I will have to think about this. I suspect that most uses of StringImpls in the DFG are totally safe. But the ones that involve debug dumps probably aren't.
Created attachment 200041 work in progress
Created attachment 200081 starting to run things
Still more work to do.
Created attachment 200151 the patch
Comment on attachment 200151 the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=200151&action=review
r=me

> Source/JavaScriptCore/runtime/Identifier.h:251
> + typedef HashMap<StringImpl*, int, IdentifierRepHash, HashTraits<StringImpl*>, IdentifierMapIndexHashTraits> ConcurrentIdentifierMap;

Maybe BorrowedIdentifierMap instead? I don't love "Concurrent" in the name because it might imply safety.
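Review bot: the typedef at Identifier.h:251 keys the map on a raw StringImpl*, so the map holds no reference to its keys and nothing on this line says who keeps them alive. Whichever name is chosen, a comment beside the typedef stating which object owns the StringImpls and for how long a lookup through this map is valid would spell out the borrowing contract, so that a reader does not have to infer it from the type name.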
Looks like I need to fix Structure::addPropertyTransitionToExistingStructure(). I'll do that shortly, and commit this after that is fixed.
Landed in http://trac.webkit.org/changeset/149516