Bug 160666

Summary: ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Reporter: Mark Lam <mark.lam>
Assignee: Mark Lam <mark.lam>
CC: commit-queue, keith_miller, msaboff, saam
Attachments: proposed patch. (flags: keith_miller: review+)

Mark Lam
Reported 2016-08-08 11:49:31 PDT
This assertion is benign. JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize. When storageSize is 0, appendValuesHidden() ends up doing nothing. However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0. We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().
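The ordering problem described in the report, as a simplified model added here; it is not JavaScriptCore code and not the attached patch. All type and function names are hypothetical, the model assumes "no inline storage" is the same thing as a storage size of 0, and the debug assertion is represented by a thrown exception so the failure can be observed:

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for an object with optional inline property storage.
struct ModelObject {
    std::vector<int> inlineSlots;  // empty means: no inline storage

    bool hasInlineStorage() const { return !inlineSlots.empty(); }
    std::size_t storageSize() const { return inlineSlots.size(); }

    // Stands in for an accessor that does ASSERT(hasInlineStorage()).
    const int* inlineStorage() const {
        if (!hasInlineStorage())
            throw std::logic_error("ASSERTION FAILED: hasInlineStorage()");
        return inlineSlots.data();
    }
};

// Hypothetical visitor: counts the values it is handed; a count of 0 is a no-op.
struct ModelVisitor {
    std::size_t visited = 0;
    void appendValues(const int* values, std::size_t count) {
        for (std::size_t i = 0; i < count; ++i) { (void)values[i]; ++visited; }
    }
};

// Before: the asserting accessor runs unconditionally, so it fires for
// size 0 even though appendValues() would then have done nothing.
std::size_t visitChildrenUnguarded(const ModelObject& o) {
    ModelVisitor v;
    std::size_t size = o.storageSize();
    v.appendValues(o.inlineStorage(), size);
    return v.visited;
}

// After: the size check comes first, so the accessor is reached only
// when there is storage to visit. Visited values are unchanged.
std::size_t visitChildrenGuarded(const ModelObject& o) {
    ModelVisitor v;
    std::size_t size = o.storageSize();
    if (size)
        v.appendValues(o.inlineStorage(), size);
    return v.visited;
}

// True when the unguarded path hits the modeled assertion.
bool unguardedTripsAssertion(const ModelObject& o) {
    try { visitChildrenUnguarded(o); } catch (const std::logic_error&) { return true; }
    return false;
}
```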
Attachments
proposed patch. (3.09 KB, patch)
2016-08-08 11:54 PDT, Mark Lam
keith_miller: review+
Mark Lam
Comment 1 2016-08-08 11:54:00 PDT
Created attachment 285577: proposed patch.
Keith Miller
Comment 2 2016-08-08 11:56:06 PDT
Comment on attachment 285577: proposed patch.
r=me.
Mark Lam
Comment 3 2016-08-08 11:58:58 PDT
Thanks for the review. Landed in r204261: <http://trac.webkit.org/r204261>.