Apply the following patch to call  DynamicArchive::dump() twice:

+++ b/src/hotspot/share/runtime/java.cpp
@@ -511,6 +511,7 @@ void before_exit(JavaThread* thread) {
   if (DynamicDumpSharedSpaces) {
     ExceptionMark em(thread);
     DynamicArchive::dump();
+    DynamicArchive::dump();

$  java -Xlog:cds -cp ~/tmp/HelloWorld.jar -XX:ArchiveClassesAtExit=/tmp/foo.jsa HelloWorld

The following crash happens:
 9 Array<char>::size    =========> this == 0x800c415e0
10 MetaspaceClosure::ArrayRef<char>::size 
11 ArchiveBuilder::gather_klass_and_symbol 
12 GatherKlassesAndSymbols::do_unique_ref 
13 UniqueMetaspaceClosure::do_ref 
14 MetaspaceClosure::do_push 
15 MetaspaceClosure::push_impl 
16 MetaspaceClosure::push_with_ref<MetaspaceClosure::OtherArrayRef<char>, Array<char> > 
17 MetaspaceClosure::push<char, 0> 
18 SharedClassPathEntry::metaspace_pointers_do 
19 SharedPathTable::metaspace_pointers_do 
20 FileMapInfo::metaspace_pointers_do 
21 DynamicArchiveBuilder::iterate_roots 
22 ArchiveBuilder::gather_klasses_and_symbols 
23 ArchiveBuilder::gather_source_objs 
24 DynamicArchiveBuilder::doit 
25 VM_PopulateDynamicDumpSharedSpace::doit 

The problem is that FileMapInfo::_saved_shared_path_table was relocated during the first call to DynamicArchive::dump()