Found accidentally by dumping bytecode in a version of JSC compiled with ASAN. The problem is just a call to lastSeenCallee on a CallLinkInfo that was unguarded by haveLastSeenCallee().
Created attachment 327059: Patch
Comment on attachment 327059 (Patch): r=me
Comment on attachment 327059 (Patch): Clearing flags on attachment 327059. Committed r224916: <https://trac.webkit.org/changeset/224916>
All reviewed patches have been landed. Closing bug.
<rdar://problem/35621867>