Bug 185038

Summary: Atomics.*: all Atomic operations and functions must allow "undefined" or non-existant index argument
Product: WebKit Reporter: Rick Waldron <rwaldron>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: amal, fpizlo, mark.lam, msaboff, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Rick Waldron
Reported 2018-04-26 11:50:06 PDT
Atomics.* functions all call ToIndex(...) on the "requestedIndex" argument. This abstract operation will turn "undefined" or "not actually present" into 0. Using a specially compiled JSC with this patch: https://gist.github.com/rwaldron/89ed9a4bb7a459db8d54c8fe77ead4b1, I observe the following: 1. To demonstrate that ToIndex is not broken elsewhere, in JSC: >>> new SharedArrayBuffer(undefined); [object SharedArrayBuffer] >>> new ArrayBuffer(undefined); [object ArrayBuffer] >>> new Int32Array(undefined); >>> var view = new DataView(new ArrayBuffer(4)); undefined >>> view.getUint8() 0 2. To demonstrate that ToIndex is broken for Atomics: >>> var sab = new SharedArrayBuffer(4); undefined >>> var i32a = new Int32Array(sab); undefined >>> Atomics.add(i32a, undefined, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.store(i32a, undefined, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.xor(i32a, undefined, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.and(i32a, undefined, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.sub(i32a, undefined, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.compareExchange(i32a, undefined, 0, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.exchange(i32a, undefined, 0, 1); Exception: RangeError: Access index is not an integer. >>> Atomics.load(i32a) Exception: RangeError: Access index is not an integer. Other engines produce the expected outcome: $ js js> var sab = new SharedArrayBuffer(4); js> var i32a = new Int32Array(sab); js> Atomics.load(i32a) 0 js> Atomics.add(i32a, undefined, 1); 0 js> Atomics.load(i32a); 1 js> Atomics.xor(i32a, undefined, 1); 1 js> Atomics.add(i32a, undefined, 1); 0 js> Atomics.add(i32a, undefined, 1); 1 js> Atomics.add(i32a, undefined, 1); 2 js> Atomics.or(i32a, undefined, 1); 3 js> Atomics.sub(i32a, undefined, 1); 3 js> Atomics.load(i32a); 2 $ v8 --harmony_sharedarraybuffer V8 version 6.8.72 d8> var sab = new SharedArrayBuffer(4); var i32a = new Int32Array(sab); Atomics.load(i32a) undefined d8> undefined d8> 0 d8> Atomics.add(i32a, undefined, 1); 0 d8> Atomics.load(i32a); 1 d8> Atomics.xor(i32a, undefined, 1); 1 d8> Atomics.add(i32a, undefined, 1); 0 d8> Atomics.add(i32a, undefined, 1); 1 d8> Atomics.add(i32a, undefined, 1); 2 d8> Atomics.or(i32a, undefined, 1); 3 d8> Atomics.sub(i32a, undefined, 1); 3 d8> Atomics.load(i32a); 2
Attachments
Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2020-11-04 01:57:14 PST
Will be fixed as a part of bug 212069. *** This bug has been marked as a duplicate of bug 212069 ***
Note You need to log in before you can comment on or make changes to this bug.