authorAndreas Kling <kling@serenityos.org>2021-03-30 13:32:19 +0200
committerAndreas Kling <kling@serenityos.org>2021-03-30 13:52:56 +0200
commit077406dc36e494366c3a3ece98638028554a1c6c (patch)
tree6d8a8e2bccff3deb710e771b78a6666a31f6c724 /Userland/Libraries/LibJS/Tests
parent54f6b52f713d996999bd718b71f7e378fcc01bb1 (diff)
LibJS: Fix two issues with array (length > INT32_MAX)
1. Allow Value(size_t) and use it for array length properties. If an array length can't fit in an Int32 value, we shouldn't go out of our way to force it into one. Instead, for values above INT32_MAX, we simply store them as Double values. 2. Switch to generic indexed property storage for large arrays. Previously we would always allocate array storage eagerly when the length property was set. This meant that "a.length = 0x80000000" would trivially DOS the engine on 32-bit since we don't have that much VM. We now switch to generic storage when changing the length moves us over the 4M entry mark. Fixes #5986.
Diffstat (limited to 'Userland/Libraries/LibJS/Tests')
-rw-r--r--Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js10
1 files changed, 10 insertions, 0 deletions
diff --git a/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js b/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js
index 9a1043f5d4..662fd6e04e 100644
--- a/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js
+++ b/Userland/Libraries/LibJS/Tests/builtins/Array/array-length-setter.js
@@ -34,4 +34,14 @@ describe("normal behavior", () => {
a.length = true;
expect(a).toHaveLength(1);
});
+
+ test("setting a huge array length", () => {
+ var a = [];
+ a.length = 0x80000000;
+ expect(a.length).toEqual(0x80000000);
+
+ var b = [];
+ b.length = 0x80000001;
+ expect(b.length).toEqual(0x80000001);
+ });
});
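Review bot: The added "setting a huge array length" test pins only two values just above INT32_MAX, so neither the largest valid length nor the state of the array after the huge assignment is covered. Since the commit message describes this as a fix for an allocation-driven denial of service, I would add the upper bound, `var c = []; c.length = 0xffffffff; expect(c.length).toEqual(0xffffffff);`, and a shrink-back check on the first array, `a.length = 0; expect(a).toHaveLength(0);`, so that the switch to generic storage is exercised in both directions. A case at the 4M-entry switch point named in the commit message would also help, because on a 64-bit host an eager allocation at 0x80000000 may simply succeed and hide a regression; the exact constant is not visible in this hunk. The enclosing `describe("normal behavior", ...)` block starts outside the hunk.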