Patch forthcoming.
It appears that we're converting a GetByVal on a double array to a GetMyArgumentByVal. I'm going to try to construct a reduced test case. We probably have two options:
1) Disable sinking on ClonedArguments. Maybe just disable it if there was some kind of type inference that we can't handle.
2) Make sure that when we convert GetByVal to GetMyArgumentByVal, we respect whatever representation rules there are.
And it looks like the culprit is Node::convertToIdentityOn(). It tries to insert conversion nodes, but it fails to apply the right type checks.
Reduced case:

function foo() {
    "use strict";
    return arguments[0] + 1.5;
}

noInline(foo);

for (var i = 0; i < 10000; ++i) {
    var result = foo(4.2);
    if (result != 5.7)
        throw "Error: bad result: " + result;
}
Created attachment 253073
the patch
Landed in http://trac.webkit.org/changeset/184318
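The reduced case above covers a single double operand. As an added example (not part of the original thread or of WebKit's test suite), the following regression check goes beyond it: it runs the same `arguments[0] + 1.5` load over several value representations and compares each result against a reference that uses a named parameter. The names `viaArguments`, `viaParameter`, `keepOutOfLine`, `SAMPLES` and `checkArgumentsLoads` are hypothetical, and the sample inputs are constructed.

```javascript
// noInline() exists only in the JavaScriptCore test shell; fall back to a
// no-op (assumption) so the same file runs under other engines too.
const keepOutOfLine = typeof noInline === "function" ? noInline : function () {};

// Function under test: reads its operand through the arguments object.
function viaArguments() {
    "use strict";
    return arguments[0] + 1.5;
}

// Reference: same arithmetic through a named parameter, no arguments object.
function viaParameter(x) {
    "use strict";
    return x + 1.5;
}

keepOutOfLine(viaArguments);
keepOutOfLine(viaParameter);

// Constructed sample inputs, one per value representation.
const SAMPLES = [
    ["double", [4.2]],
    ["int32", [7]],
    ["negative zero", [-0]],
    ["NaN", [NaN]],
    ["beyond int32", [2147483648]],
    ["string", ["a"]],
    ["boolean", [true]],
    ["null", [null]],
    ["missing argument", []],
];

// Warm up viaArguments on each sample so an optimizing tier can compile it,
// and record the first iteration at which it disagrees with the reference.
function checkArgumentsLoads(iterations) {
    const mismatches = [];
    for (const [label, args] of SAMPLES) {
        const expected = viaParameter(...args);
        for (let i = 0; i < iterations; ++i) {
            const actual = viaArguments(...args);
            if (!Object.is(actual, expected)) { // Object.is tells NaN and -0 apart correctly
                mismatches.push({ label, iteration: i, actual, expected });
                break;
            }
        }
    }
    return mismatches;
}
```

An empty array from `checkArgumentsLoads(10000)` means every representation produced the same result through `arguments[0]` as through the named parameter.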