The following test asserts on mozilla-central revision a351ae35f2c4 (options -m -n -a): function f0(p0,p1) { var v3; do { p1 > v3 v3=1.7 } while (((p0[p1][5]==1)||(p0[p1][5]==2)||(p0[p1][5] == 3)) + 0 > p0); + (v3(f0)); } f0(4105,8307); Note: The specified mozilla-central revision had a build problem with standalone shell, patch from http://hg.mozilla.org/integration/mozilla-inbound/rev/fff3dc9478ce fixes this.

Wrong test used when identifying entries whose type weakens from double to unknown on a branch, and need to be reset if used to hold a GP reg on the branch. The frame entry itself was tested, rather than the known type information shadowing the frame entry, and the frame entry is not required to reflect that known type. Before branching to a bytecode where the entry was in a GP reg, that reg was loaded for the entry's payload but not forgotten after the branch finished. http://hg.mozilla.org/projects/jaegermonkey/rev/370d051a4c95

Requesting tracking for Firefox 9 to make sure we merge this to m-c, since otherwise bug 684789 is a problem.

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug684576.js.