Able to reproduce this issue on Windows 10, Ubuntu 14.04 & Mac 10.12.6 with chrome Beta #62.0.3202.18, 
Dev #63.0.3213.3, Canary #63.0.3218.0 Issue is broken in 62.

Bisect Info:
===========
Good build : 62.0.3174.0,  Revision Range -491203
Bad build  : 62.0.3175.0,  Revision Range -491592

After executing the per-revision bisect script , i got the following CL's between good and bad build versions
===========================================
https://chromium.googlesource.com/chromium/src/+log/10570781a35945d5f833f423ca3940bc81bd7c0d..d68025ec1b431429a939e80cacceeae20dd9ff4a

The suspecting Change Log is :
-----------
https://chromium.googlesource.com/chromium/src/+/d68025ec1b431429a939e80cacceeae20dd9ff4a


jbroman@- Could you please look into this issue, if it's related to your change?  if not could you please help us to reassign this issue to the right owner.

+mlippautz: Is it possible that V8 objects kept alive due to wrapper tracing aren't captured in the heap snapshot?

I think this is a problem with UnreachableObjectsFilter that doesn't do wrapper tracing.  Essentially, the filter can be used for snapshots to filter out unreachable objects. The filter however, doesn't do ephemeral marking or wrapper tracing. 

I think this is in general flawed as the filter needs to mirror the GC behavior exactly and not just do best effort marking on its own as unmarked objects are not reported.

This probably used to work when we just called MarkLiveObjects in the GC. This was however broken with incremental marking.

Assigning to mlippautz; please feel free to reassign to the correct assignee on the V8 side.

On a second look, this should work. Because the listener should still be reachable via a global handle and so the UnreachableObjectsFilter should not get rid of it.

Any other thoughts from DevTools experts?

A quick look revealed the following. I modified the example a bit to be able to find the Foo class:

<html>
    <body>
        <script>
            class Foo {
                constructor() {
                    window.addEventListener('mousemove', (e) => {
                        this.x = e.pageX;
                    });
                }
            }

            function bootstrap() {
                const f = new Foo();
                return f;
            }

            zzz = bootstrap();
        </script>
    </body>
</html>

Now the Foo retaining tree looks like (see attachment 1)
The context @60389 seems to be missing retainers.

The DevTools on DevTools shows some warnings as well:

Heap snapshot: 7 nodes are unreachable from the root. Following nodes have only weak retainers:
   @60389  weak retainers: (Global handles)@29.67
_buildPostOrderIndex @ Trie.js:1575

Will investigate further

attachment 1

Deleted: Screenshot from 2017-09-27 10:57:14.png 20.9 KB

	Screenshot from 2017-09-27 10:57:14.png 20.9 KB View Download

So to summarize what's going on.

The Foo object is indeed reachable, but it is not reachable from the global object. So heap profiler treats it as V8 internal object and hides from the class list. You still can find it in the Containment view by exploring global handles.

To address it I'm probably going to turn off the filtering as it started to produce lots of false negatives recently.

Another problem however is that the retainment path for it would just be:
Foo <- context <- anonymous function
The rest is not visible as event listeners are beyond v8 heap. So the path does not give the user a hint on why the object is alive.

Thanks a lot for debugging this!

I'll move this over so you can decide whether followup actions are needed.

> The rest is not visible as event listeners are beyond v8 heap. So the path does not give the user a hint on why the object is alive.

That's an issue we've heard a few times recently. It looks like expanding the graph to the Blink side would be really useful.

Actually, the (Foo <- context <- anonymous function) is usually sufficient hint to the user as to why it's still alive, since the dev tools let you click through to see the source code of the anonymous function. You probably see that it's being passed into addEventListener, and from there it becomes obvious. I think this is all the info we used to get in Chrome 60, but obviously I'd welcome more context if it's possible to get.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7

commit 78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7
Author: Alexei Filippov <alph@chromium.org>
Date: Tue Oct 03 06:14:45 2017

DevTools: Do not filter out nodes unreachable from window in heap snapshot.

There are user objects that are not reachable from root, e.g. event listeners.
We want user be able to see them in the class list.

BUG= 765666 

Change-Id: I51e95cc9b5ae3d8530cc93d37781d1ee269a1ca7
Reviewed-on: https://chromium-review.googlesource.com/691187
Commit-Queue: Alexei Filippov <alph@chromium.org>
Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505963}
[add] https://crrev.com/78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7/third_party/WebKit/LayoutTests/http/tests/devtools/profiler/heap-snapshot-event-listeners-expected.txt
[add] https://crrev.com/78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7/third_party/WebKit/LayoutTests/http/tests/devtools/profiler/heap-snapshot-event-listeners.html
[modify] https://crrev.com/78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7/third_party/WebKit/LayoutTests/http/tests/devtools/profiler/heap-snapshot.html
[modify] https://crrev.com/78b4c3503d857ed4285fc6bbd3eab9a4b6c80ec7/third_party/WebKit/Source/devtools/front_end/heap_snapshot_worker/HeapSnapshot.js

 Issue 767553  has been merged into this issue.