[Webkit-unassigned] [Bug 197191] New: Segmentation fault in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort with concurrent write access on SharedArrayBuffer
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Apr 23 01:44:20 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=197191
Bug ID: 197191
Summary: Segmentation fault in
JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort
with concurrent write access on SharedArrayBuffer
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: andre.bargull at gmail.com
SVN rev: r244537 (with ENABLE_SHARED_ARRAY_BUFFER = 1)
Test case:
```
// Harness helper: busy-wait until the worker agent has published `expected`
// at `typedArray[index]`.  Reads go through Atomics.load so the poll itself is
// well-defined on the shared backing store; the loop never yields.
$262.agent.waitUntil = function(typedArray, index, expected) {
  for (;;) {
    const current = Atomics.load(typedArray, index);
    if (current === expected) {
      return;
    }
  }
};
// Reproducer: a worker agent keeps overwriting every element of a shared
// Int32Array while the main agent sorts the same view in a loop.
// ITERATIONS bounds both the worker's write loop and the main sort loop.
const ITERATIONS = 10000;
// Element 0 doubles as a "worker is running" flag (set via Atomics.add below).
const RUNNING = 0;
// Int32 view over a SharedArrayBuffer so both agents see one backing store.
const i32a = new Int32Array(
new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * 100000)
);
// The worker's source is a template literal; ${RUNNING} and ${ITERATIONS}
// are substituted before the agent evaluates it.  The worker uses plain
// (non-atomic) stores for every element, which is exactly the concurrent
// write traffic the main thread's sort has to survive.
$262.agent.start(`
$262.agent.receiveBroadcast(function(sab) {
const i32a = new Int32Array(sab);
Atomics.add(i32a, ${RUNNING}, 1);
for (var j = 1; j < ${ITERATIONS}; ++j) {
for (var i = 0; i < i32a.length; ++i) {
i32a[i] = j;
}
}
$262.agent.report("done");
$262.agent.leaving();
});
`);
// Hand the shared buffer to the worker and block until it signals start,
// so the sort below always overlaps with the worker's writes.
$262.agent.broadcast(i32a.buffer);
$262.agent.waitUntil(i32a, RUNNING, 1);
// Sort repeatedly while the worker mutates the same memory.  The attached
// trace shows JSGenericTypedArrayView::sort calling std::sort<int*> and the
// unguarded partition step comparing through __it1=0x7ff000000000, far past
// __last=0x7fe80b66d008 -- consistent with the pivot value changing under
// std::sort, whose partition loop assumes stable elements.  NOTE(review):
// this suggests the sort runs in place on the shared storage; a defensive
// implementation sorts a private snapshot of the elements and writes the
// result back, so concurrent writers can only corrupt values, not bounds.
for (var i = 0; i < ITERATIONS; ++i) {
i32a.sort();
}
// The worker reports "done" once its write loop finishes.
print("report: ", $262.agent.getReport());
```
Crashes with seg-fault:
```
Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault.
0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43
43 { return *__it1 < *__it2; }
```
Stacktrace:
```
#0 0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43
#1 0x00007ffff635392a in std::__unguarded_partition<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7ff000000000, __last=0x7fe80b66d008, __pivot=0x7fe80b660000, __comp=...)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1902
#2 0x00007ffff6353260 in std::__unguarded_partition_pivot<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __comp=...)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1923
#3 0x00007ffff6353107 in std::__introsort_loop<int*, long, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __depth_limit=29, __comp=...)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1953
#4 0x00007ffff6353089 in std::__sort<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80, __comp=...)
at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1968
#5 0x00007ffff6350b22 in std::sort<int*> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:4834
#6 0x00007ffff69bfc45 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort (this=0x7fffafae83a0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:206
#7 0x00007ffff699c3a8 in JSC::genericTypedArrayViewPrivateFuncSort<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (vm=..., exec=0x7fffffffb7e0)
at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:413
#8 0x00007ffff6996e93 in JSC::typedArrayViewPrivateFuncSort (exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:105
...
```