[Webkit-unassigned] [Bug 86733] New: Setting array index -1 and looping over array causes bad behavior

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 17 07:51:02 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=86733

           Summary: Setting array index -1 and looping over array causes
                    bad behavior
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://stackoverflow.com/questions/10629083/unexplaine
                    d-behavior-in-safari-with-negative-array-indices
        OS/Version: Mac OS X 10.7
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: gavin at phrogz.net


Steps to reproduce:

1) Open a page with the following code on Safari 5.1.7 on OS X
   (Or use this link: http://jsfiddle.net/TzCm9/)

   <label>p: <input id="p" size="3"></label>
   <script type="text/javascript">
     var p = document.getElementById('p');
     p.onkeyup = function(){
       var a = "10 20 30 40".split(/\s+/);
       foo(a, p.value*1);
     } 

     function foo(a,p){
       var count=a.length, i=0, x;
       if (p) a[i=-1]=p;
       while (i<10000) x = a[i++ % count];
       console.dir(a);
     }
     </script>

2) Open the Developer Console
3) Focus the input and type <1><Backspace><2>
4) Expand console output for the arrays.

EXPECTED OUTPUT:
a) The first and third arrays displayed should have a property named "-1" with values "1" and "2" (respectively)
b) Safari is stable

ACTUAL OUTPUT:
a) The first array has a "-1" property displayed.
   The third array has a property "4294967295" displayed (but a `length` of 4).
b) Occasionally continuing to interact with the page causes the docked Developer Tools window to disappear, and/or all tabs in Safari to become non-responsive. (Hence the "Critical" severity.)

NOTES:
This bug does not reproduce on Safari 5.1.7 on Windows 7.
This bug does not reproduce on Chrome or Firefox on OS X.
This bug does not reproduce if you delete the `while` loop.


See additional discussion, including a screenshot of the console, here:
http://stackoverflow.com/questions/10629083/unexplained-behavior-in-safari-with-negative-array-indices

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list