On Wed, May 14, 2003 at 11:30:44AM +0200, Berend-Jan Wever wrote:
> <snip>
> > That's a strange result, but are you sure it's actually meaningful? I
> > don't know Javascript to this level of detail, but I believe in C, at
> > least, the results of those expressions are undefined, since the compiler
> > would have no good reason to evaluate either of the prefix increments
> > first.
> Not true: "++i" will increase i first and return the result of that
> increased i where "i++" will return i and then increase it:

Actually, you misunderstood him. While ++i and i++ are distinct and
perfectly defined, "a = ++i + 2 * --i" isn't. As isn't
"printf("%d %d\n", ++i, i++)".

In the second example, what should the compiler execute first? ++i or i++?

I believe C standards advised against that and let it be an undefined
behaviour. I don't know about C99, nor javascript.

Regards,
Luciano Rocha

> -- example.js --
> var i=1;
> document.write(++i); // prints 2, i=2;
> document.write(i++); // prints 2, i=3;
> -- cut here --
>
> > <snip>
> > Well the javascript interpreter seems like a not-so-good place to look.
> > Really all these results say is that Javascript integers can overflow,
> > which is vacuously true. As long as the interpreter handles these
> > overflows sanely, they're completely benign (although the Javascript
> > containing them could very well be buggy). If you can find an overflow
> > in the interpreter itself, as opposed to the language it's interpreting,
> > then you would have something interesting.
> The interpreter is not handling them sanely, although I have not found
> anything security related that's wrong. The examples clearly show that
> the interpreter and some of the internal methods return unexpected
> behaviour. I tried the arrays first to see if I could read/overwrite any
> memory I would normally not have access to.
>
> > The 'undefined' result you got when pop()ing 'c' is a little strange,
> > though. Why did you get an undefined result after the array index had
> > already wrapped? If -2147483648 is a valid index, why isn't -2147483647?
> See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/ht
> ml/js56jsmthPop.asp
> (url wrapped)
> <quote>If the array is empty, undefined is returned.</quote>
> So somehow it's still popping the value but then it returns "undefined",
> meaning it thinks the array is empty. Btw. try a negative index on an array
> (like "i[-1]"): It doesn't work, it's NOT a valid index.
>
> > Cheers,
> > Berend-Jan Wever
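
Added example, not code from any poster in this thread: a JavaScript probe that records how an ECMAScript-conforming engine handles the expression and the array cases discussed above, usable as a regression check against an interpreter. The function names are hypothetical; the assumptions are that ECMAScript evaluates operands left to right and accepts array indices up to 2^32 - 2.

```javascript
// Added example: conformance probes for the questions raised in the thread.
// All function names are hypothetical, chosen for this illustration.

// 1. Operand order. Unlike C, ECMAScript evaluates the operands of a binary
//    operator left to right, so this expression has one legal result.
function evalOrderProbe() {
  let i = 1;
  const a = ++i + 2 * --i; // ++i yields 2 (i = 2), --i yields 1 (i = 1)
  return { a, i };
}

// 2. Array indices across the signed 32-bit boundary. A conforming engine
//    never wraps to a negative index and pop() returns the last element.
function arrayBoundaryProbe() {
  const arr = [];
  arr[2147483647] = 'b';            // 2^31 - 1, largest positive int32
  const lenAfterSet = arr.length;   // 2^31
  arr.push('c');                    // stored at index 2^31
  const lenAfterPush = arr.length;  // 2^31 + 1
  const hasNegativeKey = Object.keys(arr).some((k) => k.startsWith('-'));
  const popped = arr.pop();
  const lenAfterPop = arr.length;
  return { lenAfterSet, lenAfterPush, hasNegativeKey, popped, lenAfterPop };
}

// 3. A negative "index" is an ordinary property named "-1": it does not
//    change length and pop() never returns it.
function negativeIndexProbe() {
  const arr = ['x'];
  arr[-1] = 'y';
  const length = arr.length;
  const first = arr.pop();          // the only real element
  const afterEmpty = arr.pop();     // array is empty: undefined
  return { length, first, afterEmpty, leftover: arr[-1] };
}

console.log(evalOrderProbe(), arrayBoundaryProbe(), negativeIndexProbe());
```

An engine that reports a negative key, a wrapped length, or `undefined` from the first `pop()` in `arrayBoundaryProbe` is mishandling the index internally rather than following the language definition.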
This archive was generated by hypermail 2b30 : Thu May 15 2003 - 23:38:30 PDT