Fix Check failure on OOB access in Atomics.wait

Bug: chromium:724973
Change-Id: I227b30b50f92fac7d6cf3ec3369e324282352ccb
Reviewed-on: https://chromium-review.googlesource.com/514348Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45643}

src/builtins/builtins-sharedarraybuffer.cc

@@ -70,8 +70,9 @@ MUST_USE_RESULT Maybe<size_t> ValidateAtomicAccess(
                       MessageTemplate::kInvalidAtomicAccessIndex),
       Nothing<size_t>());
 
-  size_t access_index = NumberToSize(*access_index_obj);
-  if (access_index >= typed_array->length_value()) {
+  size_t access_index;
+  if (!TryNumberToSize(*access_index_obj, &access_index) ||
+      access_index >= typed_array->length_value()) {
     isolate->Throw(*isolate->factory()->NewRangeError(
         MessageTemplate::kInvalidAtomicAccessIndex));
     return Nothing<size_t>();

test/mjsunit/harmony/futex.js

@@ -48,7 +48,7 @@
   var i32a = new Int32Array(sab);
 
   // Valid indexes are 0-3.
-  [-1, 4, 100].forEach(function(invalidIndex) {
+  [-1, 4, 100, 0xffffffff].forEach(function(invalidIndex) {
     assertThrows(function() {
       Atomics.wait(i32a, invalidIndex, 0);
     }, RangeError);
@@ -59,7 +59,7 @@
   });
 
   i32a = new Int32Array(sab, 8);
-  [-1, 2, 100].forEach(function(invalidIndex) {
+  [-1, 2, 100, 0xffffffff].forEach(function(invalidIndex) {
     assertThrows(function() {
       Atomics.wait(i32a, invalidIndex, 0);
     }, RangeError);