Found the following two cases by fuzzing with AFL:
# Case #1: array_expand_index
bash <<'EOF'
x='${p[--b[?]]'; echo ${x@P}
EOF
# Case #1 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0 0x000000000080e0d3 in __strchr_sse2 ()
#1 0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2 0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at
arrayfunc.c:899
#3 0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5228 "-1",
flags=0) at variables.c:3371
#4 0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at
expr.c:333
#5 exp0 () at expr.c:1015
#6 exp1 () at expr.c:983
#7 0x00000000004c54ae in exppower () at expr.c:938
#8 0x00000000004c4cf8 in exp2 () at expr.c:863
#9 0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbc9a48 "--b[?]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbc9a48 "--b[?]", flags=<optimized
out>, validp=0x7fffffffce14) at expr.c:415
#23 0x0000000000589d81 in array_expand_index (var=<optimized out>, s=<optimized
out>, len=<optimized out>, flags=<optimized out>) at arrayfunc.c:952
#24 0x000000000058b7f5 in array_value_internal (s=0xbc9a08 "p[--b[?]]",
quoted=<optimized out>, flags=1, rtype=0x7fffffffce9c, indp=<optimized out>) at
arrayfunc.c:1133
#25 0x000000000053eed1 in parameter_brace_expand_word (name=0xbc9a08
"p[--b[?]]", var_is_special=0, quoted=1, pflags=<optimized out>,
indp=0x7fffffffcf40) at subst.c:6584
#26 0x0000000000536c7b in parameter_brace_expand (string=<optimized out>,
quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized
out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8702
#27 param_expand (string=0xbc5fe8 "${p[--b[?]]", sindex=<optimized out>,
quoted=<optimized out>, expanded_something=<optimized out>,
contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>,
had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9316
#28 0x0000000000510893 in expand_word_internal (word=0x7fffffffd0b0,
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized
out>, expanded_something=<optimized out>) at subst.c:9887
#29 0x000000000050f595 in expand_prompt_string (string=0xbc7ec8 "${p[--b[?]]",
quoted=1, wflags=<optimized out>) at subst.c:3804
#30 0x0000000000420e71 in decode_prompt_string (string=<optimized out>) at
./parse.y:6065
#31 0x000000000055059c in string_transform (xc=<optimized out>, v=0xbc7dc8,
s=0xbc5fc8 "${p[--b[?]]") at subst.c:7468
#32 0x000000000054a2b5 in parameter_brace_transform (varname=<optimized out>,
value=<optimized out>, ind=<optimized out>, xform=<optimized out>, rtype=0,
quoted=<optimized out>, pflags=0, flags=<optimized out>) at subst.c:7616
#33 0x000000000053bb17 in parameter_brace_expand (string=<optimized out>,
quoted=<optimized out>, pflags=<optimized out>, contains_dollar_at=<optimized
out>, indexp=<optimized out>, quoted_dollar_atp=<optimized out>) at subst.c:8884
#34 param_expand (string=0xbc7e68 "${REPLY@P}", sindex=<optimized out>,
quoted=<optimized out>, expanded_something=<optimized out>,
contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>,
had_quoted_null_p=<optimized out>, pflags=<optimized out>) at subst.c:9316
#35 0x0000000000510893 in expand_word_internal (word=0xbc7828,
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized
out>, expanded_something=<optimized out>) at subst.c:9887
#36 0x0000000000529560 in shell_expand_word_list (tlist=<optimized out>,
eflags=0) at subst.c:11233
#37 expand_word_list_internal (list=<optimized out>, eflags=<optimized out>) at
subst.c:11357
#38 0x000000000046f341 in execute_simple_command (simple_command=<optimized
out>, pipe_in=-1, pipe_out=-1, async=<optimized out>, fds_to_close=<optimized
out>) at execute_cmd.c:4278
#39 execute_command_internal (command=<optimized out>, asynchronous=<optimized
out>, pipe_in=<optimized out>, pipe_out=<optimized out>,
fds_to_close=<optimized out>) at execute_cmd.c:840
#40 0x000000000046b5cb in execute_connection (command=<optimized out>,
asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized
out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#41 execute_command_internal (command=0xbc5e48, asynchronous=<optimized out>,
pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized
out>) at execute_cmd.c:1013
#42 0x0000000000605bcc in parse_and_execute (string=<optimized out>,
from_file=<optimized out>, flags=4) at evalstring.c:436
#43 0x0000000000409a8c in run_one_command (command=<optimized out>) at
shell.c:1416
#44 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>,
env=<optimized out>) at shell.c:735
EOF
# Case #2
bash <<'EOF'
x='$[++K[+]]/'; echo ${x@P}
EOF
# Case #2 backtrace
: <<'EOF'
Program received signal SIGSEGV, Segmentation fault.
