[rab/gsab] Add more checks to elements.cc

Bug: v8:11111
Change-Id: I0c2c8c28f96723b3d586f1469ed4fdd0468c5c3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3576120Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79868}

src/objects/elements.cc

@@ -3144,7 +3144,7 @@ class TypedElementsAccessor
     Handle<JSTypedArray> typed_array = Handle<JSTypedArray>::cast(holder);
     Isolate* isolate = typed_array->GetIsolate();
     DCHECK_LT(entry.raw_value(), typed_array->GetLength());
-    DCHECK(!typed_array->WasDetached());
+    DCHECK(!typed_array->IsDetachedOrOutOfBounds());
     auto* element_ptr =
         static_cast<ElementType*>(typed_array->DataPtr()) + entry.raw_value();
     auto is_shared = typed_array->buffer().is_shared() ? kShared : kUnshared;
@@ -3300,7 +3300,7 @@ class TypedElementsAccessor
                                       Handle<Object> value, size_t start,
                                       size_t end) {
     Handle<JSTypedArray> typed_array = Handle<JSTypedArray>::cast(receiver);
-    DCHECK(!typed_array->WasDetached());
+    DCHECK(!typed_array->IsDetachedOrOutOfBounds());
     DCHECK_LE(start, end);
     DCHECK_LE(end, typed_array->GetLength());
     DisallowGarbageCollection no_gc;
@@ -3470,8 +3470,7 @@ class TypedElementsAccessor
     DisallowGarbageCollection no_gc;
     JSTypedArray typed_array = JSTypedArray::cast(*receiver);
 
-    DCHECK(!typed_array.WasDetached());
-    DCHECK(!typed_array.IsOutOfBounds());
+    DCHECK(!typed_array.IsDetachedOrOutOfBounds());
 
     ElementType typed_search_value;
 
@@ -3525,7 +3524,7 @@ class TypedElementsAccessor
     DisallowGarbageCollection no_gc;
     JSTypedArray typed_array = JSTypedArray::cast(receiver);
 
-    DCHECK(!typed_array.WasDetached());
+    DCHECK(!typed_array.IsDetachedOrOutOfBounds());
 
     size_t len = typed_array.GetLength();
     if (len == 0) return;
@@ -3570,8 +3569,8 @@ class TypedElementsAccessor
                                               size_t start, size_t end) {
     DisallowGarbageCollection no_gc;
     DCHECK_EQ(destination.GetElementsKind(), AccessorClass::kind());
-    CHECK(!source.WasDetached());
-    CHECK(!destination.WasDetached());
+    CHECK(!source.IsDetachedOrOutOfBounds());
+    CHECK(!destination.IsDetachedOrOutOfBounds());
     DCHECK_LE(start, end);
     DCHECK_LE(end, source.GetLength());
     size_t count = end - start;
@@ -3636,8 +3635,8 @@ class TypedElementsAccessor
     // side-effects, as the source elements will always be a number.
     DisallowGarbageCollection no_gc;
 
-    CHECK(!source.WasDetached());
-    CHECK(!destination.WasDetached());
+    CHECK(!source.IsDetachedOrOutOfBounds());
+    CHECK(!destination.IsDetachedOrOutOfBounds());
 
     DCHECK_LE(offset, destination.GetLength());
     DCHECK_LE(length, destination.GetLength() - offset);
@@ -3744,7 +3743,7 @@ class TypedElementsAccessor
 
     CHECK(!destination.WasDetached());
     bool out_of_bounds = false;
-    CHECK(destination.GetLengthOrOutOfBounds(out_of_bounds) >= length);
+    CHECK_GE(destination.GetLengthOrOutOfBounds(out_of_bounds), length);
     CHECK(!out_of_bounds);
 
     size_t current_length;

src/objects/js-array-buffer-inl.h

@@ -245,6 +245,15 @@ bool JSTypedArray::IsOutOfBounds() const {
   return out_of_bounds;
 }
 
+bool JSTypedArray::IsDetachedOrOutOfBounds() const {
+  if (WasDetached()) {
+    return true;
+  }
+  bool out_of_bounds = false;
+  GetLengthOrOutOfBounds(out_of_bounds);
+  return out_of_bounds;
+}
+
 size_t JSTypedArray::length() const {
   DCHECK(!is_length_tracking());
   DCHECK(!is_backed_by_rab());

src/objects/js-array-buffer.h

@@ -305,6 +305,7 @@ class JSTypedArray
   inline size_t GetLength() const;
   inline size_t GetByteLength() const;
   inline bool IsOutOfBounds() const;
+  inline bool IsDetachedOrOutOfBounds() const;
 
   static size_t LengthTrackingGsabBackedTypedArrayLength(Isolate* isolate,
                                                          Address raw_array);