Bug 1965844 - Part 1: Use ToIntegerIndex for Array built-ins. r=jandem

anba · anba · commit 47a87aed4f82 · 2025-05-13T10:53:01.000Z
Use the new `ToIntegerIndex` helper function. Drive-by change: - Update spec references in the modified methods. Differential Revision: https://phabricator.services.mozilla.com/D248926
diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
@@ -3082,32 +3082,8 @@ static bool CopyArrayElements(JSContext* cx, HandleObject obj, uint64_t begin,
 // Helpers for array_splice_impl() and array_to_spliced()
 //
 // Initialize variables common to splice() and toSpliced():
-// - GetActualStart() returns the index at which to start deleting elements.
 // - GetItemCount() returns the number of new elements being added.
 // - GetActualDeleteCount() returns the number of elements being deleted.
-static bool GetActualStart(JSContext* cx, HandleValue start, uint64_t len,
-                           uint64_t* result) {
-  MOZ_ASSERT(len < DOUBLE_INTEGRAL_PRECISION_LIMIT);
-
-  // Steps from proposal: https://github.com/tc39/proposal-change-array-by-copy
-  // Array.prototype.toSpliced()
-
-  // Step 3. Let relativeStart be ? ToIntegerOrInfinity(start).
-  double relativeStart;
-  if (!ToInteger(cx, start, &relativeStart)) {
-    return false;
-  }
-
-  // Steps 4-5. If relativeStart is -∞, let actualStart be 0.
-  // Else if relativeStart < 0, let actualStart be max(len + relativeStart, 0).
-  if (relativeStart < 0) {
-    *result = uint64_t(std::max(double(len) + relativeStart, 0.0));
-  } else {
-    // Step 6. Else, let actualStart be min(relativeStart, len).
-    *result = uint64_t(std::min(relativeStart, double(len)));
-  }
-  return true;
-}
 
 static uint32_t GetItemCount(const CallArgs& args) {
   if (args.length() < 2) {
@@ -3124,9 +3100,6 @@ static bool GetActualDeleteCount(JSContext* cx, const CallArgs& args,
   MOZ_ASSERT(actualStart <= len);
   MOZ_ASSERT(insertCount == GetItemCount(args));
 
-  // Steps from proposal: https://github.com/tc39/proposal-change-array-by-copy
-  // Array.prototype.toSpliced()
-
   if (args.length() < 1) {
     // Step 8. If start is not present, then let actualDeleteCount be 0.
     *actualDeleteCount = 0;
@@ -3181,10 +3154,13 @@ static bool array_splice_impl(JSContext* cx, unsigned argc, Value* vp,
   /* Steps 3-6. */
   /* actualStart is the index after which elements will be
      deleted and/or new elements will be added */
-  uint64_t actualStart;
-  if (!GetActualStart(cx, args.get(0), len, &actualStart)) {
-    return false;
+  uint64_t actualStart = 0;
+  if (args.hasDefined(0)) {
+    if (!ToIntegerIndex(cx, args[0], len, &actualStart)) {
+      return false;
+    }
   }
+  MOZ_ASSERT(actualStart <= len);
 
   /* Steps 7-10.*/
   /* itemCount is the number of elements being added */
@@ -3498,8 +3474,8 @@ static void CopyDenseElementsFillHoles(ArrayObject* arr, NativeObject* nobj,
   MOZ_ASSERT(arr->denseElementsArePacked());
 }
 
-// https://github.com/tc39/proposal-change-array-by-copy
-// Array.prototype.toSpliced()
+// ES2026 draft rev a562082b031d89d00ee667181ce8a6158656bd4b
+// 23.1.3.35 Array.prototype.toSpliced ( start, skipCount, ...items )
 static bool array_toSpliced(JSContext* cx, unsigned argc, Value* vp) {
   AutoJSMethodProfilerEntry pseudoFrame(cx, "Array.prototype", "toSpliced");
   CallArgs args = CallArgsFromVp(argc, vp);
@@ -3519,9 +3495,11 @@ static bool array_toSpliced(JSContext* cx, unsigned argc, Value* vp) {
   // Steps 3-6.
   // |actualStart| is the index after which elements will be deleted and/or
   // new elements will be added
-  uint64_t actualStart;
-  if (!GetActualStart(cx, args.get(0), len, &actualStart)) {
-    return false;
+  uint64_t actualStart = 0;
+  if (args.hasDefined(0)) {
+    if (!ToIntegerIndex(cx, args[0], len, &actualStart)) {
+      return false;
+    }
   }
   MOZ_ASSERT(actualStart <= len);
 
