[typedarrays] Check detached buffer at start of typed array methods

src/compiler/js-intrinsic-lowering.cc

Index: src/compiler/js-intrinsic-lowering.cc
diff --git a/src/compiler/js-intrinsic-lowering.cc b/src/compiler/js-intrinsic-lowering.cc
index 954eaad18e66d301804ceebf393e54f1986aab6e..877a601f8485188afd2f13a2ed49b64014275e02 100644
--- a/src/compiler/js-intrinsic-lowering.cc
+++ b/src/compiler/js-intrinsic-lowering.cc
@@ -80,6 +80,8 @@ Reduction JSIntrinsicLowering::Reduce(Node* node) {
     case Runtime::kInlineArrayBufferViewGetByteOffset:
       return ReduceArrayBufferViewField(
           node, AccessBuilder::ForJSArrayBufferViewByteOffset());
+    case Runtime::kInlineArrayBufferViewWasNeutered:
+      return ReduceArrayBufferViewWasNeutered(node);
     case Runtime::kInlineMaxSmi:
       return ReduceMaxSmi(node);
     case Runtime::kInlineTypedArrayGetLength:
@@ -349,6 +351,22 @@ Reduction JSIntrinsicLowering::ReduceArrayBufferViewField(
   return Replace(value);
 }
 
+Reduction JSIntrinsicLowering::ReduceArrayBufferViewWasNeutered(Node* node) {
+  Node* receiver = NodeProperties::GetValueInput(node, 0);
+  Node* effect = NodeProperties::GetEffectInput(node);
+  Node* control = NodeProperties::GetControlInput(node);
+
+  // Check if the {receiver}s buffer was neutered.
+  Node* receiver_buffer = effect = graph()->NewNode(
+      simplified()->LoadField(AccessBuilder::ForJSArrayBufferViewBuffer()),
+      receiver, effect, control);
+  Node* value = effect = graph()->NewNode(
+      simplified()->ArrayBufferWasNeutered(), receiver_buffer, effect, control);
+
+  ReplaceWithValue(node, value, effect, control);
+  return Replace(value);
+}
+
 Reduction JSIntrinsicLowering::ReduceMaxSmi(Node* node) {
   Node* value = jsgraph()->Constant(Smi::kMaxValue);
   ReplaceWithValue(node, value);