LibJS: Grow storage when adding a property to uniquely-shaped Object

Normally the storage would be expanded by set_shape() upon transition
to a new shape, but if the shape is already unique, there is no new
transition so we have to expand the storage manually.

2 files changed, 11 insertions, 0 deletions

diff --git a/Libraries/LibJS/Runtime/Object.cpp b/Libraries/LibJS/Runtime/Object.cpp
index e0d757395e..e5a358eb3d 100644
--- a/Libraries/LibJS/Runtime/Object.cpp
+++ b/Libraries/LibJS/Runtime/Object.cpp
@@ -119,6 +119,7 @@ void Object::put_own_property(Object& this_object, const FlyString& property_nam
     if (!metadata.has_value()) {
         if (m_shape->is_unique()) {
             m_shape->add_property_to_unique_shape(property_name, attributes);
+            m_storage.resize(m_shape->property_count());
         } else {
             set_shape(*m_shape->create_put_transition(property_name, attributes));
         }
diff --git a/Libraries/LibJS/Tests/delete-globalThis-property-crash.js b/Libraries/LibJS/Tests/delete-globalThis-property-crash.js
new file mode 100644
index 0000000000..246d9debff
--- /dev/null
+++ b/Libraries/LibJS/Tests/delete-globalThis-property-crash.js
@@ -0,0 +1,10 @@
+load("test-common.js");
+
+try {
+    a = 1;
+    assert(delete globalThis.a === true);
+    a = 2;
+    console.log("PASS");
+} catch (e) {
+    console.log("FAIL: " + e);
+}