Patch forthcoming.
This looks like an FTL bug. No FTL and the bug goes away.
Wow, this is hilarious. The various escape analyses don't have any clue how to handle:

    a: NewObject()
    b: Check(Number:@a)

or anything else like that where the check is guaranteed to fail.
Created attachment 253012
starting to work
Created attachment 253018
the patch

One of the newly introduced tests is still crashing. I'll investigate whether this is related to my patch or not. If it's unrelated then I'll land the test skipped and file a separate bug.
Attachment 253018 did not pass style-queue:

ERROR: Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:171: Place brace on its own line for function definitions. [whitespace/braces] [4]
ERROR: Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp:111: Place brace on its own line for function definitions. [whitespace/braces] [4]
Total errors found: 2 in 24 files

If any of these errors are false positives, please file a bug against check-webkit-style.
(In reply to comment #4)
> Created attachment 253018
> the patch
>
> One of the newly introduced tests is still crashing. I'll investigate
> whether this is related to my patch or not. If it's unrelated then I'll
> land the test skipped and file a separate bug.

Yup, it's a preexisting separate bug: https://bugs.webkit.org/show_bug.cgi?id=144945
Comment on attachment 253018
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=253018&action=review

> Source/JavaScriptCore/jsc.cpp:624
> +    putDirectNativeFunction(vm, this, Identifier::fromString(&vm, "isInt32"), 0, functionIsInt32, CheckInt32, DontEnum | JSC::Function);

I would prefer CheckInt32Intrinsic to follow the other intrinsics naming.
Landed in http://trac.webkit.org/changeset/184260