I encountered a situation where m_capacity can become negative in pruneSlowCase, which will lead to undefined behavior because we'll hit the end of m_map, but there's no check to make sure that m_map.begin() != m_map.end(). Depending on what it->key gives us, sometimes we'll crash, sometimes we'll get a very big number back from length() which will keep us alive by allowing our size to go below our negative m_size, etc. It doesn't happen during every run, so there's some non-determinism there. And sometimes we'll get zero as the length, which will cause an infinite loop.
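The pattern described in this comment, as an added example that is not WebKit's code: a simplified string-budget cache (hypothetical `StringBudgetCache`, with `std::map` standing in for the hash map) whose prune loop either trusts that the map is non-empty, or guards against an empty map and a negative budget.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Hypothetical stand-in for a size-bounded cache keyed by strings; not WebKit's class.
// m_size accounts the bytes of stored keys, m_capacity is the budget; both are signed
// to mirror the report, so m_capacity can legitimately end up negative.
struct StringBudgetCache {
    std::map<std::string, int> m_map;
    long m_size = 0;
    long m_capacity = 0;

    void add(const std::string& key, int value) {
        if (m_map.insert({key, value}).second)
            m_size += static_cast<long>(key.length());
    }

    // Shape of the defect in the report: loops while over budget and erases the first
    // entry, assuming the map can never run out. With a negative m_capacity, m_size (>= 0)
    // can never drop below it, so the loop reaches m_map.end() and dereferences it:
    // undefined behavior (crash, garbage length, or a zero length that never terminates).
    // Kept to show the pattern; deliberately never called.
    void pruneSlowCaseUnchecked() {
        while (m_size > m_capacity) {
            auto it = m_map.begin();
            m_size -= static_cast<long>(it->first.length()); // UB once it == end()
            m_map.erase(it);
        }
    }

    // Hardened form: stop as soon as the map is empty, and clamp a negative budget to
    // zero so the loop terminates even on a bad capacity. Returns entries removed.
    std::size_t pruneSlowCase() {
        const long budget = m_capacity < 0 ? 0 : m_capacity;
        std::size_t removed = 0;
        while (m_size > budget && !m_map.empty()) {
            auto it = m_map.begin();
            m_size -= static_cast<long>(it->first.length());
            m_map.erase(it);
            ++removed;
        }
        return removed;
    }
};
```

The empty-map check also covers a zero-length key: erasing it does not shrink `m_size`, but the map still drains, so the loop cannot spin forever.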
Created attachment 195430
Comment on attachment 195430
Committed r147017: <http://trac.webkit.org/changeset/147017>
(In reply to comment #4)
> Committed r147017: <http://trac.webkit.org/changeset/147017>
And the buildfix landed in http://trac.webkit.org/changeset/147079. Thanks Zan.
(We could have avoided this build breakage and killing the EWS bots if you had waited for the EWS bots a little more than 3 minutes, or watched the bots after landing ...)
*** Bug 112263 has been marked as a duplicate of this bug. ***