[sab] Make TypedArraySlice FastCopy atomic for SABs

Bug: chromium:1237153 Change-Id: If3c17d46cf53ba73cd6c199703b2854eb55fb68d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3077145 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#76133}
2021-08-06 11:37:14 +01:00 · 2021-08-06 11:37:14 +01:00 · 4a7abdc32a
commit 4a7abdc32a
parent 674517a2cc
2 changed files with 23 additions and 1 deletions
--- a/src/builtins/typed-array-slice.tq
+++ b/src/builtins/typed-array-slice.tq
@ -36,7 +36,12 @@ macro FastCopy(
  assert(countBytes <= dest.byte_length);
  assert(countBytes <= src.byte_length - startOffset);

-  typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes);
+  if (IsSharedArrayBuffer(src.buffer)) {
+    // SABs need a relaxed memmove to preserve atomicity.
+    typed_array::CallCRelaxedMemmove(dest.data_ptr, srcPtr, countBytes);
+  } else {
+    typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes);
+  }
 }

 macro SlowCopy(implicit context: Context)(
--- a/test/mjsunit/regress/regress-crbug-1237153.js
+++ b/test/mjsunit/regress/regress-crbug-1237153.js
@ -0,0 +1,17 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Try to catch TSAN issues with access to SharedArrayBuffer.
+
+function onmessage([buf]) {
+    const arr = new Int32Array(buf);
+    for (let val = 1; val < 100; ++val) arr.fill(val);
+}
+const arr = new Int32Array(new SharedArrayBuffer(4));
+const worker = new Worker(`onmessage = ${onmessage}`, { type: 'string' });
+worker.postMessage([arr.buffer]);
+// Wait until the worker starts filling the array.
+while (Atomics.load(arr) == 0) { }
+// Try creating a slice of the shared array buffer that races with the fill.
+const slice = arr.slice(0, 1);