[typedarray] Really check that the JSTypedArray::length is always a Smi.

Even after https://codereview.chromium.org/2371963002 we might still
create JSTypedArray instances where the length field is a HeapNumber,
especially when TurboFan no longer canonicalizes all values in Smi
range to Smis (which we try to achieve currently). This adds strict
checking for this fact now.

R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2373013002
Cr-Commit-Position: refs/heads/master@{#39771}

src/objects-debug.cc

@@ -888,9 +888,7 @@ void JSTypedArray::JSTypedArrayVerify() {
   CHECK(IsJSTypedArray());
   JSArrayBufferViewVerify();
   VerifyPointer(raw_length());
-  CHECK(raw_length()->IsSmi() || raw_length()->IsHeapNumber() ||
-        raw_length()->IsUndefined(GetIsolate()));
-
+  CHECK(raw_length()->IsSmi() || raw_length()->IsUndefined(GetIsolate()));
   VerifyPointer(elements());
 }
 

src/runtime/runtime-typedarray.cc

@@ -204,6 +204,7 @@ RUNTIME_FUNCTION(Runtime_TypedArrayInitializeFromArrayLike) {
     length = JSTypedArray::cast(*source)->length_value();
   } else {
     CHECK(TryNumberToSize(*length_obj, &length));
+    CHECK(length_obj->IsSmi());
   }
 
   if ((length > static_cast<unsigned>(Smi::kMaxValue)) ||