diff --git a/src/builtins/array-to-sorted.tq b/src/builtins/array-to-sorted.tq
index 0a36502825..e3fb93a0c4 100644
--- a/src/builtins/array-to-sorted.tq
+++ b/src/builtins/array-to-sorted.tq
@@ -65,7 +65,8 @@ ArrayTimSortIntoCopy(context: Context, sortState: SortState): JSArray {
 if (sortState.numberOfUndefined != 0) goto FastObject;
 const workArray = sortState.workArray;
- for (let i: Smi = 0; i < workArray.length; ++i) {
+ dcheck(numberOfNonUndefined <= workArray.length);
+ for (let i: Smi = 0; i < numberOfNonUndefined; ++i) {
 const e = UnsafeCast(workArray.objects[i]);
 // TODO(v8:12764): ArrayTimSortImpl already boxed doubles. Support
 // PACKED_DOUBLE_ELEMENTS.
diff --git a/test/mjsunit/harmony/regress/regress-crbug-1381656.js b/test/mjsunit/harmony/regress/regress-crbug-1381656.js
new file mode 100644
index 0000000000..853ce64b9f
--- /dev/null
+++ b/test/mjsunit/harmony/regress/regress-crbug-1381656.js
@@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-change-array-by-copy
+
+// Returning arguments for a function with 1 parameter results in toSorted code
+// initially under-allocating a sorting worklist of length 1 (instead of
+// 2). This then results the worklist growing to length 17, with elements 2-16
+// being holes. The hole values should not be accessed.
+let args = (function(x) {
+ return arguments;
+})(1, 2);
+Array.prototype.toSorted.call(args);
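Review bot: `dcheck(numberOfNonUndefined <= workArray.length)` on the first added line is a debug-only assertion, so in release builds the new loop bound `i < numberOfNonUndefined` relies entirely on that invariant being maintained by whatever computes `numberOfNonUndefined` outside this hunk, and a violation would make `workArray.objects[i]` read past the backing store unless Torque's indexed-field access bounds-checks in release, which I cannot confirm from here. If the relation is meant to hold in every build, `check(numberOfNonUndefined <= workArray.length);` would abort instead of silently proceeding. A why-comment above the loop would also help, since the old bound `workArray.length` looks equally plausible at a glance: `// Bound by numberOfNonUndefined, not workArray.length: the work array can grow past the element count and its tail then holds holes that must not be read (see regress-crbug-1381656).` The body of ArrayTimSortIntoCopy starts and ends outside the hunk, and `numberOfNonUndefined` is declared outside it.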
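Review bot: The final line `Array.prototype.toSorted.call(args);` only checks that the call does not crash; the result is never inspected, so a regression that returns holes or a wrong length without faulting would still pass. Pinning the sorted copy, `assertEquals([1, 2], Array.prototype.toSorted.call(args));`, also verifies that the under-allocation described in the comment no longer leaks into the output (presumably mjsunit's `assertEquals` is in scope as in the other tests in this directory). The comment's "This then results the worklist growing" is also missing a word and reads better as "This then results in the worklist growing".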