Avoid calling %AddElement with a number out of array index range

src/js/runtime.js

Index: src/js/runtime.js
diff --git a/src/js/runtime.js b/src/js/runtime.js
index 7e2f12b7d2c3e0d713c5b53fbf647bfaf4b2aa8a..54fe40d45f89b9135a4a6551086f6ecbf49dc721 100644
--- a/src/js/runtime.js
+++ b/src/js/runtime.js
@@ -194,7 +194,7 @@ function SameValueZero(x, y) {
 function ConcatIterableToArray(target, iterable) {
    var index = target.length;
    for (var element of iterable) {
-     %AddElement(target, index++, element);
+     AddIndexedProperty(target, index++, element);
    }
    return target;
 }
@@ -206,6 +206,19 @@ function ConcatIterableToArray(target, iterable) {
 */
 
 
+// This function should be called rather than %AddElement in contexts where the
+// argument might not be less than 2**32-1. ES2015 ToLength semantics mean that
+// this is a concern at basically all callsites.
+function AddIndexedProperty(obj, index, value) {
+  if (index === TO_UINT32(index)) {

[Toon Verwaest, 2015/10/29 10:41:01]

kMaxUint32 isn't a valid element either. Max length of arrays is kMaxUint32, so
max element is kMaxUint32-1.

+    %AddElement(obj, index, value);
+  } else {
+    %AddNamedProperty(obj, TO_STRING(index), value, NONE);
+  }
+}
+%SetForceInlineFlag(AddIndexedProperty);
+
+
 // ES6, draft 10-14-14, section 22.1.3.1.1
 function IsConcatSpreadable(O) {
   if (!IS_SPEC_OBJECT(O)) return false;
@@ -248,6 +261,7 @@ function MinSimple(a, b) {
 // Exports
 
 utils.Export(function(to) {
+  to.AddIndexedProperty = AddIndexedProperty;
   to.MaxSimple = MaxSimple;
   to.MinSimple = MinSimple;
   to.SameValue = SameValue;