Data race in v8::internal::compiler::EscapeAnalysisReducer::ReduceAllocate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5117998529773568
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7bbc000019d0
Crash State:
  v8::internal::compiler::EscapeAnalysisReducer::ReduceAllocate
  v8::internal::compiler::EscapeAnalysisReducer::ReduceNode
  v8::internal::compiler::EscapeAnalysisReducer::Reduce
Sanitizer: thread (TSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=442831:443258
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ci9G1wVfAawOVs-CO2oLYnELZd5gGaD79vye0eoKZ_ejivUJt-LHgPEbv9DR-cIz8DG5BEsRea7TVzLhZmHwhsMwmlxdQDrr6AgYAqQkG7G2lJCoLjOrjf_vEew3usBbs22ZLGmDLahtvBWYXu-Qi33pI6xERZSM_2MvyOvc01i3iQxQdQJVJwNy7pPKviFxW6qm7wZbnRnQVsKGhCzzP45KNRkT2FSogKZMYtc5aMGlqJqcoZ6GtYcFwfEZ9rnqo6PwtRMBTeX4brdIbeW8uBvPl7m2h4b_dPlmVdfJhFE3aGEFP7UYjAxh2EaDK5tIp9_NrChMLEd_oDQmGjQFOrubHzJSpWZ2_6iL3oB5uPEDozI0?testcase_id=5117998529773568
Additional requirements: Requires HTTP

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 30 2017
Looks like a race when accessing stats counters. The counters are not thread-safe and cannot be used off the thread that currently holds the Isolate lock.
Jan 30 2017
Jan 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/418c9eca799530ab19b9dd2d0eb24278669945b7

commit 418c9eca799530ab19b9dd2d0eb24278669945b7
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Jan 31 08:52:16 2017

[turbofan] Remove escape analysis stats counters.

These counters were used during the initial implementation to gather statistics about comparative effectiveness of the two escape analysis approaches in practice. The counters are not thread-safe and cannot be used for the analysis any longer as it is now running off main thread. We deprecate the counters in question in favor of maintaining deferred statistics until the need for such statistics arises again.

R=bmeurer@chromium.org
BUG=chromium:685942

Review-Url: https://codereview.chromium.org/2667453003
Cr-Commit-Position: refs/heads/master@{#42808}

[modify] https://crrev.com/418c9eca799530ab19b9dd2d0eb24278669945b7/src/compiler/escape-analysis-reducer.cc
[modify] https://crrev.com/418c9eca799530ab19b9dd2d0eb24278669945b7/src/compiler/escape-analysis-reducer.h
[modify] https://crrev.com/418c9eca799530ab19b9dd2d0eb24278669945b7/src/counters.h
[modify] https://crrev.com/418c9eca799530ab19b9dd2d0eb24278669945b7/src/crankshaft/hydrogen-escape-analysis.cc
Jan 31 2017
Feb 1 2017
ClusterFuzz has detected this issue as fixed in range 447218:447232.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5117998529773568
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Data race READ 1
Crash Address: 0x7bbc000019d0
Crash State:
  v8::internal::compiler::EscapeAnalysisReducer::ReduceAllocate
  v8::internal::compiler::EscapeAnalysisReducer::ReduceNode
  v8::internal::compiler::EscapeAnalysisReducer::Reduce
Sanitizer: thread (TSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=442831:443258
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=447218:447232
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ci9G1wVfAawOVs-CO2oLYnELZd5gGaD79vye0eoKZ_ejivUJt-LHgPEbv9DR-cIz8DG5BEsRea7TVzLhZmHwhsMwmlxdQDrr6AgYAqQkG7G2lJCoLjOrjf_vEew3usBbs22ZLGmDLahtvBWYXu-Qi33pI6xERZSM_2MvyOvc01i3iQxQdQJVJwNy7pPKviFxW6qm7wZbnRnQVsKGhCzzP45KNRkT2FSogKZMYtc5aMGlqJqcoZ6GtYcFwfEZ9rnqo6PwtRMBTeX4brdIbeW8uBvPl7m2h4b_dPlmVdfJhFE3aGEFP7UYjAxh2EaDK5tIp9_NrChMLEd_oDQmGjQFOrubHzJSpWZ2_6iL3oB5uPEDozI0?testcase_id=5117998529773568
Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by durga.behera@chromium.org, Jan 27 2017
Status: Available (was: Untriaged)