Fix uint64_t underflow inside Array::arrayPrototypeSplice

[farwayer]

Summary

Fixes #1912

Incorrect handling of unsigned variables causes an undeflow inside Array::arrayPrototypeSplice when calling array.splice(0). This leads to a missed call to DeleteProperty on array elements.

hermes/lib/VM/JSLib/Array.cpp

Line 2698 in 6573809

while (i > (len - actualDeleteCount + itemCount - 1)) {

If len == actualDeleteCount (as for array.splice(0)) result expression < 0 for uint64_t and the loop never executes.

Steps To Reproduce

An example with Proxy, which is a symptom:

let log = (...args) => typeof print === 'undefined' ? console.log(JSON.stringify(args)) : print(JSON.stringify(args))

let arr = new Proxy([], {
	deleteProperty(target, p) {
		log('del', target, p)
		return Reflect.deleteProperty(target, p)
	},
})

arr.push('a', 'b', 'c')
arr.splice(0)

Hermes

no messages

V8

["del",["a","b","c"],"2"]
["del",["a","b",null],"1"]
["del",["a",null,null],"0"]

Test Plan

["del",["a","b","c"],"2"]
["del",["a","b",null],"1"]
["del",["a",null,null],"0"]

[farwayer]

I also converted the counter to uint64_t, which should speed up the loop somewhat due to cheaper operations with integer variables.
And I renamed the counter from i -> k to match the specification.

[farwayer]

@lavenzg @avp @fbmal7 hi, sorry to bother, but could someone please review the pull request? If anything needs to be improved, please let me know.