[builtins] Compare sloppy arguments length with the correct backing store length

BUG= Review-Url: https://codereview.chromium.org/2579983002 Cr-Commit-Position: refs/heads/master@{#41757}

[builtins] Compare sloppy arguments length with the correct backing store length
BUG= Review-Url: https://codereview.chromium.org/2579983002 Cr-Commit-Position: refs/heads/master@{#41757}
3238b337 · verwaest · Commit bot · 55e8c2e4 · 3238b337
Commit 3238b337 authored Dec 16, 2016 by verwaest Committed by Commit bot Dec 16, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

builtins-array.cc src/builtins/builtins-array.cc +7 -1

No files found.
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -56,7 +56,13 @@ inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle<JSObject> object,
  Object* len_obj = object->InObjectPropertyAt(JSArgumentsObject::kLengthIndex);
  if (!len_obj->IsSmi()) return false;
  *out = Max(0, Smi::cast(len_obj)->value());
-  return *out <= object->elements()->length();
+  FixedArray* parameters = FixedArray::cast(object->elements());
+  if (object->HasSloppyArgumentsElements()) {
+    FixedArray* arguments = FixedArray::cast(parameters->get(1));
+    return *out <= arguments->length();
+  }
+  return *out <= parameters->length();
 }
 inline bool IsJSArrayFastElementMovingAllowed(Isolate* isolate,