JavaScript array problem affecting bugzilla
John Sullivan
sullivan at apple.com
Tue Jul 20 02:18:14 CEST 2004
Thanks for the additional comments . I agree that there is a lot more
bulletproofing against bad values that could be done anywhere we use
doubles even temporarily. We might take a pass at that, but it probably
won't be high on our list of priorities until/unless we see it start to
affect real-world sites.
John
On Jul 19, 2004, at 5:13 PM, Harri Porten wrote:
> On Mon, 19 Jul 2004, John Sullivan wrote:
>
>> This line:
>>
>> double begin = args[0].toInteger(exec);
>>
>> was setting begin to a value reported by the debugger as
>> nan(0x8000000000000). This failed both the (begin < 0) check and the
>> (begin > length) check, because NAN values fail all comparisons.
>> Later,
>> this line:
>
> Ah! As we still do pure int arithmetic in this function this never was
> an
> issue.
>
>>> What happens when the user specifies NaN explicitly?
>>
>> Good point. The UndefinedType check on args[0] wouldn't catch that.
>> I've added additional bulletproofing for this in this new patch:
>
> OK. Not needed here but in case we change toInteger() to return double
> one
> day, too, it will be of course.
>
> Couldn't you just do the cast to int right away? Or did you want to do
> the
> range checks with floating point numbers for a specific reason? I'm
> asking
> because I personally don't know what kind of behaviour
>
> double -> int
>
> casts have over the complete double range. Do they have a continuous
> and
> linear behaviour? Hmm. Probably not:
>
> double d = 3000000000.0; // > MAX_INT
> int i = static_cast<int>(d);
>
> i is -2147483648. So someone (stupid) could still trigger a nasty loop
> by
> passing very large numbers.
>
> Harri.
>
> _______________________________________________
> Khtml-devel at kde.org
> https://mail.kde.org/mailman/listinfo/khtml-devel
More information about the Khtml-devel
mailing list