[turbofan] Don't embed backing store of neutered array buffer.

R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1127193003

Cr-Commit-Position: refs/heads/master@{#28308}

src/compiler/js-typed-lowering.cc

@@ -829,12 +829,11 @@ Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) {
   Node* key = NodeProperties::GetValueInput(node, 1);
   Node* base = NodeProperties::GetValueInput(node, 0);
   Type* key_type = NodeProperties::GetBounds(key).upper;
-  // TODO(mstarzinger): This lowering is not correct if:
-  //   a) The typed array or it's buffer is neutered.
   HeapObjectMatcher<Object> mbase(base);
   if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) {
     Handle<JSTypedArray> const array =
         Handle<JSTypedArray>::cast(mbase.Value().handle());
+    if (!array->GetBuffer()->was_neutered()) {
       array->GetBuffer()->set_is_neuterable(false);
       BufferAccess const access(array->type());
       size_t const k = ElementSizeLog2Of(access.machine_type());
@@ -850,7 +849,8 @@ Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) {
         Node* effect = NodeProperties::GetEffectInput(node);
         Node* control = NodeProperties::GetControlInput(node);
         // Check if we can avoid the bounds check.
-      if (key_type->Min() >= 0 && key_type->Max() < array->length()->Number()) {
+        if (key_type->Min() >= 0 &&
+            key_type->Max() < array->length()->Number()) {
           Node* load = graph()->NewNode(
               simplified()->LoadElement(
                   AccessBuilder::ForTypedArrayElement(array->type(), true)),
@@ -864,6 +864,7 @@ Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) {
         return ReplaceEagerly(node, load);
       }
     }
+  }
   return NoChange();
 }
 
@@ -874,12 +875,11 @@ Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) {
   Node* value = NodeProperties::GetValueInput(node, 2);
   Type* key_type = NodeProperties::GetBounds(key).upper;
   Type* value_type = NodeProperties::GetBounds(value).upper;
-  // TODO(mstarzinger): This lowering is not correct if:
-  //   a) The typed array or its buffer is neutered.
   HeapObjectMatcher<Object> mbase(base);
   if (mbase.HasValue() && mbase.Value().handle()->IsJSTypedArray()) {
     Handle<JSTypedArray> const array =
         Handle<JSTypedArray>::cast(mbase.Value().handle());
+    if (!array->GetBuffer()->was_neutered()) {
       array->GetBuffer()->set_is_neuterable(false);
       BufferAccess const access(array->type());
       size_t const k = ElementSizeLog2Of(access.machine_type());
@@ -918,7 +918,8 @@ Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) {
           value = graph()->NewNode(simplified()->NumberToUint32(), value);
         }
         // Check if we can avoid the bounds check.
-      if (key_type->Min() >= 0 && key_type->Max() < array->length()->Number()) {
+        if (key_type->Min() >= 0 &&
+            key_type->Max() < array->length()->Number()) {
           node->set_op(simplified()->StoreElement(
               AccessBuilder::ForTypedArrayElement(array->type(), true)));
           node->ReplaceInput(0, buffer);
@@ -945,6 +946,7 @@ Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) {
         return Changed(node);
       }
     }
+  }
   return NoChange();
 }