This is because a regular String (non-Identifier) can be converted into an Identifier. During DFG/FTL compilation, AbstractValue::checkConsistency() may expect a value to be of type SpecStringVar, but the mutator thread may have converted the string into an Identifier. This creates a race where AbstractValue::checkConsistency() may fail because it sees a SpecStringIdent when it expects the a SpecStringVar. The fix is to speculate non-Identifier strings as type SpecString which allows it to be SpecStringVar or SpecStringIndent. <rdar://problem/46480355>
Created attachment 356684 [details] proposed patch.
Comment on attachment 356684 [details] proposed patch. Thanks for the review. Landing now.
Comment on attachment 356684 [details] proposed patch. Clearing flags on attachment: 356684 Committed r238923: <https://trac.webkit.org/changeset/238923>
All reviewed patches have been landed. Closing bug.