This issue was uncovered when we enabled --useDollarVM=true on the JSC tests. Basically, the case of the failing test we observed, op_tail_call_forward_arguments was allocating stack space to stash the arguments (to be forwarded) and new frame info. The location of this new stash space happens to lie beyond the top of frame of the tail call caller frame. After stashing the arguments, the code proceeded to load the callee codeBlock. This triggers an allocation, which in turn, triggers stack sanitization. The CLoop stack sanitizer was relying on frame->topOfFrame() to tell it where the top of the used stack is. In this case, that turned out to be inadequate. As a result, part of the stashed data was zeroed out, and subsequently led to a crash. This bug does not affect JIT builds for 2 reasons: 1. JIT builds do stack sanitization in the LLInt code itself (different from the CLoop implementation), and the sanitizer there is aware of the true top of stack value (i.e. the stack pointer). 2. JIT builds don't use a parallel stack like the CLoop. The parallel stack is one condition necessary for reproducing this issue. The fix is to make the CLoop record the stack pointer in m_stackTop each time before it calls out to native code. This also brings the CLoops behavior closer to hardware behavior where we always know where the stack pointer is after calling into native C++ code, and make it easier to reason about correctness. <rdar://problem/35623998>