The DFG speculative JIT may sometimes perform speculations that are statically wrong. This is inevitable in the current design and is supposed to be both performance neutral in the average and correct, because the JIT will recover once it detects that the speculation was wrong. However, the JIT fails to perform the recovery in the case that a JSConstant node that references a non-int (for example a JSCell*) is speculated to be an Int32. This causes crashes if the GPR that would have contained the Int32 is ever spilled and filled. The spilling code skips spilling under the assumption that the Int32 can be rematerialized, and the filling code crashes because it's not possible to rematerialize something that is not actually an Int32 constant.