From cd032391ffdfb537507676141e8a663c20043820 Mon Sep 17 00:00:00 2001
From: Lukas Kurz <lukas@shortdev.de>
Date: Thu, 6 Jun 2024 23:56:58 +0200
Subject: [PATCH 1/2] Fix assertion

---
 lib/Runtime/Library/JavascriptArray.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index 075316f8ad5..1064cf1f4ec 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -9402,9 +9402,8 @@ using namespace Js;
         }
         else
         {
-            Assert(fromVal < MaxArrayLength);
-            Assert(toVal < MaxArrayLength);
-            Assert(direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength));
+            Assert(direction != -1 || (fromVal < MaxArrayLength && toVal < MaxArrayLength));
+            Assert(fromVal + count <= MaxArrayLength && toVal + count <= MaxArrayLength);
 
             uint32 fromIndex = static_cast<uint32>(fromVal);
             uint32 toIndex = static_cast<uint32>(toVal);

From 5ba6731fa28f51a617dd593cfd43f3109a46f356 Mon Sep 17 00:00:00 2001
From: Lukas Kurz <lukas@shortdev.de>
Date: Thu, 6 Jun 2024 23:57:03 +0200
Subject: [PATCH 2/2] Added test

---
 test/es6/ES6ArrayAPI_slow.js | 20 ++++++++++++++++++++
 test/es6/rlexe.xml           |  7 +++++++
 2 files changed, 27 insertions(+)
 create mode 100644 test/es6/ES6ArrayAPI_slow.js

diff --git a/test/es6/ES6ArrayAPI_slow.js b/test/es6/ES6ArrayAPI_slow.js
new file mode 100644
index 00000000000..81167810c31
--- /dev/null
+++ b/test/es6/ES6ArrayAPI_slow.js
@@ -0,0 +1,20 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Copyright (c) ChakraCore Project Contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+WScript.LoadScriptFile("..\\UnitTestFramework\\UnitTestFramework.js");
+
+const uint32Max = 4294967295;
+const tests = [
+    {
+        name: "Issue #6770 (Assertion failure in copyWithin)",
+        body() {
+            const array = [];
+            array.length = uint32Max;
+            array.copyWithin();
+        }
+    }
+];
+testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
diff --git a/test/es6/rlexe.xml b/test/es6/rlexe.xml
index 1ff8919fd9a..ee0227e2088 100644
--- a/test/es6/rlexe.xml
+++ b/test/es6/rlexe.xml
@@ -508,6 +508,13 @@
       <compile-flags>-ES6ObjectLiterals -args summary -endargs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>ES6ArrayAPI_slow.js</files>
+      <compile-flags>-ES6ObjectLiterals -args summary -endargs</compile-flags>
+      <tags>Slow</tags>
+    </default>
+  </test>
   <test>
     <default>
       <files>ES6ArrayUseConstructor.js</files>