[Webkit-unassigned] [Bug 100014] IndexedDB: Bounds check for IDBCursor.advance() incorrect

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 22 11:22:46 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=100014
--- Comment #2 from Joshua Bell <jsbell at chromium.org>  2012-10-22 11:23:48 PST ---
Hrm.... this actually gets tricky. The WebIDL in the spec for this is:

http://dvcs.w3.org/hg/IndexedDB/raw-file/tip/Overview.html#cursor

void advance ([EnforceRange] unsigned long count);

And WebIDL says:

http://dev.w3.org/2006/webapi/WebIDL/#es-unsigned-long

"If the conversion to an IDL value is being performed due to ... being passed as an operation argument annotated with the [EnforceRange] extended attribute ... then ... if x < 0 or x > 2^32 − 1, then throw a TypeError"

It would be 2^31-1 if it were a (signed) long. We actually have this marked as |long| in the WebKit IDL to avoid default handling of negative values since [EnforceRange] isn't implemented. Correct behavior of [EnforceRange] is in webkit.org/b/96798 which is blocked on a v8 bug. 

As it stands now, passing 2^32-1 actually fails with a TypeError as well, which is incorrect. This is because V8Binding.cpp's toInt32 conversion for out of bound values returns 0.

So I should probably flip the IDL back to "unsigned long", leave only the 0 test in the code, and add 2^31-1 (ok), 2^31 (ok), 2^32-1 (ok), and 2^32 (type error) as test cases.

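Added example in JavaScript, not WebKit's code: the WebIDL [EnforceRange] unsigned long conversion the comment quotes, the zero check advance() keeps after conversion, and a constructed model of a signed 32-bit conversion that returns 0 for out-of-bound values, run over the four boundary values the comment proposes as test cases. Function names and the model are assumptions, not WebKit's or V8's implementation.

```javascript
// Added example (not WebKit code): the WebIDL [EnforceRange] unsigned long
// conversion quoted in the comment, the zero check advance() keeps, and a
// constructed model of the truncating conversion the comment blames.
const UNSIGNED_LONG_MAX = 2 ** 32 - 1;

// WebIDL "unsigned long" with [EnforceRange]: ToNumber, reject NaN and the
// infinities, take the integer part, then reject anything outside
// [0, 2^32 - 1] with a TypeError (a plain "long" would use 2^31 - 1).
function enforceRangeUnsignedLong(value) {
  const x = Number(value);
  if (!Number.isFinite(x)) throw new TypeError("not a finite number");
  const n = Math.trunc(x);
  if (n < 0 || n > UNSIGNED_LONG_MAX) throw new TypeError("out of range");
  return n === 0 ? 0 : n; // normalise -0 to +0
}

// Constructed model (assumption) of a signed 32-bit conversion that returns
// 0 for any out-of-bound value: 2^32 - 1, a valid unsigned long, becomes 0.
function truncatingToInt32(value) {
  const n = Math.trunc(Number(value));
  return n < -(2 ** 31) || n > 2 ** 31 - 1 ? 0 : n;
}

// IDBCursor.advance(count): after the IDL conversion, the spec still rejects
// a count of zero. `convert` selects which conversion feeds the zero check.
function advanceCount(count, convert = enforceRangeUnsignedLong) {
  const n = convert(count);
  if (n === 0) throw new TypeError("count must be greater than zero");
  return n;
}

// Run the boundary values from the comment through advance() and report
// "ok" or the thrown error's name for each.
function classifyCases(convert = enforceRangeUnsignedLong) {
  const cases = [2 ** 31 - 1, 2 ** 31, 2 ** 32 - 1, 2 ** 32];
  const out = {};
  for (const c of cases) {
    try { advanceCount(c, convert); out[c] = "ok"; }
    catch (e) { out[c] = e.name; }
  }
  return out;
}

console.log("EnforceRange:", classifyCases());
console.log("toInt32 model:", classifyCases(truncatingToInt32));
```

With the spec conversion only 2^32 is rejected; with the zero-returning model, 2^32 - 1 collapses to 0 and fails the zero check, which is the incorrect TypeError the comment describes.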