[builtins] Handle uintptr overflow in Array.prototype.sort

... and let it gracefully crash with OOM.

Bug: v8:4153, chromium:1018598
Change-Id: I20dd9874cdbdf78665de3a83d0bc1611dc088c68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1883551Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64589}

third_party/v8/builtins/array-sort.tq

@@ -108,9 +108,16 @@ namespace array {
       receiver: JSReceiver, initialReceiverLength: Number): intptr {
     // TODO(szuend): Implement full range sorting, not only up to MaxSmi.
     //               https://crbug.com/v8/7970.
-    let clampedReceiverLength: uintptr =
-        Convert<uintptr>(initialReceiverLength);
-    if (clampedReceiverLength > kSmiMaxValue) {
+    let clampedReceiverLength: uintptr;
+    try {
+      clampedReceiverLength =
+          ChangeSafeIntegerNumberToUintPtr(initialReceiverLength)
+          otherwise UIntPtrOverflow;
+      if (clampedReceiverLength > kSmiMaxValue) {
+        clampedReceiverLength = kSmiMaxValue;
+      }
+    }
+    label UIntPtrOverflow {
       clampedReceiverLength = kSmiMaxValue;
     }