TypedArray.prototype.set uses internal length property, not real one.

TypedArrays store their true length in an internal slot. This is
normally reflected in the .length property, but that property is
configurable. Algorithms which need the length of a typed array are to
use the internal slot, not the property; TypedArray.prototype.set was
not doing this.

BUG=v8:5133

Review-Url: https://codereview.chromium.org/2091153002
Cr-Commit-Position: refs/heads/master@{#37232}

src/js/typedarray.js

@@ -349,7 +349,7 @@ function TypedArraySetFromArrayLike(target, source, sourceLength, offset) {
 function TypedArraySetFromOverlappingTypedArray(target, source, offset) {
   var sourceElementSize = source.BYTES_PER_ELEMENT;
   var targetElementSize = target.BYTES_PER_ELEMENT;
-  var sourceLength = source.length;
+  var sourceLength = %_TypedArrayGetLength(source);
 
   // Copy left part.
   function CopyLeftPart() {
@@ -369,7 +369,7 @@ function TypedArraySetFromOverlappingTypedArray(target, source, offset) {
   }
   var leftIndex = CopyLeftPart();
 
-  // Copy rigth part;
+  // Copy right part;
   function CopyRightPart() {
     // First unmutated byte before the next write
     var targetPtr =
@@ -413,7 +413,8 @@ function TypedArraySet(obj, offset) {
       TypedArraySetFromOverlappingTypedArray(this, obj, intOffset);
       return;
     case 2: // TYPED_ARRAY_SET_TYPED_ARRAY_NONOVERLAPPING
-      TypedArraySetFromArrayLike(this, obj, obj.length, intOffset);
+      TypedArraySetFromArrayLike(this,
+          obj, %_TypedArrayGetLength(obj), intOffset);
       return;
     case 3: // TYPED_ARRAY_SET_NON_TYPED_ARRAY
       var l = obj.length;
@@ -428,7 +429,7 @@ function TypedArraySet(obj, offset) {
         return;
       }
       l = TO_LENGTH(l);
-      if (intOffset + l > this.length) {
+      if (intOffset + l > %_TypedArrayGetLength(this)) {
         throw MakeRangeError(kTypedArraySetSourceTooLarge);
       }
       TypedArraySetFromArrayLike(this, obj, l, intOffset);

test/mjsunit/es6/typedarray-set-length-internal.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var typedArrayConstructors = [
+  Uint8Array,
+  Int8Array,
+  Uint16Array,
+  Int16Array,
+  Uint32Array,
+  Int32Array,
+  Uint8ClampedArray,
+  Float32Array,
+  Float64Array
+];
+
+var descriptor = { get: function() { throw new Error("accessed length"); } };
+
+for (var constructor of typedArrayConstructors) {
+  var differentConstructor =
+    constructor === Uint8Array ? Int8Array : Uint8Array;
+  var target = new constructor(16);
+  Object.defineProperty(target, "length", descriptor);
+
+  var sameBuffer = new differentConstructor(target.buffer, 0, 2);
+  Object.defineProperty(sameBuffer, "length", descriptor);
+  target.set(sameBuffer);
+
+  var differentBuffer = new differentConstructor(16);
+  Object.defineProperty(differentBuffer, "length", descriptor);
+  target.set(differentBuffer);
+
+  var array = [0, 1, 2];
+  target.set(array);
+}

test/test262/test262.status

@@ -453,9 +453,6 @@
   'annexB/built-ins/Object/prototype/__lookupSetter__/lookup-proto-get-err': [FAIL],
   'annexB/built-ins/Object/prototype/__lookupSetter__/lookup-proto-proto-err': [FAIL],
 
-  # https://bugs.chromium.org/p/v8/issues/detail?id=5133
-  'built-ins/TypedArray/prototype/set/array-arg-target-arraylength-internal': [FAIL],
-
   # https://bugs.chromium.org/p/v8/issues/detail?id=5134
   'built-ins/Array/prototype/concat/is-concat-spreadable-is-array-proxy-revoked': [FAIL],