The snippet generator code in the baseline JIT was assuming that bytecode *must* have been constant-propagated. But you can’t guarantee that. For example, this constraint means that almost any optimization performed after constant propagation is an invalid optimization, since it may reveal new constant propagation opportunities.
The bytecode generator runs after we have done some constant propagation in the parser, but it doesn’t guarantee that it won’t also do other things that reveal constants.
The correct thing to do - and indeed the thing that all of our other compiler code does - is to gracefully deal with unfolded operations in the backend. There is no cost to doing so, and it ensures that the compiler doesn't crash if by some weird chance we revealed a constant in some late optimization.
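A toy model of the point made in the description above, added here as an illustration and not taken from the WebKit source or from the attached patch. `Operand`, `lateSimplifySub`, `emitAdd` and the pseudo-assembly are hypothetical names made up for this sketch; it shows a late simplification revealing a constant after propagation has already run, and a generator that emits code for const + const instead of assuming it cannot occur.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Toy operand (constructed): value is the constant, or the register index.
struct Operand { bool isConst; int32_t value; };

static std::string reg(int r) { return "r" + std::to_string(r); }
static std::string imm(int32_t v) { return "#" + std::to_string(v); }

// Late pass that runs after constant propagation: "x - x" becomes constant 0.
bool lateSimplifySub(Operand a, Operand b, Operand& result)
{
    if (a.isConst || b.isConst || a.value != b.value)
        return false;
    result = Operand{true, 0};
    return true;
}

// Emit pseudo-assembly for dst = lhs + rhs. assumeFolded models the brittle
// assumption that const + const never reaches the backend: it returns false
// where a real generator would assert and crash.
bool emitAdd(int dst, Operand lhs, Operand rhs, bool assumeFolded,
             std::vector<std::string>& out)
{
    if (lhs.isConst && rhs.isConst) {
        if (assumeFolded)
            return false;
        // Tolerant path: materialize one constant, then reuse reg + imm.
        out.push_back("mov " + reg(dst) + ", " + imm(lhs.value));
        out.push_back("add " + reg(dst) + ", " + reg(dst) + ", " + imm(rhs.value));
        return true;
    }
    if (lhs.isConst)
        std::swap(lhs, rhs); // add is commutative: keep the constant on the right
    out.push_back("add " + reg(dst) + ", " + reg(lhs.value) + ", "
                  + (rhs.isConst ? imm(rhs.value) : reg(rhs.value)));
    return true;
}

int main()
{
    Operand t{false, 0};
    lateSimplifySub(Operand{false, 1}, Operand{false, 1}, t); // r1 - r1 -> 0
    std::vector<std::string> code;
    return emitAdd(0, t, Operand{true, 5}, false, code) ? 0 : 1;
}
```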
Created attachment 270884
Comment on attachment 270884
Landed in http://trac.webkit.org/changeset/196273