LibJS: Fix two issues with array (length > INT32_MAX)

1. Allow Value(size_t) and use it for array length properties. If an array length can't fit in an Int32 value, we shouldn't go out of or way to force it into one. Instead, for values above INT32_MAX, we simply store them as Double values. 2. Switch to generic indexed property storage for large arrays. Previously we would always allocate array storage eagerly when the length property was set. This meant that "a.length = 0x80000000" would trivially DOS the engine on 32-bit since we don't have that much VM. We now switch to generic storage when changing the length moves us over the 4M entry mark. Fixes #5986.
Author: https://github.com/awesomekling Commit: 077406dc36
2025-05-10 21:22:53 +00:00 · 2021-03-30 13:32:19 +02:00 · 2021-03-30 13:32:19 +02:00 · 077406dc36 · 2024-07-18 20:57:20 +09:00
commit 077406dc36
parent 54f6b52f71
4 changed files with 34 additions and 1 deletions
--- a/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js
+++ b/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js
@ -34,4 +34,14 @@ describe("normal behavior", () => {
        a.length = true;
        expect(a).toHaveLength(1);
    });
+
+    test("setting a huge array length", () => {
+        var a = [];
+        a.length = 0x80000000;
+        expect(a.length).toEqual(0x80000000);
+
+        var b = [];
+        b.length = 0x80000001;
+        expect(b.length).toEqual(0x80000001);
+    });
 });