Bug 109393

Here's the test: function foo(a, p) { var p2; var x; var y; if (p) p2 = true; else p2 = true; if (p2) x = a; else x = 0.5; if (p2) y = a; else y = 0.7; var result = x + y; return [result, [x, y], [x, y], [x, y]]; } for (var i = 0; i < 1000; ++i) print(foo(42, true)); What happens here is that in the first pass we infer that x and y may be double, and infer x + y to be a double operation, and hence the edges from the ValueAdd to its children to be double-using edges. But later we CFG simplify and realize that x + y is actually a + a and a is always an integer. Now some parts of the DFG will think that this is an integer edge (because of predictions on the children of the ValueAdd) and other parts will think that it's a double edge (because of the DoubleUse flag on the edges). We shouldn't have this. There should be one way to tell what type an edge has, and the DFG shouldn't get confused about it. I think that https://bugs.webkit.org/show_bug.cgi?id=109371 ought to fix this. I am making these bugs separate because that other bug describes a change I am making to the DFG while this bug describes an observed symptom. With luck, they will be duplicates, but I'm not going to bet huge sums on this.