[Webkit-unassigned] [Bug 185738] New: Atomics.load() resulting in segmentation fault

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 17 11:49:29 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=185738

            Bug ID: 185738
           Summary: Atomics.load() resulting in segmentation fault
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rick at bocoup.com

Created attachment 340614

  --> https://bugs.webkit.org/attachment.cgi?id=340614&action=review

wake-in-order-seg-fault.txt

For the purpose of testing Atomics & SharedArrayBuffer, I've been working with a build of JavaScriptCore that I've patched to "#define ENABLE_SHARED_ARRAY_BUFFER 1", that can be found here: https://gist.github.com/rwaldron/89ed9a4bb7a459db8d54c8fe77ead4b1

While using this build, I've encountered a test in Test262 that consistently produces a "Segmentation fault: 11". 

I've attached a standalone copy of the test, as well as a complete seg fault dump. 

To run the test: 

1. Enable SharedArrayBuffers (either manually, or apply the patch I've provided in the gist above

    wget https://gist.githubusercontent.com/rwaldron/89ed9a4bb7a459db8d54c8fe77ead4b1/raw/0001-Enable-SharedArrayBuffer-for-Testing.patch
    git apply 0001-Enable-SharedArrayBuffer-for-Testing.patch

2. Build a JSC:

    Tools/Scripts/build-jsc --debug

3. Download test file: wake-in-order-standalone.js

   wget https://gist.githubusercontent.com/rwaldron/90f5ce7ceb318c1030942ca074a6daa8/raw/wake-in-order-standalone.js

4. Run the test file: 

   ./WebKitBuild/Debug/jsc wake-in-order-standalone.js


If this test runs successfully, it will output nothing at all. 



The key portion of the test that causes the seg fault is this code:


    while (Atomics.load(i32a, ${SPIN + i}) === 0)
        /* nothing */ ;


Which is found in the source string of the agent, lines 35-36. Changing that to: 


    while (Atomics.load(i32a, ${SPIN + i}) === 0) {
      $262.agent.sleep(1);
    }


Will prevent the seg fault, but the issue remains.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180517/ecaa87bd/attachment.html>

More information about the webkit-unassigned mailing list