I modified ss-fannkuch to work around the missing JSOP_NOT support (bug 709240) and hit an assertion failure. While reducing this assert, I hit an (unrelated) inference failure. The problem is that we can't fold null/undefined in jsop_getelem_dense, since the resulting SSA no longer mimics the bytecode (required by IsPhiObservable).
Created attachment 594681 [details] [diff] [review] Fix + test Also has a trivial fix for an unrelated STRICTEQ/NE assert I had in my queue - I don't think it deserves its own bug.
Comment on attachment 594681 [details] [diff] [review] Fix + test Okay, I think I understand this now: the way EliminateDeadPhis works requires that we consider the uses in the bytecode to be uses in the SSA as well. If we eliminate the LoadElement of |perm| we consider |perm| as dead. This is tricky and I wouldn't be surprised if we end up deciding to overhaul EliminateDeadPhis later.