LibJS: Track current shape dictionary generation in PropertyLookupCache

When an object becomes too big (currently 64 properties or more), we change its shape to a dictionary and don't do any further transitions. However, this means the Shape of the object no longer changes, so the cache invalidation check of `current_shape != cache.shape` is no longer a valid check. This fixes that by keeping track of a generation number for the Shape both on the Shape object and in the cache, allowing that to be checked instead of the Shape identity. The generation is incremented whenever the dictionary is mutated. Fixes stale cache lookups on Gmail preventing emails from being displayed. I was not able to produce a reproduction for this, plus the generation count was over the 20k mark on Gmail.
Author: https://github.com/Lubrsi Commit: d4deafe5fe Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/6115 Reviewed-by: https://github.com/kalenikaliaksandr ✅
2025-12-08 06:09:58 +00:00 · 2025-09-07 15:27:16 +01:00 · 2025-09-07 15:27:16 +01:00 · d4deafe5fe · 2025-10-24 13:36:11 +00:00
commit d4deafe5fe
parent a21d247b0e
5 changed files with 79 additions and 6 deletions
--- a/Libraries/LibJS/Bytecode/Executable.h
+++ b/Libraries/LibJS/Bytecode/Executable.h
@ -43,6 +43,7 @@ struct PropertyLookupCache {
        Optional<u32> property_offset;
        GC::Weak<Object> prototype;
        GC::Weak<PrototypeChainValidity> prototype_chain_validity;
+        Optional<u32> shape_dictionary_generation;
    };
    AK::Array<Entry, max_number_of_shapes_to_remember> entries;
 };