Issue 617527
Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

!v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i

Project Member Reported by ClusterFuzz, Jun 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6701724974972928

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i
  

Minimized Testcase (8.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv971DxPbHH2gAbRVunUDo3dkg3CAEwGKpyKwh-PnDRg6K9eUkHhRfV62N-EsM-u6cB0mEzDukHcFe_77wMqFPU04bnQBbjk2oVRQDN3444H0siUVNF7yvMiKyezpGB3U6xZ_L9k3UUpVkjO9ElMcvG2_oylwgA

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Related to the to-string conversion when the Array prototype is monkey-patched. Seems like it has been in the code for a while. Reproduces as follows on tip-of-tree ...

$ git checkout bc0798ca1a7e28eb82f03f40184b3b252f389fc4
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --enable-slow-asserts --omit-quit boom.js
$ cat boom.js 
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Install an accessor at index "1" on Array.prototype, so reading element 1
// of any array that lacks that own element becomes observable user code.
// The unqualified `toLocaleString` resolves through the global object's
// prototype chain to Object.prototype.toLocaleString.
Object.defineProperty(Array.prototype, "1", {
  get: toLocaleString,
  set: function(value) { }
});

// Invalid flags argument: throws a SyntaxError whose stack-trace formatting
// (messages.js) performs the array access that reaches the getter above.
new RegExp(0, Uint16Array);
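The underlying hazard in this testcase is that ordinary element access on an array is observable once Array.prototype carries an accessor: any index the array does not own falls through to the prototype and runs attacker-controlled code in the middle of what was meant to be internal bookkeeping. The following is an added example, not code from this bug or from V8's fix; the helpers `formatNaive`, `formatOwnOnly` and `runDemo` are hypothetical, and the holey input array is constructed for the demo. It contrasts a naive formatter that reads `values[1]` directly with one that consults only own properties, and counts how often the injected getter is observed.

```javascript
// Added example (not from the V8 bug tracker or the V8 fix). Shows why
// element access on an array becomes observable once Array.prototype is
// monkey-patched with an accessor, and one way to make the access unobservable.

// Counts how often the injected prototype getter runs.
let getterCalls = 0;

// Hypothetical "internal" helper: reads index 1 directly. If the array has no
// own element at 1, the lookup continues on Array.prototype.
function formatNaive(values) {
  return String(values[0]) + ": " + String(values[1]);
}

// Hardened variant: only reads elements the array actually owns, so a
// prototype accessor is never reached. Missing entries render as "undefined",
// which is what an unpatched prototype chain would have produced.
function formatOwnOnly(values) {
  const own = (i) =>
    Object.prototype.hasOwnProperty.call(values, i) ? values[i] : undefined;
  return String(own(0)) + ": " + String(own(1));
}

function runDemo() {
  // Constructed input: a holey array of length 2 with no own element at index 1.
  const holey = ["message"];
  holey.length = 2;

  // Monkey-patch Array.prototype index "1" with an accessor, as the testcase does.
  Object.defineProperty(Array.prototype, "1", {
    configurable: true,
    get() { getterCalls++; return "injected"; },
    set(value) {}
  });

  const naive = formatNaive(holey);        // getter runs; output is attacker-controlled
  const callsAfterNaive = getterCalls;
  const hardened = formatOwnOnly(holey);   // getter is never consulted
  const callsAfterHardened = getterCalls;

  // Restore the prototype so the rest of the program is unaffected.
  delete Array.prototype[1];

  return { naive, hardened, callsAfterNaive, callsAfterHardened };
}
```

Run `runDemo()`: the naive formatter returns `"message: injected"` after one getter invocation, while the own-property formatter returns `"message: undefined"` without invoking it again. Engine-internal or privileged library code that formats error messages or stack traces needs the second shape (or data it fully owns) so that script-level prototype changes cannot run during the operation.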
Owner: yangguo@chromium.org
Labels: backport-review Merge-Request-52 Merge-Request-51
Status: Assigned (was: Available)
Project Member

Comment 5 by bugdroid1@chromium.org, Jun 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/85b8c2dc4aee1031ac02f9d7c02d5c1aa76bc2ba

commit 85b8c2dc4aee1031ac02f9d7c02d5c1aa76bc2ba
Author: yangguo <yangguo@chromium.org>
Date: Tue Jun 07 08:36:43 2016

Fix observable array access when formatting stack trace.

This is a fix intended to be merged. Ideally messages.js should be rewritten.

R=bmeurer@chromium.org
BUG= chromium:617527 

Review-Url: https://codereview.chromium.org/2044823002
Cr-Commit-Position: refs/heads/master@{#36775}

[modify] https://crrev.com/85b8c2dc4aee1031ac02f9d7c02d5c1aa76bc2ba/src/js/messages.js

Project Member

Comment 6 by ClusterFuzz, Jun 8 2016

ClusterFuzz has detected this issue as fixed in range 36774:36775.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6701724974972928

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSReceiver()) in objects-i
  
Fixed: V8: r36774:36775

Minimized Testcase (8.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv971DxPbHH2gAbRVunUDo3dkg3CAEwGKpyKwh-PnDRg6K9eUkHhRfV62N-EsM-u6cB0mEzDukHcFe_77wMqFPU04bnQBbjk2oVRQDN3444H0siUVNF7yvMiKyezpGB3U6xZ_L9k3UUpVkjO9ElMcvG2_oylwgA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)

Comment 8 by tin...@google.com, Jun 8 2016

Labels: -Merge-Request-51 Merge-Review-51 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M51), manual review required.

Comment 9 by tin...@google.com, Jun 8 2016

Labels: -Merge-Request-52 Merge-Approved-52 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M52 (branch: 2743)
Project Member

Comment 10 by bugdroid1@chromium.org, Jun 8 2016

Labels: merge-merged-5.2
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e3b815914fa3ff83144175d9322504a31e604f49

commit e3b815914fa3ff83144175d9322504a31e604f49
Author: Yang Guo <yangguo@chromium.org>
Date: Wed Jun 08 07:51:09 2016

Version 5.2.361.18 (cherry-pick)

Merged 85b8c2dc4aee1031ac02f9d7c02d5c1aa76bc2ba

Fix observable array access when formatting stack trace.

BUG= chromium:617527 
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/2040393002 .

Cr-Commit-Position: refs/branch-heads/5.2@{#23}
Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

[modify] https://crrev.com/e3b815914fa3ff83144175d9322504a31e604f49/include/v8-version.h
[modify] https://crrev.com/e3b815914fa3ff83144175d9322504a31e604f49/src/js/messages.js

Project Member

Comment 11 by bugdroid1@chromium.org, Jun 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ada6fa1fda8369f538bbd6cd7013a20e61a7ae1c

commit ada6fa1fda8369f538bbd6cd7013a20e61a7ae1c
Author: yangguo <yangguo@chromium.org>
Date: Wed Jun 08 07:53:18 2016

Add test case for 85b8c2dc (fix observable array access in messages.js).

R=bmeurer@chromium.org
BUG= chromium:617527 

Review-Url: https://codereview.chromium.org/2045153002
Cr-Commit-Position: refs/heads/master@{#36813}

[add] https://crrev.com/ada6fa1fda8369f538bbd6cd7013a20e61a7ae1c/test/mjsunit/regress/regress-crbug-617527.js

Please have the CL merged to M52 branch so that it gets picked up for Beta Promotion scheduled on 06/15.
Labels: -Merge-Review-51 Merge-Approved-51
Merge approved for M51 (branch 2704)
Labels: mer
V8 version 5.2 corresponds to M52 btw.
Labels: -mer
Project Member

Comment 16 by bugdroid1@chromium.org, Jun 10 2016

Labels: merge-merged-5.1
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7bd2476771628ccf089c5efa37e1bb612ee663dc

commit 7bd2476771628ccf089c5efa37e1bb612ee663dc
Author: Yang Guo <yangguo@chromium.org>
Date: Fri Jun 10 05:59:16 2016

Version 5.1.281.65 (cherry-pick)

Merged 85b8c2dc4aee1031ac02f9d7c02d5c1aa76bc2ba

Fix observable array access when formatting stack trace.

BUG= chromium:617527 
LOG=N
R=hablich@chromium.org

Review URL: https://codereview.chromium.org/2051383002 .

Cr-Commit-Position: refs/branch-heads/5.1@{#76}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/7bd2476771628ccf089c5efa37e1bb612ee663dc/include/v8-version.h
[modify] https://crrev.com/7bd2476771628ccf089c5efa37e1bb612ee663dc/src/js/messages.js

Seems to have been merged into both M51 and M52. If that is correct and there is no other merge pending into those branches, please remove the Merge-Approved-51 and Merge-Approved-52 labels. Thank you!
Confirmed with Dev yangguo@ :
that it is merged to M52 branch
5.2 is the corresponding v8 version for M52
Project Member

Comment 19 by sheriffbot@chromium.org, Jun 11 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-51 -Merge-Approved-52 Merge-Merged
Labels: -ClusterFuzz -backport-review Clusterfuzz backport-done
No further backport needed for Node.js.
Labels: -Backport-Done NodeJS-Backport-Done
Project Member

Comment 23 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot