[typedarrays] Fix a wrong type casting in TA.p.set

- Fix a wrong type casting triggered when a given array's length is zero
- Add a regression test case

Bug: chromium:777182, chromium:768775
Change-Id: I615b73e9d7bad657c872c96c7a204efe355d8289
Reviewed-on: https://chromium-review.googlesource.com/732865Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48821}

src/elements.cc

@@ -3368,6 +3368,8 @@ class TypedElementsAccessor
         Handle<JSTypedArray>::cast(destination);
     DCHECK_LE(offset + length, destination_ta->length_value());
 
+    if (length == 0) return *isolate->factory()->undefined_value();
+
     // All conversions from TypedArrays can be done without allocation.
     if (source->IsJSTypedArray()) {
       Handle<JSTypedArray> source_ta = Handle<JSTypedArray>::cast(source);

test/mjsunit/es6/regress/regress-777182.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --enable-slow-asserts
+
+var __v_65159 = [1.3];
+__v_65159.length = 0;
+new Int8Array(10).set(__v_65159);