<rdar://problem/20310708>

This test is still flakily failing.

(In reply to comment #2) > This test is still flakily failing. OK, looking at it now.

Turns out to be a pretty bad bug. PreciseLocalClobberize's readTop() method is totally wrong for accesses to "escaped" arguments. There are a handful of ways to fix this and I'll investigate. Here's a version of the test that crashes every time: function foo() { return arguments; } function bar(a, b, c, i) { var a = foo(b, c, 42); return a[i]; } noInline(bar); var expected = [2, 3, 42]; for (var i = 0; i < 10000; ++i) { var result = bar(1, 2, 3, i % 3); if (result != expected[i % 3]) throw "Error: bad result: " + result; }

Same bug, involving ForwardVarargs: function foo() { return arguments; } function baz(a, b, c) { return a + b + c; } function bar(a, b, c) { var args = foo(b, c, 42); return baz.apply(void 0, args); } noInline(bar); for (var i = 0; i < 10000; ++i) { var result = bar(1, 2, 3); if (result != 47) throw "Error: bad result: " + result; }

Created attachment 249738 [details] hopefully the patch Not yet ready for review. I'm still running tests.

Comment on attachment 249738 [details] hopefully the patch Looks like it works!

Comment on attachment 249738 [details] hopefully the patch r=me

Comment on attachment 249738 [details] hopefully the patch Clearing flags on attachment: 249738 Committed r182148: <http://trac.webkit.org/changeset/182148>

All reviewed patches have been landed. Closing bug.