This is mine, I actually realized this issue yesterday and am already crunching on a fix for it.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b4948f1b81248f0a739a075ee4dcae6cd14a269a

commit b4948f1b81248f0a739a075ee4dcae6cd14a269a
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Thu May 11 12:25:26 2017

[asm.js] Test and fix function (table) immutability.

This makes sure that function variables as well as function table
variables are properly typed as immutable, hence assignments to them
should cause validation failures.

R=clemensh@chromium.org
TEST=mjsunit/asm/immutable
BUG= chromium:721271 

Change-Id: Ia3f65fd0782ca571ffcf99520fdbd8fc5a359d16
Reviewed-on: https://chromium-review.googlesource.com/503209
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45256}
[modify] https://crrev.com/b4948f1b81248f0a739a075ee4dcae6cd14a269a/src/asmjs/asm-parser.cc
[add] https://crrev.com/b4948f1b81248f0a739a075ee4dcae6cd14a269a/test/mjsunit/asm/immutable.js

ClusterFuzz has detected this issue as fixed in range 45255:45256.

Detailed report: https://clusterfuzz.com/testcase?key=5816247869767680

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_local ? info->kind == VarKind::kLocal : info->kind == VarKind::kGlobal in asm
  v8::internal::wasm::AsmJsParser::AssignmentExpression
  v8::internal::wasm::AsmJsParser::Expression
  
Sanitizer: address (ASAN)

Regressed: V8: 45077:45078
Fixed: V8: 45255:45256

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5816247869767680


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.