Fixed some bogus PropertyOffset ASSERTs
author ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Jan 2013 20:20:25 +0000 (20:20 +0000)
committer ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Jan 2013 20:20:25 +0000 (20:20 +0000)
commit a3c102a8f43a7616572c2ee479b961649488afc8
tree e95ac3748ad34c81ea15d8d3d67c20f5521a048a
parent f7cd0652bfe3fc735b92d6e3a98978c246bea2ea
Fixed some bogus PropertyOffset ASSERTs
https://bugs.webkit.org/show_bug.cgi?id=106686

Reviewed by Gavin Barraclough.

The ASSERTs were passing a JSType instead of an inlineCapacity, due to
an incomplete refactoring.

The compiler didn't catch this because both types are int underneath.

* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectLocation):
(JSC::JSObject::offsetForLocation):
* runtime/Structure.cpp:
(JSC::Structure::addPropertyTransitionToExistingStructure): Validate against
our inline capacity, as we intended.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@139482 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/Structure.cpp
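
The bug class the commit message describes, as an added example that is not WebKit code: a validation helper whose capacity parameter is a bare int accepts a type tag without complaint, while a distinct capacity type turns the same slip into a compile error. All names (`ObjectType`, `InlineCapacity`, `offsetIsValidWeak`, `offsetIsValidStrong`, `buggyCheck`, `fixedCheck`) and the simplified range check are assumptions made for illustration.

```cpp
#include <cassert>
#include <type_traits>

// Constructed, simplified model. Every name here is hypothetical, not WebKit's.
using PropertyOffset = int;
enum ObjectType { PlainObjectType = 7, ArrayObjectType = 23 }; // a type tag

// Weak signature: the capacity is a bare int, so a type tag converts silently.
bool offsetIsValidWeak(PropertyOffset offset, int inlineCapacity) {
    return offset >= 0 && offset < inlineCapacity;
}

// Hardened signature: the capacity is its own type. Only an int can build it,
// and only explicitly; every other argument type hits the deleted overload.
struct InlineCapacity {
    explicit constexpr InlineCapacity(int n) : slots(n) {}
    template <typename T> InlineCapacity(T) = delete;
    int slots;
};

bool offsetIsValidStrong(PropertyOffset offset, InlineCapacity capacity) {
    return offset >= 0 && offset < capacity.slots;
}

// What the compiler will and will not accept, checked at compile time.
static_assert(std::is_convertible<ObjectType, int>::value,
              "the tag decays to int, so the weak helper takes it");
static_assert(!std::is_convertible<ObjectType, InlineCapacity>::value,
              "the tag cannot be passed where a capacity is expected");
static_assert(!std::is_constructible<InlineCapacity, ObjectType>::value,
              "not even an explicit InlineCapacity(tag) compiles");

struct Object { ObjectType type; int inlineCapacity; };

// The slip: the type tag is passed where the capacity was meant. Compiles cleanly.
bool buggyCheck(const Object& o, PropertyOffset offset) {
    return offsetIsValidWeak(offset, o.type);
}

// The intended check: validate against the object's inline capacity.
bool fixedCheck(const Object& o, PropertyOffset offset) {
    return offsetIsValidStrong(offset, InlineCapacity(o.inlineCapacity));
}

int main() {
    Object o{ArrayObjectType, 6};   // constructed sample: 6 inline slots
    // Offset 10 is out of range, yet the buggy check passes it (10 < 23).
    return (buggyCheck(o, 10) && !fixedCheck(o, 10)) ? 0 : 1;
}
```

The mistaken check is wrong in both directions: it can pass an out-of-range offset or reject a valid one, depending on the numeric value of the tag.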