Add missing check to StringBuilderConcat runtime function.

src/string.js

Index: src/string.js
diff --git a/src/string.js b/src/string.js
index 0736b4b0fe1324416510f474015db2d718d6ecdb..daa179bd9d177ae03a88a44696c8bea7e190dcc3 100644
--- a/src/string.js
+++ b/src/string.js
@@ -931,10 +931,10 @@ ReplaceResultBuilder.prototype.add = function(str) {
 
 ReplaceResultBuilder.prototype.addSpecialSlice = function(start, end) {
   var len = end - start;
-  if (len == 0) return;
+  if (start < 0 || len <= 0) return;
   var elements = this.elements;
   if (start < 0x80000 && len < 0x800) {
-    elements[elements.length] = (start << 11) + len;
+    elements[elements.length] = (start << 11) | len;
   } else {
     // 0 < len <= String::kMaxLength and Smi::kMaxValue >= String::kMaxLength,
     // so -len is a smi.