Bug 262863

Summary: ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key) /home/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/HashTable.h(648) : void WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>, WTF::KeyValuePairKey
Product: WebKit Reporter: xiangwei1895
Component: WebAssembly Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: justin_michaud, keith_miller, mark.lam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description xiangwei1895 2023-10-08 05:17:03 PDT
## JavaScriptCore Version
3cf70a3a572708fefd7eb755db3cc211798022a7

## Build 
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"

## Testcase and Execution Steps

```
// Reproducer from the report: a hand-encoded WebAssembly binary that makes a
// debug build of JSC fail ASSERT(!HashTranslator::equal(KeyTraits::emptyValue(), key))
// in WTF::HashTable::checkKey (HashTable.h:648). The report runs it with
// --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true.
//
// The first eight bytes are the wasm magic "\0asm" followed by version 1; the
// bytes 109,97,105,110 spell the export name "main" that is looked up below.
//
// Per the backtrace, the failing lookup is TypeInformation::tryGetCanonicalRTT(type=0),
// reached from isSubtypeIndex(..., parent=0) inside FunctionParser::unify: key 0 is
// handed to HashMap::find, and the assertion rejects a key equal to the table's
// empty value.
// NOTE(review): the page shows only the debug-build assertion; what a release
// build does with the same lookup is not shown here.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,162,128,128,128,0,6,80,0,95,0,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,1,107,1,1,127,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,149,128,128,128,0,1,19,1,1,108,1,2,107,1,251,8,1,11,3,5,26,65,237,0,11,11]);
// Compile the bytes into a module. The backtrace sits on a Wasm::Worklist thread
// under EntryPlan::compileFunctions / LLIntPlan::compileFunction, so the assertion
// fires while the function body is being parsed — presumably during this step
// rather than during the later call to f(); confirm against a live run.
var wasm_module = new WebAssembly.Module(wasm_code);
// Instantiate with no import object.
var wasm_instance = new WebAssembly.Instance(wasm_module);
// Fetch the export named "main" and invoke it.
var f = wasm_instance.exports.main;
f();

```
./bin/jsc  --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true  testcase.js

## Output
ASSERTION FAILED: !HashTranslator::equal(KeyTraits::emptyValue(), key)
/home/WebKit/WebKitBuild/Debug/WTF/Headers/wtf/HashTable.h(648) : void WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>>, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>::KeyValuePairTraits, WTF::HashTraits<unsigned long>>::checkKey(const T &) [Key = unsigned long, Value = WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>, Extractor = WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>>, HashFunctions = WTF::DefaultHash<unsigned long>, Traits = WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>::KeyValuePairTraits, KeyTraits = WTF::HashTraits<unsigned long>, HashTranslator = WTF::IdentityHashTranslator<WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT>>::KeyValuePairTraits, WTF::DefaultHash<unsigned long>>, T = unsigned long]

