Created attachment 280637 [details] [TEST] Test case * SUMMARY EXITs when using spread operator with mixed type array. * TEST (function() { function myLog() { var args = Array.from(arguments); print(args.join(" ")); } function myAssert(condition, ...args) { "use strict"; if (!condition) myLog(...args); } noInline(myLog); noInline(myAssert); for (var i = 0; i < 1e6; ++i) myAssert((i % 1e4), "Expected Failure", i); })(); * STEPS TO REPRODUCE 1. jsc test.js -p profile => Profile shows "Bad Type" errors when handling the spread operator * PROFILE Lots more Baseline/DFG runs then expected due to exists. > l myAssert Compilation myAssert#CCcDJe-1-Baseline: Total count: 240941 Max count: 20064 Compilation myAssert#CCcDJe-2-DFG: Total count: 701430 Max count: 58445 EXIT: at bc#190 due to BadType, 5 times Compilation myAssert#CCcDJe-3-FTL: Total count: 11061788 Max count: 921463 Exits are when spreading the array via inlined array iterator code > b myAssert ... [ 169] get_by_id loc17, loc16, done(@id4) predicting None [ 178] jtrue loc17, 50(->228) [ 181] get_by_id loc16, loc16, value(@id5) predicting None [ 190] jmp -104(->86) !!!!! EXIT: in myAssert#CCcDJe-2-DFG due to BadType, 5 times ... Looks like it was predicting Boolint32, but the spreaded array (the rest param) should always have [String ("Expected Failure"), int32 (i)]. So that prediction seems unexpected. > d myAssert ... 9/5/184/0 185:< 3:loc14> GetByOffset(KnownCell:@182, KnownCell:@182, JS|UseAsOther, Boolint32, id5{value}, 1, inferredType = Top, R:NamedProperties(5), Exits, bc#181) predicting Boolint32 9/5/184/0 0x3baa19e02d1a: mov 0x18(%rax), %rsi 9/5/184/0 186:<!0:-> MovHint(Untyped:@185, MustGen, loc16, W:SideState, ClobbersExit, bc#181) 9/5/184/0 187:<!0:-> Check(Check:Int32:@185, MustGen, Exits, bc#181, exit: bc#190) 9/5/184/0 0x3baa19e02d1e: cmp %r14, %rsi 9/5/184/0 0x3baa19e02d21: jb 0x3baa19e0335f !!!!! EXIT: due to BadType, 5 times ...