[typedarray] Properly initialize JSTypedArray::length with Smi.

Even after https://codereview.chromium.org/2371963002 we still did not
always store a Smi into the JSTypedArray::length field, the runtime
function %TypedArrayInitializeFromArrayLike was still storing whatever
it got from the JavaScript code, which is highly dependent on internal
decisions of the ICs and the representation selection in the optimizing
compilers, so that's pretty fragile.

R=verwaest@chromium.org
BUG=chromium:650933

Review-Url: https://codereview.chromium.org/2377943002
Cr-Commit-Position: refs/heads/master@{#39802}

src/runtime/runtime-typedarray.cc

@@ -200,11 +200,9 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitializeFromArrayLike) {
   size_t length = 0;
   if (source->IsJSTypedArray() &&
       JSTypedArray::cast(*source)->type() == array_type) {
-    length_obj = handle(JSTypedArray::cast(*source)->length(), isolate);
     length = JSTypedArray::cast(*source)->length_value();
   } else {
     CHECK(TryNumberToSize(*length_obj, &length));
-    CHECK(length_obj->IsSmi());
   }
 
   if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||
@@ -247,6 +245,7 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitializeFromArrayLike) {
   Handle<Object> byte_length_obj(
       isolate->factory()->NewNumberFromSize(byte_length));
   holder->set_byte_length(*byte_length_obj);
+  length_obj = isolate->factory()->NewNumberFromSize(length);
   holder->set_length(*length_obj);
 
   Handle<FixedTypedArrayBase> elements =

test/mjsunit/regress/regress-crbug-650933.js

@@ -0,0 +1,8 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [0, 1, 2, 3, 4, 5, 6, 7, 8];
+var o = {length: 1e40};
+try { new Uint8Array(o); } catch (e) { }
+new Float64Array(a);