Somehow a JS function runs twice after DFG optimization.
Created attachment 187677: test.js

The test output once DFG starts to work:

1 --> a --> b 2 --> c 3
1 --> a --> b 2 --> c 3
1 --> a --> b --> a --> b 2 --> c 3

The output with DFGDisassembly: https://gist.github.com/rgabor-szeged/4758227

This problem exists on x86-64 and ARM architectures as well.
Fascinating ... I'll try to take a look.
Yup, this is a fun bug. Int32ToDouble was being injected at a SetLocal, without realizing that it should be doing a forward exit.
Created attachment 187713: the patch
Comment on attachment 187713 (the patch): r=me
Landed in http://trac.webkit.org/changeset/142544
*** Bug 108491 has been marked as a duplicate of this bug. ***