Bug 272776 - [WASM-GC] RTT payload offset is wrong when HAVE(36BIT_ADDRESS)
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=272776
David Degazio
Reported 2024-04-16 12:46:26 PDT
rdar://124477605

In Wasm::RTT (see WasmTypeDefinition.h), we allocate a variable-length payload of supertype indices immediately after the RTT structure. To get the offset of the payload, we have the following method:

    static ptrdiff_t offsetOfPayload() { return offsetOfDisplaySize() + sizeof(DisplayCount); }

...and to actually get the address of the payload, we have the following slightly different method:

    const RTT** payload() { return static_cast<const RTT**>(static_cast<void*>(this + 1)); }

In order for these to work correctly, the m_displaySize field must be the very last element of the RTT structure, so that offsetOfDisplaySize() + sizeof(DisplayCount) exactly equals the end of the RTT. This is true on macOS... however, on iOS, or any other platform where we HAVE(36BIT_ADDRESS), we require that the RTT is 16-byte aligned so that it can be easily referenced via 32-bit pointer. This means that after the display size, we have an additional 12 bytes of padding on these platforms, since otherwise the RTT object is only 20 bytes.

So, these functions disagree, with payload() returning the address after the RTT object, and offsetOfPayload() returning an offset 12 bytes before the end of the RTT object. The former is correct; we allocate the payload strictly after the RTT structure, with no overlap. So we should fix offsetOfPayload() to return the end of the whole RTT object and not just the offset after the display size.
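The layout mismatch described in the report, reproduced as an added example that is not WebKit's code: a stand-in struct with invented field names (m_kind, m_typeIndex, m_hash, m_flags) whose five 32-bit fields give the 20 bytes of payload-free object the report mentions, instantiated once at natural alignment (the macOS case) and once at 16-byte alignment (the HAVE(36BIT_ADDRESS) case). It carries both accessors from the report, the fixed offsetOfPayload() that returns sizeof(RTT), and a round-trip check that stores a pointer through payload() and reads it back through each offset the way offset-based consumers would.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

using DisplayCount = uint32_t;

// Stand-in for Wasm::RTT, not WebKit's code. Field names are invented; the
// shape is what matters: 20 bytes of fields with m_displaySize declared
// last, and a payload of const RTT* expected to start right after the object.
// Alignment is a parameter so the natural-alignment (macOS) and 16-byte
// (HAVE(36BIT_ADDRESS)) layouts can be compared in one program.
template <size_t Alignment>
struct alignas(Alignment) RTT {
    uint32_t m_kind;
    uint32_t m_typeIndex;
    uint32_t m_hash;
    uint32_t m_flags;
    DisplayCount m_displaySize;  // last declared field; tail padding may follow it

    static ptrdiff_t offsetOfDisplaySize() { return offsetof(RTT, m_displaySize); }

    // As in the report: correct only when m_displaySize ends exactly where the object ends.
    static ptrdiff_t offsetOfPayloadBuggy() { return offsetOfDisplaySize() + sizeof(DisplayCount); }

    // The fix: the payload starts at the end of the whole object, tail padding included.
    static ptrdiff_t offsetOfPayloadFixed() { return sizeof(RTT); }

    // Where the payload really lives: one whole object past `this`.
    const RTT** payload() { return static_cast<const RTT**>(static_cast<void*>(this + 1)); }
};

// Bytes by which the buggy offset undershoots the real payload (0 when there is no tail padding).
template <size_t Alignment>
ptrdiff_t payloadOffsetSkew() {
    return RTT<Alignment>::offsetOfPayloadFixed() - RTT<Alignment>::offsetOfPayloadBuggy();
}

// Reads payload slot `index` the way code built on an offset would:
// base + payloadOffset + index * sizeof(pointer). memcpy keeps the read well
// defined even when the offset points into padding.
template <size_t Alignment>
const RTT<Alignment>* readSlotAt(const RTT<Alignment>* rtt, ptrdiff_t payloadOffset, size_t index) {
    const RTT<Alignment>* value = nullptr;
    const unsigned char* base = reinterpret_cast<const unsigned char*>(rtt);
    std::memcpy(&value, base + payloadOffset + index * sizeof(value), sizeof(value));
    return value;
}

// Stores a supertype pointer through payload() (the address the allocator
// actually uses), then reads slot 0 back via `payloadOffset`. Returns true if
// the stored pointer comes back intact.
template <size_t Alignment>
bool roundTripsSlot0(ptrdiff_t payloadOffset) {
    // Zero-filled storage for the object plus two payload slots, so a read
    // that lands in the padding yields nullptr rather than garbage.
    struct alignas(Alignment) Storage {
        unsigned char bytes[sizeof(RTT<Alignment>) + 2 * sizeof(const RTT<Alignment>*)];
    } storage{};
    RTT<Alignment>* rtt = new (storage.bytes) RTT<Alignment>{};
    rtt->m_displaySize = 2;

    RTT<Alignment> super{};  // any distinct object works as the stored supertype
    rtt->payload()[0] = &super;
    return readSlotAt(rtt, payloadOffset, 0) == &super;
}

int main() {
    std::printf("natural alignment: sizeof=%zu buggy=%td fixed=%td skew=%td\n",
                sizeof(RTT<4>), RTT<4>::offsetOfPayloadBuggy(),
                RTT<4>::offsetOfPayloadFixed(), payloadOffsetSkew<4>());
    std::printf("16-byte alignment: sizeof=%zu buggy=%td fixed=%td skew=%td\n",
                sizeof(RTT<16>), RTT<16>::offsetOfPayloadBuggy(),
                RTT<16>::offsetOfPayloadFixed(), payloadOffsetSkew<16>());
    std::printf("16-byte: slot 0 intact via buggy offset? %s; via fixed offset? %s\n",
                roundTripsSlot0<16>(RTT<16>::offsetOfPayloadBuggy()) ? "yes" : "no",
                roundTripsSlot0<16>(RTT<16>::offsetOfPayloadFixed()) ? "yes" : "no");
    return 0;
}
```

At natural alignment the two computations agree (both 20), so the defect is invisible on that configuration. With alignas(16) the object grows to 32 bytes, the buggy offset still says 20, and a read through it lands in the 12 bytes of tail padding, which is why payload() and offsetOfPayload() disagreed by exactly 12 bytes in the report. Returning sizeof(RTT) makes the offset track the object's real end on any alignment, including any future change to the field order.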
David Degazio
Comment 1 2024-04-16 12:51:41 PDT
EWS
Comment 2 2024-04-17 11:11:18 PDT
Committed 277626@main (bd190f34248f): <https://commits.webkit.org/277626@main> Reviewed commits have been landed. Closing PR #27349 and removing active labels.