Mirror of https://github.com/LadybirdBrowser/ladybird.git, synced 2026-04-18 18:00:31 +00:00.
Dictionary shapes are mutable (properties added/removed in-place via add_property_without_transition), so sharing them between objects via the NewObject premade shape cache is unsafe. When a large object literal (>64 properties) is created repeatedly in a loop, the first execution transitions to a dictionary shape, which CacheObjectShape then caches. Subsequent iterations create new objects all pointing to the same dictionary shape. If any of these objects adds a new property, it mutates the shared shape in-place, increasing its property_count, but only grows its own named property storage. Other objects sharing the shape are left with undersized storage, leading to a heap-buffer-overflow when the GC visits their edges. Fix this by not caching dictionary shapes. This means object literals with >64 properties won't get the premade-shape fast path, but such literals are uncommon.
| Name |
|---|
| AsmInterpreter |
| BasicBlock.cpp |
| BasicBlock.h |
| BuiltinAbstractOperationsEnabled.h |
| Builtins.h |
| Bytecode.def |
| ClassBlueprint.h |
| Executable.cpp |
| Executable.h |
| FormatOperand.h |
| IdentifierTable.cpp |
| IdentifierTable.h |
| Instruction.cpp |
| Instruction.h |
| Interpreter.cpp |
| Interpreter.h |
| Label.cpp |
| Label.h |
| Operand.h |
| PropertyAccess.h |
| PropertyKeyTable.cpp |
| PropertyKeyTable.h |
| PutKind.h |
| RegexTable.cpp |
| RegexTable.h |
| Register.h |
| StringTable.cpp |
| StringTable.h |