LibJS: Introduce "dictionary" mode for object shapes

This is similar to "unique" shapes, which were removed in commit 3d92c26445. The key difference is that dictionary shapes don't have a serial number, but instead have a "cacheable" flag. Shapes become dictionaries after 64 transitions have occurred, at which point no further transitions occur. As long as properties are only added to a dictionary shape, it remains cacheable. (Since if we've cached the shape pointer in an IC somewhere, we know the IC is still valid.) Deleting a property from a dictionary shape causes it to become an uncacheable dictionary. Note that deleting a property from a non-dictionary shape still performs a delete transition. This fixes an issue on Discord where Object.freeze() would eventually OOM us, since they add more than 16000 properties to a single object before freezing it. It also yields a 15% speedup on Octane/pdfjs.js :^)
2025-07-25 14:27:35 +00:00 · 2023-12-16 11:34:01 +01:00 · 2023-12-16 11:34:01 +01:00 · 1e90379008
commit 1e90379008
parent 8255a1a5ee
4 changed files with 94 additions and 4 deletions
--- a/Userland/Libraries/LibJS/Tests/builtins/Object/Object.freeze.js
+++ b/Userland/Libraries/LibJS/Tests/builtins/Object/Object.freeze.js
@ -75,3 +75,11 @@ test("does not override frozen function name", () => {
    const obj = Object.freeze({ name: func });
    expect(obj.name()).toBe(12);
 });
+
+test("freeze with huge number of properties doesn't crash", () => {
+    const o = {};
+    for (let i = 0; i < 50_000; ++i) {
+        o["prop" + i] = 1;
+    }
+    Object.freeze(o);
+});