Bug 273814 - Assertion failure in void JSC::WatchpointSet::add(JSC::Watchpoint *) (Watchpoint.cpp(112))
Summary: Assertion failure in void JSC::WatchpointSet::add(JSC::Watchpoint *) (Watchp...
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-07 02:16 PDT by m.foley20
Modified: 2024-05-09 14:38 PDT (History)
2 users (show)

See Also:

Attachments
Inconsistent assertion failure: state() != IsInvalidated, Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *) (48.35 KB, application/x-javascript)
2024-05-07 02:16 PDT, m.foley20 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description m.foley20 2024-05-07 02:16:47 PDT 
Created attachment 471298 [details]
Inconsistent assertion failure: state() != IsInvalidated, Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *)

The attached test case can lead to an assertion failue, however this seems to be inconsistent. 

Command:
./jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=40 --thresholdForOptimizeAfterLongWarmUp=40 --thresholdForOptimizeSoon=40 --thresholdForFTLOptimizeAfterWarmUp=80 --thresholdForFTLOptimizeSoon=80 --validateBCE=true bug.js

Expected Behaviour:
 EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"}
EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"}
EXPLORE_FAILURE: v5
EXPLORE_FAILURE: v7
EXPLORE_ACTION: {"operation":"CALL_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"m"}},{"argument":{"index":1}}],"isGuarded":true,"id":"v20"}
Exception: TypeError: calling Int16Array constructor without new is invalid
Int16Array@[native code]

Actual Behaviour:
EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"}
EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"}
EXPLORE_FAILURE: v5
EXPLORE_FAILURE: v7
ASSERTION FAILED: state() != IsInvalidated
/home/mlf20/webkit_latest/Source/JavaScriptCore/bytecode/Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *)
Aborted (core dumped)

Core dump 

                Stack trace of thread 1186518:
                #0  0x00007f283c2969fc n/a (n/a + 0x0)
Comment 1 Fujii Hironori 2024-05-08 22:39:32 PDT 
Did 278223@main solve this?
Comment 2 Alexey Proskuryakov 2024-05-09 14:38:27 PDT 
Moving to resolved for now, as the next step is for the originator to verify if this is still happening.

Thank you for the report!