LibJS: Let Array.prototype.toSpliced throw RangeError for len <= 2^53-1

This aligns it with the spec again, it was clarified that the additional
range check before ArrayCreate is intentional:
https://github.com/tc39/proposal-change-array-by-copy/issues/94

Also cast the final variable to an u64 instead of size_t after we have
determined that it is safe to do so, as that's what Array::create()
takes now.

Userland/Libraries/LibJS/Runtime/ArrayPrototype.cpp

@@ -1924,13 +1924,10 @@ JS_DEFINE_NATIVE_FUNCTION(ArrayPrototype::to_spliced)
     auto new_length_double = static_cast<double>(length) + static_cast<double>(insert_count) - static_cast<double>(actual_delete_count);
 
     // 12. If newLen > 2^53 - 1, throw a TypeError exception.
-    // FIXME: ArrayCreate throws for any length > 2^32 - 1, so there's no point in letting
-    //        values up to 2^53 - 1 through (spec issue). This also prevents a potential
-    //        overflow when casting from double to size_t, which is 32 bits on x86.
-    if (new_length_double > NumericLimits<u32>::max())
+    if (new_length_double > MAX_ARRAY_LIKE_INDEX)
         return vm.throw_completion<TypeError>(global_object, ErrorType::ArrayMaxSize);
 
-    auto new_length = static_cast<size_t>(new_length_double);
+    auto new_length = static_cast<u64>(new_length_double);
 
     // 13. Let A be ? ArrayCreate(𝔽(newLen)).
     auto* array = TRY(Array::create(global_object, new_length));

Userland/Libraries/LibJS/Tests/builtins/Array/Array.prototype.toSpliced.js

@@ -97,4 +97,11 @@ describe("errors", () => {
             Array.prototype.toSpliced.call(a, 0, 0, "foo");
         }).toThrowWithMessage(TypeError, "Maximum array size exceeded");
     });
+
+    test("invalid array length", () => {
+        const a = { length: 2 ** 32 - 1 };
+        expect(() => {
+            Array.prototype.toSpliced.call(a, 0, 0, "foo");
+        }).toThrowWithMessage(RangeError, "Invalid array length");
+    });
 });