Bug 260515

Created attachment 467385 [details] Reproducible poc Commit: 5466cd2c24514bdeee05075d5a2eb35e8c146e40 Run Flag: --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true --useWebAssemblyTailCalls=true Backtrace: ``` #0 0x00007ffff5ac900b in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007ffff5aa8859 in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x0000555555ac698a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762 #3 0x0000555557de8840 in JSC::Wasm::AirIRGenerator64::emitCoerceToI64 (this=this@entry=0x7fffa9276170, src=..., result=...) at ../../Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:968 #4 0x0000555557e5e501 in JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::addArraySet (this=0x7fffa9276170, typeIndex=0x4, arrayref=..., index=..., value=...) at ../../Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:2698 #5 0x0000555557e34ad3 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:2090 #6 0x0000555557e13cab in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:366 #7 0x0000555557e129e5 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:336 #8 0x0000555557dfeb82 in JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64> (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., mode=<optimized out>, functionIndex=<optimized out>, hasExceptionHandlers=..., tierUp=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:3956 #9 0x0000555557dfe5ad in JSC::Wasm::parseAndCompileAir (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., mode=<optimized out>, functionIndex=<optimized out>, hasExceptionHandlers=..., tierUp=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:2688 #10 0x0000555557c6fa2c in JSC::Wasm::BBQPlan::compileFunction (this=this@entry=0x7fffec05d800, functionIndex=0x0, callee=..., context=..., unlinkedWasmToWasmCalls=..., tierUp=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:307 #11 0x0000555557c6d689 in JSC::Wasm::BBQPlan::work (this=0x7fffec05d800, effort=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:186 #12 0x000055555809a50f in JSC::Wasm::Worklist::Thread::work (this=0x7fffec02e160) at ../../Source/JavaScriptCore/wasm/WasmWorklist.cpp:111 #13 0x00005555582308b0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/AutomaticThread.cpp:229 #14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:53 #15 0x00005555582763a9 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:82 #16 WTF::Thread::entryPoint (newThreadContext=0x7fffec02eb10) at ../../Source/WTF/wtf/Threading.cpp:250 #17 0x0000555558339543 in WTF::wtfThreadEntryPoint (context=0x2) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242 #18 0x00007ffff5fd8609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #19 0x00007ffff5ba5133 in clone () from /lib/x86_64-linux-gnu/libc.so.6 ```