[rab/gsab] Fix zeroing of transferred ArrayBuffers

Bug: v8:13066, v8:11111
Cq-Include-Trybots: luci.v8.try:v8_win_rel_ng,v8_win_dbg_ng
Change-Id: I8066e04d713ba357e816ebaef04ef45518723d35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3759235
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81675}

src/builtins/builtins-arraybuffer.cc

@@ -609,8 +609,7 @@ BUILTIN(ArrayBufferPrototypeTransfer) {
   }
 
   // 8. Let copyLength be min(newByteLength, O.[[ArrayBufferByteLength]]).
-  size_t copy_byte_length =
-      std::min(new_byte_length, array_buffer->GetByteLength());
+  // (Size comparison is done manually below instead of using min.)
 
   // 9. Let fromBlock be O.[[ArrayBufferData]].
   uint8_t* from_data =
@@ -623,7 +622,13 @@ BUILTIN(ArrayBufferPrototypeTransfer) {
   // 12. NOTE: Neither creation of the new Data Block nor copying from the old
   // Data Block are observable. Implementations reserve the right to implement
   // this method as a zero-copy move or a realloc.
-  CopyBytes(to_data, from_data, copy_byte_length);
+  size_t from_byte_length = array_buffer->GetByteLength();
+  if (new_byte_length <= from_byte_length) {
+    CopyBytes(to_data, from_data, new_byte_length);
+  } else {
+    CopyBytes(to_data, from_data, from_byte_length);
+    memset(to_data + from_byte_length, 0, new_byte_length - from_byte_length);
+  }
 
   // 13. Perform ? DetachArrayBuffer(O).
   array_buffer->Detach();

test/test262/test262.status

@@ -1426,9 +1426,6 @@
 ['system == windows', {
   # https://crbug.com/856119
   'intl402/DateTimeFormat/prototype/resolvedOptions/basic': [SKIP],
-
-  # https://crbug.com/v8/13066
-  'built-ins/ArrayBuffer/prototype/transfer/from-resizable-to-larger': [PASS, ['arch == ia32', FAIL]],
 }],  # system == windows
 
 ################################################################################