[sandbox] Add ApiCheck in v8::ArrayBuffer::NewBackingStore

Previously, when embedders attempted to create ArrayBuffers backed by
memory outside the sandbox, V8 would simply crash with a failed CHECK
when converting the raw backing store pointer into a SandboxedPointer.
The new ApiCheck now provides a better error message in that case.

Bug: chromium:1218005
Change-Id: I7a1ad8cbf07fa346b1f09521850df9b18b428427
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711882Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81254}

src/api/api.cc

@@ -8002,6 +8002,15 @@ std::unique_ptr<v8::BackingStore> v8::ArrayBuffer::NewBackingStore(
     void* data, size_t byte_length, v8::BackingStore::DeleterCallback deleter,
     void* deleter_data) {
   CHECK_LE(byte_length, i::JSArrayBuffer::kMaxByteLength);
+#ifdef V8_ENABLE_SANDBOX
+  Utils::ApiCheck(
+      !data || i::GetProcessWideSandbox()->Contains(data),
+      "v8_ArrayBuffer_NewBackingStore",
+      "When the V8 Sandbox is enabled, ArrayBuffer backing stores must be "
+      "allocated inside the sandbox address space. Please use an appropriate "
+      "ArrayBuffer::Allocator to allocate these buffers.");
+#endif  // V8_ENABLE_SANDBOX
+
   std::unique_ptr<i::BackingStoreBase> backing_store =
       i::BackingStore::WrapAllocation(data, byte_length, deleter, deleter_data,
                                       i::SharedFlag::kNotShared);