Bug 88438

In osrExitGenerationThunkGenerator(), after setting up arg0, we store the active length of the scratch register. We use regT0 to set the size, but regT0 is also argumentGPR0 on ARM. .. // Set up one argument. #if CPU(X86) jit.poke(GPRInfo::callFrameRegister, 0); #else jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0); #endif // Tell GC mark phase how much of the scratch buffer is active during call. jit.move(MacroAssembler::TrustedImmPtr(scratchBuffer->activeLengthPtr()), GPRInfo::regT0); <== This wil trash arg0 jit.storePtr(MacroAssembler::TrustedImmPtr(scratchSize), GPRInfo::regT0); MacroAssembler::Call functionCall = jit.call(); ... The fix is to move the storing of the active scratch buffer length to before setting up arg0. A visual inspection of the other locations in the code where we set the scratch buffer active length appear safe. either because we use an allocated register or because regT0 is available.