@@ -4038,19 +4016,6 @@ static JSObject* SliceArguments(JSContext* cx, Handle<ArgumentsObject*> argsobj,
   return result;
 }
 
-template <typename T, typename ArrayLength>
-static inline ArrayLength NormalizeSliceTerm(T value, ArrayLength length) {
-  if (value < 0) {
-    value += length;
-    if (value < 0) {
-      return 0;
-    }
-  } else if (double(value) > double(length)) {
-    return length;
-  }
-  return ArrayLength(value);
-}
-
 static bool ArraySliceOrdinary(JSContext* cx, HandleObject obj, uint64_t begin,
                                uint64_t end, MutableHandleValue rval) {
   if (begin > end) {
@@ -4141,26 +4106,19 @@ static bool array_slice(JSContext* cx, unsigned argc, Value* vp) {
     return false;
   }
 
+  /* Steps 3-4. */
   uint64_t k = 0;
-  uint64_t final = length;
-  if (args.length() > 0) {
-    double d;
-    /* Step 3. */
-    if (!ToInteger(cx, args[0], &d)) {
+  if (args.hasDefined(0)) {
+    if (!ToIntegerIndex(cx, args[0], length, &k)) {
       return false;
     }
+  }
 
-    /* Step 4. */
-    k = NormalizeSliceTerm(d, length);
-
-    if (args.hasDefined(1)) {
-      /* Step 5. */
-      if (!ToInteger(cx, args[1], &d)) {
-        return false;
-      }
-
-      /* Step 6. */
-      final = NormalizeSliceTerm(d, length);
+  /* Steps 5-6. */
+  uint64_t final = length;
+  if (args.hasDefined(1)) {
+    if (!ToIntegerIndex(cx, args[1], length, &final)) {
+      return false;
     }
   }
 
@@ -4218,6 +4176,13 @@ static bool array_slice(JSContext* cx, unsigned argc, Value* vp) {
   return true;
 }
 
+static inline uint32_t NormalizeSliceTerm(int32_t value, uint32_t length) {
+  if (value >= 0) {
+    return std::min(uint32_t(value), length);
+  }
+  return uint32_t(std::max(int32_t(uint32_t(value) + length), 0));
+}
+
 static bool ArraySliceDenseKernel(JSContext* cx, ArrayObject* arr,
                                   int32_t beginArg, int32_t endArg,
                                   ArrayObject* result) {
@@ -4494,8 +4459,8 @@ static bool SearchElementDense(JSContext* cx, HandleValue val, Iter iterator,
   return iterator(cx, cmp, rval);
 }
 
-// ES2020 draft rev dc1e21c454bd316810be1c0e7af0131a2d7f38e9
-// 22.1.3.14 Array.prototype.indexOf ( searchElement [ , fromIndex ] )
+// ES2026 draft rev a562082b031d89d00ee667181ce8a6158656bd4b
+// 23.1.3.17 Array.prototype.indexOf ( searchElement [ , fromIndex ] )
 bool js::array_indexOf(JSContext* cx, unsigned argc, Value* vp) {
   AutoJSMethodProfilerEntry pseudoFrame(cx, "Array.prototype", "indexOf");
   CallArgs args = CallArgsFromVp(argc, vp);
@@ -4518,36 +4483,25 @@ bool js::array_indexOf(JSContext* cx, unsigned argc, Value* vp) {
     return true;
   }
 
-  // Steps 4-8.
+  // Steps 4-9.
   uint64_t k = 0;
-  if (args.length() > 1) {
-    double n;
-    if (!ToInteger(cx, args[1], &n)) {
+  if (args.hasDefined(1)) {
+    if (!ToIntegerIndex(cx, args[1], len, &k)) {
       return false;
     }
 
-    // Step 6.
-    if (n >= double(len)) {
+    // Return early if |k| exceeds the current length.
+    if (k >= len) {
       args.rval().setInt32(-1);
       return true;
     }
-
-    // Steps 7-8.
-    if (n >= 0) {
-      k = uint64_t(n);
-    } else {
-      double d = double(len) + n;
-      if (d >= 0) {
-        k = uint64_t(d);
-      }
-    }
   }
 
