HashMapHelper: range-check before double→int cast in normalizeMapKey

[robobun]

Fixes oven-sh/bun#30757.

Problem

static_cast<int>(double) is undefined behavior for out-of-range values (LLVM IR fptosi on such inputs produces poison). Under LTO the optimizer exploits the UB and folds the subsequent i == d round-trip check to true, so the integer path is taken even for doubles that do not fit in an int32. Every oversized integer-valued double Map/Set key is then silently normalized to jsNumber(INT32_MIN).

[...new Set([1751241600000])][0]       // -2147483648, want 1751241600000
new Set([1751241600000]).has(-1 << 31) // true (spurious)

.has(originalValue) still worked because the stored (corrupted) normalized key round-trips with itself; iteration paths surfaced the corrupted value. Tagged Int32s, fractional doubles, strings, etc. are unaffected because they never enter the static_cast<int> branch.

Fix

Range-check d against [INT32_MIN, INT32_MAX] before the cast. Defined-behavior gate keeps the integer fast path correct and preserves the original double for out-of-range keys.

if (d >= static_cast<double>(INT32_MIN) && d <= static_cast<double>(INT32_MAX)) {
    int i = static_cast<int>(d);
    if (i == d)
        return jsNumber(i);
}
return key;

The DFG/FTL NormalizeMapKey lowering is already safe because it uses branchConvertDoubleToInt32 (hardware overflow branch); the C++ helper just needed to match that behavior.

Testing

Verified against an LTO release build of bun at the affected WebKit pin:

value	before	after
1751241600000	-2147483648 ❌	1751241600000 ✅
2147483648 (INT32_MAX+1)	-2147483648 ❌	2147483648 ✅
-2147483649 (INT32_MIN−1)	-2147483648 ❌	-2147483649 ✅
Number.MAX_SAFE_INTEGER	-2147483648 ❌	9007199254740991 ✅
Infinity / -Infinity	-2147483648 ❌	Infinity / -Infinity ✅
Int32s, fractional doubles, strings	OK	OK
new Set([a, b, c]) with distinct large doubles	collapsed	distinct ✅

Regression test going up in oven-sh/bun (see WebKit#30757).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 185014a5-08fc-4ff7-ab5d-02eba6d66297

📥 Commits

Reviewing files that changed from the base of the PR and between 3167a44 and b0366015ea1c36e94ba3fc4010d9f672a7809556.

📒 Files selected for processing (1)

• Source/JavaScriptCore/runtime/HashMapHelper.h

---

Walkthrough

The normalizeMapKey function in HashMapHelper.h now performs a bounds check before casting a double value to int, preventing undefined behavior for out-of-range values such as large epoch milliseconds that would wrap to INT_MIN or other invalid integers.

Changes

Map Key Bounds Check

Layer / File(s)	Summary
Double-to-int bounds check in key normalization Source/JavaScriptCore/runtime/HashMapHelper.h	Before converting a normalized double to int for map/set key storage, an explicit range check ensures the value is within INT_MIN to INT_MAX; out-of-range doubles like large epoch milliseconds are now returned unchanged instead of undergoing unsafe casts that cause value corruption.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description does not follow the WebKit pull request template, which requires a Bugzilla bug URL, 'Reviewed by' line, and structured file/function listing.	Reformat the description to match the WebKit template: include Bugzilla URL, 'Reviewed by' field, and organized change listing with file paths and affected functions.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: adding a range check before casting double to int in normalizeMapKey function.
Linked Issues check	✅ Passed	The code changes directly address the corruption issue [#30757] by adding range validation before double-to-int casting in normalizeMapKey, preventing out-of-range doubles from being incorrectly coerced to INT32_MIN.
Out of Scope Changes check	✅ Passed	All changes are scoped to HashMapHelper.h's normalizeMapKey implementation, directly addressing the undefined behavior and data corruption described in the linked issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Preview Builds

Commit	Release	Date
1cf55aaf	autobuild-preview-pr-232-1cf55aaf	2026-05-18 10:48:05 UTC
b0366015	autobuild-preview-pr-232-b0366015	2026-05-15 04:59:20 UTC

[Jarred-Sumner]

@robobun could this use oen of those specialized int conversion methods for avoiding UB in C++ that WebKit uses in several places?