v8
diff --git a/‎src/builtins/typed-array-createtypedarray.tq‎
Lines changed: 9 additions & 4 deletions b/‎src/builtins/typed-array-createtypedarray.tq‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎src/codegen/code-stub-assembler.cc‎
Lines changed: 21 additions & 39 deletions b/‎src/codegen/code-stub-assembler.cc‎
Lines changed: 21 additions & 39 deletions
diff --git a/‎src/codegen/code-stub-assembler.h‎
Lines changed: 4 additions & 1 deletion b/‎src/codegen/code-stub-assembler.h‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎src/compiler/access-builder.cc‎
Lines changed: 16 additions & 0 deletions b/‎src/compiler/access-builder.cc‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/compiler/access-builder.h‎
Lines changed: 3 additions & 0 deletions b/‎src/compiler/access-builder.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/compiler/graph-assembler.cc‎
Lines changed: 2 additions & 10 deletions b/‎src/compiler/graph-assembler.cc‎
Lines changed: 2 additions & 10 deletions
diff --git a/‎src/compiler/heap-refs.cc‎
Lines changed: 2 additions & 2 deletions b/‎src/compiler/heap-refs.cc‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/compiler/heap-refs.h‎
Lines changed: 1 addition & 1 deletion b/‎src/compiler/heap-refs.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/compiler/js-call-reducer.cc‎
Lines changed: 9 additions & 30 deletions b/‎src/compiler/js-call-reducer.cc‎
Lines changed: 9 additions & 30 deletions
diff --git a/‎src/compiler/js-native-context-specialization.cc‎
Lines changed: 2 additions & 2 deletions b/‎src/compiler/js-native-context-specialization.cc‎
Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ extern runtime GrowableSharedArrayBufferByteLength(
 transitioning macro AllocateTypedArray(
     implicit context: Context)(isOnHeap: constexpr bool, map: Map,
     buffer: JSArrayBuffer, byteOffset: uintptr, byteLength: uintptr,
-    isLengthTracking: bool): JSTypedArray {
+    length: uintptr, isLengthTracking: bool): JSTypedArray {
   let elements: ByteArray;
   if constexpr (isOnHeap) {
     dcheck(!IsResizableArrayBuffer(buffer));
@@ -60,8 +60,10 @@ transitioning macro AllocateTypedArray(
     // Set the byte_length and length fields of length-tracking TAs to zero, so
     // that we won't accidentally use them and access invalid data.
     typedArray.byte_length = 0;
+    typedArray.length = 0;
   } else {
     typedArray.byte_length = byteLength;
+    typedArray.length = length;
   }
   typedArray.bit_field.is_length_tracking = isLengthTracking;
   typedArray.bit_field.is_backed_by_rab =
@@ -97,7 +99,8 @@ transitioning macro TypedArrayInitialize(
     const isOnHeap: constexpr bool = true;
     const isLengthTracking: constexpr bool = false;
     const typedArray = AllocateTypedArray(
-        isOnHeap, map, buffer, byteOffset, byteLength, isLengthTracking);
+        isOnHeap, map, buffer, byteOffset, byteLength, length,
+        isLengthTracking);
 
     if constexpr (initialize) {
       const backingStore = typedArray.data_ptr;
@@ -117,7 +120,8 @@ transitioning macro TypedArrayInitialize(
     const isOnHeap: constexpr bool = false;
     const isLengthTracking: constexpr bool = false;
     return AllocateTypedArray(
-        isOnHeap, map, buffer, byteOffset, byteLength, isLengthTracking);
+        isOnHeap, map, buffer, byteOffset, byteLength, length,
+        isLengthTracking);
   }
 }
 
@@ -311,7 +315,8 @@ transitioning macro ConstructByArrayBuffer(
 
     const isOnHeap: constexpr bool = false;
     return AllocateTypedArray(
-        isOnHeap, map, buffer, offset, newByteLength, isLengthTracking);
+        isOnHeap, map, buffer, offset, newByteLength, newLength,
+        isLengthTracking);
   } label IfInvalidAlignment(problemString: String) deferred {
     ThrowInvalidTypedArrayAlignment(map, problemString);
   } label IfInvalidLength deferred {
 
