Data race in v8::internal::Heap::CreateFillerObjectAt
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5706695407042560

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race ATOMIC WRITE 8
Crash Address: 0x7f24c21451e8
Crash State:
  v8::internal::Heap::CreateFillerObjectAt
  v8::internal::FreeList::Free
  v8::internal::MarkCompactCollector::Sweeper::RawSweep

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=433807:433985

Minimized Testcase (0.43 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv954PbpGUIcsrlyE1zRAa5GA4Fg6Pn1ONLtPn9kbeuDmhqNolebvWveNpVixFhLO2zGHK_DXsaoKz3_7qDlZF5GXVg03UWiko6Xc9Vzg2doyK1byAdxjzwxxLecQUXHbYqs4r-EsiOAgv15XmVNY9cDYCcZQXw?testcase_id=5706695407042560

-->
<iframe onload="test()"></iframe>
<script>
// Reload the child frame up to 50 times. The repeated navigations create and
// discard documents, which is what exercises the collector and its sweeper.
var iterationsLeft = 50;
function test() {
  if (--iterationsLeft) {
    frames[0].history.go();   // no argument: reload the frame in place
  } else {
    document.body.textContent = frames[0].document.body.textContent;
  }
}
</script>
<script>
// Inserting a node fires the (deprecated) DOMNodeInserted mutation event,
// which also calls test(), so the reload loop is driven from two sources.
document.documentElement.addEventListener("DOMNodeInserted", test);
document.body.parentNode.insertBefore(document.createElement("canvas"), document.body.nextSibling);
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 28 2016
Looks like a race between the sweeper thread and the main thread. Unfortunately the stack trace from the main thread seems to be missing. Not sure how actionable this is. Hannes, could you please triage further or simply close if not actionable? Thanks!
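The sweeper-versus-main-thread pattern behind a report like this, as an added illustration that is not V8 code and does not claim to be the actual bug: a toy heap page whose header words are rewritten by a background sweeper (dead slot becomes filler) while the mutator takes the same slots. Names (Page, sweep_page, allocate_all, run) and the slot encoding are assumptions of the example. TSan's "Data race ATOMIC WRITE 8" crash type means the access it caught was an 8-byte atomic store that conflicts with a non-atomic access on the other thread; TSan still reports that pair as a race, because a plain access is not ordered against an atomic one. The fixed variant here orders the two sides with a release store from the sweeper and an acquire wait in the mutator; the racy variant skips the wait.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <thread>

// Toy model of one heap page, added for illustration; it is not V8 code.
// Every slot has one header word, much as a GC'd heap has a map word.
constexpr std::size_t kSlots = 4096;
constexpr std::uint64_t kDead = 0, kFiller = 1, kLive = 2;

struct Page {
  std::uint64_t header[kSlots] = {};   // all kDead initially
  std::atomic<bool> swept{false};      // set by the sweeper when it is done
};

// Background sweeper: turn dead slots into fillers so the free space stays
// walkable, then publish the page with a release store. Note the check-then-
// write: if the mutator marks a slot live in between, the sweeper's stale
// kDead read makes it overwrite a live object with a filler.
void sweep_page(Page& page) {
  for (std::size_t i = 0; i < kSlots; ++i)
    if (page.header[i] == kDead) page.header[i] = kFiller;
  page.swept.store(true, std::memory_order_release);
}

// Main thread (mutator): take every slot and count how many it found already
// converted to fillers. Without the wait, its plain writes to header[i] race
// with the sweeper's writes, which is the pattern TSan reports; with the
// acquire wait every sweeper write happens-before the mutator's.
std::size_t allocate_all(Page& page, bool wait_for_sweeper) {
  if (wait_for_sweeper)
    while (!page.swept.load(std::memory_order_acquire)) std::this_thread::yield();
  std::size_t fillers_seen = 0;
  for (std::size_t i = 0; i < kSlots; ++i) {
    if (page.header[i] == kFiller) ++fillers_seen;
    page.header[i] = kLive;
  }
  return fillers_seen;
}

// Run a sweep concurrently with allocation on the same page.
std::size_t run(bool wait_for_sweeper) {
  Page page;
  std::thread sweeper(sweep_page, std::ref(page));
  std::size_t seen = allocate_all(page, wait_for_sweeper);
  sweeper.join();
  return seen;
}

int main() {
  // Synchronised: the mutator always sees all kSlots fillers.
  // Unsynchronised (run(false)): the count depends on the interleaving, and a
  // build with -fsanitize=thread reports the race even when the count agrees.
  return run(true) == kSlots ? 0 : 1;
}
```

Build with `clang++ -std=c++17 -g -fsanitize=thread race.cc` (or g++ with the same flags) and call run(false) to see the report; the racy variant usually still returns a plausible number, which is why this class of bug is found by sanitizer fuzzing rather than by failing tests.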
Nov 29 2016
ClusterFuzz has detected this issue as fixed in range 434636:434658.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5706695407042560

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race ATOMIC WRITE 8
Crash Address: 0x7f24c21451e8
Crash State:
  v8::internal::Heap::CreateFillerObjectAt
  v8::internal::FreeList::Free
  v8::internal::MarkCompactCollector::Sweeper::RawSweep

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=433807:433985
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=434636:434658

Minimized Testcase (0.43 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv954PbpGUIcsrlyE1zRAa5GA4Fg6Pn1ONLtPn9kbeuDmhqNolebvWveNpVixFhLO2zGHK_DXsaoKz3_7qDlZF5GXVg03UWiko6Xc9Vzg2doyK1byAdxjzwxxLecQUXHbYqs4r-EsiOAgv15XmVNY9cDYCcZQXw?testcase_id=5706695407042560

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ajha@chromium.org, Nov 28 2016
Labels: M-57