Bug 134906 - Flattening dictionaries with oversize backing stores can cause crashes
Summary: Flattening dictionaries with oversize backing stores can cause crashes
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Hahnenberg
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-14 15:14 PDT by Mark Hahnenberg
Modified: 2014-07-14 16:59 PDT (History)
1 user (show)

See Also:

Attachments
Patch (7.89 KB, patch)
2014-07-14 15:20 PDT, Mark Hahnenberg 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Hahnenberg 2014-07-14 15:14:35 PDT 
The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB of the CopiedBlock header. This was always the case except for when flattening a dictionary caused the size of the Butterfly to decrease. This was equivalent to moving the base of the Butterfly to higher addresses. If the object was reduced sufficiently in size, the base would no longer be within the first 32 KB of the CopiedBlock and the next collection would choke on the Butterfly pointer.

The fix is to detect this situation during flattening and to memmove the Butterfly down to where the old base was.
Comment 1 Mark Hahnenberg 2014-07-14 15:14:56 PDT 
<rdar://problem/17556957>
Comment 2 Mark Hahnenberg 2014-07-14 15:20:09 PDT 
Created attachment 234884 [details]
Patch
Comment 3 WebKit Commit Bot 2014-07-14 16:59:39 PDT 
Comment on attachment 234884 [details]
Patch

Clearing flags on attachment: 234884

Committed r171092: <http://trac.webkit.org/changeset/171092>
Comment 4 WebKit Commit Bot 2014-07-14 16:59:41 PDT 
All reviewed patches have been landed.  Closing bug.