Skip to content

V
V8
Commit e6fed5e8 authored by binji's avatar binji Committed by Commit bot
Browse files
Options

Fix cluster-fuzz bug introduced in refs/heads/master@{#28796} 

Don't DCHECK in the atomic runtime functions.

BUG=chromium:501809,chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1189223003

Cr-Commit-Position: refs/heads/master@{#29159}
parent ec2eaf71
Hide whitespace changes
Inline Side-by-side
Showing with 27 additions and 18 deletions
src/runtime/runtime-atomics.cc
View file @ e6fed5e8
......@@ -445,8 +445,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsCompareExchange) {
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(oldobj, 2);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(newobj, 3);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -472,8 +472,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsLoad) {
DCHECK(args.length() == 2);
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -500,8 +500,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsStore) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -528,8 +528,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsAdd) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -558,8 +558,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsSub) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -588,8 +588,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsAnd) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -618,8 +618,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsOr) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -648,8 +648,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsXor) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......@@ -678,8 +678,8 @@ RUNTIME_FUNCTION(Runtime_AtomicsExchange) {
CONVERT_ARG_HANDLE_CHECKED(JSTypedArray, sta, 0);
CONVERT_SIZE_ARG_CHECKED(index, 1);
CONVERT_NUMBER_ARG_HANDLE_CHECKED(value, 2);
DCHECK(sta->GetBuffer()->is_shared());
DCHECK(index < NumberToSize(isolate, sta->length()));
RUNTIME_ASSERT(sta->GetBuffer()->is_shared());
RUNTIME_ASSERT(index < NumberToSize(isolate, sta->length()));
void* buffer = sta->GetBuffer()->backing_store();
......
test/mjsunit/regress/regress-crbug-501809.js 0 → 100644
View file @ e6fed5e8
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-sharedarraybuffer --harmony-atomics
var sab = new SharedArrayBuffer(8);
var ta = new Int32Array(sab);
ta.__defineSetter__('length', function() {;});
assertThrows(function() { Atomics.compareExchange(ta, 4294967295, 0, 0); });
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment