mlippautz@, can you please take a look? One of your recent CLs (https://chromium.googlesource.com/v8/v8/+/df5b86de4cc3115b849d3c40d12637ce39131ed7) was in the bisection range.

My CL is still a noop. 

Rather suspecting concurrent store buffer landing in a9e6bbba263c98090f96bb0dccff09d8ffb86c0a :)

Release mode only repro, gdb:

Thread 2 (Thread 0x7ffff1f49700 (LWP 4724)):
#0  0x00005555567be42a in Acquire_Load () at ../../src/base/atomicops_internals_portable.h:165
#1  Value () at ../../src/base/atomic-utils.h:119
#2  old_to_new_slots () at ../../src/heap/spaces.h:442
#3  GetSlotSet () at ../../src/heap/remembered-set.h:212
#4  Insert () at ../../src/heap/remembered-set.h:26
#5  MoveEntriesToRememberedSet () at ../../src/heap/store-buffer.cc:118
#6  0x00005555567be761 in ConcurrentlyProcessStoreBuffer () at ../../src/heap/store-buffer.cc:136
#7  RunInternal () at ../../src/heap/store-buffer.h:98
#8  0x000055555770735d in v8::platform::WorkerThread::Run() ()
    at ../../src/libplatform/worker-thread.cc:26
#9  0x00005555576f2c4e in NotifyStartedAndRun () at ../../src/base/platform/platform.h:504
#10 ThreadEntry () at ../../src/base/platform/platform-posix.cc:582
#11 0x00007ffff7243184 in start_thread (arg=0x7ffff1f49700) at pthread_create.c:312
#12 0x00007ffff6d5a37d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Thread 1 (Thread 0x7ffff7fc17c0 (LWP 4721)):
#0  0x00005555566d9be0 in NoBarrier_Load () at ../../src/base/atomicops_internals_portable.h:161
#1  map_word () at ../../src/objects-inl.h:1420
#2  map () at ../../src/objects-inl.h:1377
#3  IsFiller () at ../../src/objects-inl.h:663
#4  ProcessMarkingDeque () at ../../src/heap/incremental-marking.cc:881
#5  Step () at ../../src/heap/incremental-marking.cc:1137
#6  0x00005555566dadd1 in AdvanceIncrementalMarkingOnAllocation ()
    at ../../src/heap/incremental-marking.cc:1105
#7  0x00005555567b8615 in AllocationStep () at ../../src/heap/heap.h:2618
#8  AllocationStep () at ../../src/heap/spaces.cc:1167
#9  AllocateRaw () at ../../src/heap/spaces.cc:3000
#10 0x0000555556615ee1 in AllocateRaw () at ../../src/heap/heap-inl.h:328
#11 0x00005555566b73d9 in AllocateRawFixedArray () at ../../src/heap/heap.cc:3888
#12 AllocateUninitializedFixedArray () at ../../src/heap/heap.cc:3931
#13 0x00005555565d3beb in NewUninitializedFixedArray () at ../../src/factory.cc:154
#14 0x000055555654c9e6 in ConvertElementsWithCapacity () at ../../src/elements.cc:813
#15 ConvertElementsWithCapacity () at ../../src/elements.cc:792
#16 GrowCapacity () at ../../src/elements.cc:925
#17 0x0000555556d0326c in __RT_impl_Runtime_GrowArrayElements ()

Confirmed bisect to:

commit a9e6bbba263c98090f96bb0dccff09d8ffb86c0a
Author: hpayer <hpayer@chromium.org>
Date:   Fri Nov 11 06:00:55 2016 -0800

    [heap] Reland concurrent store buffer processing.
    
    BUG=chromium:648973,  chromium:648568 
    
    Review-Url: https://codereview.chromium.org/2493083003
    Cr-Commit-Position: refs/heads/master@{#40928}

...
insert 0x7f4449b7ef68 0x7f4443200048
insert done 0x7f4449b7ef68
insert 0x7f4449b7ef70 0x7f4443200048
insert done 0x7f4449b7ef70
insert 0x7f4449b7ef78 0x48
ASAN:DEADLYSIGNAL

We are trying to add an entry to a slot set of address 0x48. Right before, the address of the slot set was still ok.

It seems to be the slot was part of a large object that gets uncommitted.

...insert 0x7fffbb500010 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500010
insert 0x7fffbb500018 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500018
insert 0x7fffbb500020 0x7fffb4b80000 0x7fffb4b80048
insert done 0x7fffbb500020
insert 0x7fffbb500028 (nil) 0x48

The chunk_map_ of large objects gets resized while inserting entries. That is bad.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/124e77f02b13563e0eaefd61aa44c1f40ce5b631

commit 124e77f02b13563e0eaefd61aa44c1f40ce5b631
Author: hpayer <hpayer@chromium.org>
Date: Wed Nov 16 16:04:21 2016

[heap] Synchronize concurrent chunk map modifications.

BUG= chromium:664793 

Review-Url: https://codereview.chromium.org/2510733002
Cr-Commit-Position: refs/heads/master@{#41042}

[modify] https://crrev.com/124e77f02b13563e0eaefd61aa44c1f40ce5b631/src/heap/spaces-inl.h
[modify] https://crrev.com/124e77f02b13563e0eaefd61aa44c1f40ce5b631/src/heap/spaces.cc
[modify] https://crrev.com/124e77f02b13563e0eaefd61aa44c1f40ce5b631/src/heap/spaces.h

ClusterFuzz has detected this issue as fixed in range 41032:41054.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967031234199552

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  v8::internal::StoreBuffer::MoveEntriesToRememberedSet
  v8::internal::StoreBuffer::Task::RunInternal
  v8::platform::WorkerThread::Run
  
Regressed: V8: r40912:40940
Fixed: V8: r41032:41054

Minimized Testcase (4.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ckQP4x9hayI-3GkFm-5aaVeXabotnDSrzSxx-2KS9MIcQrKhEeTB5K_xol57qOjTY0C0HbeUfVoPP4fG0LVLqTsyeipagvMnHqxKZ74FSwnXPhTKWiJbn0y169IWVuu1QP0R2bm1CJ6uBBhCZUbJuA-tuFg?testcase_id=5967031234199552

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot