Bug 1291003 only fixed the case when detaching the ArrayBuffer through side-effects when already in subarray. It didn't fix the case when subarray is called with an already detached ArrayBuffer:

let ab = new ArrayBuffer(16);
let ta = new Int32Array(ab, 4);

ta.constructor = {
  [Symbol.species]: function(buffer, byteOffset, length) {
    assertEq(byteOffset, 4);
    return new Int32Array(0);
  }
};

detachArrayBuffer(ab);

ta.subarray();

NOTE: [[ArrayLength]] is actually also wrong, but https://tc39.es/proposal-resizablearraybuffer/#sec-%typedarray%.prototype.subarray will change this to match our current behaviour.

JSC also sets [[ByteOffset]] to zero, only V8 keeps its original value.

We should maybe try to change the spec to insert a call to ValidateTypedArray at the start of subarray, because this issue is only observable when @@species is used. When the species constructor isn't overridden, TypedArrayCreate will throw a TypeError for detached buffers when it calls ValidateTypedArray.