Closed Bug 1697451 Opened 4 years ago Closed 4 years ago

Assertion failure: !isPhi(), at jit/MIR.h:13761

Categories: Core :: JavaScript Engine: JIT, defect, P1
Platform: x86_64, Linux
Status: VERIFIED FIXED, Target Milestone: 88 Branch
Tracking Status: firefox-esr78 --- unaffected; firefox86 --- unaffected; firefox87 --- unaffected; firefox88 --- fixed
People: Reporter: decoder, Assigned: iain
References: (Regression)
Keywords: assertion, regression, testcase; Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: (2 files)

The following testcase crashes on mozilla-central revision 20210309-5f0f6477c734 (debug build, run with --fuzzing-safe --scalar-replace-arguments --baseline-warmup-threshold=0 --no-threads --fast-warmup):

function testMathyFunction (f, inputs) {
  var results = [];
  for (var j = 0; j < inputs.length; ++j) 
    for (var k = 0; k < inputs.length; ++k) 
      results.push(f(inputs[j], inputs[k]));
}
mathy0 = (function(x, y) {
  y ? arguments : x;
})
mathy3 = (function(x, y) { 
  mathy0(y ? x : mathy0());
})
mathy4 = (function(x, y) {
  mathy3(x);
})
testMathyFunction(mathy4, [1, 1/0, -0x080000001, 0x100000001, -0x0ffffffff, Number.MIN_SAFE_INTEGER])

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555575e9f26 in js::jit::ArgumentsReplacer::visitGetArgumentsObjectArg(js::jit::MGetArgumentsObjectArg*) ()
#1  0x00005555575e8f67 in js::jit::ArgumentsReplacer::run() ()
#2  0x00005555575eb0e7 in js::jit::ScalarReplacement(js::jit::MIRGenerator*, js::jit::MIRGraph&) ()
#3  0x000055555788020d in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#4  0x0000555557888ebc in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#5  0x000055555788a79e in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#6  0x000055555788b317 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#7  0x00003fd6a9bef715 in ?? ()
[...]
#14 0x0000000000000000 in ?? ()
rax	0x5555557487a2	93824994281378
rbx	0x7ffff60ead30	140737321545008
rcx	0x555557fd7ff8	93825036812280
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffa9f0	140737488333296
rsp	0x7fffffffa9c0	140737488333248
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x58	88
r11	0x7ffff6dac7a0	140737334921120
r12	0x7ffff60ebfb0	140737321549744
r13	0x7ffff60ebce0	140737321549024
r14	0x7ffff60ebf68	140737321549672
r15	0x7ffff60ebc70	140737321548912
rip	0x5555575e9f26 <js::jit::ArgumentsReplacer::visitGetArgumentsObjectArg(js::jit::MGetArgumentsObjectArg*)+182>
=> 0x5555575e9f26 <_ZN2js3jit17ArgumentsReplacer26visitGetArgumentsObjectArgEPNS0_22MGetArgumentsObjectArgE+182>:	movl   $0x35c1,0x0
   0x5555575e9f31 <_ZN2js3jit17ArgumentsReplacer26visitGetArgumentsObjectArgEPNS0_22MGetArgumentsObjectArgE+193>:	callq  0x555556a7cc1c <abort>
Attached file: Testcase (deleted)

Iain, any idea what might cause the issue and how to fix it?

Flags: needinfo?(iireland)

This is my new arguments analysis code. I'll take a look.

Flags: needinfo?(iireland)

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210310093927-056c2a428e2d.
The bug appears to have been introduced in the following build range:

Start: 7b02a20485dfd5e062112aeba80e4a37d7f4aa31 (20210302190509)
End: e57fcca626d0729634a66aae71dea074fa8ae3fd (20210302190559)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7b02a20485dfd5e062112aeba80e4a37d7f4aa31&tochange=e57fcca626d0729634a66aae71dea074fa8ae3fd

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

I accidentally left a vestigial toInstruction call in visitGetArgumentsObjectArg, which asserts if the inlined argument is a phi. We don't need an instruction here anyway.
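A toy model of the class hierarchy the assertion message refers to, and of the buggy and fixed shapes of visitGetArgumentsObjectArg, added here as an illustration. It is not SpiderMonkey code and not the landed patch: the class names follow MIR.h, but the bodies, the graph, the ArgumentsReplacer interface and the MODEL_ASSERT counter are assumptions. The graph mirrors the testcase's shape: the inlined callee mathy0 receives `y ? x : mathy0()` as a phi of the two branch values, and it touches `arguments`, so the pass must rewrite arguments[0] to that phi.

```cpp
// Toy model of MIR definitions and of an arguments-replacement pass.
// Illustration only; not SpiderMonkey code. Names follow MIR.h, the rest is
// assumed.
#include <memory>
#include <utility>
#include <vector>

// Stand-in for MOZ_ASSERT. A debug build aborts with "Assertion failure:
// !isPhi()"; a release build compiles the check away and the cast below runs
// regardless. Counting failures lets one example show both outcomes.
static int g_modelAssertFailures = 0;
#define MODEL_ASSERT(cond) do { if (!(cond)) ++g_modelAssertFailures; } while (0)

struct MInstruction;

struct MDefinition {
  virtual ~MDefinition() = default;
  virtual bool isPhi() const { return false; }
  MInstruction* toInstruction();  // asserted, otherwise unchecked, downcast
};

struct MInstruction : MDefinition {};

struct MPhi : MDefinition {
  std::vector<MDefinition*> inputs;  // one value per predecessor edge
  bool isPhi() const override { return true; }
};

struct MConstant : MInstruction {
  int value;
  explicit MConstant(int v) : value(v) {}
};

struct MCreateArgumentsObject : MInstruction {};

struct MGetArgumentsObjectArg : MInstruction {
  MDefinition* argsObj;
  unsigned argno;
  MGetArgumentsObjectArg(MDefinition* a, unsigned n) : argsObj(a), argno(n) {}
};

inline MInstruction* MDefinition::toInstruction() {
  MODEL_ASSERT(!isPhi());
  return static_cast<MInstruction*>(this);  // unchecked once the assert is gone
}

// Rewrites arguments[i] in an inlined callee to the i-th actual argument.
struct ArgumentsReplacer {
  const std::vector<MDefinition*>& inlinedArgs;  // actuals, by formal position

  // Buggy shape: the argument is only ever needed as an MDefinition, but a
  // leftover toInstruction() asserts whenever the actual argument is a phi.
  MDefinition* visitGetArgumentsObjectArgBuggy(MGetArgumentsObjectArg* ins) {
    MDefinition* arg = inlinedArgs[ins->argno];
    MInstruction* vestigial = arg->toInstruction();
    (void)vestigial;  // result never used: the call is dead weight
    return arg;
  }

  // Fixed shape: hand back the definition; no downcast is required.
  MDefinition* visitGetArgumentsObjectArgFixed(MGetArgumentsObjectArg* ins) {
    return inlinedArgs[ins->argno];
  }
};

// Constructed graph: callee argument 0 is phi(x, mathy0()), and the callee
// reads arguments[0] through an arguments object.
struct ModelGraph {
  std::vector<std::unique_ptr<MDefinition>> nodes;
  MPhi* phi = nullptr;
  MGetArgumentsObjectArg* getArg = nullptr;
  std::vector<MDefinition*> inlinedArgs;

  template <class T, class... A> T* add(A&&... a) {
    auto p = std::make_unique<T>(std::forward<A>(a)...);
    T* raw = p.get();
    nodes.push_back(std::move(p));
    return raw;
  }
};

ModelGraph buildPhiArgumentGraph() {
  ModelGraph g;
  MConstant* x = g.add<MConstant>(1);          // the `x` branch
  MConstant* r = g.add<MConstant>(2);          // the `mathy0()` branch
  g.phi = g.add<MPhi>();
  g.phi->inputs = {x, r};
  MCreateArgumentsObject* args = g.add<MCreateArgumentsObject>();
  g.getArg = g.add<MGetArgumentsObjectArg>(args, 0u);
  g.inlinedArgs = {g.phi};
  return g;
}

struct RunResult { bool replacedWithPhi; int assertFailures; };

RunResult runBuggy() {
  g_modelAssertFailures = 0;
  ModelGraph g = buildPhiArgumentGraph();
  ArgumentsReplacer rep{g.inlinedArgs};
  MDefinition* repl = rep.visitGetArgumentsObjectArgBuggy(g.getArg);
  return {repl == g.phi, g_modelAssertFailures};  // 1 failure: the bug
}

RunResult runFixed() {
  g_modelAssertFailures = 0;
  ModelGraph g = buildPhiArgumentGraph();
  ArgumentsReplacer rep{g.inlinedArgs};
  MDefinition* repl = rep.visitGetArgumentsObjectArgFixed(g.getArg);
  return {repl == g.phi, g_modelAssertFailures};  // 0 failures
}
```

The point for a reviewer: the downcast's result is never consumed, so the rewrite itself is correct in both shapes and only the assertion distinguishes them in a debug build. In a release build, where MOZ_ASSERT is compiled out, the buggy shape would be a silent cast of a phi to an instruction pointer; deleting the call, as the assignee's comment describes, removes that cast rather than adding a guard around something that was never needed.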

Depends on D107957

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/40df077126c4 Remove unnecessary toInstruction r=jandem
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210312153235-8fdbcaa80217.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Regressed by: 1688033
Has Regression Range: --- → yes