Bug 265742

The following program fails to compile in debug mode on BBQJIT: ``` //@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true") import * as assert from "../assert.js"; import { compile, instantiate } from "./wast-wrapper.js"; instantiate(` (module (type (struct (field (mut i32)))) (func (result i32) (local $5 i32) (local $11 i32) (local $19 (ref 0)) (local $21 (ref 0)) (local $22 i32) (local.set $19 (struct.new_default 0)) (block (result i32) ;;(call ...) ;;(local.set ...) (block (result i32) (block (result i32) (local.get $19) (struct.get 0 0) (local.get $5) i32.eq if (result i32) (local.get $19) (local.get $11) (struct.set 0 0) (local.get $19) (local.set $21) (local.get $21) (struct.get 0 0) (local.set $22) (local.get $21) (block (result i32) (local.get $22) (i32.const 1) i32.add (br 0)) (struct.set 0 0) (i32.const 1) else (i32.const 0) end))))) `); ``` Assuming this is in `JSTests/wasm/gc`. Run as `run-jsc --debug --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --jsc-only --useWasmLLInt=false -m bbq.js` It crashes with an error like this: ``` ASSERTION FAILED: !currentLocation.isRegister() /home/asumu/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp(9896) : JSC::Wasm::BBQJIT::Location JSC::Wasm::BBQJIT::bind(Value, Location) Aborted (core dumped) ```