The DFG JIT needs to store offsets between the return address and patchable points in the code, because these offsets vary depending on how register allocation works out. As an optimization these were compressed to 8 bits. But the offsets may be greater than 127 when a large number of registers get spilled. It's not clear that the offsets are guaranteed to be less than 256, either, when all registers get spilled, particularly if the number of registers used by the DFG is increased. These offsets should use more bits to be robust against the rare and difficult-to-debug cases where large amounts of spilling occur.
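An added illustration (not WebKit's code) of the failure the report describes: a return-address-relative offset stored in a signed 8-bit field wraps once spilled code pushes the patchable point more than 127 bytes away, whereas a 32-bit field holds it and a checked store catches the overflow at record time. All type and function names below are hypothetical.

```cpp
// Hypothetical stand-ins for a JIT's "return address -> patch point" record.
#include <cstdint>
#include <cstddef>

struct NarrowRecord { std::int8_t offset; };   // the compressed 8-bit form
struct WideRecord   { std::int32_t offset; };  // a wider, robust form

// Plain narrowing store: silently truncates to 8 bits, as the bug describes.
NarrowRecord storeNarrow(std::ptrdiff_t offset) {
    return NarrowRecord{ static_cast<std::int8_t>(offset) };
}

WideRecord storeWide(std::ptrdiff_t offset) {
    return WideRecord{ static_cast<std::int32_t>(offset) };
}

// Checked store: refuses to record an offset the field cannot represent,
// so a spill-heavy compile fails loudly instead of patching the wrong bytes.
bool storeNarrowChecked(std::ptrdiff_t offset, NarrowRecord& out) {
    if (offset < INT8_MIN || offset > INT8_MAX)
        return false;
    out.offset = static_cast<std::int8_t>(offset);
    return true;
}

// Recover the patchable point from the return address plus the stored offset.
std::uintptr_t patchTarget(std::uintptr_t returnAddress, std::ptrdiff_t offset) {
    return returnAddress + offset;
}

// Simulated layout: the patchable point sits `spillBytes` of spill code after
// the return address. These return the address each form would actually patch.
std::uintptr_t narrowTarget(std::uintptr_t returnAddress, std::ptrdiff_t spillBytes) {
    return patchTarget(returnAddress, storeNarrow(spillBytes).offset);
}

std::uintptr_t wideTarget(std::uintptr_t returnAddress, std::ptrdiff_t spillBytes) {
    return patchTarget(returnAddress, storeWide(spillBytes).offset);
}
```

With 130 bytes of spill code the 8-bit form wraps to -126 and would patch 126 bytes before the return address; the 32-bit form and the checked store both expose the problem instead.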
Created attachment 103721: the patch
Comment on attachment 103721 (the patch): Never mind. This doesn't really fix it. Trying again...
Created attachment 103724: the patch
Created attachment 103725: the patch (even better)
Comment on attachment 103725 (the patch (even better)): Clearing flags on attachment 103725. Committed r92911: <http://trac.webkit.org/changeset/92911>
All reviewed patches have been landed. Closing bug.