Changeset 6025 in webkit for trunk/JavaScriptCore/kjs/array_object.cpp

Timestamp:

Feb 2, 2004, 1:23:17 PM (21 years ago)

Author:

darin

Message:

Reviewed by Maciej.

• fixed <rdar://problem/3519285>: integer operations on large negative numbers yield bad results (discovered with "HTMLCrypt")
• fixed other related overflow issues

• kjs/value.h: Changed return types of toInteger, toInt32, toUInt32, and toUInt16.
• kjs/value.cpp: (ValueImp::toInteger): Change to return a double, since this operation, from the ECMA specification, must not restrict values to the range of a particular integer type. (ValueImp::toInt32): Used a sized integer type for the result of this function, and also added proper handling for negative results from fmod. (ValueImp::toUInt32): Ditto. (ValueImp::toUInt16): Ditto. (ValueImp::dispatchToUInt32): Changed result type from unsigned to uint32_t.

• kjs/array_object.cpp: (ArrayProtoFuncImp::call): Use a double instead of an int to handle out-of-integer-range values better in the slice function.
• kjs/internal.cpp: (KJS::roundValue): Streamline the function, handling NAN and infinity properly.
• kjs/number_object.cpp: (NumberProtoFuncImp::call): Use a double instead of an int to handle out-of-integer-range values better in the toString function.
• kjs/string_object.cpp: (StringProtoFuncImp::call): Use a double instead of an int to handle out-of-integer-range values better in the charAt, charCodeAt, indexOf, lastIndexOf, slice, and substr functions.

File:

• trunk/JavaScriptCore/kjs/array_object.cpp (modified) (1 diff)

trunk/JavaScriptCore/kjs/array_object.cpp

@@ -581 +581 @@
     Object resObj = Object::dynamicCast(exec->interpreter()->builtinArray().construct(exec,List::empty()));
     result = resObj;
-    int begin = args[0].toInteger(exec);
-    if ( begin < 0 )
-      begin = maxInt( begin + length, 0 );
-    else
-      begin = minInt( begin, length );
-    int end = length;
-    if (args[1].type() != UndefinedType)
-    {
+    double begin = args[0].toInteger(exec);
+    if (begin < 0) {
+      begin += length;
+      if (begin < 0)
+        begin = 0;
+    } else {
+      if (begin > length)
+        begin = length;
+    }
+    double end = length;
+    if (args[1].type() != UndefinedType) {
       end = args[1].toInteger(exec);
-      if ( end < 0 )
-        end = maxInt( end + length, 0 );
-      else
-        end = minInt( end, length );
+      if (end < 0) {
+        end += length;
+        if (end < 0)
+          end = 0;
+      } else {
+        if (end > length)
+          end = length;
+      }
     }
 
     //printf( "Slicing from %d to %d \n", begin, end );
     int n = 0;
-    for(int k = begin; k < end; k++, n++) {
+    int b = static_cast<int>(begin);
+    int e = static_cast<int>(end);
+    for(int k = b; k < e; k++, n++) {
       if (thisObj.hasProperty(exec, k)) {
         Value obj = thisObj.get(exec, k);