Bug 133577

Summary: In a certain app state, Array.prototype.filter() returns incorrect results
Product: WebKit Reporter: Ryan Grove <ryan>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, mathias, msaboff, oliver
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.9   
URL: http://jsbin.com/potewaye/13/edit?js,console
Attachments:
Description Flags
Array.prototype.filter() bug test case
none
Patch
none
Patch with updated test from comment oliver: review+

Ryan Grove
Reported 2014-06-06 09:59:19 PDT
Created attachment 232618 [details] Array.prototype.filter() bug test case The Router component in the YUI JS library somehow induces a certain state that temporarily causes Array.prototype.filter() to return incorrect results (an empty array instead of a correctly filtered array). I've been unable to track down the precise cause of this state, but it's at least consistently reproducible using the attached test case, which is also visible at http://jsbin.com/potewaye/13/edit?js,console The test succeeds in all browsers except Safari 8 on OS X Yosemite and recent WebKit nightlies (I tested 9537.76.4, r169635). I don't think the problem lies with YUI, since YUI's router has been in wide production use for several years and this problem only surfaced in these brand new WebKit builds. http://www.smugmug.com/ is one production website affected by this bug, but there are many others using the YUI Router, including various Yahoo sites. Steps to Reproduce: 1. Run the attached test case. Expected Results: Three separate arrays should be logged to the console demonstrating that Array.prototype.filter() is working properly: ["started"], ["finished"], and ["foo"]. Actual Results: In Safari 8 and WebKit 9537.76.4, r169635, the logged arrays are ["started"], ["finished"], and [], and you'll see the error message "Array.prototype.filter() failed!" indicating that Array.prototype.filter() returned incorrect results when run inside a YUI router callback. I also filed this as rdar://17186034
Attachments
Array.prototype.filter() bug test case (1.22 KB, text/html)
2014-06-06 09:59 PDT, Ryan Grove 		no flags
Details
Patch (6.36 KB, patch)
2014-06-09 18:51 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Patch with updated test from comment (6.44 KB, patch)
2014-06-10 10:53 PDT, Michael Saboff 		oliver: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Benjamin Poulain
Comment 1 2014-06-06 14:45:44 PDT
<rdar://problem/17186034>
Michael Saboff
Comment 2 2014-06-09 10:31:59 PDT
Original radar - <rdar://problem/17019752>
Michael Saboff
Comment 3 2014-06-09 18:51:20 PDT
Created attachment 232757 [details] Patch
Oliver Hunt
Comment 4 2014-06-09 21:17:13 PDT
Comment on attachment 232757 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=232757&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1714 > + bieq ArrayStorage::m_vector + TagOffset[t0, t3, 8], EmptyValueTag, .opPutByValArrayStorageEmpty Could you add a test to make sure that we don't call setters or anything when doing a put by val direct on a hole?
Michael Saboff
Comment 5 2014-06-10 10:53:29 PDT
Created attachment 232796 [details] Patch with updated test from comment
Michael Saboff
Comment 6 2014-06-10 10:58:37 PDT
Committed r169751: <http://trac.webkit.org/changeset/169751>
Geoffrey Garen
Comment 7 2014-06-10 11:00:16 PDT
Comment on attachment 232796 [details] Patch with updated test from comment r=me
Note You need to log in before you can comment on or make changes to this bug.