Revert "[compiler] Replace JSDataView with direct reads"

This reverts commit b5f37051.

Reason for revert: Breaking the fuzzer https://bugs.chromium.org/p/v8/issues/detail?id=10918

Original change's description:
> [compiler] Replace JSDataView with direct reads
>
> Bug: v8:7790
> Change-Id: Id01c2e4359aa4294816ffe14c08a586a9b9b10c2
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404768
> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69904}

Change-Id: I9a470708f06328061d5d4ecf21fa38bc0e49ff45
Bug: v8:7790, v8:10918
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2410196Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69911}

src/compiler/heap-refs.h

@@ -55,8 +55,6 @@ enum class OddballType : uint8_t {
 // Classes on this list will skip serialization when
 // FLAG_turbo_direct_heap_access is on. Otherwise, they might get serialized.
 #define HEAP_BROKER_NEVER_SERIALIZED_OBJECT_LIST(V) \
-  /* Subtypes of JSObject */                        \
-  V(JSDataView)                                     \
   /* Subtypes of FixedArray */                      \
   V(ObjectBoilerplateDescription)                   \
   /* Subtypes of FixedArrayBase */                  \
@@ -76,6 +74,7 @@ enum class OddballType : uint8_t {
   /* Subtypes of JSObject */                  \
   V(JSArray)                                  \
   V(JSBoundFunction)                          \
+  V(JSDataView)                               \
   V(JSFunction)                               \
   V(JSGlobalObject)                           \
   V(JSGlobalProxy)                            \

src/compiler/js-call-reducer.cc

@@ -7332,11 +7332,11 @@ Reduction JSCallReducer::ReduceDataViewAccess(Node* node, DataViewAccess access,
     // We only deal with DataViews here whose [[ByteLength]] is at least
     // {element_size}, as for all other DataViews it'll be out-of-bounds.
     JSDataViewRef dataview = m.Ref(broker()).AsJSDataView();
-    size_t length = dataview.byte_length();
-    if (length < element_size) return NoChange();
+    if (dataview.byte_length() < element_size) return NoChange();
 
-    // Check that the {offset} is within range of the {length}.
-    Node* byte_length = jsgraph()->Constant(length - (element_size - 1));
+    // Check that the {offset} is within range of the {byte_length}.
+    Node* byte_length =
+        jsgraph()->Constant(dataview.byte_length() - (element_size - 1));
     offset = effect = graph()->NewNode(simplified()->CheckBounds(p.feedback()),
                                        offset, byte_length, effect, control);
   } else {

src/compiler/js-heap-broker.cc

@@ -1482,9 +1482,7 @@ class FixedArrayData : public FixedArrayBaseData {
 JSDataViewData::JSDataViewData(JSHeapBroker* broker, ObjectData** storage,
                                Handle<JSDataView> object)
     : JSObjectData(broker, storage, object),
-      byte_length_(object->byte_length()) {
-  DCHECK(!FLAG_turbo_direct_heap_access);
-}
+      byte_length_(object->byte_length()) {}
 
 JSBoundFunctionData::JSBoundFunctionData(JSHeapBroker* broker,
                                          ObjectData** storage,