Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a271abef225ed90f7f5f917fae417077eb0855aa
      
https://github.com/WebKit/WebKit/commit/a271abef225ed90f7f5f917fae417077eb0855aa
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-05-27 (Wed, 27 May 2026)

  Changed paths:
    A JSTests/stress/typedarray-forEach-transition.js
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h

  Log Message:
  -----------
  [JSC] Fix vector caching in TypedArray.prototype.forEach
https://bugs.webkit.org/show_bug.cgi?id=309918
rdar://172446537

Reviewed by Yijia Huang.

A TypedArray's vector can move even when it's fixed-length and non-shared due
to materializing its ArrayBuffer and due to BoundsChecking Wasm memories doing
reallocation. In those cases, the current code incorrectly caches the data
pointer to the vector. This PR fixes those cases by reloading the vector.

Test:
JSTests/stress/typedarray-forEach-transition.js
* JSTests/stress/typedarray-forEach-transition.js: Added.
(ta.forEach):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::typedArrayViewForEachImpl):

Originally-landed-as: 305413.485@rapid/safari-7624.2.5.110-branch 
(32d01d0d2755). rdar://176061980
Canonical link: 
https://flagged.apple.com:443/proxy?t2=Dv0G4O5Wk7&o=aHR0cHM6Ly9jb21taXRzLndlYmtpdC5vcmcvMzEzOTYwQG1haW4=&emid=f74f5475-4998-405d-9b95-060580225336&c=11
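
The bug class described in the log message, as an added toy model that is not WebKit's code and is not taken from this commit: a fixed-length view whose backing store moves while a callback runs, iterated with the data pointer cached once versus reloaded on every iteration. `ToyView`, `relocate`, `forEachToy` and `runDemo` are hypothetical names, and the stale case is counted rather than dereferenced so the example stays memory-safe.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <utility>

// Toy stand-in for a fixed-length typed array view (assumption, not JavaScriptCore's types).
struct ToyView {
    std::unique_ptr<int[]> storage;
    size_t length;
    unsigned generation = 0; // bumped whenever the backing store moves
    explicit ToyView(size_t n) : storage(new int[n]), length(n) {
        for (size_t i = 0; i < n; ++i) storage[i] = static_cast<int>(i) * 10;
    }
    int* vector() const { return storage.get(); }
    // Models the vector moving while the length stays the same.
    void relocate() {
        std::unique_ptr<int[]> fresh(new int[length]);
        for (size_t i = 0; i < length; ++i) fresh[i] = storage[i];
        storage = std::move(fresh); // the old allocation is freed here
        ++generation;
    }
};

struct Result { size_t visited = 0; size_t stale = 0; int sum = 0; };
using Callback = std::function<void(ToyView&, size_t)>;

// reload == false: pointer loaded once before the loop (the caching pattern).
// reload == true:  pointer fetched again on every iteration (the reloading pattern).
// An access through an out-of-date pointer is counted, never performed.
Result forEachToy(ToyView& view, const Callback& cb, bool reload) {
    Result r;
    int* data = view.vector();
    unsigned loadedAt = view.generation;
    for (size_t i = 0; i < view.length; ++i) {
        if (reload) { data = view.vector(); loadedAt = view.generation; }
        if (view.generation != loadedAt) { ++r.stale; continue; }
        r.sum += data[i];
        ++r.visited;
        cb(view, i); // user callback may move the backing store
    }
    return r;
}

// Constructed scenario: the callback moves the store while visiting index 1.
Result runDemo(bool reload) {
    ToyView view(4);
    Callback cb = [](ToyView& v, size_t i) { if (i == 1) v.relocate(); };
    return forEachToy(view, cb, reload);
}
```

With the cached pointer, every iteration after the move would have read freed memory; a length check alone does not catch this because the length never changes.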


