Fix Array index normalize helper when index is large.

dbatyai · dbatyai · commit 9da491daaea6 · 2015-07-23T13:57:17.000+02:00
JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai dbatyai.u-szeged@partner.samsung.com
diff --git a/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.cpp b/jerry-core/ecma/builtin-objects/ecma-builtin-helpers.cpp
@@ -299,16 +299,14 @@ ecma_builtin_helper_array_index_normalize (ecma_number_t index, /**< index */
     }
     else
     {
-      const int32_t int_index = ecma_number_to_int32 (index);
-
-      if (int_index < 0)
+      if (ecma_number_is_negative (index))
       {
-        const uint32_t uint_index = (uint32_t) - int_index;
+        const uint32_t uint_index = ecma_number_to_uint32 (ecma_number_negate (index));
         norm_index = uint_index > length ? 0 : length - uint_index;
       }
       else
       {
-        norm_index = (uint32_t) int_index;
+        norm_index = ecma_number_to_uint32 (index);
 
         if (norm_index > length)
         {
diff --git a/tests/jerry/array-prototype-slice.js b/tests/jerry/array-prototype-slice.js
@@ -58,6 +58,18 @@ assert (array7[3] == -127);
 
 assert (array8.length == 0);
 
+var array = [];
+array[4294967293] = "foo";
+array.length = 4294967295;
+var result = array.slice(4294967293, -1)
+assert(result.length === 1)
+assert(result[0] === "foo")
+
+array[0] = "bar";
+var result = array.slice(-4294967295, -4294967294)
+assert(result.length === 1)
+assert(result[0] === "bar")
+
 // Checking behavior when unable to get length
 var obj = { slice : Array.prototype.slice };
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });
diff --git a/tests/jerry/array-prototype-splice.js b/tests/jerry/array-prototype-splice.js
@@ -119,6 +119,19 @@ assert (array[2] == -127);
 assert (array[3] == "sunshine");
 assert (array9.length == 0);
 
+var array = [];
+array[4294967294] = "foo";
+var result = array.splice(4294967294, 1, "x")
+assert(result.length === 1)
+assert(result[0] === "foo")
+assert(array[4294967294] === "x")
+
+array[0] = "bar";
+var result = array.splice(-4294967295, 1, "y");
+assert(result.length === 1)
+assert(result[0] === "bar")
+assert(array[0] === "y")
+
 // Checking behavior when unable to get length
 var obj = {splice : Array.prototype.splice};
 Object.defineProperty(obj, 'length', { 'get' : function () { throw new ReferenceError ("foo"); } });

Original file line number	Diff line number	Diff line change
`@@ -299,16 +299,14 @@ ecma_builtin_helper_array_index_normalize (ecma_number_t index, /*< index /`
`299`	`299`	`}`
`300`	`300`	`else`
`301`	`301`	`{`
`302`		`- const int32_t int_index = ecma_number_to_int32 (index);`
`303`		`-`
`304`		`- if (int_index < 0)`
	`302`	`+ if (ecma_number_is_negative (index))`
`305`	`303`	`{`
`306`		`- const uint32_t uint_index = (uint32_t) - int_index;`
	`304`	`+ const uint32_t uint_index = ecma_number_to_uint32 (ecma_number_negate (index));`
`307`	`305`	`norm_index = uint_index > length ? 0 : length - uint_index;`
`308`	`306`	`}`
`309`	`307`	`else`
`310`	`308`	`{`
`311`		`- norm_index = (uint32_t) int_index;`
	`309`	`+ norm_index = ecma_number_to_uint32 (index);`
`312`	`310`
`313`	`311`	`if (norm_index > length)`
`314`	`312`	`{`