Jacek Caban (@jacek) commented about dlls/jscript/engine.c:
+ unsigned i, argc; + HRESULT hres; + + argc = (scope == frame->base_scope) ? max(frame->argc, func->param_cnt) : 0; + if(!argc) + return S_OK; + + if(!(scope->detached_vars = malloc(FIELD_OFFSET(struct vars_buffer, var[argc])))) + return E_OUTOFMEMORY; + detached_var = scope->detached_vars->var; + scope->detached_vars->argc = argc; + scope->detached_vars->func_code = func; + bytecode_addref(func->bytecode); + + for(i = 0; i < argc; i++) { + hres = jsval_copy(ctx->stack[frame->arguments_off + i], &detached_var[i]); I think we may steal value from the stack here. You could just assign value here and set stack to undefined instead.
-- https://gitlab.winehq.org/wine/wine/-/merge_requests/2942#note_36472