Array.concat: properly go to dictionary mode when required

src/runtime.cc

Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index a8c1aefff432d4203594e17c983b4631342014fe..a6d609c088d1e81bded4db030d1943f97ed94f4d 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10040,7 +10040,7 @@ class ArrayConcatVisitor {
       // getters on the arrays increasing the length of later arrays
       // during iteration.
       // This shouldn't happen in anything but pathological cases.
-      SetDictionaryMode(index);
+      SetDictionaryMode();
       // Fall-through to dictionary mode.
     }
     ASSERT(!fast_elements_);
@@ -10061,6 +10061,14 @@ class ArrayConcatVisitor {
     } else {
       index_offset_ += delta;
     }
+    // If the initial length estimate was off (see special case in visit()),
+    // but the array blowing the limit didn't contain elements beyond the
+    // provided-for index range, go to dictionary mode now.
+    if (fast_elements_ &&
+        index_offset_ >= static_cast<uint32_t>(
+            FixedArrayBase::cast(*storage_)->length())) {
+      SetDictionaryMode();
+    }
   }
 
   bool exceeds_array_limit() {
@@ -10082,7 +10090,7 @@ class ArrayConcatVisitor {
 
  private:
   // Convert storage to dictionary mode.
-  void SetDictionaryMode(uint32_t index) {
+  void SetDictionaryMode() {
     ASSERT(fast_elements_);
     Handle<FixedArray> current_storage(*storage_);
     Handle<SeededNumberDictionary> slow_storage(