Created attachment 58221 [details] Test Case

<rdar://problem/8076614>

This issue seems to only occur when Safari 5 is run in 32-bit mode.

If you replace: tmp = (tmp >> 1); with var tmp2 = (tmp >> 1); tmp = tmp2; the testcase passes. If you instrument the original testcase with print statements, tmp.toString() is "3" before the shift operation and "3.0000000000000004" afterwards.

The following is a related, but slightly narrower form of the bug: function merge(d,e,f) { var h,i,j,k; h = e - d; if (h < 3) { return } j = d + f; i = e + f; k = j + (i - j >> 1); merge(j,k,-f); merge(k,i,-f); } merge(0, 5, 0); From the console, when you set a breakpoint in merge(2, 5, 0): > i 5 > j 2 > (i - j) 3 > ((i - j) >> 1) 1 > j + ((i - j) >> 1) 5 <= WTF?!

Further reduced test case: function test() { var off = -0; var tmp = 5 + off; var tmp2 = (tmp >> 1); tmp = tmp >> 1; if (tmp != tmp2) document.getElementById("result").innerHTML = "fail "+tmp+" != "+tmp2; else document.getElementById("result").innerHTML = "pass"; } Gives: fail 5.000000000000002 != 2 It looks like adding "-0" to an integer results in a value that will right shift correctly in some contexts but not in others. (Note that tmp2 holds the correct value, but tmp does not.)

*** This bug has been marked as a duplicate of bug 40367 ***