160666 – ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().

Bug 160666 - ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().

Summary: ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-08-08 11:49 PDT by Mark Lam
Modified:	2016-08-08 11:58 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
proposed patch. (3.09 KB, patch) 2016-08-08 11:54 PDT, Mark Lam	keith_miller: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2016-08-08 11:49:31 PDT

This assertion is benign.  JSFinalObject::visitChildren() calls JSObject::inlineStorage() to get a pointer to the object's inline storage, and later passes it to visitor.appendValuesHidden() with a previously computed storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.  However, before we get there, JSObject::inlineStorage() will be asserting hasInlineStorage() and this assertion will fail when storageSize is 0.

We can fix this assertion failure by simply adding a storageSize check before calling hasInlineStorage() and visitor.appendValuesHidden().

Comment 1 Mark Lam 2016-08-08 11:54:00 PDT

Created attachment 285577 [details]
proposed patch.

Comment 2 Keith Miller 2016-08-08 11:56:06 PDT

Comment on attachment 285577 [details]
proposed patch.

r=me.

Comment 3 Mark Lam 2016-08-08 11:58:58 PDT

Thanks for the review.  Landed in r204261: <http://trac.webkit.org/r204261>.