Fix length check for Array.prototype indexOf, lastIndexOf and fill

JerryScript-DCO-1.0-Signed-off-by: Adam Szilagyi [email protected]

Author: szilagyiadam

jerry-core/ecma/builtin-objects/ecma-builtin-array-prototype.c

@@ -1676,9 +1676,15 @@ ecma_builtin_array_prototype_object_index_of (const ecma_value_t args[], /**< ar
   {
     ecma_extended_object_t *ext_obj_p = (ecma_extended_object_t *) obj_p;
 
-    if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE
-        && len != 0)
+    if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE)
     {
+      if (JERRY_UNLIKELY (obj_p->u1.property_list_cp == JMEM_CP_NULL))
+      {
+        return ecma_make_integer_value (-1);
+      }
+
+      len = JERRY_MIN (ext_obj_p->u.array.length, len);
+
       ecma_value_t *buffer_p = ECMA_GET_NON_NULL_POINTER (ecma_value_t, obj_p->u1.property_list_cp);
 
       while (from_idx < len)
@@ -1775,12 +1781,16 @@ ecma_builtin_array_prototype_object_last_index_of (const ecma_value_t args[], /*
   if (ecma_op_object_is_fast_array (obj_p))
   {
     ecma_extended_object_t *ext_obj_p = (ecma_extended_object_t *) obj_p;
-    // It is possible that the length changed due to the callback performed above.
-    uint32_t array_length = ext_obj_p->u.array.length;
 
-    if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE
-        && array_length > 0)
+    if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE)
     {
+      if (JERRY_UNLIKELY (obj_p->u1.property_list_cp == JMEM_CP_NULL))
+      {
+        return ecma_make_integer_value (-1);
+      }
+
+      len = JERRY_MIN (ext_obj_p->u.array.length, len);
+
       ecma_value_t *buffer_p = ECMA_GET_NON_NULL_POINTER (ecma_value_t, obj_p->u1.property_list_cp);
 
       while (from_idx < len)
@@ -2294,9 +2304,14 @@ ecma_builtin_array_prototype_fill (ecma_value_t value, /**< value */
     ecma_extended_object_t *ext_obj_p = (ecma_extended_object_t *) obj_p;
 
     if (ext_obj_p->u.array.u.hole_count < ECMA_FAST_ARRAY_HOLE_ONE
-        && len != 0
         && ecma_op_ordinary_object_is_extensible (obj_p))
     {
+      if (JERRY_UNLIKELY (obj_p->u1.property_list_cp == JMEM_CP_NULL))
+      {
+        ecma_ref_object (obj_p);
+        return ecma_make_object_value (obj_p);
+      }
+
       ecma_value_t *buffer_p = ECMA_GET_NON_NULL_POINTER (ecma_value_t, obj_p->u1.property_list_cp);
 
       while (k < final)

tests/jerry/array-prototype-indexof.js

@@ -86,3 +86,33 @@ try {
   assert(e.message === "foo");
   assert(e instanceof ReferenceError);
 }
+
+// Remove the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.indexOf(4, {
+    valueOf: function() {
+        array.length = 0;
+    }
+})
+
+assert(value === -1);
+
+// Extend the buffer
+var array = [1, 2, 3];
+var value = array.indexOf(2, {
+    valueOf: function() {
+        array.length = 5;
+    }
+})
+
+assert(value === 1);
+
+// Reduce the buffer
+var array = [1, 2, 3, 4, 5, 6, 7];
+var value = array.indexOf(6, {
+    valueOf: function() {
+        array.length = 5;
+    }
+})
+
+assert(value === -1);

tests/jerry/array-prototype-lastindexof.js

@@ -69,3 +69,33 @@ try {
   assert(e.message === "foo");
   assert(e instanceof ReferenceError);
 }
+
+// Remove the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.lastIndexOf(4, {
+    valueOf: function() {
+        array.length = 0;
+    }
+})
+
+assert(value === -1);
+
+// Extend the buffer
+var array = [1, 2, 3];
+var value = array.lastIndexOf(1, {
+    valueOf: function() {
+        array.length = 5;
+    }
+})
+
+assert(value === 0);
+
+// Reduce the buffer
+var array = [1, 2, 3, 4, 5, 6, 7];
+var value = array.indexOf(5, {
+    valueOf: function() {
+        array.length = 2;
+    }
+})
+
+assert(value === -1);

tests/jerry/array-prototype-slice.js

@@ -151,3 +151,33 @@ try {
   assert (e.message === "foo");
   assert (e instanceof ReferenceError);
 }
+
+// Remove the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.slice(4, {
+    valueOf: function() {
+        array.length = 0;
+    }
+})
+
+print(JSON.stringify(value) === '[]')
+
+// Extend the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.slice(6, {
+    valueOf: function() {
+        array.length = 10;
+    }
+})
+
+print(JSON.stringify(value) === '[]')
+
+// Reduce the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.slice(1, {
+    valueOf: function() {
+        array.length = 3;
+    }
+})
+
+print(JSON.stringify(value) === '[]')

tests/jerry/es2015/array-prototype-copywithin.js

@@ -79,3 +79,33 @@ var obj = { '0' : 2, '2' : "foo", length : 3, copyWithin : Array.prototype.copyW
 obj.copyWithin(1);
 assert(obj[0] === 2);
 assert(obj[1] === 2);
+
+// Remove the buffer
+var array = [1, 2, 3];
+var value = array.copyWithin(0, {
+    valueOf: function() {
+        array.length = 0;
+    }
+})
+
+assert(JSON.stringify(value) === '[]');
+
+// Extend the buffer
+var array = [1, 2, 3];
+var value = array.copyWithin(1, {
+    valueOf: function() {
+        array.length = 6;
+    }
+})
+
+assert(JSON.stringify(value) === '[1,1,2,null,null,null]')
+
+// Reduce the buffer
+var array = [1, 2, 3, 4, 5, 6, 7];
+var value = array.copyWithin(4, 2, {
+    valueOf: function() {
+        array.length = 3;
+    }
+})
+
+assert(JSON.stringify(value) === '[1,2,3]')

tests/jerry/es2015/array-prototype-fill.js

@@ -177,3 +177,33 @@ function TestFillFrozenObject () {
   }
 }
 TestFillFrozenObject ();
+
+// Remove the buffer
+var array = [1, 2, 3, 4, 5];
+var value = array.fill(2, 0, {
+    valueOf: function() {
+        array.length = 0;
+    }
+})
+
+assert(JSON.stringify(value) === '[]');
+
+// Extend the buffer
+var array = [1, 2, 3];
+var value = array.fill(1, {
+    valueOf: function() {
+        array.length = 6;
+    }
+})
+
+assert(JSON.stringify(value) === '[1,1,1,null,null,null]');
+
+// Reduce the buffer
+var array = [1, 2, 3, 4, 5, 6, 7];
+var value = array.fill(4, {
+    valueOf: function() {
+        array.length = 3;
+    }
+})
+
+assert(JSON.stringify(value) === '[4,4,4]');