The following testcase asserts on TI revision a2bbe9c999b4 (run with -j -m -n), tested on 64 bit. Original test was produced by anion (fuzzer by adrake): function f0(p0) { var v0; v0 = 1.7; loop0: while (v0) { v0 = p0; } } print(f0(3350));

When marking loop-carried registers we need to keep track of whether the target of the entry jump into the loop has been passed during the compiler's scan, so that the register will be loaded before that entry jump (the backedge does not dominate the entry's jump target). We set this flag too early, before the entry register allocation had been computed, and if register state was modified while coercing ints into doubles for phi nodes at the entry point then the entry register state was updated before it had been constructed. http://hg.mozilla.org/projects/jaegermonkey/rev/d7217d210771

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug680809.js.