@@ -16547,11 +16547,12 @@ void CodeStubAssembler::StoreJSArrayBufferViewByteOffset(
 
 TNode<UintPtrT> CodeStubAssembler::LoadJSTypedArrayLength(
     TNode<JSTypedArray> typed_array) {
-  TNode<UintPtrT> byte_length = LoadBoundedSizeFromObject(
-      typed_array, JSTypedArray::kRawByteLengthOffset);
-  TNode<IntPtrT> element_size =
-      ElementsKindToElementByteSize(LoadElementsKind(typed_array));
-  return Unsigned(IntPtrDiv(Signed(byte_length), element_size));
+  return LoadBoundedSizeFromObject(typed_array, JSTypedArray::kRawLengthOffset);
+}
+
+void CodeStubAssembler::StoreJSTypedArrayLength(TNode<JSTypedArray> typed_array,
+                                                TNode<UintPtrT> value) {
+  StoreBoundedSizeToObject(typed_array, JSTypedArray::kRawLengthOffset, value);
 }
 
 TNode<UintPtrT> CodeStubAssembler::LoadJSTypedArrayLengthAndCheckDetached(
@@ -16589,7 +16590,7 @@ TNode<UintPtrT> CodeStubAssembler::LoadVariableLengthJSTypedArrayLength(
   TNode<UintPtrT> byte_length = LoadVariableLengthJSArrayBufferViewByteLength(
       array, buffer, detached_or_out_of_bounds);
   TNode<IntPtrT> element_size =
-      ElementsKindToElementByteSize(LoadElementsKind(array));
+      RabGsabElementsKindToElementByteSize(LoadElementsKind(array));
   return Unsigned(IntPtrDiv(Signed(byte_length), element_size));
 }
 
@@ -16745,7 +16746,7 @@ TNode<UintPtrT> CodeStubAssembler::LoadVariableLengthJSTypedArrayByteLength(
   TNode<UintPtrT> length =
       LoadVariableLengthJSTypedArrayLength(array, buffer, &miss);
   TNode<IntPtrT> element_size =
-      ElementsKindToElementByteSize(LoadElementsKind(array));
+      RabGsabElementsKindToElementByteSize(LoadElementsKind(array));
   // Conversion to signed is OK since length < JSArrayBuffer::kMaxByteLength.
   TNode<IntPtrT> byte_length = IntPtrMul(Signed(length), element_size);
   result = Unsigned(byte_length);
@@ -16759,44 +16760,25 @@ TNode<UintPtrT> CodeStubAssembler::LoadVariableLengthJSTypedArrayByteLength(
   return result.value();
 }
 
