From 80471d52c85ab8edd1332e084b8bf46f44571c3b Mon Sep 17 00:00:00 2001
From: Julien Brianceau <jbriance@cisco.com>
Date: Wed, 1 Apr 2015 11:36:02 +0200
Subject: Fix crash in JIT::DFG::prepareOSREntry

While verifying predictions in prepareOSREntry, locals could lay
outside the stack in some cases. So we shouldn't retrieve jsValue
from locals when we don't have to.

Task-number: QTBUG-45299
Change-Id: I70003170348887128e11360fb501b69647194172
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@theqtcompany.com>
---
 Source/JavaScriptCore/dfg/DFGOSREntry.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/JavaScriptCore/dfg/DFGOSREntry.cpp b/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
index 5739593ee..9b75e70ab 100644
--- a/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOSREntry.cpp
@@ -118,7 +118,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
             }
             continue;
         }
-        if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
+        if (!entry->m_expectedValues.local(local).isTop() && !entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
 #if ENABLE(JIT_VERBOSE_OSR)
             dataLog("    OSR failed because variable ", local, " is ", exec->registers()[local].jsValue(), ", expected ", entry->m_expectedValues.local(local), ".\n");
 #endif
-- 
cgit v1.2.3