v8/test/mjsunit/asm/regress-9531.js
Ben L. Titzer 9f1a7d3aa0 [arraybuffer] Use relaxed load/store for bitfield
A benign datarace can occur between the array buffer tracker and
using an arraybuffer as an asm.js memory. The former reads the
{is_shared} bit, which should never change, and the latter writes
the {is_asmjs_memory} bit, but no other bits. Since these bits are
packed into a single word, TSAN reports a race.

R=ulan@chromium.org
BUG=v8:9531

Change-Id: Icceff211368e13794b6678b5fd7748fb5b3235bf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714647
Commit-Queue: Ben Titzer <titzer@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62866}
2019-07-23 10:12:26 +00:00

29 lines
697 B
JavaScript

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --validate-asm --allow-natives-syntax
function Module(stdlib, ffi, buffer) {
"use asm";
var MEM8 = new stdlib.Uint8Array(buffer);
function foo() { return MEM8[0] | 0; }
return { foo: foo };
}
function RunOnce() {
let buffer = new ArrayBuffer(4096);
let ffi = {};
let stdlib = {Uint8Array: Uint8Array};
let module = Module(stdlib, ffi, buffer);
assertTrue(%IsAsmWasmCode(Module));
assertEquals(0, module.foo());
}
(function RunTest() {
for (let i = 0; i < 3000; i++) {
RunOnce();
}
})();