Issue 719280

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

CHECK failure: dotall() implies FLAG_harmony_regexp_dotall in regexp-parser.cc

Project Member Reported by ClusterFuzz, May 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5050706389368832

Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  dotall() implies FLAG_harmony_regexp_dotall in regexp-parser.cc
  RegExpParser
  v8::internal::RegExpParser::ParseRegExp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=461103:461130

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5050706389368832


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Cc: msrchandra@chromium.org
Components: Blink>JavaScript
Labels: Test-Predator-Correct-CLs M-59
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: jgruber
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/cec39ad1ade5b38a7b203e9cc64cca867196f33a
Time: Fri Mar 31 09:20:13 2017
Line 44 of file regexp-parser.cc, which potentially caused the crash, is changed in this CL (frame #7, "RegExpParser"). 

File objects.cc is changed in this cl (and is part of stack frame #10, "v8::internal::JSRegExp::Initialize"; frame #11, "v8::internal::JSRegExp::New")
Minimum distance from crash line to modified line: 0. (file: regexp-parser.cc, crashed on: 44, modified: 44).

@jgruber -- Could you please look into the issue, kindly re-assign if this issue is not related to your changes.
Thank You.
Status: Started (was: Assigned)
Thanks for triaging, looking.
Looks like the test makes V8 deserialize a JSRegExp with the dotall flag while the running V8 instance does not have FLAG_harmony_regexp_dotall set.

I guess the best way to fix this is by making ValueDeserializer::ReadJSRegExp mask out flags to ensure they're in a valid state.
Comment 4 by bugdroid1@chromium.org (Project Member), May 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/540419b660ae8da1d24767be5b95fc0421680580

commit 540419b660ae8da1d24767be5b95fc0421680580
Author: jgruber <jgruber@chromium.org>
Date: Wed May 10 08:52:21 2017

[value-serializer] Verify deserialized JSRegExp flags

One of the serializer fuzzers passes in random data to the deserializer,
which can then be used to deserialize a JSRegExp instance with random flag
contents. This can cause issues since the JSRegExp::Flag enum statically
contains kDotAll - but it is only valid to set kDotAll iff
FLAG_harmony_regexp_dotall is set.

This CL verifies deserialized flags before constructing the JSRegExp
and bails out if they are invalid.

R=jbroman@chromium.org,yangguo@chromium.org
BUG= chromium:719280 

Review-Url: https://codereview.chromium.org/2870743004
Cr-Commit-Position: refs/heads/master@{#45222}

[modify] https://crrev.com/540419b660ae8da1d24767be5b95fc0421680580/src/value-serializer.cc
[modify] https://crrev.com/540419b660ae8da1d24767be5b95fc0421680580/test/unittests/value-serializer-unittest.cc

Status: Fixed (was: Started)
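
The check described in comment 3 and in the commit above, written out as a stand-alone C++ example. This is added illustration, not code from V8's value-serializer.cc: the flag layout mirrors V8's JSRegExp::Flag enum but the exact bit values, the g_harmony_regexp_dotall switch, the varint framing and every function name here are assumptions. It shows the two points that matter for the bug: the set of acceptable flag bits has to come from the runtime configuration rather than from the statically known enum, and a flags word read from untrusted serialized data is rejected before anything downstream (such as the regexp parser with its CHECK) can see it.

```cpp
// Added example (not V8's code): validating JSRegExp flag bits read from an
// untrusted serialized buffer before the JSRegExp is constructed. Flag layout
// is modelled on V8's JSRegExp::Flag enum; exact values, the runtime switch
// and the varint framing are assumptions made for this illustration.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace regexp_flags_demo {

// Flag bits as the serializer writes them (assumed layout).
enum Flag : uint32_t {
  kNone       = 0,
  kGlobal     = 1u << 0,
  kIgnoreCase = 1u << 1,
  kMultiline  = 1u << 2,
  kSticky     = 1u << 3,
  kUnicode    = 1u << 4,
  kDotAll     = 1u << 5,  // only valid while the dotAll feature is enabled
};

// Stand-in for FLAG_harmony_regexp_dotall: a process-wide runtime switch.
bool g_harmony_regexp_dotall = false;

// Bits a deserialized flags word may legally contain. The set depends on the
// runtime configuration, which is exactly what a static enum cannot express.
uint32_t AllowedFlagMask() {
  uint32_t mask = kGlobal | kIgnoreCase | kMultiline | kSticky | kUnicode;
  if (g_harmony_regexp_dotall) mask |= kDotAll;
  return mask;
}

// Verify-and-bail-out policy: any bit outside the allowed set (an unknown
// bit, or kDotAll while the feature is off) makes the whole value invalid.
// Nothing is masked away silently. Returns true and stores the flags in
// *out only when the word is acceptable as-is.
bool VerifyRegExpFlags(uint32_t raw, uint32_t* out) {
  if ((raw & ~AllowedFlagMask()) != 0) return false;
  *out = raw;
  return true;
}

// Minimal LEB128-style varint decoder (assumed framing for the flags word).
// Returns false on truncated or over-long input.
bool ReadVarint(const std::vector<uint8_t>& buf, size_t* pos, uint32_t* value) {
  uint32_t result = 0;
  unsigned shift = 0;
  while (*pos < buf.size() && shift < 32) {
    uint8_t byte = buf[(*pos)++];
    result |= static_cast<uint32_t>(byte & 0x7f) << shift;
    if ((byte & 0x80) == 0) {
      *value = result;
      return true;
    }
    shift += 7;
  }
  return false;
}

// Simulated "read a JSRegExp" step. The bytes are attacker-controlled (a
// fuzzer payload here), so the flags word is validated before it is handed
// to any constructor or parser. Returns true and sets *flags on success.
bool DeserializeRegExpFlags(const std::vector<uint8_t>& buf, uint32_t* flags) {
  size_t pos = 0;
  uint32_t raw = 0;
  if (!ReadVarint(buf, &pos, &raw)) return false;  // truncated input
  return VerifyRegExpFlags(raw, flags);             // invalid bits: bail out
}

}  // namespace regexp_flags_demo
```

With g_harmony_regexp_dotall left at false, a constructed one-byte payload 0x21 (kGlobal | kDotAll) is rejected, the same payload is accepted once the switch is on, and a word carrying an undefined high bit is rejected in both configurations. Bailing out rather than masking (the alternative floated in comment 3) is the safer choice for a deserializer: the payload is already known to be malformed, so failing closed avoids constructing an object from bits the sender never legitimately produced, and it reuses the failure path the deserializer already has for truncated input.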
Comment 6 by ClusterFuzz (Project Member), May 13 2017

ClusterFuzz has detected this issue as fixed in range 471277:471297.

Detailed report: https://clusterfuzz.com/testcase?key=5050706389368832

Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  dotall() implies FLAG_harmony_regexp_dotall in regexp-parser.cc
  RegExpParser
  v8::internal::RegExpParser::ParseRegExp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=461103:461130
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=471277:471297

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5050706389368832


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.