[sab] Make TypedArraySlice FastCopy atomic for SABs

Bug: chromium:1237153
Change-Id: If3c17d46cf53ba73cd6c199703b2854eb55fb68d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3077145Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76133}

src/builtins/typed-array-slice.tq

@@ -36,7 +36,12 @@ macro FastCopy(
   assert(countBytes <= dest.byte_length);
   assert(countBytes <= src.byte_length - startOffset);
 
-  typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes);
+  if (IsSharedArrayBuffer(src.buffer)) {
+    // SABs need a relaxed memmove to preserve atomicity.
+    typed_array::CallCRelaxedMemmove(dest.data_ptr, srcPtr, countBytes);
+  } else {
+    typed_array::CallCMemmove(dest.data_ptr, srcPtr, countBytes);
+  }
 }
 
 macro SlowCopy(implicit context: Context)(

test/mjsunit/regress/regress-crbug-1237153.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Try to catch TSAN issues with access to SharedArrayBuffer.
+
+function onmessage([buf]) {
+    const arr = new Int32Array(buf);
+    for (let val = 1; val < 100; ++val) arr.fill(val);
+}
+const arr = new Int32Array(new SharedArrayBuffer(4));
+const worker = new Worker(`onmessage = ${onmessage}`, { type: 'string' });
+worker.postMessage([arr.buffer]);
+// Wait until the worker starts filling the array.
+while (Atomics.load(arr) == 0) { }
+// Try creating a slice of the shared array buffer that races with the fill.
+const slice = arr.slice(0, 1);