Bug 293911
| Summary: | ASSERTION FAILED: osrEntryCallee.osrEntryScratchBufferSize() == valueSize * osrEntryData.values().size() | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Lilan <z694081360> |
| Component: | WebAssembly | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | daniel_liu4, keith_miller, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Lilan
tested in the following commit:
201464e0c29adb867d38fd481e5ac707a48ea9e2 (wpewebkit-2.48.2)
run argument:
./jsc crash.js
build argument:
./Tools/Scripts/build-jsc --jsc-only --debug
crash.js:
```javascript
// Reproducer posted with the report: a hand-built wasm module whose exported
// function w0 contains a loop; the loop OSR tier-up path shows up in the backtrace below.
const wasmcode = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([
0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0x01, 0x13,
0x03, 0x60, 0x01, 0x7E, 0x01, 0x7C, 0x60, 0x00, 0x00, 0x60,
0x06, 0x7C, 0x7D, 0x7C, 0x7D, 0x7F, 0x7C, 0x01, 0x7D, 0x03,
0x02, 0x01, 0x02, 0x04, 0x01, 0x00, 0x05, 0x01, 0x00, 0x06,
0x01, 0x00, 0x07, 0x06, 0x01, 0x02, 0x77, 0x30, 0x00, 0x00,
0x09, 0x01, 0x00, 0x0A, 0x39, 0x01, 0x37, 0x05, 0x01, 0x7C,
0x01, 0x7E, 0x01, 0x7E, 0x01, 0x7F, 0x01, 0x7C, 0x44, 0x00,
0xF4, 0x82, 0xB5, 0x6C, 0x78, 0x81, 0x3F, 0x21, 0x06, 0x20,
0x04, 0xAC, 0x21, 0x07, 0x20, 0x07, 0x06, 0x00, 0x21, 0x08,
0x41, 0x0A, 0x21, 0x09, 0x03, 0x01, 0x20, 0x09, 0x0D, 0x00,
0x0B, 0x20, 0x06, 0x19, 0x20, 0x00, 0x0B, 0x21, 0x0A, 0x20,
0x03, 0x0B,
])));
wasmcode.exports.w0();
gc(); // jsc shell builtin
```
output:
```
ASSERTION FAILED: osrEntryCallee.osrEntryScratchBufferSize() == valueSize * osrEntryData.values().size()
/root/webkit/Source/JavaScriptCore/wasm/WasmOperations.cpp(865) : void JSC::Wasm::doOSREntry(JSC::JSWebAssemblyInstance *, Probe::Context &, JSC::Wasm::BBQCallee &, JSC::Wasm::OMGOSREntryCallee &, JSC::Wasm::OSREntryData &)
```
backtrace:
```
#0 __futex_abstimed_wait_common64 (private=0, cancel=true, abstime=0x0, op=393, expected=0,
futex_word=0x7fffe7027be4) at ./nptl/futex-internal.c:57
#1 __futex_abstimed_wait_common (cancel=true, private=0, abstime=0x0, clockid=0, expected=0,
futex_word=0x7fffe7027be4) at ./nptl/futex-internal.c:87
#2 __GI___futex_abstimed_wait_cancelable64 (futex_word=futex_word@entry=0x7fffe7027be4,
expected=expected@entry=0, clockid=clockid@entry=0, abstime=abstime@entry=0x0,
private=private@entry=0) at ./nptl/futex-internal.c:139
#3 0x00007ffff0e62a41 in __pthread_cond_wait_common (abstime=0x0, clockid=0, mutex=0x7fffe7027b90,
cond=0x7fffe7027bb8) at ./nptl/pthread_cond_wait.c:503
#4 ___pthread_cond_wait (cond=0x7fffe7027bb8, mutex=0x7fffe7027b90) at ./nptl/pthread_cond_wait.c:627
#5 0x00007ffff78e7efd in WTF::ThreadCondition::wait (this=0x7fffe7027bb8, mutex=...)
