
Issue 625748


Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Crash in void v8::internal::LocalArrayBufferTracker::Free<

Project Member Reported by ClusterFuzz, Jul 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6253279818547200

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Regressed: V8: r37501:37502

Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YixbY4LoWT09FPAWKbN4A5OMEPmg37qjCfB4lLJQfjxmluzplYFawGTTQjJd2aWOSHZRLIVzZnXbhQeI3yn7BPGGwgsCnbBtjNBN-kMtIhv8C6dleNDGMIfmxb4Guz606Z2Z_57mWlFk5M94cYO2-tyb2hQ?testcase_id=6253279818547200

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Reproduces on x64.debug on 187f86c589dc97fb1e794edf9d4c0e20af20389b (once out of ten runs).

(gdb) bt
#0  v8::base::OS::Abort () at ../src/base/platform/platform-posix.cc:240
#1  0x0000000001a985d8 in V8_Fatal (file=0x1d78316 "../src/heap/mark-compact.cc", line=3697, 
    format=0x1d33658 "Check failed: %s.") at ../src/base/logging.cc:116
#2  0x00000000012b3939 in v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::CheckAndUpdateOldToNewSlot (
    heap=0x225f1b0, slot_address=0x2d100d64b5b8 '\314' <repeats 199 times>, <incomplete sequence \314>...)
    at ../src/heap/mark-compact.cc:3697
#3  0x00000000012b38a0 in v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers(v8::internal::Heap*, v8::internal::MemoryChunk*)::{lambda(unsigned char*)#1}::operator()(unsigned char*) const (this=0x7fffffffc160, 
    slot=0x2d100d64b5b8 '\314' <repeats 199 times>, <incomplete sequence \314>...) at ../src/heap/mark-compact.cc:3661
#4  0x00000000012b37da in v8::internal::SlotSet::Iterate<v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers(v8::internal::Heap*, v8::internal::MemoryChunk*)::{lambda(unsigned char*)#1}>(v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers(v8::internal::Heap*, v8::internal::MemoryChunk*)::{lambda(unsigned char*)#1}) (this=0x22a52c8, callback=...) at .././src/heap/slot-set.h:152
#5  0x00000000012b36a3 in v8::internal::RememberedSet<(v8::internal::PointerDirection)1>::Iterate<v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers(v8::internal::Heap*, v8::internal::MemoryChunk*)::{lambda(unsigned char*)#1}>(v8::internal::MemoryChunk*, v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers(v8::internal::Heap*, v8::internal::MemoryChunk*)::{lambda(unsigned char*)#1}) (chunk=0x2d100d600000, callback=...)
    at .././src/heap/remembered-set.h:119
#6  0x00000000012b35b1 in v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::UpdateUntypedPointers (
    heap=0x225f1b0, chunk=0x2d100d600000) at ../src/heap/mark-compact.cc:3660
#7  0x00000000012b3523 in v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1>::ProcessPageInParallel (
    heap=0x225f1b0, chunk=0x2d100d600000) at ../src/heap/mark-compact.cc:3649
#8  0x00000000012b33d0 in v8::internal::PageParallelJob<v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1> >::Task::RunInternal (this=0x22b49a0) at .././src/heap/page-parallel-job.h:160
#9  0x000000000123a719 in v8::internal::CancelableTask::Run (this=0x22b49a0) at .././src/cancelable-task.h:130
#10 0x00000000012b3002 in v8::internal::PageParallelJob<v8::internal::PointerUpdateJobTraits<(v8::internal::PointerDirection)1> >::Run<void v8::internal::UpdatePointersInParallel<(v8::internal::PointerDirection)1>(v8::internal::Heap*, v8::base::Semaphore*)::{lambda(int)#1}>(int, void v8::internal::UpdatePointersInParallel<(v8::internal::PointerDirection)1>(v8::internal::Heap*, v8::base::Semaphore*)::{lambda(int)#1}) (this=0x7fffffffc3b8, num_tasks=1, per_task_data_callback=...)
    at .././src/heap/page-parallel-job.h:102
#11 0x0000000001298775 in v8::internal::UpdatePointersInParallel<(v8::internal::PointerDirection)1> (heap=0x225f1b0, 
    semaphore=0x2298c58) at ../src/heap/mark-compact.cc:3742
#12 0x00000000012978fd in v8::internal::MarkCompactCollector::UpdatePointersAfterEvacuation (this=0x2298c50)
    at ../src/heap/mark-compact.cc:3819
#13 0x000000000128b936 in v8::internal::MarkCompactCollector::EvacuateNewSpaceAndCandidates (this=0x2298c50)
    at ../src/heap/mark-compact.cc:3590
#14 0x0000000001289869 in v8::internal::MarkCompactCollector::CollectGarbage (this=0x2298c50)
    at ../src/heap/mark-compact.cc:349
#15 0x000000000124841a in v8::internal::Heap::MarkCompact (this=0x225f1b0) at ../src/heap/heap.cc:1425
#16 0x0000000001246d42 in v8::internal::Heap::PerformGarbageCollection (this=0x225f1b0, 
    collector=v8::internal::MARK_COMPACTOR, gc_callback_flags=v8::kGCCallbackFlagCollectAllAvailableGarbage)
    at ../src/heap/heap.cc:1302
#17 0x00000000012461f6 in v8::internal::Heap::CollectGarbage (this=0x225f1b0, collector=v8::internal::MARK_COMPACTOR, 
    gc_reason=0x1d39a16 "low memory notification", collector_reason=0x0, 
    gc_callback_flags=v8::kGCCallbackFlagCollectAllAvailableGarbage) at ../src/heap/heap.cc:1008
#18 0x0000000001245dff in v8::internal::Heap::CollectAllAvailableGarbage (this=0x225f1b0, 
    gc_reason=0x1d39a16 "low memory notification") at ../src/heap/heap.cc:899
#19 0x0000000000df99ca in v8::Isolate::LowMemoryNotification (this=0x225f190) at ../src/api.cc:7779
#20 0x0000000000d8c210 in v8::Shell::CollectGarbage (isolate=0x225f190) at ../src/d8.cc:2081
#21 0x0000000000d8ec2d in v8::Shell::RunMain (isolate=0x225f190, argc=9, argv=0x7fffffffd1f8, last_run=true)
    at ../src/d8.cc:2055
#22 0x0000000000d8fd74 in v8::Shell::Main (argc=9, argv=0x7fffffffd1f8) at ../src/d8.cc:2516
#23 0x0000000000d96b82 in main (argc=9, argv=0x7fffffffd1f8) at ../src/d8.cc:2561