-TNode<IntPtrT> CodeStubAssembler::ElementsKindToElementByteSize(
+TNode<IntPtrT> CodeStubAssembler::RabGsabElementsKindToElementByteSize(
     TNode<Int32T> elements_kind) {
   TVARIABLE(IntPtrT, result);
   Label elements_8(this), elements_16(this), elements_32(this),
       elements_64(this), not_found(this), end(this);
-  int32_t elements_kinds[] = {UINT8_ELEMENTS,
-                              UINT8_CLAMPED_ELEMENTS,
-                              INT8_ELEMENTS,
-                              UINT16_ELEMENTS,
-                              INT16_ELEMENTS,
-                              FLOAT16_ELEMENTS,
-                              UINT32_ELEMENTS,
-                              INT32_ELEMENTS,
-                              FLOAT32_ELEMENTS,
-                              FLOAT64_ELEMENTS,
-                              BIGINT64_ELEMENTS,
-                              BIGUINT64_ELEMENTS,
-                              RAB_GSAB_UINT8_ELEMENTS,
-                              RAB_GSAB_UINT8_CLAMPED_ELEMENTS,
-                              RAB_GSAB_INT8_ELEMENTS,
-                              RAB_GSAB_UINT16_ELEMENTS,
-                              RAB_GSAB_INT16_ELEMENTS,
-                              RAB_GSAB_FLOAT16_ELEMENTS,
-                              RAB_GSAB_UINT32_ELEMENTS,
-                              RAB_GSAB_INT32_ELEMENTS,
-                              RAB_GSAB_FLOAT32_ELEMENTS,
-                              RAB_GSAB_FLOAT64_ELEMENTS,
-                              RAB_GSAB_BIGINT64_ELEMENTS,
-                              RAB_GSAB_BIGUINT64_ELEMENTS};
-  Label* elements_kind_labels[] = {
-      &elements_8,  &elements_8,  &elements_8,  &elements_16, &elements_16,
-      &elements_16, &elements_32, &elements_32, &elements_32, &elements_64,
-      &elements_64, &elements_64, &elements_8,  &elements_8,  &elements_8,
-      &elements_16, &elements_16, &elements_16, &elements_32, &elements_32,
-      &elements_32, &elements_64, &elements_64, &elements_64};
+  int32_t elements_kinds[] = {
+      RAB_GSAB_UINT8_ELEMENTS,    RAB_GSAB_UINT8_CLAMPED_ELEMENTS,
+      RAB_GSAB_INT8_ELEMENTS,     RAB_GSAB_UINT16_ELEMENTS,
+      RAB_GSAB_INT16_ELEMENTS,    RAB_GSAB_FLOAT16_ELEMENTS,
+      RAB_GSAB_UINT32_ELEMENTS,   RAB_GSAB_INT32_ELEMENTS,
+      RAB_GSAB_FLOAT32_ELEMENTS,  RAB_GSAB_FLOAT64_ELEMENTS,
+      RAB_GSAB_BIGINT64_ELEMENTS, RAB_GSAB_BIGUINT64_ELEMENTS};
+  Label* elements_kind_labels[] = {&elements_8,  &elements_8,  &elements_8,
+                                   &elements_16, &elements_16, &elements_16,
+                                   &elements_32, &elements_32, &elements_32,
+                                   &elements_64, &elements_64, &elements_64};
   const size_t kTypedElementsKindCount =
       LAST_RAB_GSAB_FIXED_TYPED_ARRAY_ELEMENTS_KIND -
-      FIRST_FIXED_TYPED_ARRAY_ELEMENTS_KIND + 1;
+      FIRST_RAB_GSAB_FIXED_TYPED_ARRAY_ELEMENTS_KIND + 1;
   DCHECK_EQ(kTypedElementsKindCount, arraysize(elements_kinds));
   DCHECK_EQ(kTypedElementsKindCount, arraysize(elements_kind_labels));
   Switch(elements_kind, &not_found, elements_kinds, elements_kind_labels,
 
@@ -4059,6 +4059,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
 
   // JSTypedArray helpers
   TNode<UintPtrT> LoadJSTypedArrayLength(TNode<JSTypedArray> typed_array);
+  void StoreJSTypedArrayLength(TNode<JSTypedArray> typed_array,
+                               TNode<UintPtrT> value);
   TNode<UintPtrT> LoadJSTypedArrayLengthAndCheckDetached(
       TNode<JSTypedArray> typed_array, Label* detached);
   // Helper for length tracking JSTypedArrays and JSTypedArrays backed by
@@ -4086,7 +4088,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
                               TNode<UintPtrT> index,
                               Label* detached_or_out_of_bounds);
 
-  TNode<IntPtrT> ElementsKindToElementByteSize(TNode<Int32T> elementsKind);
+  TNode<IntPtrT> RabGsabElementsKindToElementByteSize(
+      TNode<Int32T> elementsKind);
   TNode<RawPtrT> LoadJSTypedArrayDataPtr(TNode<JSTypedArray> typed_array);
   TNode<JSArrayBuffer> GetTypedArrayBuffer(TNode<Context> context,
                                            TNode<JSTypedArray> array);
 
@@ -546,6 +546,22 @@ FieldAccess AccessBuilder::ForJSArrayBufferViewBitField() {
   return access;
 }
 
