deps: V8: cherry-pick c5ff7c4d6cde

Original commit message:

    [builtins] disallow ArrayBuffer transfer with a detach key

    This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on
    an arraybuffer that is not detachable. This also fix the check on
    `ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`.

    Refs: #61362
    Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach
    Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288
    Commit-Queue: Chengzhong Wu <cwu631@bloomberg.net>
    Reviewed-by: Olivier Flückiger <olivf@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#104697}

Refs: v8/v8@c5ff7c4

Author: legendecas

common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.10',
+    'v8_embedder_string': '-node.11',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/builtins/builtins-arraybuffer.cc

@@ -638,7 +638,8 @@ Tagged<Object> ArrayBufferTransfer(Isolate* isolate,
   // 8. If arrayBuffer.[[ArrayBufferDetachKey]] is not undefined, throw a
   //     TypeError exception.
 
-  if (!array_buffer->is_detachable()) {
+  if (!IsUndefined(array_buffer->detach_key()) ||
+      !array_buffer->is_detachable()) {
     THROW_NEW_ERROR_RETURN_FAILURE(
         isolate,
         NewTypeError(MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer));

deps/v8/test/mjsunit/array-buffer-transfer-detach-key.js

@@ -0,0 +1,22 @@
+// Copyright 2026 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function TestTransferSucceeds() {
+  const ab = new ArrayBuffer(100);
+  %ArrayBufferSetDetachKey(ab, undefined);
+  ab.transfer();
+  assertEquals(0, ab.byteLength);  // Detached.
+}
+
+function TestTransferFails() {
+  const ab = new ArrayBuffer(100);
+  %ArrayBufferSetDetachKey(ab, Symbol());
+  assertThrows(() => { ab.transfer(); }, TypeError);
+  assertEquals(100, ab.byteLength);  // Not detached.
+}
+
+TestTransferSucceeds();
+TestTransferFails();

deps/v8/test/unittests/BUILD.gn

@@ -263,6 +263,7 @@ v8_source_set("v8_unittests_sources") {
     "api/remote-object-unittest.cc",
     "api/resource-constraints-unittest.cc",
     "api/smi-tagging-unittest.cc",
+    "api/v8-array-buffer-unittest.cc",
     "api/v8-array-unittest.cc",
     "api/v8-maybe-unittest.cc",
     "api/v8-memory-span-unittest.cc",

deps/v8/test/unittests/api/v8-array-buffer-unittest.cc

@@ -0,0 +1,40 @@
+// Copyright 2026 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "include/v8-array-buffer.h"
+
+#include "test/unittests/test-utils.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace v8 {
+namespace {
+
+using ArrayBufferTest = TestWithContext;
+
+TEST_F(ArrayBufferTest, TransferWithDetachKey) {
+  Local<ArrayBuffer> ab = ArrayBuffer::New(isolate(), 1);
+  Local<Value> key = Symbol::New(isolate());
+  ab->SetDetachKey(key);
+  Local<Object> global = context()->Global();
+  Local<String> property_name =
+      String::NewFromUtf8Literal(isolate(), "test_ab");
+  global->Set(context(), property_name, ab).ToChecked();
+
+  {
+    TryCatch try_catch(isolate());
+    CHECK(TryRunJS("globalThis.test_ab.transfer()").IsEmpty());
+  }
+
+  // Didnot transfer.
+  EXPECT_EQ(ab->ByteLength(), 1u);
+
+  ab->SetDetachKey(Undefined(isolate()));
+  RunJS("globalThis.test_ab.transfer()");
+
+  // Transferred.
+  EXPECT_EQ(ab->ByteLength(), 0u);
+}
+
+}  // namespace
+}  // namespace v8