Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 0adb1f03a856b8c3b489ffedbc083271686153a8
      
https://github.com/WebKit/WebKit/commit/0adb1f03a856b8c3b489ffedbc083271686153a8
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-18 (Wed, 18 Mar 2026)

  Changed paths:
    A JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

  Log Message:
  -----------
  Cherry-pick 308833@main (b9c004b3c5be). 
https://bugs.webkit.org/show_bug.cgi?id=309346

    [JSC] `TypedArray#sort` fails when comparator accesses `.buffer`
    https://bugs.webkit.org/show_bug.cgi?id=309346

    Reviewed by Yusuke Suzuki.

    When sorting a FastTypedArray with a comparator, accessing `.buffer` inside
    the comparator triggers slowDownAndWasteMemory(), which reallocates the
    backing store into a new ArrayBuffer and updates m_vector. The sort
    implementation was caching typedSpan() before invoking the comparator and
    writing the sorted result back through this cached span, so the result
    never reached the new backing store and the array appeared unsorted.

        let ta = new Int32Array(100);
        for (let i = 0; i < 100; i++) ta[i] = 100 - i;
        ta.sort((a, b) => { ta.buffer; return a - b; });
        // ta[0] was 100, should be 1

    The isDetached() guard does not help here because the FastTypedArray to
    WastefulTypedArray transition is not detachment. Fix by re-fetching
    typedSpan() for the write-back. length() was already being re-read at
    this point, so this just adds one m_vector load after O(n log n)
    comparator calls.

    Test: JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js

    * JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js: Added.
    (shouldBe):
    (throw.new.Error):
    * Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
    (JSC::genericTypedArrayViewProtoFuncSortImpl):

    Canonical link: https://commits.webkit.org/308833@main

Canonical link: https://commits.webkit.org/305877.234@webkitglib/2.52
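The stale-pointer pattern the commit describes, as an added model in C++ that is not JSC's code: FastView, sortStaleSpan, sortRefetchSpan and the retired-store bookkeeping are hypothetical stand-ins for FastTypedArray, the pre-fix sort, the fixed sort and GC-managed backing storage, so the lost write can be observed without undefined behaviour.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of a FastTypedArray whose backing store can move while a comparator runs.
struct FastView {
    std::vector<int32_t> m_vector;               // live backing store
    std::vector<std::vector<int32_t>> m_retired; // old stores kept alive: a stale write is lost, not UB
    explicit FastView(std::vector<int32_t> v) : m_vector(std::move(v)) {}
    std::size_t length() const { return m_vector.size(); }
    int32_t* typedSpan() { return m_vector.data(); }

    // Stand-in for slowDownAndWasteMemory(): copy the contents into a fresh store.
    void slowDownAndWasteMemory() {
        std::vector<int32_t> fresh(m_vector);
        m_retired.push_back(std::move(m_vector)); // the old heap block survives here
        m_vector = std::move(fresh);
    }
};

using Comparator = bool (*)(FastView&, int32_t, int32_t);

// Comparator that touches the buffer on every call, like `ta.buffer` in the repro.
bool bufferTouchingLess(FastView& view, int32_t a, int32_t b) {
    view.slowDownAndWasteMemory();
    return a < b;
}

// Sort a scratch copy with the user comparator, then write back through `dest`.
static void sortInto(FastView& view, Comparator less, bool refetch) {
    int32_t* dest = view.typedSpan();            // cached before the comparator runs
    std::vector<int32_t> scratch(dest, dest + view.length());
    std::stable_sort(scratch.begin(), scratch.end(),
                     [&](int32_t a, int32_t b) { return less(view, a, b); });
    if (refetch)
        dest = view.typedSpan();                 // the fix: m_vector may have moved
    std::copy_n(scratch.begin(), std::min(scratch.size(), view.length()), dest);
}

void sortStaleSpan(FastView& view, Comparator less) { sortInto(view, less, false); }  // before the fix
void sortRefetchSpan(FastView& view, Comparator less) { sortInto(view, less, true); } // after the fix

// Constructed repro data, as in the commit message: ta[i] = 100 - i.
FastView makeDescending(std::size_t n) {
    std::vector<int32_t> v(n);
    for (std::size_t i = 0; i < n; i++) v[i] = static_cast<int32_t>(n - i);
    return FastView(std::move(v));
}

bool isSorted(const FastView& view) { return std::is_sorted(view.m_vector.begin(), view.m_vector.end()); }
```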
