JavaScriptCore:

        Reviewed by Chris.

	<rdar://problem/4092136> reproducible crash in KJS::kjs_fast_realloc loading maps.google.com

	* kjs/string_object.cpp:
        (StringObjectFuncImp::call): Allocate adopted ustring buffer properly.

WebCore:

        New test case for <rdar://problem/4092136> reproducible crash in KJS::kjs_fast_realloc loading maps.google.com

        * layout-tests/fast/js/string-from-char-code-expected.txt: Added.
        * layout-tests/fast/js/string-from-char-code.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@9059 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 2f7297ce6d02bdd533ab6bb18f4c7bfe69c19e0d..31e3f95070664fde5e72f563ca52ca69558aa781 100644 (file)
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,12 @@
+2005-04-26  Maciej Stachowiak  <mjs@apple.com>
+
+        Reviewed by Chris.
+
+       <rdar://problem/4092136> reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
+        
+       * kjs/string_object.cpp:
+        (StringObjectFuncImp::call): Allocate adopted ustring buffer properly.
+

 2005-04-22  Darin Adler  <darin@apple.com>
 
         Reviewed by Maciej.
 2005-04-22  Darin Adler  <darin@apple.com>
 
         Reviewed by Maciej.

diff --git a/JavaScriptCore/kjs/string_object.cpp b/JavaScriptCore/kjs/string_object.cpp
index 32a3fe7f6c2827f2be7bcfd6486c73a2f6a5cb2f..816917f6c7ad140be5d9e7c2434437f51c418c86 100644 (file)
--- a/JavaScriptCore/kjs/string_object.cpp
+++ b/JavaScriptCore/kjs/string_object.cpp
@@ -740,7 +740,7 @@ Value StringObjectFuncImp::call(ExecState *exec, Object &/*thisObj*/, const List
 {
   UString s;
   if (args.size()) {
 {
   UString s;
   if (args.size()) {

-    UChar *buf = new UChar[args.size()];
+    UChar *buf = static_cast<UChar *>(kjs_fast_malloc(args.size() * sizeof(UChar)));

     UChar *p = buf;
     ListIterator it = args.begin();
     while (it != args.end()) {
     UChar *p = buf;
     ListIterator it = args.begin();
     while (it != args.end()) {

diff --git a/LayoutTests/fast/js/string-from-char-code-expected.txt b/LayoutTests/fast/js/string-from-char-code-expected.txt
new file mode 100644 (file)
index 0000000..10736e2
--- /dev/null
+++ b/LayoutTests/fast/js/string-from-char-code-expected.txt
@@ -0,0 +1,11 @@
+layer at (0,0) size 800x600
+  RenderCanvas at (0,0) size 800x600
+layer at (0,0) size 800x600
+  RenderBlock {HTML} at (0,0) size 800x600
+    RenderBody {BODY} at (8,8) size 784x584
+      RenderText {TEXT} at (0,0) size 422x18
+        text run at (0,0) width 422: "This test should not crash and should display an X on the next line:"
+      RenderBR {BR} at (0,0) size 0x0
+      RenderText {TEXT} at (0,18) size 12x18
+        text run at (0,18) width 12: "X"
+      RenderBR {BR} at (0,0) size 0x0

diff --git a/LayoutTests/fast/js/string-from-char-code.html b/LayoutTests/fast/js/string-from-char-code.html
new file mode 100644 (file)
index 0000000..5e29f43
--- /dev/null
+++ b/LayoutTests/fast/js/string-from-char-code.html
@@ -0,0 +1,8 @@
+<html>
+<body>
+This test should not crash and should display an X on the next line:<br>
+<script>
+document.write(String.fromCharCode(88));
+document.write('<br>');
+</script>
+</body>
\ No newline at end of file

diff --git a/WebCore/ChangeLog-2005-08-23 b/WebCore/ChangeLog-2005-08-23
index 12603cc525458e2a7520342c14479ad66bf701b6..7b8af828a19cb6c59aa5196a5cbe34877b76b2b5 100644 (file)
--- a/WebCore/ChangeLog-2005-08-23
+++ b/WebCore/ChangeLog-2005-08-23
@@ -1,3 +1,10 @@
+2005-04-26  Maciej Stachowiak  <mjs@apple.com>
+
+        New test case for <rdar://problem/4092136> reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
+
+        * layout-tests/fast/js/string-from-char-code-expected.txt: Added.
+        * layout-tests/fast/js/string-from-char-code.html: Added.
+

 2005-04-26  Darin Adler  <darin@apple.com>
 
         Reviewed by John.
 2005-04-26  Darin Adler  <darin@apple.com>
 
         Reviewed by John.