If there are unboxed integers and cells in the register file (e.g. by SetLocal), they must be reboxed before exiting from the speculative DFG JIT execution.
Created attachment 109397
the patch

This scrubs all obvious crashes of DFG32_64 on SunSpider and Kraken cases. Also the number of Mozilla test failure cases is reduced to 65/1127 with op_call/op_construct enabled in DFG32_64 (compared to 57/1127 without op_call/op_construct support).

- Tested on Linux x86.
Comment on attachment 109397
the patch

This looks great. I'd r+ if I officially had review privileges. :-)
Comment on attachment 109397
the patch

Clearing flags on attachment: 109397

Committed r96458: <http://trac.webkit.org/changeset/96458>
All reviewed patches have been landed. Closing bug.