Bug 120079 - Flattening a dictionary can cause CopiedSpace corruption
Summary: Flattening a dictionary can cause CopiedSpace corruption
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Hahnenberg
Reported: 2013-08-20 12:54 PDT by Mark Hahnenberg
Modified: 2013-08-20 16:55 PDT
Attachment: Patch (12.07 KB, patch)
2013-08-20 12:58 PDT, Mark Hahnenberg
no flags

Description Mark Hahnenberg 2013-08-20 12:54:38 PDT
When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace.

When we flatten a dictionary, if the properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later.
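The following C++ is an added illustration of the invariant the description relies on; it is a constructed toy model, not JavaScriptCore code. The names `ToyObject`, `Butterfly`, `flatten`, `reportButterflyLiveBytes` and `copiedSpaceInvariantHolds` are hypothetical stand-ins. `outOfLineSize` plays the role of the Structure's view of the object, and the collector-side check models a CopiedSpace that rejects a pointer reported with zero bytes. The `clearButterflyWhenInline` flag switches between the behaviour before the fix (stale non-null Butterfly pointer after compaction) and after it (pointer cleared when the properties fit inline).

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <memory>
#include <vector>

// Constructed toy model, not JSC code. Objects keep the first kInlineCapacity
// properties inline and the rest in an out-of-line "butterfly".
struct Butterfly {
    std::vector<int> slots;
};

struct Property {
    int value;
    bool deleted;   // dictionary mode: deletions leave holes until flattening
};

struct ToyObject {
    enum { kInlineCapacity = 4 };
    std::vector<Property> properties;
    std::vector<int> inlineSlots;
    std::unique_ptr<Butterfly> butterfly;   // non-null means "has out-of-line storage"
    size_t outOfLineSize = 0;               // what the Structure believes the butterfly holds
};

// GC side: the byte count the collector would hand to CopiedSpace for the
// object's out-of-line storage. Reporting 0 bytes for a non-null butterfly is
// the inconsistent state the bug describes.
struct LiveReport {
    bool reported;
    size_t bytes;
};

LiveReport reportButterflyLiveBytes(const ToyObject& o) {
    if (!o.butterfly)
        return LiveReport{false, 0};
    return LiveReport{true, o.outOfLineSize * sizeof(int)};
}

// CopiedSpace-style sanity check: a reported pointer must carry a non-zero size.
bool copiedSpaceInvariantHolds(const ToyObject& o) {
    LiveReport r = reportButterflyLiveBytes(o);
    return !r.reported || r.bytes > 0;
}

// Compact the dictionary: drop deleted properties, refill the inline slots and
// either refill or release the butterfly. clearButterflyWhenInline selects the
// fixed behaviour (true) or the pre-fix behaviour (false).
void flatten(ToyObject& o, bool clearButterflyWhenInline) {
    std::vector<int> live;
    for (const Property& p : o.properties)
        if (!p.deleted)
            live.push_back(p.value);
    o.properties.clear();
    for (int v : live)
        o.properties.push_back(Property{v, false});

    size_t inlineCount = std::min<size_t>(live.size(), ToyObject::kInlineCapacity);
    o.inlineSlots.assign(live.begin(), live.begin() + inlineCount);
    o.outOfLineSize = live.size() - inlineCount;

    if (o.outOfLineSize == 0) {
        // Everything fits inline again. The fix releases the butterfly; the
        // pre-fix path leaves a stale non-null pointer with outOfLineSize == 0.
        if (clearButterflyWhenInline)
            o.butterfly.reset();
        return;
    }
    if (!o.butterfly)
        o.butterfly.reset(new Butterfly);
    o.butterfly->slots.assign(live.begin() + inlineCount, live.end());
}

// Six properties overflow the four inline slots, so the object owns a
// butterfly; deleting three makes the remainder fit inline. Returns whether the
// GC-facing state is consistent after flattening with the chosen policy.
bool flattenScenarioIsConsistent(bool clearButterflyWhenInline) {
    ToyObject o;
    for (int i = 0; i < 6; ++i)
        o.properties.push_back(Property{i, false});
    flatten(o, true);                       // initial layout: 4 inline, 2 out of line
    assert(o.butterfly && o.outOfLineSize == 2);

    o.properties[1].deleted = true;
    o.properties[3].deleted = true;
    o.properties[5].deleted = true;         // three live properties remain
    flatten(o, clearButterflyWhenInline);
    return copiedSpaceInvariantHolds(o);
}

int main() {
    assert(!flattenScenarioIsConsistent(false));  // stale pointer, 0 bytes reported
    assert(flattenScenarioIsConsistent(true));    // pointer cleared, nothing reported
    return 0;
}
```

The model deliberately keeps the Structure-side count (`outOfLineSize`) and the object-side pointer (`butterfly`) as two separately updated fields, because that split is what lets the two disagree; the fix is the single `reset()` on the path where compaction makes the out-of-line storage empty.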
Comment 1 Mark Hahnenberg 2013-08-20 12:58:13 PDT
Created attachment 209220
Comment 2 Mark Hahnenberg 2013-08-20 14:07:36 PDT
Comment 3 WebKit Commit Bot 2013-08-20 15:16:21 PDT
Comment on attachment 209220

Clearing flags on attachment: 209220

Committed r154366: <http://trac.webkit.org/changeset/154366>
Comment 4 WebKit Commit Bot 2013-08-20 15:16:23 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 Geoffrey Garen 2013-08-20 16:55:25 PDT
Having both of these is kind of odd:

    void setButterfly(VM&, Butterfly*, Structure*);
    void setStructure(VM&, Structure*, Butterfly* = 0);

Can we switch to just "setStructureAndButterfly"?