Bug 134906 - Flattening dictionaries with oversize backing stores can cause crashes
Summary: Flattening dictionaries with oversize backing stores can cause crashes
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Mark Hahnenberg
Depends on:
Reported: 2014-07-14 15:14 PDT by Mark Hahnenberg
Modified: 2014-07-14 16:59 PDT (History)
CC: 1 user

See Also:

Attachment: Patch (7.89 KB, patch), 2014-07-14 15:20 PDT, Mark Hahnenberg, no flags

Description Mark Hahnenberg 2014-07-14 15:14:35 PDT
The collector expects that any pointers into CopiedSpace passed to copyLater are within 32 KB of the CopiedBlock header. This was always the case except for when flattening a dictionary caused the size of the Butterfly to decrease. This was equivalent to moving the base of the Butterfly to higher addresses. If the object was reduced sufficiently in size, the base would no longer be within the first 32 KB of the CopiedBlock and the next collection would choke on the Butterfly pointer.

The fix is to detect this situation during flattening and to memmove the Butterfly down to where the old base was.
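The failure mode and the fix described in the report, as an added stand-alone model (example code written for this page, not JavaScriptCore's own code). It assumes a simplified layout: a 32 KB-aligned oversize block whose header is found by masking a pointer's low bits, a 64-byte header, and a Butterfly modelled as property slots below the butterfly pointer and indexed slots above it in one contiguous store; names such as `blockFor`, `flattenBySlidingBaseUp` and `flattenByMovingDown` are hypothetical, and the real JSC Butterfly has a richer layout (indexing header, pre-capacity) that is left out here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical model of the invariant in this bug; names, sizes and layout are
// assumptions made for the example, not JavaScriptCore's own code.

// Copied blocks are 32 KB-aligned and the collector finds a block's header by
// masking the low bits of any pointer into it. That only works for pointers in
// the first 32 KB: every pointer in a normal block, but not every pointer in an
// oversize block that spans several 32 KB units.
static const size_t kBlockSize = 32 * 1024;
static const size_t kSlotSize = sizeof(uint64_t);
static const size_t kHeaderBytes = 64; // assumed block header size

static uintptr_t blockFor(const void* p) {
    return reinterpret_cast<uintptr_t>(p) & ~static_cast<uintptr_t>(kBlockSize - 1);
}

// Simplified Butterfly: out-of-line property slots sit below the butterfly
// pointer, indexed slots above it, all in one backing store starting at base.
struct Butterfly {
    uint8_t* base;
    size_t propertyCapacity;
    size_t vectorLength;
    uint8_t* pointer() const { return base + propertyCapacity * kSlotSize; }
};

// Pre-fix behaviour: shrink capacity by sliding base up toward the pointer.
static Butterfly flattenBySlidingBaseUp(Butterfly b, size_t newCapacity) {
    b.base += (b.propertyCapacity - newCapacity) * kSlotSize;
    b.propertyCapacity = newCapacity;
    return b;
}

// Fixed behaviour: memmove the retained slots down so base stays where it was.
static Butterfly flattenByMovingDown(Butterfly b, size_t newCapacity) {
    uint8_t* retainedStart = b.pointer() - newCapacity * kSlotSize;
    size_t retainedBytes = (newCapacity + b.vectorLength) * kSlotSize;
    std::memmove(b.base, retainedStart, retainedBytes);
    b.propertyCapacity = newCapacity;
    return b;
}

struct DemoResult {
    bool buggyBaseFindable;
    bool fixedBaseFindable;
    bool fixedSlotsPreserved;
};

static DemoResult runDemo() {
    // A 96 KB oversize block, aligned to 32 KB by over-allocating.
    const size_t blockBytes = 3 * kBlockSize;
    std::vector<uint8_t> storage(blockBytes + kBlockSize);
    uintptr_t header = (reinterpret_cast<uintptr_t>(storage.data()) + kBlockSize - 1)
                       & ~static_cast<uintptr_t>(kBlockSize - 1);

    // A dictionary-mode object with 8192 property slots (64 KB) and 16 indexed
    // slots, placed right after the block header. Contents are constructed:
    // each slot holds its own index.
    Butterfly b;
    b.base = reinterpret_cast<uint8_t*>(header) + kHeaderBytes;
    b.propertyCapacity = 8192;
    b.vectorLength = 16;
    uint64_t* slots = reinterpret_cast<uint64_t*>(b.base);
    for (size_t i = 0; i < b.propertyCapacity + b.vectorLength; ++i)
        slots[i] = i;

    DemoResult r;
    // Flattening leaves 4 properties live. Sliding the base up puts it about
    // 64 KB past the header, so the mask resolves to the wrong block.
    Butterfly buggy = flattenBySlidingBaseUp(b, 4);
    r.buggyBaseFindable = blockFor(buggy.base) == header;

    // Moving the data down keeps the base at its original offset.
    Butterfly fixed = flattenByMovingDown(b, 4);
    r.fixedBaseFindable = blockFor(fixed.base) == header;

    // The four surviving property slots and the indexed slots must be intact.
    const uint64_t* props = reinterpret_cast<const uint64_t*>(fixed.base);
    const uint64_t* vec = reinterpret_cast<const uint64_t*>(fixed.pointer());
    r.fixedSlotsPreserved = fixed.base == b.base
        && props[0] == 8188 && props[3] == 8191
        && vec[0] == 8192 && vec[15] == 8207;
    return r;
}

int main() {
    DemoResult r = runDemo();
    std::printf("slide base up: collector finds block = %d\n", r.buggyBaseFindable);
    std::printf("memmove down:  collector finds block = %d, slots intact = %d\n",
                r.fixedBaseFindable, r.fixedSlotsPreserved);
    return 0;
}
```

The check that matters is `blockFor(base) == header` after flattening: with the base slid upward it fails for any shrink larger than the distance between the base and the end of the first 32 KB of the block, which is exactly the case the real collector would choke on at the next collection.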
Comment 1 Mark Hahnenberg 2014-07-14 15:14:56 PDT
Comment 2 Mark Hahnenberg 2014-07-14 15:20:09 PDT
Created attachment 234884: Patch
Comment 3 WebKit Commit Bot 2014-07-14 16:59:39 PDT
Comment on attachment 234884

Clearing flags on attachment: 234884

Committed r171092: <http://trac.webkit.org/changeset/171092>
Comment 4 WebKit Commit Bot 2014-07-14 16:59:41 PDT
All reviewed patches have been landed. Closing bug.