If you run run-webkit-tests --32-bit --debug fast/js, you will get a crash in running fast/js/dfg-create-inlined-arguments-in-closure-inline with a traceback like: ASSERTION FAILED: isCell() /Volumes/Data/src/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(298) : JSC::JSCell *JSC::JSValue::asCell() const 1 0xfc657 JSC::JSValue::asCell() const 2 0x107a41 JSC::asObject(JSC::JSValue) 3 0x10c805 JSC::Register::function() const 4 0x109acc JSC::ExecState::callee() const 5 0x1dbc7c JSC::InlineCallFrame::calleeForCallFrame(JSC::ExecState*) const 6 0x2b8b8c JSC::Arguments::finishCreation(JSC::ExecState*, JSC::InlineCallFrame*) 7 0x2b7032 JSC::Arguments::create(JSC::JSGlobalData&, JSC::ExecState*, JSC::InlineCallFrame*) 8 0x2b1c6d operationCreateInlinedArguments 9 0x14bbb3e 10 0x3be164 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) 11 0x3ba5be JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 12 0x1e50df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 13 0x8d6a9 functionLoad(JSC::ExecState*) 14 0x14ba68f 15 0x3be164 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) 16 0x3ba5be JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 17 0x1e50df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 18 0x8c61e runInteractive(GlobalObject*) 19 0x8b6cc jscmain(int, char**) 20 0x8b4a7 main 21 0x93901725 start It appears that we aren't setting the tag for the inline callee. <rdar://problem/13095042>