Fix empty push bug in Array.push

BUG=chromium:670981
LOG=N
R=ishell@chromium.org

Review-Url: https://codereview.chromium.org/2609973002
Cr-Commit-Position: refs/heads/master@{#42064}

src/code-stub-assembler.cc

@@ -1491,7 +1491,7 @@ Node* CodeStubAssembler::BuildAppendJSArray(ElementsKind kind, Node* context,
   Node* growth = IntPtrSub(args.GetLength(), first);
   Node* new_length =
       IntPtrOrSmiAdd(WordToParameter(growth, mode), var_length.value(), mode);
-  GotoUnless(IntPtrOrSmiGreaterThanOrEqual(new_length, capacity, mode), &fits);
+  GotoUnless(IntPtrOrSmiGreaterThan(new_length, capacity, mode), &fits);
   Node* new_capacity = CalculateNewElementsCapacity(
       IntPtrOrSmiAdd(new_length, IntPtrOrSmiConstant(1, mode), mode), mode);
   var_elements.Bind(GrowElementsCapacity(array, var_elements.value(), kind,
@@ -8211,6 +8211,11 @@ Node* CodeStubArguments::GetReceiver() const {
 Node* CodeStubArguments::AtIndex(Node* index,
                                  CodeStubAssembler::ParameterMode mode) const {
   typedef compiler::Node Node;
+  CSA_ASSERT(assembler_, assembler_->UintPtrLessThan(
+                             mode == CodeStubAssembler::INTPTR_PARAMETERS
+                                 ? index
+                                 : assembler_->SmiUntag(index),
+                             GetLength()));
   Node* negated_index =
       assembler_->IntPtrSub(assembler_->IntPtrOrSmiConstant(0, mode), index);
   Node* offset =

test/mjsunit/regress/regress-670981-array-push.js

@@ -0,0 +1,8 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var array = [];
+array.length = .6e+7;
+array.push( );
+assertEquals(array.length, .6e+7);