[rab/gsab|turbofan] Fix JSCallReducer::ReduceDataViewAccess for RAB/GSAB

Bug: v8:11111,chromium:1412001
Change-Id: Iff5e6efbb82060a62ed55ba84809b6469da872f9
Fixed: chromium:1412001
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4208945
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85582}

src/compiler/heap-refs.cc

@@ -1470,6 +1470,10 @@ FixedArrayRef JSBoundFunctionRef::bound_arguments() const {
 
 // Immutable after initialization.
 HEAP_ACCESSOR_C(JSDataView, size_t, byte_length)
+HEAP_ACCESSOR_B(JSDataView, bit_field, is_backed_by_rab,
+                JSDataView::IsBackedByRabBit)
+HEAP_ACCESSOR_B(JSDataView, bit_field, is_length_tracking,
+                JSDataView::IsLengthTrackingBit)
 
 HEAP_ACCESSOR_B(Map, bit_field2, elements_kind, Map::Bits2::ElementsKindBits)
 HEAP_ACCESSOR_B(Map, bit_field3, is_dictionary_map,

src/compiler/heap-refs.h

@@ -432,6 +432,8 @@ class JSDataViewRef : public JSObjectRef {
   Handle<JSDataView> object() const;
 
   size_t byte_length() const;
+  bool is_backed_by_rab() const;
+  bool is_length_tracking() const;
 };
 
 class JSBoundFunctionRef : public JSObjectRef {

src/compiler/js-call-reducer.cc

@@ -7969,6 +7969,13 @@ Reduction JSCallReducer::ReduceDataViewAccess(Node* node, DataViewAccess access,
     // We only deal with DataViews here whose [[ByteLength]] is at least
     // {element_size}, as for all other DataViews it'll be out-of-bounds.
     JSDataViewRef dataview = m.Ref(broker()).AsJSDataView();
+
+    if (dataview.is_backed_by_rab() || dataview.is_length_tracking()) {
+      // Disable this optimization for RAB/GSAB. TODO(v8:11111): Don't bail out,
+      // instead generate code for reading the current length.
+      return NoChange();
+    }
+
     size_t length = dataview.byte_length();
     if (length < element_size) return NoChange();