v8
diff --git a/‎include/v8-typed-array.h
+97-7 b/‎include/v8-typed-array.h
+97-7
diff --git a/‎src/api/api.cc
+3-5 b/‎src/api/api.cc
+3-5
diff --git a/‎src/builtins/base.tq
-2 b/‎src/builtins/base.tq
-2
diff --git a/‎src/builtins/builtins-arraybuffer.cc
+3-8 b/‎src/builtins/builtins-arraybuffer.cc
+3-8
diff --git a/‎src/builtins/typed-array-createtypedarray.tq
+1-2 b/‎src/builtins/typed-array-createtypedarray.tq
+1-2
diff --git a/‎src/builtins/typed-array.tq
+2-5 b/‎src/builtins/typed-array.tq
+2-5
diff --git a/‎src/codegen/code-stub-assembler.cc
+1-1 b/‎src/codegen/code-stub-assembler.cc
+1-1
diff --git a/‎src/common/globals.h
+1 b/‎src/common/globals.h
+1
diff --git a/‎src/compiler/type-cache.h
+2-2 b/‎src/compiler/type-cache.h
+2-2
diff --git a/‎src/diagnostics/objects-debug.cc
+1-1 b/‎src/diagnostics/objects-debug.cc
+1-1
diff --git a/‎src/heap/factory.cc
+2-4 b/‎src/heap/factory.cc
+2-4
diff --git a/‎src/objects/js-array-buffer.h
+2-4 b/‎src/objects/js-array-buffer.h
+2-4
diff --git a/‎src/runtime/runtime-debug.cc
+2-5 b/‎src/runtime/runtime-debug.cc
+2-5
diff --git a/‎src/runtime/runtime-test.cc
-8 b/‎src/runtime/runtime-test.cc
-8
diff --git a/‎src/runtime/runtime.h
+1-2 b/‎src/runtime/runtime.h
+1-2
@@ -5,27 +5,40 @@
 #ifndef INCLUDE_V8_TYPED_ARRAY_H_
 #define INCLUDE_V8_TYPED_ARRAY_H_
 
+#include <limits>
+
 #include "v8-array-buffer.h"  // NOLINT(build/include_directory)
 #include "v8-local-handle.h"  // NOLINT(build/include_directory)
 #include "v8config.h"         // NOLINT(build/include_directory)
 
 namespace v8 {
 
-class SharedArrayBuffer;
-
 /**
  * A base class for an instance of TypedArray series of constructors
  * (ES6 draft 15.13.6).
  */
 class V8_EXPORT TypedArray : public ArrayBufferView {
  public:
   /*
-   * The largest typed array size that can be constructed using New.
+   * The largest supported typed array byte size. Each subclass defines a
+   * type-specific kMaxLength for the maximum length that can be passed to New.
    */
-  static constexpr size_t kMaxLength =
-      internal::kApiSystemPointerSize == 4
-          ? internal::kSmiMaxValue
-          : static_cast<size_t>(uint64_t{1} << 32);
+#if V8_ENABLE_SANDBOX
+  static constexpr size_t kMaxByteLength =
+      internal::kMaxSafeBufferSizeForSandbox;
+#elif V8_HOST_ARCH_32_BIT
+  static constexpr size_t kMaxByteLength = std::numeric_limits<int>::max();
+#else
+  // The maximum safe integer (2^53 - 1).
+  static constexpr size_t kMaxByteLength =
+      static_cast<size_t>((uint64_t{1} << 53) - 1);
+#endif
+
+  /*
+   * Deprecated: Use |kMaxByteLength| or the type-specific |kMaxLength| fields.
+   */
+  V8_DEPRECATE_SOON("Use kMaxByteLength")
+  static constexpr size_t kMaxLength = kMaxByteLength;
 
