[rab/gsab] Fix leftover IsTypedArrayElementsKind checks in map transitions

With everything related to map transitions, RAB/GSAB typed array elements kinds should behave exactly like non-RAB/GSAB typed array elements kinds. Bug: chromium:1360736, v8:11111 Change-Id: Ie5cef928a25856f0c476653275066b49dfee6e41 Fixed: chromium:1360736 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879497Reviewed-by: Shu-yu Guo <syg@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#83119}

[rab/gsab] Fix leftover IsTypedArrayElementsKind checks in map transitions
With everything related to map transitions, RAB/GSAB typed array elements kinds should behave exactly like non-RAB/GSAB typed array elements kinds. Bug: chromium:1360736, v8:11111 Change-Id: Ie5cef928a25856f0c476653275066b49dfee6e41 Fixed: chromium:1360736 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3879497Reviewed-by: Shu-yu Guo <syg@chromium.org> Auto-Submit: Marja Hölttä <marja@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#83119}
62635a72 · Marja Hölttä · V8 LUCI CQ · 03b99259 · 62635a72 · 62635a72
Commit 62635a72 authored Sep 08, 2022 by Marja Hölttä Committed by V8 LUCI CQ Sep 09, 2022
5 changed files
--- a/src/objects/elements-kind.cc
+++ b/src/objects/elements-kind.cc
@@ -73,7 +73,7 @@ int ElementsKindToByteSize(ElementsKind elements_kind) {
 int GetDefaultHeaderSizeForElementsKind(ElementsKind elements_kind) {
  static_assert(FixedArray::kHeaderSize == FixedDoubleArray::kHeaderSize);

-  if (IsTypedArrayElementsKind(elements_kind)) {
+  if (IsTypedArrayOrRabGsabTypedArrayElementsKind(elements_kind)) {
    return 0;
  } else {
    return FixedArray::kHeaderSize - kHeapObjectTag;
@@ -178,8 +178,8 @@ bool IsMoreGeneralElementsKindTransition(ElementsKind from_kind,
                                         ElementsKind to_kind) {
  if (!IsFastElementsKind(from_kind)) return false;
  if (!IsFastTransitionTarget(to_kind)) return false;
-  DCHECK(!IsTypedArrayElementsKind(from_kind));
-  DCHECK(!IsTypedArrayElementsKind(to_kind));
+  DCHECK(!IsTypedArrayOrRabGsabTypedArrayElementsKind(from_kind));
+  DCHECK(!IsTypedArrayOrRabGsabTypedArrayElementsKind(to_kind));
  switch (from_kind) {
    case PACKED_SMI_ELEMENTS:
      return to_kind != PACKED_SMI_ELEMENTS;

--- a/src/objects/elements-kind.h
+++ b/src/objects/elements-kind.h
@@ -239,7 +239,7 @@ inline bool IsSharedArrayElementsKind(ElementsKind kind) {

 inline bool IsTerminalElementsKind(ElementsKind kind) {
  return kind == TERMINAL_FAST_ELEMENTS_KIND ||
-         IsTypedArrayElementsKind(kind) ||
+         IsTypedArrayOrRabGsabTypedArrayElementsKind(kind) ||
         IsRabGsabTypedArrayElementsKind(kind);
 }

@@ -249,7 +249,8 @@ inline bool IsFastElementsKind(ElementsKind kind) {
 }

 inline bool IsTransitionElementsKind(ElementsKind kind) {
-  return IsFastElementsKind(kind) || IsTypedArrayElementsKind(kind) ||
+  return IsFastElementsKind(kind) ||
+         IsTypedArrayOrRabGsabTypedArrayElementsKind(kind) ||
         kind == FAST_SLOPPY_ARGUMENTS_ELEMENTS ||
         kind == FAST_STRING_WRAPPER_ELEMENTS;
 }

--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -4114,7 +4114,7 @@ bool TestElementsIntegrityLevel(JSObject object, PropertyAttributes level) {
        NumberDictionary::cast(object.elements()), object.GetReadOnlyRoots(),
        level);
  }
-  if (IsTypedArrayElementsKind(kind)) {
+  if (IsTypedArrayOrRabGsabTypedArrayElementsKind(kind)) {
    if (level == FROZEN && JSArrayBufferView::cast(object).byte_length() > 0) {
      return false;  // TypedArrays with elements can't be frozen.
    }

--- a/src/objects/map-updater.cc
+++ b/src/objects/map-updater.cc
@@ -371,7 +371,7 @@ base::Optional<Map> MapUpdater::TryUpdateNoLock(Isolate* isolate, Map old_map,
    // the integrity level transition sets the elements to dictionary mode.
    DCHECK(to_kind == DICTIONARY_ELEMENTS ||
           to_kind == SLOW_STRING_WRAPPER_ELEMENTS ||
-           IsTypedArrayElementsKind(to_kind) ||
+           IsTypedArrayOrRabGsabTypedArrayElementsKind(to_kind) ||
           IsAnyHoleyNonextensibleElementsKind(to_kind));
    to_kind = info.integrity_level_source_map.elements_kind();
  }
@@ -584,7 +584,7 @@ MapUpdater::State MapUpdater::FindRootMap() {
    // the seal transitions), so change {to_kind} accordingly.
    DCHECK(to_kind == DICTIONARY_ELEMENTS ||
           to_kind == SLOW_STRING_WRAPPER_ELEMENTS ||
-           IsTypedArrayElementsKind(to_kind) ||
+           IsTypedArrayOrRabGsabTypedArrayElementsKind(to_kind) ||
           IsAnyNonextensibleElementsKind(to_kind));
    to_kind = integrity_source_map_->elements_kind();
  }

--- a/test/mjsunit/regress/regress-crbug-1360736.js
+++ b/test/mjsunit/regress/regress-crbug-1360736.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const rab = new ArrayBuffer(ArrayBuffer, {"maxByteLength": 7158170});
+const ta = new Uint8Array(rab);
+const proxy = new Proxy(ta, {});
+proxy.valueOf = () => {};
+Object.seal(proxy);