The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant. Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action. Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register.
Created attachment 100386 [details]
Comment on attachment 100386 [details]
Clearing flags on attachment: 100386
Committed r90799: <http://trac.webkit.org/changeset/90799>
All reviewed patches have been landed. Closing bug.