Issue 771474

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




CHECK failure: scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc

Project Member Reported by ClusterFuzz, Oct 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5464031245893632

Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5464031245893632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Components: -Blink>JavaScript Blink>JavaScript>Parser
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
Seems to be caused by "--preparser-scope-analysis". Reproduces nicely. The following is a reduced repro and triggers slightly different asserts between release and debug mode.

function f() {
  try {
  } catch(e) {
    if (false) {
      function e() { return 42 }
    }
  }
}
f();

Comment 2 by marja@chromium.org, Oct 4 2017

Looking. Probably a bug related to sloppy block function hoisting (in the preparser) when the catch variable name clashes with the function name.
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 4 2017

Labels: M-61
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 4 2017

Labels: Pri-1
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f6f5bafe4133038112d7e00426957c167bc5966d

commit f6f5bafe4133038112d7e00426957c167bc5966d
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Oct 05 12:00:45 2017

[parser] Skipping inner funcs: Fix hoisting.

The catch variable is a special VAR-mode variable which is not in a declaration
scope. Normally creating such a variable is not possible with DeclareVariable,
but Parser bypasses it by calling DeclareLocal directly (which doesn't have the
hoisting check).

PreParser used to cut corners and declare the catch variable as a LET-mode
variable to prevent hoisting.

But since LET and VAR variables behave differently when deciding whether they
block sloppy block function hoisting, that approach doesn't fly.

BUG=v8:5516, chromium:771474

Change-Id: Ic6f5f4996416c9fa59132725c8b0b6b570c72f48
Reviewed-on: https://chromium-review.googlesource.com/700634
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48308}
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/ast/scopes.cc
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/ast/scopes.h
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/src/parsing/preparser.h
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/test/cctest/parsing/test-preparser.cc
[modify] https://crrev.com/f6f5bafe4133038112d7e00426957c167bc5966d/test/mjsunit/skipping-inner-functions.js

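The commit message above turns on one rule: in sloppy mode a function declared inside a block is also hoisted to the enclosing function scope (ECMAScript Annex B.3.3), unless a lexical (LET-mode) binding of the same name would make that hoisting an early error, while a VAR-mode binding does not block it. The reduced repro in the first comment has the same shape (a function declaration inside an `if (false)` block). The following is an added example, not code from the bug report or from the V8 commit, that shows the observable behaviour the preparser has to model. Each case is built with `new Function` so that its body runs in sloppy mode regardless of how the surrounding file is loaded; the binding names `g` and `h` are arbitrary.

```javascript
// Added example (not from the bug report or the V8 commit): sloppy-mode block
// function hoisting (ECMAScript Annex B.3.3). Each case is built with
// new Function so the body is always evaluated in sloppy mode, even if this
// file itself is strict (e.g. loaded as an ES module).

// A VAR-mode binding of the same name does not block hoisting: once the block
// runs, the function-scoped `g` is overwritten with the block's function.
const varDoesNotBlock = new Function(`
  var g = 0;
  { function g() { return 1; } }
  return typeof g;            // "function"
`);

// A LET-mode binding of the same name blocks hoisting, because replacing the
// declaration with "var g" inside the block would collide with the lexical
// `g` and be an early error; `g` therefore keeps its numeric value.
const letBlocks = new Function(`
  let g = 0;
  { function g() { return 1; } }
  return typeof g;            // "number"
`);

// The shape of the reduced repro: the block never executes, but the hoisted
// var binding `h` is still created at function scope (holding undefined), so
// reading it does not throw a ReferenceError.
const neverExecutedBlock = new Function(`
  if (false) { function h() { return 42; } }
  return h === undefined;     // true
`);

// In strict mode there is no Annex B hoisting at all: `g` stays block-scoped
// and is not declared in the function body.
const strictNoHoist = new Function(`
  "use strict";
  { function g() { return 1; } }
  return typeof g;            // "undefined"
`);

// Collect the four observations in one place for callers.
function hoistingCases() {
  return {
    varDoesNotBlock: varDoesNotBlock(),
    letBlocks: letBlocks(),
    neverExecutedBlock: neverExecutedBlock(),
    strictNoHoist: strictNoHoist(),
  };
}
```

The second and third cases are the two the fix is about: the preparser had been treating the catch variable as LET-mode, which would wrongly put the repro's `function e` into the "hoisting blocked" branch, while the full parser treated it as VAR-mode and hoisted; the two sides then disagreed about the scope data that `preparsed-scope-data.cc` serializes, which is what the CHECK caught.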
Project Member

Comment 6 by ClusterFuzz, Oct 7 2017

ClusterFuzz has detected this issue as fixed in range 48307:48308.

Detailed report: https://clusterfuzz.com/testcase?key=5464031245893632

Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  scope_data_->RemainingBytes() >= kUint8Size in preparsed-scope-data.cc
  
Sanitizer: undefined (UBSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48307:48308

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5464031245893632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Oct 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5464031245893632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 7 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 9 by awhalley@google.com, Oct 16 2017

Labels: -reward-topanel reward-0
Labels: -M-61 M-63
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 27 2017

Labels: Merge-Request-63
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M63 merge review
Labels: -Hotlist-Merge-Review -Merge-Review-63
No 63 merge needed.
Labels: Release-0-M63
Project Member

Comment 16 by sheriffbot@chromium.org, Jan 13 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 17 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-63 M-65