Stack-overflow in token_to_string
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5136270815920128

Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff89285d98
Crash State:
  token_to_string

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=509728:509746

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5136270815920128

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 19 2017
This crash is spurious. The underlying issue appears to be that the stack is growing due to recursive calls to token_to_string, and on each call ASAN adds to the stack until it gets too large, then segfaults. I've played with three solutions to this that all work:

1. Setting ulimit -s to give the process more stack space.
2. Not sanitizing token_to_string.
3. Bounding the recursive depth of calls to token_to_string.

A (probably) related issue is that non-debug builds have oom errors on the corpus. Solution 1 does not fix this and I don't believe 2 does either. However, 3, which I put in this CL (https://chromium-review.googlesource.com/c/chromium/src/+/727075), does appear to solve this problem. I'm suspicious that even with my fix there is something wrong since execution slows down to less than 100 executions per second, but peak_rss_mb seems to be under control after about an hour of fuzzing. Marja, feel free to reject my CL if you think this problem should be fixed some other way.
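The third option in the comment above, a depth counter threaded through the recursion, shown as an added example written for this page rather than taken from the Chromium CL. The Token struct, the bound of 256 and the "0" placeholder are assumptions: the real fuzzer renders a protobuf message and the page does not quote the bound it chose. The unbounded shape sits next to the bounded one so the difference is visible:

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the fuzzer's protobuf token (hypothetical; the
// generated message type is not shown on the page): either a leaf literal or
// a parenthesized group that nests further tokens.
struct Token {
  std::string literal;          // used when children is empty
  std::vector<Token> children;  // non-empty => this is a nested group
};

// Before: one stack frame per nesting level of the input. Under ASan each
// frame is larger (redzones around locals, no inlining in a debug build), so a
// fuzzer-generated deeply nested input exhausts the stack far earlier than the
// same input would in a release build.
std::string token_to_string_unbounded(const Token& t) {
  if (t.children.empty()) return t.literal;
  std::string out = "(";
  for (size_t i = 0; i < t.children.size(); ++i) {
    if (i) out += " ";
    out += token_to_string_unbounded(t.children[i]);
  }
  return out + ")";
}

// After: a depth counter travels down the recursion and any subtree past the
// bound is replaced by a harmless leaf, so the output stays parseable and the
// stack usage is capped regardless of what the fuzzer generates. The bound and
// the placeholder are assumptions made for this example.
constexpr int kMaxRecursionDepth = 256;

std::string token_to_string(const Token& t, int depth = 0) {
  if (depth > kMaxRecursionDepth) return "0";  // cut the subtree here
  if (t.children.empty()) return t.literal;
  std::string out = "(";
  for (size_t i = 0; i < t.children.size(); ++i) {
    if (i) out += " ";
    out += token_to_string(t.children[i], depth + 1);
  }
  return out + ")";
}

// Builds a leaf wrapped in n nested groups, iteratively, the way a
// mutation-based fuzzer can produce a pathologically deep test case.
Token make_nested(int n) {
  Token t;
  t.literal = "x";
  for (int i = 0; i < n; ++i) {
    Token wrapper;
    wrapper.children.push_back(std::move(t));
    t = std::move(wrapper);
  }
  return t;
}

// Deepest '(' nesting in a rendered string; confirms that the bounded
// converter never descends past kMaxRecursionDepth + 1 group levels.
int max_paren_depth(const std::string& s) {
  int depth = 0, max_depth = 0;
  for (char c : s) {
    if (c == '(') max_depth = std::max(max_depth, ++depth);
    else if (c == ')') --depth;
  }
  return max_depth;
}

int main() {
  const Token deep = make_nested(2000);
  const std::string rendered = token_to_string(deep);
  std::printf("input nesting: 2000, rendered nesting: %d, bytes: %zu\n",
              max_paren_depth(rendered), rendered.size());
  return 0;
}
```

On a 2000-level input the bounded converter stops at 257 group levels and emits 515 bytes, while the unbounded one would recurse through all 2000 levels; building the input iteratively and keeping it to a few thousand levels matters because destroying a deeply nested tree of vectors is itself recursive. Compiling with -fsanitize=address makes the per-frame cost the comment describes visible when comparing the two converters.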
Oct 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/33d1942c85d11d65a399b1dd78f2e86765dd0b41

commit 33d1942c85d11d65a399b1dd78f2e86765dd0b41
Author: Jonathan Metzman <metzman@chromium.org>
Date: Thu Oct 19 14:57:10 2017

Bound recursive calls of token_to_string to prevent *san errors.

Bug: 776125
Change-Id: I4f5e788dccd9aca77ad58c45db75027f5288a629
Reviewed-on: https://chromium-review.googlesource.com/727075
Commit-Queue: Jonathan Metzman <metzman@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510086}

[modify] https://crrev.com/33d1942c85d11d65a399b1dd78f2e86765dd0b41/testing/libfuzzer/fuzzers/generate_javascript_parser_proto.py
[modify] https://crrev.com/33d1942c85d11d65a399b1dd78f2e86765dd0b41/testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc
[modify] https://crrev.com/33d1942c85d11d65a399b1dd78f2e86765dd0b41/testing/libfuzzer/fuzzers/javascript_parser_proto_to_string.h
Oct 20 2017
Oct 20 2017
Oct 20 2017
ClusterFuzz has detected this issue as fixed in range 510082:510099.

Detailed report: https://clusterfuzz.com/testcase?key=5136270815920128

Fuzzer: libFuzzer_javascript_parser_proto_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff89285d98
Crash State:
  token_to_string

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=509728:509746
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=510082:510099

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5136270815920128

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 20 2017
ClusterFuzz testcase 5136270815920128 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmoroz@chromium.org, Oct 18 2017