   /**
    * Number of elements in this typed array
@@ -50,6 +63,13 @@ class V8_EXPORT TypedArray : public ArrayBufferView {
  */
 class V8_EXPORT Uint8Array : public TypedArray {
  public:
+  /*
+   * The largest Uint8Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(uint8_t);
+  static_assert(sizeof(uint8_t) == 1);
+
   static Local<Uint8Array> New(Local<ArrayBuffer> array_buffer,
                                size_t byte_offset, size_t length);
   static Local<Uint8Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -71,6 +91,13 @@ class V8_EXPORT Uint8Array : public TypedArray {
  */
 class V8_EXPORT Uint8ClampedArray : public TypedArray {
  public:
+  /*
+   * The largest Uint8ClampedArray size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(uint8_t);
+  static_assert(sizeof(uint8_t) == 1);
+
   static Local<Uint8ClampedArray> New(Local<ArrayBuffer> array_buffer,
                                       size_t byte_offset, size_t length);
   static Local<Uint8ClampedArray> New(
@@ -93,6 +120,13 @@ class V8_EXPORT Uint8ClampedArray : public TypedArray {
  */
 class V8_EXPORT Int8Array : public TypedArray {
  public:
+  /*
+   * The largest Int8Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(int8_t);
+  static_assert(sizeof(int8_t) == 1);
+
   static Local<Int8Array> New(Local<ArrayBuffer> array_buffer,
                               size_t byte_offset, size_t length);
   static Local<Int8Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -114,6 +148,13 @@ class V8_EXPORT Int8Array : public TypedArray {
  */
 class V8_EXPORT Uint16Array : public TypedArray {
  public:
+  /*
+   * The largest Uint16Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(uint16_t);
+  static_assert(sizeof(uint16_t) == 2);
+
   static Local<Uint16Array> New(Local<ArrayBuffer> array_buffer,
                                 size_t byte_offset, size_t length);
   static Local<Uint16Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -135,6 +176,13 @@ class V8_EXPORT Uint16Array : public TypedArray {
  */
 class V8_EXPORT Int16Array : public TypedArray {
  public:
+  /*
+   * The largest Int16Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(int16_t);
+  static_assert(sizeof(int16_t) == 2);
+
   static Local<Int16Array> New(Local<ArrayBuffer> array_buffer,
                                size_t byte_offset, size_t length);
   static Local<Int16Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -156,6 +204,13 @@ class V8_EXPORT Int16Array : public TypedArray {
  */
 class V8_EXPORT Uint32Array : public TypedArray {
  public:
+  /*
+   * The largest Uint32Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(uint32_t);
+  static_assert(sizeof(uint32_t) == 4);
+
   static Local<Uint32Array> New(Local<ArrayBuffer> array_buffer,
                                 size_t byte_offset, size_t length);
   static Local<Uint32Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -177,6 +232,13 @@ class V8_EXPORT Uint32Array : public TypedArray {
  */
 class V8_EXPORT Int32Array : public TypedArray {
  public:
+  /*
+   * The largest Int32Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(int32_t);
+  static_assert(sizeof(int32_t) == 4);
+
   static Local<Int32Array> New(Local<ArrayBuffer> array_buffer,
                                size_t byte_offset, size_t length);
   static Local<Int32Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -198,6 +260,13 @@ class V8_EXPORT Int32Array : public TypedArray {
  */
 class V8_EXPORT Float32Array : public TypedArray {
  public:
+  /*
+   * The largest Float32Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(float);
+  static_assert(sizeof(float) == 4);
+
   static Local<Float32Array> New(Local<ArrayBuffer> array_buffer,
                                  size_t byte_offset, size_t length);
   static Local<Float32Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -219,6 +288,13 @@ class V8_EXPORT Float32Array : public TypedArray {
  */
 class V8_EXPORT Float64Array : public TypedArray {
  public:
+  /*
+   * The largest Float64Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(double);
+  static_assert(sizeof(double) == 8);
+
   static Local<Float64Array> New(Local<ArrayBuffer> array_buffer,
                                  size_t byte_offset, size_t length);
   static Local<Float64Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -240,6 +316,13 @@ class V8_EXPORT Float64Array : public TypedArray {
  */
 class V8_EXPORT BigInt64Array : public TypedArray {
  public:
+  /*
+   * The largest BigInt64Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(int64_t);
+  static_assert(sizeof(int64_t) == 8);
+
   static Local<BigInt64Array> New(Local<ArrayBuffer> array_buffer,
                                   size_t byte_offset, size_t length);
   static Local<BigInt64Array> New(Local<SharedArrayBuffer> shared_array_buffer,
@@ -261,6 +344,13 @@ class V8_EXPORT BigInt64Array : public TypedArray {
  */
 class V8_EXPORT BigUint64Array : public TypedArray {
  public:
+  /*
+   * The largest BigUint64Array size that can be constructed using New.
+   */
+  static constexpr size_t kMaxLength =
+      TypedArray::kMaxByteLength / sizeof(uint64_t);
+  static_assert(sizeof(uint64_t) == 8);
+
   static Local<BigUint64Array> New(Local<ArrayBuffer> array_buffer,
                                    size_t byte_offset, size_t length);
   static Local<BigUint64Array> New(Local<SharedArrayBuffer> shared_array_buffer,
 
