[webkit-reviews] review granted: [Bug 211205] We can't cast toLength result to unsigned : [Attachment 398122] patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 30 16:47:18 PDT 2020


Yusuke Suzuki <ysuzuki at apple.com> has granted Saam Barati <sbarati at apple.com>'s
request for review:
Bug 211205: We can't cast toLength result to unsigned
https://bugs.webkit.org/show_bug.cgi?id=211205

Attachment 398122: patch

https://bugs.webkit.org/attachment.cgi?id=398122&action=review




--- Comment #6 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 398122
  --> https://bugs.webkit.org/attachment.cgi?id=398122
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=398122&action=review

r=me. Please ensure that performance is neutral.

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:930
> +	   if (LIKELY(length + n <= std::numeric_limits<uint32_t>::max()))
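
Review bot: `length + n` on this line is only a meaningful guard if the addition is carried out in a type wider than 32 bits. The operand types are not visible in the quoted hunk; if both were 32-bit, the sum would wrap before the comparison and the branch would always be taken. Confirm that both operands are 64-bit at this point, or add a short comment saying so.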

Since maximum-array-index is not UINT32_MAX (MAX_ARRAY_INDEX is UINT32_MAX -
1), should we check `length + n <= MAX_ARRAY_INDEX` instead?

> Source/JavaScriptCore/runtime/JSObject.cpp:1963
> +    if (LIKELY(propertyName <= std::numeric_limits<unsigned>::max()))
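
Review bot: the bound on this line is `std::numeric_limits<unsigned>::max()`, while the other quoted checks use `std::numeric_limits<uint32_t>::max()`. Use `uint32_t` here as well so the limit is stated in terms of the index width rather than the platform's `unsigned`.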

Ditto.

> Source/JavaScriptCore/runtime/JSObject.h:214
> +	   if (LIKELY(propertyName <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObject.h:262
> +	   if (LIKELY(propertyName <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObject.h:312
> +	   if (LIKELY(i <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObject.h:380
> +	   if (LIKELY(i <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObjectInlines.h:154
> +    if (LIKELY(propertyName <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObjectInlines.h:558
> +    if (LIKELY(propertyName <= std::numeric_limits<uint32_t>::max()))

Ditto.

> Source/JavaScriptCore/runtime/JSObjectInlines.h:566
> +    if (LIKELY(propertyName <= std::numeric_limits<uint32_t>::max()))

Ditto.

