C1 OSR compiled methods have two entries. The normal _verified_entry and _osr_entry. There is a field _frame_complete_offset in (CodeBlob, CompiledMethod or nmethod) which says when the program counter is considered safe. Ie after entry + _frame_complete_offset the program counter is at a point where we can look at the _frame_size to find the return address.

However if we are doing a OSR migration and go to the _osr_entry, the check in frame::safe_for_sender might not take this into account. The check as I recall only checks entry + _frame_complete_offset. Maybe there should also be a check for _osr_entry + some value that I'm not sure if we actually store.

Worth looking into.