[Webkit-unassigned] [Bug 205573] New: JSC::WatchpointSet* JSC::Structure::ensurePropertyReplacementWatchpointSet ASSERTION FAILED

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 23 17:28:04 PST 2019 

https://bugs.webkit.org/show_bug.cgi?id=205573

            Bug ID: 205573
           Summary: JSC::WatchpointSet*
                    JSC::Structure::ensurePropertyReplacementWatchpointSet
                    ASSERTION FAILED
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hearmen at 163.com

When jsc run code below ,it will throw an ASSERTION FAILED in function 
JSC::WatchpointSet* JSC::Structure::ensurePropertyReplacementWatchpointSet

```
//poc
function main() {
const v1 = {length:parseInt};
let v3 = v1;
for (let v6 = 0; v6 < 100; v6 = v6 + 2.0) {
    function v8(v9,v10,v11,v12) {
        try {
            const v13 = v9();
            const v15 = {get:v13};
            const v17 = Object.defineProperty(v13,"c",v15);
            v3.__proto__ = v13;
            const v18 = v1.arguments;
        } catch(v19) {
        }
        return v8;
    }
    const v21 = [293729.1679360643,2635518607,293729.1679360643,293729.1679360643,293729.1679360643];
    const v22 = v21.reduce(v8);
}
}
noDFG(main);
noFTL(main);
main();
```

the command line I used

```
jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true '/home/android/Desktop/JSC_Crash/crash_1576593415940_20540_deterministic_6.js
```

and the result I get

```
ASSERTION FAILED: !isUncacheableDictionary()
../../Source/JavaScriptCore/runtime/Structure.cpp(847) : JSC::WatchpointSet* JSC::Structure::ensurePropertyReplacementWatchpointSet(JSC::VM&, JSC::PropertyOffset)
Aborted (core dumped)
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191224/1630bdc0/attachment.htm>

More information about the webkit-unassigned mailing list