AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix cluster-fuzz bug introduced in refs/heads/master@{#28796}

Browse Source 
Don't DCHECK in the atomic runtime functions.

BUG=chromium:501809,chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1189223003

Cr-Commit-Position: refs/heads/master@{#29159}
This commit is contained in:
binji 2015-06-19 09:14:03 -07:00 committed by Commit bot
parent ec2eaf712e
commit e6fed5e895
2 changed files with 27 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/runtime/runtime-atomics.cc
View File

@ -445,8 +445,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsCompareExchange) {
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(oldobj, 2);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(newobj, 3);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -472,8 +472,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsLoad) {
DCHECK(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -500,8 +500,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsStore) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -528,8 +528,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsAdd) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -558,8 +558,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsSub) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -588,8 +588,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsAnd) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -618,8 +618,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsOr) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -648,8 +648,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsXor) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
@ -678,8 +678,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsExchange) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();

9
test/mjsunit/regress/regress-crbug-501809.js Normal file
View File

@ -0,0 +1,9 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-sharedarraybuffer --harmony-atomics
var sab = new SharedArrayBuffer(8);
var ta = new Int32Array(sab);
ta.__defineSetter__('length', function() {;});
assertThrows(function() { Atomics.compareExchange(ta, 4294967295, 0, 0); });