Bug 290250

Summary: ASSERTION FAILED: this->variant() != StructureVariant::WebAssemblyGC
Product: WebKit Reporter: katoshi1337
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

katoshi1337
Reported 2025-03-22 01:33:58 PDT
Commit: b12ed39572951123a4b5a99c471e0262e9481001 Command: ./jsc ./poc.js PoC: ``` load("wasm-module-builder.js"); const v4 = new WasmModuleBuilder(); const v17 = [kExprI32Const,42,kGCPrefix,kExprStructNew,v4.addStruct([makeField(kWasmI32, false)]),kGCPrefix,kExprExternConvertAny]; v4.addFunction("foo", makeSig([], [kWasmExternRef])).exportFunc().addBody(v17); globalThis.struct = v4.instantiate().exports.foo(); function f31(a32) { a32.prototype = globalThis.struct; new a32(); } function f44() { } f31(f44); ``` Output: ``` ASSERTION FAILED: this->variant() != StructureVariant::WebAssemblyGC /home/test/WebKit/Source/JavaScriptCore/runtime/Structure.cpp(305) : JSC::Structure::Structure(VM &, StructureVariant, Structure *) ```
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-03-22 01:34:07 PDT
<rdar://problem/147638735>
Yusuke Suzuki
Comment 2 2025-04-06 14:38:24 PDT
Hi! Can you attach wasm-module-builder.js script?
Yusuke Suzuki
Comment 3 2025-04-06 17:17:23 PDT
This is ToT issue.
Yusuke Suzuki
Comment 4 2025-04-06 17:19:16 PDT
Pull request: https://github.com/WebKit/WebKit/pull/43722
EWS
Comment 5 2025-04-06 20:42:06 PDT
Committed 293344@main (ccb7cffd3e58): <https://commits.webkit.org/293344@main> Reviewed commits have been landed. Closing PR #43722 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.