Null-dereference WRITE in base::win::ForceCrashOnSigAbort
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5229464488509440

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  v8::internal::Page::ShrinkToHighWaterMark
  v8::internal::PagedSpace::ShrinkImmortalImmovablePages

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=476132:476165

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5229464488509440

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 5 2017
Users experienced this crash on the following builds:
  Win Canary 61.0.3119.0 - 2.04 CPM, 95 reports, 75 clients (signature v8::internal::Page::ShrinkToHighWaterMark)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Jun 6 2017
V8 revision range: https://chromium.googlesource.com/v8/v8/+log/6.1.55..6.1.60

Guessing one of the following CLs is the culprit:
  3fc2c27 [heap] MinorMC: Fix page promotion during incremental marking by Michael Lippautz · 4 days ago
  502c6ae [heap] Activate memory reducer on external memory activity. by hpayer · 4 days ago

List of crashers on all M61 versions windows:
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%20LIKE%20%27%25v8%3A%3Ainternal%3A%3APage%3A%3AShrinkToHighWaterMark%27%20AND%20product.Version%20LIKE%20%2761.%25%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports

Failing on: CHECK(filler->IsFiller());

0x5580792f (chrome_child.dll -spaces.cc:793 ) v8::internal::Page::ShrinkToHighWaterMark()
0x551ae29b (chrome_child.dll -spaces.cc:1403 ) v8::internal::PagedSpace::ShrinkImmortalImmovablePages()
0x551ae252 (chrome_child.dll -heap.cc:5796 ) v8::internal::Heap::NotifyDeserializationComplete()
0x5549e5d7 (chrome_child.dll -isolate.cc:2802 ) v8::internal::Isolate::Init(v8::internal::Deserializer *)
0x551acd3e (chrome_child.dll -snapshot-common.cc:44 ) v8::internal::Snapshot::Initialize(v8::internal::Isolate *)
0x551acca6 (chrome_child.dll -api.cc:8372 ) v8::IsolateNewImpl(v8::internal::Isolate *,v8::Isolate::CreateParams const &)
0x551ac7dd (chrome_child.dll -isolate_holder.cc:54 ) gin::IsolateHolder::IsolateHolder(scoped_refptr<base::SingleThreadTaskRunner>,gin::IsolateHolder::AccessMode,gin::IsolateHolder::AllowAtomicsWaitMode)
0x551ac400 (chrome_child.dll -v8perisolatedata.cpp:55 ) blink::V8PerIsolateData::V8PerIsolateData(blink::WebTaskRunner *)
0x551ac3bb (chrome_child.dll -v8perisolatedata.cpp:82 ) blink::V8PerIsolateData::Initialize(blink::WebTaskRunner *)
0x5553d23d (chrome_child.dll -workerbackingthread.cpp:63 ) blink::WorkerBackingThread::Initialize()
Jun 6 2017
Jun 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c8e6cdfdcee0319fec69926e074d047f668c6f8b

commit c8e6cdfdcee0319fec69926e074d047f668c6f8b
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Jun 06 14:16:55 2017

Revert "[heap] Use partial free when shrinking instead of uncommitting"

This reverts commit 0d06e42b690cfe80454c7f065c382f2b7200a40f.

Reason for revert: clusterfuzz and canary crashes.

BUG=chromium:729209, v8:6456

Original change's description:
> [heap] Use partial free when shrinking instead of uncommitting
>
> This fixes the counter inconsistencies while leaving the memory in an
> inaccessible state.
>
> Bug: chromium:724947
> Change-Id: I431eb6fda84922a52dfb9380c6b482ada55bccee
> Reviewed-on: https://chromium-review.googlesource.com/519164
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Hannes Payer <hpayer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#45647}

TBR=hpayer@chromium.org,mlippautz@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:724947
Change-Id: I6c52b478b89a858ba984fe17f86cdf15fcfa974c
Reviewed-on: https://chromium-review.googlesource.com/525716
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45733}

[modify] https://crrev.com/c8e6cdfdcee0319fec69926e074d047f668c6f8b/src/heap/spaces.cc
[modify] https://crrev.com/c8e6cdfdcee0319fec69926e074d047f668c6f8b/src/heap/spaces.h
Jun 8 2017
ClusterFuzz has detected this issue as fixed in range 477401:477458.

Detailed report: https://clusterfuzz.com/testcase?key=5229464488509440

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  v8::internal::Page::ShrinkToHighWaterMark
  v8::internal::PagedSpace::ShrinkImmortalImmovablePages

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=476132:476165
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=477401:477458

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5229464488509440

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 8 2017
Jun 8 2017
ClusterFuzz testcase 5229464488509440 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 9 2017
Issue 730388 has been merged into this issue.
Comment 1 by ajha@chromium.org, Jun 5 2017
Components: Blink>JavaScript
Labels: -Type-Bug ReleaseBlock-Beta M-61 Type-Bug-Regression