[runtime] Follow-up fix in Object.defineProperties

... which didn't properly handle negative Smi indices with
JSTypedArray receivers.

The logic was broken by the spec violation fix
https://chromium-review.googlesource.com/c/v8/v8/+/2972727

Bug: chromium:1227476, chromium:1209405
Change-Id: I9bfa57d56bebccad00ed29666489f2003694e0a9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3086472
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Auto-Submit: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76217}

src/objects/js-array-buffer.cc

@@ -227,11 +227,12 @@ Maybe<bool> JSTypedArray::DefineOwnProperty(Isolate* isolate,
   // 2. Assert: O is an Object that has a [[ViewedArrayBuffer]] internal slot.
   // 3. If Type(P) is String, then
   PropertyKey lookup_key(isolate, key);
-  if (lookup_key.is_element() || key->IsString()) {
+  if (lookup_key.is_element() || key->IsSmi() || key->IsString()) {
     // 3a. Let numericIndex be ! CanonicalNumericIndexString(P)
     // 3b. If numericIndex is not undefined, then
-    bool is_minus_zero;
-    if (CanonicalNumericIndexString(isolate, lookup_key, &is_minus_zero)) {
+    bool is_minus_zero = false;
+    if (key->IsSmi() ||  // Smi keys are definitely canonical
+        CanonicalNumericIndexString(isolate, lookup_key, &is_minus_zero)) {
       // 3b i. If IsInteger(numericIndex) is false, return false.
       // 3b ii. If numericIndex = -0, return false.
       // 3b iii. If numericIndex < 0, return false.

test/mjsunit/regress/regress-crbug-1227476.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+assertThrows(
+    () => {
+      let ar = new Int32Array();
+      ar.__defineGetter__(-2, function() {});
+    }, TypeError);