The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant. Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action. Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register.
Created attachment 100386 [details] the patch
Comment on attachment 100386 [details] the patch Clearing flags on attachment: 100386 Committed r90799: <http://trac.webkit.org/changeset/90799>
All reviewed patches have been landed. Closing bug.