# HG changeset patch
# User sundar
# Date 1364969502 -19800
# Node ID e63b20d4f08a6080fb2bcb680683b85fe7ee97e0
# Parent  e9af5451d2d11c3fd041b48be81afab1a1fb0dcc
8011357: Array.prototype.slice and Array.prototype.splice should not call user defined valueOf of start, end arguments more than once
Reviewed-by: lagergren, hannesw

diff -r e9af5451d2d1 -r e63b20d4f08a src/jdk/nashorn/internal/objects/NativeArray.java
--- a/src/jdk/nashorn/internal/objects/NativeArray.java	Tue Apr 02 23:01:10 2013 +0530
+++ b/src/jdk/nashorn/internal/objects/NativeArray.java	Wed Apr 03 11:41:42 2013 +0530
@@ -754,8 +754,9 @@
         final Object       obj                 = Global.toObject(self);
         final ScriptObject sobj                = (ScriptObject)obj;
         final long         len                 = JSType.toUint32(sobj.getLength());
-        final long         relativeStartUint32 = JSType.toUint32(start);
-        final long         relativeStart       = JSType.toInteger(start);
+        final double       startNum            = JSType.toNumber(start);
+        final long         relativeStartUint32 = JSType.toUint32(startNum);
+        final long         relativeStart       = JSType.toInteger(startNum);
 
         long k = relativeStart < 0 ?
                 Math.max(len + relativeStart, 0) :
@@ -763,8 +764,9 @@
                     Math.max(relativeStartUint32, relativeStart),
                     len);
 
-        final long relativeEndUint32 = end == ScriptRuntime.UNDEFINED ? len : JSType.toUint32(end);
-        final long relativeEnd       = end == ScriptRuntime.UNDEFINED ? len : JSType.toInteger(end);
+        final double endNum = (end == ScriptRuntime.UNDEFINED)? Double.NaN : JSType.toNumber(end);
+        final long relativeEndUint32 = (end == ScriptRuntime.UNDEFINED)? len : JSType.toUint32(endNum);
+        final long relativeEnd       = (end == ScriptRuntime.UNDEFINED)? len : JSType.toInteger(endNum);
 
         final long finale = relativeEnd < 0 ?
                 Math.max(len + relativeEnd, 0) :
@@ -895,8 +897,9 @@
         final ScriptObject sobj                = (ScriptObject)obj;
         final boolean      strict              = Global.isStrict();
         final long         len                 = JSType.toUint32(sobj.getLength());
-        final long         relativeStartUint32 = JSType.toUint32(start);
-        final long         relativeStart       = JSType.toInteger(start);
+        final double       startNum            = JSType.toNumber(start);
+        final long         relativeStartUint32 = JSType.toUint32(startNum);
+        final long         relativeStart       = JSType.toInteger(startNum);
 
         //TODO: workaround overflow of relativeStart for start > Integer.MAX_VALUE
         final long actualStart = relativeStart < 0 ?
diff -r e9af5451d2d1 -r e63b20d4f08a test/script/basic/JDK-8011357.js
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/script/basic/JDK-8011357.js	Wed Apr 03 11:41:42 2013 +0530
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2010, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ * 
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ * 
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ * 
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ * 
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * JDK-8011357: Array.prototype.slice and Array.prototype.splice should not call user defined valueOf of start, end arguments more than once
+ *
+ * @test
+ * @run
+ */
+
+var startValueOf = 0;
+var endValueOf = 0;
+
+[].slice(
+    {
+        valueOf: function() {
+           startValueOf++;
+        }
+    },
+    {
+        valueOf: function() {
+            endValueOf++;
+        }
+    }
+);
+
+if (startValueOf !== 1) {
+    fail("Array.prototype.slice should call valueOf on start arg once");
+}
+
+if (endValueOf !== 1) {
+    fail("Array.prototype.slice should call valueOf on end arg once");
+}
+
+startValueOf = 0;
+
+[].splice(
+    {
+        valueOf: function() {
+           startValueOf++;
+        }
+    }
+);
+
+if (startValueOf !== 1) {
+    fail("Array.prototype.splice should call valueOf on start arg once");
+}
+