Bug 256872

Created attachment 466374 [details] poc with wrong result run with： ./WebKitBuild/Debug/bin/jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 test.js `opt` function's IR after PutStack sinking: ``` #0 D@22 : JSConstant(3333) #6 D@68 : Phi(...) D@190: MovHint(D@68,arg1) D@162: PutStack(D@22, arg1) <-- inserted by PutStackSinkingPhase, which is wrong D@126: ArithAdd(CheckOverflow) <-- osr exit here D@131: Return(D@68) ``` expected output: 1111 actual output: 3333 I think it's because `ssaCalculator.reachingDefAtHead` found the value `3333` from the dominator #0, but not the missing phi(probably around D@68), leading to a misjudgment of the variable reference. When analyzing the `then branch` of the first if statement, `a` is marked as `DeadFlush`, and the `functor` argument of `ssaCalculator.computePhis` (in DFGPutStackSinkingPhase.cpp) returns nullptr. The nullptr prevents subsequent ssa calculation, so the `phi` on the last block is not created.