The DFG may emit code that refers to objects in the heap. This is only safe because those same objects would be referenced from inline caches maintained by the old JIT, which only works because the old JIT will never clear inline caches.
Created attachment 115033: the patch
Comment on attachment 115033 (the patch): r=oliver
Comment on attachment 115033 (the patch): This is broken.
Created attachment 115051: the patch
Landed in http://trac.webkit.org/changeset/100221