Fix empty push bug in Array.push

src/code-stub-assembler.cc

Index: src/code-stub-assembler.cc
diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc
index 7532319bf2a8dc16f9f491b35933df73cbc6b2a6..116a9f4494784ec4d147fe2005b9d1c2032d08bf 100644
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -1491,7 +1491,7 @@ Node* CodeStubAssembler::BuildAppendJSArray(ElementsKind kind, Node* context,
   Node* growth = IntPtrSub(args.GetLength(), first);
   Node* new_length =
       IntPtrOrSmiAdd(WordToParameter(growth, mode), var_length.value(), mode);
-  GotoUnless(IntPtrOrSmiGreaterThanOrEqual(new_length, capacity, mode), &fits);
+  GotoUnless(IntPtrOrSmiGreaterThan(new_length, capacity, mode), &fits);
   Node* new_capacity = CalculateNewElementsCapacity(
       IntPtrOrSmiAdd(new_length, IntPtrOrSmiConstant(1, mode), mode), mode);
   var_elements.Bind(GrowElementsCapacity(array, var_elements.value(), kind,
@@ -8211,6 +8211,11 @@ Node* CodeStubArguments::GetReceiver() const {
 Node* CodeStubArguments::AtIndex(Node* index,
                                  CodeStubAssembler::ParameterMode mode) const {
   typedef compiler::Node Node;
+  CSA_ASSERT(assembler_, assembler_->UintPtrLessThan(
+                             mode == CodeStubAssembler::INTPTR_PARAMETERS
+                                 ? index
+                                 : assembler_->SmiUntag(index),
+                             GetLength()));
   Node* negated_index =
       assembler_->IntPtrSub(assembler_->IntPtrOrSmiConstant(0, mode), index);
   Node* offset =