This assertion is benign. JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize. When storageSize is 0, appendValuesHidden() ends up doing nothing. However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0. We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().
Created attachment 285577 [details] proposed patch.
Comment on attachment 285577 [details] proposed patch. r=me.
Thanks for the review. Landed in r204261: <http://trac.webkit.org/r204261>.