Cc: hpayer@chromium.org u...@chromium.org
Owner: mlippautz@chromium.org
Status: Assigned (was: Available)

Comment 3 Deleted

Status: Fixed (was: Assigned)
Status: Assigned (was: Fixed)
Let me reopen that, as the trace might actually point to another bug. Investigating.

Comment 6 Deleted

Components: -Blink>JavaScript Blink>JavaScript>GC
Labels: -OS-Linux OS-All
Status: Started (was: Assigned)
Comment 8 by bugdroid1@chromium.org (Project Member), Jul 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9a4132aad254894df4e8e7f41bb8ceefd266d721

commit 9a4132aad254894df4e8e7f41bb8ceefd266d721
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Jul 05 16:58:32 2016

[heap] Clear slots for map space when writing zap values

Pointer updating requires all slots to be valid. If we write zap values in
the sweeper we need to filter out invalid slots before.

BUG= chromium:625748 
LOG=N
R=ulan@chromium.org

Review-Url: https://codereview.chromium.org/2122963002
Cr-Commit-Position: refs/heads/master@{#37538}

[modify] https://crrev.com/9a4132aad254894df4e8e7f41bb8ceefd266d721/src/heap/remembered-set.cc

Status: Fixed (was: Started)
Comment 10 by ClusterFuzz (Project Member), Jul 5 2016

ClusterFuzz has detected this issue as fixed in range 37529:37530.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6253279818547200

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Regressed: V8: r37501:37502
Fixed: V8: r37529:37530

Minimized Testcase (6.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YixbY4LoWT09FPAWKbN4A5OMEPmg37qjCfB4lLJQfjxmluzplYFawGTTQjJd2aWOSHZRLIVzZnXbhQeI3yn7BPGGwgsCnbBtjNBN-kMtIhv8C6dleNDGMIfmxb4Guz606Z2Z_57mWlFk5M94cYO2-tyb2hQ?testcase_id=6253279818547200

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
