Fix Array.prototype.concat for arguments object with getter.

src/runtime/runtime-array.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/v8.h"
 
 #include "src/arguments.h"
 #include "src/elements.h"
 #include "src/messages.h"
 #include "src/runtime/runtime-utils.h"
@@ skipping 344 matching lines @@
 
 
 // Used for sorting indices in a List<uint32_t>.
 static int compareUInt32(const uint32_t* ap, const uint32_t* bp) {
   uint32_t a = *ap;
   uint32_t b = *bp;
   return (a == b) ? 0 : (a < b) ? -1 : 1;
 }
 
 
-static void CollectElementIndices(Handle<JSObject> object, uint32_t range,
+// Return false on exception.
+static bool CollectElementIndices(Handle<JSObject> object, uint32_t range,
                                   List<uint32_t>* indices) {
   Isolate* isolate = object->GetIsolate();
   ElementsKind kind = object->GetElementsKind();
   switch (kind) {
     case FAST_SMI_ELEMENTS:
     case FAST_ELEMENTS:
     case FAST_HOLEY_SMI_ELEMENTS:
     case FAST_HOLEY_ELEMENTS: {
       Handle<FixedArray> elements(FixedArray::cast(object->elements()));
       uint32_t length = static_cast<uint32_t>(elements->length());
@@ skipping 49 matching lines @@
             FixedArrayBase::cast(object->elements())->length());
         if (range <= length) {
           length = range;
           // We will add all indices, so we might as well clear it first
           // and avoid duplicates.
           indices->Clear();
         }
         for (uint32_t i = 0; i < length; i++) {
           indices->Add(i);
         }
-        if (length == range) return;  // All indices accounted for already.
+        if (length == range) return true;  // All indices accounted for already.
         break;
       }
     case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
     case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
-      MaybeHandle<Object> length_obj =
-          Object::GetProperty(object, isolate->factory()->length_string());
-      double length_num = length_obj.ToHandleChecked()->Number();
+      Handle<Object> length_obj;
+      // See ES6 22.1.3.1 step 7-a-ii

[adamk, 2015/08/05 18:05:53]

I think you mean 7-d-ii?

+      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+          isolate, length_obj,
+          Object::GetProperty(object, isolate->factory()->length_string()),
+          false);
+      ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+          isolate, length_obj, Execution::ToLength(isolate, length_obj), false);
+      double length_num = length_obj->Number();
       uint32_t length = static_cast<uint32_t>(DoubleToInt32(length_num));
       ElementsAccessor* accessor = object->GetElementsAccessor();
       for (uint32_t i = 0; i < length; i++) {
         if (accessor->HasElement(object, i)) {
           indices->Add(i);
         }
       }
       break;
     }
   }
 
   PrototypeIterator iter(isolate, object);
   if (!iter.IsAtEnd()) {
     // The prototype will usually have no inherited element indices,
     // but we have to check.
-    CollectElementIndices(
+    return CollectElementIndices(
         Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter)), range,
         indices);
   }
+  return true;
 }
 
 
 static bool IterateElementsSlow(Isolate* isolate, Handle<JSObject> receiver,
                                 uint32_t length, ArrayConcatVisitor* visitor) {
   for (uint32_t i = 0; i < length; ++i) {
     HandleScope loop_scope(isolate);
     Maybe<bool> maybe = JSReceiver::HasElement(receiver, i);
     if (!maybe.IsJust()) return false;
     if (maybe.FromJust()) {
@@ skipping 110 matching lines @@
           }
         }
       }
       break;
     }
     case DICTIONARY_ELEMENTS: {
       Handle<SeededNumberDictionary> dict(receiver->element_dictionary());
       List<uint32_t> indices(dict->Capacity() / 2);
       // Collect all indices in the object and the prototypes less
       // than length. This might introduce duplicates in the indices list.
-      CollectElementIndices(receiver, length, &indices);
+      if (!CollectElementIndices(receiver, length, &indices)) return false;
       indices.Sort(&compareUInt32);
       int j = 0;
       int n = indices.length();
       while (j < n) {
         HandleScope loop_scope(isolate);
         uint32_t index = indices[j];
         Handle<Object> element;
         ASSIGN_RETURN_ON_EXCEPTION_VALUE(
             isolate, element, Object::GetElement(isolate, receiver, index),
             false);
@@ skipping 665 matching lines @@
 
 RUNTIME_FUNCTION(Runtime_FastOneByteArrayJoin) {
   SealHandleScope shs(isolate);
   DCHECK(args.length() == 2);
   // Returning undefined means that this fast path fails and one has to resort
   // to a slow path.
   return isolate->heap()->undefined_value();
 }
 }  // namespace internal
 }  // namespace v8