[codex] Guard array length against NaN-boxed non-pointers #4150

Merged: proggeramlug merged 1 commit into PerryTS:main from andrewtdiz:codex/fix-create-renderer-crash on Jun 2, 2026

@andrewtdiz
Contributor

Summary

Fix a Perry runtime crash in js_array_length when callers pass a NaN-boxed non-pointer tag through a path that expects an array-like pointer.

The OpenTUI PerryRenderLib.createRenderer(40, 10, ...) reducer crashed after before-create-renderer with SIGSEGV. LLDB showed js_array_length calling the Set/Map registry probes before rejecting a 0x7FFC... singleton/hole-style tag, causing is_registered_set to read a GC header from a fake pointer.

Changes

  • Normalize NaN-boxed pointer values, and reject non-pointer NaN-boxed tags, before Set/Map registry probes in js_array_length.
  • Add a regression covering undefined, null, booleans, TAG_HOLE, and an int32 tag reaching js_array_length.

Validation

  • cargo fmt --check passed.
  • Before rebasing onto current origin/main, cargo test -p perry-runtime test_array_length_rejects_nanboxed_non_pointers_before_registry_probe passed.
  • Before rebasing, cargo build --release -p perry, cargo build --release -p perry-runtime, and cargo build --release -p perry-stdlib passed.
  • Focused PTY repro passed after relinking with the fixed runtime: /tmp/opentui-perry-create-renderer-syGcGq/create-renderer-fixed reached after-create-renderer:3, after-set-use-thread, and after-destroy-renderer with rc 0.
  • After rebasing, retrying the targeted test was blocked by local disk exhaustion: rustc-LLVM ERROR: IO failure on output stream: No space left on device.
  • Generic OpenTUI smoke with the fixed binary compiled and ran, but is not green yet: it timed out waiting for initial visible text. Output showed the renderer no longer crashed and emitted a blank frame after intermediateRender; this is a follow-up render/content path blocker, not completion evidence.

Notes

This PR is intentionally scoped to the runtime SIGSEGV guard. It does not claim generic OpenTUI smoke completion and does not claim OpenCode/OpenTUI migration completion.
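
The ordering this PR describes (classify the NaN-boxed value first, probe the Set/Map registry only for values that can be pointers), as an added example that is not part of the PR or Perry's source. The tag constants, the `Heap` stand-in with its probe log, the `guard` flag, and the acceptance of raw untagged pointers are all assumptions made for illustration.

```rust
use std::collections::HashMap;

// Assumed layout for this example only: top 16 bits tag, low 48 bits payload.
const TAG_MASK: u64 = 0xFFFF_0000_0000_0000;
const PAYLOAD_MASK: u64 = 0x0000_FFFF_FFFF_FFFF;
const SINGLETON_TAG: u64 = 0x7FFC_0000_0000_0000; // undefined, null, bools, hole
const POINTER_TAG: u64 = 0x7FFD_0000_0000_0000;
const INT32_TAG: u64 = 0x7FFE_0000_0000_0000;

// Stand-in heap. `probes` logs each address a registry lookup would read a header from.
struct Heap { arrays: HashMap<u64, u32>, sets: Vec<u64>, probes: Vec<u64> }
impl Heap {
    fn is_registered_set(&mut self, addr: u64) -> bool { self.probes.push(addr); self.sets.contains(&addr) }
}

// Some(address) only when `bits` can be an object pointer.
fn normalize_pointer(bits: u64) -> Option<u64> {
    match bits & TAG_MASK {
        POINTER_TAG => Some(bits & PAYLOAD_MASK),             // boxed pointer: strip the tag
        t if t >= SINGLETON_TAG => None,                      // any other NaN-box tag
        _ if bits != 0 && bits <= PAYLOAD_MASK => Some(bits), // raw pointer
        _ => None,                                            // ordinary f64 or zero
    }
}

// `guard = false` is a simplified model of the pre-fix ordering: probe without a tag check.
fn array_length(bits: u64, heap: &mut Heap, guard: bool) -> u32 {
    let addr = if guard {
        match normalize_pointer(bits) { Some(a) => a, None => return 0 }
    } else {
        bits & PAYLOAD_MASK // a singleton's payload is not an address
    };
    if heap.is_registered_set(addr) { return 0; }
    heap.arrays.get(&addr).copied().unwrap_or(0)
}

fn sample_heap() -> Heap {
    Heap { arrays: HashMap::from([(0x1000, 3)]), sets: vec![0x2000], probes: vec![] }
}

fn main() {
    let (mut fixed, mut old) = (sample_heap(), sample_heap());
    for v in [SINGLETON_TAG | 1, SINGLETON_TAG | 5, INT32_TAG | 7] { // constructed inputs
        array_length(v, &mut fixed, true);
        array_length(v, &mut old, false);
    }
    println!("guarded probes: {:?}, unguarded probes: {:?}", fixed.probes, old.probes);
}
```

The probe log is the thing to watch: with the guard it stays empty for every non-pointer tag, which is the property a regression test for this class of crash should pin down.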

@proggeramlug proggeramlug marked this pull request as ready for review June 2, 2026 21:14
@proggeramlug proggeramlug merged commit 5bb3e00 into PerryTS:main Jun 2, 2026
11 checks passed