Fix for 350887: CHECK failure on new_length->IsSmi()

src/elements.cc

Index: src/elements.cc
diff --git a/src/elements.cc b/src/elements.cc
index 2e4667d4a06b81b5c9c3f78c108defc41e260bca..e80fccf5ff923d18979393b1741a3e9cff261bc4 100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -1859,10 +1859,18 @@ MUST_USE_RESULT MaybeObject* ElementsAccessorBase<ElementsAccessorSubclass,
       MaybeObject* result = ElementsAccessorSubclass::
           SetLengthWithoutNormalize(backing_store, array, smi_length, value);
       if (!result->ToObject(&new_length)) return result;
-      ASSERT(new_length->IsSmi() || new_length->IsUndefined());
+      // even though the proposed length was a smi, new_length could
+      // still be a heap number because SetLengthWithoutNormalize doesn't
+      // allow the array length property to drop below the index of
+      // non-deletable elements.
+      ASSERT(new_length->IsSmi() || new_length->IsHeapNumber() ||
+             new_length->IsUndefined());
       if (new_length->IsSmi()) {
         array->set_length(Smi::cast(new_length));
         return array;
+      } else if (new_length->IsHeapNumber()) {
+        array->set_length(new_length);
+        return array;
       }
     } else {
       return ThrowArrayLengthRangeError(array->GetHeap());