When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace.
When we flatten a dictionary, if the properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later.
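As an added illustration (not WebKit code) of the invariant the fix restores: a toy model in which flattening a dictionary-mode object compacts its properties inline, and the buggy path leaves the Butterfly pointer set while the Structure records zero out-of-line slots, so the collector derives 0 bytes for a non-null Butterfly. The names `Object`, `Structure`, `Butterfly`, `flatten`, `reportLiveBytes` and the four-slot inline capacity are stand-ins assumed here, not JSC's real types.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <optional>
#include <vector>
constexpr size_t kInlineCapacity = 4;
// Toy Structure (not JSC's): records how many property slots live in the Butterfly.
struct Structure { size_t outOfLineCapacity = 0; };
// Out-of-line storage; a nullopt hole is a property deleted in dictionary mode.
struct Butterfly { std::vector<std::optional<int64_t>> slots; };
struct Object {
    Structure structure;
    std::optional<int64_t> inlineSlots[kInlineCapacity];
    std::unique_ptr<Butterfly> butterfly;   // non-null means out-of-line storage exists
    void add(int64_t v) {                   // fill inline slots first, then grow the Butterfly
        for (auto& s : inlineSlots) if (!s) { s = v; return; }
        if (!butterfly) butterfly = std::make_unique<Butterfly>();
        butterfly->slots.push_back(v);
        structure.outOfLineCapacity = butterfly->slots.size();
    }
    size_t liveCount() const {
        size_t n = 0;
        for (auto& s : inlineSlots) n += s.has_value();
        if (butterfly) for (auto& s : butterfly->slots) n += s.has_value();
        return n;
    }
};
// Compact the dictionary. With clearButterflyWhenInline == false this is the bug the report
// describes: the Structure records zero out-of-line slots but the Butterfly pointer stays set.
void flatten(Object& o, bool clearButterflyWhenInline) {
    std::vector<int64_t> live;
    for (auto& s : o.inlineSlots) if (s) live.push_back(*s);
    if (o.butterfly) for (auto& s : o.butterfly->slots) if (s) live.push_back(*s);
    for (auto& s : o.inlineSlots) s.reset();
    size_t i = 0;
    for (; i < live.size() && i < kInlineCapacity; ++i) o.inlineSlots[i] = live[i];
    if (o.butterfly) o.butterfly->slots.assign(live.begin() + i, live.end());
    o.structure.outOfLineCapacity = live.size() - i;
    if (o.structure.outOfLineCapacity == 0 && clearButterflyWhenInline) o.butterfly.reset();
}
// Bytes the collector would report for the Butterfly, derived from the Structure.
size_t reportLiveBytes(const Object& o) { return o.butterfly ? o.structure.outOfLineCapacity * sizeof(int64_t) : 0; }
// The invariant the collector relies on: a non-null Butterfly accounts for more than 0 bytes.
bool gcViewConsistent(const Object& o) { return !o.butterfly || reportLiveBytes(o) > 0; }
// Constructed scenario: six properties (four inline, two out of line), then two deleted inline.
Object makeSample() {
    Object o; for (int64_t v = 1; v <= 6; ++v) o.add(v);
    o.inlineSlots[0].reset(); o.inlineSlots[1].reset();
    return o;
}
```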
Created attachment 209220
Comment on attachment 209220
Clearing flags on attachment: 209220
Committed r154366: <http://trac.webkit.org/changeset/154366>
All reviewed patches have been landed. Closing bug.
Having both of these is kind of odd:
void setButterfly(VM&, Butterfly*, Structure*);
void setStructure(VM&, Structure*, Butterfly* = 0);
Can we switch to just "setStructureAndButterfly"?