170264 2017-03-29 18:05:14 -0700 REGRESSION (Safari 10.1): Inserting elements into arrays fails when array contains very large numbers 2017-04-11 06:24:13 -0700 1 1 1 Unclassified WebKit JavaScriptCore Safari 10 Mac macOS 10.12 RESOLVED FIXED InRadar P2 Normal --- 1 calvinlough saam ap fpizlo gskachkov jonah M8ch88l minichate+webkit msaboff saam webkit-bug-importer oldest_to_newest 1292658 0 calvinlough 2017-03-29 18:05:14 -0700 The following code doesn't behave as expected on the latest version of Safari (10.1+) and on the WebKit nightly builds: var arr = [0, 2147483648]; // NOTE: the second number is greater than a signed 32bit int arr.shift(); // remove the first element so arr is [2147483648] arr[1] = 1; // Safari fails to add the new element and the array is unchanged On all other browsers and Safari 10.0, arr is [2147483648, 1]. On Safari 10.1 and newer, arr is [2147483648]. The above code works fine if the numbers in the array are less than 2147483648. 1293227 1 webkit-bug-importer 2017-03-31 11:57:42 -0700 <rdar://problem/31375593> 1293909 2 msaboff 2017-04-03 17:06:54 -0700 This is fixed with change set r214714 <https://trac.webkit.org/changeset/214714> and is a duplicate of <https://bugs.webkit.org/show_bug.cgi?id=164412> *** This bug has been marked as a duplicate of bug 164412 *** 1294012 3 M8ch88l 2017-04-04 03:03:26 -0700 Is this really a duplicate just because the fix of bug 164412 fixes this also. This was an appalling bug which demonstrates the inadequacy of the test suite. 1294013 4 saam 2017-04-04 03:25:58 -0700 (In reply to MikeM from comment #3) > Is this really a duplicate just because the fix of bug 164412 fixes this > also. Yes this is really the same bug. Note that a number larger than INT_MAX is stored using double representation. > > This was an appalling bug which demonstrates the inadequacy of the test > suite. WebKit is an open source project. You're more than welcome to add tests to help make the software better. 1294024 5 M8ch88l 2017-04-04 04:59:46 -0700 This should be marked as P1 as it's a serious security issue. For example, crypto libraries must be considered broken. Safari needs to release an immediate fix, surely. 1294072 6 ap 2017-04-04 10:57:16 -0700 That would be a serious issue indeed. Do you have examples of broken websites or apps? 1294126 7 M8ch88l 2017-04-04 13:02:52 -0700 Well, it breaks my bignumber library which is downloaded from npm by about a million users a month. https://github.com/MikeMcl/bignumber.js/issues/120 https://www.npmjs.com/package/bignumber.js 1294160 8 saam 2017-04-04 14:10:26 -0700 gonna add this as a test. 1294164 9 306199 saam 2017-04-04 14:13:23 -0700 Created attachment 306199 patch for test 1294168 10 306201 saam 2017-04-04 14:15:43 -0700 Created attachment 306201 patch with test 1294697 11 jonah 2017-04-05 16:20:50 -0700 We also ran into this as users of https://www.npmjs.com/package/bignumber.js This was painful to debug as the tab loading the library would hang with both the page content and developer tools becoming unresponsive so tracking down the source of the problem was not easy. This mode of failure is also a complete blocker for any end user of the site in question. Rather than just encountering javascript errors any invocation of this behavior renders the entire page unusable. As one consumer of bignumber.js we're temporarily disabling features to protect 10^5 users/month from being unable to use our product. 