CodeCache::m_capacity can becoming negative, producing undefined resu…

…lts in pruneSlowCase https://bugs.webkit.org/show_bug.cgi?id=113453 Reviewed by Geoffrey Garen. * runtime/CodeCache.cpp: (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now. This prevents m_capacity from doing the same. Canonical link: https://commits.webkit.org/131758@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@147017 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Mar 27, 2013 · a887e2f7908bf044a1b5bf5c77740ecf53b96163 · a887e2f
1 parent adb62c9
commit a887e2f7908bf044a1b5bf5c77740ecf53b96163
Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2013-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        CodeCache::m_capacity can becoming negative, producing undefined results in pruneSlowCase
+        https://bugs.webkit.org/show_bug.cgi?id=113453
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/CodeCache.cpp:
+        (JSC::CodeCacheMap::pruneSlowCase): We make sure that m_minCapacity doesn't drop below zero now.
+        This prevents m_capacity from doing the same.
+
 2013-03-27  Filip Pizlo  <fpizlo@apple.com>
 
         DFG should use CheckStructure for typed array checks whenever possible

diff --git a/Source/JavaScriptCore/runtime/CodeCache.cpp b/Source/JavaScriptCore/runtime/CodeCache.cpp
@@ -40,7 +40,7 @@ const double CodeCacheMap::workingSetTime = 10.0;
 
 void CodeCacheMap::pruneSlowCase()
 {
-    m_minCapacity = m_size - m_sizeAtLastPrune;
+    m_minCapacity = std::max(m_size - m_sizeAtLastPrune, 0LL);
     m_sizeAtLastPrune = m_size;
     m_timeAtLastPrune = monotonicallyIncreasingTime();