splice must not perform HasProperty past the end of the deleted range.

(cherry picked from commit dd3d3a9)

Author: woess

graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/builtins/ArrayPrototypeBuiltins.java

@@ -1998,7 +1998,7 @@ protected Object splice(Object thisArg, Object[] args,
             if (actualDeleteCount > 0) {
                 // copy deleted elements into result array
                 branchDelete.enter(this);
-                spliceRead(thisObj, actualStart, actualDeleteCount, aObj, len);
+                spliceRead(thisObj, actualStart, actualDeleteCount, aObj);
             }
             setLength(aObj, actualDeleteCount);
 
@@ -2065,15 +2065,16 @@ final boolean mustUseElementwise(JSDynamicObject obj, long expectedLength, Scrip
                             array.length(obj) != expectedLength;
         }
 
-        private void spliceRead(Object thisObj, long actualStart, long actualDeleteCount, Object aObj, long length) {
+        private void spliceRead(Object thisObj, long actualStart, long actualDeleteCount, Object aObj) {
+            final long deleteEnd = actualDeleteCount + actualStart;
             long kPlusStart = actualStart;
             if (!hasProperty(thisObj, kPlusStart)) {
-                kPlusStart = nextElementIndex(thisObj, kPlusStart, length);
+                kPlusStart = nextElementIndex(thisObj, kPlusStart, deleteEnd);
             }
-            while (kPlusStart < (actualDeleteCount + actualStart)) {
+            while (kPlusStart < deleteEnd) {
                 Object fromValue = read(thisObj, kPlusStart);
                 writeOwn(aObj, kPlusStart - actualStart, fromValue);
-                kPlusStart = nextElementIndex(thisObj, kPlusStart, length);
+                kPlusStart = nextElementIndex(thisObj, kPlusStart, deleteEnd);
             }
         }
 

graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/array/JSArrayNextElementIndexNode.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -161,11 +161,11 @@ public long nextObjectViaFullEnumeration(JSDynamicObject object, long currentInd
     public long nextObjectViaPolling(Object object, long currentIndex, long length, @SuppressWarnings("unused") boolean isArray,
                     @Cached @Shared JSHasPropertyNode hasPropertyNode) {
         long index = currentIndex + 1;
-        while (!hasPropertyNode.executeBoolean(object, index)) {
+        while (index < length && !hasPropertyNode.executeBoolean(object, index)) {
             index++;
-            if (index >= length) {
-                return JSRuntime.MAX_SAFE_INTEGER_LONG;
-            }
+        }
+        if (index >= length) {
+            return JSRuntime.MAX_SAFE_INTEGER_LONG;
         }
         return index;
     }