Bug 298850
| Summary: | DFG ASSERTION FAILED: Generating OSR exit while node says DoesNotExit | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | anbu1024 |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | RESOLVED FIXED | | |
| Severity: | Major | CC: | bfulgham, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
anbu1024
JavaScriptCore version
```
commit: 3ae1078a1f76b25460f42cec72023404adccd8a4
```
Build commands:
```
Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-Wno-error -Wno-all -Wno-extra -O0 -lrt'"
```
Test case:
```
function foo() {
    const v1 = [0];
    let v2 = 0;
    while (v2 !== 2) {
        v1.a ||= v2;
        v2++;
    }
    return v1;
}
for (let i = 0; i < 32; i++) {
    foo(42);
}
```
Run:
```
./jsc --forceEagerCompilation=true ./mini.js
```
Result:
```
DFG ASSERTION FAILED: Generating OSR exit while node says DoesNotExit
WebKit/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp(24375) : JSC::FTL::OSRExitDescriptor* JSC::FTL::{anonymous}::LowerDFGToB3::appendOSRExitDescriptor(JSC::FTL::FormattedValue, const JSC::MethodOfGettingAValueProfile&, bool)
While handling node D@44
Graph at time of failure:
61: DFG for foo#DaOGfX:[0x7857754a0480->0x7857754a0260->0x785775475c80, DFGFunctionCall, 48 (DidTryToEnterInLoop)]:
61: Fixpoint state: FixpointConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: ExactRefCount
61: Argument formats for entrypoint index: 0 : FlushedJSValue
0 61: Block #0 (bc#0): (OSR target)
0 61: Execution count: 1.000000
0 61: Predecessors:
0 61: Successors: #4 #3
0 61: Dominated by: #0
0 61: Dominates: #0 #3 #4 #5 #8 #9 #10
0 61: Dominance Frontier:
0 61: Iterated Dominance Frontier:
0 61: Backwards dominates by: #root #0 #5 #9
0 61: Backwards dominates: #0
0 61: Control equivalent to: #0 #5 #9
0 61: States: StructuresAreWatched
0 61: Live:
0 61: Values:
0 0 61: D@20:< 9:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
1 0 61: D@68:< 3:-> JSConstant(JS|PureNum|NeedsNaNOrInfinity, Int32, Int32: 1, bc#0, ExitValid)
2 0 61: D@27:< 3:-> JSConstant(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, BoolInt32, Int32: 0, bc#0, ExitValid)
3 0 61: D@1:< 4:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
4 0 61: D@50:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid)
5 0 61: D@32:<!0:-> InitializeEntrypointArguments(MustGen, W:SideState, ClobbersExit, bc#0, ExitValid)
6 0 61: D@67:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid)
7 0 61: D@22:<!0:-> KillStack(MustGen, loc0, W:Stack(loc0), ClobbersExit, bc#0, ExitValid)
8 0 61: D@2:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitInvalid)
9 0 61: D@26:<!0:-> KillStack(MustGen, loc1, W:Stack(loc1), ClobbersExit, bc#0, ExitInvalid)
10 0 61: D@4:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid)
11 0 61: D@29:<!0:-> KillStack(MustGen, loc2, W:Stack(loc2), ClobbersExit, bc#0, ExitInvalid)
12 0 61: D@6:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid)
13 0 61: D@34:<!0:-> KillStack(MustGen, loc3, W:Stack(loc3), ClobbersExit, bc#0, ExitInvalid)
14 0 61: D@8:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid)
15 0 61: D@39:<!0:-> KillStack(MustGen, loc4, W:Stack(loc4), ClobbersExit, bc#0, ExitInvalid)
16 0 61: D@10:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
17 0 61: D@41:<!0:-> KillStack(MustGen, loc4, W:Stack(loc4), ClobbersExit, bc#0, ExitInvalid)
18 0 61: D@14:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid)
19 0 61: D@15:<!0:-> ExitOK(MustGen, W:SideState, bc#0, ExitValid)
20 0 61: D@16:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#0, ExitValid)
21 0 61: D@43:<!0:-> KillStack(MustGen, loc5, W:Stack(loc5), ClobbersExit, bc#1, ExitValid)
22 0 61: D@19:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc5, W:SideState, ClobbersExit, bc#1, ExitInvalid)
23 0 61: D@70:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#4, ExitValid)
24 0 61: D@21:<!0:-> ZombieHint(Check:Untyped:D@20, MustGen, loc6, W:SideState, ClobbersExit, bc#4, ExitInvalid)
25 0 61: D@24:< 8:-> NewArrayBuffer(JS|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Array, <0x7857754a4140, Cell Butterfly>, vectorLengthHint = 1, CopyOnWriteArrayWithInt32, R:HeapObjectCount, W:HeapObjectCount, Exits, bc#7, ExitValid)
26 0 61: D@72:<!0:-> KillStack(MustGen, loc5, W:Stack(loc5), ClobbersExit, bc#7, ExitValid)
27 0 61: D@25:<!0:-> MovHint(Check:Untyped:D@24, MustGen, loc5, W:SideState, ClobbersExit, bc#7, ExitInvalid)
28 0 61: D@48:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#12, ExitValid)
29 0 61: D@28:<!0:-> MovHint(Check:Untyped:D@27, MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitInvalid)
30 0 61: D@52:<!0:-> ExitOK(MustGen, W:SideState, bc#19, ExitValid)
31 0 61: D@33:<!0:-> LoopHint(MustGen, W:SideState, bc#19, ExitValid)
32 0 61: D@36:<!0:-> FilterGetByStatus(Check:Untyped:D@24, MustGen, (Simple, <id='uid:(a)', [0x7856010024e0:[0x10024e0/16786656, Array, (0/0, 0/0){}, CopyOnWriteArrayWithInt32, Unknown, Proto:0x7857770183d8]], [<Object: 0x7857770183d8 with butterfly 0x785775478448(base=0x785775478240) (Structure 0x7856010021d0:[0x10021d0/16785872, Array, (0/0, 50/64){toString:64, values:65, Symbol.iterator:66, toLocaleString:67, concat:68, fill:69, join:70, pop:71, push:72, reverse:73, shift:74, shift:75, slice:76, sort:77, splice:78, unshift:79, every:80, forEach:81, some:82, indexOf:83, lastIndexOf:84, filter:85, flat:86, flatMap:87, reduce:88, reduceRight:89, map:90, keys:91, entries:92, find:93, findLast:94, findIndex:95, findLastIndex:96, includes:97, copyWithin:98, at:99, toReversed:100, toSorted:101, toSpliced:102, with:103, entries:104, forEach:105, includes:106, indexOf:107, keys:108, map:109, pop:110, values:111, Symbol.unscopables:112, constructor:113}, ArrayClass, BecomePrototype, Proto:0x785777018348, Leaf (Watched)]), StructureID: 16785872: Absence of a with prototype Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure 0x785601001de0:[0x1001de0/16784864, Object, (0/0, 12/16){toString:64, toLocaleString:65, valueOf:66, hasOwnProperty:67, propertyIsEnumerable:68, isPrototypeOf:69, __defineGetter__:70, __defineSetter__:71, __lookupGetter__:72, __lookupSetter__:73, __proto__:74, constructor:75}, NonArray, BecomePrototype, Leaf (Watched)]), StructureID: 16784864>, <Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure 0x785601001de0:[0x1001de0/16784864, Object, (0/0, 12/16){toString:64, toLocaleString:65, valueOf:66, hasOwnProperty:67, propertyIsEnumerable:68, isPrototypeOf:69, __defineGetter__:70, __defineSetter__:71, __lookupGetter__:72, __lookupSetter__:73, __proto__:74, constructor:75}, NonArray, BecomePrototype, Leaf (Watched)]), StructureID: 16784864: Absence of a with prototype <JSValue()>>], 
viaGlobalProxy = false, offset = -1>, seenInJIT = true), W:SideState, bc#21, ExitValid)
33 0 61: D@76:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#21, ExitValid)
34 0 61: D@38:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc7, W:SideState, ClobbersExit, bc#21, ExitInvalid)
35 0 61: D@40:<!0:-> Branch(Check:Int32:D@1, MustGen, T:#4/w:10.000000, F:#3/w:10.000000, W:SideState, Exits, bc#27, ExitValid)
0 61: States: TakeBoth, StructuresAreWatched
0 61: Live: D@1, D@20, D@24, D@27, D@68
0 61: Values: D@1=>(None, 1:StructuresAreWatched), D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@27=>(BoolInt32, Int32: 0, 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
3 61: Block #3 (bc#30):
3 61: Execution count: 10.000000
3 61: Predecessors: #0
3 61: Successors: #5
3 61: Dominated by: #0 #3
3 61: Dominates: #3
3 61: Dominance Frontier: #5
3 61: Iterated Dominance Frontier: #5
3 61: Backwards dominates by: #root #3 #5 #9
3 61: Backwards dominates: #3
3 61: Control equivalent to: #3
3 61: States: StructuresAreWatched
3 61: Live: D@1, D@20, D@24, D@27, D@68
3 61: Values: D@1=>(None, none:StructuresAreClobbered), D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@27=>(BoolInt32, Int32: 0, 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
0 3 61: D@57:<!0:-> ExitOK(MustGen, W:SideState, bc#30, ExitValid)
1 3 61: D@51:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#30, ExitValid)
2 3 61: D@42:<!0:-> MovHint(Check:Untyped:D@27, MustGen, loc7, W:SideState, ClobbersExit, bc#30, ExitInvalid)
3 3 61: D@45:<!0:-> PutById(Cell:D@24, Check:Untyped:Kill:D@27, MustGen, cachable-id {uid:(a)}, R:World, W:Heap, Exits, ClobbersExit, bc#33, ExitValid)
4 3 61: D@69:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#39, ExitValid)
5 3 61: D@46:<!0:-> Jump(MustGen, T:#5, W:SideState, bc#39, ExitValid)
3 61: States: InvalidBranchDirection, StructuresAreWatched
3 61: Live: D@1, D@20, D@24, D@68
3 61: Values: D@1=>(None, 2:StructuresAreWatched), D@24=>(Array, TOP, TOP, 2:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 2:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 2:StructuresAreWatched)
4 61: Block #4 (bc#39):
4 61: Execution count: 10.000000
4 61: Predecessors: #0
4 61: Successors: #5
4 61: Dominated by: #0 #4
4 61: Dominates: #4
4 61: Dominance Frontier: #5
4 61: Iterated Dominance Frontier: #5
4 61: Backwards dominates by: #root #4 #5 #9
4 61: Backwards dominates: #4
4 61: Control equivalent to: #4
4 61: States: StructuresAreWatched
4 61: Live: D@1, D@20, D@24, D@68
4 61: Values: D@1=>(None, none:StructuresAreClobbered), D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
0 4 61: D@75:<!0:-> ExitOK(MustGen, W:SideState, bc#39, ExitValid)
1 4 61: D@71:<!0:-> Jump(MustGen, T:#5, W:SideState, bc#39, ExitValid)
4 61: States: InvalidBranchDirection, StructuresAreWatched
4 61: Live: D@1, D@20, D@24, D@68
4 61: Values: D@1=>(None, 1:StructuresAreWatched), D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
5 61: Block #5 (bc#39):
5 61: Execution count: 10.000000
5 61: Predecessors: #4 #3
5 61: Successors: #8 #10
5 61: Dominated by: #0 #5
5 61: Dominates: #5 #8 #9 #10
5 61: Dominance Frontier:
5 61: Iterated Dominance Frontier:
5 61: Backwards dominates by: #root #5 #9
5 61: Backwards dominates: #0 #3 #4 #5
5 61: Control equivalent to: #0 #5 #9
5 61: States: StructuresAreWatched
5 61: Live: D@1, D@20, D@24, D@68
5 61: Values: D@1=>(None, none:StructuresAreClobbered), D@24=>(Array, TOP, TOP, 2:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 2:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 2:StructuresAreWatched)
0 5 61: D@74:<!0:-> ExitOK(MustGen, W:SideState, bc#39, ExitValid)
1 5 61: D@73:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#39, ExitInvalid)
2 5 61: D@49:<!0:-> MovHint(Check:Untyped:D@68, MustGen, loc6, W:SideState, ClobbersExit, bc#39, ExitInvalid)
3 5 61: D@66:<!0:-> ExitOK(MustGen, W:SideState, bc#19, ExitValid)
4 5 61: D@56:<!0:-> LoopHint(MustGen, W:SideState, bc#19, ExitValid)
5 5 61: D@54:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#20, ExitValid)
6 5 61: D@53:<!0:-> FilterGetByStatus(Check:Untyped:D@24, MustGen, (Simple, <id='uid:(a)', [0x7856010024e0:[0x10024e0/16786656, Array, (0/0, 0/0){}, CopyOnWriteArrayWithInt32, Unknown, Proto:0x7857770183d8]], [<Object: 0x7857770183d8 with butterfly 0x785775478448(base=0x785775478240) (Structure 0x7856010021d0:[0x10021d0/16785872, Array, (0/0, 50/64){toString:64, values:65, Symbol.iterator:66, toLocaleString:67, concat:68, fill:69, join:70, pop:71, push:72, reverse:73, shift:74, shift:75, slice:76, sort:77, splice:78, unshift:79, every:80, forEach:81, some:82, indexOf:83, lastIndexOf:84, filter:85, flat:86, flatMap:87, reduce:88, reduceRight:89, map:90, keys:91, entries:92, find:93, findLast:94, findIndex:95, findLastIndex:96, includes:97, copyWithin:98, at:99, toReversed:100, toSorted:101, toSpliced:102, with:103, entries:104, forEach:105, includes:106, indexOf:107, keys:108, map:109, pop:110, values:111, Symbol.unscopables:112, constructor:113}, ArrayClass, BecomePrototype, Proto:0x785777018348, Leaf (Watched)]), StructureID: 16785872: Absence of a with prototype Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure 0x785601001de0:[0x1001de0/16784864, Object, (0/0, 12/16){toString:64, toLocaleString:65, valueOf:66, hasOwnProperty:67, propertyIsEnumerable:68, isPrototypeOf:69, __defineGetter__:70, __defineSetter__:71, __lookupGetter__:72, __lookupSetter__:73, __proto__:74, constructor:75}, NonArray, BecomePrototype, Leaf (Watched)]), StructureID: 16784864>, <Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure 0x785601001de0:[0x1001de0/16784864, Object, (0/0, 12/16){toString:64, toLocaleString:65, valueOf:66, hasOwnProperty:67, propertyIsEnumerable:68, isPrototypeOf:69, __defineGetter__:70, __defineSetter__:71, __lookupGetter__:72, __lookupSetter__:73, __proto__:74, constructor:75}, NonArray, BecomePrototype, Leaf (Watched)]), StructureID: 16784864: Absence of a with prototype <JSValue()>>], 
viaGlobalProxy = false, offset = -1>, seenInJIT = true), W:SideState, bc#21, ExitValid)
7 5 61: D@0:<!0:-> CheckStructure(Cell:D@24, MustGen, [%Dj:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#21, ExitValid)
8 5 61: D@65:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#21, ExitValid)
9 5 61: D@47:<!0:-> MovHint(Check:Untyped:D@1, MustGen, loc7, W:SideState, ClobbersExit, bc#21, ExitInvalid)
10 5 61: D@44:<!0:-> Branch(Int32:Kill:D@1, MustGen, T:#8/w:10.000000, F:#10/w:10.000000, W:SideState, bc#27, ExitValid)
5 61: States: TakeBoth, StructuresAreWatched
5 61: Live: D@20, D@24, D@68
5 61: Values: D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
8 61: Block #8<-#4 (bc#39):
8 61: Execution count: 10.000000
8 61: Predecessors: #5
8 61: Successors: #9
8 61: Dominated by: #0 #5 #8
8 61: Dominates: #8
8 61: Dominance Frontier: #9
8 61: Iterated Dominance Frontier: #9
8 61: Backwards dominates by: #root #8 #9
8 61: Backwards dominates: #8
8 61: Control equivalent to: #8
8 61: States: StructuresAreWatched
8 61: Live: D@20, D@24
8 61: Values: D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched)
0 8 61: D@63:<!0:-> ExitOK(MustGen, W:SideState, bc#39, ExitValid)
1 8 61: D@35:<!0:-> Jump(MustGen, T:#9, W:SideState, bc#39, ExitValid)
8 61: States: InvalidBranchDirection, StructuresAreWatched
8 61: Live: D@20, D@24
8 61: Values: D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched)
9 61: Block #9<-#5 (bc#39):
9 61: Execution count: 10.000000
9 61: Predecessors: #8 #10
9 61: Successors:
9 61: Dominated by: #0 #5 #9
9 61: Dominates: #9
9 61: Dominance Frontier:
9 61: Iterated Dominance Frontier:
9 61: Backwards dominates by: #root #9
9 61: Backwards dominates: #0 #3 #4 #5 #8 #9 #10
9 61: Control equivalent to: #0 #5 #9
9 61: States: StructuresAreWatched
9 61: Live: D@20, D@24
9 61: Values: D@24=>(Array, TOP, TOP, 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched)
0 9 61: D@62:<!0:-> ExitOK(MustGen, W:SideState, bc#39, ExitValid)
1 9 61: D@61:<!0:-> KillStack(MustGen, loc6, W:Stack(loc6), ClobbersExit, bc#39, ExitInvalid)
2 9 61: D@17:<!0:-> ZombieHint(Check:Untyped:Kill:D@20, MustGen, loc6, W:SideState, ClobbersExit, bc#39, ExitInvalid)
3 9 61: D@60:<!0:-> ExitOK(MustGen, W:SideState, bc#46, ExitValid)
4 9 61: D@55:<!0:-> Return(Check:Untyped:Kill:D@24, MustGen, W:SideState, Exits, bc#46, ExitValid)
9 61: States: InvalidBranchDirection, StructuresAreWatched, CFAInvalidated
9 61: Live:
9 61: Values:
10 61: Block #10<-#3 (bc#30):
10 61: Execution count: 10.000000
10 61: Predecessors: #5
10 61: Successors: #9
10 61: Dominated by: #0 #5 #10
10 61: Dominates: #10
10 61: Dominance Frontier: #9
10 61: Iterated Dominance Frontier: #9
10 61: Backwards dominates by: #root #9 #10
10 61: Backwards dominates: #10
10 61: Control equivalent to: #10
10 61: States: StructuresAreWatched
10 61: Live: D@20, D@24, D@68
10 61: Values: D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 1:StructuresAreWatched), D@68=>(BoolInt32, Int32: 1, 1:StructuresAreWatched)
0 10 61: D@59:<!0:-> ExitOK(MustGen, W:SideState, bc#30, ExitValid)
1 10 61: D@58:<!0:-> KillStack(MustGen, loc7, W:Stack(loc7), ClobbersExit, bc#30, ExitValid)
2 10 61: D@3:<!0:-> MovHint(Check:Untyped:D@68, MustGen, loc7, W:SideState, ClobbersExit, bc#30, ExitInvalid)
3 10 61: D@5:<!0:-> PutById(Cell:D@24, Check:Untyped:Kill:D@68, MustGen, cachable-id {uid:(a)}, R:World, W:Heap, Exits, ClobbersExit, bc#33, ExitValid)
4 10 61: D@37:<!0:-> FencedStoreBarrier(Check:KnownCell:D@24, MustGen, R:Heap, W:JSCell_cellState, bc#33, ExitInvalid)
5 10 61: D@7:<!0:-> InvalidationPoint(MustGen, W:SideState, Exits, bc#39, ExitValid)
6 10 61: D@9:<!0:-> Jump(MustGen, T:#9, W:SideState, bc#39, ExitValid)
10 61: States: InvalidBranchDirection, StructuresAreWatched
10 61: Live: D@20, D@24
10 61: Values: D@24=>(Array, TOP, TOP, 2:StructuresAreWatched), D@30=>(NonBoolInt32, Int32: 2, 2:StructuresAreWatched)
61: GC Values:
61: Strong:Cell: 0x785775475c80 (%C9:FunctionExecutable), StructureID: 16778928
61: Weak:Object: 0x7857754627e0 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Eh:Function), StructureID: 16783632
61: Weak:Object: 0x785777050318 with butterfly (nil)(base=0xfffffffffffffff8) (Structure %Ds:JSGlobalLexicalEnvironment), StructureID: 16782512
61: Strong:Cell: 0x7857754a4140 (%BN:Cell Butterfly,ArrayWithInt32), StructureID: 16779488
61: Weak:Object: 0x78577503a088 with butterfly 0x785775494578(base=0x785775494170) (Structure %Bv:global), StructureID: 16799792
61: Desired watchpoints:
61: Watchpoint sets: 0x7857770666e0
61: Inline watchpoint sets: 0x7856010001d8, 0x7856010002b8, 0x785601001518, 0x785601001978, 0x785601000948, 0x785601006318, 0x785601000718, 0x785601000868
61: SymbolTables:
61: FunctionExecutables: 0x785775475c80
61: Buffer views:
61: Object property conditions: <Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure %Ei:Object), StructureID: 16784864: Absence of a with prototype <JSValue()>>, <Object: 0x7857770183d8 with butterfly 0x785775478448(base=0x785775478240) (Structure %AN:Array), StructureID: 16785872: Absence of a with prototype Object: 0x785777018348 with butterfly 0x78577545c2a8(base=0x78577545c220) (Structure %Ei:Object), StructureID: 16784864>
61: Structures:
61: %AN:Array = 0x7856010021d0:[0x10021d0/16785872, Array, (0/0, 50/64){toString:64, values:65, Symbol.iterator:66, toLocaleString:67, concat:68, fill:69, join:70, pop:71, push:72, reverse:73, shift:74, shift:75, slice:76, sort:77, splice:78, unshift:79, every:80, forEach:81, some:82, indexOf:83, lastIndexOf:84, filter:85, flat:86, flatMap:87, reduce:88, reduceRight:89, map:90, keys:91, entries:92, find:93, findLast:94, findIndex:95, findLastIndex:96, includes:97, copyWithin:98, at:99, toReversed:100, toSorted:101, toSpliced:102, with:103, entries:104, forEach:105, includes:106, indexOf:107, keys:108, map:109, pop:110, values:111, Symbol.unscopables:112, constructor:113}, ArrayClass, BecomePrototype, Proto:0x785777018348, Leaf (Watched)]
61: %BN:Cell Butterfly,ArrayWithInt32 = 0x7856010008e0:[0x10008e0/16779488, Cell Butterfly, (0/0, 0/0){}, CopyOnWriteArrayWithInt32, Unknown, Leaf (Watched)]
61: %Bv:global = 0x785601005830:[0x1005830/16799792, global, (0/0, 116/128){Object:64, Function:65, Array:66, RegExp:67, Iterator:68, SharedArrayBuffer:69, String:70, Promise:71, BigInt:72, Symbol:73, WeakRef:74, FinalizationRegistry:75, Intl:76, WebAssembly:77, Symbol.toStringTag:78, testLoopCount:79, wasmTestLoopCount:80, atob:81, btoa:82, disassembleBase64:83, debug:84, describe:85, describeArray:86, print:87, printErr:88, prettyPrint:89, quit:90, gc:91, fullGC:92, edenGC:93, gcHeapSize:94, memoryUsageStatistics:95, MemoryFootprint:96, resetMemoryPeak:97, addressOf:98, version:99, run:100, runString:101, load:102, loadString:103, readFile:104, read:105, writeFile:106, write:107, checkSyntax:108, sleepSeconds:109, jscStack:110, openFile:111, readline:112, preciseTime:113, neverInlineFunction:114, noInline:115, noDFG:116, noFTL:117, noOSRExitFuzzing:118, numberOfDFGCompiles:119, callerIsBBQOrOMGCompiled:120, jscOptions:121, optimizeNextInvocation:122, reoptimizationRetryCount:123, transferArrayBuffer:124, failNextNewCodeBlock:125, OSRExit:126, isFinalTier:127, predictInt32:128, isInt32:129, isPureNaN:130, fiatInt52:131, effectful42:132, makeMasquerader:133, hasCustomProperties:134, createGlobalObject:135, createHeapBigInt:136, useBigInt32:137, isBigInt32:138, isHeapBigInt:139, createNonRopeNonAtomString:140, dumpTypesForAllVariables:141, drainMicrotasks:142, setTimeout:143, releaseWeakRefs:144, finalizationRegistryLiveCount:145, finalizationRegistryDeadCount:146, getRandomSeed:147, setRandomSeed:148, isRope:149, callerSourceOrigin:150, is32BitPlatform:151, checkModuleSyntax:152, checkScriptSyntax:153, platformSupportsSamplingProfiler:154, generateHeapSnapshot:155, generateHeapSnapshotForGCDebugging:156, resetSuperSamplerState:157, ensureArrayStorage:158, startSamplingProfiler:159, samplingProfilerStackTraces:160, maxArguments:161, asyncTestStart:162, asyncTestPassed:163, WebAssemblyMemoryMode:164, createWebAssemblyMemoryWithMode:165, console:166, $:167, $262:168, 
waiterListSize:169, waitForReport:170, heapCapacity:171, flashHeapAccess:172, disableRichSourceInfo:173, mallocInALoop:174, totalCompileTime:175, setUnhandledRejectionCallback:176, asDoubleNumber:177, dropAllLocks:178, performance:179}, NonArray, ChangePrototype, Proto:0x785777018348, Dictionary, Leaf]
61: %C9:FunctionExecutable = 0x7856010006b0:[0x10006b0/16778928, FunctionExecutable, (0/0, 0/0){}, NonArray, Unknown, Leaf (Watched)]
61: %Dj:Array,ArrayWithInt32 = 0x7856010024e0:[0x10024e0/16786656, Array, (0/0, 0/0){}, CopyOnWriteArrayWithInt32, Unknown, Proto:0x7857770183d8]
61: %Ds:JSGlobalLexicalEnvironment = 0x7856010014b0:[0x10014b0/16782512, JSGlobalLexicalEnvironment, (0/0, 0/0){}, NonArray, Unknown, Leaf (Watched)]
61: %Eh:Function = 0x785601001910:[0x1001910/16783632, Function, (0/0, 0/0){}, NonArray, Unknown, Proto:0x785777008688, Leaf (Watched)]
61: %Ei:Object = 0x785601001de0:[0x1001de0/16784864, Object, (0/0, 12/16){toString:64, toLocaleString:65, valueOf:66, hasOwnProperty:67, propertyIsEnumerable:68, isPrototypeOf:69, __defineGetter__:70, __defineSetter__:71, __lookupGetter__:72, __lookupSetter__:73, __proto__:74, constructor:75}, NonArray, BecomePrototype, Leaf (Watched)]
```
This may lead to memory corruption in the engine.
Radar WebKit Bug Importer
<rdar://problem/160593061>
Yusuke Suzuki
OK, this is not a security issue.
The reason is that this condition happens only when the incoming value is already None. This means that we will never reach here at runtime. So regardless of OSR exit code generation, this will never exit.
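
A triage helper for dumps like the one in this report, added here as an example (it is not part of the bug thread or of WebKit): it finds the node named in "While handling node", reads its operand edges, and looks up each operand's abstract value at the head of the node's block, flagging `None` as the case described in the comment above. The `triage` function and its regexes are assumptions based on the dump layout shown in this report; the sample is an excerpt trimmed from that dump.

```python
import re

# Excerpt trimmed from the graph dump in this report (block #5 only).
SAMPLE = """\
DFG ASSERTION FAILED: Generating OSR exit while node says DoesNotExit
While handling node D@44
5 61: Block #5 (bc#39):
5 61: Values: D@1=>(None, none:StructuresAreClobbered), D@24=>(Array, TOP, TOP, 2:StructuresAreWatched)
7 5 61: D@0:<!0:-> CheckStructure(Cell:D@24, MustGen, [%Dj:Array,ArrayWithInt32], R:JSCell_structureID, Exits, bc#21, ExitValid)
10 5 61: D@44:<!0:-> Branch(Int32:Kill:D@1, MustGen, T:#8/w:10.000000, F:#10/w:10.000000, W:SideState, bc#27, ExitValid)
5 61: Values: D@24=>(Array, CopyOnWriteArrayWithInt32, [%Dj:Array,ArrayWithInt32], 1:StructuresAreWatched)
"""

# Patterns assumed from the dump layout above (hypothetical helper, not a WebKit tool).
FAILING = re.compile(r"While handling node D@(\d+)")
BLOCK = re.compile(r"Block #(\d+)")
NODE = re.compile(r"D@(\d+):<[^>]*>\s+(\w+)\((.*)")
EDGE = re.compile(r"((?:\w+:)*)D@(\d+)")
ABSTRACT = re.compile(r"D@(\d+)=>\((\w+)")


def triage(dump):
    """Summarise the failing node and the abstract values of its operands."""
    m = FAILING.search(dump)
    if not m:
        raise ValueError("no 'While handling node' line in dump")
    failing = int(m.group(1))

    block = None
    head = {}      # block id -> {node id: abstract type at block head}
    found = None   # (block, op, args) for the failing node
    for line in dump.splitlines():
        b = BLOCK.search(line)
        if b:
            block = int(b.group(1))
            continue
        # Each block prints "Values:" twice (head and tail); keep the first.
        if "Values:" in line and block is not None and block not in head:
            head[block] = {int(n): t for n, t in ABSTRACT.findall(line)}
            continue
        n = NODE.search(line)
        if n and found is None and int(n.group(1)) == failing:
            found = (block, n.group(2), n.group(3))
    if found is None:
        raise ValueError(f"node D@{failing} not present in dump")

    blk, op, args = found
    operands = []
    for prefix, nid in EDGE.findall(args):
        # Edge text looks like "Check:Untyped:Kill:D@20"; keep only the use kind.
        kinds = [p for p in prefix.split(":") if p and p not in ("Check", "Kill")]
        operands.append({
            "node": int(nid),
            "use": kinds[0] if kinds else "Untyped",
            "abstract": head.get(blk, {}).get(int(nid), "unknown"),
        })
    return {
        "node": failing,
        "op": op,
        "block": blk,
        "operands": operands,
        # An operand whose abstract value is None is the condition the
        # comment above describes: the node is never reached at runtime.
        "unreachable": any(o["abstract"] == "None" for o in operands),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```
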
Yusuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/50838
EWS
Committed 300085@main (f24db23749f4): <https://commits.webkit.org/300085@main>
Reviewed commits have been landed. Closing PR #50838 and removing active labels.