ff3a26aff3
This is a reland of 3d846115d6
Reland changes mjsunit.status to skip the regression test on
all bots except ASAN.
Original change's description:
> [typedarray] Fix crash when sorting SharedArrayBuffers
>
> TypedArray#sort has a fast-path when the user does not provide a
> comparison function. This fast-path utilizes std::sort which operates
> directly on the raw data. Per spec, std::sort requires the "less than"
> operation to be anti-symmetric and transitive.
>
> When sorting SharedArrayBuffers (SAB) that are concurrently modified during
> sorting, the "less than" operator stops being consistent as the
> underlying data is constantly modified. This breaks some invariants
> in std::sort resulting in infinite loops or straight out segfaults.
>
> This CL fixes this by copying the data before sorting SABs and
> writing the sorted result back.
>
> Note: The added regression test is tailored for ASAN bots as a
> normal build would need too many iterations to consistently crash.
>
> R=neis@chromium.org, petermarshall@chromium.org
>
> Bug: v8:9161
> Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61004}
Bug: v8:9161
Change-Id: Idffc3fbb5f28f4966c8f1ac6770d5b5d6003a7e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583726
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61011}
60 lines
1.6 KiB
JavaScript
60 lines
1.6 KiB
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
//
|
|
// This test is a reproduction of a crash that happens when a TypedArray
|
|
// backed by a SharedArrayBuffer is concurrently modified while sorting.
|
|
// Segfaults would need a long time to trigger in normal builds, so this
|
|
// reproduction is tailored to trigger on ASAN builds. On ASAN builds,
|
|
// out-of-bounds accesses while sorting would result in an immediate failure.
|
|
|
|
const lock = new Int32Array(new SharedArrayBuffer(4));
|
|
|
|
const kIterations = 5000;
|
|
const kLength = 2000;
|
|
|
|
const kStageIndex = 0;
|
|
const kStageInit = 0;
|
|
const kStageRunning = 1;
|
|
const kStageDone = 2;
|
|
|
|
Atomics.store(lock, kStageIndex, kStageInit);
|
|
|
|
function WaitUntil(expected) {
|
|
while (true) {
|
|
const value = Atomics.load(lock, kStageIndex);
|
|
if (value === expected) break;
|
|
}
|
|
}
|
|
|
|
const workerScript = `
|
|
onmessage = function([sab, lock]) {
|
|
const i32a = new Int32Array(sab);
|
|
Atomics.store(lock, ${kStageIndex}, ${kStageRunning});
|
|
|
|
for (let j = 1; j < ${kIterations}; ++j) {
|
|
for (let i = 0; i < i32a.length; ++i) {
|
|
i32a[i] = j;
|
|
}
|
|
}
|
|
|
|
postMessage("done");
|
|
Atomics.store(lock, ${kStageIndex}, ${kStageDone});
|
|
};`;
|
|
|
|
const worker = new Worker(workerScript, {type: 'string'});
|
|
|
|
const i32a = new Int32Array(
|
|
new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * kLength)
|
|
);
|
|
|
|
worker.postMessage([i32a.buffer, lock]);
|
|
WaitUntil(kStageRunning);
|
|
|
|
for (let i = 0; i < kIterations; ++i) {
|
|
i32a.sort();
|
|
}
|
|
|
|
WaitUntil(kStageDone);
|
|
assertEquals(worker.getMessage(), "done");
|