Bug 40355

Summary: Exception loading Google Wave in Safari 5
Product: WebKit Reporter: noel gordon <noel.gordon>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abarth, dan, dunhamsteve, eric, jgw, knorton, oliver
Priority: P1 Keywords: GoogleBug, InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
Test Case none

noel gordon
Reported 2010-06-09 00:16:10 PDT
Load Google Wave in Safari 5 (win32, and/or mac/osx 10.5), the javascript console reports: RangeError: Maximum call stack size exceeded. and Google Wave stops working. Test results/reduction attached OSX Firefox 3.6 OK OSX Safari 4.0.4 OK OSX Chrome 5.0.375 OK OSX Safari 5.0 FAIL
Attachments
Test Case (579 bytes, text/html)
2010-06-09 01:09 PDT, noel gordon 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
noel gordon
Comment 1 2010-06-09 01:09:54 PDT
Created attachment 58221 [details] Test Case
Gavin Barraclough
Comment 2 2010-06-09 13:43:38 PDT
<rdar://problem/8076614>
Steve Dunham
Comment 3 2010-06-09 14:34:37 PDT
This issue seems to only occur when Safari 5 is run in 32-bit mode.
Steve Dunham
Comment 4 2010-06-09 16:04:55 PDT
If you replace: tmp = (tmp >> 1); with var tmp2 = (tmp >> 1); tmp = tmp2; the testcase passes. If you instrument the original testcase with print statements, tmp.toString() is "3" before the shift operation and "3.0000000000000004" afterwards.
Joel Webber
Comment 5 2010-06-09 16:36:25 PDT
The following is a related, but slightly narrower form of the bug: function merge(d,e,f) { var h,i,j,k; h = e - d; if (h < 3) { return } j = d + f; i = e + f; k = j + (i - j >> 1); merge(j,k,-f); merge(k,i,-f); } merge(0, 5, 0); From the console, when you set a breakpoint in merge(2, 5, 0): > i 5 > j 2 > (i - j) 3 > ((i - j) >> 1) 1 > j + ((i - j) >> 1) 5 <= WTF?!
Steve Dunham
Comment 6 2010-06-11 08:56:41 PDT
Further reduced test case: function test() { var off = -0; var tmp = 5 + off; var tmp2 = (tmp >> 1); tmp = tmp >> 1; if (tmp != tmp2) document.getElementById("result").innerHTML = "fail "+tmp+" != "+tmp2; else document.getElementById("result").innerHTML = "pass"; } Gives: fail 5.000000000000002 != 2 It looks like adding "-0" to an integer results in a value that will right shift correctly in some contexts but not in others. (Note that tmp2 holds the correct value, but tmp does not.)
Oliver Hunt
Comment 7 2010-06-11 09:42:56 PDT
*** This bug has been marked as a duplicate of bug 40367 ***
Note You need to log in before you can comment on or make changes to this bug.