After https://bugs.webkit.org/show_bug.cgi?id=139827, a few test failures will start failing. One of them is arguments.js, which can be run this way: $ jsc --useFTLJIT=false --enableFunctionDotArguments=true --enableConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --thresholdForJITAfterWarmUp=10 --thresholdForJITSoon=10 --thresholdForOptimizeAfterWarmUp=20 --thresholdForOptimizeAfterLongWarmUp=20 --thresholdForOptimizeSoon=20 --thresholdForFTLOptimizeAfterWarmUp=20 --thresholdForFTLOptimizeSoon=20 resources/standalone-pre.js arguments.js resources/standalone-post.js The relevant code is as follows: function tear_off_live_2(a, b, c) { var args = arguments; return function() { args[1] = 2; return b; }; } In the generated DFG IR, the fact that CreateArguments replies on the result of CreateActivation is not explicitly spelled out. CreateArguments relies on the created activation (aka LexicalEnvironment) having been stored in the designated lexicalEnvironment local previously. However, without knowing that CreateArgument relies on that local value, CFA declares the store of that local unnecessary and dead code elimination removed it. As a result, the Arguments factory crashes when it use the lexicalEnvironment local but discovers that it is uninitialized. The fix is to pass the result of CreateActivation to CreateArguments as an argument instead of having it implicitly load the lexicalEnvironment from its designated local.
<rdar://problem/19378247>
This issue was resolved as part of the changes for https://bugs.webkit.org/show_bug.cgi?id=141174. *** This bug has been marked as a duplicate of bug 141174 ***