[rab/gsab] TypedArray.p.slice fix in Torque: Destination can be resizable

Bug: v8:11111,chromium:1362487
Change-Id: Ifc7649ec945a0cb13e02c52a47f8ab68fa8ab848
Fixed: chromium:1362487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3890915
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83242}

src/builtins/typed-array-slice.tq

@@ -36,8 +36,20 @@ macro FastCopy(
       otherwise unreachable;
   const srcPtr: RawPtr = src.data_ptr + Convert<intptr>(startOffset);
 
-  dcheck(countBytes <= dest.byte_length);
-  dcheck(countBytes <= src.byte_length - startOffset);
+  @if(DEBUG) {
+    const srcLength =
+        LoadJSTypedArrayLengthAndCheckDetached(src) otherwise unreachable;
+    const srcByteLength = GetTypedArrayElementsInfo(src).CalculateByteLength(
+        srcLength) otherwise unreachable;
+
+    const destLength =
+        LoadJSTypedArrayLengthAndCheckDetached(dest) otherwise unreachable;
+    const destByteLength = GetTypedArrayElementsInfo(dest).CalculateByteLength(
+        destLength) otherwise unreachable;
+
+    dcheck(countBytes <= destByteLength);
+    dcheck(countBytes <= srcByteLength - startOffset);
+  }
 
   if (IsSharedArrayBuffer(src.buffer)) {
     // SABs need a relaxed memmove to preserve atomicity.

test/mjsunit/regress/regress-crbug-1362487.js

@@ -0,0 +1,16 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-rab-gsab
+
+const rab1 = new ArrayBuffer(2000, {'maxByteLength': 4000});
+class MyInt8Array extends Int8Array {
+    constructor() {
+        super(rab1);
+    }
+};
+const rab2 = new ArrayBuffer(1000, {'maxByteLength': 4000});
+const ta = new Int8Array(rab2);
+ta.constructor = MyInt8Array;
+ta.slice();