442086 - XPConnect creates doubles without checking for the INT_FITS_IN_JSVAL case

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[Jason Orendorff [:jorendorff]]

See bug 435288.  The bug is in xpcconvert.cpp, in the definition of JAM_DOUBLE and the places where it's used.

http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/xpcconvert.cpp#174

The actual symptom:  If a value produced this way is used in certain JS switch statements, it can incorrectly fail to match any cases.

(This code also fails to report out-of-memory errors.  Should I bother fixing that?)

Comment 1

[Jason Orendorff [:jorendorff]]

Attachment: test case

You can actually get to this bug via the DOM.

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: v1

This fixes the bug ...and makes it return JS_FALSE on out of memory.

An xpconnect unit test is included.  Did I put that in the right place?

I took out a comment that said, "XXX will this break backwards compatability???"  The comment had been there since 2001, so I figure we're good.

The "Support for 64 bit conversions where 'long long' not supported" had to be touched.  As I don't even know what those platforms might be, the new code is untested.

Comment 3

[Jason Orendorff [:jorendorff]]

I ran this through the try server and everything came up green.  (2008/07/16 22:28:02)

Comment 4

[Johnny Stenback (:jst)]

Comment on attachment 327247 [details] [diff] [review]
v1

Looks good, it'd be good if Brendan could have a look at this one too.

Comment 5

[Brendan Eich [:brendan]]

Comment on attachment 327247 [details] [diff] [review]
v1

>+/*
>+* Support for 64 bit conversions where 'long long' not supported.
>+* (from John Fairhurst <mjf35@cam.ac.uk>)
>+*/

May as well fix comment style since it is moving enough not to show blame directly.

sr=me, although I think jst can r+sr with impunity ;-).

/be

Comment 6

[Jason Orendorff [:jorendorff]]

http://hg.mozilla.org/mozilla-central/rev/c898e650581d