[Webkit-unassigned] [Bug 273814] New: Assertion failure in void JSC::WatchpointSet::add(JSC::Watchpoint *) (Watchpoint.cpp(112))

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 7 02:16:47 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=273814

            Bug ID: 273814
           Summary: Assertion failure in void
                    JSC::WatchpointSet::add(JSC::Watchpoint *)
                    (Watchpoint.cpp(112))
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: m.foley20 at imperial.ac.uk

Created attachment 471298

  --> https://bugs.webkit.org/attachment.cgi?id=471298&action=review

Inconsistent assertion failure: state() != IsInvalidated, Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *)

The attached test case can lead to an assertion failue, however this seems to be inconsistent. 

Command:
./jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=40 --thresholdForOptimizeAfterLongWarmUp=40 --thresholdForOptimizeSoon=40 --thresholdForFTLOptimizeAfterWarmUp=80 --thresholdForFTLOptimizeSoon=80 --validateBCE=true bug.js

Expected Behaviour:
 EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"}
EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"}
EXPLORE_FAILURE: v5
EXPLORE_FAILURE: v7
EXPLORE_ACTION: {"operation":"CALL_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"m"}},{"argument":{"index":1}}],"isGuarded":true,"id":"v20"}
Exception: TypeError: calling Int16Array constructor without new is invalid
Int16Array@[native code]

Actual Behaviour:
EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"}
EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"}
EXPLORE_FAILURE: v5
EXPLORE_FAILURE: v7
ASSERTION FAILED: state() != IsInvalidated
/home/mlf20/webkit_latest/Source/JavaScriptCore/bytecode/Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *)
Aborted (core dumped)

Core dump 

                Stack trace of thread 1186518:
                #0  0x00007f283c2969fc n/a (n/a + 0x0)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240507/b60adee0/attachment.htm>

More information about the webkit-unassigned mailing list