Bug 276935

==============poc.js============= class C3 { #a; constructor(a10) { try { const v11 = ("f").#a; arguments.g = arguments; } catch(e26) { const v29 = new Float64Array(120); for (const v30 in v29) { for (let v31 = 0; v31 < 5; v31++) { } } } } } new C3(-9.99828580875919); new C3("f"); const v47 = new C3(C3); ================================== Run args: ./jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --useConcurrentJIT=0 --validateBCE=true poc.js Result: ASSERTION FAILED: !scope.exception() && result webkit/Source/JavaScriptCore/dfg/DFGOperations.cpp(2304) : JSC::OperationReturnType<JSCell *> JSC::DFG::operationCreateClonedArgumentsDuringExit(JSC::VM *, JSC::InlineCallFrame *, JSC::JSFunction *, uint32_t) Crash Stack: * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268 frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22 frame #2: 0x00007ffff56497fc libc.so.6`abort + 215 frame #3: 0x0000000000db635a jsc`WTFCrashWithInfo((null)=2304, (null)="/data/wjm/webkit_latest/Source/JavaScriptCore/dfg/DFGOperations.cpp", (null)="JSC::OperationReturnType<JSCell *> JSC::DFG::operationCreateClonedArgumentsDuringExit(JSC::VM *, JSC::InlineCallFrame *, JSC::JSFunction *, uint32_t)", (null)=5798) at Assertions.h:829:5 frame #4: 0x000000000157c0a5 jsc`::operationCreateClonedArgumentsDuringExit(vmPointer=0x00007fffa9000000, inlineCallFrame=0x0000000000000000, callee=<unavailable>, argumentCount=<unavailable>) at DFGOperations.cpp:2304:5 frame #5: 0x00007fffaa91c44f frame #6: 0x000000000104fe58 jsc`llint_op_construct + 162 frame #7: 0x000000000102e4ee jsc`llint_call_javascript + 6 frame #8: 0x00000000020adc18 jsc`JSC::Interpreter::executeProgram(this=<unavailable>, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffeb022008) at Interpreter.cpp:1145:28 frame #9: 0x000000000251ace2 jsc`JSC::evaluate(globalObject=0x00007fffa941a088, source=<unavailable>, thisValue=JSValue @ 0x00007fffffffd7d0, returnedException=0x00007fffffffd9f0) at Completion.cpp:137:37 frame #10: 0x0000000000dbb79f jsc`int runJSC<jscmain(int, char**)::$_11>(CommandLine const&, bool, jscmain(int, char**)::$_11 const&) at jsc.cpp:3777:35 frame #11: 0x0000000000dbabdf jsc`int runJSC<jscmain(int, char**)::$_11>(CommandLine const&, bool, jscmain(int, char**)::$_11 const&) [inlined] jscmain(this=<unavailable>, vm=<unavailable>, globalObject=0x00007fffa941a088, success=0x00007fffffffd8a7)::$_11::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4428:13 frame #12: 0x0000000000dbabd2 jsc`int runJSC<jscmain(int, char**)::$_11>(options=0x0000000003b131b8, isWorker=false, func=<unavailable>)::$_11 const&) at jsc.cpp:4210:13 frame #13: 0x0000000000db8911 jsc`jscmain(argc=12, argv=0x00007fffffffdcf8) at jsc.cpp:4421:18 frame #14: 0x0000000000db8517 jsc`main(argc=12, argv=0x00007fffffffdcf8) at jsc.cpp:3535:15 frame #15: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128 frame #16: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137 frame #17: 0x0000000000d9b425 jsc`_start + 37