[elements] Remove detach CHECK from the generic TypedArray#set

The detach CHECK is currently crashing on a non-TypedArray and non-Array
input source to TypedArray#set that detaches the destination TypedArray
in its length getter.

Bug: v8:10885
Change-Id: I80bcb4ffb4e4122afbff5c412623c008dc9509df
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2419655Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70062}

src/objects/elements.cc

@@ -3627,12 +3627,12 @@ class TypedElementsAccessor
     Handle<JSTypedArray> destination_ta =
         Handle<JSTypedArray>::cast(destination);
     DCHECK_LE(offset + length, destination_ta->length());
-    CHECK(!destination_ta->WasDetached());
 
     if (length == 0) return *isolate->factory()->undefined_value();
 
     // All conversions from TypedArrays can be done without allocation.
     if (source->IsJSTypedArray()) {
+      CHECK(!destination_ta->WasDetached());
       Handle<JSTypedArray> source_ta = Handle<JSTypedArray>::cast(source);
       ElementsKind source_kind = source_ta->GetElementsKind();
       bool source_is_bigint =
@@ -3647,6 +3647,7 @@ class TypedElementsAccessor
         return *isolate->factory()->undefined_value();
       }
     } else if (source->IsJSArray()) {
+      CHECK(!destination_ta->WasDetached());
       // Fast cases for packed numbers kinds where we don't need to allocate.
       Handle<JSArray> source_js_array = Handle<JSArray>::cast(source);
       size_t current_length;

test/mjsunit/harmony/typedarray-set-length-detach.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+let ta = new Int32Array(10);
+assertThrows(() => {
+  ta.set({
+    get length() {
+      %ArrayBufferDetach(ta.buffer);
+      return 1;
+    },
+    get 0() {
+      return 100;
+    },
+  });
+}, TypeError);