@@ -4238,8 +4238,6 @@ void v8::ArrayBufferView::CheckCast(Value* that) {
                   "Value is not an ArrayBufferView");
 }
 
-constexpr size_t v8::TypedArray::kMaxLength;
-
 void v8::TypedArray::CheckCast(Value* that) {
   i::Handle<i::Object> obj = Utils::OpenHandle(that);
   Utils::ApiCheck(i::IsJSTypedArray(*obj), "v8::TypedArray::Cast()",
@@ -8990,9 +8988,9 @@ size_t v8::TypedArray::Length() {
   return obj->WasDetached() ? 0 : obj->GetLength();
 }
 
-static_assert(
-    v8::TypedArray::kMaxLength == i::JSTypedArray::kMaxLength,
-    "v8::TypedArray::kMaxLength must match i::JSTypedArray::kMaxLength");
+static_assert(v8::TypedArray::kMaxByteLength == i::JSTypedArray::kMaxByteLength,
+              "v8::TypedArray::kMaxByteLength must match "
+              "i::JSTypedArray::kMaxByteLength");
 
 #define TYPED_ARRAY_NEW(Type, type, TYPE, ctype)                            \
   Local<Type##Array> Type##Array::New(Local<ArrayBuffer> array_buffer,      \
 
@@ -487,8 +487,6 @@ extern enum PropertyAttributes extends int31 {
 
 const kArrayBufferMaxByteLength:
     constexpr uintptr generates 'JSArrayBuffer::kMaxByteLength';
-const kTypedArrayMaxLength:
-    constexpr uintptr generates 'JSTypedArray::kMaxLength';
 const kMaxTypedArrayInHeap:
     constexpr int31 generates 'JSTypedArray::kMaxSizeInHeap';
 // CSA does not support 64-bit types on 32-bit platforms so as a workaround the
 
@@ -73,15 +73,10 @@ Tagged<Object> ConstructBuffer(Isolate* isolate, Handle<JSFunction> target,
         BackingStore::Allocate(isolate, byte_length, shared, initialized);
     max_byte_length = byte_length;
   } else {
-    // We need to check the max length against both
-    // JSArrayBuffer::kMaxByteLength and JSTypedArray::kMaxLength, since it's
-    // possible to create length-tracking TypedArrays and resize the underlying
-    // buffer. If the max byte length was larger than JSTypedArray::kMaxLength,
-    // that'd result in having a TypedArray with length larger than
-    // JSTypedArray::kMaxLength.
+    static_assert(JSArrayBuffer::kMaxByteLength ==
+                  JSTypedArray::kMaxByteLength);
     if (!TryNumberToSize(*max_length, &max_byte_length) ||
-        max_byte_length > JSArrayBuffer::kMaxByteLength ||
-        max_byte_length > JSTypedArray::kMaxLength) {
+        max_byte_length > JSArrayBuffer::kMaxByteLength) {
       THROW_NEW_ERROR_RETURN_FAILURE(
           isolate,
           NewRangeError(MessageTemplate::kInvalidArrayBufferMaxLength));
 
@@ -297,8 +297,7 @@ transitioning macro ConstructByArrayBuffer(
         if (bufferByteLength < offset) goto IfInvalidOffset;
 
         newByteLength = bufferByteLength - offset;
-        newLength = elementsInfo.CalculateLength(newByteLength)
-            otherwise IfInvalidLength;
+        newLength = elementsInfo.CalculateLength(newByteLength);
       } else {
         // b. Else,
         //   i. Let newByteLength be newLength × elementSize.
 
