I realized this morning that bug 740446 mishandles two corner cases with the f.apply(arguments) optimization stemming from the use of SSA instead of bytecode pattern-matching. Insane test-cases, but trivial fixes.
Created attachment 614841: fix 1
Because a magic value can be left on the stack even after applySpeculationFailed, it is possible to call applySpeculationFailed even when needsArgsObj is true.
Created attachment 614842: fix 2
If 'arguments' is overwritten, we don't want to clobber it in applySpeculationFailed.
(Note: there is one more fix to review)
Comment on attachment 614842: fix 2
Ah, yeah, meant to review both and got distracted.
Comment on attachment 614841: fix 1
[triage comment] low/no risk to mobile.