197191 2019-04-23 01:44:20 -0700 Segmentation fault in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort with concurrent write access on SharedArrayBuffer 2020-11-04 00:29:22 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED DUPLICATE 212069 InRadar P2 Normal --- 1 andre.bargull ysuzuki anthony bilgorajskim fpizlo keith_miller webkit-bug-importer ysuzuki oldest_to_newest 1529542 0 andre.bargull 2019-04-23 01:44:20 -0700 SVN rev: r244537 (with ENABLE_SHARED_ARRAY_BUFFER = 1) Test case: ``` $262.agent.waitUntil = function(typedArray, index, expected) { var agents = 0; while ((agents = Atomics.load(typedArray, index)) !== expected) { /* nothing */ } }; const ITERATIONS = 10000; const RUNNING = 0; const i32a = new Int32Array( new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * 100000) ); $262.agent.start(` $262.agent.receiveBroadcast(function(sab) { const i32a = new Int32Array(sab); Atomics.add(i32a, ${RUNNING}, 1); for (var j = 1; j < ${ITERATIONS}; ++j) { for (var i = 0; i < i32a.length; ++i) { i32a[i] = j; } } $262.agent.report("done"); $262.agent.leaving(); }); `); $262.agent.broadcast(i32a.buffer); $262.agent.waitUntil(i32a, RUNNING, 1); for (var i = 0; i < ITERATIONS; ++i) { i32a.sort(); } print("report: ", $262.agent.getReport()); ``` Crashes with seg-fault: ``` Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault. 0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43 43 { return *__it1 < *__it2; } ``` Stacktrace: ``` #0 0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43 #1 0x00007ffff635392a in std::__unguarded_partition<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7ff000000000, __last=0x7fe80b66d008, __pivot=0x7fe80b660000, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1902 #2 0x00007ffff6353260 in std::__unguarded_partition_pivot<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1923 #3 0x00007ffff6353107 in std::__introsort_loop<int*, long, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __depth_limit=29, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1953 #4 0x00007ffff6353089 in std::__sort<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1968 #5 0x00007ffff6350b22 in std::sort<int*> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:4834 #6 0x00007ffff69bfc45 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort (this=0x7fffafae83a0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:206 #7 0x00007ffff699c3a8 in JSC::genericTypedArrayViewPrivateFuncSort<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (vm=..., exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:413 #8 0x00007ffff6996e93 in JSC::typedArrayViewPrivateFuncSort (exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:105 ... ``` 1529593 1 webkit-bug-importer 2019-04-23 08:31:58 -0700 <rdar://problem/50130547> 1641407 2 ysuzuki 2020-04-14 09:34:14 -0700 *** This bug has been marked as a duplicate of bug 197634 *** 1641409 3 ysuzuki 2020-04-14 09:34:33 -0700 Thanks for your report! This is fixed in bug 197634 :) 1641410 4 ysuzuki 2020-04-14 09:35:45 -0700 Ah, no. Wrong bug close. 1704337 5 ysuzuki 2020-11-03 23:38:15 -0800 The problem is that sort is assuming that we do not break total ordering of the already sorted values. But this is wrong in this case: shared array buffer is shared, and the other thread can modify it while sorting. 1704342 6 ysuzuki 2020-11-04 00:29:22 -0800 Will fix as a part of bug 212069's patch. Thanks! *** This bug has been marked as a duplicate of bug 212069 ***