[Webkit-unassigned] [Bug 151354] New: Function Incorrectly Cached

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=151354

            Bug ID: 151354
           Summary: Function Incorrectly Cached
    Classification: Unclassified
           Product: WebKit
           Version: Safari 9
          Hardware: Macintosh
                OS: Mac OS X 10.11
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bnkuhn at gmail.com

Calling the following function many times can confuse Safari into caching the result (probably actually caching the compiled/optimized code for the function).

    function getOne(a) { return a['1']; }

This specific function is not the problem; it just represents the simplest case.  See the following live example:

    http://jsfiddle.net/60ygm4uk/15/

Steps to Reproduce:

    1) Call getOne({2: true}); many times (at least 36 times).
    2) Call getOne({1: true});

Expected Results:

    getOne({1: true}) should return true.

Actual Results:

    getOne({1: true}) returns undefined.

Severity:

    Causes bugs in major JavaScript libraries (i.e. Google Analytics).  Millions of sites potentially affected.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20151117/1e17561c/attachment-0001.html>