Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have
uninitialized internal fields, which lead to crashes in layout tests when
Blink tried to read those fields.

For array buffers, JSArrayBuffer::Setup is responsible for this logic
(as well as initializing the V8 fields); this is similar to that.

The runtime already seems to correctly initialize these for script-created
array buffer views as well, which is why this issue was not detected sooner.

Committed: https://crrev.com/879f6599eee6e1dfcbe9a24bf688b261c03e9558
Cr-Commit-Position: refs/heads/master@{#41014}

[jbroman, 2016-11-15 16:15:01]

The CQ bit was checked by jbroman@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-15 16:15:08]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jbroman, 2016-11-15 16:16:27]

Description was changed from

==========
Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have
uninitialized internal fields, which lead to crashes in layout tests when
Blink tried to read those fields.
==========

to

==========
Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have
uninitialized internal fields, which lead to crashes in layout tests when
Blink tried to read those fields.

For array buffers, JSArrayBuffer::Setup is responsible for this logic
(as well as initializing the V8 fields); this is similar to that.

The runtime already seems to correctly initialize these for script-created
array buffer views as well, which is why this issue was not detected sooner.
==========

[commit-bot: I haz the power, 2016-11-15 16:42:41]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-15 16:42:41]

Dry run: This issue passed the CQ dry run.

[jbroman, 2016-11-15 16:49:33]

The CQ bit was checked by jbroman@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-15 16:49:39]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jbroman, 2016-11-15 16:52:57]

jbroman@chromium.org changed reviewers:
+ jkummerow@chromium.org

[jbroman, 2016-11-15 16:52:58]

Without this patch, the tests fail with

#
# Fatal error in v8::Object::GetAlignedPointerFromInternalField()
# Not a Smi
#

Which is the same failure I see in Blink (but this test reproduces the issue
more directly).

[commit-bot: I haz the power, 2016-11-15 17:14:23]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-15 17:14:24]

Dry run: This issue passed the CQ dry run.

[Jakob Kummerow, 2016-11-15 22:39:07]

lgtm

[jbroman, 2016-11-15 22:40:16]

The CQ bit was checked by jbroman@chromium.org

[commit-bot: I haz the power, 2016-11-15 22:40:28]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-15 22:42:59]

Committed patchset #2 (id:20001)

[commit-bot: I haz the power, 2016-11-17 22:35:16]

Description was changed from

==========
Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have
uninitialized internal fields, which lead to crashes in layout tests when
Blink tried to read those fields.

For array buffers, JSArrayBuffer::Setup is responsible for this logic
(as well as initializing the V8 fields); this is similar to that.

The runtime already seems to correctly initialize these for script-created
array buffer views as well, which is why this issue was not detected sooner.
==========

to

==========
Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have
uninitialized internal fields, which lead to crashes in layout tests when
Blink tried to read those fields.

For array buffers, JSArrayBuffer::Setup is responsible for this logic
(as well as initializing the V8 fields); this is similar to that.

The runtime already seems to correctly initialize these for script-created
array buffer views as well, which is why this issue was not detected sooner.

Committed: https://crrev.com/879f6599eee6e1dfcbe9a24bf688b261c03e9558
Cr-Commit-Position: refs/heads/master@{#41014}
==========

[commit-bot: I haz the power, 2016-11-17 22:35:17]

Patchset 2 (id:??) landed as
https://crrev.com/879f6599eee6e1dfcbe9a24bf688b261c03e9558
Cr-Commit-Position: refs/heads/master@{#41014}