[sab] Make TypedArray#set atomic for SABs

Bug: chromium:1232620 Change-Id: Ie19fe8839966a1abb3d0a01fee1fb4b105fb6bf1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3070702 Commit-Queue: Clemens Backes <clemensb@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#76085}
2021-08-04 11:05:45 +02:00 · 2021-08-04 11:05:45 +02:00 · c37c4e8adf
commit c37c4e8adf
parent fb86158a3b
7 changed files with 47 additions and 1 deletions
--- a/src/builtins/builtins-typed-array-gen.cc
+++ b/src/builtins/builtins-typed-array-gen.cc
@ -270,6 +270,17 @@ void TypedArrayBuiltinsAssembler::CallCMemmove(TNode<RawPtrT> dest_ptr,
                std::make_pair(MachineType::UintPtr(), byte_length));
 }

+void TypedArrayBuiltinsAssembler::CallCRelaxedMemmove(
+    TNode<RawPtrT> dest_ptr, TNode<RawPtrT> src_ptr,
+    TNode<UintPtrT> byte_length) {
+  TNode<ExternalReference> memmove =
+      ExternalConstant(ExternalReference::relaxed_memmove_function());
+  CallCFunction(memmove, MachineType::AnyTagged(),
+                std::make_pair(MachineType::Pointer(), dest_ptr),
+                std::make_pair(MachineType::Pointer(), src_ptr),
+                std::make_pair(MachineType::UintPtr(), byte_length));
+}
+
 void TypedArrayBuiltinsAssembler::CallCMemcpy(TNode<RawPtrT> dest_ptr,
                                              TNode<RawPtrT> src_ptr,
                                              TNode<UintPtrT> byte_length) {
--- a/src/builtins/builtins-typed-array-gen.h
+++ b/src/builtins/builtins-typed-array-gen.h
@ -52,6 +52,9 @@ class TypedArrayBuiltinsAssembler : public CodeStubAssembler {
  void CallCMemmove(TNode<RawPtrT> dest_ptr, TNode<RawPtrT> src_ptr,
                    TNode<UintPtrT> byte_length);

+  void CallCRelaxedMemmove(TNode<RawPtrT> dest_ptr, TNode<RawPtrT> src_ptr,
+                           TNode<UintPtrT> byte_length);
+
  void CallCMemcpy(TNode<RawPtrT> dest_ptr, TNode<RawPtrT> src_ptr,
                   TNode<UintPtrT> byte_length);

--- a/src/builtins/typed-array-set.tq
+++ b/src/builtins/typed-array-set.tq
@ -281,7 +281,12 @@ TypedArrayPrototypeSetTypedArray(implicit context: Context, receiver: JSAny)(
    //                                  value, true, Unordered).
    //    iii. Set srcByteIndex to srcByteIndex + 1.
    //     iv. Set targetByteIndex to targetByteIndex + 1.
+    if (IsSharedArrayBuffer(target.buffer)) {
+      // SABs need a relaxed memmove to preserve atomicity.
+      CallCRelaxedMemmove(dstPtr, typedArray.data_ptr, countBytes);
+    } else {
      CallCMemmove(dstPtr, typedArray.data_ptr, countBytes);
+    }
  } label IfSlow deferred {
    // 22. If target.[[ContentType]] is not equal to
    //   typedArray.[[ContentType]], throw a TypeError exception.
--- a/src/builtins/typed-array.tq
+++ b/src/builtins/typed-array.tq
@ -65,6 +65,8 @@ extern macro TypedArrayBuiltinsAssembler::CallCMemset(
    RawPtr, intptr, uintptr): void;
 extern macro TypedArrayBuiltinsAssembler::CallCRelaxedMemcpy(
    RawPtr, RawPtr, uintptr): void;
+extern macro TypedArrayBuiltinsAssembler::CallCRelaxedMemmove(
+    RawPtr, RawPtr, uintptr): void;
 extern macro GetTypedArrayBuffer(implicit context: Context)(JSTypedArray):
    JSArrayBuffer;
 extern macro TypedArrayBuiltinsAssembler::GetTypedArrayElementsInfo(
--- a/src/codegen/external-reference.cc
+++ b/src/codegen/external-reference.cc
@ -813,6 +813,13 @@ void relaxed_memcpy(volatile base::Atomic8* dest,

 FUNCTION_REFERENCE(relaxed_memcpy_function, relaxed_memcpy)

+void relaxed_memmove(volatile base::Atomic8* dest,
+                     volatile const base::Atomic8* src, size_t n) {
+  base::Relaxed_Memmove(dest, src, n);
+}
+
+FUNCTION_REFERENCE(relaxed_memmove_function, relaxed_memmove)
+
 ExternalReference ExternalReference::printf_function() {
  return ExternalReference(Redirect(FUNCTION_ADDR(std::printf)));
 }
--- a/src/codegen/external-reference.h
+++ b/src/codegen/external-reference.h
@ -175,6 +175,7 @@ class StatsCounter;
  V(libc_memmove_function, "libc_memmove")                                     \
  V(libc_memset_function, "libc_memset")                                       \
  V(relaxed_memcpy_function, "relaxed_memcpy")                                 \
+  V(relaxed_memmove_function, "relaxed_memmove")                               \
  V(mod_two_doubles_operation, "mod_two_doubles")                              \
  V(mutable_big_int_absolute_add_and_canonicalize_function,                    \
    "MutableBigInt_AbsoluteAddAndCanonicalize")                                \
--- a/test/mjsunit/regress/regress-1232620.js
+++ b/test/mjsunit/regress/regress-1232620.js
@ -0,0 +1,17 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Try to catch TSAN issues with access to SharedArrayBuffer.
+
+function onmessage([buf]) {
+  const arr = new Int32Array(buf);
+  for (let val = 1; val < 100; ++val) arr.fill(val);
+}
+const arr = new Int32Array(new SharedArrayBuffer(4));
+const worker = new Worker(`onmessage = ${onmessage}`, {type: 'string'});
+worker.postMessage([arr.buffer]);
+// Wait until the worker starts filling the array.
+while (Atomics.load(arr) == 0) { }
+// Try setting a value on the shared array buffer that races with the fill.
+arr.set(arr);