Bug 260515

Created attachment 467385 [details]
Reproducible poc

Commit: 5466cd2c24514bdeee05075d5a2eb35e8c146e40

Run Flag: --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true --useWebAssemblyTailCalls=true

Backtrace:
```
#0  0x00007ffff5ac900b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5aa8859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000555555ac698a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762
#3  0x0000555557de8840 in JSC::Wasm::AirIRGenerator64::emitCoerceToI64 (this=this@entry=0x7fffa9276170, src=..., result=...) at ../../Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:968
#4  0x0000555557e5e501 in JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::addArraySet (this=0x7fffa9276170, typeIndex=0x4, arrayref=..., index=..., value=...)
    at ../../Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:2698
#5  0x0000555557e34ad3 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:2090
#6  0x0000555557e13cab in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:366
#7  0x0000555557e129e5 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse (this=this@entry=0x7fffa9276288) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:336
#8  0x0000555557dfeb82 in JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64> (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., 
    mode=<optimized out>, functionIndex=<optimized out>, hasExceptionHandlers=..., tierUp=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:3956
#9  0x0000555557dfe5ad in JSC::Wasm::parseAndCompileAir (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., mode=<optimized out>, 
    functionIndex=<optimized out>, hasExceptionHandlers=..., tierUp=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:2688
#10 0x0000555557c6fa2c in JSC::Wasm::BBQPlan::compileFunction (this=this@entry=0x7fffec05d800, functionIndex=0x0, callee=..., context=..., unlinkedWasmToWasmCalls=..., tierUp=<optimized out>)
    at ../../Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:307
#11 0x0000555557c6d689 in JSC::Wasm::BBQPlan::work (this=0x7fffec05d800, effort=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:186
#12 0x000055555809a50f in JSC::Wasm::Worklist::Thread::work (this=0x7fffec02e160) at ../../Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#13 0x00005555582308b0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/AutomaticThread.cpp:229
#14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:53
#15 0x00005555582763a9 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:82
#16 WTF::Thread::entryPoint (newThreadContext=0x7fffec02eb10) at ../../Source/WTF/wtf/Threading.cpp:250
#17 0x0000555558339543 in WTF::wtfThreadEntryPoint (context=0x2) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#18 0x00007ffff5fd8609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#19 0x00007ffff5ba5133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
```