[sab] Make TypedArraySlice FastCopy atomic for SABs

Bug: chromium:1237153
Change-Id: If3c17d46cf53ba73cd6c199703b2854eb55fb68d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3077145
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76133}
This commit is contained in:
Santiago Aboy Solanes 2021-08-06 11:37:14 +01:00 committed by V8 LUCI CQ
parent 674517a2cc
commit 4a7abdc32a
2 changed files with 23 additions and 1 deletions

View File

@ -36,7 +36,12 @@ macro FastCopy(
assert(countBytes <= dest.byte_length); assert(countBytes <= dest.byte_length);
assert(countBytes <= src.byte_length - startOffset); assert(countBytes <= src.byte_length - startOffset);
typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes); if (IsSharedArrayBuffer(src.buffer)) {
// SABs need a relaxed memmove to preserve atomicity.
typed_array::CallCRelaxedMemmove(dest.data_ptr, srcPtr, countBytes);
} else {
typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes);
}
} }
macro SlowCopy(implicit context: Context)( macro SlowCopy(implicit context: Context)(

View File

@ -0,0 +1,17 @@
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Try to catch TSAN issues with access to SharedArrayBuffer.
function onmessage([buf]) {
const arr = new Int32Array(buf);
for (let val = 1; val < 100; ++val) arr.fill(val);
}
const arr = new Int32Array(new SharedArrayBuffer(4));
const worker = new Worker(`onmessage = ${onmessage}`, { type: 'string' });
worker.postMessage([arr.buffer]);
// Wait until the worker starts filling the array.
while (Atomics.load(arr) == 0) { }
// Try creating a slice of the shared array buffer that races with the fill.
const slice = arr.slice(0, 1);