Only reproduces with --harmony-function-tostring and hence started happening since fa31434127441d07fdf91ca506b20af7719ee4f9 which staged that feature. Adam, could you help finding the right owner for this?

Hits unreachable code in the pattern rewriter ...

$ ./out/x64.debug/d8 --harmony-function-tostring ~/Downloads/clusterfuzz-testcase-minimized-6191356228927488.js 

#
# Fatal error in ../src/parsing/pattern-rewriter.cc, line 712
# unreachable code
#

Assigning to jwolfe who's working on this feature.

I don't think this is really a Function.prototype.toString bug but rather an async function parsing bug. The old Function constructor blocked the case, but it's available in the parser generally. Here's a more minimal test case:

(function (async function() {}) {})()

This is a really quick fix; I have a patch coming.

See the patch at https://chromium-review.googlesource.com/c/567002/

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/cad3c5a1665594c611ade0deb918447b1fee083f

commit cad3c5a1665594c611ade0deb918447b1fee083f
Author: Daniel Ehrenberg <littledan@chromium.org>
Date: Wed Jul 12 13:21:54 2017

[parser] Disallow async functions as destructuring targets

This patch teaches the parser that async functions are not valid
destructuring targets so that it can cleanly exit with a SyntaxError.
Previously, async functions used in the wrong position would lead
to a check failure.

Bug:  chromium:740366 
Change-Id: Ie5b0cf50326c3f96174c6b29d0ccedb5da4f75a2
Reviewed-on: https://chromium-review.googlesource.com/567002
Reviewed-by: Adam Klein <adamk@chromium.org>
Reviewed-by: Caitlin Potter <caitp@igalia.com>
Commit-Queue: Daniel Ehrenberg <littledan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46587}
[modify] https://crrev.com/cad3c5a1665594c611ade0deb918447b1fee083f/src/parsing/parser-base.h
[modify] https://crrev.com/cad3c5a1665594c611ade0deb918447b1fee083f/test/cctest/test-parsing.cc

ClusterFuzz has detected this issue as fixed in range 486166:486194.

Detailed report: https://clusterfuzz.com/testcase?key=6191356228927488

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  NULL
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=460866:460935
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=486166:486194

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191356228927488


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6191356228927488 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.