rdar://110747242
The ScratchScope abstraction used by the new WebAssembly BBQ JIT implementation is supposed to allow for the preservation of certain registers throughout its scope, preventing them from being chosen as scratches or used for newly allocated values. However, we don't actually do this when locations that are already in use are passed to ScratchScope, which largely defeats the purpose of being able to preserve live registers. It's not clear if this can be reproduced by actual WebAssembly sources, but it's definitely not how this class is supposed to work.
Pull request: https://github.com/WebKit/WebKit/pull/14958
https://bugs.webkit.org/show_bug.cgi?id=258044 tracks the same issue, and was created earlier; resolving this as a dupe and closing my PR.
*** This bug has been marked as a duplicate of bug 258044 ***