The testcase I added for bug 738277 fails with JM-without-TI. The problem is that stubs::ConvertToTypedInt converts strings to int32 instead of converting to double and clamping the double. The typed array IC's are not used if TI is enabled, so this is not hugely important, but the fix is easy and necessary to get tbpl green again.

Patch is based on setElementTail in jstypedarray.cpp. I'm not sure about the JS_ALWAYS_TRUE, as far as I can see StringToNumberType can fail if getChars returns false. This seems easy to fix in jstypedarray.cpp but it makes the JM fix more complicated since stubs::ConvertToTypedInt has to be fallible. I'm not sure if doing that is worth it since the IC is only used without TI. What do you think?

Adding complexity here definitely isn't worth it, but I don't think it's good to ignore an OOM under ToNumber --- we could end up executing code while there is a pending exception, which would confuse things. (I don't know if reporting OOM normally sets a pending exception, but it looks like debugger hooks can post a catchable exception on OOM). It might be simplest to just disable the typed array IC.