Bug 160666

Summary: ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, keith_miller, msaboff, saam
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments:
proposed patch. (Flags: keith_miller: review+)

Description Mark Lam 2016-08-08 11:49:31 PDT
This assertion is benign.  JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.  However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0.

We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().
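The control flow described in the report, as an added stand-alone model (not WebKit code): a hypothetical `Object` whose accessor carries the same debug precondition, a `Visitor` whose append is a no-op for a count of 0, and the visit routine in its pre-fix and post-fix shape.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Hypothetical stand-in for the GC visitor: appending zero values does nothing.
struct Visitor {
    std::vector<long> seen;
    void appendValuesHidden(const long* values, size_t count) {
        for (size_t i = 0; i < count; ++i)
            seen.push_back(values[i]);
    }
};

// Hypothetical stand-in for the object: an empty slot vector models an object
// with no inline storage.
struct Object {
    std::vector<long> inlineSlots;
    bool hasInlineStorage() const { return !inlineSlots.empty(); }
    // Accessor with a debug-build precondition, as in the report.
    const long* inlineStorage() const {
        assert(hasInlineStorage());
        return inlineSlots.data();
    }
};

// Pre-fix shape: the accessor runs before the size check, so an object with
// storageSize == 0 trips the assertion even though nothing would be appended.
size_t visitChildrenBefore(const Object& o, size_t storageSize, Visitor& v) {
    const long* storage = o.inlineStorage();
    v.appendValuesHidden(storage, storageSize);
    return v.seen.size();
}

// Post-fix shape: guard on storageSize first; the precondition-checked
// accessor is only reached when there is something to visit.
size_t visitChildrenAfter(const Object& o, size_t storageSize, Visitor& v) {
    if (storageSize) {
        const long* storage = o.inlineStorage();
        v.appendValuesHidden(storage, storageSize);
    }
    return v.seen.size();
}
```

In a debug build `visitChildrenBefore` aborts on an empty object, while `visitChildrenAfter` returns 0; for an object with inline slots both append the same values.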
Comment 1 Mark Lam 2016-08-08 11:54:00 PDT
Created attachment 285577 [details]
proposed patch.
Comment 2 Keith Miller 2016-08-08 11:56:06 PDT
Comment on attachment 285577 [details]
proposed patch.

r=me.
Comment 3 Mark Lam 2016-08-08 11:58:58 PDT
Thanks for the review.  Landed in r204261: <http://trac.webkit.org/r204261>.