[elements] limit TypedElementsAccessor::IncludesValue to backing store length

The contract is that the method is only invoked when there are no elements on
the prototype, and this elements type forbids accessor elements. So it is safe
to limit the search to the end of the backing store.

BUG=chromium:634269, v8:5162
R=cbruni@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2209273002
Cr-Commit-Position: refs/heads/master@{#38344}

src/elements.cc

@@ -2551,6 +2551,12 @@ class TypedElementsAccessor
       return Just(false);
     }
 
+    // Prototype has no elements, and not searching for the hole --- limit
+    // search to backing store length.
+    if (static_cast<uint32_t>(elements->length()) < length) {
+      length = elements->length();
+    }
+
     if (!std::isnan(search_value)) {
       for (uint32_t k = start_from; k < length; ++k) {
         double element_k = elements->get_scalar(k);

test/mjsunit/es7/regress/regress-634269.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+__v_1 = new Uint8Array();
+Object.defineProperty(__v_1.__proto__, 'length', {value: 42});
+Array.prototype.includes.call(new Uint8Array(), 2);