Something to look into. After code generation, the instruction which fails later looks like this:
  0x316f64984282    62  48bb0fd0e81c687f0000 REX.W movq rbx,0x7f681ce8d00f    ;; wasm memory reference
  0x316f6498428c    6c  894314         movl [rbx+0x14],rax

Later, when it fails, it looks like this:
  0x316f64984282    62  48bb1f10a339d0fe0000 REX.W movq rbx,0xfed039a3101f    ;; wasm memory reference
  0x316f6498428c    6c  894314         movl [rbx+0x14],rax

Hence, the memory reference has been patched. The original address is still accessible, the new address is not.

Hi Deepti, this is a grow memory issue. Can you take a look please? I attached a reduced mjsunit test case.
Thanks, Andreas

Deleted: regression-763439.js 805 bytes

regression-763439.js 805 bytes View Download

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/327df0b8c2831ae60ce492221754bba7b54de492

commit 327df0b8c2831ae60ce492221754bba7b54de492
Author: Deepti Gandluri <gdeepti@chromium.org>
Date: Wed Sep 20 22:52:31 2017

[wasm] Fix memory initialization on instantiate

Memory instantiate on initialize should always patch memory
references. If memory references are not patched for no initial
memory, on subsequent calls to grow_memory in wasm functions for
instances that share a module, the references will be patched
without resetting cloned compiled values to their correct initial
values.

BUG= chromium:763439 

Change-Id: I666439332379b02aa344e99d61ef3dc88ab86cc8
Reviewed-on: https://chromium-review.googlesource.com/674707
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48097}
[modify] https://crrev.com/327df0b8c2831ae60ce492221754bba7b54de492/src/wasm/module-compiler.cc
[add] https://crrev.com/327df0b8c2831ae60ce492221754bba7b54de492/test/mjsunit/regress/wasm/regression-763439.js
[modify] https://crrev.com/327df0b8c2831ae60ce492221754bba7b54de492/test/mjsunit/wasm/import-memory.js

ClusterFuzz has detected this issue as fixed in range 503331:503365.

Detailed report: https://clusterfuzz.com/testcase?key=6616003734929408

Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::CallInternal
  v8::internal::wasm::testing::CallWasmFunctionForTesting
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=503331:503365

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6616003734929408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6616003734929408 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

see https://bugs.chromium.org/p/chromium/issues/detail?id=782102#c14

 Issue 782102  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b60438869987952083597c2ce55a9abdba19d557

commit b60438869987952083597c2ce55a9abdba19d557
Author: Deepti Gandluri <gdeepti@chromium.org>
Date: Thu Nov 09 09:51:18 2017

Merged: [wasm] Fix memory initialization on instantiate

Memory instantiate on initialize should always patch memory
references. If memory references are not patched for no initial
memory, on subsequent calls to grow_memory in wasm functions for
instances that share a module, the references will be patched
without resetting cloned compiled values to their correct initial
values.

BUG= chromium:763439 
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I666439332379b02aa344e99d61ef3dc88ab86cc8
Reviewed-on: https://chromium-review.googlesource.com/674707
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#48097}(cherry picked from commit 327df0b8c2831ae60ce492221754bba7b54de492)
Reviewed-on: https://chromium-review.googlesource.com/759778
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.2@{#84}
Cr-Branched-From: efa2ac4129d30c7c72e84c16af3d20b44829f990-refs/heads/6.2.414@{#1}
Cr-Branched-From: a861ebb762a60bf5cc2a274faee3620abfb06311-refs/heads/master@{#47693}
[modify] https://crrev.com/b60438869987952083597c2ce55a9abdba19d557/src/wasm/module-compiler.cc
[add] https://crrev.com/b60438869987952083597c2ce55a9abdba19d557/test/mjsunit/regress/wasm/regression-763439.js
[modify] https://crrev.com/b60438869987952083597c2ce55a9abdba19d557/test/mjsunit/wasm/import-memory.js