Fix Array index normalize helper when index is large.

JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai.u-szeged@partner.samsung.com
2025-12-15 16:29:21 +00:00 · 2015-07-23 13:55:54 +02:00 · 2015-07-23 13:55:54 +02:00 · 6567651b6c
commit 6567651b6c
parent ee8d65063f
3 changed files with 50 additions and 8 deletions
--- a/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.cpp
+++ b/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.cpp
@ -299,21 +299,29 @@ ecma_builtin_helper_array_index_normalize (ecma_number_t index, /**< index */
    }
    else
    {
-      const int32_t int_index = ecma_number_to_int32 (index);
-
-      if (int_index < 0)
+      if (ecma_number_is_negative (index))
      {
-        const uint32_t uint_index = (uint32_t) - int_index;
-        norm_index = uint_index > length ? 0 : length - uint_index;
+        ecma_number_t index_neg = ecma_number_negate (index);
+
+        if (index_neg > length)
+        {
+          norm_index = 0;
+        }
+        else
+        {
+          norm_index = length - ecma_number_to_uint32 (index_neg);
+        }
      }
      else
      {
-        norm_index = (uint32_t) int_index;
-
-        if (norm_index > length)
+        if (index > length)
        {
          norm_index = length;
        }
+        else
+        {
+          norm_index = ecma_number_to_uint32 (index);
+        }
      }
    }
  }
--- a/tests/jerry/array-prototype-slice.js
+++ b/tests/jerry/array-prototype-slice.js
@ -58,6 +58,27 @@ assert (array7[3] == -127);

 assert (array8.length == 0);

+var array = [];
+array[4294967293] = "foo";
+array.length = 4294967295;
+var result = array.slice(4294967293, -1)
+assert(result.length === 1)
+assert(result[0] === "foo")
+
+array[0] = "bar";
+var result = array.slice(-4294967295, -4294967294)
+assert(result.length === 1)
+assert(result[0] === "bar")
+
+var array = [];
+array[0] = "foo";
+var result = array.slice(4294967296, 4294967297);
+assert(result.length === 0);
+
+array[4294967293] = "bar";
+var result = array.slice(-4294967297, -4294967296);
+assert(result.length === 0);
+
 // Checking behavior when unable to get length
 var obj = { slice : Array.prototype.slice };
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });
--- a/tests/jerry/array-prototype-splice.js
+++ b/tests/jerry/array-prototype-splice.js
@ -131,6 +131,19 @@ assert (array10[0] == undefined);
 assert (array10[1] == -127);
 assert (array10[2] == "sunshine");

+var array = [];
+array[4294967294] = "foo";
+var result = array.splice(4294967294, 1, "x")
+assert(result.length === 1)
+assert(result[0] === "foo")
+assert(array[4294967294] === "x")
+
+array[0] = "bar";
+var result = array.splice(-4294967295, 1, "y");
+assert(result.length === 1)
+assert(result[0] === "bar")
+assert(array[0] === "y")
+
 // Checking behavior when unable to get length
 var obj = {splice : Array.prototype.splice};
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });