Bug 140879

-------------------------- function g() { function f() { g.apply(null, ['']); } f().watch(a) } (function () { g.apply(null, null); })(); -------------------------- If I run this code, It crashes. Program received signal SIGSEGV, Segmentation fault. tJSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000, bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121 121 if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) { (gdb) bt #0 JSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000, bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121 #1 0x00000000006082bf in JSC::cti_optimize (args=0x7fffffffd730) at /development/tunz/javascript/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1991 #2 0x00007fffb2cbb3d6 in ?? () #3 0x00007ffe00000000 in ?? () #4 0x00007ffe00000000 in ?? () #5 0x00007ffff7ed1108 in ?? () #6 0x0000000000000000 in ?? () (gdb) list 116 #endif 117 return 0; 118 } 119 continue; 120 } 121 if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) { 122 #if ENABLE(JIT_VERBOSE_OSR) 123 dataLog(" OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n"); 124 #endif 125 return 0; I think it is stack overflow of JIT (DFG). tested it on QtWebKit Ubuntu 14.04 64bit. I found this crash with afl-fuzz.