An issue about length of TypedArray

According to ES10.0，`TypedArray(length)` uses method `ToIndex` to avoid negative length. So the `length` of the `array` can not be negative. But when the parameter of `Float64Array` is -268435457 or smaller, the `length` of `array` is changed into a negative number. And other `TypedArray `constructors also have similar situation. Rhino achieves `TypedArray(length)` but doesn't handle negative length properly. This may be an issue of `TypedArray` constructors' parameter judgment.

#### version

```1.7.12```

#### command

```java -jar rhino/rhino-1.7.12.jar -debug -version 200 testcase.js```

#### testcase

```javascript
var NISLFuzzingFunc = function(){
	var array = new Float64Array(-268435457);
        print(array.length);
};
NISLFuzzingFunc();
```



#### output

```
-268435457
```



#### expected output

```
RangeError:Negative array length
```

Contributor:[@YuanWangC](https://github.com/YuanWangC)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

An issue about length of TypedArray #708

version

command

testcase

output

expected output

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

An issue about length of TypedArray #708

Description

version

command

testcase

output

expected output

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions