RESOLVED FIXED 305771
ASSERTION FAILED: callee.refCount()
https://bugs.webkit.org/show_bug.cgi?id=305771
Summary ASSERTION FAILED: callee.refCount()
katoshi1337
Reported 2026-01-19 06:55:05 PST
poc:

```
const v1 = WebAssembly.Memory;
const o4 = { "initial": 1, "maximum": 1, };
const v5 = new v1(o4);
const v6 = WebAssembly.Instance;
const v7 = WebAssembly.Module;
// Module bytes: import memory "js.mem" (min 1, max 1 page) and export
// do_memcpy(src, dst, n), a loop that copies n i32 words from src to dst.
const v122 = new Uint8Array([0,97,115,109,1,0,0,0,1,7,1,96,3,127,127,127,0,2,12,1,2,106,115,3,109,101,109,2,1,1,1,3,2,1,0,6,1,0,7,13,1,9,100,111,95,109,101,109,99,112,121,0,0,10,57,1,55,1,1,127,65,0,33,3,3,64,2,64,32,2,32,3,70,13,0,32,1,65,4,108,32,3,65,4,108,106,32,0,32,3,65,4,108,106,40,0,0,54,0,0,32,3,65,1,106,33,3,12,1,11,11,11]);
const v123 = new v7(v122);
const o124 = { "mem": v5, };
const o125 = { "js": o124, };
const v126 = new v6(v123, o125);
// i128 is never incremented: the loop keeps calling the export so that the
// low tiering thresholds passed on the command line trigger OSR entry.
for (let i128 = 0; i128 < 1000000;) {
    v126.exports.do_memcpy();
}
gc();
```

command:

```
./jsc --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --useConcurrentJIT=0 --validateDFGClobberize=1 poc.js
```

Output:

```
ASSERTION FAILED: callee.refCount()
/home/ubuntu/WebKit/Source/JavaScriptCore/wasm/WasmOperations.cpp(941) : void JSC::Wasm::operationWasmTriggerOSREntryNow(Probe::Context &)
```
Radar WebKit Bug Importer
Comment 1 2026-01-19 06:55:12 PST
Shu-yu Guo
Comment 2 2026-01-20 15:34:15 PST
This is not a security bug, but a bug in the codegen for --validateDFGClobberize=1.
Shu-yu Guo
Comment 3 2026-01-20 15:35:13 PST
EWS
Comment 4 2026-01-20 16:47:24 PST
Committed 305909@main (c8a415fbb88a): <https://commits.webkit.org/305909@main> Reviewed commits have been landed. Closing PR #56931 and removing active labels.