1 files changed, 11 insertions, 9 deletions

diff --git a/deps/v8/src/builtins/builtins-arraybuffer.cc b/deps/v8/src/builtins/builtins-arraybuffer.cc
index 808c34e43b..a4de98eb97 100644
--- a/deps/v8/src/builtins/builtins-arraybuffer.cc
+++ b/deps/v8/src/builtins/builtins-arraybuffer.cc
@@ -31,10 +31,12 @@ Object* ConstructBuffer(Isolate* isolate, Handle<JSFunction> target,
                         Handle<JSReceiver> new_target, Handle<Object> length,
                         bool initialize) {
   Handle<JSObject> result;
-  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result,
-                                     JSObject::New(target, new_target));
+  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+      isolate, result,
+      JSObject::New(target, new_target, Handle<AllocationSite>::null()));
   size_t byte_length;
-  if (!TryNumberToSize(*length, &byte_length)) {
+  if (!TryNumberToSize(*length, &byte_length) ||
+      byte_length > JSArrayBuffer::kMaxByteLength) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate, NewRangeError(MessageTemplate::kInvalidArrayBufferLength));
   }
@@ -98,7 +100,7 @@ BUILTIN(ArrayBufferPrototypeGetByteLength) {
   CHECK_SHARED(false, array_buffer, kMethodName);
   // TODO(franzih): According to the ES6 spec, we should throw a TypeError
   // here if the JSArrayBuffer is detached.
-  return array_buffer->byte_length();
+  return *isolate->factory()->NewNumberFromSize(array_buffer->byte_length());
 }
 
 // ES7 sharedmem 6.3.4.1 get SharedArrayBuffer.prototype.byteLength
@@ -108,7 +110,7 @@ BUILTIN(SharedArrayBufferPrototypeGetByteLength) {
   CHECK_RECEIVER(JSArrayBuffer, array_buffer,
                  "get SharedArrayBuffer.prototype.byteLength");
   CHECK_SHARED(true, array_buffer, kMethodName);
-  return array_buffer->byte_length();
+  return *isolate->factory()->NewNumberFromSize(array_buffer->byte_length());
 }
 
 // ES6 section 24.1.3.1 ArrayBuffer.isView ( arg )
@@ -143,7 +145,7 @@ static Object* SliceHelper(BuiltinArguments args, Isolate* isolate,
 
   // * [AB] Let len be O.[[ArrayBufferByteLength]].
   // * [SAB] Let len be O.[[ArrayBufferByteLength]].
-  double const len = array_buffer->byte_length()->Number();
+  double const len = array_buffer->byte_length();
 
   // * Let relativeStart be ? ToInteger(start).
   Handle<Object> relative_start;
@@ -242,7 +244,7 @@ static Object* SliceHelper(BuiltinArguments args, Isolate* isolate,
   }
 
   // * If new.[[ArrayBufferByteLength]] < newLen, throw a TypeError exception.
-  if (new_array_buffer->byte_length()->Number() < new_len) {
+  if (new_array_buffer->byte_length() < new_len) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate,
         NewTypeError(is_shared ? MessageTemplate::kSharedArrayBufferTooShort
@@ -264,10 +266,10 @@ static Object* SliceHelper(BuiltinArguments args, Isolate* isolate,
   size_t first_size = 0, new_len_size = 0;
   CHECK(TryNumberToSize(*first_obj, &first_size));
   CHECK(TryNumberToSize(*new_len_obj, &new_len_size));
-  DCHECK(NumberToSize(new_array_buffer->byte_length()) >= new_len_size);
+  DCHECK(new_array_buffer->byte_length() >= new_len_size);
 
   if (new_len_size != 0) {
-    size_t from_byte_length = NumberToSize(array_buffer->byte_length());
+    size_t from_byte_length = array_buffer->byte_length();
     USE(from_byte_length);
     DCHECK(first_size <= from_byte_length);
     DCHECK(from_byte_length - first_size >= new_len_size);