   MOZ_ASSERT(k < len);
 
   HandleValue searchElement = args.get(0);
 
-  // Steps 9 and 10 optimized for dense elements.
+  // Step 10 optimized for dense elements.
   if (CanOptimizeForDenseStorage<ArrayAccess::Read>(obj, len)) {
     MOZ_ASSERT(len <= UINT32_MAX);
 
@@ -4591,7 +4545,7 @@ bool js::array_indexOf(JSContext* cx, unsigned argc, Value* vp) {
                                                    args.rval());
   }
 
-  // Step 9.
+  // Step 10.
   RootedValue v(cx);
   for (; k < len; k++) {
     if (!CheckForInterrupt(cx)) {
@@ -4616,7 +4570,7 @@ bool js::array_indexOf(JSContext* cx, unsigned argc, Value* vp) {
     }
   }
 
-  // Step 10.
+  // Step 11.
   args.rval().setInt32(-1);
   return true;
 }
@@ -4735,8 +4689,8 @@ bool js::array_lastIndexOf(JSContext* cx, unsigned argc, Value* vp) {
   return true;
 }
 
-// ES2020 draft rev dc1e21c454bd316810be1c0e7af0131a2d7f38e9
-// 22.1.3.13 Array.prototype.includes ( searchElement [ , fromIndex ] )
+// ES2026 draft rev a562082b031d89d00ee667181ce8a6158656bd4b
+// 23.1.3.16 Array.prototype.includes ( searchElement [ , fromIndex ] )
 bool js::array_includes(JSContext* cx, unsigned argc, Value* vp) {
   AutoJSMethodProfilerEntry pseudoFrame(cx, "Array.prototype", "includes");
   CallArgs args = CallArgsFromVp(argc, vp);
@@ -4759,35 +4713,25 @@ bool js::array_includes(JSContext* cx, unsigned argc, Value* vp) {
     return true;
   }
 
-  // Steps 4-7.
+  // Steps 4-9.
   uint64_t k = 0;
-  if (args.length() > 1) {
-    double n;
-    if (!ToInteger(cx, args[1], &n)) {
+  if (args.hasDefined(1)) {
+    if (!ToIntegerIndex(cx, args[1], len, &k)) {
       return false;
     }
 
-    if (n >= double(len)) {
+    // Return early if |k| exceeds the current length.
+    if (k >= len) {
       args.rval().setBoolean(false);
       return true;
     }
-
-    // Steps 6-7.
-    if (n >= 0) {
-      k = uint64_t(n);
-    } else {
-      double d = double(len) + n;
-      if (d >= 0) {
-        k = uint64_t(d);
-      }
-    }
   }
 
   MOZ_ASSERT(k < len);
 
   HandleValue searchElement = args.get(0);
 
-  // Steps 8 and 9 optimized for dense elements.
+  // Step 10 optimized for dense elements.
   if (CanOptimizeForDenseStorage<ArrayAccess::Read>(obj, len)) {
     MOZ_ASSERT(len <= UINT32_MAX);
 
@@ -4836,7 +4780,7 @@ bool js::array_includes(JSContext* cx, unsigned argc, Value* vp) {
                                                     args.rval());
   }
 
-  // Step 8.
+  // Step 10.
   RootedValue v(cx);
   for (; k < len; k++) {
     if (!CheckForInterrupt(cx)) {
@@ -4857,7 +4801,7 @@ bool js::array_includes(JSContext* cx, unsigned argc, Value* vp) {
     }
   }
 
-  // Step 9.
+  // Step 11.
   args.rval().setBoolean(false);
   return true;
 }
@@ -5211,7 +5155,6 @@ static const JSFunctionSpec array_methods[] = {
     JS_SELF_HOSTED_FN("flatMap", "ArrayFlatMap", 1, 0),
     JS_SELF_HOSTED_FN("flat", "ArrayFlat", 0, 0),
 
-    /* Proposal */
     JS_SELF_HOSTED_FN("at", "ArrayAt", 1, 0),
     JS_SELF_HOSTED_FN("findLast", "ArrayFindLast", 1, 0),
     JS_SELF_HOSTED_FN("findLastIndex", "ArrayFindLastIndex", 1, 0),
