| Summary: | Exception loading Google Wave in Safari 5 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | noel gordon <noel.gordon> | ||||
| Component: | WebCore JavaScript | Assignee: | Nobody <webkit-unassigned> | ||||
| Status: | RESOLVED DUPLICATE | ||||||
| Severity: | Normal | CC: | abarth, dan, dunhamsteve, eric, jgw, knorton, oliver | ||||
| Priority: | P1 | Keywords: | GoogleBug, InRadar | ||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | PC | ||||||
| OS: | OS X 10.5 | ||||||
| Attachments: |
|
||||||
|
Description
noel gordon
2010-06-09 00:16:10 PDT
Created attachment 58221 [details]
Test Case
This issue seems to only occur when Safari 5 is run in 32-bit mode. If you replace:
tmp = (tmp >> 1);
with
var tmp2 = (tmp >> 1);
tmp = tmp2;
the testcase passes.
If you instrument the original testcase with print statements, tmp.toString() is "3" before the shift operation and "3.0000000000000004" afterwards.
The following is a related, but slightly narrower form of the bug:
function merge(d,e,f) {
var h,i,j,k;
h = e - d;
if (h < 3) {
return
}
j = d + f;
i = e + f;
k = j + (i - j >> 1);
merge(j,k,-f);
merge(k,i,-f);
}
merge(0, 5, 0);
From the console, when you set a breakpoint in merge(2, 5, 0):
> i
5
> j
2
> (i - j)
3
> ((i - j) >> 1)
1
> j + ((i - j) >> 1)
5 <= WTF?!
Further reduced test case:
function test() {
var off = -0;
var tmp = 5 + off;
var tmp2 = (tmp >> 1);
tmp = tmp >> 1;
if (tmp != tmp2)
document.getElementById("result").innerHTML = "fail "+tmp+" != "+tmp2;
else
document.getElementById("result").innerHTML = "pass";
}
Gives:
fail 5.000000000000002 != 2
It looks like adding "-0" to an integer results in a value that will right shift correctly in some contexts but not in others. (Note that tmp2 holds the correct value, but tmp does not.)
|