When we flatten an object in dictionary mode, we compact its properties. If the object had out-of-line storage in the form of a Butterfly prior to this compaction, and after compaction its properties fit inline, the object's Structure "forgets" that the object has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes with bytes = 0, which causes all sorts of badness in CopiedSpace. When we flatten a dictionary, if the properties fit inline we should clear the Butterfly pointer so that the GC doesn't get confused later.
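A toy C++ model of the state described in the report above, added here as an illustration; it is not code from the patch or from JavaScriptCore. ToyObject, flatten, visitButterfly and the inline capacity of 2 are assumptions made for the example, and property values are not modelled, only the bookkeeping the collector relies on.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Toy model: every name and size here is an assumption, not JavaScriptCore's.
constexpr std::size_t kInlineCapacity = 2;

struct ToyObject {
    std::vector<bool> live;             // one flag per property offset; false = deleted hole
    std::size_t outOfLineCapacity = 0;  // out-of-line slot count the Structure records
    std::unique_ptr<long[]> butterfly;  // out-of-line storage; null when there is none
};

static std::size_t outOfLineFor(std::size_t n) {
    return n > kInlineCapacity ? n - kInlineCapacity : 0;
}

ToyObject makeDictionary(std::size_t propertyCount) {
    ToyObject o;
    o.live.assign(propertyCount, true);
    o.outOfLineCapacity = outOfLineFor(propertyCount);
    if (o.outOfLineCapacity)
        o.butterfly.reset(new long[o.outOfLineCapacity]());
    return o;
}

// Compact away deleted offsets. clearButterfly=false models the behaviour in the report.
void flatten(ToyObject& o, bool clearButterfly) {
    std::size_t remaining =
        static_cast<std::size_t>(std::count(o.live.begin(), o.live.end(), true));
    o.live.assign(remaining, true);
    o.outOfLineCapacity = outOfLineFor(remaining);
    if (clearButterfly && !o.outOfLineCapacity)
        o.butterfly.reset();            // the fix proposed in the report
}

enum class Visit { NoButterfly, Reported, ZeroByteReport };

// Collector side: a non-null butterfly is reported with the size the Structure implies.
Visit visitButterfly(const ToyObject& o, std::size_t& liveBytes) {
    if (!o.butterfly)
        return Visit::NoButterfly;
    std::size_t bytes = o.outOfLineCapacity * sizeof(long);
    liveBytes += bytes;
    return bytes ? Visit::Reported : Visit::ZeroByteReport;
}
```

ZeroByteReport is the inconsistent state: the pointer is still set while the recorded out-of-line size is zero, so a debug assertion on that condition in the visit path would catch any other code path that leaves the two out of sync.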
Created attachment 209220: Patch
<rdar://problem/14331193>
Comment on attachment 209220: Patch

Clearing flags on attachment: 209220

Committed r154366: <http://trac.webkit.org/changeset/154366>
All reviewed patches have been landed. Closing bug.
Having both of these is kind of odd:

    void setButterfly(VM&, Butterfly*, Structure*);
    void setStructure(VM&, Structure*, Butterfly* = 0);

Can we switch to just "setStructureAndButterfly"?