[typedarray] Fix a spec violation in the constructor.

Implement the new spec behavior that says construction from a neutered
buffer should throw after the ToIndex call on the length argument.

Bug: v8:6216
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I219a107730b53fca639bc813f68f7ddc27e79017
Reviewed-on: https://chromium-review.googlesource.com/789847
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49639}

src/builtins/builtins-typedarray-gen.cc

@@ -429,7 +429,7 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
       invalid_offset_error(this, Label::kDeferred);
   Label offset_is_smi(this), offset_not_smi(this, Label::kDeferred),
       check_length(this), call_init(this), invalid_length(this),
-      length_undefined(this), length_defined(this);
+      length_undefined(this), length_defined(this), detached_error(this);
 
   GotoIf(IsUndefined(byte_offset), &check_length);
 
@@ -460,11 +460,11 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
   }
 
   BIND(&check_length);
-  // TODO(petermarshall): Throw on detached typedArray.
   Branch(IsUndefined(length), &length_undefined, &length_defined);
 
   BIND(&length_undefined);
   {
+    GotoIf(IsDetachedBuffer(buffer), &detached_error);
     Node* buffer_byte_length =
         LoadObjectField(buffer, JSArrayBuffer::kByteLengthOffset);
 
@@ -486,6 +486,7 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
   BIND(&length_defined);
   {
     Node* new_length = ToSmiIndex(length, context, &invalid_length);
+    GotoIf(IsDetachedBuffer(buffer), &detached_error);
     new_byte_length.Bind(SmiMul(new_length, element_size));
     // Reading the byte length must come after the ToIndex operation, which
     // could cause the buffer to become detached.
@@ -545,6 +546,9 @@ TF_BUILTIN(TypedArrayConstructByArrayBuffer, TypedArrayBuiltinsAssembler) {
                 SmiConstant(MessageTemplate::kInvalidTypedArrayLength), length);
     Unreachable();
   }
+
+  BIND(&detached_error);
+  { ThrowTypeError(context, MessageTemplate::kDetachedOperation, "Construct"); }
 }
 
 Node* TypedArrayBuiltinsAssembler::LoadDataPtr(Node* typed_array) {

test/mjsunit/regress/regress-353004.js

@@ -6,12 +6,12 @@
 
 var buffer1 = new ArrayBuffer(100 * 1024);
 
-var array1 = new Uint8Array(buffer1, {valueOf : function() {
-  %ArrayBufferNeuter(buffer1);
-  return 0;
-}});
-
-assertEquals(0, array1.length);
+assertThrows(function() {
+  var array1 = new Uint8Array(buffer1, {valueOf : function() {
+    %ArrayBufferNeuter(buffer1);
+    return 0;
+  }});
+}, TypeError);
 
 var buffer2 = new ArrayBuffer(100 * 1024);
 
@@ -20,8 +20,21 @@ assertThrows(function() {
       %ArrayBufferNeuter(buffer2);
       return 100 * 1024;
   }});
-}, RangeError);
+}, TypeError);
 
+let convertedOffset = false;
+let convertedLength = false;
+assertThrows(() =>
+  new Uint8Array(buffer1, {valueOf : function() {
+      convertedOffset = true;
+      return 0;
+    }}, {valueOf : function() {
+      convertedLength = true;
+      %ArrayBufferNeuter(buffer1);
+      return 0;
+  }}), TypeError);
+assertTrue(convertedOffset);
+assertTrue(convertedLength);
 
 var buffer3 = new ArrayBuffer(100 * 1024 * 1024);
 var dataView1 = new DataView(buffer3, {valueOf : function() {

test/test262/test262.status

@@ -84,11 +84,6 @@
   'language/expressions/prefix-increment/S11.4.4_A5_*': [FAIL],
   'language/statements/variable/binding-resolution': [FAIL],
 
-  # https://bugs.chromium.org/p/v8/issues/detail?id=6216
-  'built-ins/TypedArrays/buffer-arg-byteoffset-to-number-detachbuffer': [FAIL],
-  'built-ins/TypedArrays/buffer-arg-length-to-number-detachbuffer': [FAIL],
-  'built-ins/TypedArrays/buffer-arg-detachedbuffer': [FAIL],
-
   # https://bugs.chromium.org/p/v8/issues/detail?id=4895
   'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer': [FAIL],
   'built-ins/TypedArrays/internals/DefineOwnProperty/detached-buffer-realm': [FAIL],