mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-05-09 00:22:36 +02:00
Dictionary shapes are mutable (properties added/removed in-place via add_property_without_transition), so sharing them between objects via the NewObject premade shape cache is unsafe. When a large object literal (>64 properties) is created repeatedly in a loop, the first execution transitions to a dictionary shape, which CacheObjectShape then caches. Subsequent iterations create new objects all pointing to the same dictionary shape. If any of these objects adds a new property, it mutates the shared shape in-place, increasing its property_count, but only grows its own named property storage. Other objects sharing the shape are left with undersized storage, leading to a heap-buffer-overflow when the GC visits their edges. Fix this by not caching dictionary shapes. This means object literals with >64 properties won't get the premade-shape fast path, but such literals are uncommon.
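A toy C++ model of the aliasing described in this commit message, added here as an illustration and not code from the Ladybird repository; the Shape, Object and ShapeCache types and all their members are assumptions, and the `cache_dictionary_shapes` flag switches between the old behaviour and the fix.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>
// Toy model of the bug; type and member names are assumed, not LibJS's own.
struct Shape {
    std::vector<std::string> property_names;
    size_t property_count() const { return property_names.size(); }
};
struct Object {
    std::shared_ptr<Shape> shape;
    std::vector<int> storage; // named property storage, one slot per property
    // In-place mutation: every object sharing this shape now "has" one more property, but only this object's storage grows.
    void add_property_without_transition(std::string const& name, int value) {
        shape->property_names.push_back(name);
        storage.push_back(value);
    }
    // A GC visiting edges reads storage[0..property_count); this mismatch is the overflow.
    bool storage_is_undersized() const { return storage.size() < shape->property_count(); }
};
// Premade-shape cache for object literals, keyed by literal site.
struct ShapeCache {
    bool cache_dictionary_shapes; // true = old behaviour, false = the fix
    std::map<int, std::shared_ptr<Shape>> cache;
    std::shared_ptr<Shape> shape_for_literal(int site, size_t property_count) {
        if (cache.count(site)) return cache[site];
        auto shape = std::make_shared<Shape>();
        bool is_dictionary = property_count > 64; // large literals go dictionary
        for (size_t i = 0; i < property_count; ++i)
            shape->property_names.push_back("p" + std::to_string(i));
        if (!is_dictionary || cache_dictionary_shapes)
            cache[site] = shape;
        return shape;
    }
};
// Commit scenario: the same 65-property literal built three times in a loop, then one object adds a property. Returns how many objects are left undersized.
size_t count_undersized_objects(bool cache_dictionary_shapes) {
    ShapeCache cache { cache_dictionary_shapes, {} };
    std::vector<Object> objects;
    for (int i = 0; i < 3; ++i) {
        auto shape = cache.shape_for_literal(0, 65);
        objects.push_back(Object { shape, std::vector<int>(shape->property_count(), 0) });
    }
    objects[0].add_property_without_transition("extra", 1);
    size_t undersized = 0;
    for (auto const& object : objects)
        undersized += object.storage_is_undersized() ? 1 : 0;
    return undersized;
}
```

With the old behaviour the two objects that did not add the property report storage smaller than the shared shape claims; with dictionary shapes excluded from the cache, none do.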