Fix splice bug in handling of negative arguments length

Bug: chromium:778668
Change-Id: Ie75f2ecb9e6134b6eb57c7d7fb6ea33cbb2fc2bf
Reviewed-on: https://chromium-review.googlesource.com/753324
Commit-Queue: Daniel Clifford <danno@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49301}

src/builtins/builtins-array-gen.cc

@@ -1109,6 +1109,8 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
     Node* elements_kind = LoadMapElementsKind(map);
     GotoIfNot(IsFastElementsKind(elements_kind), &try_simple_slice);
 
+    CSA_ASSERT(this, SmiGreaterThanOrEqual(from, SmiConstant(0)));
+
     result.Bind(CallStub(CodeFactory::ExtractFastJSArray(isolate()), context,
                          array, from, count));
     Goto(&done);
@@ -1134,6 +1136,8 @@ class FastArraySliceCodeStubAssembler : public CodeStubAssembler {
     GotoIf(SmiAboveOrEqual(count, SmiConstant(max_fast_elements)),
            &try_simple_slice);
 
+    GotoIf(SmiLessThan(from, SmiConstant(0)), slow);
+
     Node* end = SmiAdd(from, count);
 
     Node* unmapped_elements = LoadFixedArrayElement(

test/mjsunit/regress/regress-778668.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+(function () {
+  function f( __v_59960) {
+    arguments.length = -5;
+    Array.prototype.slice.call(arguments);
+  }
+  f('a')
+})();
+
+(function () {
+  function f( __v_59960) {
+    arguments.length = 2.3;
+    print(arguments.length);
+    Array.prototype.slice.call(arguments);
+  }
+  f('a')
+})();