Changeset 171092 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Jul 14, 2014, 4:59:15 PM (11 years ago)

Author:

[email protected]

Message:

Flattening dictionaries with oversize backing stores can cause crashes
​https://bugs.webkit.org/show_bug.cgi?id=134906

Reviewed by Filip Pizlo.

The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
of the CopiedBlock header. This was always the case except for when flattening a dictionary
caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
would no longer be within the first 32 KB of the CopiedBlock and the next collection would
choke on the Butterfly pointer.

This patch fixes this issue by detect this situation during flattening and memmove-ing
the Butterfly down to where the old base was.

• runtime/JSObject.cpp:

(JSC::JSObject::shiftButterflyAfterFlattening):

• runtime/JSObject.h:

(JSC::JSObject::butterflyPreCapacity):
(JSC::JSObject::butterflyTotalSize):

• runtime/Structure.cpp:

(JSC::Structure::flattenDictionaryStructure):

• tests/stress/flatten-oversize-dictionary-object.js: Added.

(foo):

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2697 +2697 @@
 }
 
+void JSObject::shiftButterflyAfterFlattening(VM& vm, size_t outOfLineCapacityBefore, size_t outOfLineCapacityAfter)
+{
+    Butterfly* butterfly = this->butterfly();
+    size_t preCapacity = this->butterflyPreCapacity();
+    void* currentBase = butterfly->base(preCapacity, outOfLineCapacityAfter);
+    void* newBase = butterfly->base(preCapacity, outOfLineCapacityBefore);
+
+    memmove(newBase, currentBase, this->butterflyTotalSize());
+    setButterflyWithoutChangingStructure(vm, Butterfly::fromBase(newBase, preCapacity, outOfLineCapacityAfter));
+}
+
 } // namespace JSC