## JavaScriptCore Version 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,152,128,128,128,0,4,80,0,95,1,127,0,80,0,94,123,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,137,128,128,128,0,2,112,1,1,2,109,1,0,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,135,128,128,128,0,1,5,0,65,142,127,11]); var wasm_module = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_module); var f = wasm_instance.exports.main; f(); ``` ./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js ## Output ASSERTION FAILED: isExternref(wasmType) || (Options::useWebAssemblyGC() && isSubtype(wasmType, anyrefType())) /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp(232) : JSC::Wasm::ExternRefTable::ExternRefTable(uint32_t, std::optional<uint32_t>, JSC::Wasm::Type) ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737178216384, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007fffed881476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff0c7a16f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762 #6 0x00007ffff50cdd4e in JSC::Wasm::ExternRefTable::ExternRefTable (this=0x606000009140, initial=initial@entry=0, maximum=maximum@entry=std::optional<unsigned int> = {...}, wasmType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp:232 #7 0x00007ffff50cc715 in JSC::Wasm::Table::tryCreate (initial=0, maximum=..., type=<optimized out>, wasmType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp:93 #8 0x00007ffff5189925 in JSC::WebAssemblyModuleRecord::initializeExports (this=0x613000009728, globalObject=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:474 #9 0x00007ffff51207f8 in JSC::JSWebAssemblyInstance::finalizeCreation (this=<optimized out>, vm=..., globalObject=0x300e0b, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at /home/WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:147 #10 0x00007ffff516cfc3 in JSC::constructJSWebAssemblyInstance (globalObject=0x6, callFrame=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:78 #11 0x00007fffabb000c7 in ?? () #12 0x00007fffffffc6d0 in ?? () #13 0x00007ffff0c59b95 in js_trampoline_op_construct () from /home/WebKit/asan/Debug/lib/libJavaScriptCore.so.1 #14 0x0000000000000000 in ?? ()