[typedarray] Fix failing DCHECK for TA.from with a length getter.

I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug: chromium:816317
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}

src/elements.cc

@@ -3284,9 +3284,9 @@ class TypedElementsAccessor
         BackingStore::cast(destination->elements());
 
     DCHECK_LE(offset, destination->length_value());
-    DCHECK_LE(source->length_value(), destination->length_value() - offset);
+    DCHECK_LE(length, destination->length_value() - offset);
     DCHECK(source->length()->IsSmi());
-    DCHECK_EQ(length, source->length_value());
+    DCHECK_LE(length, source->length_value());
 
     InstanceType source_type = source_elements->map()->instance_type();
     InstanceType destination_type =

test/mjsunit/regress/regress-816317.js

@@ -0,0 +1,12 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let a = new Float64Array(15);
+Object.defineProperty(a, "length", {
+  get: function () {
+    return 6;
+  }
+});
+delete a.__proto__.__proto__[Symbol.iterator];
+Float64Array.from(a);