at /root/webkit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:650
#6 0x00007ffff78e8026 in WTF::ThreadCondition::timedWait (this=0x7fffe7027bb8, mutex=...,
absoluteTime=...) at /root/webkit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:659
#7 0x00007ffff770f921 in WTF::ParkingLot::parkConditionallyImpl(void const*, WTF::ScopedLambda<bool ()> const&, WTF::ScopedLambda<void ()> const&, WTF::TimeWithDynamicClockType const&) (address=0x7fffe7009618,
validation=..., beforeSleep=..., timeout=...) at /root/webkit/Source/WTF/wtf/ParkingLot.cpp:597
#8 0x00007ffff697878a in WTF::ParkingLot::parkConditionally<WTF::ParkingLot::compareAndPark<unsigned char, unsigned char>(WTF::Atomic<unsigned char> const*, unsigned char)::{lambda()#1}, WTF::ParkingLot::compareAndPark<unsigned char, unsigned char>(WTF::Atomic<unsigned char> const*, unsigned char)::{lambda()#2}>(void const*, WTF::ParkingLot::compareAndPark<unsigned char, unsigned char>(WTF::Atomic<unsigned char> const*, unsigned char)::{lambda()#1} const&, WTF::ParkingLot::compareAndPark<unsigned char, unsigned char>(WTF::Atomic<unsigned char> const*, unsigned char)::{lambda()#2} const&, WTF::TimeWithDynamicClockType const&) (
address=0x7fffe7009618, validation=..., beforeSleep=..., timeout=...)
at WTF/Headers/wtf/ParkingLot.h:82
#9 0x00007ffff6978715 in WTF::ParkingLot::compareAndPark<unsigned char, unsigned char> (
address=0x7fffe7009618, expected=3 '\003') at WTF/Headers/wtf/ParkingLot.h:94
#10 0x00007ffff76ee10e in WTF::LockAlgorithm<unsigned char, (unsigned char)1, (unsigned char)2, WTF::EmptyLockHooks<unsigned char> >::lockSlow (lock=...) at /root/webkit/Source/WTF/wtf/LockAlgorithmInlines.h:84
#11 0x00007ffff76edf56 in WTF::Lock::lockSlow (this=0x7fffe7009618)
at /root/webkit/Source/WTF/wtf/Lock.cpp:51
#12 0x00007ffff4e85575 in WTF::Lock::lock (this=0x7fffe7009618) at WTF/Headers/wtf/Lock.h:70
#13 0x00007ffff4e85534 in WTF::Locker<WTF::Lock, void>::Locker (this=0x7fffffffc790, lock=...)
at WTF/Headers/wtf/Lock.h:197
#14 0x00007ffff702b446 in JSC::IPInt::jitCompileAndSetHeuristics(JSC::Wasm::IPIntCallee*, JSC::JSWebAssemblyInstance*, JSC::IPInt::OSRFor)::{lambda()#1}::operator()() const (this=0x7fffffffc858)
at /root/webkit/Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:123
#15 0x00007ffff70213f4 in JSC::IPInt::jitCompileAndSetHeuristics (callee=0x7fffe712c0e0,
instance=0x7fffe713c218, osrFor=JSC::IPInt::OSRFor::Loop)
at /root/webkit/Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:129
#16 0x00007ffff70218dc in ipint_extern_loop_osr (instance=0x7fffe713c218, callFrame=0x7fffffffccc0,
pc=0x7fffe70709b7 "\001!\031!\032!\033!\034!\035!\036 \a\374\002!\037 \025 \035 \035 \022 \036 \031 \037\r", pl=0x7fffffffca40) at /root/webkit/Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:289
#17 0x00007ffff4da8649 in ipint_loop () from /root/webkit/testCrashBuild/lib/libJavaScriptCore.so.1
#18 0x00007ffff4da8300 in ?? () from /root/webkit/testCrashBuild/lib/libJavaScriptCore.so.1
#19 0x00007fffffffca40 in ?? ()
#20 0x00007fffe7130115 in ?? ()
#21 0x00007fffe70709b6 in ?? ()
#22 0x000000007870cfad in ?? ()
#23 0x000000007870cfad in ?? ()
#24 0x000000001fffffe9 in ?? ()
#25 0x000000001fffffe9 in ?? ()
#26 0x000000000ffffff1 in ?? ()
#27 0x000000000ffffff1 in ?? ()
#28 0x7fefffffffffffff in ?? ()
#29 0x7fefffffffffffff in ?? ()
#30 0x7fefffffffffffff in ?? ()
#31 0x7fefffffffffffff in ?? ()
#32 0x000000001fffffe9 in ?? ()
#33 0x000000001fffffe9 in ?? ()
#34 0x0000000000000000 in ?? ()
```
Radar WebKit Bug Importer
<rdar://problem/152675405>
daniel_liu4
This should already be fixed on ToT; duping
*** This bug has been marked as a duplicate of bug 289723 ***