@@ -25,7 +25,6 @@ type RabGsabUint8Elements extends ElementsKind;
 struct TypedArrayElementsInfo {
   // Calculates the number of bytes required for specified number of elements.
   macro CalculateByteLength(length: uintptr): uintptr labels IfInvalid {
-    if (length > kTypedArrayMaxLength) goto IfInvalid;
     const maxArrayLength = kArrayBufferMaxByteLength >>> this.sizeLog2;
     if (length > maxArrayLength) goto IfInvalid;
     const byteLength = length << this.sizeLog2;
@@ -34,10 +33,8 @@ struct TypedArrayElementsInfo {
 
   // Calculates the maximum number of elements supported by a specified number
   // of bytes.
-  macro CalculateLength(byteLength: uintptr): uintptr labels IfInvalid {
-    const length = byteLength >>> this.sizeLog2;
-    if (length > kTypedArrayMaxLength) goto IfInvalid;
-    return length;
+  macro CalculateLength(byteLength: uintptr): uintptr {
+    return byteLength >>> this.sizeLog2;
   }
 
   // Determines if `bytes` (byte offset or length) cannot be evenly divided by
 
@@ -1720,7 +1720,7 @@ void CodeStubAssembler::StoreBoundedSizeToObject(TNode<HeapObject> object,
                                                  TNode<IntPtrT> offset,
                                                  TNode<UintPtrT> value) {
 #ifdef V8_ENABLE_SANDBOX
-  CSA_DCHECK(this, UintPtrLessThan(
+  CSA_DCHECK(this, UintPtrLessThanOrEqual(
                        value, IntPtrConstant(kMaxSafeBufferSizeForSandbox)));
   TNode<Uint64T> raw_value = ReinterpretCast<Uint64T>(value);
   TNode<Uint64T> shift_amount = Uint64Constant(kBoundedSizeShift);
 
@@ -1695,6 +1695,7 @@ constexpr uint64_t kHoleNanInt64 =
 
 // ES6 section 20.1.2.6 Number.MAX_SAFE_INTEGER
 constexpr uint64_t kMaxSafeIntegerUint64 = 9007199254740991;  // 2^53-1
+static_assert(kMaxSafeIntegerUint64 == (uint64_t{1} << 53) - 1);
 constexpr double kMaxSafeInteger = static_cast<double>(kMaxSafeIntegerUint64);
 // ES6 section 21.1.2.8 Number.MIN_SAFE_INTEGER
 constexpr double kMinSafeInteger = -kMaxSafeInteger;
 
@@ -124,9 +124,9 @@ class V8_EXPORT_PRIVATE TypeCache final {
   Type const kJSArrayBufferViewByteOffsetType = kJSArrayBufferByteLengthType;
 
   // The JSTypedArray::length property always contains an untagged number in
-  // the range [0, JSTypedArray::kMaxLength].
+  // the range [0, JSTypedArray::kMaxByteLength].
   Type const kJSTypedArrayLengthType =
-      CreateRange(0.0, JSTypedArray::kMaxLength);
+      CreateRange(0.0, JSTypedArray::kMaxByteLength);
 
   // The String::length property always contains a smi in the range
   // [0, String::kMaxLength].
 
@@ -1817,7 +1817,7 @@ void JSArrayBufferView::JSArrayBufferViewVerify(Isolate* isolate) {
 
 void JSTypedArray::JSTypedArrayVerify(Isolate* isolate) {
   TorqueGeneratedClassVerifiers::JSTypedArrayVerify(*this, isolate);
-  CHECK_LE(GetLength(), JSTypedArray::kMaxLength);
+  CHECK_LE(GetLength(), JSTypedArray::kMaxByteLength / element_size());
 }
 
 void JSDataView::JSDataViewVerify(Isolate* isolate) {
 
@@ -3241,12 +3241,10 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(ExternalArrayType type,
     length = 0;
   }
 
+  CHECK_LE(length, JSTypedArray::kMaxByteLength / element_size);
+  CHECK_EQ(0, byte_offset % element_size);
   size_t byte_length = length * element_size;
 
-  CHECK_LE(length, JSTypedArray::kMaxLength);
-  CHECK_EQ(length, byte_length / element_size);
-  CHECK_EQ(0, byte_offset % ElementsKindToByteSize(elements_kind));
-
   Handle<JSTypedArray> typed_array =
       Handle<JSTypedArray>::cast(NewJSArrayBufferView(
           map, empty_byte_array(), buffer, byte_offset, byte_length));
 
