Doing so results in two outcomes: 1) We're overly pessimistic about how we compile code that uses 'this' in inlined function calls that use arguments. 2) We try to flush the 'this' argument when we assign to it in create_this. Except that the 'this' argument wouldn't have been assigned. This results in strange IR corruption, including causing the OSR entry code to try to test the values in the locals associated with the 'this' argument of inlined code - except that the 'this' argument to an inline construct is a temporary, and would not have been initialized at OSR entrypoints. This can lead to strange crashes in OSR entry.
<rdar://problem/12439776>
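The following is an added stress harness shaped like the scenario in the description above: a constructor that reads `arguments`, called via `new` inside a hot loop so that an OSR-capable tier enters mid-loop while the constructor call is a candidate for inlining. It is not a test from the WebKit patch and does not by itself demonstrate the crash; the function and variable names are invented.

```javascript
// Added example, not code from the bug or the WebKit patch.
// Shape: an inlined constructor (`this` is a temporary in the caller's IR)
// whose body also uses `arguments`, executed in a loop long enough for
// on-stack replacement to kick in.

function Point(x, y) {
  // Reading `arguments` forces the engine to model the arguments object
  // for this callee even when the call is inlined.
  this.x = arguments[0];
  this.y = arguments[1];
  this.n = arguments.length;
}

function sumPoints(iterations) {
  let total = 0;
  // Hot loop: a tiering JIT will OSR-enter this loop before it finishes.
  for (let i = 0; i < iterations; i++) {
    const p = new Point(i, i + 1);
    total += p.x + p.y + p.n;
  }
  return total;
}

// Reference value computed without `new` or `arguments`, so the optimized
// path can be checked against a plain interpreter-style computation.
function expectedSum(iterations) {
  let total = 0;
  for (let i = 0; i < iterations; i++) total += i + (i + 1) + 2;
  return total;
}

// Returns the optimized result, the reference result, and whether they agree.
function stress(iterations) {
  const got = sumPoints(iterations);
  const want = expectedSum(iterations);
  return { got, want, ok: got === want };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(stress(200000));
}
```

Run it under a JIT with OSR entry enabled (for JavaScriptCore, `jsc` with a large iteration count); a miscompile of the kind described would surface as a crash during OSR entry or as `ok: false` rather than as an exception.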
Created attachment 181800: the patch
Comment on attachment 181800: the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=181800&action=review

r=me

> Source/JavaScriptCore/dfg/DFGValidate.cpp:80
> +        // Validate that all local variable phis at the head of the root block are dead.

No "phis".

> Source/JavaScriptCore/dfg/DFGValidate.cpp:297
> +    void reportValidationContext()

Remove.
Landed in http://trac.webkit.org/changeset/139136