RESOLVED FIXED 113453
CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase 
https://bugs.webkit.org/show_bug.cgi?id=113453
Summary CodeCache::m_capacity can becoming negative, producing undefined results in p...
Mark Hahnenberg
Reported 2013-03-27 16:05:10 PDT
I encountered a situation where m_capacity can become negative in pruneSlowCase, which will lead to undefined behavior because we'll hit the end of m_map, but there's no check to make sure that m_map.begin() != m_map.end(). Depending on what it->key gives us, sometimes we'll crash, sometimes we'll get a very big number back from length() which will keep us alive by allowing our size to go below our negative m_size, etc. It doesn't happen during every run, so there's some non-determinism there. And sometimes we'll get zero as the length, which will cause an infinite loop.
Attachments
Patch (1.33 KB, patch)
2013-03-27 16:32 PDT, Mark Hahnenberg 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-03-27 16:05:26 PDT
<rdar://problem/13519289>
Mark Hahnenberg
Comment 2 2013-03-27 16:32:59 PDT
Created attachment 195430 [details] Patch
Geoffrey Garen
Comment 3 2013-03-27 16:34:28 PDT
Comment on attachment 195430 [details] Patch r=me
Mark Hahnenberg
Comment 4 2013-03-27 16:35:45 PDT
Committed r147017: <http://trac.webkit.org/changeset/147017>
Csaba Osztrogonác
Comment 5 2013-03-28 01:23:11 PDT
(In reply to comment #4) > Committed r147017: <http://trac.webkit.org/changeset/147017> And the buildfix landed in http://trac.webkit.org/changeset/147079. Thanks Zan. (We could have avoided this build breakage and killing EWS bots if you waited for the EWS bots a little bit more than 3 minutes. Or watched the bots after landing ...)
Alexey Proskuryakov
Comment 6 2013-08-13 14:53:26 PDT
*** Bug 112263 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.