<rdar://problem/83902782>
Created attachment 453178: proposed patch.
Comment on attachment 453178: proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=453178&action=review

> Source/JavaScriptCore/ChangeLog:10
> + weren't sure that the StringImpl pointer can be null or not. We're now certain

We should explain why/how the StringImpl can be null.
(In reply to Keith Miller from comment #2)
> Comment on attachment 453178: proposed patch.
> View in context: https://bugs.webkit.org/attachment.cgi?id=453178&action=review
>
> > Source/JavaScriptCore/ChangeLog:10
> > + weren't sure that the StringImpl pointer can be null or not. We're now certain
>
> We should explain why/how the StringImpl can be null.

The ASSERT is from here:

```
auto* impl = string->tryGetValueImpl();
ASSERT(impl); // FIXME: rdar://83902782
if (impl && impl->isAtom() && ...
```

... where string is a JSString, which can also be a JSRopeString. JSString::tryGetValueImpl() is:

```
inline const StringImpl* JSString::tryGetValueImpl() const
{
    uintptr_t pointer = fiberConcurrently();
    if (pointer & isRopeInPointer)
        return nullptr;
    return bitwise_cast<StringImpl*>(pointer);
}
```

Hence, if string is a JSRopeString, the implication can be null.
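The mechanism described in the comment above, as an added stand-alone model that is not WebKit's code: a rope string carries a tag bit in its fiber word instead of a StringImpl pointer, so tryGetValueImpl() returns null and the caller must check before dereferencing. The StringImpl and JSString types, the flat()/rope() constructors and hasAtomImpl() are simplifications assumed for this example; the tag value is assumed to mirror isRopeInPointer.

```cpp
// Added model (not WebKit's code) of why JSString::tryGetValueImpl() can return
// null: a rope string stores a tag bit in its fiber word instead of a StringImpl*.
#include <cstdint>
#include <string>

// Stand-in for WTF::StringImpl with only the pieces this example needs.
struct StringImpl {
    std::string characters;
    bool atom = false;   // whether the string has been atomized
    bool isAtom() const { return atom; }
};

// Stand-in for JSString. The low bit of the fiber word is the rope tag
// (assumed here to mirror JSString::isRopeInPointer).
struct JSString {
    static constexpr uintptr_t isRopeInPointer = 0x1;
    uintptr_t fiber = 0;

    // A resolved (flat) string: the fiber word is a plain StringImpl pointer.
    static JSString flat(StringImpl* impl) {
        JSString s;
        s.fiber = reinterpret_cast<uintptr_t>(impl);
        return s;
    }
    // A rope has no resolved StringImpl yet; only the tag bit is set here
    // (the real rope also stores its fibers, which this model omits).
    static JSString rope() {
        JSString s;
        s.fiber = isRopeInPointer;
        return s;
    }
    // Mirrors the logic quoted in the thread: a tagged word means "rope",
    // so the caller gets nullptr rather than a StringImpl*.
    const StringImpl* tryGetValueImpl() const {
        if (fiber & isRopeInPointer)
            return nullptr;
        return reinterpret_cast<const StringImpl*>(fiber);
    }
};

// The condition the ASSERT sat in front of, written so a rope (null impl)
// is handled instead of dereferenced.
bool hasAtomImpl(const JSString& string) {
    const StringImpl* impl = string.tryGetValueImpl();
    return impl && impl->isAtom();
}
```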
> Hence, if string is a JSRopeString, the implication can be null.

s/implication/impl/ ... sigh, auto-correct. Anyway, I'll add this info to the ChangeLog before landing.
Landed in r290530: <http://trac.webkit.org/r290530>.