Another stack analysis bug

(defun f55 (z)
  (catch (apply #'+ 1 z)
    :done))

The component from the reduced test case (in comment #1) contains this little gem:

IR1 block 5 start c1
cleanup :BLOCK
start stack: uv25
  1> 45: Z
 46> 47: known combination v27 v45 {derived *}
 48> 49: full mv-combination v23 v25 v47 {derived (VALUES NUMBER &OPTIONAL)}
 50> known combination v12 v19 v49 {derived (VALUES T &OPTIONAL)}
 51> 52: SB-C::%CLEANUP-POINT {GLOBAL-FUNCTION}
 53> known combination v52 {derived (VALUES T &OPTIONAL)}
 54> 55: ':DONE
end stack: uv25 uv55
successors c56
cleanup :CATCH

Note that the mv-combination consumes v25, also known as uv25, yet it is still on the end-stack.

It looks like what we have here is a previously-unknown precondition for STACK analysis, similar to the "DX allocators must end their blocks" constraint. The "full mv-combination" is the APPLY that creates the tag value for CATCH. The "known combination v12 v19 v49" is %CATCH, which is the "mess-up" for the :CATCH cleanup. STACK takes the start-stack of the block that contains the mess-up for a cleanup as being forced live throughout the body of the cleanup, which in this case includes a value that the block itself pops.

START is (uv25). START-STACK is (uv25). END is (uv25 uv55). END-STACK starts as (uv25), has uv25 popped off, and uv55 pushed, making it (uv55). (SUBSETP END END-STACK) is (SUBSETP '(uv25 uv55) '(uv55)) is NIL.

Will be fixed after the freeze with https://github.com/stassats/sbcl/commit/b0fd5baf7fd001a5215e8d2d092201a12e48156c

4b9dec6b5de0aad6d5038fe2810864e58a95a1a8