0x000000000080e0d3 in __strchr_sse2 ()
#0 0x000000000080e0d3 in __strchr_sse2 ()
#1 0x00000000006d954b in mbschr (s=0x0, c=91) at mbschr.c:90
#2 0x000000000058acdf in valid_array_reference (name=0x0, flags=0) at
arrayfunc.c:899
#3 0x000000000049c4e9 in bind_int_variable (lhs=0x0, rhs=0xbb5248 "1",
flags=0) at variables.c:3371
#4 0x00000000004c632c in expr_bind_variable (lhs=0x0, rhs=<optimized out>) at
expr.c:333
#5 exp0 () at expr.c:1015
#6 exp1 () at expr.c:983
#7 0x00000000004c54ae in exppower () at expr.c:938
#8 0x00000000004c4cf8 in exp2 () at expr.c:863
#9 0x00000000004c4695 in exp3 () at expr.c:837
#10 expshift () at expr.c:813
#11 0x00000000004c3d95 in exp4 () at expr.c:783
#12 exp5 () at expr.c:761
#13 0x00000000004c3a61 in expband () at expr.c:743
#14 expbxor () at expr.c:724
#15 0x00000000004c3621 in expbor () at expr.c:705
#16 expland () at expr.c:678
#17 0x00000000004c2e01 in explor () at expr.c:650
#18 expcond () at expr.c:603
#19 0x00000000004c1f2b in expassign () at expr.c:488
#20 0x00000000004be48e in expcomma () at expr.c:472
#21 subexpr (expr=0xbcc9a8 "++K[+]") at expr.c:450
#22 0x00000000004bdba0 in evalexp (expr=0xbcc9a8 "++K[+]", flags=<optimized
out>, validp=0x7fffffffdee0) at expr.c:415
#23 0x0000000000531828 in param_expand (string=0xbcc968 "$[++K[+]]/",
sindex=<optimized out>, quoted=<optimized out>, expanded_something=<optimized
out>, contains_dollar_at=<optimized out>, quoted_dollar_at_p=<optimized out>,
had_quoted_null_p=0x0, pflags=<optimized out>) at subst.c:9391
#24 0x0000000000510893 in expand_word_internal (word=0x7fffffffe050,
quoted=<optimized out>, isexp=<optimized out>, contains_dollar_at=<optimized
out>, expanded_something=<optimized out>) at subst.c:9887
#25 0x000000000050f595 in expand_prompt_string (string=0xbcc948 "$[++K[+]]/",
quoted=0, wflags=<optimized out>) at subst.c:3804
#26 0x00000000005b82a8 in bash_directory_completion_hook (dirname=0xb182f8
<rl_filename_completion_function.dirname>) at bashline.c:3284
#27 0x00000000007057c7 in rl_filename_completion_function (text=<optimized
out>, state=<optimized out>) at complete.c:2508
#28 0x000000000070bacd in rl_completion_matches (text=0xbcc8c8 "$[++K[+]]/",
entry_function=0x7051c0 <rl_filename_completion_function>) at complete.c:2185
#29 0x000000000070819f in gen_completion_matches (text=0xbcc8c8 "$[++K[+]]/",
start=<optimized out>, end=<optimized out>, our_func=0x7051c0
<rl_filename_completion_function>, found_quote=<optimized out>,
quote_char=<optimized out>) at complete.c:1228
#30 0x00000000006fd828 in rl_complete_internal (what_to_do=9) at complete.c:2013
#31 0x00000000006de509 in _rl_dispatch_subseq (key=9, map=0xb104d0
<vi_insertion_keymap>, got_subseq=0) at readline.c:852
#32 0x00000000006dc6ce in _rl_dispatch (key=0, map=0x5b) at readline.c:798
#33 readline_internal_char () at readline.c:632
#34 0x00000000006da72d in readline_internal_charloop () at readline.c:659
#35 readline_internal () at readline.c:671
#36 readline (prompt=0x8e11cf "") at readline.c:377
#37 0x0000000000629741 in edit_line (p=<optimized out>, itext=<optimized out>)
at ./read.def:1104
#38 read_builtin (list=<optimized out>) at ./read.def:563
#39 0x0000000000483417 in execute_builtin (builtin=0x6268c0 <read_builtin>,
words=<optimized out>, flags=<optimized out>, subshell=0) at execute_cmd.c:4677
#40 0x00000000004725d4 in execute_builtin_or_function (redirects=<optimized
out>, fds_to_close=<optimized out>, flags=<optimized out>, words=<optimized
out>, builtin=<optimized out>, var=<optimized out>) at execute_cmd.c:5185
#41 execute_simple_command (simple_command=<optimized out>, pipe_in=<optimized
out>, pipe_out=<optimized out>, async=<optimized out>, fds_to_close=<optimized
out>) at execute_cmd.c:4449
#42 execute_command_internal (command=<optimized out>, asynchronous=<optimized
out>, pipe_in=<optimized out>, pipe_out=<optimized out>,
fds_to_close=<optimized out>) at execute_cmd.c:840
#43 0x000000000046b5cb in execute_connection (command=<optimized out>,
asynchronous=<optimized out>, pipe_in=<optimized out>, pipe_out=<optimized
out>, fds_to_close=<optimized out>) at execute_cmd.c:2689
#44 execute_command_internal (command=0xbc5d88, asynchronous=<optimized out>,
pipe_in=<optimized out>, pipe_out=<optimized out>, fds_to_close=<optimized
out>) at execute_cmd.c:1013
#45 0x0000000000605bcc in parse_and_execute (string=<optimized out>,
from_file=<optimized out>, flags=4) at evalstring.c:436
#46 0x0000000000409a8c in run_one_command (command=<optimized out>) at
shell.c:1416
#47 0x00000000004063a7 in main (argc=<optimized out>, argv=<optimized out>,
env=<optimized out>) at shell.c:735
EOF
