| Index: src/runtime.cc
|
| diff --git a/src/runtime.cc b/src/runtime.cc
|
| index 45d5ed016d981b2b5863d9d82a03bff0894a59d7..f0c1d95f88275bc3b5a6af003d149d27ffa51c12 100644
|
| --- a/src/runtime.cc
|
| +++ b/src/runtime.cc
|
| @@ -10334,8 +10334,10 @@ static void CollectElementIndices(Handle<JSObject> object,
|
| break;
|
| }
|
| case SLOPPY_ARGUMENTS_ELEMENTS: {
|
| - uint32_t length = static_cast<uint32_t>(
|
| - Handle<JSArray>::cast(object)->length()->Number());
|
| + MaybeHandle<Object> length_obj =
|
| + Object::GetProperty(object, isolate->factory()->length_string());
|
| + double length_num = length_obj.ToHandleChecked()->Number();
|
| + uint32_t length = static_cast<uint32_t>(DoubleToInt32(length_num));
|
| ElementsAccessor* accessor = object->GetElementsAccessor();
|
| for (uint32_t i = 0; i < length; i++) {
|
| if (accessor->HasElement(object, object, i)) {
|
|
|
Chromium Code Reviews
Issue 563733002:
Fix regress-crbug-412203.js (Closed)
Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge