https://bugs.webkit.org/show_bug.cgi?id=99637

Reviewed by Tony Chang.

Source/WebCore:

The IndexedDB spec has [EnforceRange] specified on unsigned long and unsigned long long
arguments, which requires the implementation to throw TypeError for negative values or
values that exceed 2^53-1 (maximum JS number that behaves like an integer) - and 0 is
specifically forbidden by the APIs as well.

A more correct fix in the binding layer is in webkit.org/b/96798 but we can temporarily
address this in the implementation.

Also refactor to prevent IDBFactory.open(name, -1) from triggering an internal code path.

Tests: storage/indexeddb/cursor-advance.html
       storage/indexeddb/intversion-bad-parameters.html
       storage/indexeddb/intversion-encoding.html

* Modules/indexeddb/IDBCursor.cpp:
(WebCore::IDBCursor::advance): Validate argument range.
* Modules/indexeddb/IDBCursor.h:
(IDBCursor):
* Modules/indexeddb/IDBCursor.idl: Drop "unsigned" qualifier as the binding code is
not yet doing the correct validation.
* Modules/indexeddb/IDBFactory.cpp: Refactor to prevent open(name, -1)
(WebCore):
(WebCore::IDBFactory::open): Validate the int version here, then pass to...
(WebCore::IDBFactory::openInternal): ... this method.
* Modules/indexeddb/IDBFactory.h:
(IDBFactory):
* Modules/indexeddb/IDBFactory.idl: Drop "unsigned" qualifier; meaningless to binding
code right now, can be re-added once webkit.org/b/96798 lands.

LayoutTests:

Additional edge case tests and updated expectations.

* storage/indexeddb/cursor-advance-expected.txt:
* storage/indexeddb/intversion-bad-parameters-expected.txt:
* storage/indexeddb/intversion-encoding-expected.txt:
* storage/indexeddb/resources/cursor-advance.js:
(testBadAdvance.advanceBadly):
(testBadAdvance):
* storage/indexeddb/resources/intversion-bad-parameters.js:
(deleteSuccess):
* storage/indexeddb/resources/intversion-encoding.js:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131658 268f45cc-cd09-0410-ab3c-d52691b4dbfc