It must be a regression, because I haven't seen this failure 
previously, near ~ 1-2 weeks before. I'm going to do a bisect.

I finished with the bisecting, http://trac.webkit.org/changeset/181077 
is the culprit. It passed before r181077 and started to fail from r181077.

Didn't you notice the same failure on iOS AArch64 too?

Thank you for your notification, I've now noticed this.
I'll investigate it.

Seeing the result,

1. builtin arrays work fine. pseudo arrays created by Object.create(Array.prototype) fail.
2. They behave like array.length is not shortened.

And major changes introduced by this patch is,

1. Enumeration phase includes pushTry/popTryAndEmitCatch to catch thrown errors & execute iterator.return method.
2. next() is rewritten in JavaScript. So there's chance to inline it. (previously, this function is written in ASM as intrinsic)

Since there's no JIT code changes, I think that I missed something in (1), BytecodeGenerator change.

Filip, does it fail on iOS Aarch64 build?
I don't have any Aarch64 devices, I cannot check it...

Created attachment 248721 [details]
Patch

Seeing the ForOfNode implementation, I found several issues that I missed.
This patch fixes several issues in the existing ForOfNode/BytecodeGenerator.

However, I'm not sure that this patch can solve ARM64 issues originally reported here.

ossy, could you apply this patch in your local ARM64 environment?
This patch includes "attempt to fix".

(In reply to comment #6)
> Seeing the ForOfNode implementation, I found several issues that I missed.
> This patch fixes several issues in the existing ForOfNode/BytecodeGenerator.
> 
> However, I'm not sure that this patch can solve ARM64 issues originally
> reported here.
> 
> ossy, could you apply this patch in your local ARM64 environment?
> This patch includes "attempt to fix".

Sure, will check soon.

Unfortunately it didn't fix the original issue on AArch64 Linux
and the new stress/pseudo-array-length-shorten.js fails too:

stress/pseudo-array-length-shorten.js.no-llint: Exception: Error: bad value 1
stress/pseudo-array-length-shorten.js.no-llint: testLengthShortening@pseudo-array-length-shorten.js:11:24
stress/pseudo-array-length-shorten.js.no-llint: global code@pseudo-array-length-shorten.js:28:21
stress/pseudo-array-length-shorten.js.no-llint: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: Exception: Error: bad value 1
stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: testLengthShortening@pseudo-array-length-shorten.js:11:24
stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: global code@pseudo-array-length-shorten.js:55:21
stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: Exception: Error: bad value 1
stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: testLengthShortening@pseudo-array-length-shorten.js:11:24
stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: global code@pseudo-array-length-shorten.js:55:21
stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.dfg-eager: Exception: Error: bad value 2
stress/pseudo-array-length-shorten.js.dfg-eager: testLengthShortening@pseudo-array-length-shorten.js:9:24
stress/pseudo-array-length-shorten.js.dfg-eager: global code@pseudo-array-length-shorten.js:28:21
stress/pseudo-array-length-shorten.js.dfg-eager: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: Exception: Error: bad value 1
stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: testLengthShortening@pseudo-array-length-shorten.js:11:24
stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: global code@pseudo-array-length-shorten.js:55:21
stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: Exception: Error: bad value 2
stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: testLengthShortening@pseudo-array-length-shorten.js:9:24
stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: global code@pseudo-array-length-shorten.js:28:21
stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.ftl-eager: Exception: Error: bad value 2
stress/pseudo-array-length-shorten.js.ftl-eager: testLengthShortening@pseudo-array-length-shorten.js:9:24
stress/pseudo-array-length-shorten.js.ftl-eager: global code@pseudo-array-length-shorten.js:28:21
stress/pseudo-array-length-shorten.js.ftl-eager: ERROR: Unexpected exit code: 3

stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: Exception: Error: bad value 2
stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: testLengthShortening@pseudo-array-length-shorten.js:9:24
stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: global code@pseudo-array-length-shorten.js:28:21
stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: ERROR: Unexpected exit code: 3

(In reply to comment #8)
> Unfortunately it didn't fix the original issue on AArch64 Linux
> and the new stress/pseudo-array-length-shorten.js fails too:
> 
> stress/pseudo-array-length-shorten.js.no-llint: Exception: Error: bad value 1
> stress/pseudo-array-length-shorten.js.no-llint:
> testLengthShortening@pseudo-array-length-shorten.js:11:24
> stress/pseudo-array-length-shorten.js.no-llint: global
> code@pseudo-array-length-shorten.js:28:21
> stress/pseudo-array-length-shorten.js.no-llint: ERROR: Unexpected exit code:
> 3
> 
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: Exception:
> Error: bad value 1
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate:
> testLengthShortening@pseudo-array-length-shorten.js:11:24
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: global
> code@pseudo-array-length-shorten.js:55:21
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-validate: ERROR:
> Unexpected exit code: 3
> 
> stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: Exception:
> Error: bad value 1
> stress/pseudo-array-length-shorten.js.no-cjit-validate-phases:
> testLengthShortening@pseudo-array-length-shorten.js:11:24
> stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: global
> code@pseudo-array-length-shorten.js:55:21
> stress/pseudo-array-length-shorten.js.no-cjit-validate-phases: ERROR:
> Unexpected exit code: 3
> 
> stress/pseudo-array-length-shorten.js.dfg-eager: Exception: Error: bad value
> 2
> stress/pseudo-array-length-shorten.js.dfg-eager:
> testLengthShortening@pseudo-array-length-shorten.js:9:24
> stress/pseudo-array-length-shorten.js.dfg-eager: global
> code@pseudo-array-length-shorten.js:28:21
> stress/pseudo-array-length-shorten.js.dfg-eager: ERROR: Unexpected exit
> code: 3
> 
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> Exception: Error: bad value 1
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> testLengthShortening@pseudo-array-length-shorten.js:11:24
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: global
> code@pseudo-array-length-shorten.js:55:21
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: ERROR:
> Unexpected exit code: 3
> 
> stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: Exception:
> Error: bad value 2
> stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate:
> testLengthShortening@pseudo-array-length-shorten.js:9:24
> stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: global
> code@pseudo-array-length-shorten.js:28:21
> stress/pseudo-array-length-shorten.js.dfg-eager-no-cjit-validate: ERROR:
> Unexpected exit code: 3
> 
> stress/pseudo-array-length-shorten.js.ftl-eager: Exception: Error: bad value
> 2
> stress/pseudo-array-length-shorten.js.ftl-eager:
> testLengthShortening@pseudo-array-length-shorten.js:9:24
> stress/pseudo-array-length-shorten.js.ftl-eager: global
> code@pseudo-array-length-shorten.js:28:21
> stress/pseudo-array-length-shorten.js.ftl-eager: ERROR: Unexpected exit
> code: 3
> 
> stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: Exception: Error:
> bad value 2
> stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit:
> testLengthShortening@pseudo-array-length-shorten.js:9:24
> stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: global
> code@pseudo-array-length-shorten.js:28:21
> stress/pseudo-array-length-shorten.js.ftl-eager-no-cjit: ERROR: Unexpected
> exit code: 3