1294706 12 msaboff 2017-04-05 16:34:27 -0700 Landed a test similar to what Saam posted with the exception that it loops to tier up. This test landed change set r214977 <https://trac.webkit.org/changeset/214977/webkit> 306199 2017-04-04 14:13:23 -0700 2017-04-04 14:15:43 -0700 patch for test b-backup.diff text/plain 1379 saam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyMTQ4OTYpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDE0IEBACisyMDE3LTA0LTA0ICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUu Y29tPgorCisgICAgICAgIFJFR1JFU1NJT04gKFNhZmFyaSAxMC4xKTogSW5zZXJ0aW5nIGVsZW1l bnRzIGludG8gYXJyYXlzIGZhaWxzIHdoZW4gYXJyYXkgY29udGFpbnMgdmVyeSBsYXJnZSBudW1i ZXJzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNzAy NjQKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMxMzc1NTkzPgorCisgICAgICAgIFJldmlld2Vk IGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogc3RyZXNzL2RvdWJsZS1hcnJheS10by1h cnJheS1zdG9yYWdlLmpzOiBBZGRlZC4KKyAgICAgICAgKGFzc2VydCk6CisKIDIwMTctMDQtMDMg IE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgogCiAgICAgICAgIEZpeCBpbmNvcnJlY3Qg Y2FwYWNpdHkgZGVsdGEgY2FsY3VsYXRpb24gcmVwb3J0ZWQgaW4gU3BhcnNlQXJyYXlWYWx1ZU1h cDo6YWRkKCkuCkluZGV4OiBKU1Rlc3RzL3N0cmVzcy9kb3VibGUtYXJyYXktdG8tYXJyYXktc3Rv cmFnZS5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBKU1Rlc3RzL3N0cmVzcy9kb3VibGUtYXJyYXktdG8tYXJy YXktc3RvcmFnZS5qcwkobm9uZXhpc3RlbnQpCisrKyBKU1Rlc3RzL3N0cmVzcy9kb3VibGUtYXJy YXktdG8tYXJyYXktc3RvcmFnZS5qcwkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDE4IEBACisi dXNlIHN0cmljdCI7CisKK2Z1bmN0aW9uIGFzc2VydChiKSB7CisgICAgaWYgKCFiKQorICAgICAg ICB0aHJvdyBuZXcgRXJyb3I7Cit9CisKK2xldCBhcnIgPSBbMCwgMjE0NzQ4MzY0OF07IC8vIE5P VEU6IHRoZSBzZWNvbmQgbnVtYmVyIGlzIGdyZWF0ZXIgdGhhbiBJTlRfTUFYCithc3NlcnQoYXJy Lmxlbmd0aCA9PT0gMik7Cithc3NlcnQoYXJyWzBdID09PSAwKTsKK2Fzc2VydChhcnJbMV0gPT09 IDIxNDc0ODM2NDgpOworYXJyLnNoaWZ0KCk7Cithc3NlcnQoYXJyLmxlbmd0aCA9PT0gMSk7Cith c3NlcnQoYXJyWzBdID09PSAyMTQ3NDgzNjQ4KTsKK2FyclsxXSA9IDE7Cithc3NlcnQoYXJyLmxl bmd0aCA9PT0gMik7Cithc3NlcnQoYXJyWzBdID09PSAyMTQ3NDgzNjQ4KTsKK2Fzc2VydChhcnJb MV0gPT09IDEpOwo= 306201 2017-04-04 14:15:43 -0700 2017-04-05 16:32:14 -0700 patch with test b-backup.diff text/plain 1514 saam SW5kZXg6IEpTVGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIEpTVGVzdHMvQ2hhbmdlTG9n CShyZXZpc2lvbiAyMTQ4OTYpCisrKyBKU1Rlc3RzL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpA QCAtMSwzICsxLDE3IEBACisyMDE3LTA0LTA0ICBTYWFtIEJhcmF0aSAgPHNiYXJhdGlAYXBwbGUu Y29tPgorCisgICAgICAgIFJFR1JFU1NJT04gKFNhZmFyaSAxMC4xKTogSW5zZXJ0aW5nIGVsZW1l bnRzIGludG8gYXJyYXlzIGZhaWxzIHdoZW4gYXJyYXkgY29udGFpbnMgdmVyeSBsYXJnZSBudW1i ZXJzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNzAy NjQKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMxMzc1NTkzPgorCisgICAgICAgIFJldmlld2Vk IGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoZSBvcmlnaW5hbCBidWcgd2FzIGZpeGVk IGluOiBodHRwczovL3RyYWMud2Via2l0Lm9yZy9jaGFuZ2VzZXQvMjE0NzE0CisgICAgICAgIEkn bSBqdXN0IGFkZGluZyB0aGUgdGVzdCBmb3IgZ29vZCBtZWFzdXJlLgorCisgICAgICAgICogc3Ry ZXNzL2RvdWJsZS1hcnJheS10by1hcnJheS1zdG9yYWdlLmpzOiBBZGRlZC4KKyAgICAgICAgKGFz c2VydCk6CisKIDIwMTctMDQtMDMgIE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgogCiAg ICAgICAgIEZpeCBpbmNvcnJlY3QgY2FwYWNpdHkgZGVsdGEgY2FsY3VsYXRpb24gcmVwb3J0ZWQg aW4gU3BhcnNlQXJyYXlWYWx1ZU1hcDo6YWRkKCkuCkluZGV4OiBKU1Rlc3RzL3N0cmVzcy9kb3Vi bGUtYXJyYXktdG8tYXJyYXktc3RvcmFnZS5qcwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKU1Rlc3RzL3N0cmVz cy9kb3VibGUtYXJyYXktdG8tYXJyYXktc3RvcmFnZS5qcwkobm9uZXhpc3RlbnQpCisrKyBKU1Rl c3RzL3N0cmVzcy9kb3VibGUtYXJyYXktdG8tYXJyYXktc3RvcmFnZS5qcwkod29ya2luZyBjb3B5 KQpAQCAtMCwwICsxLDE4IEBACisidXNlIHN0cmljdCI7CisKK2Z1bmN0aW9uIGFzc2VydChiKSB7 CisgICAgaWYgKCFiKQorICAgICAgICB0aHJvdyBuZXcgRXJyb3I7Cit9CisKK2xldCBhcnIgPSBb MCwgMjE0NzQ4MzY0OF07IC8vIE5PVEU6IHRoZSBzZWNvbmQgbnVtYmVyIGlzIGdyZWF0ZXIgdGhh biBJTlRfTUFYCithc3NlcnQoYXJyLmxlbmd0aCA9PT0gMik7Cithc3NlcnQoYXJyWzBdID09PSAw KTsKK2Fzc2VydChhcnJbMV0gPT09IDIxNDc0ODM2NDgpOworYXJyLnNoaWZ0KCk7Cithc3NlcnQo YXJyLmxlbmd0aCA9PT0gMSk7Cithc3NlcnQoYXJyWzBdID09PSAyMTQ3NDgzNjQ4KTsKK2Fyclsx XSA9IDE7Cithc3NlcnQoYXJyLmxlbmd0aCA9PT0gMik7Cithc3NlcnQoYXJyWzBdID09PSAyMTQ3 NDgzNjQ4KTsKK2Fzc2VydChhcnJbMV0gPT09IDEpOwo=