I'm not a Javascript expert, but I think the issue isn't one of overflow, it's that the engine doesn't really store those ints with 64 bits of precision. Therefore, with high numbers, large == large+1; because there isn't enough precision to know the difference. Observe: -------------------------------------------------- <script language="javascript"> for (test=56; test<64; test++) { large = Math.pow(2,test); document.write('Starting with 2^'+test+' ('+large+')<br>'); for (n=0, i=0; n<5; n++) { while (large+i == large) i++; larger = large + i; document.write(large+' != '+larger+'<br>'); large = larger; } document.write('<br><br>'); } </script> -------------------------------------------------- Produces the following: -------------------------------------------------- Starting with 2^56 (72057594037927940) 72057594037927940 != 72057594037927950 72057594037927950 != 72057594037927970 72057594037927970 != 72057594037927980 72057594037927980 != 72057594037928000 72057594037928000 != 72057594037928010 Starting with 2^57 (144115188075855870) 144115188075855870 != 144115188075855900 144115188075855900 != 144115188075855940 144115188075855940 != 144115188075855970 144115188075855970 != 144115188075856000 144115188075856000 != 144115188075856030 Starting with 2^58 (288230376151711750) 288230376151711750 != 288230376151711800 288230376151711800 != 288230376151711900 288230376151711900 != 288230376151711930 288230376151711930 != 288230376151712000 288230376151712000 != 288230376151712060 Starting with 2^59 (576460752303423500) 576460752303423500 != 576460752303423600 576460752303423600 != 576460752303423700 576460752303423700 != 576460752303423900 576460752303423900 != 576460752303424000 576460752303424000 != 576460752303424100 Starting with 2^60 (1152921504606847000) 1152921504606847000 != 1152921504606847200 1152921504606847200 != 1152921504606847500 1152921504606847500 != 1152921504606847700 1152921504606847700 != 1152921504606848000 1152921504606848000 != 1152921504606848200 Starting with 2^61 (2305843009213694000) 2305843009213694000 != 2305843009213694500 2305843009213694500 != 2305843009213695000 2305843009213695000 != 2305843009213695500 2305843009213695500 != 2305843009213696000 2305843009213696000 != 2305843009213696500 Starting with 2^62 (4611686018427388000) 4611686018427388000 != 4611686018427389000 4611686018427389000 != 4611686018427390000 4611686018427390000 != 4611686018427391000 4611686018427391000 != 4611686018427392000 4611686018427392000 != 4611686018427393000 Starting with 2^63 (9223372036854776000) 9223372036854776000 != 9223372036854777000 9223372036854777000 != 9223372036854780000 9223372036854780000 != 9223372036854781000 9223372036854781000 != 9223372036854784000 9223372036854784000 != 9223372036854786000 -------------------------------------------------- This shows the resolution of the integer space at various value ranges. Cameron -----Original Message----- From: Berend-Jan Wever [mailto:SkyLinedat_private] Sent: Wednesday, May 14, 2003 4:00 PM To: vuln-devat_private Subject: Re: MSIE integer overflows Yes: -- i=32*256*256*256*256*256*256*256; a=i; b=i+1; alert(a+'=='+b+' evaluates to '+(a==b)); -- evaluates to true Berend-Jan Wever ----- Original Message ----- From: "xenophi1e" <oliver.laveryat_private> To: <vuln-devat_private> Sent: Wednesday, May 14, 2003 19:02 Subject: Re: MSIE integer overflows > In-Reply-To: <004e01c319fb$7ec41050$0100a8c0@grotedoos> > > > > >Not true: "++i" will increase i first and return the result of that > > >increased i where "i++" will return i and then increase it: > > >-- example.js -- > > >var i=1; > > >document.write(++i); // prints 2, i=2; > > >document.write(i++); // prints 2, i=3; > > >-- cut here -- > > > > > > > Yes, of course. > > > > Again, I'm talking about C here, simply because I don't know JS to > this > > level of detail. But... > > > > document.write((i==++i) + ' ' + (i==++i) + '<BR>'); > > > > Seems like ambiguous code that might rely on unspecified behaviours. > > Postincrement and preincrement are gotchas in C. For example the > > following code: > > > > i = 2; > > printf ("%d", i++ * i++); > > > > Often does not print 6 as you might think, but rather prints 4. The > > reason is that the postincrement operator increments the values before > > the next sequence point, not necessarily the next _operation_. > > > > I was just pointing out that using expressions like i == ++i s eems a > bit > > suspect. I'm not certain, but I believe a C compiler is free to do > both > > increments prior to the rest of the expression. It does seem like it > > should always be a tautology, though. > > > > Do you get the same results if you write the same code less > ambiguously? > > > > Cheers, > > ~ol >
This archive was generated by hypermail 2b30 : Fri May 16 2003 - 08:49:15 PDT