When jsc run code below ,it will throw an ASSERTION FAILED in function JSC::WatchpointSet* JSC::Structure::ensurePropertyReplacementWatchpointSet ``` //poc function main() { const v1 = {length:parseInt}; let v3 = v1; for (let v6 = 0; v6 < 100; v6 = v6 + 2.0) { function v8(v9,v10,v11,v12) { try { const v13 = v9(); const v15 = {get:v13}; const v17 = Object.defineProperty(v13,"c",v15); v3.__proto__ = v13; const v18 = v1.arguments; } catch(v19) { } return v8; } const v21 = [293729.1679360643,2635518607,293729.1679360643,293729.1679360643,293729.1679360643]; const v22 = v21.reduce(v8); } } noDFG(main); noFTL(main); main(); ``` the command line I used ``` jsc --validateOptions=true --useConcurrentJIT=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true '/home/android/Desktop/JSC_Crash/crash_1576593415940_20540_deterministic_6.js ``` and the result I get ``` ASSERTION FAILED: !isUncacheableDictionary() ../../Source/JavaScriptCore/runtime/Structure.cpp(847) : JSC::WatchpointSet* JSC::Structure::ensurePropertyReplacementWatchpointSet(JSC::VM&, JSC::PropertyOffset) Aborted (core dumped) ```