Bug 262862

## JavaScriptCore Version 3cf70a3a572708fefd7eb755db3cc211798022a7 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,153,128,128,128,0,4,80,0,95,1,127,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,1,127,0,3,130,128,128,128,0,1,2,4,137,128,128,128,0,2,112,1,1,2,109,1,0,31,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,134,128,128,128,0,1,4,0,32,0,11]); var wasm_module = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_module); var f = wasm_instance.exports.main; f(); ``` ./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js ## Output ASSERTION FAILED: isExternref(wasmType) || (Options::useWebAssemblyGC() && isSubtype(wasmType, anyrefType())) /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp(232) : JSC::Wasm::ExternRefTable::ExternRefTable(uint32_t, std::optional<uint32_t>, JSC::Wasm::Type) ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737139328960) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737139328960) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737139328960, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007fffeb36b476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007fffeb3517f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff03b92ff in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:778 #6 0x00007ffff47e1b4e in JSC::Wasm::ExternRefTable::ExternRefTable ( this=0x606000006320, initial=initial@entry=0, maximum=maximum@entry=std::optional<unsigned int> = {...}, wasmType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp:232 #7 0x00007ffff47e0515 in JSC::Wasm::Table::tryCreate (initial=0, maximum=..., type=<optimized out>, wasmType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTable.cpp:93 #8 0x00007ffff48ac938 in JSC::WebAssemblyModuleRecord::initializeExports ( this=0x613000002028, globalObject=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:475 #9 0x00007ffff48530a8 in JSC::JSWebAssemblyInstance::finalizeCreation ( --Type <RET> for more, q to quit, c to continue without paging--c this=<optimized out>, vm=..., globalObject=0x27caf2, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at /home/WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:147 #10 0x00007ffff4895063 in JSC::constructJSWebAssemblyInstance (globalObject=0x6, callFrame=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:78 #11 0x00007fffa8f000c7 in ?? () #12 0x00007fffffffc710 in ?? () #13 0x00007ffff037107b in js_trampoline_op_construct () from /home/WebKit/WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #14 0x0000000000000000 in ?? ()