[arraybuffer] Use relaxed load/store for bitfield

A benign datarace can occur between the array buffer tracker and using an arraybuffer as an asm.js memory. The former reads the {is_shared} bit, which should never change, and the latter writes the {is_asmjs_memory} bit, but no other bits. Since these bits are packed into a single word, TSAN reports a race. R=ulan@chromium.org BUG=v8:9531 Change-Id: Icceff211368e13794b6678b5fd7748fb5b3235bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714647 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#62866}

[arraybuffer] Use relaxed load/store for bitfield
A benign datarace can occur between the array buffer tracker and using an arraybuffer as an asm.js memory. The former reads the {is_shared} bit, which should never change, and the latter writes the {is_asmjs_memory} bit, but no other bits. Since these bits are packed into a single word, TSAN reports a race. R=ulan@chromium.org BUG=v8:9531 Change-Id: Icceff211368e13794b6678b5fd7748fb5b3235bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1714647 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#62866}
9f1a7d3a · Ben L. Titzer · Commit Bot · b6477a7f · 9f1a7d3a · 9f1a7d3a
Commit 9f1a7d3a authored Jul 23, 2019 by Ben L. Titzer Committed by Commit Bot Jul 23, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 2 deletions

js-array-buffer-inl.h src/objects/js-array-buffer-inl.h +2 -2

regress-9531.js test/mjsunit/asm/regress-9531.js +28 -0

mjsunit.status test/mjsunit/mjsunit.status +1 -0

No files found.
--- a/src/objects/js-array-buffer-inl.h
+++ b/src/objects/js-array-buffer-inl.h
@@ -67,11 +67,11 @@ void JSArrayBuffer::clear_padding() {
 }

 void JSArrayBuffer::set_bit_field(uint32_t bits) {
-  WriteField<uint32_t>(kBitFieldOffset, bits);
+  RELAXED_WRITE_UINT32_FIELD(*this, kBitFieldOffset, bits);
 }

 uint32_t JSArrayBuffer::bit_field() const {
-  return ReadField<uint32_t>(kBitFieldOffset);
+  return RELAXED_READ_UINT32_FIELD(*this, kBitFieldOffset);
 }

 // |bit_field| fields.

--- a/test/mjsunit/asm/regress-9531.js
+++ b/test/mjsunit/asm/regress-9531.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --validate-asm --allow-natives-syntax
+
+function Module(stdlib, ffi, buffer) {
+  "use asm";
+  var MEM8 = new stdlib.Uint8Array(buffer);
+  function foo() { return MEM8[0] | 0; }
+  return { foo: foo };
+}
+
+
+function RunOnce() {
+  let buffer = new ArrayBuffer(4096);
+  let ffi = {};
+  let stdlib = {Uint8Array: Uint8Array};
+  let module = Module(stdlib, ffi, buffer);
+  assertTrue(%IsAsmWasmCode(Module));
+  assertEquals(0, module.foo());
+}
+
+(function RunTest() {
+  for (let i = 0; i < 3000; i++) {
+    RunOnce();
+  }
+})();
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -368,6 +368,7 @@
  'asm/global-imports': [SKIP],
  'asm/regress-913822': [SKIP],
  'asm/regress-937650': [SKIP],
+  'asm/regress-9531': [SKIP],
  'asm/return-types': [SKIP],
  'regress/regress-599719': [SKIP],
  'regress/regress-6196': [SKIP],