Bug 284244

Hello, I found a crash in JavaScriptCore. The PoC is shown as below: ============================poc.js======================== class C0 {} const v1 = new C0(); for (let i = 0; i < 10; i++) { const v25 = new SharedArrayBuffer(3614, {"maxByteLength": 3614,}); const v27 = new Int32Array(v25); let originalPrototype = Object.getPrototypeOf(v27); let handler = { get(target, key, receiver) { if ( receiver === v27) return originalPrototype; } }; let newPrototype = new Proxy(originalPrototype, handler); Object.setPrototypeOf(v27, newPrototype); function f28() { try { v1.m(); } catch (e) {} for (let v31 = 0; v31 < 5; v31++) {} } v27[Symbol.toPrimitive] = f28; createGlobalObject().Atomics.waitAsync(v27, 200, v27, 200); } gc(); ========================================================= Reproduce bug: 1. Compile JavaScriptCore in Debug mode. 2. Run jsc: ./jsc -f poc.js --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --useConcurrentJIT=0 Backtrace: * thread #1, name = 'jsc', stop reason = signal SIGABRT * frame #0: 0x00007ffff2c38884 libc.so.6`__pthread_kill_implementation + 276 frame #1: 0x00007ffff2be7afe libc.so.6`raise + 30 frame #2: 0x00007ffff2bd087f libc.so.6`abort + 223 frame #3: 0x00007ffff547320a libJavaScriptCore.so.1`WTFCrashWithInfo((null)=193, (null)="WebKit-https/WebKit_validate/Source/JavaScriptCore/runtime/WaiterListManager.cpp", (null)="void JSC::WaiterListManager::timeoutAsyncWaiter(void *, Ref<JSC::Waiter> &&)", (null)=3555) at Assertions.h:913:5 frame #4: 0x00007ffff691da56 libJavaScriptCore.so.1`JSC::WaiterListManager::timeoutAsyncWaiter(this=<unavailable>, ptr=<unavailable>, waiter=<unavailable>) at WaiterListManager.cpp:193:5 frame #5: 0x00007ffff6e3ffd4 libJavaScriptCore.so.1`WTF::Detail::CallableWrapper<WTF::RunLoop::dispatchAfter(WTF::Seconds, WTF::Function<void ()>&&)::$_2, void>::call() [inlined] WTF::Function<void ()>::operator()(this=<unavailable>) const at Function.h:82:35 frame #6: 0x00007ffff6e3ffc5 libJavaScriptCore.so.1`WTF::Detail::CallableWrapper<WTF::RunLoop::dispatchAfter(WTF::Seconds, WTF::Function<void ()>&&)::$_2, void>::call() [inlined] WTF::RunLoop::dispatchAfter(WTF::Seconds, WTF::Function<void ()>&&)::$_2::operator()(this=<unavailable>) at RunLoop.cpp:179:9 frame #7: 0x00007ffff6e3ffb0 libJavaScriptCore.so.1`WTF::Detail::CallableWrapper<WTF::RunLoop::dispatchAfter(WTF::Seconds, WTF::Function<void ()>&&)::$_2, void>::call(this=<unavailable>) at Function.h:53:39 frame #8: 0x00007ffff6f02d2e libJavaScriptCore.so.1`WTF::RunLoop::runImpl(WTF::RunLoop::RunMode) [inlined] WTF::RunLoop::TimerBase::ScheduledTask::fired(this=0x00007fffe90267c0) at RunLoopGeneric.cpp:64:17 frame #9: 0x00007ffff6f02cbe libJavaScriptCore.so.1`WTF::RunLoop::runImpl(this=0x00007fffe90080e0, runMode=Drain) at RunLoopGeneric.cpp:219:19 frame #10: 0x0000555555569df4 jsc`int runJSC<jscmain(int, char**)::$_9>(options=0x00005555555e2c70, isWorker=false, func=<unavailable>) at jsc.cpp:4300:31 frame #11: 0x0000555555566e33 jsc`jscmain(argc=9, argv=0x00007fffffffd5a8) at jsc.cpp:4499:18 frame #12: 0x0000555555566a40 jsc`main(argc=9, argv=0x00007fffffffd5a8) at jsc.cpp:3573:15 frame #13: 0x00007ffff2bd1b8a libc.so.6`__libc_start_call_main + 122 frame #14: 0x00007ffff2bd1c4b libc.so.6`__libc_start_main@@GLIBC_2.34 + 139 frame #15: 0x0000555555562895 jsc`_start + 37 ASSERTION FAILED: !waiter->isOnList() WebKit-https/WebKit_validate/Source/JavaScriptCore/runtime/WaiterListManager.cpp(193) : void JSC::WaiterListManager::timeoutAsyncWaiter(void *, Ref<JSC::Waiter> &&)