[Webkit-unassigned] [Bug 261140] New: Array.splice can return `undefined` for `[].splice(0, 0)`;

Tue Sep 5 02:32:19 PDT 2023

https://bugs.webkit.org/show_bug.cgi?id=261140

            Bug ID: 261140
           Summary: Array.splice can return `undefined` for `[].splice(0,
                    0)`;
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Mac (Apple Silicon)
                OS: macOS 13
            Status: NEW
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: scythes.corms_0i at icloud.com

Created attachment 467550

  --> https://bugs.webkit.org/attachment.cgi?id=467550&action=review

repro file

Hello from the VS Code Team

We are running unit tests against various browsers and while trying to run them against Safari Tech Preview, Release 177 (Safari 17.0, WebKit 18617.1.4.3), we are encountering an issue that looks like a browser bug. It seems that Array.splice can return undefined instead of an empty array. I have created and attached a file that resembles our unit tests which should allow you to reproduce this. 

Steps:

* open Safari Tech Preview
* load the attached file
* notice how line 28 is reached, meaning Array.splice has returned undefined

Observations:

* this happens for the case of an empty array and index and deletion count being zero
* this doesn't happen when adding a breakpoint or the debugger statement hinting towards an issue with JIT
* this works fine in Safari 16.6

Excuses: 

* Sorry, for the large sample file. It's basically the one test that's failing and all its dependencies (sans tree shaking)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230905/8ff74156/attachment.htm>