Bug 160666 - ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Reported: 2016-08-08 11:49 PDT by Mark Lam
Modified: 2016-08-08 11:58 PDT (History)
CC List: 4 users

Attachment 285577: proposed patch. (3.09 KB, patch)
2016-08-08 11:54 PDT, Mark Lam
keith_miller: review+

Description Mark Lam 2016-08-08 11:49:31 PDT
This assertion is benign.  JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.  However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0.

We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().
Comment 1 Mark Lam 2016-08-08 11:54:00 PDT
Created attachment 285577
proposed patch.
Comment 2 Keith Miller 2016-08-08 11:56:06 PDT
Comment on attachment 285577
proposed patch.

Comment 3 Mark Lam 2016-08-08 11:58:58 PDT
Thanks for the review.  Landed in r204261: <http://trac.webkit.org/r204261>.