Fix the private field crash for the Array object.

Fixes the following issues: 5097, 5100, 5138

Additional test cases added by: Robert Sipka <robert.sipka@h-lab.eu>

JerryScript-DCO-1.0-Signed-off-by: Baihe Jiang <baihe.jiang@outlook.com>

Author: paintedveil5

jerry-core/vm/opcodes.c

@@ -919,6 +919,11 @@ opfunc_private_method_or_accessor_add (ecma_object_t *class_object_p, /**< the f
 
     JERRY_ASSERT (prop_name_p->u.hash & ECMA_SYMBOL_FLAG_PRIVATE_INSTANCE_METHOD);
 
+    if (ecma_op_object_is_fast_array (this_obj_p))
+    {
+      ecma_fast_array_convert_to_normal (this_obj_p);
+    }
+
     prop_p = ecma_find_named_property (this_obj_p, prop_name_p);
     ecma_object_t *method_p = ecma_get_object_from_value (method);
 
@@ -1369,6 +1374,11 @@ opfunc_private_field_add (ecma_value_t base, /**< base object */
   ecma_string_t *prop_name_p = ecma_get_string_from_value (property);
   ecma_string_t *private_key_p = NULL;
 
+  if (ecma_op_object_is_fast_array (obj_p))
+  {
+      ecma_fast_array_convert_to_normal (obj_p);
+  }
+
   ecma_property_t *prop_p = opfunc_find_private_element (obj_p, prop_name_p, &private_key_p, false);
 
   if (prop_p != NULL)

tests/jerry/private_fields.js

@@ -327,3 +327,41 @@ class O {
 var var16 = new O();
 var16.b();
 assert(var16.c() == 12);
+
+// Private fields are accessible in Array object
+class P extends Array {
+  #a = 1;
+  b() {
+    return this.#a;
+  }
+}
+
+var var17 = new P();
+assert(var17.b() == 1);
+
+class Q extends Array {
+  #a() {
+    return 1;
+  }
+  b() {
+    return this.#a();
+  }
+}
+
+var var18 = new Q();
+assert(var18.b() == 1);
+
+// Issue 5097
+class Foo extends ([]).constructor {
+  #g;
+}
+new Foo();
+
+// Issue 5100
+class Foo2 extends Array {
+  #x() {
+  }
+}
+
+var bar = new Foo2();
+bar[0] = 1;