Thank you!
This new stress test is just moved & modified version of originally failed one.
So still reported issue is not fixed by this patch.
I'll check it more!

(In reply to comment #4)
> Seeing the result,
> 
> 1. builtin arrays work fine. pseudo arrays created by
> Object.create(Array.prototype) fail.
> 2. They behave like array.length is not shortened.
> 
> And major changes introduced by this patch is,
> 
> 1. Enumeration phase includes pushTry/popTryAndEmitCatch to catch thrown
> errors & execute iterator.return method.
> 2. next() is rewritten in JavaScript. So there's chance to inline it.
> (previously, this function is written in ASM as intrinsic)
> 
> Since there's no JIT code changes, I think that I missed something in (1),
> BytecodeGenerator change.
> 
> Filip, does it fail on iOS Aarch64 build?
> I don't have any Aarch64 devices, I cannot check it...

It does fail on iOS AArch64.

I'll try it.
http://webkit.sed.hu/blog/20140816/quickndirty-set-aarch64-ubuntu-1404-vm-qemu

(In reply to comment #10)
> It does fail on iOS AArch64.

Thank you for your report!
Seeing the results, especially,

> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> Exception: Error: bad value 1
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> testLengthShortening@pseudo-array-length-shorten.js:11:24
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: global
> code@pseudo-array-length-shorten.js:55:21
> stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: ERROR:
> Unexpected exit code: 3

is quite odd. It checks array.length === 1. Since array.length is set to 1 explicitly, this should be 1.

I'm planning to check it on QEMU aarch64 emurators.

(In reply to comment #12)
> (In reply to comment #10)
> > It does fail on iOS AArch64.
> 
> Thank you for your report!
> Seeing the results, especially,
> 
> > stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> > Exception: Error: bad value 1
> > stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate:
> > testLengthShortening@pseudo-array-length-shorten.js:11:24
> > stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: global
> > code@pseudo-array-length-shorten.js:55:21
> > stress/pseudo-array-length-shorten.js.ftl-no-cjit-no-inline-validate: ERROR:
> > Unexpected exit code: 3
> 
> is quite odd. It checks array.length === 1. Since array.length is set to 1
> explicitly, this should be 1.
> 
> I'm planning to check it on QEMU aarch64 emurators.

Building and debugging in qemu is extremely slow. Fortunately we have
real hardware now for testing, so if you have a patch with debug infos
and or tell me which command line argument should I pass JSC, I willingly
try patches and send debug infos.

(In reply to comment #13)
> 
> Building and debugging in qemu is extremely slow. Fortunately we have
> real hardware now for testing, so if you have a patch with debug infos
> and or tell me which command line argument should I pass JSC, I willingly
> try patches and send debug infos.

Great! Thank you.
I'm now planning to identify the root cause of this. To do that, try and error is required; I need to pass variaous input data (input script) and check the result.
So at first, I'll set up the environment and perform try and error on QEMU.

After I identified the root cause of this, I need to check it is correct on some actual machines.
At that time, I'd appreciate it if you would help :)

(In reply to comment #13)

Hi! Could you try the tests with http://trac.webkit.org/changeset/182058 patch?
I think that the above change may fix this issue.

(In reply to comment #15)
> (In reply to comment #13)
> 
> Hi! Could you try the tests with http://trac.webkit.org/changeset/182058
> patch?
> I think that the above change may fix this issue.

I checked it, it passes now and unskipped by https://trac.webkit.org/changeset/182070

If the change/improvement you proposed here is still needed, it would be 
better to do it in another bug report. This title is invalid, r181077 is
innocent, it only revealed this bug.

*** This bug has been marked as a duplicate of bug 142792 ***

(In reply to comment #16)
> I checked it, it passes now and unskipped by
> https://trac.webkit.org/changeset/182070
> 
> If the change/improvement you proposed here is still needed, it would be 
> better to do it in another bug report. This title is invalid, r181077 is
> innocent, it only revealed this bug.
> 
> *** This bug has been marked as a duplicate of bug 142792 ***

Great! I'm happy to hear that :D