Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b9c004b3c5be25f15f6359c4e3a4d5fabd625ae9
https://github.com/WebKit/WebKit/commit/b9c004b3c5be25f15f6359c4e3a4d5fabd625ae9
Author: Sosuke Suzuki <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
A JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
Log Message:
-----------
[JSC] `TypedArray#sort` fails when comparator accesses `.buffer`
https://bugs.webkit.org/show_bug.cgi?id=309346
Reviewed by Yusuke Suzuki.
When sorting a FastTypedArray with a comparator, accessing `.buffer` inside
the comparator triggers slowDownAndWasteMemory(), which reallocates the
backing store into a new ArrayBuffer and updates m_vector. The sort
implementation was caching typedSpan() before invoking the comparator and
writing the sorted result back through this cached span, so the result
never reached the new backing store and the array appeared unsorted.
let ta = new Int32Array(100);
for (let i = 0; i < 100; i++) ta[i] = 100 - i;
ta.sort((a, b) => { ta.buffer; return a - b; });
// ta[0] was 100, should be 1
The isDetached() guard does not help here because the FastTypedArray to
WastefulTypedArray transition is not detachment. Fix by re-fetching
typedSpan() for the write-back. length() was already being re-read at
this point, so this just adds one m_vector load after O(n log n)
comparator calls.
Test: JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js
* JSTests/stress/typedarray-sort-buffer-access-stale-pointer.js: Added.
(shouldBe):
(throw.new.Error):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSortImpl):
Canonical link: https://commits.webkit.org/308833@main
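As an added regression check (not part of the commit or its JSTests file), the following runs the scenario from the commit message over several element types and verifies that the sorted result actually reached the array after the comparator touched `.buffer`; the function names `sortWithBufferAccess` and `checkAll` are mine, not JSC's.

```javascript
// Added example: exercises TypedArray.prototype.sort with a comparator that
// touches `.buffer` mid-sort (the access that forces the FastTypedArray ->
// WastefulTypedArray transition in JSC) and checks the write-back landed.

function compare(a, b) {
  // Works for both Number and BigInt elements.
  return a < b ? -1 : a > b ? 1 : 0;
}

function sortWithBufferAccess(TypedArrayCtor, length) {
  const ta = new TypedArrayCtor(length);
  const isBigInt = TypedArrayCtor === BigInt64Array || TypedArrayCtor === BigUint64Array;
  // Fill in descending order, as in the bug report (values 1..length).
  for (let i = 0; i < length; i++) ta[i] = isBigInt ? BigInt(length - i) : length - i;
  // Oracle: a plain Array sort, which never goes through the typed-array path.
  const expected = Array.from(ta).sort(compare);

  let bufferAccesses = 0;
  ta.sort((a, b) => {
    // Access the backing ArrayBuffer inside the comparator; the buffer must
    // keep its size even if the engine reallocates the backing store.
    if (ta.buffer.byteLength !== length * TypedArrayCtor.BYTES_PER_ELEMENT)
      throw new Error("byteLength changed during sort");
    bufferAccesses++;
    return compare(a, b);
  });

  const sorted = expected.every((v, i) => ta[i] === v);
  return { sorted, bufferAccesses, first: ta[0], last: ta[length - 1] };
}

function checkAll(length = 100) {
  // Constructed set of element types; 1..100 fits every one of them.
  const ctors = [Int8Array, Uint8Array, Int16Array, Int32Array, Uint32Array,
                 Float32Array, Float64Array, BigInt64Array];
  const results = {};
  for (const C of ctors) results[C.name] = sortWithBufferAccess(C, length);
  return results;
}
```

On an engine with the stale-span defect, `sorted` comes back `false` for the affected types while `bufferAccesses` stays non-zero, which separates "comparator never ran" from "result never written back".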