Re: MSIE integer overflows

[xenophi1e <oliver.lavery () sympatico ca>]

In-Reply-To: <000501c31800$c924bac0$0100a8c0@grotedoos>

> I've been testing MSIE for integer overflows in the DOM and jscript. I've
> found quite a few in one night testing. Nothing serious (yet) but since 
>
> A few examples of buggy jscript:
> Integers seem to be 62 bit long:
>    var i = 32*256*256 * 256*256*256*256-1;
>    document.write((i==++i) + ' ' + (i==++i) + '<BR>');
> prints:
> false true

That's a strange result, but are you sure it's actually meaningful? I 
don't know Javascript to this level of detial, but I belive in C, at 
least, the results of those expressions are undefined, since the compiler 
would have no good reason to evaluate either of the prefix increments 
first. 

> But array functions run into problems around 32 bits:
>
> I've been trying to think where I can find an integer that will cause
> troubles if it overflows, but I have not found anything... anybody got 

Well the javascript interpreter seems like a not-so-good place to look. 
Really all these results say is that Javascript integers can overflow, 
which is vacuously true. As long as the interpreter handles these 
overflows sanely, they're completely benign (although the Javascript 
containging them could very well be buggy). If you can find an overflow 
in the interpreter itself, as opposed to the language it's interpreting, 
then you would have something interesting.

The 'undefined' result you got when pop()ing 'c' is a little strange, 
though. Why did you get an undefined result after the array index had 
already wrapped? If -2147483648 is a valid index, why isn't -2147483647? 

Cheers,
~ol