
Issue 621869


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , All
Pri: 1
Type: Bug




heap->AllowedToBeMigrated(object, NEW_SPACE) in scavenger.cc

Project Member Reported by ClusterFuzz, Jun 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6020185320587264

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  heap->AllowedToBeMigrated(object, NEW_SPACE) in scavenger.cc
  

Minimized Testcase (10.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94w6PrSwe3-xGiHzyGBKaCQJYSrZgykOUD7dGQRjXh1oVkblJg_56lOcBbUX-85OCWjZjhQHrxliAGttdADTdVJwzDhMlv7YzYA9j-njdZRD9oxmlqEToMfKTCcVz2h1VYZpxQAgc5gpWCWwnqYJdFmdObxzA?testcase_id=6020185320587264

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, Jun 21 2016

Owner: mlippautz@chromium.org
Status: Assigned (was: Available)
Status: Started (was: Assigned)
Similar to issue 620553, but this one involves only a single Scavenge. Needs the same fix, i.e., filtering out stale handles. Will take a closer look now.
Cc: hpayer@chromium.org cbruni@chromium.org
commit 7a88ff3cc096ecd681e9d10ad0a75c7d3daf027e
tree 1ff0db4c6d9d982027979a58e1367fd3fc56a7f1
parent d4d470326668a69a3d00cae51ae96d375f862d95 [diff]
[heap] Filter out stale left-trimmed handles for scavenges

The missing part from
  https://codereview.chromium.org/2078403002/

R=jochen@chromium.org
BUG=chromium:621869
LOG=N

Review-Url: https://codereview.chromium.org/2077353004
Cr-Commit-Position: refs/heads/master@{#37184}
Status: Fixed (was: Started)
Comment 6 by ClusterFuzz (Project Member), Jun 23 2016

ClusterFuzz has detected this issue as fixed in range 37183:37184.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6020185320587264

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  heap->AllowedToBeMigrated(object, NEW_SPACE) in scavenger.cc
  
Fixed: V8: r37183:37184

Minimized Testcase (10.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94w6PrSwe3-xGiHzyGBKaCQJYSrZgykOUD7dGQRjXh1oVkblJg_56lOcBbUX-85OCWjZjhQHrxliAGttdADTdVJwzDhMlv7YzYA9j-njdZRD9oxmlqEToMfKTCcVz2h1VYZpxQAgc5gpWCWwnqYJdFmdObxzA?testcase_id=6020185320587264

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: OS-All
Comment 8 by bugdroid1@chromium.org (Project Member), Jun 30 2016

Labels: merge-merged-5.2
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f

commit b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f
Author: mlippautz <mlippautz@chromium.org>
Date: Thu Jun 30 12:50:19 2016

Version 5.2.361.32 (cherry-pick)

Merged d800a65967b115c6e1aa6c3ba08861a304383088
Merged 7a88ff3cc096ecd681e9d10ad0a75c7d3daf027e
Merged a7159577b7d092ef6283c51f8bb2c456b0e23a38

[heap] Filter out stale left-trimmed handles
[heap] Filter out stale left-trimmed handles for scavenges
[heap] Iterate handles with special left-trim visitor

BUG=chromium:620553, chromium:620553, chromium:621869
LOG=N
R=hablich@chromium.org, hpayer@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2111133002
Cr-Commit-Position: refs/branch-heads/5.2@{#38}
Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/include/v8-version.h
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/heap/heap.cc
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/heap/heap.h
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/heap/mark-compact.cc
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/heap/scavenger.cc
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/objects-inl.h
[modify] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/src/objects.h
[add] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/test/mjsunit/regress/regress-620553.js
[add] https://crrev.com/b4b9377b674f84d21c12e1d6986c5b1ecffb7b3f/test/mjsunit/regress/regress-621869.js

Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
