Bug 808483: Fix dependent string assertion; r=luke

Undepended strings can break the assertion in JSDependentString::new_. This
generalizes the assertion to work for all cases.

--HG--
extra : rebase_source : 62b7fa786c6250054092723b92cd97bded92d6b1
Terrence Cole 2012-11-05 15:07:52 -08:00
parent 7a8bb88181
commit ab93284615
2 changed files with 32 additions and 4 deletions


@ -0,0 +1,16 @@
pSandbox = newGlobal('new-compartment');
evalcx("\
x = ArrayBuffer;\
y = Map();\
x += 1;\
w = x;\
x += '0';\
z = x;\
", pSandbox);
evalcx("\
x + '0';\
", pSandbox);
evalcx("\
y.delete(z);\
w.slice(2);\
", pSandbox)
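Review bot: The final `evalcx` call on the last line drops the trailing semicolon that the two earlier calls carry; for consistency it should read `", pSandbox);`. The file also says nothing about what it is guarding, and since this test succeeds only by not tripping a debug assertion, a reader has no way to tell which line matters; a header comment such as `// Regression test for bug 808483: undepended strings must not break the assertion in JSDependentString::new_.` would tie it to the commit description. Whether both `y.delete(z)` and `w.slice(2)` are needed to reproduce the failure is not evident from the page, so the comment should not claim more than that.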


@ -162,17 +162,29 @@ JSDependentString::init(JSLinearString *base, const jschar *chars, size_t length
}
JS_ALWAYS_INLINE JSLinearString *
JSDependentString::new_(JSContext *cx, JSLinearString *base_, const jschar *chars, size_t length)
JSDependentString::new_(JSContext *cx, JSLinearString *baseArg, const jschar *chars, size_t length)
{
js::Rooted<JSLinearString*> base(cx, base_);
js::Rooted<JSLinearString*> base(cx, baseArg);
/* Try to avoid long chains of dependent strings. */
while (base->isDependent())
base = base->asDependent().base();
JS_ASSERT(base->isFlat());
JS_ASSERT(chars >= base->chars() && chars < base->chars() + base->length());
JS_ASSERT(length <= base->length() - (chars - base->chars()));
/*
* The chars we are pointing into must be owned by something in the chain
* of dependent or undepended strings kept alive by our base pointer.
*/
#ifdef DEBUG
for (JSLinearString *b = base; ; b = b->base()) {
if (chars >= b->chars() && chars < b->chars() + b->length() &&
length <= b->length() - (chars - b->chars()))
{
break;
}
}
#endif
/*
* Do not create a string dependent on inline chars from another string,