8011357: Array.prototype.slice and Array.prototype.splice should not call user defined valueOf of start, end arguments more than once

Reviewed-by: lagergren, hannesw
2026-02-24 09:10:08 +00:00 · 2013-04-03 11:41:42 +05:30 · 2013-04-03 11:41:42 +05:30 · d35b6ae5f6
commit d35b6ae5f6
parent e96d207c68
2 changed files with 77 additions and 6 deletions
--- a/nashorn/src/jdk/nashorn/internal/objects/NativeArray.java
+++ b/nashorn/src/jdk/nashorn/internal/objects/NativeArray.java
@ -754,8 +754,9 @@ public final class NativeArray extends ScriptObject {
        final Object       obj                 = Global.toObject(self);
        final ScriptObject sobj                = (ScriptObject)obj;
        final long         len                 = JSType.toUint32(sobj.getLength());
-        final long         relativeStartUint32 = JSType.toUint32(start);
-        final long         relativeStart       = JSType.toInteger(start);
+        final double       startNum            = JSType.toNumber(start);
+        final long         relativeStartUint32 = JSType.toUint32(startNum);
+        final long         relativeStart       = JSType.toInteger(startNum);

        long k = relativeStart < 0 ?
                Math.max(len + relativeStart, 0) :
@ -763,8 +764,9 @@ public final class NativeArray extends ScriptObject {
                    Math.max(relativeStartUint32, relativeStart),
                    len);

-        final long relativeEndUint32 = end == ScriptRuntime.UNDEFINED ? len : JSType.toUint32(end);
-        final long relativeEnd       = end == ScriptRuntime.UNDEFINED ? len : JSType.toInteger(end);
+        final double endNum = (end == ScriptRuntime.UNDEFINED)? Double.NaN : JSType.toNumber(end);
+        final long relativeEndUint32 = (end == ScriptRuntime.UNDEFINED)? len : JSType.toUint32(endNum);
+        final long relativeEnd       = (end == ScriptRuntime.UNDEFINED)? len : JSType.toInteger(endNum);

        final long finale = relativeEnd < 0 ?
                Math.max(len + relativeEnd, 0) :
@ -895,8 +897,9 @@ public final class NativeArray extends ScriptObject {
        final ScriptObject sobj                = (ScriptObject)obj;
        final boolean      strict              = Global.isStrict();
        final long         len                 = JSType.toUint32(sobj.getLength());
-        final long         relativeStartUint32 = JSType.toUint32(start);
-        final long         relativeStart       = JSType.toInteger(start);
+        final double       startNum            = JSType.toNumber(start);
+        final long         relativeStartUint32 = JSType.toUint32(startNum);
+        final long         relativeStart       = JSType.toInteger(startNum);

        //TODO: workaround overflow of relativeStart for start > Integer.MAX_VALUE
        final long actualStart = relativeStart < 0 ?
--- a/nashorn/test/script/basic/JDK-8011357.js
+++ b/nashorn/test/script/basic/JDK-8011357.js
@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8011357: Array.prototype.slice and Array.prototype.splice should not call user defined valueOf of start, end arguments more than once
+ *
+ * @test
+ * @run
+ */
+
+var startValueOf = 0;
+var endValueOf = 0;
+
+[].slice(
+    {
+        valueOf: function() {
+           startValueOf++;
+        }
+    },
+    {
+        valueOf: function() {
+            endValueOf++;
+        }
+    }
+);
+
+if (startValueOf !== 1) {
+    fail("Array.prototype.slice should call valueOf on start arg once");
+}
+
+if (endValueOf !== 1) {
+    fail("Array.prototype.slice should call valueOf on end arg once");
+}
+
+startValueOf = 0;
+
+[].splice(
+    {
+        valueOf: function() {
+           startValueOf++;
+        }
+    }
+);
+
+if (startValueOf !== 1) {
+    fail("Array.prototype.splice should call valueOf on start arg once");
+}
+