[Webkit-unassigned] [Bug 185038] New: Atomics.*: all Atomic operations and functions must allow "undefined" or non-existant index argument
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Apr 26 11:50:06 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=185038
Bug ID: 185038
Summary: Atomics.*: all Atomic operations and functions must
allow "undefined" or non-existant index argument
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rick at bocoup.com
Atomics.* functions all call ToIndex(...) on the "requestedIndex" argument. This abstract operation will turn "undefined" or "not actually present" into 0.
Using a specially compiled JSC with this patch: https://gist.github.com/rwaldron/89ed9a4bb7a459db8d54c8fe77ead4b1, I observe the following:
1. To demonstrate that ToIndex is not broken elsewhere, in JSC:
>>> new SharedArrayBuffer(undefined);
[object SharedArrayBuffer]
>>> new ArrayBuffer(undefined);
[object ArrayBuffer]
>>> new Int32Array(undefined);
>>> var view = new DataView(new ArrayBuffer(4));
undefined
>>> view.getUint8()
0
2. To demonstrate that ToIndex is broken for Atomics:
>>> var sab = new SharedArrayBuffer(4);
undefined
>>> var i32a = new Int32Array(sab);
undefined
>>> Atomics.add(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.store(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.xor(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.and(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.sub(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.compareExchange(i32a, undefined, 0, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.exchange(i32a, undefined, 0, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.load(i32a)
Exception: RangeError: Access index is not an integer.
Other engines produce the expected outcome:
$ js
js> var sab = new SharedArrayBuffer(4);
js> var i32a = new Int32Array(sab);
js> Atomics.load(i32a)
0
js> Atomics.add(i32a, undefined, 1);
0
js> Atomics.load(i32a);
1
js> Atomics.xor(i32a, undefined, 1);
1
js> Atomics.add(i32a, undefined, 1);
0
js> Atomics.add(i32a, undefined, 1);
1
js> Atomics.add(i32a, undefined, 1);
2
js> Atomics.or(i32a, undefined, 1);
3
js> Atomics.sub(i32a, undefined, 1);
3
js> Atomics.load(i32a);
2
$ v8 --harmony_sharedarraybuffer
V8 version 6.8.72
d8> var sab = new SharedArrayBuffer(4);
var i32a = new Int32Array(sab);
Atomics.load(i32a)
undefined
d8> undefined
d8> 0
d8> Atomics.add(i32a, undefined, 1);
0
d8> Atomics.load(i32a);
1
d8> Atomics.xor(i32a, undefined, 1);
1
d8> Atomics.add(i32a, undefined, 1);
0
d8> Atomics.add(i32a, undefined, 1);
1
d8> Atomics.add(i32a, undefined, 1);
2
d8> Atomics.or(i32a, undefined, 1);
3
d8> Atomics.sub(i32a, undefined, 1);
3
d8> Atomics.load(i32a);
2
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180426/48462747/attachment.html>
More information about the webkit-unassigned
mailing list