Closed
Bug 603551
Opened 14 years ago
Closed 12 years ago
XPC wrappers seem to treat uint as int
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WONTFIX
Tracking | Status | |
---|---|---|
status1.9.2 | --- | ? |
People
(Reporter: Honza, Assigned: Waldo)
Details
This bug was originally reported as Firebug issue here: http://www.google.com/url?sa=D&q=http://code.google.com/p/fbug/issues/detail%3Fid%3D3503&usg=AFQjCNFOdui98Mdxga4gKSNt9pc8-rN9rA The problem: If I create a big array on a page: var a = [] a.length = 3000000000; an access its length field from chrome as: win.a.length it returns: -1294967296 But, the maximum length allowed for an array is 4,294,967,295 --- STR: Run this on a web page: var a = []; a.length = 3000000000; var w = new XPCSafeJSObjectWrapper(a); alert("w: " + w.length + ", a: " + a.length + ", same: " + (w.length == a.length)); // Expected: w: 3000000000, a: 3000000000, same: true // Actual: w: -1294967296, a: 3000000000, same: false tested with Firefox 3.6 Works in Firefox 4.0b7pre Honza
Comment 1•14 years ago
|
||
This is a JS engine bug. XPConnect just does a property get (which is NOT what JSOP_LENGTH does by default, apparently), and array_getProperty has this wonderful code: 771 if (id == ATOM_TO_JSID(cx->runtime->atomState.lengthAtom)) 772 return IndexToValue(cx, obj->fslots[JSSLOT_ARRAY_LENGTH], vp); Now IndexToValue takes a double; obj->fslots is a jsval*, and jsval is a signed integer typedef. So the promotion to double happens from the signed integer representation. So xpconnect is just handed the wrong value. If we want to change the behavior here on 1.9.2 branch, we just need a cast here. Do we want such a behavior change?
Assignee: nobody → general
Component: XPConnect → JavaScript Engine
QA Contact: xpconnect → general
Updated•14 years ago
|
status1.9.2:
--- → ?
Updated•14 years ago
|
Assignee: general → jwalden+bmo
Comment 2•14 years ago
|
||
Is this bug present on trunk as well?
Assignee | ||
Comment 4•14 years ago
|
||
(In reply to comment #1) > If we want to change the behavior here on 1.9.2 branch, we just need a cast > here. Do we want such a behavior change? I think so, yes. It seems unlikely anyone's depending on this bug, so I don't see a reason to not fix it, especially if someone in the wild and woolly world of the web has actually stumbled across it.
Status: NEW → ASSIGNED
OS: Windows Vista → Windows 2000
Comment 5•14 years ago
|
||
(In reply to comment #3) > No (comment 0 does say that). This is pre-js::Value only. Sorry, read those as Firebug versions for some reason.
Assignee | ||
Comment 6•14 years ago
|
||
I have the patch for this. I think. For whatever reason, I keep hitting a build error when I try to actually test out the patch: ../../gfx/ots/src/libmozots.a(ots.o): In function `(anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, ots::OTSStream*, unsigned char const*, unsigned long, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&)': /home/jwalden/moz/192/gfx/ots/src/ots.cc:434: undefined reference to `MOZ_Z_uncompress' /usr/bin/ld: libxul.so: hidden symbol `MOZ_Z_deflateInit_' isn't defined /usr/bin/ld: final link failed: Nonrepresentable section on output collect2: ld returned 1 exit status make[4]: *** [libxul.so] Error 1 Looks like custom-zlib symbols aren't being macro-overwritten properly. Or something. Not sure what's up, hoping someone on IRC (or perhaps here) can prescribe a cure, if I don't end up figuring it out...
Comment 7•12 years ago
|
||
I guess this is wontfix at this point, if it's fixed from Gk2 onward.
Comment 8•12 years ago
|
||
Tested this right now on Firefox 17.0 and it returns the expected number 3000000000. So it looks like this issue got fixed earlier. Sebastian
Comment 9•12 years ago
|
||
Yes, comment 0 said that. This bug was all about Firefox 3.6 only. WONTFIX, clearly. ;)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•