V8 correctness failure in configs: x64,ignition:x64,ignition_asm

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4509604565483520
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ed0
Sanitizer: address (ASAN)
Regressed: V8: 44941:44942
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4509604565483520

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 12 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/fe9c60c17561312b7c01d19ff2fdb7f20a56031a

commit fe9c60c17561312b7c01d19ff2fdb7f20a56031a
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Fri May 12 12:11:06 2017

[asm.js] Maintain global order of exported functions.

This makes sure that the order of exports as they appear in asm.js modules is maintained globally (not just per function) while being translated to a WASM module.

R=clemensh@chromium.org
TEST=mjsunit/asm/asm-validation
BUG=chromium:720586

Change-Id: I8b26d717ae2f88467d41670bced901f196c7b3fc
Reviewed-on: https://chromium-review.googlesource.com/503708
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45277}

[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/asmjs/asm-parser.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/wasm/wasm-module-builder.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/src/wasm/wasm-module-builder.h
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/cctest/wasm/test-run-wasm-module.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-call.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-code.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/fuzzer/wasm-compile.cc
[modify] https://crrev.com/fe9c60c17561312b7c01d19ff2fdb7f20a56031a/test/mjsunit/asm/asm-validation.js
May 12 2017

May 13 2017

ClusterFuzz has detected this issue as fixed in range 45276:45277.

Detailed report: https://clusterfuzz.com/testcase?key=4509604565483520
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: ed0
Sanitizer: address (ASAN)
Regressed: V8: 44941:44942
Fixed: V8: 45276:45277
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4509604565483520

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mstarzinger@chromium.org, May 11 2017
Status: Assigned (was: Untriaged)
This is due to the order of exports being off. The following is the dump of the asm.js export object with and without translation to WASM.

=== Expected order (without --validate-asm):

DebugPrint: 0xb7d27a0edf1: [JS_OBJECT_TYPE]
 - map = 0x3275e6890699 [FastProperties]
 - prototype = 0x37f1ab584471
 - elements = 0x10d25fa02241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - properties = 0x10d25fa02241 <FixedArray[0]> {
    #__f_39: 0xb7d27a0e979 <JSFunction __f_39 (sfi = 0x37f1ab5b1281)> (data field 0)
    #__f_38: 0xb7d27a0e9c1 <JSFunction __f_38 (sfi = 0x37f1ab5b1359)> (data field 1)
    #__f_40: 0xb7d27a0ea09 <JSFunction __f_40 (sfi = 0x37f1ab5b1431)> (data field 2)
    #__f_30: 0xb7d27a0ea51 <JSFunction __f_30 (sfi = 0x37f1ab5b1509)> (data field 3)
    #__f_17: 0xb7d27a0eae1 <JSFunction __f_17 (sfi = 0x37f1ab5b16b9)> (data field 4)
    #__f_3: 0xb7d27a0ea99 <JSFunction __f_3 (sfi = 0x37f1ab5b15e1)> (data field 5)
 }

=== Observed order (with --validate-asm):

DebugPrint: 0x320e04c8ed29: [JS_OBJECT_TYPE]
 - map = 0x2917b8107f9 [FastProperties]
 - prototype = 0x32b46304471
 - elements = 0x3464f6302241 <FixedArray[0]> [FAST_HOLEY_ELEMENTS]
 - properties = 0x3464f6302241 <FixedArray[0]> {
    #__f_39: 0x32b46331aa9 <JSFunction __f_39 (sfi = 0x32b46331929)> (const data descriptor)
    #__f_38: 0x32b46331ca1 <JSFunction __f_38 (sfi = 0x32b46331b21)> (const data descriptor)
    #__f_40: 0x32b46331eb1 <JSFunction __f_40 (sfi = 0x32b46331d31)> (const data descriptor)
    #__f_30: 0x32b463320c1 <JSFunction __f_30 (sfi = 0x32b46331f41)> (const data descriptor)
    #__f_3: 0x32b463322d1 <JSFunction __f_3 (sfi = 0x32b46332151)> (const data descriptor)
    #__f_17: 0x32b463324e1 <JSFunction __f_17 (sfi = 0x32b46332361)> (const data descriptor)
 }
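The property the two foozzie configs disagreed on is directly observable from JavaScript: the enumeration order of the object an asm.js module returns. The following is an added example, not the ClusterFuzz testcase (source "ed0" is not reproduced on this page) and not V8 code. It builds a small "use asm" module whose export names follow the DebugPrint dump above, reads the export order back from the module's own source text, instantiates the module, and compares the two in the same differential spirit as foozzie. The function bodies, the declaration order (__f_3 declared before __f_17 but exported after it) and the 64 KiB heap are assumptions made for the example.

```javascript
// Added example for this bug thread (not the ClusterFuzz testcase and not V8
// code). It checks the property foozzie saw diverge between the plain and the
// --validate-asm configs: the enumeration order of the object an asm.js
// module returns. Function names follow the DebugPrint dump in the thread;
// bodies, declaration order and heap size are assumptions made here.

function AsmModule(stdlib, foreign, heap) {
  "use asm";
  // Assumption: declaration order deliberately differs from export order,
  // __f_3 is declared before __f_17 but exported after it.
  function __f_3()  { return 3; }
  function __f_17() { return 17; }
  function __f_30() { return 30; }
  function __f_38() { return 38; }
  function __f_39() { return 39; }
  function __f_40() { return 40; }
  // The export object literal. ES2015+ enumerates string keys in insertion
  // order, so this order is visible to scripts; the asm.js to WASM
  // translation has to reproduce it exactly, globally, not per function.
  return { __f_39: __f_39, __f_38: __f_38, __f_40: __f_40,
           __f_30: __f_30, __f_17: __f_17, __f_3: __f_3 };
}

// Expected order: the keys of the final "return { ... }" object literal,
// read back from the module's source text (Function.prototype.toString
// returns the source as written for function declarations).
function declaredExportOrder(moduleFn) {
  const src = moduleFn.toString();
  const m = /return\s*\{([^{}]*)\}\s*;?\s*\}\s*$/.exec(src);
  if (!m) throw new Error("module does not end in a 'return { ... }' export object");
  return m[1]
    .split(",")
    .map(entry => entry.split(":")[0].trim())
    .filter(name => name.length > 0);
}

// Observed order: instantiate the module and enumerate the export object.
// A 64 KiB ArrayBuffer satisfies asm.js linking rules (power of two, at
// least 4 KiB). If validation fails for any reason V8 silently falls back to
// plain JS, in which case only the non-asm path is exercised.
function observedExportOrder(moduleFn) {
  const heap = new ArrayBuffer(64 * 1024);
  const exports = moduleFn(globalThis, {}, heap);
  return Object.keys(exports);
}

// Differential check: same source, compare the observable result. On a V8 in
// the regressed range (44942 up to 45276) running this under d8 with and
// without --validate-asm is where the two orders would come apart.
function checkExportOrder(moduleFn) {
  const declared = declaredExportOrder(moduleFn);
  const observed = observedExportOrder(moduleFn);
  return { declared, observed, ok: declared.join(",") === observed.join(",") };
}

// Sanity check that every export is a callable returning an integer, i.e.
// the order check is looking at real function exports, not just names.
function exportsCallable(moduleFn) {
  const exports = moduleFn(globalThis, {}, new ArrayBuffer(64 * 1024));
  return Object.keys(exports).every(
    k => typeof exports[k] === "function" && Number.isInteger(exports[k]()));
}

const result = checkExportOrder(AsmModule);
console.log(result.ok ? "export order preserved" : "export order differs", result);
```

On a fixed V8 (45277 and later) the declared and observed lists match whether or not asm.js validation is on; to see the divergence from the thread you need a build from the regressed range, since the fallback to plain JS on validation failure would otherwise hide it.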