Branch: refs/heads/webkitglib/2.52
Home: https://github.com/WebKit/WebKit
Commit: 9356c5a4a7960fc1a609000925e52c14ec9dc0ae
https://github.com/WebKit/WebKit/commit/9356c5a4a7960fc1a609000925e52c14ec9dc0ae
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/JavaScriptCore/parser/ParserArena.h
M Source/JavaScriptCore/runtime/JSCJSValueInlines.h
M Source/JavaScriptCore/runtime/JSStringJoiner.h
M Source/JavaScriptCore/runtime/MathCommon.h
M Source/JavaScriptCore/wasm/WasmFormat.h
M Source/WTF/wtf/PlatformHave.h
Log Message:
-----------
Cherry-pick 309220@main (35208109db84).
https://bugs.webkit.org/show_bug.cgi?id=309876
[JSC] Add tryConvertToStrictInt32
https://bugs.webkit.org/show_bug.cgi?id=309876
rdar://172451302
Reviewed by Dan Hecht and Justin Michaud.
This patch adds tryConvertToStrictInt32, which quickly decides whether
we can convert double to StrictInt32. This can be efficiently
implemented with ARM64 fjcvtzs.
* Source/JavaScriptCore/parser/ParserArena.h:
(JSC::IdentifierArena::makeNumericIdentifier):
* Source/JavaScriptCore/runtime/JSCJSValueInlines.h:
(JSC::JSValue::JSValue):
(JSC::JSValue::toBigIntOrInt32 const):
* Source/JavaScriptCore/runtime/JSStringJoiner.h:
(JSC::JSStringJoiner::appendNumber):
* Source/JavaScriptCore/runtime/MathCommon.h:
(JSC::tryConvertToStrictInt32):
(JSC::canBeStrictInt32): Deleted.
(JSC::canBeInt32): Deleted.
* Source/JavaScriptCore/wasm/WasmFormat.h:
(JSC::Wasm::internalizeExternref):
* Source/WTF/wtf/PlatformHave.h:
Canonical link: https://commits.webkit.org/309220@main
Canonical link: https://commits.webkit.org/305877.699@webkitglib/2.52
Commit: 7bcdeeaa119b7b4d797d8523aa468c0a0bed5e94
https://github.com/WebKit/WebKit/commit/7bcdeeaa119b7b4d797d8523aa468c0a0bed5e94
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/JavaScriptCore/runtime/MathCommon.h
Log Message:
-----------
Cherry-pick 309422@main (a9539aeb5791).
https://bugs.webkit.org/show_bug.cgi?id=310118
[JSC] Fix tryConvertToStrictInt32's duplicate work
https://bugs.webkit.org/show_bug.cgi?id=310118
rdar://172760056
Reviewed by Yijia Huang.
The previous patch had an issue where we converted double to int32_t again
unnecessarily. This patch fixes this efficiency problem.
* Source/JavaScriptCore/runtime/MathCommon.h:
(JSC::tryConvertToStrictInt32):
Canonical link: https://commits.webkit.org/309422@main
Canonical link: https://commits.webkit.org/305877.700@webkitglib/2.52
Commit: 3a312f5ed90e0ae0a88856a203768e59bf224813
https://github.com/WebKit/WebKit/commit/3a312f5ed90e0ae0a88856a203768e59bf224813
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/JSCJSValueInlines.h
M Source/JavaScriptCore/runtime/MathCommon.cpp
M Source/JavaScriptCore/runtime/MathCommon.h
M Source/JavaScriptCore/runtime/NumberPrototype.cpp
M Source/JavaScriptCore/wasm/WasmFormat.h
M Source/WTF/wtf/MathExtras.h
M Tools/TestWebKitAPI/CMakeLists.txt
M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
A Tools/TestWebKitAPI/Tests/WTF/TruncateFloat.cpp
Log Message:
-----------
Cherry-pick 309786@main (bd8dde5e762e).
https://bugs.webkit.org/show_bug.cgi?id=310490
[JSC] Remove UB for truncate-double-to-int32 by injecting conversion inline asm
https://bugs.webkit.org/show_bug.cgi?id=310490
rdar://173114293
Reviewed by Keith Miller and Justin Michaud.
Recent clang performs optimizations based on this UB, breaking JSC when this
UB is present. But this is **really hot** code in JSC, thus we should not
use a slow-but-correct implementation. We should keep the codegen we are
currently getting as is while removing the UB to prevent compilers from
breaking the meaning.
This patch introduces helper functions which convert fp to integers, and
uses these helper functions. They are just one inline asm in many cases.
The purpose is just making sure that we have solid semantics (not UB) for
this one conversion. The rest of the code using this is fine as long as
this is not UB. We move tryConvertToStrictInt32 to WTF too, and make sure
it has no UB in the slow path either. We implemented optimized inline asm
for x64 / ARM64 so that these architectures do not see a difference from
the currently generated code.
We also add WTF_PROVEN_TRUE. This leverages __builtin_constant_p to do
range analysis on the input, so we do not lose the opportunities for
constant folding.
Tests: Tools/TestWebKitAPI/CMakeLists.txt
Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
Tools/TestWebKitAPI/Tests/WTF/TruncateFloat.cpp
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::updateArithProfileForUnaryArithOp):
(JSC::updateArithProfileForBinaryArithOp):
(JSC::JSC_DEFINE_COMMON_SLOW_PATH):
* Source/JavaScriptCore/runtime/JSCJSValueInlines.h:
(JSC::JSValue::tryGetAsUint32Index):
(JSC::JSValue::tryGetAsInt32):
* Source/JavaScriptCore/runtime/MathCommon.cpp:
(JSC::Math::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/runtime/MathCommon.h:
(JSC::tryConvertToStrictInt32): Deleted.
* Source/JavaScriptCore/runtime/NumberPrototype.cpp:
(JSC::toStringWithRadix):
(JSC::numberToStringInternal):
* Source/JavaScriptCore/wasm/WasmFormat.h:
(JSC::Wasm::internalizeExternref):
* Source/WTF/wtf/MathExtras.h:
(WTF::truncateDoubleToInt32):
(WTF::truncateDoubleToInt64):
(WTF::truncateDoubleToUint32):
(WTF::truncateDoubleToUint64):
(WTF::truncateFloatToInt32):
(WTF::truncateFloatToInt64):
(WTF::truncateFloatToUint32):
(WTF::truncateFloatToUint64):
(WTF::tryConvertToStrictInt32):
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WTF/TruncateFloat.cpp: Added.
(TestWebKitAPI::opaque):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt32_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt32_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt32_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint32_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint32_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint32_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt64_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt64_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToInt64_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint64_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint64_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateDoubleToUint64_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt32_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt32_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt32_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint32_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint32_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint32_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt64_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt64_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToInt64_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint64_InRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint64_InRange_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TruncateFloatToUint64_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_ExactIntegers)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_ExactIntegers_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_NonIntegers)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_NonIntegers_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_SpecialValues)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_SpecialValues_Opaque)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_OutOfRange)):
(TestWebKitAPI::TEST(WTF_MathExtras, TryConvertToStrictInt32_OutOfRange_Opaque)):
Canonical link: https://commits.webkit.org/309786@main
Canonical link: https://commits.webkit.org/305877.701@webkitglib/2.52
Commit: 627c96bd53e8d58e396aec401bcf46f0e034eeb1
https://github.com/WebKit/WebKit/commit/627c96bd53e8d58e396aec401bcf46f0e034eeb1
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/WTF/wtf/MathExtras.h
Log Message:
-----------
Cherry-pick 309806@main (e5256d97edc2).
https://bugs.webkit.org/show_bug.cgi?id=310581
[WTF] Clean up fp -> integer trunc implementations in x64
https://bugs.webkit.org/show_bug.cgi?id=310581
rdar://173192980
Reviewed by Mark Lam.
Use x64 intrinsics instead. We intentionally duplicate the WTF_PROVEN_TRUE
check for CPU(ARM64) and the fallback cases to keep the CPU(ARM64) side
code dense and concise. Once the corresponding intrinsics are introduced,
just replace this part entirely in ARM64 too.
* Source/WTF/wtf/MathExtras.h:
(WTF::truncateDoubleToInt32):
(WTF::truncateDoubleToInt64):
(WTF::truncateDoubleToUint32):
(WTF::truncateDoubleToUint64):
(WTF::truncateFloatToInt32):
(WTF::truncateFloatToInt64):
(WTF::truncateFloatToUint32):
(WTF::truncateFloatToUint64):
Canonical link: https://commits.webkit.org/309806@main
Canonical link: https://commits.webkit.org/305877.702@webkitglib/2.52
Commit: a4b39d2516074bec95d3a2f0dd13ebec4c04154b
https://github.com/WebKit/WebKit/commit/a4b39d2516074bec95d3a2f0dd13ebec4c04154b
Author: Yusuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/WTF/wtf/CurrentTime.cpp
M Source/WTF/wtf/JSONValues.cpp
M Source/WTF/wtf/MemoryPressureHandler.cpp
M Source/WTF/wtf/StatisticsManager.cpp
M Source/WTF/wtf/text/TextStream.cpp
M Source/WebCore/html/ImageDocument.cpp
M Source/WebCore/platform/animation/AnimationUtilities.h
M Source/WebCore/platform/audio/AudioResamplerKernel.cpp
M Source/WebCore/platform/graphics/FormatConverter.cpp
M Source/WebCore/platform/graphics/GraphicsContext.cpp
M Source/WebCore/platform/graphics/IntRect.cpp
M Source/WebCore/platform/graphics/IntSize.h
M Source/WebCore/platform/graphics/ShadowBlur.cpp
Log Message:
-----------
Cherry-pick 309964@main (aa5eadc0c2eb).
https://bugs.webkit.org/show_bug.cgi?id=310697
Avoid fp->integer UB throughout WebKit repository
https://bugs.webkit.org/show_bug.cgi?id=310697
rdar://173311131
Reviewed by Chris Dumez and Dan Hecht.
Apply the 309786@main change throughout the WebKit repository. When
converting fp to integers, if the value does not fit in the integer's
representable range, it is UB. And recent clang is leveraging this UB a
bit too aggressively, breaking the semantics of the code when it is used
in a UB manner.
* Source/WTF/wtf/CurrentTime.cpp:
* Source/WTF/wtf/JSONValues.cpp:
(WTF::JSONImpl::Value::asInteger const):
* Source/WTF/wtf/MathExtras.h:
(WTF::truncateDoubleToInt32):
(WTF::truncateDoubleToInt64):
(WTF::truncateDoubleToUint32):
(WTF::truncateDoubleToUint64):
(WTF::truncateFloatToInt32):
(WTF::truncateFloatToInt64):
(WTF::truncateFloatToUint32):
(WTF::truncateFloatToUint64):
(WTF::tryConvertToStrictInt32):
* Source/WTF/wtf/MemoryPressureHandler.cpp:
(WTF::thresholdForMemoryKillOfActiveProcess):
(WTF::thresholdForMemoryKillOfInactiveProcess):
* Source/WTF/wtf/StatisticsManager.cpp:
(WTF::dumpHistogram):
* Source/WTF/wtf/text/TextStream.cpp:
(WTF::hasFractions):
* Source/WebCore/html/ImageDocument.cpp:
(WebCore::ImageDocument::imageClicked):
* Source/WebCore/platform/animation/AnimationUtilities.h:
(WebCore::blend):
* Source/WebCore/platform/audio/AudioResamplerKernel.cpp:
(WebCore::AudioResamplerKernel::getSourceSpan):
* Source/WebCore/platform/graphics/FormatConverter.cpp:
(WebCore::uint32_t>):
(WebCore::int32_t>):
* Source/WebCore/platform/graphics/GraphicsContext.cpp:
(WebCore::GraphicsContext::computeRectsAndStrokeColorForLinesForText):
* Source/WebCore/platform/graphics/IntRect.cpp:
(WebCore::IntRect::scale):
* Source/WebCore/platform/graphics/IntSize.h:
(WebCore::IntSize::scale):
* Source/WebCore/platform/graphics/ShadowBlur.cpp:
(WebCore::calculateLobes):
Canonical link: https://commits.webkit.org/309964@main
Canonical link: https://commits.webkit.org/305877.703@webkitglib/2.52
Commit: 2069923256ee51e04aaccc1936d818eb07901420
https://github.com/WebKit/WebKit/commit/2069923256ee51e04aaccc1936d818eb07901420
Author: Chris Dumez <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/WTF/wtf/MathExtras.h
Log Message:
-----------
Cherry-pick 310270@main (dab059cbea78).
https://bugs.webkit.org/show_bug.cgi?id=311096
Drop redundant `std::isnan()` checks in MathExtras.h
https://bugs.webkit.org/show_bug.cgi?id=311096
Reviewed by Darin Adler.
Drop redundant `std::isnan()` checks in MathExtras.h. `!std::isfinite()`
already covers the NaN case.
* Source/WTF/wtf/MathExtras.h:
(WTF::truncateDoubleToInt32):
(WTF::truncateDoubleToInt64):
(WTF::truncateDoubleToUint32):
(WTF::truncateDoubleToUint64):
(WTF::truncateFloatToInt32):
(WTF::truncateFloatToInt64):
(WTF::truncateFloatToUint32):
(WTF::truncateFloatToUint64):
Canonical link: https://commits.webkit.org/310270@main
Canonical link: https://commits.webkit.org/305877.704@webkitglib/2.52
Commit: c75856f7742ba9f830b1d255a908cddd2b8c5fb3
https://github.com/WebKit/WebKit/commit/c75856f7742ba9f830b1d255a908cddd2b8c5fb3
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/parser/ASTBuilder.h
M Source/JavaScriptCore/parser/Lexer.cpp
M Source/JavaScriptCore/runtime/HashMapHelper.h
M Source/JavaScriptCore/runtime/MathCommon.cpp
M Source/JavaScriptCore/runtime/TypedArrayAdaptors.h
Log Message:
-----------
Cherry-pick 313375@main (a3aa7524f30f).
https://bugs.webkit.org/show_bug.cgi?id=314884
[JSC] Use `truncateDoubleToInt32`/`64()` in more round-trip double-to-int checks
https://bugs.webkit.org/show_bug.cgi?id=314884
Reviewed by Yusuke Suzuki.
This patch changes to use `truncateDoubleToInt32` and `truncateDoubleToInt64`
in more round-trip double-to-int checks.
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::processClauseList):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/parser/ASTBuilder.h:
(JSC::ASTBuilder::makeDivNode):
* Source/JavaScriptCore/parser/Lexer.cpp:
(JSC::tokenTypeForIntegerLikeToken):
* Source/JavaScriptCore/runtime/HashMapHelper.h:
(JSC::normalizeMapKey):
* Source/JavaScriptCore/runtime/MathCommon.cpp:
(JSC::isStrictInt32):
* Source/JavaScriptCore/runtime/TypedArrayAdaptors.h:
(JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
Canonical link: https://commits.webkit.org/313375@main
Canonical link: https://commits.webkit.org/305877.705@webkitglib/2.52
Commit: b775328c137ce25efd246ca030a6a95263dd51b4
https://github.com/WebKit/WebKit/commit/b775328c137ce25efd246ca030a6a95263dd51b4
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
A JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js
A JSTests/stress/jsonp-large-array-index.js
A JSTests/stress/number-tostring-methods-out-of-range-arguments.js
A JSTests/stress/parseint-large-result-int32-boxing.js
A JSTests/stress/string-from-code-point-out-of-range.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
M Source/JavaScriptCore/runtime/JSCJSValue.h
M Source/JavaScriptCore/runtime/JSCJSValueInlines.h
M Source/JavaScriptCore/runtime/LiteralParser.cpp
M Source/JavaScriptCore/runtime/NumberPrototype.cpp
M Source/JavaScriptCore/runtime/StringConstructor.cpp
Log Message:
-----------
Cherry-pick 314356@main (3825a1a93bbf).
https://bugs.webkit.org/show_bug.cgi?id=316051
[JSC] Fix undefined behavior in double-to-int conversions
https://bugs.webkit.org/show_bug.cgi?id=316051
Reviewed by Yusuke Suzuki.
Several call sites convert unbounded, caller-controlled doubles to narrow
integer types with a plain cast, which is undefined behavior when the
truncated value is not representable ([conv.fpint]). With inputs reachable
from JS (e.g. parseInt("80000000", 16), (1.5).toExponential(Infinity),
String.fromCodePoint(-1), o[2 ** 32]), every conversion fixed here trips
UBSan's float-cast-overflow check.
This is not purely theoretical: in Bun, this UB caused user-observable
bugs, e.g. parseInt("80000000", 16) returning a negative int32.
Make the conversions defined via truncateDoubleToInt32() /
truncateDoubleToUint32() / clampTo<unsigned>(), or by range-checking the
double before narrowing. No behavior change on current WebKit toolchains.
Tests: JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js
JSTests/stress/jsonp-large-array-index.js
JSTests/stress/number-tostring-methods-out-of-range-arguments.js
JSTests/stress/parseint-large-result-int32-boxing.js
JSTests/stress/string-from-code-point-out-of-range.js
* JSTests/stress/get-by-val-double-subscript-out-of-uint32-range.js: Added.
(shouldBe):
(get put):
* JSTests/stress/jsonp-large-array-index.js: Added.
(shouldBe):
* JSTests/stress/number-tostring-methods-out-of-range-arguments.js: Added.
(shouldBe):
* JSTests/stress/parseint-large-result-int32-boxing.js: Added.
(shouldBe):
(parseIntNoRadix):
* JSTests/stress/string-from-code-point-out-of-range.js: Added.
(shouldBe):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::parseIntResult):
* Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::weakMapEntries):
(Inspector::JSInjectedScriptHost::weakSetEntries):
(Inspector::JSInjectedScriptHost::iteratorEntries):
* Source/JavaScriptCore/runtime/JSCJSValue.h:
(JSC::JSValue::getUInt32 const):
* Source/JavaScriptCore/runtime/LiteralParser.cpp:
(JSC::requires):
* Source/JavaScriptCore/runtime/NumberPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/StringConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/314356@main
Canonical link: https://commits.webkit.org/305877.706@webkitglib/2.52
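An added example (not WebKit's code) of the range-check-before-narrowing shape the message above describes, applied to the inputs it lists (2147483648.0 from parseInt("80000000", 16), -1.0 from String.fromCodePoint(-1), 2 ** 32 as an array index, Infinity and NaN); it also covers the uint32 and saturating variants the message names. The helper names are hypothetical and are not WTF's API.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// Added example, not WebKit's code; helper names are hypothetical.
// A plain static_cast<int32_t>(d) is undefined behavior when the truncated
// value of d is not representable ([conv.fpint]), so each helper checks the
// range first and only casts when the cast is defined.

// Truncate toward zero; nullopt when the result does not fit an int32_t.
std::optional<int32_t> tryTruncateDoubleToInt32(double d)
{
    if (!std::isfinite(d)) // covers NaN as well as +/-Infinity
        return std::nullopt;
    // Truncation of d fits iff -2^31 - 1 < d < 2^31; both bounds are exact
    // doubles, so 2147483648.0 (parseInt("80000000", 16)) is rejected, not wrapped.
    if (d >= 2147483648.0 || d <= -2147483649.0)
        return std::nullopt;
    return static_cast<int32_t>(d);
}

// Truncate toward zero; nullopt when the result does not fit a uint32_t.
std::optional<uint32_t> tryTruncateDoubleToUint32(double d)
{
    if (!std::isfinite(d))
        return std::nullopt;
    // Truncation fits iff -1 < d < 2^32: -0.5 truncates to 0 and is fine;
    // -1.0 (String.fromCodePoint(-1)) and 4294967296.0 (o[2 ** 32]) are not.
    if (d >= 4294967296.0 || d <= -1.0)
        return std::nullopt;
    return static_cast<uint32_t>(d);
}

// Saturating alternative for call sites that want a value rather than a
// failure signal: clamps to [0, UINT32_MAX]; NaN maps to 0 (this example's choice).
uint32_t clampDoubleToUint32(double d)
{
    if (std::isnan(d) || d <= 0.0)
        return 0;
    if (d >= 4294967296.0)
        return std::numeric_limits<uint32_t>::max();
    return static_cast<uint32_t>(d);
}

// The parseInt boxing case from the message: a result may be stored as an
// int32 only if it is an exact integer in range and not negative zero
// (-0 has no int32 representation and must stay a double).
std::optional<int32_t> tryBoxAsStrictInt32(double value)
{
    std::optional<int32_t> truncated = tryTruncateDoubleToInt32(value);
    if (!truncated || static_cast<double>(*truncated) != value)
        return std::nullopt; // out of range or has a fractional part
    if (value == 0.0 && std::signbit(value))
        return std::nullopt; // negative zero
    return truncated;
}
```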
Commit: 5b52d671d2d8a520694a2dd68b6fc0b4d36e2577
https://github.com/WebKit/WebKit/commit/5b52d671d2d8a520694a2dd68b6fc0b4d36e2577
Author: Chris Dumez <[email protected]>
Date: 2026-06-06 (Sat, 06 Jun 2026)
Changed paths:
M Source/WebCore/Modules/cache/CacheStorageConnection.cpp
Log Message:
-----------
Cherry-pick 314445@main (09650e2c7ec5).
https://bugs.webkit.org/show_bug.cgi?id=316150
Fix undefined behavior in CacheStorageConnection::computeRecordBodySize()
https://bugs.webkit.org/show_bug.cgi?id=316150
Reviewed by Youenn Fablet.
The set() inside the ensure() lambda mutates the map mid-insert. This
can rehash and invalidate the iterator that ensure() then returns, so
the trailing .iterator->value reads from a stale bucket. It's also
redundant — ensure() stores the lambda's return value already.
* Source/WebCore/Modules/cache/CacheStorageConnection.cpp:
(WebCore::CacheStorageConnection::computeRecordBodySize):
Canonical link: https://commits.webkit.org/314445@main
Canonical link: https://commits.webkit.org/305877.707@webkitglib/2.52
Compare: https://github.com/WebKit/WebKit/compare/a6bc685a685c...5b52d671d2d8