The ClusterFuzz bisect is still running, but I did a manual bisect to the 500k pages change. Reproduces as follows (not all flags might be necessary, didn't check) ...

$ ~/Development/v8.git/out/x64.debug/d8 --random-seed=-2132541566 --gc-interval=470 --noenable-sse4-1 --max-semi-space-size=1 --expose-gc --allow-natives-syntax --debug-code --es-staging --enable-slow-asserts --verify-heap --harmony-templates --invoke-weak-callbacks --omit-quit --ignition-staging ~/Downloads/fuzz-00696.js

Alright, that's a missing slot (WB) in the GC. Shame on me ;( 

Fix on the way.

Bugdroid doesn't like this one:

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bb4974d1864502b99e2fd639b6c584031afd47cc

[heap] Properly propagate allocated space during new space evacuaton in MC

New space evaucation in MC supports, similar to scavenges, fall back allocation
in old space.

For new space evacuation we support stick and non-sticky modes for fallback. The
sticky mode essentially removes the capability to allocate in new space while
the non-sticky mode only falls back for a single allocation.

We use the non-sticky mode for allocations that are too large for a LAB but
should still go in new space. When such an allocation fails in new space, we
allocate in old space in non-sticky mode as we would still like to reuse the
remainder memory in new space. However, in such a case we fail to properly
report the space allocated in resulting in a missed recorded slot.

BUG= chromium:641270 
R=ulan@chromium.org

Review-Url: thttps://codereview.chromium.org/2280943002
Cr-Commit-Position: refs/heads/master@{#38940}

Essentially this bug is present in all versions back to stable (and even longer).

 mlippautz@, as this bug specific to Linux and exists in current Stable and even longer. I'm NOT planning to take this merge in for M53 as we're VERY close to M53 Stable launch and bar is very high. But if you think it is important to take in for M53, then it has to baked/verified in canary and safe to merge. Please let me know what you think about this.

Sorry, the labels are set from what clusterfuzz found. The bug is present on all platforms.

The bug is a corner case which should rarely happen but manifests in a memory corruption later on, i.e., it is not properly bucketized on crash/.

We can also wait and see if it causes problems on Canary and backmerge a bit later.

Ok, sounds good. Please update with Canary data, if all looks good, then we can take it for next M53 Stable release. It will miss first M53 stable cut.

ClusterFuzz has detected this issue as fixed in range 38939:38940.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5269506408841216

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  ho->GetHeap()->Contains(ho) in objects-debug.cc
  
Regressed: V8: r38915:38916
Fixed: V8: r38939:38940

Minimized Testcase (0.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94d9akwcoLcDXvSUc6S628L0GLU7lsDT-tj3Y6rq2xroysMwseVasnSxj352UampHRV5QqD_PV62RP9zngggABKoVikmySldj_aUlSzUFcyfBezUVidkd_SKSUMKRSaRwAsAYCvqO8PdLcvv1PDvjDP0MrMnA?testcase_id=5269506408841216

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

[Automated comment] Request affecting a post-stable build (M52), manual review required.

[Automated comment] Less than 2 weeks to go before stable on M53, manual review required.

Your change meets the bar and is auto-approved for M54 (branch: 2840)

[Automated comment] Request affecting a post-stable build (M52), manual review required.

[Automated comment] Less than 2 weeks to go before stable on M53, manual review required.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please merge your change to M54 (branch: 2840) before 5:00 PM PST Monday [09/05] if you would like to make it to M54 Beta promotion on Thursday [09/08].

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ab911257389366917fe873c93a5c439ad225aaa2

commit ab911257389366917fe873c93a5c439ad225aaa2
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Sep 06 13:16:37 2016

Merged: [heap] Properly propagate allocated space during new space evacuaton in MC

Revision: bb4974d1864502b99e2fd639b6c584031afd47cc

BUG= chromium:641270 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2318583002
Cr-Commit-Position: refs/branch-heads/5.4@{#23}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/ab911257389366917fe873c93a5c439ad225aaa2/src/heap/mark-compact.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b8ae651b613466664da05f37ca8f2c5b7b06a7e1

commit b8ae651b613466664da05f37ca8f2c5b7b06a7e1
Author: mlippautz <mlippautz@chromium.org>
Date: Tue Sep 06 13:24:38 2016

Merged: [heap] Properly propagate allocated space during new space evacuaton in MC

Revision: bb4974d1864502b99e2fd639b6c584031afd47cc

BUG= chromium:641270 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Review-Url: https://codereview.chromium.org/2312153002
Cr-Commit-Position: refs/branch-heads/5.3@{#63}
Cr-Branched-From: 820a23aade5e74a92d794e05a0c2b3597f0da4b5-refs/heads/5.3.332@{#2}
Cr-Branched-From: 37538cb2c1b4d75c41af386cb4fedbe5566f5608-refs/heads/master@{#37308}

[modify] https://crrev.com/b8ae651b613466664da05f37ca8f2c5b7b06a7e1/src/heap/mark-compact.cc

Possibly needed on Node.js 6.x and 4.x. mattloring@ to investigate.

I have opened a backport of this change to 6.x but it does not apply cleanly to V8 4.5 (in node 4.x). The patched class MarkCompactCollector::EvacuateNewSpaceVisitor does not appear to exist in this version. Is there a modified version of the fix needed for V8 4.5?

The bug was introduced when creating this new visitor using TLABs. It did not exist prior to that.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot