Chromium 284577 needs a mitigation CL added. There is a TODO to remove

src/objects.cc

 // Copyright 2013 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 8998 matching lines @@
   return string;
 }
 
 
 AllocationMemento* AllocationMemento::FindForJSObject(JSObject* object) {
   // Currently, AllocationMemento objects are only allocated immediately
   // after JSArrays in NewSpace, and detecting whether a JSArray has one
   // involves carefully checking the object immediately after the JSArray
   // (if there is one) to see if it's an AllocationMemento.
   if (FLAG_track_allocation_sites && object->GetHeap()->InNewSpace(object)) {
-    // TODO(mvstanton): CHECK to diagnose chromium bug 284577, remove after.
-    CHECK(object->GetHeap()->InToSpace(object));
+    ASSERT(object->GetHeap()->InToSpace(object));
     Address ptr_end = (reinterpret_cast<Address>(object) - kHeapObjectTag) +
         object->Size();
     if ((ptr_end + AllocationMemento::kSize) <=
         object->GetHeap()->NewSpaceTop()) {
       // There is room in newspace for allocation info. Do we have some?
       Map** possible_allocation_memento_map =
           reinterpret_cast<Map**>(ptr_end);
       if (*possible_allocation_memento_map ==
           object->GetHeap()->allocation_memento_map()) {
-        Address ptr_object = reinterpret_cast<Address>(object);
-        // TODO(mvstanton): CHECK to diagnose chromium bug 284577, remove after.
-        // If this check fails it points to the very unlikely case that we've
-        // misinterpreted a page header as an allocation memento. Follow up
-        // with a real fix.
-        CHECK(Page::FromAddress(ptr_object) == Page::FromAddress(ptr_end));
         AllocationMemento* memento = AllocationMemento::cast(
             reinterpret_cast<Object*>(ptr_end + kHeapObjectTag));
-        return memento;
+
+        // TODO(mvstanton): because of chromium bug 284577, put extra care
+        // into validating that the memento points to a valid AllocationSite.
+        // This check is expensive so remove it asap. Also, this check
+        // HIDES bug 284577, so it must be disabled to debug/diagnose.
+        Object* site = memento->allocation_site();
+        Heap* heap = object->GetHeap();
+        if (heap->InOldPointerSpace(site) &&
+            site->IsHeapObject() &&
+            HeapObject::cast(site)->map() == heap->allocation_site_map()) {
+          return memento;
+        }
       }
     }
   }
   return NULL;
 }
 
 
 uint32_t StringHasher::MakeArrayIndexHash(uint32_t value, int length) {
   // For array indexes mix the length into the hash as an array index could
   // be zero.
@@ skipping 7101 matching lines @@
 #define ERROR_MESSAGES_TEXTS(C, T) T,
   static const char* error_messages_[] = {
       ERROR_MESSAGES_LIST(ERROR_MESSAGES_TEXTS)
   };
 #undef ERROR_MESSAGES_TEXTS
   return error_messages_[reason];
 }
 
 
 } }  // namespace v8::internal