Bug 135025

The following tests are currently failing in debug builds on the ftlopt branch: stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager stress/prune-multi-put-by-offset-replace-or-transition-variant.js.ftl-eager Here's the backtrace: * thread #1: tid = 0x636d33, 0x008ca122 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:333, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x008ca122 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:333 frame #1: 0x0006f0e7 JavaScriptCore`JSC::JSValue::asCell(this=0xbfff8d48) const + 103 at JSCJSValueInlines.h:299 frame #2: 0x0020d3d5 JavaScriptCore`JSC::DFG::Node::asCell(this=0x05a68b14) + 53 at DFGNode.h:588 frame #3: 0x0038884d JavaScriptCore`JSC::DFG::SpeculativeJIT::silentSavePlanForGPR(this=0x020daa00, spillMe=(m_virtualRegister = -9), source=ebx) + 1213 at DFGSpeculativeJIT.cpp:345 frame #4: 0x003c98b0 JavaScriptCore`void JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl<WTF::Vector<JSC::DFG::SilentRegisterSavePlan, 0ul, WTF::CrashOnOverflow> >(this=0x020daa00, doSpill=true, plans=0x020db0ec, exclude=-1, exclude2=-1, fprExclude=-1) + 368 at DFGSpeculativeJIT.h:348 frame #5: 0x003b094d JavaScriptCore`JSC::DFG::SpeculativeJIT::silentSpillAllRegisters(this=0x020daa00, exclude=-1, exclude2=-1, fprExclude=-1) + 93 at DFGSpeculativeJIT.h:383 frame #6: 0x003aa113 JavaScriptCore`JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer(this=0x020daa00, cell=ebx, scratch1=eax, scratch2=edx) + 931 at DFGSpeculativeJIT.cpp:5476 frame #7: 0x003a9d4a JavaScriptCore`JSC::DFG::SpeculativeJIT::writeBarrier(this=0x020daa00, ownerGPR=ebx, scratch1=eax, scratch2=edx) + 90 at DFGSpeculativeJIT.cpp:5522 frame #8: 0x003a9aba JavaScriptCore`JSC::DFG::SpeculativeJIT::compileStoreBarrier(this=0x020daa00, node=0x05a6f90c) + 314 at DFGSpeculativeJIT.cpp:5430 frame #9: 0x003f9558 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x020daa00, node=0x05a6f90c) + 99704 at DFGSpeculativeJIT32_64.cpp:4547 frame #10: 0x0038ee2b JavaScriptCore`JSC::DFG::SpeculativeJIT::compileCurrentBlock(this=0x020daa00) + 1883 at DFGSpeculativeJIT.cpp:1452 frame #11: 0x0038f752 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x020daa00) + 226 at DFGSpeculativeJIT.cpp:1564 frame #12: 0x00309f80 JavaScriptCore`JSC::DFG::JITCompiler::compileBody(this=0xbfffdc58) + 48 at DFGJITCompiler.cpp:113 frame #13: 0x0030bb0e JavaScriptCore`JSC::DFG::JITCompiler::compile(this=0xbfffdc58) + 286 at DFGJITCompiler.cpp:293 frame #14: 0x0037aaf8 JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x01a34910, longLivedState=0x03f249c0) + 1848 at DFGPlan.cpp:298 frame #15: 0x00379fd4 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x01a34910, longLivedState=0x03f249c0, threadData=0x00000000) + 436 at DFGPlan.cpp:160 frame #16: 0x002bf8fd JavaScriptCore`JSC::DFG::compileImpl(vm=0x020ba000, codeBlock=0x01a34790, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=495, mustHandleValues=0xbfffe7c8, callback=0xbfffe658) + 1853 at DFGDriver.cpp:104 frame #17: 0x002bf152 JavaScriptCore`JSC::DFG::compile(vm=0x020ba000, codeBlock=0x01a34790, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=495, mustHandleValues=0xbfffe7c8, passedCallback=0xbfffe788) + 194 at DFGDriver.cpp:122 frame #18: 0x00534e19 JavaScriptCore`operationOptimize(exec=0xbfffe998, bytecodeIndex=495) + 2793 at JITOperations.cpp:1203 frame #19: 0x05a82cad frame #20: 0x0068a924 JavaScriptCore`callToJavaScript + 292 frame #21: 0x0051d400 JavaScriptCore`JSC::JITCode::execute(this=0x01a2c7d0, vm=0x020ba000, protoCallFrame=0xbfffec20) + 64 at JITCode.cpp:47 frame #22: 0x004f981f JavaScriptCore`JSC::Interpreter::execute(this=0x03f246c0, program=0x05a1fe80, callFrame=0x019cfa6c, thisObj=0x019dfb60) + 5455 at Interpreter.cpp:933 frame #23: 0x0018035f JavaScriptCore`JSC::evaluate(exec=0x019cfa6c, source=0xbffff860, thisValue=JSValue at 0xbffff7b8, returnedException=0xbffff880) + 607 at Completion.cpp:82 frame #24: 0x00002c36 jsc`runWithScripts(globalObject=0x019cfa40, scripts=0xbffff964, dump=false) + 534 at jsc.cpp:1066 frame #25: 0x00002110 jsc`jscmain(argc=10, argv=0xbffffa14) + 432 at jsc.cpp:1283 frame #26: 0x00001e89 jsc`main(argc=10, argv=0xbffffa14) + 233 at jsc.cpp:1024 frame #27: 0x96a75701 libdyld.dylib`start + 1