[es2015] Setup JSTypedArray after allocating the JSArrayBuffer.

When constructing a TypedArray by length, only actually setup the
JSTypedArray instance once the buffer is allocated, as only at that
time it's known whether the byte length is fine. Otherwise we confuse
the heap verifier.

Bug: chromium:887891
Change-Id: I407ff9a2a053dd11ef764e4e32f482abb27eb0a8
Reviewed-on: https://chromium-review.googlesource.com/1238494Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56131}

src/builtins/builtins-typed-array-gen.cc

@@ -150,9 +150,6 @@ TF_BUILTIN(TypedArrayInitialize, TypedArrayBuiltinsAssembler) {
   // SmiMul returns a heap number in case of Smi overflow.
   TNode<Number> byte_length = SmiMul(length, element_size);
 
-  SetupTypedArray(holder, length, ChangeNonnegativeNumberToUintPtr(byte_offset),
-                  ChangeNonnegativeNumberToUintPtr(byte_length));
-
   TNode<Map> fixed_typed_map = LoadMapForType(holder);
 
   // If target and new_target for the buffer differ, allocate off-heap.
@@ -311,6 +308,8 @@ TF_BUILTIN(TypedArrayInitialize, TypedArrayBuiltinsAssembler) {
   }
 
   BIND(&done);
+  SetupTypedArray(holder, length, ChangeNonnegativeNumberToUintPtr(byte_offset),
+                  ChangeNonnegativeNumberToUintPtr(byte_length));
   Return(UndefinedConstant());
 }
 

test/mjsunit/regress/regress-crbug-887891.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+const l = 1000000000;
+const a = [];
+function foo() { var x = new Int32Array(l); }
+try { foo(); } catch (e) { }