Issue 622351: Bad-cast to v8::internal::PagedSpace from v8::internal::SemiSpace
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5178929405231104

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000000ccc0e0
Crash State:
  Bad-cast to v8::internal::PagedSpace from v8::internal::SemiSpace

Recommended Security Severity: High

Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95TTKVVXu3RjqLe3l7KWbGbmFdcLid1qakcLAUxFDFRTymsSTatwx2plXj8O_Kl8WM7ftmeHqAhNoMg4n89lrruf7fDL99ttELQuq86TIXKIt-bCjzSKEj8V3hSOtCeW3mXHv3UW1trE511nxbEQwJaAk1B6Q?testcase_id=5178929405231104

var __v_24 = {};
gc();
try {
  __v_2 = [];
  __f_0();
} catch(e) {; }
__v_9 = [ 4294967295];
for (var __v_2 in __v_9) {
  for (var __v_7 = 0; __v_7 < 4294967296; __v_7 += 3999773) { }
}
var __f_1 = (function() { return {__f_1: __f_1}; })().__f_1;
for (var __v_28 = 0; __v_28 < 4294967296; __v_24 += 3999773) { }

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
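What the "Bad-cast" crash type above means, as an added C++ example that is not V8 code and not this bug's fix: a CFI build (the linux_cfi_d8 job) aborts when a base pointer is downcast to a derived type the object is not, which is otherwise silent type confusion. The class names echo the crash state, but the hierarchy, the `kind` tag, `CheckedAsPaged` and the `SweepPagedSpaces` stand-in are simplified assumptions made for illustration, not V8's real types or its sweeper.

```cpp
// Added example (not V8 code). Class names echo the crash state above; the
// hierarchy, the `kind` tag and the sweeper stand-in are simplified assumptions.
#include <cstddef>
#include <vector>

enum class SpaceKind { kPaged, kSemi };

struct Space {
  explicit Space(SpaceKind k) : kind(k) {}
  virtual ~Space() = default;
  SpaceKind kind;
};

struct PagedSpace : Space {
  PagedSpace() : Space(SpaceKind::kPaged) {}
  std::size_t pages_swept = 0;  // state only a PagedSpace has
};

struct SemiSpace : Space {
  SemiSpace() : Space(SpaceKind::kSemi) {}
};

// Unchecked downcast: the pattern clang's -fsanitize=cfi-derived-cast aborts on
// when `space` is really a SemiSpace. Without CFI the cast silently "succeeds"
// and later accesses to PagedSpace fields read and write memory of the wrong type.
PagedSpace* UncheckedAsPaged(Space* space) {
  return static_cast<PagedSpace*>(space);
}

// Checked downcast: consult the identity tag and fail closed with nullptr.
PagedSpace* CheckedAsPaged(Space* space) {
  if (space == nullptr || space->kind != SpaceKind::kPaged) return nullptr;
  return static_cast<PagedSpace*>(space);
}

// Stand-in for a sweeper pass over a mixed list of spaces: only paged spaces
// are swept, semi-spaces are skipped. Returns the number of spaces swept.
int SweepPagedSpaces(const std::vector<Space*>& spaces) {
  int swept = 0;
  for (Space* s : spaces) {
    PagedSpace* paged = CheckedAsPaged(s);
    if (paged == nullptr) continue;  // a SemiSpace would have been a bad-cast here
    ++paged->pages_swept;
    ++swept;
  }
  return swept;
}

// Self-check on constructed input: one SemiSpace (listed twice) and one PagedSpace.
// Returns true when the checked cast rejects the SemiSpace, accepts the PagedSpace,
// and the sweep touches exactly the one PagedSpace.
bool DemoCheckedCastRejectsSemiSpace() {
  SemiSpace semi;
  PagedSpace paged;
  std::vector<Space*> spaces = {&semi, &paged, &semi};
  int swept = SweepPagedSpaces(spaces);
  return CheckedAsPaged(&semi) == nullptr &&
         CheckedAsPaged(&paged) == &paged &&
         swept == 1 && paged.pages_swept == 1;
}
```

Building the unchecked path with clang's `-fsanitize=cfi-derived-cast` (which needs `-flto` and `-fvisibility=hidden`) and handing `UncheckedAsPaged` a `SemiSpace` trips the CFI check at runtime, which is the class of failure ClusterFuzz reports as "Bad-cast to ... from ..."; the checked variant turns the same mistake into a skipped element instead.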
Comment (Jun 23 2016):
The FATAL is already fixed by 21b55c4aa5fd47da0ef3802c88f6da41690b7d1f. Fixing the bad-cast issue now.
Comment (Jun 23 2016):
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2658eb2af53b776ac18bebfc466803b743b77604

commit 2658eb2af53b776ac18bebfc466803b743b77604
Author: mlippautz <mlippautz@chromium.org>
Date: Thu Jun 23 09:08:22 2016

[heap] Fix bad-cast in Sweeper

BUG= chromium:622351
LOG=N
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2097453002
Cr-Commit-Position: refs/heads/master@{#37209}

[modify] https://crrev.com/2658eb2af53b776ac18bebfc466803b743b77604/src/heap/mark-compact.cc
Comment (Jun 23 2016):
ClusterFuzz has detected this issue as fixed in range 401244:401272.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5178929405231104

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000000ccc0e0
Crash State:
  Bad-cast to v8::internal::PagedSpace from v8::internal::SemiSpace

Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_d8&range=401244:401272

Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95TTKVVXu3RjqLe3l7KWbGbmFdcLid1qakcLAUxFDFRTymsSTatwx2plXj8O_Kl8WM7ftmeHqAhNoMg4n89lrruf7fDL99ttELQuq86TIXKIt-bCjzSKEj8V3hSOtCeW3mXHv3UW1trE511nxbEQwJaAk1B6Q?testcase_id=5178929405231104
(same testcase as in the issue description above)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment (Jun 23 2016):
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Comment (Sep 29 2016):
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jun 23 2016:
Owner: mlippautz@chromium.org
Status: Assigned (was: Available)