Changeset 204261 in webkit

Timestamp:

Aug 8, 2016 11:56:54 AM (8 years ago)

Author:

mark.lam@apple.com

Message:

ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
​https://bugs.webkit.org/show_bug.cgi?id=160666

Reviewed by Keith Miller.

JSTests:

• stress/object-constructor-should-be-new-target-aware.js:

Source/JavaScriptCore:

This assertion is benign. JSFinalObject::visitChildren() calls
JSObject::inlineStorage() to get a pointer to the object's inline storage, and
later passes it to visitor.appendValuesHidden() with a previously computed
storageSize. When storageSize is 0, appendValuesHidden() ends up doing nothing.
However, before we get there, JSObject::inlineStorage() will be asserting
hasInlineStorage() and this assertion will fail when storageSize is 0.

We can fix this assertion failure by simply adding a storageSize check before
calling hasInlineStorage() and visitor.appendValuesHidden().

• runtime/JSObject.cpp:

(JSC::JSFinalObject::visitChildren):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/object-constructor-should-be-new-target-aware.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-08-08  Mark Lam  <mark.lam@apple.com>
+
+        ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
+        https://bugs.webkit.org/show_bug.cgi?id=160666
+
+        Reviewed by Keith Miller.
+
+        * stress/object-constructor-should-be-new-target-aware.js:
+
 2016-08-07  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/JSTests/stress/object-constructor-should-be-new-target-aware.js

@@ -15 +15 @@
 
 shouldBe(Reflect.construct(Object, [], Hello).__proto__, Hello.prototype);
+
+gc(); // Regression test for https:/webkit.org/b/160666.

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-08-08  Mark Lam  <mark.lam@apple.com>
+
+        ASSERTION FAILED: hasInlineStorage() in JSFinalObject::visitChildren().
+        https://bugs.webkit.org/show_bug.cgi?id=160666
+
+        Reviewed by Keith Miller.
+
+        This assertion is benign.  JSFinalObject::visitChildren() calls
+        JSObject::inlineStorage() to get a pointer to the object's inline storage, and
+        later passes it to visitor.appendValuesHidden() with a previously computed
+        storageSize.  When storageSize is 0, appendValuesHidden() ends up doing nothing.
+        However, before we get there, JSObject::inlineStorage() will be asserting
+        hasInlineStorage() and this assertion will fail when storageSize is 0.
+
+        We can fix this assertion failure by simply adding a storageSize check before
+        calling hasInlineStorage() and visitor.appendValuesHidden().
+
+        * runtime/JSObject.cpp:
+        (JSC::JSFinalObject::visitChildren):
+
 2016-08-08  Brian Burg  <bburg@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -294 +294 @@
 
     size_t storageSize = structure->inlineSize();
-    visitor.appendValuesHidden(thisObject->inlineStorage(), storageSize);
+    if (storageSize)
+        visitor.appendValuesHidden(thisObject->inlineStorage(), storageSize);
 
 #if !ASSERT_DISABLED