Created attachment 466374 [details] poc with wrong result run with: ./WebKitBuild/Debug/bin/jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 test.js `opt` function's IR after PutStack sinking: ``` #0 D@22 : JSConstant(3333) #6 D@68 : Phi(...) D@190: MovHint(D@68,arg1) D@162: PutStack(D@22, arg1) <-- inserted by PutStackSinkingPhase, which is wrong D@126: ArithAdd(CheckOverflow) <-- osr exit here D@131: Return(D@68) ``` expected output: 1111 actual output: 3333 I think it's because `ssaCalculator.reachingDefAtHead` found the value `3333` from the dominator #0, but not the missing phi(probably around D@68), leading to a misjudgment of the variable reference. When analyzing the `then branch` of the first if statement, `a` is marked as `DeadFlush`, and the `functor` argument of `ssaCalculator.computePhis` (in DFGPutStackSinkingPhase.cpp) returns nullptr. The nullptr prevents subsequent ssa calculation, so the `phi` on the last block is not created.
<rdar://problem/109752832>
Pull request: https://github.com/WebKit/WebKit/pull/15613
Committed 265866@main (8495ff2f3399): <https://commits.webkit.org/265866@main> Reviewed commits have been landed. Closing PR #15613 and removing active labels.