Created attachment 471298 [details] Inconsistent assertion failure: state() != IsInvalidated, Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *) The attached test case can lead to an assertion failue, however this seems to be inconsistent. Command: ./jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=40 --thresholdForOptimizeAfterLongWarmUp=40 --thresholdForOptimizeSoon=40 --thresholdForFTLOptimizeAfterWarmUp=80 --thresholdForFTLOptimizeSoon=80 --validateBCE=true bug.js Expected Behaviour: EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"} EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"} EXPLORE_FAILURE: v5 EXPLORE_FAILURE: v7 EXPLORE_ACTION: {"operation":"CALL_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"m"}},{"argument":{"index":1}}],"isGuarded":true,"id":"v20"} Exception: TypeError: calling Int16Array constructor without new is invalid Int16Array@[native code] Actual Behaviour: EXPLORE_ACTION: {"operation":"CONSTRUCT","inputs":[{"special":{"name":"exploredValue"}},{"argument":{"index":1}},{"argument":{"index":0}}],"isGuarded":true,"id":"v3"} EXPLORE_ACTION: {"operation":"CONSTRUCT_METHOD","inputs":[{"special":{"name":"exploredValue"}},{"string":{"value":"constructor"}},{"argument":{"index":0}},{"argument":{"index":4}}],"isGuarded":true,"id":"v4"} EXPLORE_FAILURE: v5 EXPLORE_FAILURE: v7 ASSERTION FAILED: state() != IsInvalidated /home/mlf20/webkit_latest/Source/JavaScriptCore/bytecode/Watchpoint.cpp(112) : void JSC::WatchpointSet::add(JSC::Watchpoint *) Aborted (core dumped) Core dump Stack trace of thread 1186518: #0 0x00007f283c2969fc n/a (n/a + 0x0)