Bug 1354974: Handle array indices greater than 2^31-1 when collecting indices for Array.prototype.slice. r=jandem

--HG-- extra : rebase_source : 833f4df43a4f67cb925511546414ff0b6e5a128a
2017-04-26 09:25:34 -07:00 · 2017-04-26 09:25:34 -07:00 · 64ab7a5b1c
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -2824,10 +2824,10 @@ GetIndexedPropertiesInRange(JSContext* cx, HandleObject obj, uint32_t begin, uin
            for (; !r.empty(); r.popFront()) {
                Shape& shape = r.front();
                jsid id = shape.propid();
-                if (!JSID_IS_INT(id))
+                uint32_t i;
+                if (!IdIsIndex(id, &i))
                    continue;

-                uint32_t i = uint32_t(JSID_TO_INT(id));
                if (!(begin <= i && i < end))
                    continue;

--- a/js/src/tests/ecma_7/Array/slice-sparse-with-large-index.js
+++ b/js/src/tests/ecma_7/Array/slice-sparse-with-large-index.js
@ -0,0 +1,18 @@
+var array = [];
+array[2**31 - 2] = "INT32_MAX - 1";
+array[2**31 - 1] = "INT32_MAX";
+array[2**31 - 0] = "INT32_MAX + 1";
+array[2**32 - 2] = "UINT32_MAX - 1";
+array[2**32 - 1] = "UINT32_MAX";
+array[2**32 - 0] = "UINT32_MAX + 1";
+
+var copy = array.slice();
+assertEq(copy[2**31 - 2], "INT32_MAX - 1");
+assertEq(copy[2**31 - 1], "INT32_MAX");
+assertEq(copy[2**31 - 0], "INT32_MAX + 1");
+assertEq(copy[2**32 - 2], "UINT32_MAX - 1");
+assertEq(copy[2**32 - 1], undefined);
+assertEq(copy[2**32 - 0], undefined);
+
+if (typeof reportCompare === "function")
+    reportCompare(true, true);