Bug 113453

Summary: CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: ossy, simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ggaren: review+

Description Mark Hahnenberg 2013-03-27 16:05:10 PDT 
I encountered a situation where m_capacity can become negative in pruneSlowCase, which will lead to undefined behavior because we'll hit the end of m_map, but there's no check to make sure that m_map.begin() != m_map.end(). Depending on what it->key gives us, sometimes we'll crash, sometimes we'll get a very big number back from length() which will keep us alive by allowing our size to go below our negative m_size, etc. It doesn't happen during every run, so there's some non-determinism there. And sometimes we'll get zero as the length, which will cause an infinite loop.
Comment 1 Mark Hahnenberg 2013-03-27 16:05:26 PDT 
<rdar://problem/13519289>
Comment 2 Mark Hahnenberg 2013-03-27 16:32:59 PDT 
Created attachment 195430 [details]
Patch
Comment 3 Geoffrey Garen 2013-03-27 16:34:28 PDT 
Comment on attachment 195430 [details]
Patch

r=me
Comment 4 Mark Hahnenberg 2013-03-27 16:35:45 PDT 
Committed r147017: <http://trac.webkit.org/changeset/147017>
Comment 5 Csaba Osztrogonác 2013-03-28 01:23:11 PDT 
(In reply to comment #4)
> Committed r147017: <http://trac.webkit.org/changeset/147017>

And the buildfix landed in http://trac.webkit.org/changeset/147079. Thanks Zan.
(We could have avoided this build breakage and killing EWS bots if you waited
for the EWS bots a little bit more than 3 minutes. Or watched the bots after landing ...)
Comment 6 Alexey Proskuryakov 2013-08-13 14:53:26 PDT 
*** Bug 112263 has been marked as a duplicate of this bug. ***