!v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6114433966538752

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i

Regressed: V8: r40204:40205

Minimized Testcase (0.55 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv951z3aV3US6K7WzDkMhXXLXSnfjzdlm4vsevnaT67V_h61zxVjNKay-n3nkgsqfYbINIbvCR27dJKkM-f6DKaJ4zE58Am-ZArS4TE94ya7cvugZPQbIdD0WbPL7kVsF7cs-VK0tGQ7ToAIo48fG4UyOoW01DA?testcase_id=6114433966538752

__v_7 = new Array( Symbol());
__f_118();
( { })();
function __f_118() {
  function __f_52(__v_18, __v_47) {
    "use asm";
    var __f_72 = __v_47.__f_72;
    function __f_31(initial_value, new_value) {
      initial_value = initial_value|0;
      new_value = new_value|0;
      if ((__f_72()|0) == (initial_value|0)) {
      }
    }
    return {__f_31:__f_31};
  }
  function __f_17() {
    function __f_72() {
      return __v_7;
    }
    return {__f_72:__f_72};
  }
  var __v_47 = new __f_17();
  var module = __f_52({Math: Math}, __v_47);
  module.__f_31();
}

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 5 2016
Reduced test case:
var sym = Symbol();
function asm(stdlib, ffi) {
  "use asm";
  var get_sym = ffi.get_sym;
  function crash() {
    get_sym()|0;
  }
  return {crash: crash};
}
function get_sym() {
  return sym;
}
asm(null, {get_sym: get_sym}).crash();
This is missing support for wasm frames originating from asm.js in Isolate::ComputeLocationFromStackTrace.
Working on a fix.
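The reduced test case above exercises one boundary: an asm.js function calls back into JavaScript through the FFI and coerces the result with `|0`, which runs ToInt32 and hence ToNumber, and ToNumber on a Symbol throws. The following is an added regression-style harness, not code from the bug report or from V8, that drives that boundary with several inputs and checks that the engine surfaces an ordinary JS exception carrying a stack trace (the thing the crashing path failed to build) instead of aborting. It generalizes the Symbol case to any value whose ToNumber throws; all function and variable names are my own choices.

```javascript
// Added example, not from the bug report or from V8. An asm.js module coerces
// an FFI return value with "|0" (ToInt32 -> ToNumber). For a Symbol, or an
// object whose valueOf throws, that conversion throws, and the engine must
// report a normal JS exception with a location rather than hit a CHECK.

function buildAsmModule(stdlib, ffi) {
  "use asm";
  var getValue = ffi.getValue;
  // Coerce whatever the FFI returned to a signed 32-bit integer.
  function coerce() {
    var r = 0;
    r = getValue() | 0;
    return r | 0;
  }
  return { coerce: coerce };
}

// Instantiate a fresh module whose FFI returns `value`, call through the
// coercion, and report either the int result or the exception that escaped.
function probe(value) {
  var asmModule = buildAsmModule({ Math: Math }, {
    getValue: function () { return value; }
  });
  try {
    return { threw: false, result: asmModule.coerce() };
  } catch (e) {
    return {
      threw: true,
      name: e.name,
      // A usable stack trace is exactly what the crashing path failed to build.
      hasStack: typeof e.stack === "string" && e.stack.length > 0
    };
  }
}

// Constructed inputs (assumptions, not from the page): plain numbers, a numeric
// string, a value ToInt32 wraps, and two values whose ToNumber throws.
var CASES = {
  number: 42,
  numericString: "7",
  wraps: Math.pow(2, 31),
  symbol: Symbol("from-ffi"),
  throwingValueOf: {
    valueOf: function () { throw new RangeError("valueOf rejected"); }
  }
};

// Run every case and return the per-case outcome keyed by name.
function runRegressionChecks() {
  var out = {};
  for (var name in CASES) {
    out[name] = probe(CASES[name]);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runRegressionChecks(), null, 2));
}
```

Each probe links a new module instance so the FFI closure returns a different value per case; the numeric cases confirm the coercion itself behaves (including the ToInt32 wrap of 2^31), and the two throwing cases confirm the exception type propagates unchanged through the asm.js frame with a stack attached.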
Dec 5 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6a8dccb19731fe78ce0d576876677734a7c0ae5e

commit 6a8dccb19731fe78ce0d576876677734a7c0ae5e
Author: clemensh <clemensh@chromium.org>
Date: Mon Dec 05 19:29:38 2016

[wasm] Implement location from stack trace for asm.js frames

This avoids the crash which ClusterFuzz found, but still does not report
the same position as without validate.asm. For calls like "foo()|0", we
report the position of the call instead of the position of the "|" if
ToNumber throws an error.
After this CL, the correctness-fuzzer for validate-asm will probably find
mismatches there.

R=titzer@chromium.org
BUG=chromium:670808

Review-Url: https://codereview.chromium.org/2548323002
Cr-Commit-Position: refs/heads/master@{#41500}

[modify] https://crrev.com/6a8dccb19731fe78ce0d576876677734a7c0ae5e/src/isolate.cc
[modify] https://crrev.com/6a8dccb19731fe78ce0d576876677734a7c0ae5e/src/isolate.h
[add] https://crrev.com/6a8dccb19731fe78ce0d576876677734a7c0ae5e/test/mjsunit/regress/regress-670808.js
Dec 6 2016
ClusterFuzz has detected this issue as fixed in range 41499:41500.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6114433966538752

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in objects-i

Regressed: V8: r40204:40205
Fixed: V8: r41499:41500

Minimized Testcase (0.55 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv951z3aV3US6K7WzDkMhXXLXSnfjzdlm4vsevnaT67V_h61zxVjNKay-n3nkgsqfYbINIbvCR27dJKkM-f6DKaJ4zE58Am-ZArS4TE94ya7cvugZPQbIdD0WbPL7kVsF7cs-VK0tGQ7ToAIo48fG4UyOoW01DA?testcase_id=6114433966538752

__v_7 = new Array( Symbol());
__f_118();
( { })();
function __f_118() {
  function __f_52(__v_18, __v_47) {
    "use asm";
    var __f_72 = __v_47.__f_72;
    function __f_31(initial_value, new_value) {
      initial_value = initial_value|0;
      new_value = new_value|0;
      if ((__f_72()|0) == (initial_value|0)) {
      }
    }
    return {__f_31:__f_31};
  }
  function __f_17() {
    function __f_72() {
      return __v_7;
    }
    return {__f_72:__f_72};
  }
  var __v_47 = new __f_17();
  var module = __f_52({Math: Math}, __v_47);
  module.__f_31();
}

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 6 2016
ClusterFuzz testcase 6114433966538752 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Dec 2 2016
Labels: Test-Predator-Wrong
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)