The issues are demonstrated by the following code: function putSelf(array, index) { index = index << 0; array[index] = index; return true; } shouldBeTrue("putSelf([0], 0);"); shouldBeTrue("putSelf([0], 1/9);"); The bug in PutByVal is that an operand is in JSValueOperand - when this locks an integer into a register it will always retag the value without checking if the register is already locked. This is a problem where the value being stored by a PutByVal is the same as the subscript. The subscript is locked into a register first, as a strict integer. Locking the value results in the subscript being modified. The bug in ValueToInt related to the function of sillentFillAllRegisters. The problem is that this method will restore all register values from prior to the call, overwriting the result of the call out. Allow a register to be passed to specifically be excluded from being preserved.