DCHECK failure in top() >= to_space_.page_low() in spaces.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4852142264025088
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: top() >= to_space_.page_low() in spaces.h
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=50051:50052
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4852142264025088

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 26 2018
Jan 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/70c0237578719aba48f56420a0c60ec893e86941

commit 70c0237578719aba48f56420a0c60ec893e86941
Author: Ali Ijaz Sheikh <ofrobots@google.com>
Date: Mon Jan 29 17:42:46 2018

[heap] do not perform a step while a space is partially mutated

We were starting an allocation step during NewSpace::AddFreshPage. At this point, we had advanced the page, but not updated allocation_info_. This ultimately led to assertions as Space::Size was not expecting to be called when to_space_.page_{high,low} are inconsistent with allocation_info_.top().

The solution here is to avoid starting the step in the middle of the space state mutation. We account for memory allocated so far before the mutation is started, and then start a new step after the mutation has been completed.

Bug: chromium:806179
Change-Id: I17ee896d80c4ec752baa2b17c3fd2bef7ea2ca33
Reviewed-on: https://chromium-review.googlesource.com/889981
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Ali Ijaz Sheikh <ofrobots@google.com>
Cr-Commit-Position: refs/heads/master@{#50932}

[modify] https://crrev.com/70c0237578719aba48f56420a0c60ec893e86941/src/heap/spaces.cc
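The ordering problem the commit message describes, as an added toy model (not V8's NewSpace or allocation-observer code, and not part of this thread): the DCHECK from spaces.h is modelled as a consistency check inside Size(), and the buggy and fixed orderings of the page advance are placed side by side. ToySpace, AdvancePage and the page addresses are invented for the illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Toy model (assumption: not V8's real code) of a bump-pointer space.
// Allocations live between page_low and page_high; Size() is only valid
// while top lies inside the current page.
struct ToySpace {
  uintptr_t page_low = 0x1000, page_high = 0x2000, top = 0x1800;
  size_t filled_pages_bytes = 0;  // bytes in pages already completed
  size_t accounted_bytes = 0;     // bytes accounted before the mutation
  size_t steps_started = 0;       // allocation steps observers have seen
  bool violated = false;          // Size() was called on an inconsistent space

  // Mirrors the DCHECK "top() >= to_space_.page_low()" from spaces.h.
  size_t Size() {
    if (top < page_low || top > page_high) { violated = true; return 0; }
    return filled_pages_bytes + static_cast<size_t>(top - page_low);
  }

  // Starting a step lets observers query the space, which calls Size().
  void StartStep() { ++steps_started; (void)Size(); }

  // The state mutation: move on to a fresh page (top is updated by the caller).
  void AdvancePage() {
    filled_pages_bytes += static_cast<size_t>(page_high - page_low);
    page_low = page_high;
    page_high += 0x1000;
  }

  // Buggy order: the step runs after the page advanced but before top moved,
  // so observers see top < page_low. Returns false when the check fires.
  bool AddFreshPageBuggy() {
    AdvancePage();
    StartStep();
    top = page_low;
    return !violated;
  }

  // Fixed order: account for what was allocated so far, complete the
  // mutation, and only then start a new step on a consistent space.
  bool AddFreshPageFixed() {
    accounted_bytes = Size();
    AdvancePage();
    top = page_low;
    StartStep();
    return !violated;
  }
};

bool BuggyOrderViolates() { ToySpace s; return !s.AddFreshPageBuggy(); }
bool FixedOrderHolds() { ToySpace s; return s.AddFreshPageFixed(); }
```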
Jan 30 2018
ofrobots: Thanks for the fix. Is beta affected by this? (I think not?)
Jan 30 2018
M65 is affected as the original commit with the issue landed in V8 6.5.100. Adding merge-request label. Stable is not affected.
Jan 30 2018
ClusterFuzz has detected this issue as fixed in range 50931:50932.

Detailed report: https://clusterfuzz.com/testcase?key=4852142264025088
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State: top() >= to_space_.page_low() in spaces.h
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=50051:50052
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=50931:50932
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4852142264025088

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 30 2018
ClusterFuzz testcase 4852142264025088 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 31 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions.

Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 31 2018
Pls merge your change to M65 branch 3325 ASAP so we can pick it up for next M65 dev release. Thank you.
Jan 31 2018
While attempting to merge, it turns out that the issue does NOT exist in M65. M65 has the additional change https://chromium.googlesource.com/v8/v8/+/aefc8a315343b124f16a2cfdaab3b086629e145d which avoids the bug. The Merge-Approved-65 and Hotlist-Merge-Approved labels can be removed (not sure if I should do that).
Jan 31 2018
Removing "Merge-Approved-65" & "Hotlist-Merge-Approved" labels based on comment #10. Thank you. Does this need a merge to M64? If yes, pls request a merge to M64.
Jan 31 2018
The fix is not needed on M64.
Feb 8 2018

May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 26 2018
Owner: ofrobots@google.com
Status: Assigned (was: Untriaged)