LibJS: Don't change offset when reconfiguring property in unique shape

When changing the attributes of an existing property of an object with unique shape we must not change the PropertyMetadata offset. Doing so without resizing the underlying storage vector caused an OOB write crash. Fixes #3735.
Author: https://github.com/linusg Commit: https://github.com/SerenityOS/serenity/commit/a5bf6cfff98 Pull-request: https://github.com/SerenityOS/serenity/pull/3737 Issue: https://github.com/SerenityOS/serenity/issues/3735 Reviewed-by: https://github.com/awesomekling
2026-04-25 17:25:08 +02:00 · 2020-10-10 14:42:23 +01:00 · 2024-07-19 01:56:39 +09:00
parent fcd263f17b
commit a5bf6cfff9
2 changed files with 14 additions and 2 deletions
--- a/Libraries/LibJS/Tests/builtins/Object/Object.defineProperty.js
+++ b/Libraries/LibJS/Tests/builtins/Object/Object.defineProperty.js
@@ -148,6 +148,16 @@ describe("normal functionality", () => {
        expect((o[s] = 5)).toBe(5);
        expect((o[s] = 4)).toBe(4);
    });
+
+    test("issue #3735, reconfiguring property in unique shape", () => {
+        const o = {};
+        // In LibJS an object with more than 100 properties gets a unique shape
+        for (let i = 0; i < 101; ++i) {
+            o[`property${i}`] = i;
+        }
+        Object.defineProperty(o, "x", { configurable: true });
+        Object.defineProperty(o, "x", { configurable: false });
+    });
 });

 describe("errors", () => {