    DFG: The assertion that a double-voted variable cannot become double-unvoted is wrong · e793f71d
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=75516
    <rdar://problem/10640266>
    
    Source/JavaScriptCore: 
    
    Reviewed by Gavin Barraclough.
            
    Removed the offending assertion, since it was wrong.  Also hardened the code to make
    this case less likely by first having the propagator fixpoint converge, and then doing
    double voting combined with a second fixpoint.  This is neutral on benchmarks and
    fixes the assertion in a fairly low-risk way (i.e. we won't vote a variable double
    until we've converged to the conclusion that it really is double).
    
    * dfg/DFGPropagator.cpp:
    (JSC::DFG::Propagator::propagatePredictions):
    * dfg/DFGVariableAccessData.h:
    (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
    
    LayoutTests: 
    
    Reviewed by Andy Estes.
            
    Created a fuzzer that produces sufficiently awkward data flow that includes variables
    that become either double, or integer, or a mix of double and integer only after multiple
    iterations of a fixpoint. This crashes the compiler prior to this patch, but works with
    this patch.
    
    * fast/js/dfg-double-vote-fuzz-expected.txt: Added.
    * fast/js/dfg-double-vote-fuzz.html: Added.
    * fast/js/script-tests/dfg-double-vote-fuzz.js: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104016 268f45cc-cd09-0410-ab3c-d52691b4dbfc
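To make the reasoning in the message concrete, here is a small toy model, added as an illustration and not taken from JavaScriptCore's DFG. It keeps only the structure the message describes: a monotone prediction lattice (`kInt`, `kDouble`, their join) propagated over a list of ops, and a "should use double format" vote tallied from uses. The op kinds (`Constant`, `Merge`, and an `IntUse` whose int vote only appears once a guard variable has a prediction) and the voting rules are hypothetical, chosen so that int-context uses become visible only after several propagation passes. `runInterleaved` votes after every single pass, the way the removed assertion implicitly assumed was safe, and on this input it votes `v` double and later has to take the vote back. `runTwoPhase` follows the patch's approach: converge first, vote only on converged predictions, then run the fixpoint again to carry forced-double predictions downstream (seen here on `u`).

```cpp
// Toy model of "converge the propagator, then vote on double format" (illustration only;
// op kinds and vote rules are assumptions, not JavaScriptCore's DFG rules).
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

namespace toy {

using Pred = uint8_t;
constexpr Pred kNone = 0, kInt = 1, kDouble = 2;

struct Variable {
    Pred pred = kNone;        // join of every type observed flowing into the variable
    bool doubleVoted = false; // "should use double format" decision
    int intVotes = 0, doubleVotes = 0;
};

enum class Kind { Constant, Merge, IntUse };

struct Op {
    Kind kind;
    std::string dst;               // Constant/Merge: variable defined; IntUse: variable used
    std::vector<std::string> srcs; // Merge: inputs; IntUse: guard variable (hypothetical)
    Pred constPred = kNone;        // Constant only
};

struct Graph {
    std::map<std::string, Variable> vars;
    std::vector<Op> ops;

    // One in-order pass merging predictions forward. Returns true if any prediction grew.
    bool propagateOnce() {
        bool changed = false;
        for (const Op& op : ops) {
            Pred in = kNone;
            if (op.kind == Kind::Constant) in = op.constPred;
            else if (op.kind == Kind::Merge) for (const auto& s : op.srcs) in |= vars[s].pred;
            else continue; // IntUse defines nothing
            Variable& d = vars[op.dst];
            if ((d.pred | in) != d.pred) { d.pred |= in; changed = true; }
        }
        return changed;
    }
    void propagateToFixpoint() { while (propagateOnce()) {} }

    // Tally votes from uses and decide. A "double" decision forces kDouble into the
    // variable's prediction so a later propagation can carry it downstream.
    // Returns true if any decision changed; sets `unvoted` if one went double -> not double.
    bool voteOnce(bool& unvoted) {
        for (auto& kv : vars) kv.second.intVotes = kv.second.doubleVotes = 0;
        for (const Op& op : ops) {
            if (op.kind == Kind::Merge) {
                for (const auto& a : op.srcs) {   // vote for a based on the other operands
                    Pred other = kNone;
                    for (const auto& b : op.srcs) if (b != a) other |= vars[b].pred;
                    if (other & kDouble) vars[a].doubleVotes++;
                    else if (other == kInt) vars[a].intVotes++;
                }
            } else if (op.kind == Kind::IntUse && vars[op.srcs[0]].pred != kNone) {
                vars[op.dst].intVotes++;          // int-context use, visible once guard is known
            }
        }
        bool changed = false;
        for (auto& kv : vars) {
            Variable& v = kv.second;
            bool now = v.doubleVotes > v.intVotes;
            if (now != v.doubleVoted) { changed = true; if (v.doubleVoted && !now) unvoted = true; }
            v.doubleVoted = now;
            if (now) v.pred |= kDouble;
        }
        return changed;
    }
};

// Vote after every propagation pass; returns whether some vote was ever taken back.
bool runInterleaved(Graph& g) {
    bool unvoted = false;
    for (;;) {
        bool p = g.propagateOnce();
        bool v = g.voteOnce(unvoted);
        if (!p && !v) break;
    }
    return unvoted;
}

// Converge first, then vote, then re-converge until votes stop changing.
bool runTwoPhase(Graph& g) {
    bool unvoted = false;
    g.propagateToFixpoint();
    while (g.voteOnce(unvoted)) g.propagateToFixpoint();
    return unvoted;
}

// Constructed input: v's three int-context uses only become visible after the int
// prediction has travelled s -> q -> p over three passes.
Graph makeExample() {
    Graph g;
    auto C = [](std::string d, Pred p) { return Op{Kind::Constant, d, {}, p}; };
    auto M = [](std::string d, std::vector<std::string> s) { return Op{Kind::Merge, d, s, kNone}; };
    auto I = [](std::string u, std::string guard) { return Op{Kind::IntUse, u, {guard}, kNone}; };
    g.ops = { C("x", kDouble), M("t1", {"v", "x"}), M("p", {"q"}),
              I("v", "p"), I("v", "p"), I("v", "p"), M("q", {"s"}), C("s", kInt),
              C("w", kInt), M("t5", {"w", "x"}), M("u", {"w"}) };
    return g;
}

} // namespace toy

int main() {
    toy::Graph a = toy::makeExample();
    bool flipped = toy::runInterleaved(a);
    toy::Graph b = toy::makeExample();
    bool flippedTwoPhase = toy::runTwoPhase(b);
    std::printf("interleaved voting took a double vote back: %s\n", flipped ? "yes" : "no");
    std::printf("converge-then-vote took a double vote back: %s\n", flippedTwoPhase ? "yes" : "no");
    std::printf("final decision for v agrees: %s\n",
                a.vars["v"].doubleVoted == b.vars["v"].doubleVoted ? "yes" : "no");
    return 0;
}
```

Both schemes reach the same final decisions; the difference is that the interleaved one commits to "double" for `v` on a first pass that has not yet seen the int uses, which is the transient state the old assertion did not allow for. In the two-phase scheme a vote can only add `kDouble` to predictions, so within the second fixpoint the toy's decisions move in one direction only.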