Bug 120079

Summary: Flattening a dictionary can cause CopiedSpace corruption
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal CC: commit-queue, ggaren
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Mark Hahnenberg 2013-08-20 12:54:38 PDT
When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace.

When we flatten a dictionary, if the properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later.
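Added illustration, not JSC's own code: a deliberately simplified model (the types Object, Structure and Butterfly and the function names are invented stand-ins) of the invariant the description relies on, that a non-null Butterfly must account for a non-zero number of live bytes. flatten() repacks surviving properties inline first; with the fix enabled it also drops the Butterfly when everything fits inline, and butterflyStateIsConsistent() is the check the collector would want before reporting bytes.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>
// Simplified stand-in for JSC's layout (not JSC's real types): a Structure
// records how many properties live out-of-line; the object holds inline slots
// plus an optional Butterfly for the rest.
struct Butterfly { std::vector<int> slots; };
struct Structure {
    std::size_t inlineCapacity = 2;
    std::size_t outOfLineSize = 0;        // properties stored in the Butterfly
};
struct Object {
    Structure structure;
    std::vector<int> inlineSlots;         // at most inlineCapacity entries
    std::unique_ptr<Butterfly> butterfly; // must be null when outOfLineSize == 0
};

// The collector's view: a non-null Butterfly must account for non-zero live
// bytes. A non-null pointer with zero bytes is the state the report describes.
bool butterflyStateIsConsistent(const Object& o) {
    if (!o.butterfly) return true;
    return o.structure.outOfLineSize * sizeof(int) != 0;
}

// Flatten a dictionary-mode object: drop deleted properties and repack the
// survivors inline first. clearButterflyWhenInline toggles this bug's fix;
// with it off, the Structure says 0 out-of-line but the pointer stays set.
void flatten(Object& o, const std::vector<bool>& deleted, bool clearButterflyWhenInline) {
    std::vector<int> live;
    std::size_t inlineUsed = o.inlineSlots.size();
    for (std::size_t i = 0; i < inlineUsed + o.structure.outOfLineSize; ++i)
        if (!deleted[i])
            live.push_back(i < inlineUsed ? o.inlineSlots[i] : o.butterfly->slots[i - inlineUsed]);
    std::size_t inlineCount = std::min(live.size(), o.structure.inlineCapacity);
    o.inlineSlots.assign(live.begin(), live.begin() + inlineCount);
    o.structure.outOfLineSize = live.size() - inlineCount;
    if (o.structure.outOfLineSize)
        o.butterfly->slots.assign(live.begin() + inlineCount, live.end());
    else if (clearButterflyWhenInline)
        o.butterfly.reset();              // the fix: nothing out-of-line, no Butterfly
}

// Constructed sample: 2 inline + 2 out-of-line properties.
Object makeSample() {
    Object o;
    o.inlineSlots = {10, 20};
    o.butterfly = std::make_unique<Butterfly>();
    o.butterfly->slots = {30, 40};
    o.structure.outOfLineSize = 2;
    return o;
}
```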
Comment 1 Mark Hahnenberg 2013-08-20 12:58:13 PDT
Created attachment 209220 [details]
Patch
Comment 2 Mark Hahnenberg 2013-08-20 14:07:36 PDT
<rdar://problem/14331193>
Comment 3 WebKit Commit Bot 2013-08-20 15:16:21 PDT
Comment on attachment 209220 [details]
Patch

Clearing flags on attachment: 209220

Committed r154366: <http://trac.webkit.org/changeset/154366>
Comment 4 WebKit Commit Bot 2013-08-20 15:16:23 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Geoffrey Garen 2013-08-20 16:55:25 PDT
Having both of these is kind of odd:

    void setButterfly(VM&, Butterfly*, Structure*);
    void setStructure(VM&, Structure*, Butterfly* = 0);

Can we switch to just "setStructureAndButterfly"?