When a RegExp.test() call is made and the result is spilled prior to a consuming Branch, the Branch will fill the tag and payload, but the spill only stored the payload. Therefore we end up with garbage in the tag register.
Created attachment 199690: Patch

Working on test, but can't seem to reduce down to a test that crashes without the fix. Test will be in subsequent patch.
Comment on attachment 199690: Patch

r=me
Comment on attachment 199690: Patch

I think we could test this just by assigning the result of regexp.test() to a local variable, and then asking if the variable is === true, or === false, depending on the regexp. In theory, the CFA will cause garbage to be stored into the tag of the local variable, causing non-boolean-ness with very high probability.
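A regression test in the shape the comment above suggests, written here as an added example; it is not the test that was committed with the patch, and the loop count and the pad work between call and comparison are assumptions chosen so the function is hot enough to be JIT-compiled and the result has to be held across other work:

```javascript
// Added example, not the project's own test. Calls RegExp.test() in a hot
// loop, stores the result in a local, and then checks it with === so that a
// value whose tag register holds garbage (the bug described in this report)
// would fail the strict comparison instead of silently behaving as a boolean.
function regexpTestResultIsBoolean(iterations) {
  const matching = /foo/;     // should yield === true on "foo"
  const nonMatching = /bar/;  // should yield === false on "foo"
  const subject = "foo";
  let failures = 0;
  for (let i = 0; i < iterations; i++) {
    const hit = matching.test(subject);
    const miss = nonMatching.test(subject);
    // Unrelated work between the call and the consuming branch so the
    // results live in locals across it (assumption: this encourages a spill).
    const pad = (i * 7) % 13;
    // Strict comparisons: a garbage tag would make these false even when
    // the payload is correct.
    if (hit !== true || miss !== false) failures++;
    if (typeof hit !== "boolean" || typeof miss !== "boolean") failures++;
    if (pad < 0) failures++; // never true; keeps pad live
  }
  return failures === 0;
}
```

On an engine with the fix this returns true for any iteration count; a failure is reported as a count rather than a crash, which is what makes the test usable without the fix as well.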
Committed r149128: <http://trac.webkit.org/changeset/149128>
<rdar://problem/13716112>