[rab/gsab] Fix transfer on empty ArrayBuffers

ArrayBuffers of length 0 may not have a BackingStore, so guard for that
case in ArrayBuffer.prototype.transfer.

Bug: v8:11111, chromium:1364738
Change-Id: I058d00f0f60183f9137c60682ad93973c7a6dcbb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3902517
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83301}

src/builtins/builtins-arraybuffer.cc

@@ -569,7 +569,7 @@ BUILTIN(ArrayBufferPrototypeTransfer) {
 
   // Case 2: We can reuse the same BackingStore.
   auto from_backing_store = array_buffer->GetBackingStore();
-  if (!from_backing_store->is_resizable() &&
+  if (from_backing_store && !from_backing_store->is_resizable() &&
       (new_byte_length == array_buffer->GetByteLength() ||
        from_backing_store->CanReallocate())) {
     // Reallocate covers steps 6-12.

test/mjsunit/harmony/arraybuffer-transfer.js

@@ -125,6 +125,11 @@ TestNonGrow(0, { maxByteLength: 2048 });
   }
 })();
 
+(function TestEmptySourceStore() {
+  let ab = new ArrayBuffer();
+  let xfer = ab.transfer().transfer(1024);
+})();
+
 if (typeof WebAssembly !== 'undefined') {
   // WebAssembly buffers cannot be detached.
   const memory = new WebAssembly.Memory({ initial: 1 });