LibJS: Don't skip indexed property storage switching in Array fast path

If we call put() directly on the underlying indexed property storage like we were doing here, we skip the checks that switch from flat to sparse property storage when a huge index is suddenly accessed. This was caught by folks hitting memory issues when running test-js.
Author: https://github.com/awesomekling Commit: https://github.com/LadybirdBrowser/ladybird/commit/7a4e74be96c Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/7366 Reviewed-by: https://github.com/trflynn89 ✅
2026-04-26 01:35:08 +02:00 · 2026-01-07 12:52:53 +01:00 · 2026-01-07 12:53:04 +00:00
parent 4c10f44e3e
commit 7a4e74be96
1 changed files with 3 additions and 1 deletions
--- a/Libraries/LibJS/Runtime/Array.cpp
+++ b/Libraries/LibJS/Runtime/Array.cpp
@@ -403,7 +403,9 @@ ThrowCompletionOr<bool> Array::internal_define_own_property(PropertyKey const& p
                    return false;
            }

-            storage->put(property_key.as_number(), property_descriptor.value.value());
+            // NB: We don't call put() directly on the underlying storage here, since we may want to switch
+            //     the storage type if the index is too large.
+            indexed_properties().put(property_key.as_number(), property_descriptor.value.value());
        } else {
            succeeded = MUST(Object::internal_define_own_property(property_key, property_descriptor, precomputed_get_own_property));
        }