diff --git a/src/compiler/js-builtin-reducer.cc b/src/compiler/js-builtin-reducer.cc
index bbd5a92a7fd..8ba64211284 100644
--- a/src/compiler/js-builtin-reducer.cc
+++ b/src/compiler/js-builtin-reducer.cc
@@ -308,6 +308,10 @@ Reduction JSBuiltinReducer::ReduceArrayPush(Node* node) {
 AccessBuilder::ForFixedArrayElement(receiver_map->elements_kind())),
 elements, length, value, effect, control);
+ // Return the new length of the {receiver}.
+ value = graph()->NewNode(simplified()->NumberAdd(), length,
+ jsgraph()->OneConstant());
+
 ReplaceWithValue(node, value, effect, control);
 return Replace(value);
 }
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 6733bd6affe..0d07053dedd 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1352,6 +1352,8 @@ Type* Typer::Visitor::JSCallFunctionTyper(Type* fun, Typer* t) {
 case kArrayIndexOf:
 case kArrayLastIndexOf:
 return Type::Range(-1, kMaxSafeInteger, t->zone());
+ case kArrayPush:
+ return t->cache_.kPositiveSafeInteger;
 // Object functions.
 case kObjectHasOwnProperty:
 return Type::Boolean();
diff --git a/test/mjsunit/regress/regress-crbug-656037.js b/test/mjsunit/regress/regress-crbug-656037.js
new file mode 100644
index 00000000000..47d09aaa4b9
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-656037.js
@@ -0,0 +1,15 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) {
+ return a.push(true);
+}
+
+var a = [];
+assertEquals(1, foo(a));
+assertEquals(2, foo(a));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(3, foo(a));
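Review bot: `value` carries two meanings in this block: it is the element handed to the store node in the context lines above, and after the added assignment it is the new length that gets returned. Reusing one name for both probably made the earlier wrong return hard to spot, and it leaves the same trap for the next edit. A dedicated local, `Node* new_length = graph()->NewNode(simplified()->NumberAdd(), length, jsgraph()->OneConstant());`, passed to `ReplaceWithValue` and `Replace`, would keep the pushed element and the result apart. ReduceArrayPush starts outside this hunk, so how `length` is loaded and guarded is not visible here.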
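Review bot: The added `kArrayPush` case states a range that later optimization passes will trust, but nothing at the case records why `kPositiveSafeInteger` is sound for every receiver the call can see, not only the fast-array path reduced in js-builtin-reducer.cc. A typer rule narrower than what the builtin can really return is the kind of mismatch that ends in wrongly eliminated checks, so the justification belongs next to the rule. A comment such as `// push returns the new length: ToLength clamps to [0, 2^53-1] and the builtin throws beyond that.` would make the range auditable. That reading of the spec should be confirmed against the generic builtin before it is written down.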
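Review bot: The final assertion assumes `foo` ran as optimized code, but the test never checks that, so it would still pass if the call were not reduced or if optimization bailed out. Adding `assertOptimized(foo);` after the third call would tie the test to the path being fixed, provided the helper tolerates the flag variants the bots run. The test also pushes a boolean only onto an array that starts empty. A second case with a numeric array, for example `var b = [1.5];`, would exercise another elements kind through the same reducer.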