This assertion is benign. JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize. When storageSize is 0, appendValuesHidden() ends up doing nothing. However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0.
We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().
Created attachment 285577 [details]
Comment on attachment 285577 [details]
Thanks for the review. Landed in r204261: <http://trac.webkit.org/r204261>.