[runtime] Check capacity according to elements kind

... in Runtime_GrowArrayElements.

Runtime_GrowArrayElements is only used when the elements kind
is fast. And we could check the requested capacity according
to the elements kind and throw error early.

Bug: v8:13285
Change-Id: I68f59bc68995d622aac23be3e8daf05ac5fd5652
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905062
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83350}

src/runtime/runtime-array.cc

@@ -155,13 +155,18 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
   return *array;
 }
 
-// GrowArrayElements returns a sentinel Smi if the object was normalized or if
+// GrowArrayElements grows fast kind elements and returns a sentinel Smi if the
-// the key is negative.
+// object was normalized or if the key is negative.
 RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
   HandleScope scope(isolate);
   DCHECK_EQ(2, args.length());
   Handle<JSObject> object = args.at<JSObject>(0);
   Handle<Object> key = args.at(1);
+  ElementsKind kind = object->GetElementsKind();
+  CHECK(IsFastElementsKind(kind));
+  const intptr_t kMaxLength = IsDoubleElementsKind(kind)
+                                  ? FixedDoubleArray::kMaxLength
+                                  : FixedArray::kMaxLength;
   uint32_t index;
   if (key->IsSmi()) {
     int value = Smi::ToInt(*key);
@@ -170,7 +175,7 @@ RUNTIME_FUNCTION(Runtime_GrowArrayElements) {
   } else {
     CHECK(key->IsHeapNumber());
     double value = HeapNumber::cast(*key).value();
-    if (value < 0 || value > std::numeric_limits<uint32_t>::max()) {
+    if (value < 0 || value > kMaxLength) {
       return Smi::zero();
     }
     index = static_cast<uint32_t>(value);