## Backtrace
#0  __pthread_kill_implementation (no_tid=0, signo=6, 
    threadid=140735851497024) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735851497024)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735851497024, signo=signo@entry=6)
    at ./nptl/pthread_kill.c:89
#3  0x00007fffeb36b476 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#4  0x00007fffeb3517f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff03b92ff in WTFCrashWithInfo ()
    at WTF/Headers/wtf/Assertions.h:778
#6  0x00007ffff484bd4c in WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > > >, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<unsigned long> >::checkKey<WTF::IdentityHashTranslator<WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::DefaultHash<unsigned long> >, unsigned long> (this=<optimized out>, this@entry=0x7fffefe59d40 <__PRETTY_FUNCTION__._ZN3WTF9HashTableImNS_12KeyValuePairImNS_6RefPtrIN3JSC4Wasm3RTTENS_12RawPtrTraitsIS5_EENS_21DefaultRefDerefTraitsIS5_EEEEEENS_24KeyValuePairKeyExtractorISB_EENS_11DefaultHashImEENS_7HashMapImSA_SF_NS_10HashTraitsImEENSH_ISA_EENS_15HashTableTraitsEE18KeyValuePairTraitsESI_E8checkKeyINS_22IdentityHashTranslatorISM_SF_EEmEEvRKT0_>, key=<optimized out>) at WTF/Headers/wtf/HashTable.h:648
#7  WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > > >, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<unsigned long> >::inlineLookup<WTF::IdentityHashTranslator<WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::DefaultHash<unsigned long> >, unsigned long> (this=this@entry=0x613000001ab0, key=@0x7fff9e6e60d0: 0) at WTF/Headers/wtf/HashTable.h:670
#8  0x00007ffff481e8cc in WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > > >, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<unsigned long> >::lookup<WTF::IdentityHashTranslator<WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::DefaultHash<unsigned long> >, unsigned long> (this=0x613000001ab0, key=<optimized out>) at WTF/Headers/wtf/HashTable.h:662
#9  WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > > >, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<unsigned long> >::find<WTF::IdentityHashTranslator<WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::DefaultHash<unsigned long> >, unsigned long> (this=0x613000001ab0, key=@0x7fff9e6e60d0: 0) at WTF/Headers/wtf/HashTable.h:1014
#10 WTF::HashTable<unsigned long, WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > > >, WTF::DefaultHash<unsigned long>, WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<unsigned long> >::find (this=0x613000001ab0, key=@0x7fff9e6e60d0: 0) at WTF/Headers/wtf/HashTable.h:487
#11 WTF::HashMap<unsigned long, WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> >, WTF::DefaultHash<unsigned long>, WTF::HashTraits<unsigned long>, WTF::HashTraits<WTF::RefPtr<JSC::Wasm::RTT, WTF::RawPtrTraits<JSC::Wasm::RTT>, WTF::DefaultRefDerefTraits<JSC::Wasm::RTT> > >, WTF::HashTableTraits>::find (this=0x613000001ab0, key=@0x7fff9e6e60d0: 0) at WTF/Headers/wtf/HashMap.h:312
#12 JSC::Wasm::TypeInformation::tryGetCanonicalRTT (type=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:1017
#13 0x00007ffff409ac20 in JSC::Wasm::isSubtypeIndex (sub=<optimized out>, parent=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFormat.h:291
#14 0x00007ffff469ee4a in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::unify (this=this@entry=0x7fff9e6f3ba0, controlData=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:1546
#15 0x00007ffff464cb3e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=0x1fefb5, this@entry=0x7fff9e6f3ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:3004
#16 0x00007ffff462a57e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fff9e6f3ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:429
#17 0x00007ffff4614fcd in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fff9e6f3ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:382
#18 0x00007ffff45c0412 in JSC::Wasm::parseAndCompileBytecode (functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#19 0x00007ffff45f9cfc in JSC::Wasm::LLIntPlan::compileFunction (this=0x615000018180, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#20 0x00007ffff43f6411 in JSC::Wasm::EntryPlan::compileFunctions (this=0x615000018180, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:220
#21 0x00007ffff484efe1 in JSC::Wasm::Worklist::Thread::work (this=0x607000004380) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#22 0x00007ffff4d0b9d1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#23 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53
#24 0x00007ffff4dc07b6 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82
#25 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/WebKit/Source/WTF/wtf/Threading.cpp:258
#26 0x00007ffff4f52126 in WTF::wtfThreadEntryPoint (context=0x1f8add) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#27 0x00007fffeb3bdb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#28 0x00007fffeb44fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Comment 1 Radar WebKit Bug Importer 2023-10-15 05:17:15 PDT
<rdar://problem/116979392>
Comment 2 Asumu Takikawa 2023-12-01 14:53:29 PST
Pull request: https://github.com/WebKit/WebKit/pull/21188
Comment 3 EWS 2023-12-01 22:30:25 PST
Committed 271420@main (b02c88c35d2f): <https://commits.webkit.org/271420@main>

Reviewed commits have been landed. Closing PR #21188 and removing active labels.