[runtime] Fix relaxed memmove in TypedArray.prototype.set

If either target or source are shared buffers, use relaxed memmove. Bug: chromium:1353555 Change-Id: Ieaad826c610b0f2f808b4061947372d851f95978 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3862209 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#82812}
2022-08-29 16:59:09 +02:00 · 2022-08-29 16:59:09 +02:00 · d15537cf1f
commit d15537cf1f
parent af62c4f0e5
2 changed files with 18 additions and 1 deletions
--- a/src/builtins/typed-array-set.tq
+++ b/src/builtins/typed-array-set.tq
@ -274,7 +274,8 @@ TypedArrayPrototypeSetTypedArray(implicit context: Context, receiver: JSAny)(
    //                                  value, true, Unordered).
    //    iii. Set srcByteIndex to srcByteIndex + 1.
    //     iv. Set targetByteIndex to targetByteIndex + 1.
-    if (IsSharedArrayBuffer(target.buffer)) {
+    if (IsSharedArrayBuffer(target.buffer) ||
+        IsSharedArrayBuffer(source.buffer)) {
      // SABs need a relaxed memmove to preserve atomicity.
      CallCRelaxedMemmove(dstPtr, source.data_ptr, countBytes);
    } else {
--- a/test/mjsunit/regress/regress-1353555.js
+++ b/test/mjsunit/regress/regress-1353555.js
@ -0,0 +1,16 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const worker = new Worker(`function onmessage(buffer) {
+  const shared2 = new Int32Array(buffer);
+  shared2.fill(1);
+}`, {
+  type: 'string'
+});
+
+const shared = new Int32Array(new SharedArrayBuffer(4));
+worker.postMessage(shared.buffer);
+
+while (Atomics.load(shared) == 0) {}
+(new Int32Array(1)).set(shared);