[typedarray] Add TA.p.toLocaleString check for a detached buffer.

Bug: chromium:915783
Change-Id: I053ee6e905a98e0aafcabcf0838ada836a05c181
Reviewed-on: https://chromium-review.googlesource.com/c/1382553
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#58327}

src/builtins/array-join.tq

@@ -89,13 +89,13 @@ namespace array {
   // Verifies the current element JSArray accessor can still be safely used
   // (see LoadJoinElement<ElementsAccessor>).
   macro CannotUseSameArrayAccessor<T: type>(implicit context: Context)(
-      loadFn: LoadJoinElementFn, receiver: JSReceiver, originalMap: Map,
-      originalLen: Number): never
+      useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn,
+      receiver: JSReceiver, originalMap: Map, originalLen: Number): never
       labels Cannot, Can;
 
   CannotUseSameArrayAccessor<JSArray>(implicit context: Context)(
-      loadFn: LoadJoinElementFn, receiver: JSReceiver, originalMap: Map,
-      originalLen: Number): never
+      useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn,
+      receiver: JSReceiver, originalMap: Map, originalLen: Number): never
       labels Cannot, Can {
     if (loadFn == LoadJoinElement<GenericElementsAccessor>) goto Can;
 
@@ -107,14 +107,17 @@ namespace array {
   }
 
   CannotUseSameArrayAccessor<JSTypedArray>(implicit context: Context)(
-      loadFn: LoadJoinElementFn, receiver: JSReceiver, initialMap: Map,
-      initialLen: Number): never
+      useToLocaleString: constexpr bool, loadFn: LoadJoinElementFn,
+      receiver: JSReceiver, initialMap: Map, initialLen: Number): never
       labels Cannot, Can {
-    // It is assumed that neither loading a typed array element nor converting a
-    // number to string have side-effects. As such, it safe to use the initial
-    // LoadJoinElement specialization and it cannot change through out the join
-    // call.
-    assert(!IsDetachedBuffer(UnsafeCast<JSTypedArray>(receiver).buffer));
+    const typedArray: JSTypedArray = UnsafeCast<JSTypedArray>(receiver);
+    // It is assumed that calling toLocaleString is the only possible source
+    // of side-effects. Otherwise, it is safe to use the initial LoadJoinElement
+    // specialization and it cannot change through out the join call.
+    if constexpr (useToLocaleString) {
+      if (IsDetachedBuffer(typedArray.buffer)) goto Cannot;
+    }
+    assert(!IsDetachedBuffer(typedArray.buffer));
     goto Can;
   }
 
@@ -293,7 +296,7 @@ namespace array {
         // a. If k > 0, let R be the string-concatenation of R and sep.
         nofSeparators = nofSeparators + 1;
         if (CannotUseSameArrayAccessor<T>(
-                loadFn, receiver, initialMap, lengthNumber))
+                useToLocaleString, loadFn, receiver, initialMap, lengthNumber))
           deferred {
             loadFn = LoadJoinElement<GenericElementsAccessor>;
           }

test/mjsunit/regress/regress-crbug-915783.js

@@ -0,0 +1,35 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const constructors = [
+  [Uint8Array, [0, 1]],
+  [Int8Array, [0, 1]],
+  [Uint16Array, [0, 1]],
+  [Int16Array, [0, 1]],
+  [Uint32Array, [0, 1]],
+  [Int32Array, [0, 1]],
+  [Float32Array, [0, 1]],
+  [Float64Array, [0, 1]],
+  [Uint8ClampedArray, [0, 1]],
+  [BigInt64Array, [0n, 1n]],
+  [BigUint64Array, [0n, 1n]]
+];
+
+let typedArray;
+function detachBuffer() {
+  %ArrayBufferDetach(typedArray.buffer);
+  return 'a';
+}
+Number.prototype.toString = detachBuffer;
+BigInt.prototype.toString = detachBuffer;
+Number.prototype.toLocaleString = detachBuffer;
+BigInt.prototype.toLocaleString = detachBuffer;
+
+constructors.forEach(([constructor, arr]) => {
+  typedArray = new constructor(arr);
+  assertSame(typedArray.join(), '0,1');
+  assertSame(typedArray.toLocaleString(), 'a,');
+});