The following test case: ``` //@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true") import * as assert from "../assert.js"; import { compile, instantiate } from "./wast-wrapper.js"; function module(bytes, valid = true) { let buffer = new ArrayBuffer(bytes.length); let view = new Uint8Array(buffer); for (let i = 0; i < bytes.length; ++i) { view[i] = bytes.charCodeAt(i); } return new WebAssembly.Module(buffer); } function testStructSet() { /* * Point(i64) * * (module * (type $Point (struct (field $x (mut i64)))) * (func $doTest (param $p (ref $Point)) (result i64) * (struct.set $Point $x * (local.get $p) * (i64.const 37) * ) * (struct.get $Point $x * (local.get $p) * ) * ) * * (func (export "main") (result i64) * (call $doTest * (struct.new $Point (i64.const 0)) * ) * ) * ) */ let instance = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x0f\x03\x5f\x01\x7e\x01\x60\x01\x6b\x00\x01\x7e\x60\x00\x01\x7e\x03\x03\x02\x01\x02\x07\x08\x01\x04\x6d\x61\x69\x6e\x00\x01\x0a\x1c\x02\x10\x00\x20\x00\x42\x25\xfb\x06\x00\x00\x20\x00\xfb\x03\x00\x00\x0b\x09\x00\x42\x00\xfb\x07\x00\x10\x00\x0b")); assert.eq(instance.exports.main() == 37, true); } testStructSet(); ``` fails non-deterministically when run with the `--collectContinuously=true` JSC flag. This test is minimized from https://searchfox.org/wubkat/source/JSTests/wasm/gc/structs.js . The command line is as follows: ``` jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --collectContinuously\=true --verifyGC\=true --useFTLJIT\=true -m --useWebAssemblyTypedFunctionReferences\=true --useWebAssemblyGC\=true structs.js ``` (Some of the flags may not be necessary to reproduce the bug; this is taken from the flags used by `run-jsc-stress-tests`.) On my machine, the test fails approximately 1 out of 3 times. The abbreviated call stack when it fails is: ``` #0 WTFCrash() () at /app/webkit/Source/WTF/wtf/Assertions.cpp:327 #1 0x00007ffff75cf50f in WTFCrashWithInfoImpl(int, char const*, char const*, int, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, unsigned long) () at /app/webkit/Source/WTF/wtf/Assertions.cpp:733 #2 0x00007ffff6ddb0c0 in WTFCrashWithInfo<unsigned long, unsigned long, unsigned long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long>(int, char const*, char const*, int, unsigned long, unsigned long, unsigned long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long) (line=330, file=0x7ffff4442460 "/app/webkit/Source/JavaScriptCore/runtime/JSCell.cpp", function=0x7ffff4442988 "void JSC::reportZappedCellAndCrash(Heap&, const JSCell*)", counter=2632, reason=140737054723368, misc1=26388279141376, misc2=0, misc3=1782743008, misc4=32, misc5=0x0, misc6=58) at /app/webkit/WebKitBuild/isolating-gc-bug/Debug/WTF/Headers/wtf/Assertions.h:746 #3 0x00007ffff6dd57c3 in JSC::reportZappedCellAndCrash(JSC::Heap&, JSC::JSCell const*) (heap=..., cell=0x7fffe6274d28) at /app/webkit/Source/JavaScriptCore/runtime/JSCell.cpp:330 #4 0x00007ffff6ee1adb in JSC::jsCast<JSC::JSFinalObject*, JSC::JSCell>(JSC::JSCell*) (from=0x7fffe6274d28) at /app/webkit/Source/JavaScriptCore/runtime/JSCast.h:38 #5 0x00007ffff6edd562 in JSC::JSFinalObject::visitChildrenImpl<JSC::SlotVisitor>(JSC::JSCell*, JSC::SlotVisitor&) (cell=0x7fffe6274d28, visitor=...) at /app/webkit/Source/JavaScriptCore/runtime/JSObject.cpp:468 #6 0x00007ffff6eb6577 in JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) (cell=0x7fffe6274d28, visitor=...) at /app/webkit/Source/JavaScriptCore/runtime/JSObject.cpp:480 #7 0x00007ffff671ce37 in JSC::SlotVisitor::visitChildren(JSC::JSCell const*) (this=0x7fffe6028100, cell=0x7fffe6274d28) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitor.cpp:373 #8 0x00007ffff6718966 in operator()(JSC::MarkStackArray&) const (__closure=0x7fffffffc120, stack=...) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitor.cpp:504 #9 0x00007ffff671b9eb in JSC::SlotVisitor::forEachMarkStack<JSC::SlotVisitor::drain(WTF::MonotonicTime)::<lambda(JSC::MarkStackArray&)> >(const struct {...} &) (this=0x7fffe6028100, func=...) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitorInlines.h:184 #10 0x00007ffff6718a79 in JSC::SlotVisitor::drain(WTF::MonotonicTime) (this=0x7fffe6028100, timeout=...) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitor.cpp:494 #11 0x00007ffff6719c0e in JSC::SlotVisitor::donateAndDrain(WTF::MonotonicTime) (this=0x7fffe6028100, timeout=...) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitor.cpp:777 #12 0x00007ffff671970e in JSC::SlotVisitor::drainInParallel(WTF::MonotonicTime) (this=0x7fffe6028100, timeout=...) at /app/webkit/Source/JavaScriptCore/heap/SlotVisitor.cpp:703 #13 0x00007ffff6654760 in JSC::Heap::runFixpointPhase(JSC::GCConductor) (this=0x7fffa4000080, conn=JSC::GCConductor::Mutator) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1488 #14 0x00007ffff6653a14 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) (this=0x7fffa4000080, conn=JSC::GCConductor::Mutator, currentThreadState=0x7fffffffc2e0) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1302 #15 0x00007ffff6656344 in operator()(JSC::CurrentThreadState&) const (__closure=0x7fffffffc380, state=...) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1926 #16 0x00007ffff6671131 in WTF::ScopedLambdaFunctor<void(JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::<lambda(JSC::CurrentThreadState&)> >::implFunction(void *, JSC::CurrentThreadState &) (argument=0x7fffffffc370, arguments#0=...) at /app/webkit/WebKitBuild/isolating-gc-bug/Debug/WTF/Headers/wtf/ScopedLambda.h:106 #17 0x00007ffff670af3d in WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const (this=0x7fffffffc370) at /app/webkit/WebKitBuild/isolating-gc-bug/Debug/WTF/Headers/wtf/ScopedLambda.h:58 #18 0x00007ffff66fb02c in JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (lambda=...) at /app/webkit/Source/JavaScriptCore/heap/MachineStackMarker.cpp:224 #19 0x00007ffff665645d in JSC::Heap::collectInMutatorThread() (this=0x7fffa4000080) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1938 ``` The cause of the failure seems to be that [the JSWebAssemblyStruct class](https://searchfox.org/wubkat/source/Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h#38) inherits from `JSNonFinalObject`, but [new structs are created](https://searchfox.org/wubkat/source/Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h#53) using a `Structure` with a `FinalObjectType` TypeInfo. Changing `FinalObjectType` to `ObjectType` in `JSWebAssemblyStruct::createStructure()` eliminates the bug. I haven't been able to create a test that fails deterministically yet.