If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns Int32. We may later perform code simplifications based on the proof that this is Int32, and we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at which the ArithAdd is live. This is sufficient to then kill the ArithAdd - except that we still need the overflow check! Currently we mishandle this: - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack to keep it alive. That's dirty and it's just indicative of a deeper issue. - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it powerless. This was sort of hiding the bug. - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill something that you are relying on for subsequent simplifications.
Created attachment 251613 [details] the patch
*** Bug 144148 has been marked as a duplicate of this bug. ***
Comment on attachment 251613 [details] the patch r=me
Landed in http://trac.webkit.org/changeset/183401