Fix array.splice edge case for sealed object

The last step in array.splice slow-path is to update length of the array https://cs.chromium.org/chromium/src/v8/src/builtins/array-splice.tq?rcl=59a29d88cc5972d2323a80a70de19ffd2812e5e4&l=349. For sealed object, it should be nop.

Bug: chromium:951164
Change-Id: I0c3098526c7df6c4dd734dd6c79cc0bba3b9b213
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559217
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60793}

src/elements.cc

@@ -2744,6 +2744,12 @@ class FastPackedFrozenObjectElementsAccessor
                       uint32_t new_capacity) {
     UNREACHABLE();
   }
+
+  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
+                            uint32_t length,
+                            Handle<FixedArrayBase> backing_store) {
+    UNREACHABLE();
+  }
 };
 
 class FastPackedSealedObjectElementsAccessor
@@ -2787,6 +2793,18 @@ class FastPackedSealedObjectElementsAccessor
                       uint32_t new_capacity) {
     UNREACHABLE();
   }
+
+  static void SetLengthImpl(Isolate* isolate, Handle<JSArray> array,
+                            uint32_t length,
+                            Handle<FixedArrayBase> backing_store) {
+#ifdef DEBUG
+    // Can only go here if length equals old_length.
+    uint32_t old_length = 0;
+    CHECK(array->length()->ToArrayIndex(&old_length));
+    DCHECK_EQ(length, old_length);
+#endif
+    return;
+  }
 };
 
 class FastHoleyObjectElementsAccessor

test/mjsunit/object-freeze.js

@@ -420,6 +420,7 @@ function testPackedFrozenArray1(obj) {
   assertThrows(function() { obj.reverse(); }, TypeError);
   assertThrows(function() { obj.sort(); }, TypeError);
   assertThrows(function() { obj.splice(0); }, TypeError);
+  assertThrows(function() { obj.splice(0, 0); }, TypeError);
   assertTrue(Object.isFrozen(obj));
 
   // Verify search, filter, iterator

test/mjsunit/object-prevent-extensions.js

@@ -174,6 +174,7 @@ assertTrue(Array.isArray(obj));
 assertThrows(function() { obj.push(1); }, TypeError);
 assertThrows(function() { obj.unshift(1); }, TypeError);
 assertThrows(function() { obj.splice(0, 0, 1); }, TypeError);
+assertDoesNotThrow(function() {obj.splice(0, 0)});
 
 // Verify search, filter, iterator
 obj = new Array(undefined, null, 1, -1, 'a', Symbol("test"));

test/mjsunit/object-seal.js

@@ -389,7 +389,7 @@ assertDoesNotThrow(function() { return new Sealed(); });
 Sealed.prototype.prototypeExists = true;
 assertTrue((new Sealed()).prototypeExists);
 
-obj = new Int32Array(10)
+obj = new Int32Array(10);
 Object.seal(obj);
 assertTrue(Object.isSealed(obj));
 
@@ -404,6 +404,7 @@ function testPackedSealedArray1(obj) {
   assertThrows(function() { obj.push(1); }, TypeError);
   assertThrows(function() { obj.unshift(1); }, TypeError);
   assertThrows(function() { obj.splice(0); }, TypeError);
+  assertDoesNotThrow(function() { obj.splice(0, 0); });
 
   // Verify search, filter, iterator
   obj = new Array(undefined, null, 1, -1, 'a', Symbol("test"));