diff --git a/src/builtins.cc b/src/builtins.cc
index 7695ccc753f..e4ceec99be4 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -197,16 +197,12 @@ inline bool ClampedToInteger(Object* object, int* out) {
 inline bool GetSloppyArgumentsLength(Isolate* isolate, Handle object, int* out) {
- Map* arguments_map =
- isolate->context()->native_context()->sloppy_arguments_map();
- if (object->map() != arguments_map || !object->HasFastElements()) {
- return false;
- }
+ Map* arguments_map = isolate->native_context()->sloppy_arguments_map();
+ if (object->map() != arguments_map) return false;
+ DCHECK(object->HasFastElements());
 Object* len_obj = object->InObjectPropertyAt(Heap::kArgumentsLengthIndex);
- if (!len_obj->IsSmi()) {
- return false;
- }
- *out = Smi::cast(len_obj)->value();
+ if (!len_obj->IsSmi()) return false;
+ *out = Max(0, Smi::cast(len_obj)->value());
 return *out <= object->elements()->length();
 }
@@ -993,11 +989,11 @@ bool IterateElements(Isolate* isolate, Handle receiver,
 uint32_t length = 0;
 if (receiver->IsJSArray()) {
- Handle array(Handle::cast(receiver));
+ Handle array = Handle::cast(receiver);
 length = static_cast(array->length()->Number());
 } else {
 Handle val;
- Handle key(isolate->heap()->length_string(), isolate);
+ Handle key = isolate->factory()->length_string();
 ASSIGN_RETURN_ON_EXCEPTION_VALUE( isolate, val, Runtime::GetObjectProperty(isolate, receiver, key), false);
diff --git a/test/mjsunit/regress/regress-arguments-slice.js b/test/mjsunit/regress/regress-arguments-slice.js
new file mode 100644
index 00000000000..f7cd8c6ec8c
--- /dev/null
+++ b/test/mjsunit/regress/regress-arguments-slice.js
@@ -0,0 +1,8 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() { return arguments; }
+var o = f();
+o.length = -100;
+Array.prototype.slice.call(o);
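Review bot: In GetSloppyArgumentsLength the fast-elements test moves from a runtime condition to `DCHECK(object->HasFastElements());`, which is compiled out of release builds, so the closing bound `*out <= object->elements()->length()` then rests on the map comparison alone. If any path can leave an object with sloppy_arguments_map and a non-fast backing store (not visible in this hunk), the fast path would validate the length against the wrong kind of elements array. Either keep the release-mode guard, `if (object->map() != arguments_map || !object->HasFastElements()) return false;`, or add a comment above the DCHECK stating why the map check implies fast elements. The clamp line would also benefit from a short comment such as `// length is script-writable and may be negative; never report a negative count.`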
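Review bot: The new regress-arguments-slice.js discards the result of `Array.prototype.slice.call(o)`, so it only proves the call does not crash; a build that returns a wrong array without faulting would still pass. Pin the outcome with something like `assertEquals(EXPECTED_LENGTH, Array.prototype.slice.call(o).length);`, where EXPECTED_LENGTH is a placeholder for whatever the generic (non-fast) path yields for a length of -100, so the fast path's clamp to 0 is checked for agreement with it. The test covers only slice; if other builtins also call GetSloppyArgumentsLength (not visible in this diff), each deserves the same negative-length case.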