Out-of-memory in v8_serialized_script_value_fuzzer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5015347871875072

Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  v8_serialized_script_value_fuzzer

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=440754:440763

Minimized Testcase (1.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94llBArqgV7qr6B0p8s2BnSEv9HZ5zc61vMXhRnYdxEJh45paXzci2XcCcS8b0Q8E2J3PGq3lNqBwlitxd8quOE7EocPm160dbRxNpUNxeIPM6FWk2DSQWM1JNAmRFXlTBzzPKq8EhhDNMrykYLWVElkChDsLEKSs_HEJGx9HJ3Y5ihwFt85J9XmOKtiPx2k6ZmtNcd6THz8Uhamz2Tse9D7TeGWKl0ljdHvwBL7q9L7tptgHDUjIBYfmL7l23hty4ATFpri6HNEhl2EqJ0tzpkgwEpIRC5i6k4WgScTT86VRGvrWXAnLUus-jlHErHe-lbbLnciprqAlGoiJq8-Xrjs4iGps6XqqrivgjVCufbN9yEnHM?testcase_id=5015347871875072

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 9 2017
Feb 15 2017
I am the correct owner. I've got a fix out for review (it's a moderately clever way of avoiding the OOM protections by exploiting the fact that objects are converted to string when used as keys, and sparse arrays allow for an extremely large string to be produced with small serialized data -- a very long string of commas).
Feb 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8990399dc7c2f36ba4f566a415a0823d229dff21

commit 8990399dc7c2f36ba4f566a415a0823d229dff21
Author: jbroman <jbroman@chromium.org>
Date: Thu Feb 16 13:59:56 2017

ValueDeserializer: Only allow valid keys when deserializing object properties.

The serializer won't ever write a more complex object. Not validating this allows other things to be used as keys, and converted to string when the property set actually occurs. It turns out this gives an opportunity to trigger OOM by giving an object a key which is a very large sparse array (whose string representation is very large).

This case is now rejected by the deserializer.

BUG= chromium:686511
Review-Url: https://codereview.chromium.org/2697023002
Cr-Commit-Position: refs/heads/master@{#43249}

[modify] https://crrev.com/8990399dc7c2f36ba4f566a415a0823d229dff21/src/value-serializer.cc
[modify] https://crrev.com/8990399dc7c2f36ba4f566a415a0823d229dff21/test/unittests/value-serializer-unittest.cc
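The mechanism jbroman describes in the Feb 15 comment and in the commit message above, as an added example written for this page (it is not code from the bug, the fuzzer, or the V8 patch): a sparse array of length n costs only a tag and a varint-encoded length on the wire, but once it is used as a property key it is stringified into n - 1 commas, so a byte-count guard on the serialized input never sees the memory that is actually materialised. The function names, the two property setters and the serialized-size model are this example's own assumptions; the checked setter reproduces the patch's idea (reject anything that is not a string or number key before the property set) rather than its exact code.

```javascript
// Added example for this bug thread; not code from the bug, the fuzzer or the
// V8 patch. Function names, the property setters and the serialized-size model
// below are this example's own assumptions.

// Bytes needed to encode n as an unsigned LEB128-style varint, the general
// shape of V8's serialized lengths (assumption: tag bytes are not modelled).
function varintSize(n) {
  let size = 1;
  while (n >= 0x80) {
    n = Math.floor(n / 0x80);
    size++;
  }
  return size;
}

// Pre-fix behaviour: whatever value was deserialized becomes the key, and is
// only stringified (ToPropertyKey -> ToString) when the property is set.
function setPropertyUnchecked(obj, key, value) {
  obj[key] = value;
  return obj;
}

// Post-fix behaviour in spirit: only string and number keys are accepted,
// which is all a well-formed serializer emits; anything else is rejected
// before any stringification can happen.
function setPropertyChecked(obj, key, value) {
  if (typeof key !== 'string' && typeof key !== 'number') {
    throw new TypeError('deserializer: invalid object key of type ' + typeof key);
  }
  obj[key] = value;
  return obj;
}

// A sparse array of length n has no elements, so ToString joins n empty
// slots with "," and yields n - 1 commas. Returns the materialised key length.
function sparseArrayKeyLength(n) {
  const obj = setPropertyUnchecked({}, new Array(n), 1);
  return Object.keys(obj)[0].length;
}

// Ratio of key bytes materialised in memory to bytes of serialized input,
// assuming a sparse array costs a begin tag, a varint length and an end tag.
function amplification(n) {
  const serializedBytes = 2 + varintSize(n);
  return sparseArrayKeyLength(n) / serializedBytes;
}

// Whether the checked path rejects a sparse-array key without building it.
function checkedPathRejects(n) {
  try {
    setPropertyChecked({}, new Array(n), 1);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

function demo() {
  const n = 1 << 20; // 1M-slot sparse array, a few bytes on the wire
  console.log(`serialized length field: ${varintSize(n)} byte(s)`);
  console.log(`materialised key length: ${sparseArrayKeyLength(n)} chars`);
  console.log(`amplification: ~${Math.round(amplification(n))}x`);
  console.log(`checked deserializer rejects it: ${checkedPathRejects(n)}`);
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The point a practitioner should take from this is that a budget on deserialized input size does not bound what a later implicit conversion can allocate; the only robust fix is the one the patch takes, constraining the key's type before the property set rather than trying to estimate the size of the string it would produce.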
Feb 17 2017
ClusterFuzz has detected this issue as fixed in range 451108:451152.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5015347871875072

Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address:
Crash State:
  v8_serialized_script_value_fuzzer

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=440754:440763
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=451108:451152

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94llBArqgV7qr6B0p8s2BnSEv9HZ5zc61vMXhRnYdxEJh45paXzci2XcCcS8b0Q8E2J3PGq3lNqBwlitxd8quOE7EocPm160dbRxNpUNxeIPM6FWk2DSQWM1JNAmRFXlTBzzPKq8EhhDNMrykYLWVElkChDsLEKSs_HEJGx9HJ3Y5ihwFt85J9XmOKtiPx2k6ZmtNcd6THz8Uhamz2Tse9D7TeGWKl0ljdHvwBL7q9L7tptgHDUjIBYfmL7l23hty4ATFpri6HNEhl2EqJ0tzpkgwEpIRC5i6k4WgScTT86VRGvrWXAnLUus-jlHErHe-lbbLnciprqAlGoiJq8-Xrjs4iGps6XqqrivgjVCufbN9yEnHM?testcase_id=5015347871875072

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 17 2017
ClusterFuzz testcase 5015347871875072 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Feb 9 2017
Components: Blink>JavaScript
Labels: Test-Predator-Wrong M-58