+// static
+FieldAccess AccessBuilder::ForJSTypedArrayLength() {
+  FieldAccess access = {kTaggedBase,
+                        JSTypedArray::kRawLengthOffset,
+                        MaybeHandle<Name>(),
+                        OptionalMapRef(),
+                        TypeCache::Get()->kJSTypedArrayLengthType,
+                        MachineType::UintPtr(),
+                        kNoWriteBarrier,
+                        "JSTypedArrayLength"};
+#ifdef V8_ENABLE_SANDBOX
+  access.is_bounded_size_access = true;
+#endif
+  return access;
+}
+
 // static
 FieldAccess AccessBuilder::ForJSTypedArrayBasePointer() {
   FieldAccess access = {kTaggedBase,           JSTypedArray::kBasePointerOffset,
 
@@ -171,6 +171,9 @@ class V8_EXPORT_PRIVATE AccessBuilder final
   // Provides access to JSArrayBufferView::bitfield() field
   static FieldAccess ForJSArrayBufferViewBitField();
 
+  // Provides access to JSTypedArray::length() field.
+  static FieldAccess ForJSTypedArrayLength();
+
   // Provides access to JSTypedArray::byteLength() field.
   static FieldAccess ForJSTypedArrayByteLength() {
     return ForJSArrayBufferViewByteLength();
 
@@ -615,16 +615,8 @@ class ArrayBufferViewAccessBuilder {
     // Case 1: Normal (backed by AB/SAB) or non-length tracking backed by GSAB
     // (can't go oob once constructed)
     auto GsabFixedOrNormal = [&]() {
-      TNode<UintPtrT> byte_length = MachineLoadField<UintPtrT>(
-          AccessBuilder::ForJSArrayBufferViewByteLength(), view,
-          UseInfo::Word());
-
-      TNode<Map> typed_array_map = a.LoadField<Map>(
-          AccessBuilder::ForMap(WriteBarrierKind::kNoWriteBarrier), view);
-      TNode<Uint32T> elements_kind = a.LoadElementsKind(typed_array_map);
-      TNode<Uint32T> element_size =
-          a.LookupByteSizeForElementsKind(elements_kind);
-      return a.UintPtrDiv(byte_length, a.ChangeUint32ToUintPtr(element_size));
+      return MachineLoadField<UintPtrT>(AccessBuilder::ForJSTypedArrayLength(),
+                                        view, UseInfo::Word());
     };
 
     // If we statically know we cannot have rab/gsab backed, we can simply
 
@@ -1809,10 +1809,10 @@ bool JSTypedArrayRef::is_on_heap() const {
   return object()->is_on_heap(kAcquireLoad);
 }
 
-size_t JSTypedArrayRef::byte_length() const {
+size_t JSTypedArrayRef::length() const {
   CHECK(!is_on_heap());
   // Immutable after initialization.
-  return object()->byte_length();
+  return object()->length();
 }
 
 HeapObjectRef JSTypedArrayRef::buffer(JSHeapBroker* broker) const {
 
@@ -1186,7 +1186,7 @@ class JSTypedArrayRef : public JSObjectRef {
   IndirectHandle<JSTypedArray> object() const;
 
   bool is_on_heap() const;
-  size_t byte_length() const;
+  size_t length() const;
   void* data_ptr() const;
   HeapObjectRef buffer(JSHeapBroker* broker) const;
 };
 
@@ -6596,23 +6596,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
   // Load the length of the {iterated_object}. Due to the map checks we
   // already know something about the length here, which we can leverage
   // to generate Word32 operations below without additional checking.
-  Node* length;
-  if (IsTypedArrayElementsKind(elements_kind)) {
-    Node* byte_length = effect = graph()->NewNode(
-        simplified()->LoadField(AccessBuilder::ForJSTypedArrayByteLength()),
-        iterated_object, effect, control);
-    Node* byte_length_shifted = graph()->NewNode(
-        jsgraph()->machine()->WordShr(), byte_length,
-        jsgraph()->UintPtrConstant(ElementsKindToShiftSize(elements_kind)));
-    length = graph()->NewNode(
-        common()->ExitMachineGraph(MachineType::PointerRepresentation(),
-                                   TypeCache::Get()->kJSTypedArrayLengthType),
-        byte_length_shifted);
-  } else {
-    length = effect = graph()->NewNode(
-        simplified()->LoadField(AccessBuilder::ForJSArrayLength(elements_kind)),
-        iterated_object, effect, control);
-  }
+  FieldAccess length_access =
+      IsTypedArrayElementsKind(elements_kind)
+          ? AccessBuilder::ForJSTypedArrayLength()
+          : AccessBuilder::ForJSArrayLength(elements_kind);
+  Node* length = effect = graph()->NewNode(
+      simplified()->LoadField(length_access), iterated_object, effect, control);
 
