ggaren@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=106686

Reviewed by Gavin Barraclough.

The ASSERTs were passing a JSType instead of an inlineCapacity, due to an incomplete refactoring. The compiler didn't catch this because both types are int underneath.

* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectLocation):
(JSC::JSObject::offsetForLocation):
* runtime/Structure.cpp:
(JSC::Structure::addPropertyTransitionToExistingStructure): Validate against our inline capacity, as we intended.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
338bd6f3