Both allocators have a loop devoted to ensuring that all Defs interfere with each other. Inst::extraClobberedRegs() is like an extra set of Defs. This is important because it's what ensures that we don't put something into a register that is clobbered by a call.
I think that both allocators want an abstraction like:

    inst.forEachTmpIncludingExtra(
        [&] (Tmp tmp, Arg::Role role, Arg::Type type) {
            // tmp is not a reference, since we cannot edit an extraClobberedReg.
        });

This could be implemented as:

    template<typename Functor>
    void forEachTmpIncludingExtra(const Functor& functor)
    {
        forEachTmp(
            [&] (Tmp& tmp, Arg::Role role, Arg::Type type) {
                functor(tmp, role, type);
            });
        if (hasSpecial()) {
            extraClobberedRegs().forEach(
                [&] (Reg reg) {
                    functor(Tmp(reg), Arg::Def, reg.isGPR() ? Arg::GP : Arg::FP);
                });
        }
    }

Armed with such an abstraction, we could fix the bug by just changing which method the register allocators call when handling Def-to-Def interference.
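The following is an added, stand-alone illustration of the point made in the comment above; it is not WebKit code and does not use the real Air types. It models Inst/Tmp/Reg as small toy structs (all names and shapes are assumptions), implements the proposed forEachTmpIncludingExtra, and runs a miniature interference builder over a constructed sequence "x = ...; call (clobbers rax); use x". With the walk that ignores extraClobberedRegs() there is no edge between x and rax, so an allocator could legally place x in rax and have the call destroy it; with the proposed walk the edge appears.

```cpp
// Added example (not WebKit's code): toy model of Air's Inst/Tmp/Reg showing why a
// register allocator must treat Inst::extraClobberedRegs() as extra Defs when it builds
// interference. All type and member names here are assumptions, not the real Air API.
#include <cstdio>
#include <set>
#include <utility>
#include <vector>

namespace toy {

enum class Role { Use, Def };
enum class Type { GP, FP };

struct Reg {
    int index;
    bool isGPR;
    bool operator<(const Reg& o) const { return index < o.index; }
};

// A Tmp is either a virtual temporary (regIndex == -1) or a fixed machine register (id == -1).
struct Tmp {
    int id;
    int regIndex;
    bool isGPR;
    Tmp(int id, int regIndex, bool isGPR) : id(id), regIndex(regIndex), isGPR(isGPR) {}
    explicit Tmp(Reg r) : id(-1), regIndex(r.index), isGPR(r.isGPR) {}
    static Tmp virt(int id, bool isGPR = true) { return Tmp(id, -1, isGPR); }
    bool operator<(const Tmp& o) const { return std::make_pair(id, regIndex) < std::make_pair(o.id, o.regIndex); }
    bool operator==(const Tmp& o) const { return id == o.id && regIndex == o.regIndex; }
};

struct Inst {
    std::vector<std::pair<Tmp, Role>> args;
    bool special = false;          // e.g. a call, which carries extra clobbers
    std::set<Reg> extraClobbered;  // registers clobbered beyond the explicit args

    bool hasSpecial() const { return special; }
    const std::set<Reg>& extraClobberedRegs() const { return extraClobbered; }

    template<typename Functor> void forEachTmp(const Functor& functor) {
        for (auto& arg : args)
            functor(arg.first, arg.second, arg.first.isGPR ? Type::GP : Type::FP);
    }
    // The abstraction proposed in the comment: explicit tmps first, then each extra
    // clobbered register reported as a Def of the matching type (by value, not reference).
    template<typename Functor> void forEachTmpIncludingExtra(const Functor& functor) {
        forEachTmp([&](Tmp& tmp, Role role, Type type) { functor(tmp, role, type); });
        if (hasSpecial()) {
            for (Reg reg : extraClobberedRegs())
                functor(Tmp(reg), Role::Def, reg.isGPR ? Type::GP : Type::FP);
        }
    }
};

using Edge = std::pair<Tmp, Tmp>;
inline Edge edge(Tmp a, Tmp b) { return a < b ? Edge{a, b} : Edge{b, a}; }

// Backwards liveness plus the Def loop: every Def of an inst interferes with every tmp
// live after the inst and with the inst's other Defs. includeExtra selects between the
// walk that sees only explicit args (the bug) and the one that also sees extra clobbers.
inline std::set<Edge> buildInterference(std::vector<Inst>& code, bool includeExtra) {
    std::set<Edge> edges;
    std::set<Tmp> live;
    auto addEdge = [&](Tmp a, Tmp b) { if (!(a == b)) edges.insert(edge(a, b)); };
    for (auto it = code.rbegin(); it != code.rend(); ++it) {
        std::vector<Tmp> defs;
        auto collect = [&](Tmp tmp, Role role, Type) { if (role == Role::Def) defs.push_back(tmp); };
        if (includeExtra) it->forEachTmpIncludingExtra(collect); else it->forEachTmp(collect);
        for (Tmp def : defs) {
            for (Tmp other : live) addEdge(def, other);
            for (Tmp other : defs) addEdge(def, other);
            live.erase(def);
        }
        it->forEachTmp([&](Tmp& tmp, Role role, Type) { if (role == Role::Use) live.insert(tmp); });
    }
    return edges;
}

// Constructed scenario: x = ...; call (clobbers rax); use x. x is live across the call.
inline bool xInterferesWithRax(bool includeExtra) {
    Reg rax{0, true};
    Tmp x = Tmp::virt(0);
    Inst defX; defX.args = {{x, Role::Def}};
    Inst call; call.special = true; call.extraClobbered = {rax};
    Inst useX; useX.args = {{x, Role::Use}};
    std::vector<Inst> code{defX, call, useX};
    std::set<Edge> edges = buildInterference(code, includeExtra);
    return edges.count(edge(x, Tmp(rax))) != 0;
}

} // namespace toy

int main() {
    std::printf("explicit args only: x-rax edge = %d\n", (int)toy::xInterferesWithRax(false));
    std::printf("including extra:    x-rax edge = %d\n", (int)toy::xInterferesWithRax(true));
    return 0;
}
```

The only difference between the two runs is which walk buildInterference calls, which is exactly the one-line change the comment proposes for the real allocators.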
Fixed in https://bugs.webkit.org/show_bug.cgi?id=151246 *** This bug has been marked as a duplicate of bug 151246 ***