Bug 140879

Summary: Crash in JSC::DFG::prepareOSREntry
Product: WebKit
Reporter: Han Choongwoo <cwhan.tunz>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: ggaren
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All

Description Han Choongwoo 2015-01-26 01:02:27 PST
--------------------------
function g() {
    function f() {
        g.apply(null, ['']);   // mutual recursion: g -> f -> g.apply -> f ...
    }
    f().watch(a)               // never reached: the recursion overflows the stack before f() returns
}
(function () {
    g.apply(null, null);       // entry point: apply with a null argument list
})();
--------------------------

If I run this code, it crashes.

Program received signal SIGSEGV, Segmentation fault.
JSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000,
    bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
121             if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
(gdb) bt
#0  JSC::DFG::prepareOSREntry (exec=exec@entry=0x7ffeb2308f68, codeBlock=codeBlock@entry=0x7ffff7f52000,
    bytecodeIndex=bytecodeIndex@entry=0) at /development/tunz/javascript/webkit/Source/JavaScriptCore/dfg/DFGOSREntry.cpp:121
#1  0x00000000006082bf in JSC::cti_optimize (args=0x7fffffffd730)
    at /development/tunz/javascript/webkit/Source/JavaScriptCore/jit/JITStubs.cpp:1991
#2  0x00007fffb2cbb3d6 in ?? ()
#3  0x00007ffe00000000 in ?? ()
#4  0x00007ffe00000000 in ?? ()
#5  0x00007ffff7ed1108 in ?? ()
#6  0x0000000000000000 in ?? ()
(gdb) list
116     #endif
117                     return 0;
118                 }
119                 continue;
120             }
121             if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
122     #if ENABLE(JIT_VERBOSE_OSR)
123                 dataLog("    OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n");
124     #endif
125                 return 0;

I think it is a stack overflow of the JIT (DFG).

Tested it on QtWebKit, Ubuntu 14.04 64-bit.

I found this crash with afl-fuzz.
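The PoC above re-expressed as a regression check. This is an added example, not code from the report or from WebKit: it keeps the same call shape (g -> f -> g.apply, entered through apply with a null argument list) but replaces the unreachable `.watch(a)` with a flag, and asserts that a correct engine turns the unbounded recursion into a catchable RangeError instead of a segfault. The names `probeRecursionCrash`, `probeRepeatedly`, `depth` and `watchReached` are mine.

```javascript
// Added example (not from the bug report): the crash PoC as a regression check.
// A correct engine must convert the unbounded g -> f -> g recursion into a
// RangeError that the caller can catch; a process crash means the bug is present.
// `watch` in the original PoC is never executed, because the recursion overflows
// the stack before f() ever returns, so it is modelled here by a flag.
function probeRecursionCrash() {
  let depth = 0;             // number of g frames entered before the overflow
  let watchReached = false;  // would only become true if f() returned normally

  function g() {
    depth++;
    function f() {
      g.apply(null, ['']);   // same call shape as the PoC: apply with an array
    }
    f();                     // PoC: f().watch(a); f never returns here
    watchReached = true;
  }

  try {
    g.apply(null, null);     // PoC entry point: apply with a null argument list
    return { threw: false, error: null, depth, watchReached };
  } catch (e) {
    // Stack exhaustion surfaces as RangeError ("Maximum call stack size exceeded")
    return { threw: e instanceof RangeError, error: e.name, depth, watchReached };
  }
}

// The PoC was found by a fuzzer, and JIT tiering (baseline, then DFG OSR entry)
// only engages once a function is hot, so a single run may never reach the tier
// where the reported crash happened. Repeat the probe and report the last result,
// or the first run that unexpectedly terminated without an overflow.
function probeRepeatedly(iterations) {
  let last = null;
  for (let i = 0; i < iterations; i++) {
    last = probeRecursionCrash();
    if (!last.threw) return last;
  }
  return last;
}
```

Run under the engine being tested (jsc, or node for comparison); any outcome other than a RangeError on every iteration, including the process dying, is the signal that the tiering path still mishandles deep recursion.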

Comment 1 Han Choongwoo 2015-01-28 19:40:46 PST
Oh, I think this crash is already fixed.
I used an old version.

Now, after rebuilding WebKit GTK, there is no crash.