@@ -279,10 +279,8 @@ class JSArrayBufferView
 class JSTypedArray
     : public TorqueGeneratedJSTypedArray<JSTypedArray, JSArrayBufferView> {
  public:
-  // TODO(v8:4153): This should be equal to JSArrayBuffer::kMaxByteLength
-  // eventually.
-  static constexpr size_t kMaxLength = v8::TypedArray::kMaxLength;
-  static_assert(kMaxLength <= JSArrayBuffer::kMaxByteLength);
+  static constexpr size_t kMaxByteLength = JSArrayBuffer::kMaxByteLength;
+  static_assert(kMaxByteLength == v8::TypedArray::kMaxByteLength);
 
   // [length]: length of typed array in elements.
   DECL_PRIMITIVE_GETTER(length, size_t)
 
@@ -324,10 +324,8 @@ MaybeHandle<JSArray> Runtime::GetInternalProperties(Isolate* isolate,
           isolate->factory()->true_value());
     } else {
       const size_t byte_length = js_array_buffer->byte_length();
-      // TODO(v8:4153): Remove this code once the maximum lengths are equal (and
-      // add a static assertion that it stays that way).
-      static_assert(JSTypedArray::kMaxLength < JSArrayBuffer::kMaxByteLength);
-      CHECK_LE(byte_length, JSArrayBuffer::kMaxByteLength);
+      static_assert(JSTypedArray::kMaxByteLength ==
+                    JSArrayBuffer::kMaxByteLength);
       using DataView = std::tuple<const char*, ExternalArrayType, size_t>;
       for (auto [name, type, elem_size] :
            {DataView{"[[Int8Array]]", kExternalInt8Array, 1},
@@ -336,7 +334,6 @@ MaybeHandle<JSArray> Runtime::GetInternalProperties(Isolate* isolate,
             DataView{"[[Int32Array]]", kExternalInt32Array, 4}}) {
         if ((byte_length % elem_size) != 0) continue;
         size_t length = byte_length / elem_size;
-        if (length > JSTypedArray::kMaxLength) continue;
         result =
             ArrayList::Add(isolate, result,
                            isolate->factory()->NewStringFromAsciiChecked(name),
 
@@ -1880,14 +1880,6 @@ RUNTIME_FUNCTION(Runtime_ArrayBufferMaxByteLength) {
   return *isolate->factory()->NewNumber(JSArrayBuffer::kMaxByteLength);
 }
 
-RUNTIME_FUNCTION(Runtime_TypedArrayMaxLength) {
-  HandleScope shs(isolate);
-  if (args.length() != 0) {
-    return CrashUnlessFuzzing(isolate);
-  }
-  return *isolate->factory()->NewNumber(JSTypedArray::kMaxLength);
-}
-
 RUNTIME_FUNCTION(Runtime_CompleteInobjectSlackTracking) {
   HandleScope scope(isolate);
   if (args.length() != 1) {
 
@@ -301,8 +301,7 @@ namespace internal {
   F(NumberToStringSlow, 1, 1)            \
   F(StringParseFloat, 1, 1)              \
   F(StringParseInt, 2, 1)                \
-  F(StringToNumber, 1, 1)                \
-  F(TypedArrayMaxLength, 0, 1)
+  F(StringToNumber, 1, 1)
 
 #define FOR_EACH_INTRINSIC_OBJECT(F, I)                                \
   F(AddDictionaryProperty, 3, 1)                                       \
Original file line number	Diff line number	Diff line change
`@@ -1817,7 +1817,7 @@ void JSArrayBufferView::JSArrayBufferViewVerify(Isolate* isolate) {`
`1817`	`1817`
`1818`	`1818`	`void JSTypedArray::JSTypedArrayVerify(Isolate* isolate) {`
`1819`	`1819`	`TorqueGeneratedClassVerifiers::JSTypedArrayVerify(*this, isolate);`
`1820`		`- CHECK_LE(GetLength(), JSTypedArray::kMaxLength);`
	`1820`	`+ CHECK_LE(GetLength(), JSTypedArray::kMaxByteLength / element_size());`
`1821`	`1821`	`}`
`1822`	`1822`
`1823`	`1823`	`void JSDataView::JSDataViewVerify(Isolate* isolate) {`