Fix mix-up in HasEnumerableElements()

src/objects.cc

Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index bef6dba7932e0297f3471f22b7829395c6379a24..952fe8ee11045a8f9e4eba57d923858eaf688e7a 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -7985,9 +7985,8 @@ bool HasEnumerableElements(JSObject* object) {
     case FAST_SMI_ELEMENTS:
     case FAST_ELEMENTS:
     case FAST_DOUBLE_ELEMENTS: {
-      int length = object->IsJSArray()
-                       ? Smi::cast(JSArray::cast(object)->length())->value()
-                       : object->elements()->length();
+      DCHECK(object->IsJSArray());
+      int length = Smi::cast(JSArray::cast(object)->length())->value();

[Toon Verwaest, 2015/12/10 21:15:54]

This is not guaranteed; sloppy argument objects are not jsarrays but can be
packed.

[Jakob Kummerow, 2015/12/11 09:47:24]

Thanks -> https://codereview.chromium.org/1517073003/

       return length > 0;
     }
     case FAST_HOLEY_SMI_ELEMENTS:
@@ -8003,8 +8002,9 @@ bool HasEnumerableElements(JSObject* object) {
     }
     case FAST_HOLEY_DOUBLE_ELEMENTS: {
       FixedDoubleArray* elements = FixedDoubleArray::cast(object->elements());
-      DCHECK(object->IsJSArray());
-      int length = Smi::cast(JSArray::cast(object)->length())->value();
+      int length = object->IsJSArray()
+                       ? Smi::cast(JSArray::cast(object)->length())->value()
+                       : elements->length();
       for (int i = 0; i < length; i++) {
         if (!elements->is_the_hole(i)) return true;
       }