Robustify NewNumberFromSize against int-overflow on cast

As luck would have it, there doesn't seem to be a way to trigger
observable misbehavior currently (only with special flags).

BUG=chromium:380671
LOG=n
R=mvstanton@chromium.org

Review URL: https://codereview.chromium.org/1588013002

Cr-Commit-Position: refs/heads/master@{#33305}

src/factory.h

@@ -343,7 +343,9 @@ class Factory final {
                                   PretenureFlag pretenure = NOT_TENURED);
   Handle<Object> NewNumberFromSize(size_t value,
                                    PretenureFlag pretenure = NOT_TENURED) {
-    if (Smi::IsValid(static_cast<intptr_t>(value))) {
+    // We can't use Smi::IsValid() here because that operates on a signed
+    // intptr_t, and casting from size_t could create a bogus sign bit.
+    if (value <= static_cast<size_t>(Smi::kMaxValue)) {
       return Handle<Object>(Smi::FromIntptr(static_cast<intptr_t>(value)),
                             isolate());
     }

test/mjsunit/regress/regress-crbug-380671.js

+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --mock-arraybuffer-allocator
+
+var buffer = new ArrayBuffer(0xc0000000);
+assertEquals(0xc0000000, buffer.byteLength);