Bug 134906 - Flattening dictionaries with oversize backing stores can cause crashes
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=134906
Reported by Mark Hahnenberg, 2014-07-14 15:14:35 PDT
The collector expects that any pointers into CopiedSpace passed to copyLater are within 32 KB of the CopiedBlock header. This was always the case except for when flattening a dictionary caused the size of the Butterfly to decrease. This was equivalent to moving the base of the Butterfly to higher addresses. If the object was reduced sufficiently in size, the base would no longer be within the first 32 KB of the CopiedBlock and the next collection would choke on the Butterfly pointer. The fix is to detect this situation during flattening and to memmove the Butterfly down to where the old base was.
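The invariant and the fix described in the report, as an added model written for this page (it is not the WebKit patch and uses none of JavaScriptCore's real types or functions). It assumes a simplified Butterfly layout in which out-of-line property slots sit at lower addresses than the butterfly pointer and indexed slots sit after it, so the collector derives the allocation base as `butterfly - capacity`; the 32 KB window comes from the report, while the 64 KB block payload, the `CopiedBlock`/`Butterfly` struct names and the slot contents are constructed for the demo. Flattening with `apply_fix = 0` models the old behaviour (the butterfly pointer is left in place, so the derived base moves up), and `apply_fix = 1` models the memmove-down fix:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not JavaScriptCore code: a CopiedBlock is a small
 * header followed by a bump-allocated payload, and the collector assumes
 * that any pointer handed to copyLater is within COPY_WINDOW bytes of the
 * block header.  Block size and names here are constructed for the demo. */
#define BLOCK_PAYLOAD  (64 * 1024)
#define COPY_WINDOW    (32 * 1024)

typedef uint64_t Slot;                 /* one JSValue-sized cell */

typedef struct {
    size_t bump;                       /* next free byte in payload */
    unsigned char payload[BLOCK_PAYLOAD];
} CopiedBlock;

/* Butterfly layout (simplified): out-of-line property slots sit *before*
 * the butterfly pointer at lower addresses, indexed storage sits after it.
 * The collector reconstructs the allocation base as butterfly - capacity. */
typedef struct {
    Slot  *butterfly;                  /* pointer the object stores */
    size_t capacity;                   /* out-of-line property slots before it */
    size_t indexed;                    /* indexed slots after it */
} Butterfly;

static void *block_alloc(CopiedBlock *block, size_t bytes) {
    assert(block->bump + bytes <= BLOCK_PAYLOAD);
    void *p = block->payload + block->bump;
    block->bump += bytes;
    return p;
}

/* The pointer the collector checks: the start of the Butterfly allocation. */
static Slot *butterfly_base(const Butterfly *b) {
    return b->butterfly - b->capacity;
}

static int within_copy_window(const CopiedBlock *block, const void *p) {
    return (uintptr_t)p - (uintptr_t)block < COPY_WINDOW;
}

static Butterfly make_butterfly(CopiedBlock *block, size_t capacity, size_t indexed) {
    Butterfly b;
    Slot *base = block_alloc(block, (capacity + indexed) * sizeof(Slot));
    b.butterfly = base + capacity;
    b.capacity = capacity;
    b.indexed = indexed;
    /* Constructed contents: property slot -k holds k, indexed slot i holds 1000 + i. */
    for (size_t k = 1; k <= capacity; k++) b.butterfly[-(ptrdiff_t)k] = k;
    for (size_t i = 0; i < indexed; i++) b.butterfly[i] = 1000 + i;
    return b;
}

/* Flattening compacts the dictionary's properties into the `after` slots
 * nearest the butterfly pointer and drops the rest.  Without the fix the
 * butterfly pointer is left where it was, so the base the collector derives
 * from it moves (before - after) slots towards higher addresses.  With the
 * fix the surviving slots are memmove'd down so the new base is the old one. */
static void flatten_to(Butterfly *b, size_t after, int apply_fix) {
    assert(after <= b->capacity);
    Slot *old_base = butterfly_base(b);
    if (apply_fix) {
        Slot *survivors = b->butterfly - after;     /* first retained slot */
        memmove(old_base, survivors, (after + b->indexed) * sizeof(Slot));
        b->butterfly = old_base + after;
    }
    b->capacity = after;
}

/* Returns 1 if the collector's base pointer is still inside the window
 * after flattening `before` slots down to `after`, else 0. */
static int flatten_keeps_invariant(size_t before, size_t after, size_t indexed, int apply_fix) {
    CopiedBlock *block = calloc(1, sizeof *block);
    Butterfly b = make_butterfly(block, before, indexed);
    int ok_before = within_copy_window(block, butterfly_base(&b));
    flatten_to(&b, after, apply_fix);
    int ok_after = within_copy_window(block, butterfly_base(&b));
    free(block);
    return ok_before && ok_after;
}

/* Returns 1 if the retained property and indexed slots still hold their
 * values after the fixed flattening (memmove handles the overlapping case). */
static int flatten_preserves_contents(size_t before, size_t after, size_t indexed) {
    CopiedBlock *block = calloc(1, sizeof *block);
    Butterfly b = make_butterfly(block, before, indexed);
    flatten_to(&b, after, 1);
    int ok = 1;
    for (size_t k = 1; k <= after; k++) ok = ok && b.butterfly[-(ptrdiff_t)k] == k;
    for (size_t i = 0; i < indexed; i++) ok = ok && b.butterfly[i] == 1000 + i;
    free(block);
    return ok;
}

int main(void) {
    /* 5000 out-of-line slots = 40000 bytes: the butterfly pointer already sits
     * past the 32 KB mark even though the base is right after the header. */
    printf("unfixed: invariant %s\n", flatten_keeps_invariant(5000, 4, 8, 0) ? "holds" : "violated");
    printf("fixed:   invariant %s\n", flatten_keeps_invariant(5000, 4, 8, 1) ? "holds" : "violated");
    printf("fixed:   contents %s\n", flatten_preserves_contents(5000, 4, 8) ? "preserved" : "corrupted");
    return 0;
}
```

The unfixed path only breaks the invariant when the reduction is large (a 5000-to-4 slot shrink pushes the derived base to roughly byte 39976 of the block); a small shrink such as 8 to 4 stays inside the window either way, which is why the report describes the crash as depending on the object being "reduced sufficiently in size".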
Attachments
Patch (7.89 KB, patch), 2014-07-14 15:20 PDT, Mark Hahnenberg, no flags
Mark Hahnenberg, Comment 1, 2014-07-14 15:14:56 PDT
<rdar://problem/17556957>
Mark Hahnenberg, Comment 2, 2014-07-14 15:20:09 PDT
Created attachment 234884 [details]: Patch
WebKit Commit Bot, Comment 3, 2014-07-14 16:59:39 PDT
Comment on attachment 234884 [details]: Patch
Clearing flags on attachment: 234884
Committed r171092: <http://trac.webkit.org/changeset/171092>
WebKit Commit Bot, Comment 4, 2014-07-14 16:59:41 PDT
All reviewed patches have been landed. Closing bug.