AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
cd34523b9b
v8/test/mjsunit/regress/regress-crbug-9161.js

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

60 lines
1.6 KiB
JavaScript
Raw Normal View History

Reland "[typedarray] Fix crash when sorting SharedArrayBuffers" This is a reland of 3d846115d6b7d1a680cad775ff3c6f0ca1768451 Reland changes mjsunit.status to skip the regression test on all bots except ASAN. Original change's description: > [typedarray] Fix crash when sorting SharedArrayBuffers > > TypedArray#sort has a fast-path when the user does not provide a > comparison function. This fast-path utilizes std::sort which operates > directly on the raw data. Per spec, std::sort requires the "less than" > operation to be anti-symmetric and transitive. > > When sorting SharedArrayBuffers (SAB) that are concurrently modified during > sorting, the "less than" operator stops being consistent as the > underlying data is constantly modified. This breaks some invariants > in std::sort resulting in infinite loops or straight out segfaults. > > This CL fixes this by copying the data before sorting SABs and > writing the sorted result back. > > Note: The added regression test is tailored for ASAN bots as a > normal build would need too many iterations to consistently crash. > > R=neis@chromium.org, petermarshall@chromium.org > > Bug: v8:9161 > Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641 > Reviewed-by: Peter Marshall <petermarshall@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Commit-Queue: Simon Zünd <szuend@chromium.org> > Cr-Commit-Position: refs/heads/master@{#61004} Bug: v8:9161 Change-Id: Idffc3fbb5f28f4966c8f1ac6770d5b5d6003a7e7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583726 Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#61011}
2019-04-25 11:40:40 +00:00
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// This test is a reproduction of a crash that happens when a TypedArray
// backed by a SharedArrayBuffer is concurrently modified while sorting.
// Segfaults would need a long time to trigger in normal builds, so this
// reproduction is tailored to trigger on ASAN builds. On ASAN builds,
// out-of-bounds accesses while sorting would result in an immediate failure.
const lock = new Int32Array(new SharedArrayBuffer(4));
const kIterations = 5000;
const kLength = 2000;
const kStageIndex = 0;
const kStageInit = 0;
const kStageRunning = 1;
const kStageDone = 2;
Atomics.store(lock, kStageIndex, kStageInit);
function WaitUntil(expected) {
while (true) {
const value = Atomics.load(lock, kStageIndex);
if (value === expected) break;
}
}
const workerScript = `
onmessage = function([sab, lock]) {
const i32a = new Int32Array(sab);
Atomics.store(lock, ${kStageIndex}, ${kStageRunning});
for (let j = 1; j < ${kIterations}; ++j) {
for (let i = 0; i < i32a.length; ++i) {
i32a[i] = j;
}
}
postMessage("done");
Atomics.store(lock, ${kStageIndex}, ${kStageDone});
};`;
const worker = new Worker(workerScript, {type: 'string'});
const i32a = new Int32Array(
new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * kLength)
);
worker.postMessage([i32a.buffer, lock]);
WaitUntil(kStageRunning);
for (let i = 0; i < kIterations; ++i) {
i32a.sort();
}
WaitUntil(kStageDone);
assertEquals(worker.getMessage(), "done");
Reference in New Issue Copy Permalink