The following test: ``` //@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true") import * as assert from "../assert.js"; import { compile, instantiate } from "./wast-wrapper.js"; function module(bytes, valid = true) { let buffer = new ArrayBuffer(bytes.length); let view = new Uint8Array(buffer); for (let i = 0; i < bytes.length; ++i) { view[i] = bytes.charCodeAt(i); } return new WebAssembly.Module(buffer); } function test() { let m = instantiate(`(module (type $inner (struct (field i32) (field i32))) (type $outer (struct (field (ref $inner)) (field (ref $inner)))) (func $new (export "new") (result (ref $outer)) (struct.new_canon $outer (struct.new_canon $inner (i32.const 41) (i32.const 42)) (struct.new_canon $inner (i32.const 43) (i32.const 45)))) (func (export "get_field0_0") (result i32) (call $new) (struct.get $inner 0 (struct.get $outer 0))))`); assert.eq(m.exports.get_field0_0(), 41); } testStructs(); ``` fails in a debug build: ``` wasm.yaml/wasm/gc/nested_structs.js.default-wasm: ASSERTION FAILED: expression == slot || expression.isConstant() || expression.isArgument() || static_cast<unsigned>(expression.toLocal()) < m_codeBlock->m_numVars wasm.yaml/wasm/gc/nested_structs.js.default-wasm: /home/tjc/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp(495) : JSC::Wasm::LLIntGenerator::checkConsistency()::<lambda(JSC::VirtualRegister, JSC::VirtualRegister)> wasm.yaml/wasm/gc/nested_structs.js.default-wasm: ERROR: Unexpected exit code: 134 FAIL: wasm.yaml/wasm/gc/nested_structs.js.default-wasm Aborted (core dumped) ``` I tested both with and without my patch for https://bugs.webkit.org/show_bug.cgi?id=252538 and the output is the same either way. So my fix for #252538 wasn't a complete solution. It seems like the stack consistency checking in LLInt is failing because when `addStructNew()` calls `push()` in the loop that materializes the arguments, the stack becomes deeper than the parser's expression stack.