109388 2013-02-10 14:06:20 -0800 Implicit type check on local variables hoisting is unsound with respect to CFG simplification 2013-02-28 12:43:51 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED DUPLICATE 109389 P2 Normal --- 109371 110433 1 fpizlo fpizlo barraclough ggaren mark.lam mhahnenberg msaboff oliver sam oldest_to_newest 829355 0 fpizlo 2013-02-10 14:06:20 -0800 We may hoist int, number, cell, or boolean checks into SetLocals. But we do so implicitly - the SetLocal doesn't "know" that it has this check; the CFA and the backend end up just deciding to put checks there without telling anyone else. So, if you CFG simplify and get rid of a SetLocal that had a type check that you had used to construct some proof, then you're going to have a really bad time. 829361 1 fpizlo 2013-02-10 14:55:40 -0800 The best way to solve this is to explicitly have the Fixup phase shove type checks into Phantom nodes with appropriate Edges that are just above the SetLocal. Then CFG simplification will be able to "just work" and not worry about this. This of course relies on https://bugs.webkit.org/show_bug.cgi?id=109371. 844375 2 fpizlo 2013-02-28 12:43:51 -0800 My current approach to fixing this is to handle it as part of DCE hardening. *** This bug has been marked as a duplicate of bug 109389 ***