From 51e41d6773ef6b16563a0620b21cc34ce8aca278 Mon Sep 17 00:00:00 2001
From: mjs
Date: Wed, 27 Apr 2005 00:18:14 +0000
Subject: [PATCH] JavaScriptCore:
Reviewed by Chris.
reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
* kjs/string_object.cpp:
(StringObjectFuncImp::call): Allocate adopted ustring buffer properly.
WebCore:
New test case for reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
* layout-tests/fast/js/string-from-char-code-expected.txt: Added.
* layout-tests/fast/js/string-from-char-code.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@9059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 JavaScriptCore/ChangeLog | 9 +++++++++
 JavaScriptCore/kjs/string_object.cpp | 2 +-
 .../fast/js/string-from-char-code-expected.txt | 11 +++++++++++
 LayoutTests/fast/js/string-from-char-code.html | 8 ++++++++
 WebCore/ChangeLog-2005-08-23 | 7 +++++++
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 LayoutTests/fast/js/string-from-char-code-expected.txt
 create mode 100644 LayoutTests/fast/js/string-from-char-code.html
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 2f7297ce6d02..31e3f9507066 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,12 @@
+2005-04-26 Maciej Stachowiak
+
+ Reviewed by Chris.
+
+ reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
+
+ * kjs/string_object.cpp:
+ (StringObjectFuncImp::call): Allocate adopted ustring buffer properly.
+
 2005-04-22 Darin Adler
 Reviewed by Maciej.
diff --git a/JavaScriptCore/kjs/string_object.cpp b/JavaScriptCore/kjs/string_object.cpp
index 32a3fe7f6c28..816917f6c7ad 100644
--- a/JavaScriptCore/kjs/string_object.cpp
+++ b/JavaScriptCore/kjs/string_object.cpp
@@ -740,7 +740,7 @@ Value StringObjectFuncImp::call(ExecState *exec, Object &/*thisObj*/, const List
 {
 UString s;
 if (args.size()) {
- UChar *buf = new UChar[args.size()];
+ UChar *buf = static_cast(kjs_fast_malloc(args.size() * sizeof(UChar)));
 UChar *p = buf;
 ListIterator it = args.begin();
 while (it != args.end()) {
diff --git a/LayoutTests/fast/js/string-from-char-code-expected.txt b/LayoutTests/fast/js/string-from-char-code-expected.txt
new file mode 100644
index 000000000000..10736e2fcf1c
--- /dev/null
+++ b/LayoutTests/fast/js/string-from-char-code-expected.txt
@@ -0,0 +1,11 @@
+layer at (0,0) size 800x600
+ RenderCanvas at (0,0) size 800x600
+layer at (0,0) size 800x600
+ RenderBlock {HTML} at (0,0) size 800x600
+ RenderBody {BODY} at (8,8) size 784x584
+ RenderText {TEXT} at (0,0) size 422x18
+ text run at (0,0) width 422: "This test should not crash and should display an X on the next line:"
+ RenderBR {BR} at (0,0) size 0x0
+ RenderText {TEXT} at (0,18) size 12x18
+ text run at (0,18) width 12: "X"
+ RenderBR {BR} at (0,0) size 0x0
diff --git a/LayoutTests/fast/js/string-from-char-code.html b/LayoutTests/fast/js/string-from-char-code.html
new file mode 100644
index 000000000000..5e29f43805a9
--- /dev/null
+++ b/LayoutTests/fast/js/string-from-char-code.html
@@ -0,0 +1,8 @@
+ + +This test should not crash and should display an X on the next line:
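Review bot: The `+` line that swaps `new UChar[...]` for `kjs_fast_malloc` records nothing at the allocation site about why the allocator matters, and that invariant is easy to break again in a later edit. The commit message calls this an "adopted" buffer and places the crash in kjs_fast_realloc, which indicates the UString that takes ownership later grows or frees it through the kjs_fast_* allocator (kjs_fast_realloc/kjs_fast_free), so memory from `new[]` was the allocator mismatch behind the heap corruption; a comment such as `// Adopted by the UString built below, which resizes/frees it with the kjs_fast_* allocator; it must not come from new[].` above the assignment would make that explicit. As rendered here `static_cast(` has no template argument, most likely because `<UChar *>` was dropped as markup when the page was extracted, so confirm the committed line reads `static_cast<UChar *>(...)`. The return value of kjs_fast_malloc is used unchecked and its behaviour on allocation failure is not visible in this hunk, so check how the other callers in this file handle a null result. StringObjectFuncImp::call continues past the end of the hunk, including the line that adopts buf.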
+ +
\ No newline at end of file
diff --git a/WebCore/ChangeLog-2005-08-23 b/WebCore/ChangeLog-2005-08-23
index 12603cc52545..7b8af828a19c 100644
--- a/WebCore/ChangeLog-2005-08-23
+++ b/WebCore/ChangeLog-2005-08-23
@@ -1,3 +1,10 @@
+2005-04-26 Maciej Stachowiak
+
+ New test case for reproducible crash in KJS::kjs_fast_realloc loading maps.google.com
+
+ * layout-tests/fast/js/string-from-char-code-expected.txt: Added.
+ * layout-tests/fast/js/string-from-char-code.html: Added.
+
 2005-04-26 Darin Adler
 Reviewed by John.
-- 2.36.0