identified the culprit, which is the *single* CL [1] in the regression range [2]... 

Basically, we lack smi tags for a mips builtin that triggers a GC through a runtime call. The scavenger tries to iterate over untagged smis, sees a tagged pointer, and crashes.

I notified the mips people on the CL and will keep this bug up to date.

[1]: https://codereview.chromium.org/1694833002
[2]: https://chromium.googlesource.com/v8/v8/+log/ed2b31585e769608948d898cec5da194d585538a..d4a391bb7a7d1cec861f168eeeece1633e633946?pretty=fuller
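As an added illustration (not code from this bug, the CL, or V8 itself), a toy model of the 32-bit tagging scheme the comment above refers to, with a stand-in for the scavenger's pointer visit over one frame's slots. The toy new-space address range and the frame contents are constructed assumptions; the point shown is that a raw, untagged integer left on the stack is indistinguishable from a heap pointer whenever it is odd, while a SmiTag()'d value is always skipped by the GC.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit V8-style tagging as used on mipsel: a Smi is (value << 1) with the
 * low bit clear; a heap object pointer has its low bit set. The scavenger
 * decides by that bit alone, so an untagged integer in a stack slot is
 * treated as a pointer as soon as it happens to be odd. */
typedef uint32_t Object;
enum { kSmiTagSize = 1, kHeapObjectTag = 1 };

static Object SmiTag(int32_t v) { return (Object)v << kSmiTagSize; }
static int32_t SmiUntag(Object o) { return (int32_t)o >> kSmiTagSize; }
static int IsHeapObject(Object o) { return (o & kHeapObjectTag) == kHeapObjectTag; }

/* Constructed toy new-space: only tagged pointers into it are legitimate. */
enum { kNewSpaceLo = 0x10000, kNewSpaceHi = 0x20000 };

/* Stand-in for ScavengeVisitor::VisitPointers over one frame's slots.
 * Returns how many slots it would dereference as heap pointers that do not
 * point into the toy heap; in the real scavenger each one is a wild read. */
static int VisitPointers(const Object *slots, int n) {
  int wild = 0;
  for (int i = 0; i < n; i++) {
    if (!IsHeapObject(slots[i])) continue;      /* Smi: nothing to move */
    Object addr = slots[i] - kHeapObjectTag;     /* strip the tag bit */
    if (addr < kNewSpaceLo || addr >= kNewSpaceHi) {
      printf("slot %d: 0x%08x is not a heap pointer, GC would read it\n",
             i, slots[i]);
      wild++;
    }
  }
  return wild;
}

/* Frame left by a builtin that pushes its raw operand (3) untagged before
 * calling into the runtime: the odd value reads as a heap pointer. */
static int BuggyFrameWildReads(void) {
  Object frame[] = { 0x10011, 0x3, SmiTag(7) };  /* valid ptr, raw int, Smi */
  return VisitPointers(frame, 3);
}

/* Same frame once the operand is SmiTag()'d before it hits the stack
 * (and SmiUntag()'d again after the runtime call returns). */
static int FixedFrameWildReads(void) {
  Object frame[] = { 0x10011, SmiTag(3), SmiTag(7) };
  return VisitPointers(frame, 3);
}
```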
Cc: balazs.k...@imgtec.com akos.pa...@imgtec.com
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6debe59f920dffe40d9e30928022f7b9c5c2d528

commit 6debe59f920dffe40d9e30928022f7b9c5c2d528
Author: balazs.kilvady <balazs.kilvady@imgtec.com>
Date: Wed Mar 30 09:52:46 2016

MIPS: Fix 'MIPS: Support r6 max, min floating point instructions.'

Port d4a391bb7a7d1cec861f168eeeece1633e633946

Add SmiTag()/smiUntag() calls to make values on stack GC-safe.

Original commit message:
Use macro instructions for min, max ops to get the same functionality on
pre-r6 and r6 targets.

BUG= chromium:598651 
LOG=N

Review URL: https://codereview.chromium.org/1842833002

Cr-Commit-Position: refs/heads/master@{#35130}

[modify] https://crrev.com/6debe59f920dffe40d9e30928022f7b9c5c2d528/src/mips/builtins-mips.cc
[modify] https://crrev.com/6debe59f920dffe40d9e30928022f7b9c5c2d528/src/mips64/builtins-mips64.cc

Status: Fixed (was: Started)
Project Member

Comment 8 by ClusterFuzz, Mar 30 2016

ClusterFuzz has detected this issue as fixed in range 35129:35130.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5528671464456192

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000004
Crash State:
  v8::internal::ScavengeVisitor::VisitPointers
  v8::internal::InternalFrame::Iterate
  v8::internal::Isolate::Iterate
  
Regressed: V8: r35072:35073
Fixed: V8: r35129:35130

Minimized Testcase (2.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94sOgR_0qg9P7GLxNG1VtuAeA8dqZJMqqf_exjpOuqCkeHCc9lbZDTR2iHaysdSMAaRng5kQVJsMDBCQONlSfk8MvW1_qNcTe91mnkeDsUlLEG-fPBwupVQYuMYWhV3rqNc09iSQ3QFMGivNs0WTM-oSSft6g

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: pbommana@google.com hablich@chromium.org
Issue 598079 has been merged into this issue.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot