Load Google Wave in Safari 5 (win32, and/or mac/osx 10.5), the JavaScript console reports:

    RangeError: Maximum call stack size exceeded.

and Google Wave stops working.

Test results/reduction attached

    OSX Firefox 3.6     OK
    OSX Safari 4.0.4    OK
    OSX Chrome 5.0.375  OK
    OSX Safari 5.0      FAIL
Created attachment 58221 Test Case
<rdar://problem/8076614>
This issue seems to only occur when Safari 5 is run in 32-bit mode.
If you replace:

    tmp = (tmp >> 1);

with

    var tmp2 = (tmp >> 1);
    tmp = tmp2;

the testcase passes. If you instrument the original testcase with print statements, tmp.toString() is "3" before the shift operation and "3.0000000000000004" afterwards.
The following is a related, but slightly narrower form of the bug:

    function merge(d,e,f) {
        var h,i,j,k;
        h = e - d;
        if (h < 3) {
            return
        }
        j = d + f;
        i = e + f;
        k = j + (i - j >> 1);
        merge(j,k,-f);
        merge(k,i,-f);
    }
    merge(0, 5, 0);

From the console, when you set a breakpoint in merge(2, 5, 0):

    > i
    5
    > j
    2
    > (i - j)
    3
    > ((i - j) >> 1)
    1
    > j + ((i - j) >> 1)
    5   <= WTF?!
Further reduced test case:

    function test() {
        var off = -0;
        var tmp = 5 + off;
        var tmp2 = (tmp >> 1);
        tmp = tmp >> 1;
        if (tmp != tmp2)
            document.getElementById("result").innerHTML = "fail "+tmp+" != "+tmp2;
        else
            document.getElementById("result").innerHTML = "pass";
    }

Gives:

    fail 5.000000000000002 != 2

It looks like adding "-0" to an integer results in a value that will right shift correctly in some contexts but not in others. (Note that tmp2 holds the correct value, but tmp does not.)
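
The pattern from the reduced testcases above, as an added regression check that is not part of the original report: it runs without a DOM, compares both shift forms against a Math.floor reference, and wraps the merge() recursion in a depth guard. The function names, iteration count and depth limit are assumptions.

```javascript
// Added example: DOM-free regression check for the pattern in this report.
// Function names, loop counts and the depth limit are assumptions.

// Shift a value in the two ways the report compares:
// back into the same variable, and into a fresh variable.
function shiftBothWays(base, off) {
  var tmp = base + off;      // off may be -0, as in the reduced testcase
  var tmp2 = (tmp >> 1);     // fresh variable: reported as correct
  tmp = tmp >> 1;            // same variable: reported as wrong
  return { inPlace: tmp, fresh: tmp2 };
}

// Returns a list of mismatches; empty means the engine behaves correctly.
function checkShift(iterations) {
  var failures = [];
  var offsets = [0, -0];
  for (var n = 0; n < iterations; n++) {   // repeat so JIT-compiled code is exercised
    for (var base = 0; base < 64; base++) {
      for (var k = 0; k < offsets.length; k++) {
        var r = shiftBothWays(base, offsets[k]);
        var expected = Math.floor(base / 2);  // reference result, no shift operator
        if (r.inPlace !== expected || r.fresh !== expected) {
          failures.push({ base: base, negZero: 1 / offsets[k] < 0,
                          got: r, expected: expected });
        }
      }
    }
  }
  return failures;
}

// The merge() recursion from the report, with a depth guard so a wrong
// midpoint is returned as Infinity instead of exhausting the call stack.
function mergeDepth(d, e, f, depth, limit) {
  if (depth > limit) return Infinity;
  if (e - d < 3) return depth;
  var j = d + f;
  var i = e + f;
  var k = j + (i - j >> 1);
  return Math.max(mergeDepth(j, k, -f, depth + 1, limit),
                  mergeDepth(k, i, -f, depth + 1, limit));
}
```

On a correct engine checkShift returns an empty list and mergeDepth(0, 5, 0, 0, 100) returns 2; a non-empty list or Infinity reproduces the behaviour described in this report.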
*** This bug has been marked as a duplicate of bug 40367 ***