Add index check in DoAccessArgumentsAt.

src/x64/lithium-codegen-x64.cc

Index: src/x64/lithium-codegen-x64.cc
diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc
index ef9fb92e0eda32a4c01a1bcedf99263d6067d4cb..3b1281debec8ff610d98c230a376492e11196736 100644
--- a/src/x64/lithium-codegen-x64.cc
+++ b/src/x64/lithium-codegen-x64.cc
@@ -2918,9 +2918,13 @@ void LCodeGen::DoAccessArgumentsAt(LAccessArgumentsAt* instr) {
       instr->index()->IsConstantOperand()) {
     int32_t const_index = ToInteger32(LConstantOperand::cast(instr->index()));
     int32_t const_length = ToInteger32(LConstantOperand::cast(instr->length()));
-    StackArgumentsAccessor args(arguments, const_length,
-                                ARGUMENTS_DONT_CONTAIN_RECEIVER);
-    __ movp(result, args.GetArgumentOperand(const_index));
+    if (const_index >= 0 && const_index < const_length) {
+      StackArgumentsAccessor args(arguments, const_length,
+                                  ARGUMENTS_DONT_CONTAIN_RECEIVER);
+      __ movp(result, args.GetArgumentOperand(const_index));

[ulan, 2014/03/24 15:43:10]

This move is guarded by HBoundsCheck at run-time, but StackArgumentsAccessor has
an assertion that index is non-negative.

+    } else if (FLAG_debug_code) {
+      __ Abort(const_index < 0 ? kIndexIsNegative : kIndexIsTooLarge);
+    }
   } else {
     Register length = ToRegister(instr->length());
     // There are two words between the frame pointer and the last argument.