   // Check whether {index} is within the valid range for the {iterated_object}.
   Node* check = graph()->NewNode(simplified()->NumberLessThan(), index, length);
@@ -7794,9 +7783,9 @@ Reduction JSCallReducer::ReduceTypedArrayPrototypeLength(Node* node) {
     Reduction unused_reduction = inference.NoChange();
     USE(unused_reduction);
     // Call default implementation for non-rab/gsab TAs.
-    return ReduceArrayBufferViewAccessor(
-        node, JS_TYPED_ARRAY_TYPE, AccessBuilder::ForJSTypedArrayByteLength(),
-        Builtin::kTypedArrayPrototypeLength);
+    return ReduceArrayBufferViewAccessor(node, JS_TYPED_ARRAY_TYPE,
+                                         AccessBuilder::ForJSTypedArrayLength(),
+                                         Builtin::kTypedArrayPrototypeLength);
   }
 
   if (!inference.RelyOnMapsViaStability(dependencies())) {
@@ -8382,16 +8371,6 @@ Reduction JSCallReducer::ReduceArrayBufferViewAccessor(
                                       BranchHint::kFalse);
   }
 
-  if (builtin == Builtin::kTypedArrayPrototypeLength) {
-    TNode<UintPtrT> byte_length = value;
-    // Divide the byte length by element size.
-    TNode<Map> map = a.LoadMap(TNode<HeapObject>::UncheckedCast(receiver));
-    TNode<Uint32T> elements_kind = a.LoadElementsKind(map);
-    TNode<Uint32T> shift = a.LookupByteShiftForElementsKind(elements_kind);
-    value = TNode<UintPtrT>::UncheckedCast(
-        a.WordShr(byte_length, a.ChangeUint32ToUintPtr(shift)));
-  }
-
   TNode<Number> result =
       a.ExitMachineGraph<Number>(value, MachineType::PointerRepresentation(),
                                  TypeCache::Get()->kJSTypedArrayLengthType);
 
@@ -3767,8 +3767,8 @@ JSNativeContextSpecialization::
       Node* dead = jsgraph_->Dead();
       return ValueEffectControl{dead, dead, dead};
     } else {
-      length = jsgraph()->ConstantNoHole(
-          typed_array->byte_length() >> ElementsKindToShiftSize(elements_kind));
+      length =
+          jsgraph()->ConstantNoHole(static_cast<double>(typed_array->length()));
 
       DCHECK(!typed_array->is_on_heap());
       // Load the (known) data pointer for the {receiver} and set
Original file line number	Diff line number	Diff line change
`@@ -1809,10 +1809,10 @@ bool JSTypedArrayRef::is_on_heap() const {`
`1809`	`1809`	`return object()->is_on_heap(kAcquireLoad);`
`1810`	`1810`	`}`
`1811`	`1811`
`1812`		`-size_t JSTypedArrayRef::byte_length() const {`
	`1812`	`+size_t JSTypedArrayRef::length() const {`
`1813`	`1813`	`CHECK(!is_on_heap());`
`1814`	`1814`	`// Immutable after initialization.`
`1815`		`- return object()->byte_length();`
	`1815`	`+ return object()->length();`
`1816`	`1816`	`}`
`1817`	`1817`
`1818`	`1818`	`HeapObjectRef JSTypedArrayRef::buffer(JSHeapBroker* broker) const {`