function f() {}
function g(x) {
    return (x >> 0) + Math.imul(+f(), Math.round(1));
}
for (let i = 0; i < 2; ++i) {
    print(g());
}

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
0
0

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --ion-eager testcase.js
0
-13

Tested this on m-c rev aecb76a0cd77.

My configure flags are:

AR=ar sh ./configure --enable-simulator=arm64 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift

python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic --enable-simulator=arm64" -r aecb76a0cd77

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/afb2e1e1665f
user: Sean Stangl
date: Thu Mar 07 03:57:23 2019 +0000
summary: Bug 1528869 - Enable IonMonkey in the ARM64 shell, but keep it disabled in the browser. r=nbp

Setting needinfo? from Sean and Nicolas since this is IonMonkey on ARM64. Also setting [fuzzblocker] because this is hard to differentiate from the other fuzzblocking compare_jit issues.

I can reproduce this issue. I will investigate.

The problem here is that the code got copied from x86-shared, which is lowered with defineReuseInput, however this is not the case on arm64 and we missed a register copy in case the registers are different.

https://hg.mozilla.org/mozilla-central/rev/425b8e0eb6d6