LibJS: Only cache TypedArray data pointers for owned buffers

WebAssembly.Memory-backed ArrayBuffers wrap external ByteBuffer storage. When that memory grows, ByteBuffer::try_resize() may realloc the backing storage while old fixed-length buffer objects remain reachable from JS. TypedArrayBase cached m_data for all fixed-length buffers, and the asm interpreter fast path dereferenced that cached pointer directly. For wasm memory views this could leave a stale pointer behind across grow(). Restrict cached typed-array data pointers to fixed-length ArrayBuffers that own stable ByteBuffer storage. External/unowned buffers, including WebAssembly.Memory buffers, now keep m_data == nullptr and fall back to code that re-derives buffer().data() on each access. Add regressions for both the original shared-memory grow case and the second-grow stale-view case.
Author: https://github.com/Yayoi-cs Commit: https://github.com/LadybirdBrowser/ladybird/commit/0b9636fadfc Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/9086
2026-04-26 01:35:08 +02:00 · 2026-04-25 02:10:20 +09:00 · 2026-04-25 04:12:12 +00:00
parent 5d69c6d2b7
commit 0b9636fadf
6 changed files with 53 additions and 59 deletions
--- a/Libraries/LibWeb/WebAssembly/Memory.cpp
+++ b/Libraries/LibWeb/WebAssembly/Memory.cpp
@@ -216,8 +216,6 @@ void Memory::refresh_the_memory_buffer(JS::VM& vm, JS::Realm& realm, Wasm::Memor
        if (!buffer->is_shared_array_buffer()) {
            // 1. Perform ! DetachArrayBuffer(buffer, "WebAssembly.Memory").
            MUST(JS::detach_array_buffer(vm, *buffer, JS::PrimitiveString::create(vm, "WebAssembly.Memory"_string)));
-        } else {
-            buffer->refresh_cached_typed_array_view_data_pointers();
        }

        // 2. Let newBuffer be the result of creating a fixed length memory buffer from memaddr.