Reland "[typedarray] Fix crash when sorting SharedArrayBuffers"
This is a reland of 3d846115

Reland changes mjsunit.status to skip the regression test on all bots
except ASAN.

Original change's description:
> [typedarray] Fix crash when sorting SharedArrayBuffers
>
> TypedArray#sort has a fast-path when the user does not provide a
> comparison function. This fast-path utilizes std::sort which operates
> directly on the raw data. Per spec, std::sort requires the "less than"
> operation to be anti-symmetric and transitive.
>
> When sorting SharedArrayBuffers (SAB) that are concurrently modified during
> sorting, the "less than" operator stops being consistent as the
> underlying data is constantly modified. This breaks some invariants
> in std::sort resulting in infinite loops or straight out segfaults.
>
> This CL fixes this by copying the data before sorting SABs and
> writing the sorted result back.
>
> Note: The added regression test is tailored for ASAN bots as a
> normal build would need too many iterations to consistently crash.
>
> R=neis@chromium.org, petermarshall@chromium.org
>
> Bug: v8:9161
> Change-Id: Ic089928652f75865bfdb11e7453806faa6ecb988
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1581641
> Reviewed-by: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Georg Neis <neis@chromium.org>
> Commit-Queue: Simon Zünd <szuend@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#61004}

Bug: v8:9161
Change-Id: Idffc3fbb5f28f4966c8f1ac6770d5b5d6003a7e7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1583726
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61011}
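
The copy-then-sort approach described in the commit message, as an added C++ example that is not V8's code and not part of the original change. `SortViaPrivateCopy`, the `std::atomic<int32_t>` array standing in for the shared backing store, and the `after_snapshot` hook that simulates a concurrent write deterministically are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

// Hypothetical helper, not V8 code. `shared` stands in for the backing store
// of a SharedArrayBuffer that another thread may write at any time.
// `after_snapshot` is a test hook that simulates such a write deterministically.
std::vector<int32_t> SortViaPrivateCopy(
    std::atomic<int32_t>* shared, std::size_t length,
    const std::function<void()>& after_snapshot = nullptr) {
  // 1. Snapshot: relaxed atomic loads avoid a C++ data race while copying.
  std::vector<int32_t> copy(length);
  for (std::size_t i = 0; i < length; ++i)
    copy[i] = shared[i].load(std::memory_order_relaxed);

  if (after_snapshot) after_snapshot();  // a "concurrent" write lands here

  // 2. Sort private memory only: nobody else can change `copy`, so operator<
  //    stays consistent for the whole duration of std::sort.
  std::sort(copy.begin(), copy.end());

  // 3. Write back. A write that raced with the sort is overwritten: the result
  //    is memory-safe but reflects the snapshot, not the latest values.
  for (std::size_t i = 0; i < length; ++i)
    shared[i].store(copy[i], std::memory_order_relaxed);
  return copy;
}

// Constructed sample input: sorts {5,1,4,2,3} while a simulated writer
// clobbers element 0 after the snapshot. Returns true if the shared buffer
// still ends up holding the sorted snapshot.
bool DemoSortedDespiteInterference() {
  std::atomic<int32_t> shared[5];
  const int32_t init[5] = {5, 1, 4, 2, 3};
  for (int i = 0; i < 5; ++i) shared[i].store(init[i]);
  std::vector<int32_t> out =
      SortViaPrivateCopy(shared, 5, [&] { shared[0].store(99); });
  for (int i = 0; i < 5; ++i)
    if (shared[i].load() != i + 1) return false;
  return out == std::vector<int32_t>{1, 2, 3, 4, 5};
}
```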