JavaScript array problem affecting bugzilla

John Sullivan sullivan at apple.com
Tue Jul 20 01:44:51 CEST 2004


On Jul 19, 2004, at 4:00 PM, Harri Porten wrote:

> On Mon, 19 Jul 2004, John Sullivan wrote:
>
>> FYI, we were getting a NAN value that was being converted to some huge
>> negative value by toInteger(), causing the subsequent loop to run for
>> an extremely long time.
>
> Hmm. Okay. Although I don't understand how this can happen as the value is
> made fit into the range [0; length] in your code, too, no? Is the problem
> related to the fact that you do the
>
>   int b = static_cast<int>(begin);
>
> after the bound check?

This line:

double begin = args[0].toInteger(exec);

was setting begin to a value reported by the debugger as
nan(0x8000000000000). This failed both the (begin < 0) check and the
(begin > length) check, because NAN values fail all comparisons. Later,
this line:

  int b = static_cast<int>(begin);

was setting b to -2147483648.


> What happens when the user specifies NaN explicitly?

Good point. The UndefinedType check on args[0] wouldn't catch that. 
I've added additional bulletproofing for this in this new patch:

Index: JavaScriptCore/kjs/array_object.cpp
===================================================================
RCS file: /local/home/cvs/Labyrinth/JavaScriptCore/kjs/array_object.cpp,v
retrieving revision 1.36
diff -u -p -r1.36 JavaScriptCore/kjs/array_object.cpp
--- JavaScriptCore/kjs/array_object.cpp	2004/07/16 22:56:24	1.36
+++ JavaScriptCore/kjs/array_object.cpp	2004/07/19 23:36:21
@@ -583,6 +583,9 @@ Value ArrayProtoFuncImp::call(ExecState
      double begin = 0;
      if (args[0].type() != UndefinedType) {
          begin = args[0].toInteger(exec);
+        if (isnan(begin)) {
+            begin = 0;
+        }
          if (begin < 0) {
              begin += length;
              if (begin < 0)
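Review bot: Mapping a NaN begin to 0 matches what ECMAScript's ToInteger already specifies for NaN, which suggests the guard belongs inside toInteger() itself rather than in this one caller: any other array method that does `static_cast<int>` on a toInteger() result has the same hazard and stays unprotected by this hunk. If the check stays here, consider folding it into the chain as `if (isnan(begin)) begin = 0; else if (begin < 0) ...` for symmetry with the second hunk.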
@@ -595,7 +598,9 @@ Value ArrayProtoFuncImp::call(ExecState
      double end = length;
      if (args[1].type() != UndefinedType) {
        end = args[1].toInteger(exec);
-      if (end < 0) {
+      if (isnan(end)) {
+        end = length;
+      } else if (end < 0) {
          end += length;
          if (end < 0)
            end = 0;
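Review bot: `end = length` for a NaN end argument is not what the spec gives: ToInteger(NaN) is +0, so `slice(0, NaN)` should produce an empty array, whereas this hunk returns the whole array. Treating NaN like undefined is safe against the runaway loop, but `end = 0` would be both safe and spec-conformant; either way the choice deserves a comment on the `isnan(end)` line.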


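As an added example (mine, not code from the KJS patch or this thread), the slice range normalisation written as stand-alone C: it shows why a NaN index passes both range checks and how the isnan() clamp keeps the copy loop bounded. The upper clamp (`begin > length`, `end > length`) is assumed from the [0; length] range Harri describes; it is outside the visible hunks.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not KJS code): the begin/end normalisation that
 * Array.prototype.slice performs, mirroring the patched logic. "defined"
 * models args[i].type() != UndefinedType; the clamp at the upper end is
 * assumed from the [0; length] range the thread describes. */
static double clamp_begin(double begin, bool defined, double length) {
    if (!defined || isnan(begin)) return 0;     /* the fix: NaN -> 0 */
    if (begin < 0) {
        begin += length;
        if (begin < 0) begin = 0;
    } else if (begin > length) {
        begin = length;
    }
    return begin;
}

static double clamp_end(double end, bool defined, double length) {
    if (!defined || isnan(end)) return length;  /* the fix: NaN -> length */
    if (end < 0) {
        end += length;
        if (end < 0) end = 0;
    } else if (end > length) {
        end = length;
    }
    return end;
}

/* Why the old checks missed it: every comparison against NaN is false,
 * so NaN is neither "< 0" nor "> length" and slips through both tests. */
static bool escapes_range_checks(double v, double length) {
    return !(v < 0) && !(v > length);
}

/* Elements the copy loop visits after normalisation; never negative. */
static long slice_count(double begin, bool bd, double end, bool ed, double length) {
    double b = clamp_begin(begin, bd, length);
    double e = clamp_end(end, ed, length);
    long n = (long)(e - b);
    return n > 0 ? n : 0;
}
int main(void) {
    printf("NaN escapes the old checks: %d\n", escapes_range_checks(NAN, 10));
    printf("slice(NaN) on length 10 visits %ld elements\n",
           slice_count(NAN, true, 0, false, 10));
    return 0;
}
```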