[rab/gsab] Fix detachedness logic in TA.p.fill

Bug: v8:11111
Change-Id: Iddf021d292f44ab2a7d719792f14cdc57e40223b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3172759
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76981}

src/builtins/builtins-typed-array.cc

@@ -147,6 +147,10 @@ BUILTIN(TypedArrayPrototypeFill) {
     }
   }
 
+  if (V8_UNLIKELY(array->WasDetached())) {
+    return *array;
+  }
+
   if (V8_UNLIKELY(array->IsVariableLength())) {
     bool out_of_bounds = false;
     array->GetLengthOrOutOfBounds(out_of_bounds);
@@ -156,8 +160,6 @@ BUILTIN(TypedArrayPrototypeFill) {
           isolate->factory()->NewStringFromAsciiChecked(method);
       THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(message, operation));
     }
-  } else if (V8_UNLIKELY(array->WasDetached())) {
-    return *array;
   }
 
   int64_t count = end - start;

test/mjsunit/typedarray-helpers.js

@@ -20,6 +20,10 @@ const ctors = [
   MyBigInt64Array,
 ];
 
+function CreateResizableArrayBuffer(byteLength, maxByteLength) {
+  return new ArrayBuffer(byteLength, {maxByteLength: maxByteLength});
+}
+
 function ReadDataFromBuffer(ab, ctor) {
   let result = [];
   const ta = new ctor(ab, 0, ab.byteLength / ctor.BYTES_PER_ELEMENT);

test/mjsunit/typedarray-resizablearraybuffer-detach.js

@@ -6,25 +6,7 @@
 
 "use strict";
 
-class MyUint8Array extends Uint8Array {};
-
-const ctors = [
-  Uint8Array,
-  Int8Array,
-  Uint16Array,
-  Int16Array,
-  Int32Array,
-  Float32Array,
-  Float64Array,
-  Uint8ClampedArray,
-  BigUint64Array,
-  BigInt64Array,
-  MyUint8Array
-];
-
-function CreateResizableArrayBuffer(byteLength, maxByteLength) {
-  return new ArrayBuffer(byteLength, {maxByteLength: maxByteLength});
-}
+d8.file.execute('test/mjsunit/typedarray-helpers.js');
 
 (function ConstructorThrowsIfBufferDetached() {
   const rab = CreateResizableArrayBuffer(40, 80);
@@ -140,3 +122,16 @@ function CreateResizableArrayBuffer(byteLength, maxByteLength) {
     assertEquals(undefined, i8a[2]);
   }
 })();
+
+(function FillParameterConversionDetaches() {
+  for (let ctor of ctors) {
+    const rab = CreateResizableArrayBuffer(4 * ctor.BYTES_PER_ELEMENT,
+                                           8 * ctor.BYTES_PER_ELEMENT);
+    const fixedLength = new ctor(rab, 0, 4);
+
+    let evil = { valueOf: () => { %ArrayBufferDetach(rab); return 1;}};
+    // The length is read after converting the first parameter ('value'), so the
+    // detaching parameter has to be the 2nd ('start') or 3rd ('end').
+    FillHelper(fixedLength, 1, 0, evil);
+  }
+})();

test/mjsunit/typedarray-resizablearraybuffer.js

@@ -9,10 +9,6 @@
 
 d8.file.execute('test/mjsunit/typedarray-helpers.js');
 
-function CreateResizableArrayBuffer(byteLength, maxByteLength) {
-  return new ArrayBuffer(byteLength, {maxByteLength: maxByteLength});
-}
-
 (function TypedArrayPrototype() {
   const rab = CreateResizableArrayBuffer(40, 80);
   const ab = new ArrayBuffer(80);