Check that array length stays a safe integer in Array.prototype.push

src/js/array.js

Index: src/js/array.js
diff --git a/src/js/array.js b/src/js/array.js
index b13e4e239223093af848f17b0b61d4a02390e371..d9ae35d4e8609d9ef513795f80d253682a91c227 100644
--- a/src/js/array.js
+++ b/src/js/array.js
@@ -517,6 +517,13 @@ function ArrayPush() {
   var n = TO_LENGTH_OR_UINT32(array.length);
   var m = %_ArgumentsLength();
 
+  // The length of arguments can never be more than 2 ** 32, so

[adamk, 2015/10/26 21:21:02]

It looks to me like it can't be more than 2**16, actually...

[Dan Ehrenberg, 2015/10/26 22:59:31]

We talked about this offline. Apparently it can be more...

+  // we can do the comparison after subtracting that much from
+  // the length in order to avoid integer overflow.

[adamk, 2015/10/26 21:21:03]

Is this math necessary to get the right answer or is it an optimization? If the
latter, did this actually show up in some benchmark? It's definitely a little
funny-looking for a the "slow" path.

[Dan Ehrenberg, 2015/10/26 22:59:31]

It's necessary for the answer. Without that change, it was just not detecting a
single element push.

+  if ((n - (1 << 32)) + m > kMaxSafeInteger - (1 << 32)) {
+   throw MakeTypeError(kPushPastSafeLength, m, n);

[adamk, 2015/10/26 21:21:02]

Nit: indentation off, needs one more leading space.

[Dan Ehrenberg, 2015/10/26 22:59:31]

Fixed

+  }
+
   for (var i = 0; i < m; i++) {
     array[i+n] = %_Arguments(i);
   }