Reproduces nicely. Bisects to the following change ...

commit 535a5f962407b92701e04adea709a990f88b4646 (HEAD)
Author: Mircea Trofin <mtrofin@chromium.org>
Date:   Wed Jun 28 18:14:44 2017 -0700

    [wasm] Disabling wasm-opts
    
    It appears we actually get a compile time boost, and sometimes a
    runtime boost, at the cost of some reloc info growth.
    
    Bug:
    Change-Id: I1d1dc48f364e6611f895ebd00f86451199dd8626
    Reviewed-on: https://chromium-review.googlesource.com/544713
    Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
    Reviewed-by: Brad Nelson <bradnelson@chromium.org>
    Reviewed-by: Ben Titzer <titzer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#46302}

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/7e8ae6a8f483644bc80ae6f5127cd4327e603d01

commit 7e8ae6a8f483644bc80ae6f5127cd4327e603d01
Author: Mircea Trofin <mtrofin@chromium.org>
Date: Mon Aug 28 23:05:14 2017

[regalloc] Validator: handle aliasing first class.

The validator was trying to finalize virtual register assignments in
phi cases, however, since phis may create aliases, we ended up with
an unnecessarily complex design that was the source of pretty much all
validator bugs since its introduction.

This change embraces the fact that phis may create aliases: pending
assessments (==phis) carry a bag of aliased virtual registers. 

Bug:  chromium:758778 
Change-Id: Ib7ded350a726fbc77e9d0ff3eeda7f00acc4de13
Reviewed-on: https://chromium-review.googlesource.com/639530
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47657}
[modify] https://crrev.com/7e8ae6a8f483644bc80ae6f5127cd4327e603d01/src/compiler/register-allocator-verifier.cc
[modify] https://crrev.com/7e8ae6a8f483644bc80ae6f5127cd4327e603d01/src/compiler/register-allocator-verifier.h

ClusterFuzz has detected this issue as fixed in range 498073:498087.

Detailed report: https://clusterfuzz.com/testcase?key=5860644401446912

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (old) != nullptr in register-allocator-verifier.cc
  v8::internal::compiler::RegisterAllocatorVerifier::ValidateFinalAssessment
  v8::internal::compiler::RegisterAllocatorVerifier::ValidatePendingAssessment
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=483315:483373
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=498073:498087

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5860644401446912

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5860644401446912 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.