to_remove != current_page_ in spaces.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5645048280776704

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  to_remove != current_page_ in spaces.cc

Minimized Testcase (0.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv973D-gzyxrktronuiPuiaybLIQzY9VTibxA60a8orQR5Uh-b607Gya5G50tc_cJpfO6m9OHJG13M1IStYcO85J0nMyD7mcbvvj2a5CniptgRfaIIfqfdBp5ZVva1NRQf6d5Z7vr3M3fdh-5HprE-LEbsBbdIA

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2263ee9bf4e5aa341cbac547add68a2105963477

commit 2263ee9bf4e5aa341cbac547add68a2105963477
Author: mlippautz <mlippautz@chromium.org>
Date: Thu Jun 16 16:52:45 2016

Revert of [heap] Add page evacuation mode for new->new (patchset #18 id:440001 of https://codereview.chromium.org/1957323003/ )

Reason for revert:
Fragmentation of LABs could result in increasing memory usage (pages) instead of shrinking.

BUG= chromium:620320
LOG=N

Original issue's description:
> [heap] Add page evacuation mode for new->new
>
> Adds an evacuation mode that allows moving pages within new space without
> copying objects.
>
> Basic idea:
> a) Move page within new space
> b) Sweep page to make iterable and process ArrayBuffers
> c) Finish sweep till next scavenge
>
> Threshold is currently 70% live bytes, i.e., the same threshold we use
> to determine fragmented pages.
>
> BUG=chromium:581412
> LOG=N
> CQ_EXTRA_TRYBOTS=tryserver.v8:v8_linux_arm64_gc_stress_dbg,v8_linux_gc_stress_dbg,v8_mac_gc_stress_dbg,v8_linux64_tsan_rel,v8_mac64_asan_rel
>
> Committed: https://crrev.com/49b23201671b25092a3c22eb85783f39b95a5f87
> Cr-Commit-Position: refs/heads/master@{#36990}

TBR=ulan@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:581412

Review-Url: https://codereview.chromium.org/2063013005
Cr-Commit-Position: refs/heads/master@{#37042}

[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/src/heap/heap.cc
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/src/heap/mark-compact.cc
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/src/heap/mark-compact.h
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/src/heap/spaces.cc
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/src/heap/spaces.h
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/test/cctest/cctest.gyp
[modify] https://crrev.com/2263ee9bf4e5aa341cbac547add68a2105963477/test/cctest/heap/test-heap.cc
[delete] https://crrev.com/b60da28cedb011e0e66468cfe18f24ef7c21dbe3/test/cctest/heap/test-page-promotion.cc
Jun 17 2016
Has been reverted. The reland will (hopefully ;)) not have this problem.
Jun 22 2016
ClusterFuzz has detected this issue as fixed in range 37041:37042.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5645048280776704

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  to_remove != current_page_ in spaces.cc

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=35719:35720
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=37041:37042

Minimized Testcase (0.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv973D-gzyxrktronuiPuiaybLIQzY9VTibxA60a8orQR5Uh-b607Gya5G50tc_cJpfO6m9OHJG13M1IStYcO85J0nMyD7mcbvvj2a5CniptgRfaIIfqfdBp5ZVva1NRQf6d5Z7vr3M3fdh-5HprE-LEbsBbdIA?testcase_id=5645048280776704

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 23 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 16 2016

Owner: hpayer@chromium.org
Status: Assigned (was: Available)