Created attachment 324905 [details] ROLLOUT of r223691 Any committer can land this patch automatically by marking it commit-queue+. The commit-queue will build and test the patch before landing to ensure that the rollout will be successful. This process takes approximately 15 minutes. If you would like to land the rollout faster, you can use the following command: webkit-patch land-attachment ATTACHMENT_ID where ATTACHMENT_ID is the ID of this attachment.

Comment on attachment 324905 [details] ROLLOUT of r223691 Clearing flags on attachment: 324905 Committed r223989: <https://trac.webkit.org/changeset/223989>

All reviewed patches have been landed. Closing bug.

*** Bug 178820 has been marked as a duplicate of this bug. ***

With sbarati and fpizlo, we found the origin of this problem: the bug is actually in DFGByteCodeParser.cpp::flush(InlineStackEntry *) and was only made visible in Speedometer by my optimization. The bug is in the following two lines: ``` if (!inlineStackEntry->m_inlineCallFrame && m_graph.needsFlushedThis()) flushDirect(virtualRegisterForArgument(0)); ``` It causes 'this' not to be correctly preserved for OSR exit in some corner cases. It is fixed by adding the following just afterwards: ``` else phantomLocalDirect(virtualRegisterForArgument(0)); ``` I will upload a fix on this bug as soon as I manage to write a minimized test case that triggers without my optimization.

I thought I would do this as a separate patch, but as I could not build a regression test that does not use https://bugs.webkit.org/show_bug.cgi?id=176601, I decided to merge the two bugs together. *** This bug has been marked as a duplicate of bug 176601 ***