NEW 171311
WebKitGtk+ 2.16.0 SEGV on Source/JavaScriptCore/runtime/VMEntryScope.cpp:70 JSC::VMEntryScope::~VMEntryScope()
https://bugs.webkit.org/show_bug.cgi?id=171311
hust.qy
Reported 2017-04-25 19:57:00 PDT
Build with: Tools/Scripts/build-jsc --gtk --debug export CFLAGS="fsanitize=address -fsanitize=address "

The following test case triggers a segmentation fault.

Test case:
---
function recompile() {
    var arr = [0, 1, 2, 3, 4];
    arr.__defineSetter__("4", function(x) { this._4 = true | x; });
    for (var i = 0; i < 5; i++)
        arr[i] = "grue";
    var tmp = arr._4;
    for (var p in arr)
        arr[p] = "bleen";
    return tmp + " " + arr._4;
}

function bar() {
    for (var i = 0; i < 50; i++) {
        var foo = new Function("recompile(arguments[0] + " + i + "); return arguments[0]");
        bar(foo.apply(null, [i]), i);
    }
}

bar();
----

Stack trace with sanitizer:
==757==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd59945c47a bp 0x7ffff95abf30 sp 0x7ffff95abeb0 T0)
    #0 0x7fd59945c479 in JSC::VMEntryScope::~VMEntryScope() /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/VMEntryScope.cpp:70
    #1 0x7fd599092a19 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/interpreter/Interpreter.cpp:905
    #2 0x7fd59926b603 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/CallData.cpp:39
    #3 0x7fd5992c8330 in JSC::callSetter(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::JSValue, JSC::ECMAMode) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/GetterSetter.cpp:108
    #4 0x7fd59940f528 in JSC::SparseArrayEntry::put(JSC::ExecState*, JSC::JSValue, JSC::SparseArrayValueMap*, JSC::JSValue, bool) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp:188
    #5 0x7fd59940fa8c in JSC::SparseArrayValueMap::putEntry(JSC::ExecState*, JSC::JSObject*, unsigned int, JSC::JSValue, bool) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp:126
    #6 0x7fd5993448d8 in JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage(JSC::ExecState*, unsigned int, JSC::JSValue, bool, JSC::ArrayStorage*) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSObject.cpp:2635
    #7 0x7fd599348e02 in JSC::JSObject::putByIndexBeyondVectorLength(JSC::ExecState*, unsigned int, JSC::JSValue, bool) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSObject.cpp:2672
    #8 0x7fd599348a13 in JSC::JSObject::putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned int, JSC::JSValue, bool) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSObject.cpp:930
    #9 0x7fd59934dc2c in JSC::JSObject::putInline(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSObjectInlines.h:211
    #10 0x7fd59934dc2c in JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSObject.cpp:751
    #11 0x7fd5992f40b1 in JSC::JSArray::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSArray.cpp:272
    #12 0x7fd598ea13fd in JSC::JSValue::put(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) /home/webkitgtk-2.16.0/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:872
    #13 0x7fd598ea13fd in operationPutByValInternal<false, false> /home/webkitgtk-2.16.0/Source/JavaScriptCore/dfg/DFGOperations.cpp:145
    #14 0x7fd598ea13fd in operationPutByValNonStrict /home/webkitgtk-2.16.0/Source/JavaScriptCore/dfg/DFGOperations.cpp:624
    #15 0x7fd55180350c (<unknown module>)