changeset 5057:45efea44f8dd

RT-26306: Crash in JSValueMakeFromJSONString
author Vasiliy Baranov <vasiliy.baranov@oracle.com>
date Thu, 12 Sep 2013 15:05:30 +0400
parents 6a2c7c339d17
children 3712e86c7317
files modules/web/src/main/native/Source/JavaScriptCore/jit/ThunkGenerators.cpp modules/web/src/test/java/javafx/scene/web/MiscellaneousTest.java
diffstat 2 files changed, 20 insertions(+), 0 deletions(-) [+]
--- a/modules/web/src/main/native/Source/JavaScriptCore/jit/ThunkGenerators.cpp	Thu Sep 12 12:40:49 2013 +0400
+++ b/modules/web/src/main/native/Source/JavaScriptCore/jit/ThunkGenerators.cpp	Thu Sep 12 15:05:30 2013 +0400
@@ -196,6 +196,14 @@
         JSInterfaceJIT::TrustedImmPtr(vm->stringStructure.get()));
 
     // Checks out okay! - get the length from the Ustring.
+#if PLATFORM(JAVA) // RT-26306
+    jit.load32(
+        JSInterfaceJIT::Address(JSInterfaceJIT::regT0, JSString::offsetOfLength()),
+        JSInterfaceJIT::regT0);
+
+    JSInterfaceJIT::Jump failureCases3 = jit.branch32(
+        JSInterfaceJIT::Above, JSInterfaceJIT::regT0, JSInterfaceJIT::TrustedImm32(INT_MAX));
+#else // PLATFORM(JAVA)
     jit.load32(
         JSInterfaceJIT::Address(JSInterfaceJIT::regT0, JSString::offsetOfLength()),
         JSInterfaceJIT::regT2);
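Review bot: The PLATFORM(JAVA) branch overwrites regT0 with the length before the INT_MAX check, so when failureCases3 is taken regT0 no longer holds the JSString cell, whereas the generic branch below keeps the cell in regT0 until after the check and only then moves regT2 into it. failureCases3 is linked outside the hunk, so confirm that its slow-path target does not rely on regT0 still pointing at the cell; if the USE(JSVALUE64) path above loads the length into regT0 the same way, that is the precedent to cite. The commit also does not record why the regT2 sequence fails on this platform, so a one-line comment on the `#if`, such as `// RT-26306: load the length straight into regT0 instead of via regT2; see the bug for why the regT2 sequence crashed on this platform`, would save the next reader from re-deriving it. The second hunk is only the matching `#endif`. The enclosing generator starts before the first hunk and ends after the second.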
@@ -203,6 +211,7 @@
     JSInterfaceJIT::Jump failureCases3 = jit.branch32(
         JSInterfaceJIT::Above, JSInterfaceJIT::regT2, JSInterfaceJIT::TrustedImm32(INT_MAX));
     jit.move(JSInterfaceJIT::regT2, JSInterfaceJIT::regT0);
+#endif // PLATFORM(JAVA)
     jit.move(JSInterfaceJIT::TrustedImm32(JSValue::Int32Tag), JSInterfaceJIT::regT1);
 #endif // USE(JSVALUE64)
 
--- a/modules/web/src/test/java/javafx/scene/web/MiscellaneousTest.java	Thu Sep 12 12:40:49 2013 +0400
+++ b/modules/web/src/test/java/javafx/scene/web/MiscellaneousTest.java	Thu Sep 12 15:05:30 2013 +0400
@@ -83,6 +83,17 @@
         assertEquals(location, records.get(0).location);
     }
 
+    @Test public void testRT26306() {
+        loadContent(
+                "<script language='javascript'>\n" +
+                "var s = '0123456789abcdef';\n" +
+                "while (true) {\n" +
+                "    alert(s.length);\n" +
+                "    s = s + s;\n" +
+                "}\n" +
+                "</script>");
+    }
+
     private WebEngine createWebEngine() {
         return submit(new Callable<WebEngine>() {
             public WebEngine call() {
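Review bot: testRT26306 has no assertion and its script loops `while (true)` doubling `s`, so the test can only pass by the engine terminating the script (presumably a failure in `s = s + s` once the string can no longer grow) without crashing; nothing in the method says so, and a regression that hangs instead of crashing would stall the suite rather than fail it. Add a comment stating what ends the loop and what the test guards, e.g. `// Regression test for RT-26306: the loop runs until string concatenation fails; the test passes if the engine survives the load without crashing.`, and consider a JUnit `@Test(timeout = ...)` with a value that fits the suite so a hang is reported as a failure. This assumes loadContent waits for the load to complete; its definition is outside the hunk.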