[rab/gsab] Fix RAB/GSABness in %TypedArray%.of

Bug: v8:11111,chromium:1377840 Change-Id: I0a3d86b9f160c0daf28f45b9ec7a37f0a88be614 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3976511 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#83942}
2022-10-27 09:52:53 +02:00 · 2022-10-27 09:52:53 +02:00 · 4bef10308f
commit 4bef10308f
parent fb6b3f7373
2 changed files with 31 additions and 5 deletions
--- a/src/builtins/typed-array-createtypedarray.tq
+++ b/src/builtins/typed-array-createtypedarray.tq
@ -329,11 +329,18 @@ transitioning macro TypedArrayCreateByLength(implicit context: Context)(

  // 2. Perform ? ValidateTypedArray(newTypedArray).
  //    ValidateTypedArray currently returns the array, not the ViewBuffer.
+  const newTypedArrayLength =
+      ValidateTypedArrayAndGetLength(context, newTypedArrayObj, methodName);
  const newTypedArray: JSTypedArray =
-      ValidateTypedArray(context, newTypedArrayObj, methodName);
-  // TODO(v8:11111): bit_field should be initialized to 0.
-  newTypedArray.bit_field.is_length_tracking = false;
-  newTypedArray.bit_field.is_backed_by_rab = false;
+      UnsafeCast<JSTypedArray>(newTypedArrayObj);
+
+  dcheck(
+      newTypedArray.bit_field.is_backed_by_rab ==
+      (IsResizableArrayBuffer(newTypedArray.buffer) &&
+       !IsSharedArrayBuffer(newTypedArray.buffer)));
+  dcheck(
+      !newTypedArray.bit_field.is_length_tracking ||
+      IsResizableArrayBuffer(newTypedArray.buffer));

  if (IsDetachedBuffer(newTypedArray.buffer)) deferred {
      ThrowTypeError(MessageTemplate::kDetachedOperation, methodName);
@ -342,7 +349,7 @@ transitioning macro TypedArrayCreateByLength(implicit context: Context)(
  // 3. If argumentList is a List of a single Number, then
  //   a. If newTypedArray.[[ArrayLength]] < argumentList[0], throw a
  //      TypeError exception.
-  if (newTypedArray.length < Convert<uintptr>(length)) deferred {
+  if (newTypedArrayLength < Convert<uintptr>(length)) deferred {
      ThrowTypeError(MessageTemplate::kTypedArrayTooShort);
    }

--- a/test/mjsunit/regress/regress-crbug-1377840.js
+++ b/test/mjsunit/regress/regress-crbug-1377840.js
@ -0,0 +1,19 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-rab-gsab
+
+const rab = new ArrayBuffer(3782, {maxByteLength: 4096});
+const u16a = new Int16Array(rab);
+rab.resize(0);
+
+function ctor() {
+  return u16a;
+}
+
+assertThrows(() => { Float64Array.of.call(ctor, 1); }, TypeError);
+
+rab.resize(8);
+const u16a2 = Int16Array.of.call(ctor, 3);
+assertEquals(3, u16a2[0]);