mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-04-25 17:25:08 +02:00
HashMap<_, GC::Ref<_>>::ensure() crashed under UBSan whenever the initialization callback triggered a GC: lookup_for_writing() stamped the target bucket as used and added it to the ordered list before the callback ran, so the marking visitor walked the map, read the uninitialized slot, and failed the returns_nonnull check in GC::Ref.

Split bucket reservation into two phases. lookup_for_writing() now hands back the target in the Free state (not in the ordered list, m_size unchanged); callers placement-new the value and then commit via commit_inserted_bucket(). The Robin Hood displacement loop still stamps the slot internally and un-stamps before returning, so probing is unchanged and the whole operation remains a single hash and a single probe.
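The ordering problem described in the commit message, as an added toy model that is not Ladybird's code: `ToyMap`, `Bucket`, `ensure_stamp_first`, `ensure_two_phase` and `nulls_seen_during_init` are hypothetical names, a raw `int*` stands in for `GC::Ref`, and plain linear probing replaces the Robin Hood loop. The callback runs a stand-in for the marking visitor and reports how many live buckets it found with an unconstructed value.

```cpp
#include <array>
#include <cstddef>
#include <functional>

// Toy model: int* stands in for GC::Ref<T>; nullptr models an unconstructed slot.
struct Bucket { bool used = false; int key = 0; int* value = nullptr; };

struct ToyMap {
    std::array<Bucket, 8> buckets {};
    std::size_t size = 0;
    // Models the marking visitor: counts live buckets whose value is unconstructed.
    std::size_t visit_null_slots() const {
        std::size_t bad = 0;
        for (auto const& b : buckets)
            if (b.used && b.value == nullptr) ++bad;
        return bad;
    }
    // Single probe (linear here): the matching bucket or the first free one.
    Bucket& lookup_for_writing(int key) {
        std::size_t i = static_cast<std::size_t>(key) % buckets.size();
        while (buckets[i].used && buckets[i].key != key) i = (i + 1) % buckets.size();
        return buckets[i];
    }
    // Old order: the bucket is published as used before the callback runs.
    int* ensure_stamp_first(int key, std::function<int*()> const& init) {
        Bucket& b = lookup_for_writing(key);
        if (b.used) return b.value;
        b.used = true; b.key = key; ++size;
        return b.value = init(); // a visit inside init() sees a live, empty slot
    }
    // Two-phase order: build the value while the bucket is free, then commit.
    int* ensure_two_phase(int key, std::function<int*()> const& init) {
        Bucket& b = lookup_for_writing(key);
        if (b.used) return b.value;
        b.value = init();                     // visitor skips the free bucket
        b.key = key; b.used = true; ++size;   // commit step
        return b.value;
    }
};

// Runs ensure() with a callback that triggers the visitor; returns what it saw.
std::size_t nulls_seen_during_init(bool two_phase) {
    static int cell = 42;
    ToyMap map;
    std::size_t seen = 0;
    auto init = [&]() -> int* { seen = map.visit_null_slots(); return &cell; };
    two_phase ? map.ensure_two_phase(7, init) : map.ensure_stamp_first(7, init);
    return seen;
}
```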