From bd97fcaed007caa15244b4ccdd36ae928ca1ad7e Mon Sep 17 00:00:00 2001
From: "jkummerow@chromium.org" <jkummerow@chromium.org>
Date: Thu, 11 Sep 2014 11:47:39 +0000
Subject: [PATCH] Fix regress-crbug-412203.js

R=ulan@chromium.org

Review URL: https://codereview.chromium.org/563733002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@23869 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/runtime.cc                               | 6 ++++--
 test/mjsunit/regress/regress-crbug-412203.js | 9 +++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/runtime.cc b/src/runtime.cc
index 45d5ed0..f0c1d95 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10334,8 +10334,10 @@ static void CollectElementIndices(Handle<JSObject> object,
       break;
     }
     case SLOPPY_ARGUMENTS_ELEMENTS: {
-      uint32_t length = static_cast<uint32_t>(
-          Handle<JSArray>::cast(object)->length()->Number());
+      MaybeHandle<Object> length_obj =
+          Object::GetProperty(object, isolate->factory()->length_string());
+      double length_num = length_obj.ToHandleChecked()->Number();
+      uint32_t length = static_cast<uint32_t>(DoubleToInt32(length_num));
       ElementsAccessor* accessor = object->GetElementsAccessor();
       for (uint32_t i = 0; i < length; i++) {
         if (accessor->HasElement(object, object, i)) {
diff --git a/test/mjsunit/regress/regress-crbug-412203.js b/test/mjsunit/regress/regress-crbug-412203.js
index 6a78130..f150859 100644
--- a/test/mjsunit/regress/regress-crbug-412203.js
+++ b/test/mjsunit/regress/regress-crbug-412203.js
@@ -25,7 +25,12 @@ function foo(x, y) {
 
   a.__proto__ = arguments;
   var c = [].concat(a);
-  assertEquals(2, c[0]);
-  assertEquals(undefined, c[1]);
+  for (var i = 0; i < arguments.length; i++) {
+    assertEquals(i + 2, c[i]);
+  }
+  assertEquals(undefined, c[arguments.length]);
+  assertEquals(undefined, c[arguments.length + 1]);
 }
 foo(2);
+foo(2, 3);
+foo(2, 3, 4);
-- 
2.7.4