[turbofan] Disable AccessMode::kDefine for TypedArrays

Bug: chromium:1408400
Change-Id: Icde985d19c55e1e72011a5ca8dd36ccf283ecb74
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4194730
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Auto-Submit: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85492}

src/compiler/js-native-context-specialization.cc

@@ -2158,6 +2158,16 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
     return NoChange();
   }
 
+  // Do not optimize AccessMode::kDefine for typed arrays.
+  if (access_mode == AccessMode::kDefine) {
+    for (const ElementAccessInfo& access_info : access_infos) {
+      if (IsTypedArrayOrRabGsabTypedArrayElementsKind(
+              access_info.elements_kind())) {
+        return NoChange();
+      }
+    }
+  }
+
   // For holey stores or growing stores, we need to check that the prototype
   // chain contains no setters for elements, and we need to guard those checks
   // via code dependencies on the relevant prototype maps.
@@ -3486,6 +3496,9 @@ JSNativeContextSpecialization::
          IsRabGsabTypedArrayElementsKind(elements_kind));
   DCHECK_IMPLIES(IsRabGsabTypedArrayElementsKind(elements_kind),
                  v8_flags.turbo_rab_gsab);
+  // AccessMode::kDefine is not handled here. Optimization should be skipped by
+  // caller.
+  DCHECK(keyed_mode.access_mode() != AccessMode::kDefine);
 
   Node* buffer_or_receiver = receiver;
   Node* length;

test/mjsunit/regress/regress-1408400.js

@@ -0,0 +1,16 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags:
+
+for (let v0 = 0; v0 < 89; v0++) {
+  function f3() {
+  }
+  class C7 extends Uint8Array {
+      7 = f3;
+  }
+  const v8 = new C7(1111953);
+  for (let v9 = 0; v9 < 91; v9++) {
+  }
+}