Bug 197191

SVN rev: r244537 (with ENABLE_SHARED_ARRAY_BUFFER = 1) Test case: ``` $262.agent.waitUntil = function(typedArray, index, expected) { var agents = 0; while ((agents = Atomics.load(typedArray, index)) !== expected) { /* nothing */ } }; const ITERATIONS = 10000; const RUNNING = 0; const i32a = new Int32Array( new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * 100000) ); $262.agent.start(` $262.agent.receiveBroadcast(function(sab) { const i32a = new Int32Array(sab); Atomics.add(i32a, ${RUNNING}, 1); for (var j = 1; j < ${ITERATIONS}; ++j) { for (var i = 0; i < i32a.length; ++i) { i32a[i] = j; } } $262.agent.report("done"); $262.agent.leaving(); }); `); $262.agent.broadcast(i32a.buffer); $262.agent.waitUntil(i32a, RUNNING, 1); for (var i = 0; i < ITERATIONS; ++i) { i32a.sort(); } print("report: ", $262.agent.getReport()); ``` Crashes with seg-fault: ``` Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault. 0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43 43 { return *__it1 < *__it2; } ``` Stacktrace: ``` #0 0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43 #1 0x00007ffff635392a in std::__unguarded_partition<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7ff000000000, __last=0x7fe80b66d008, __pivot=0x7fe80b660000, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1902 #2 0x00007ffff6353260 in std::__unguarded_partition_pivot<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1923 #3 0x00007ffff6353107 in std::__introsort_loop<int*, long, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __depth_limit=29, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1953 #4 0x00007ffff6353089 in std::__sort<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80, __comp=...) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1968 #5 0x00007ffff6350b22 in std::sort<int*> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:4834 #6 0x00007ffff69bfc45 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort (this=0x7fffafae83a0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:206 #7 0x00007ffff699c3a8 in JSC::genericTypedArrayViewPrivateFuncSort<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (vm=..., exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:413 #8 0x00007ffff6996e93 in JSC::typedArrayViewPrivateFuncSort (exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:105 ... ```