Fix Array index normalize helper when index is large.

JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai.u-szeged@partner.samsung.com

Author: dbatyai

jerry-core/ecma/builtin-objects/ecma-builtin-helpers.cpp

@@ -299,21 +299,29 @@ ecma_builtin_helper_array_index_normalize (ecma_number_t index, /**< index */
     }
     else
     {
-      const int32_t int_index = ecma_number_to_int32 (index);
-
-      if (int_index < 0)
+      if (ecma_number_is_negative (index))
       {
-        const uint32_t uint_index = (uint32_t) - int_index;
-        norm_index = uint_index > length ? 0 : length - uint_index;
+        ecma_number_t index_neg = ecma_number_negate (index);
+
+        if (index_neg > length)
+        {
+          norm_index = 0;
+        }
+        else
+        {
+          norm_index = length - ecma_number_to_uint32 (index_neg);
+        }
       }
       else
       {
-        norm_index = (uint32_t) int_index;
-
-        if (norm_index > length)
+        if (index > length)
         {
           norm_index = length;
         }
+        else
+        {
+          norm_index = ecma_number_to_uint32 (index);
+        }
       }
     }
   }

tests/jerry/array-prototype-slice.js

@@ -58,6 +58,27 @@ assert (array7[3] == -127);
 
 assert (array8.length == 0);
 
+var array = [];
+array[4294967293] = "foo";
+array.length = 4294967295;
+var result = array.slice(4294967293, -1)
+assert(result.length === 1)
+assert(result[0] === "foo")
+
+array[0] = "bar";
+var result = array.slice(-4294967295, -4294967294)
+assert(result.length === 1)
+assert(result[0] === "bar")
+
+var array = [];
+array[0] = "foo";
+var result = array.slice(4294967296, 4294967297);
+assert(result.length === 0);
+
+array[4294967293] = "bar";
+var result = array.slice(-4294967297, -4294967296);
+assert(result.length === 0);
+
 // Checking behavior when unable to get length
 var obj = { slice : Array.prototype.slice };
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });

tests/jerry/array-prototype-splice.js

@@ -131,6 +131,19 @@ assert (array10[0] == undefined);
 assert (array10[1] == -127);
 assert (array10[2] == "sunshine");
 
+var array = [];
+array[4294967294] = "foo";
+var result = array.splice(4294967294, 1, "x")
+assert(result.length === 1)
+assert(result[0] === "foo")
+assert(array[4294967294] === "x")
+
+array[0] = "bar";
+var result = array.splice(-4294967295, 1, "y");
+assert(result.length === 1)
+assert(result[0] === "bar")
+assert(array[0] === "y")
+
 // Checking behavior when unable to get length
 var obj = {splice : Array.prototype.splice};
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });