Bug 113453

Summary: CodeCache::m_capacity can become negative, producing undefined results in pruneSlowCase
Product: WebKit
Component: JavaScriptCore
Reporter: Mark Hahnenberg <mhahnenberg>
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
CC: ossy, simon.fraser
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Attachments:
Patch (flags: ggaren: review+)

Mark Hahnenberg
Reported 2013-03-27 16:05:10 PDT
I encountered a situation where m_capacity can become negative in pruneSlowCase, which will lead to undefined behavior because we'll hit the end of m_map, but there's no check to make sure that m_map.begin() != m_map.end(). Depending on what it->key gives us, sometimes we'll crash, sometimes we'll get a very big number back from length() which will keep us alive by allowing our size to go below our negative m_size, etc. It doesn't happen during every run, so there's some non-determinism there. And sometimes we'll get zero as the length, which will cause an infinite loop.
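The report names three ways the pruning loop can go wrong: dereferencing m_map.begin() on an empty map, a negative m_capacity that no amount of eviction can satisfy, and zero-length entries that leave m_size unchanged so the loop never makes progress. The following is an added example, not WebKit's CodeCache or the attached patch: a small stand-in cache (ToyCodeCache, Entry, and the LRU list are all assumed names) whose pruneSlowCase is written so each of those conditions is handled explicitly. Every iteration erases exactly one entry, so termination is bounded by the entry count rather than by the size arithmetic.

```cpp
// Added example, not WebKit code: a toy LRU cache modelling the m_size /
// m_capacity accounting described in the bug report, with pruning hardened
// against an empty map, a negative capacity, and zero-length entries.
#include <cstdint>
#include <iterator>
#include <list>
#include <string>
#include <unordered_map>

class ToyCodeCache {
public:
    explicit ToyCodeCache(int64_t capacity) : m_capacity(capacity < 0 ? 0 : capacity), m_size(0) {}

    // Insert (or replace) a source of `length` bytes; newest goes to the back of the LRU list.
    void add(const std::string& key, int64_t length)
    {
        if (length < 0)
            length = 0; // accounting is in bytes; never let a negative length shrink m_size
        auto it = m_map.find(key);
        if (it != m_map.end()) {
            m_size -= it->second.length;
            m_lru.erase(it->second.lruPosition);
            m_map.erase(it);
        }
        m_lru.push_back(key);
        m_map.emplace(key, Entry{ length, std::prev(m_lru.end()) });
        m_size += length;
        pruneSlowCase();
    }

    // Lower the budget. A negative capacity can never be satisfied, which is what
    // drives an unchecked loop off the end of the map, so it is clamped to zero here.
    void setCapacity(int64_t capacity)
    {
        m_capacity = capacity < 0 ? 0 : capacity;
        pruneSlowCase();
    }

    int64_t size() const { return m_size; }
    int64_t capacity() const { return m_capacity; }
    size_t entryCount() const { return m_map.size(); }

private:
    struct Entry {
        int64_t length;
        std::list<std::string>::iterator lruPosition;
    };

    // Evict least-recently-used entries until m_size <= m_capacity.
    // Progress is guaranteed by erasing one entry per iteration (a zero-length
    // entry still goes away), and the empty check means begin() is never
    // dereferenced on an empty map. Returns the number of entries evicted.
    size_t pruneSlowCase()
    {
        size_t evicted = 0;
        while (m_size > m_capacity) {
            if (m_lru.empty()) {
                // Nothing left to evict: the size counter has drifted from the map.
                // Resynchronise rather than spin or walk past end().
                m_size = 0;
                break;
            }
            auto it = m_map.find(m_lru.front());
            if (it != m_map.end()) {
                m_size -= it->second.length;
                m_map.erase(it);
            }
            m_lru.pop_front();
            ++evicted;
        }
        return evicted;
    }

    int64_t m_capacity;
    int64_t m_size;
    std::list<std::string> m_lru;
    std::unordered_map<std::string, Entry> m_map;
};
```

The two invariants worth carrying into any real implementation are that the loop condition is backed by a structural check (the map is non-empty) rather than only by the size arithmetic, and that the budget is kept non-negative before the loop starts rather than discovered to be negative inside it.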
Attachments
Patch (1.33 KB, patch), 2013-03-27 16:32 PDT, Mark Hahnenberg
Flags: ggaren: review+
Mark Hahnenberg
Comment 1 2013-03-27 16:05:26 PDT
Mark Hahnenberg
Comment 2 2013-03-27 16:32:59 PDT
Geoffrey Garen
Comment 3 2013-03-27 16:34:28 PDT
Comment on attachment 195430 [details] Patch
r=me
Mark Hahnenberg
Comment 4 2013-03-27 16:35:45 PDT
Csaba Osztrogonác
Comment 5 2013-03-28 01:23:11 PDT
(In reply to comment #4)
> Committed r147017: <http://trac.webkit.org/changeset/147017>

And the buildfix landed in http://trac.webkit.org/changeset/147079. Thanks Zan. (We could have avoided this build breakage and killing EWS bots if you waited for the EWS bots a little bit more than 3 minutes. Or watched the bots after landing ...)
Alexey Proskuryakov
Comment 6 2013-08-13 14:53:26 PDT
*** Bug 112263 has been marked as a duplicate of this bug. ***