Bug 1965844 - Part 4: Correctly update search index for resized typed array in lastIndexOf. r=jandem

Test case in <tc39/test262#4477>.

Differential Revision: https://phabricator.services.mozilla.com/D248929

Author: anba

js/src/vm/TypedArrayObject.cpp

@@ -2529,16 +2529,6 @@ static bool TypedArray_lastIndexOf(JSContext* cx, const CallArgs& args) {
       return false;
     }
 
-    // Reacquire the length because side-effects may have detached or resized
-    // the array buffer.
-    len = std::min(len, tarray->length().valueOr(0));
-
-    // Return early if the new length is zero.
-    if (len == 0) {
-      args.rval().setInt32(-1);
-      return true;
-    }
-
     // Steps 6-8.
     if (fromIndex >= 0) {
       k = size_t(std::min(fromIndex, double(len - 1)));
@@ -2550,6 +2540,24 @@ static bool TypedArray_lastIndexOf(JSContext* cx, const CallArgs& args) {
       }
       k = size_t(d);
     }
+    MOZ_ASSERT(k < len);
+
+    // Reacquire the length because side-effects may have detached or resized
+    // the array buffer.
+    size_t currentLength = tarray->length().valueOr(0);
+
+    // Restrict the search index and length if the new length is smaller.
+    if (currentLength < len) {
+      // Return early if the new length is zero.
+      if (currentLength == 0) {
+        args.rval().setInt32(-1);
+        return true;
+      }
+
+      // Otherwise just restrict |k| and |len| to the current length.
+      k = std::min(k, currentLength - 1);
+      len = currentLength;
+    }
   }
   MOZ_ASSERT(k < len);