CHECK failure: ObjectMarking::IsBlack(object) in mark-compact.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4999349663956992

Fuzzer: meacer_chromebot_extensions
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  ObjectMarking::IsBlack(object) in mark-compact.cc
  gin::PrintStackTrace
  v8::internal::VerifyMarking

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458024:458029

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94utjKJ-oM3sR3ZzBmSXEw-h80tCYn24QG2xn0tl2jqMm8glr-ON4nhRyqePobkBFNkwdm0yEAG--YNWs_35vhKqP1tc_QJAl-dg3odgPlD4X7IECxLP-OoNh9W_XO7EorfKPB-0UZG1xX6eiXGIjC-4zenM-A0P8BHuMxY2ZKyP8HRUDYHhk8b1AtMqw9skAcTpMbN9h52olQaH3x-C1PLazWvz3If8j80HF22M1ZAg09MBJ5R03FMsLKZapfQsiElOa9ubGYiF5tzISADW5xeAm1-cAk2vAKiChEA6YKhbRB3hyyk9JlGSO4fvv8PPUS7OUx0JS94quRGtUS1p7Jvoj1o2qydAkJMuvcuJENIzOZAgZD7ZHZSH2ly_54F2Bd_tGLbxwwDQk9JxpTyCg_mLFZqSw?testcase_id=4999349663956992

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 21 2017
Apr 6 2017
CC'ing rossberg@, on-duty CF sheriff. Please triage.
Apr 6 2017
Hannes, can you please triage further?
Apr 7 2017
Assigning to the current memory sheriff.
Apr 7 2017
How can a P1 take more than 2 weeks to triage?
Apr 12 2017
Was able to reproduce on ToT chrome 84d672e116927823f0dc079f9928a6043c775837

cmd line:
out/Release/chrome --user-data-dir=/tmp/user_profile_0 --dns-prefetch-disable --disable-default-apps --disable-component-update --disable-metrics --js-flags="--expose-gc --verify-heap --trace-gc" --new-window --no-first-run --disable-breakpad ~/Downloads/clusterfuzz-testcase-4999349663956992/fuzz-extension-run-756.html

gn args:
is_component_build = false
is_debug = false
use_goma = true
dcheck_always_on = true
v8_enable_verify_heap = true
is_asan = true
enable_ipc_fuzzer = true
Apr 12 2017
--no-turbo makes it disappear. Investigating further.
Apr 12 2017
Forgot to add: --no-incremental-marking also fixes the issue. I suspect a missed write barrier somewhere.
Apr 12 2017
Likely not a turbofan issue but rather left trimming. Bisected it in Chromium to

9552c2c3a6399668a90723c4d42a3d9862cf4591 is the first bad commit
commit 9552c2c3a6399668a90723c4d42a3d9862cf4591
Author: v8-autoroll <v8-autoroll@chromium.org>
Date:   Tue Mar 7 12:25:06 2017 -0800

    Update V8 to version 5.9.23.

    Summary of changes available at:
    https://chromium.googlesource.com/v8/v8/+log/942d095c..a4c21af3

    Please follow these instructions for assigning/CC'ing issues:
    https://github.com/v8/v8/wiki/Triaging%20issues

    Please close rolling in case of a roll revert:
    https://v8-roll.appspot.com/
    This only works with a Google account.

Will continue bisecting in V8 now.
Apr 12 2017
And the winner is

6517b4477cbf13243caf9a5eeb658f8940ad3c44 is the first bad commit
commit 6517b4477cbf13243caf9a5eeb658f8940ad3c44
Author: hpayer <hpayer@chromium.org>
Date:   Tue Mar 7 07:16:49 2017 -0800

    [heap] Do not clear mark bits of left trimmed old object start.

    BUG=chromium:694255

    Review-Url: https://codereview.chromium.org/2731363002
    Cr-Commit-Position: refs/heads/master@{#43645}

Assigning back as I likely won't have time tomorrow and hpayer@ should be back Tuesday next week.

Repro: See above.
May 11 2017
ClusterFuzz has detected this issue as fixed in range 470896:470927.

Detailed report: https://clusterfuzz.com/testcase?key=4999349663956992

Fuzzer: meacer_chromebot_extensions
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  ObjectMarking::IsBlack(object) in mark-compact.cc
  gin::PrintStackTrace
  v8::internal::VerifyMarking

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458024:458029
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=470896:470927

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4999349663956992

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 11 2017
ClusterFuzz testcase 4999349663956992 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.