Adding checks for the cases when array grows too big.

src/builtins.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 233 matching lines @@
 
 BUILTIN(ArrayPush) {
   JSArray* array = JSArray::cast(*args.receiver());
   ASSERT(array->HasFastElements());
 
   int len = Smi::cast(array->length())->value();
   int to_add = args.length() - 1;
   if (to_add == 0) {
     return Smi::FromInt(len);
   }
+  // Currently fixed arrays cannot grow too big, so
+  // we should never hit this case.
+  ASSERT(to_add <= (Smi::kMaxValue - len));
 
   int new_length = len + to_add;
   FixedArray* elms = FixedArray::cast(array->elements());
 
   if (new_length > elms->length()) {
     // New backing storage is needed.
     int capacity = new_length + (new_length >> 1) + 16;
     Object* obj = Heap::AllocateFixedArrayWithHoles(capacity);
     if (obj->IsFailure()) return obj;
 
@@ skipping 99 matching lines @@
   JSArray* array = JSArray::cast(*args.receiver());
   ASSERT(array->HasFastElements());
 
   int len = Smi::cast(array->length())->value();
   int to_add = args.length() - 1;
   // Note that we cannot quit early if to_add == 0 as
   // values should be lifted from prototype into
   // the array.
 
   int new_length = len + to_add;
+  // Currently fixed arrays cannot grow too big, so
+  // we should never hit this case.
+  ASSERT(to_add <= (Smi::kMaxValue - len));
+
   FixedArray* elms = FixedArray::cast(array->elements());
 
   // Fetch the prototype.
   JSFunction* array_function =
       Top::context()->global_context()->array_function();
   JSObject* prototype = JSObject::cast(array_function->prototype());
 
   if (new_length > elms->length()) {
     // New backing storage is needed.
     int capacity = new_length + (new_length >> 1) + 16;
@@ skipping 224 matching lines @@
     for (int k = actualStart; k < (len - actualDeleteCount); k++) {
       elms->set(k + itemCount,
                 GetElementToMove(k + actualDeleteCount, elms, prototype),
                 mode);
     }
 
     for (int k = len; k > new_length; k--) {
       elms->set(k - 1, Heap::the_hole_value());
     }
   } else if (itemCount > actualDeleteCount) {
+    // Currently fixed arrays cannot grow too big, so
+    // we should never hit this case.
+    ASSERT((itemCount - actualDeleteCount) <= (Smi::kMaxValue - len));
+
     FixedArray* source_elms = elms;
 
     // Check if array need to grow.
     if (new_length > elms->length()) {
       // New backing storage is needed.
       int capacity = new_length + (new_length >> 1) + 16;
       Object* obj = Heap::AllocateFixedArrayWithHoles(capacity);
       if (obj->IsFailure()) return obj;
 
       FixedArray* new_elms = FixedArray::cast(obj);
@@ skipping 668 matching lines @@
       if (entry->contains(pc)) {
         return names_[i];
       }
     }
   }
   return NULL;
 }
 
 
 } }  // namespace v8::internal