RESOLVED FIXED170264
REGRESSION (Safari 10.1): Inserting elements into arrays fails when array contains very large numbers 
https://bugs.webkit.org/show_bug.cgi?id=170264
Summary REGRESSION (Safari 10.1): Inserting elements into arrays fails when array con...
calvinlough
Reported 2017-03-29 18:05:14 PDT
The following code doesn't behave as expected on the latest version of Safari (10.1+) and on the WebKit nightly builds: var arr = [0, 2147483648]; // NOTE: the second number is greater than a signed 32bit int arr.shift(); // remove the first element so arr is [2147483648] arr[1] = 1; // Safari fails to add the new element and the array is unchanged On all other browsers and Safari 10.0, arr is [2147483648, 1]. On Safari 10.1 and newer, arr is [2147483648]. The above code works fine if the numbers in the array are less than 2147483648.
Attachments
patch for test (1.35 KB, patch)
2017-04-04 14:13 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch with test (1.48 KB, patch)
2017-04-04 14:15 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-03-31 11:57:42 PDT
<rdar://problem/31375593>
Michael Saboff
Comment 2 2017-04-03 17:06:54 PDT
This is fixed with change set r214714 <https://trac.webkit.org/changeset/214714> and is a duplicate of <https://bugs.webkit.org/show_bug.cgi?id=164412> *** This bug has been marked as a duplicate of bug 164412 ***
MikeM
Comment 3 2017-04-04 03:03:26 PDT
Is this really a duplicate just because the fix of bug 164412 fixes this also. This was an appalling bug which demonstrates the inadequacy of the test suite.
Saam Barati
Comment 4 2017-04-04 03:25:58 PDT
(In reply to MikeM from comment #3) > Is this really a duplicate just because the fix of bug 164412 fixes this > also. Yes this is really the same bug. Note that a number larger than INT_MAX is stored using double representation. > > This was an appalling bug which demonstrates the inadequacy of the test > suite. WebKit is an open source project. You're more than welcome to add tests to help make the software better.
MikeM
Comment 5 2017-04-04 04:59:46 PDT
This should be marked as P1 as it's a serious security issue. For example, crypto libraries must be considered broken. Safari needs to release an immediate fix, surely.
Alexey Proskuryakov
Comment 6 2017-04-04 10:57:16 PDT
That would be a serious issue indeed. Do you have examples of broken websites or apps?
MikeM
Comment 7 2017-04-04 13:02:52 PDT
Well, it breaks my bignumber library which is downloaded from npm by about a million users a month. https://github.com/MikeMcl/bignumber.js/issues/120 https://www.npmjs.com/package/bignumber.js
Saam Barati
Comment 8 2017-04-04 14:10:26 PDT
gonna add this as a test.
Saam Barati
Comment 9 2017-04-04 14:13:23 PDT
Created attachment 306199 [details] patch for test
Saam Barati
Comment 10 2017-04-04 14:15:43 PDT
Created attachment 306201 [details] patch with test
jonah
Comment 11 2017-04-05 16:20:50 PDT
We also ran into this as users of https://www.npmjs.com/package/bignumber.js This was painful to debug as the tab loading the library would hang with both the page content and developer tools becoming unresponsive so tracking down the source of the problem was not easy. This mode of failure is also a complete blocker for any end user of the site in question. Rather than just encountering javascript errors any invocation of this behavior renders the entire page unusable. As one consumer of bignumber.js we're temporarily disabling features to protect 10^5 users/month from being unable to use our product.
Michael Saboff
Comment 12 2017-04-05 16:34:27 PDT
Landed a test similar to what Saam posted with the exception that it loops to tier up. This test landed change set r214977 <https://trac.webkit.org/changeset/214977/webkit>
Note You need to log in before you can comment on or make changes to this bug.