Bug 197191

Summary: Segmentation fault in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort with concurrent write access on SharedArrayBuffer
Product: WebKit
Reporter: André Bargull <andre.bargull>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: anthony, bilgorajskim, fpizlo, keith_miller, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified

Description André Bargull 2019-04-23 01:44:20 PDT
SVN rev: r244537 (with ENABLE_SHARED_ARRAY_BUFFER = 1)


Test case:
```
// test262 harness helper: spin until the shared slot at `index` holds `expected`.
$262.agent.waitUntil = function(typedArray, index, expected) {
  var agents = 0;
  while ((agents = Atomics.load(typedArray, index)) !== expected) {
    /* nothing */
  }
};

const ITERATIONS = 10000;
const RUNNING = 0; // slot 0 counts the agents that have started

// 100000 Int32 elements backed by a SharedArrayBuffer, so a second agent
// can write to the same memory the main thread is sorting.
const i32a = new Int32Array(
  new SharedArrayBuffer(Int32Array.BYTES_PER_ELEMENT * 100000)
);

// Writer agent: signals that it is running, then keeps overwriting every
// element of the shared view for as long as the main thread keeps sorting.
$262.agent.start(`
  $262.agent.receiveBroadcast(function(sab) {
    const i32a = new Int32Array(sab);
    Atomics.add(i32a, ${RUNNING}, 1);
    
    for (var j = 1; j < ${ITERATIONS}; ++j) {
        for (var i = 0; i < i32a.length; ++i) {
            i32a[i] = j;
        }
    }
    
    $262.agent.report("done");
    $262.agent.leaving();
  });
`);

$262.agent.broadcast(i32a.buffer);
$262.agent.waitUntil(i32a, RUNNING, 1);

// Main thread: sort the shared view in place while the writer mutates it.
for (var i = 0; i < ITERATIONS; ++i) {
    i32a.sort();
}

print("report: ", $262.agent.getReport());
```


Crashes with seg-fault:
```
Thread 1 "jsc-debug" received signal SIGSEGV, Segmentation fault.
0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43
43            { return *__it1 < *__it2; }
```

Stacktrace:
```
#0  0x00007ffff6353454 in __gnu_cxx::__ops::_Iter_less_iter::operator()<int*, int*> (this=0x7fffffffb4b8, __it1=0x7ff000000000, __it2=0x7fe80b660000)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/predefined_ops.h:43
#1  0x00007ffff635392a in std::__unguarded_partition<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7ff000000000, __last=0x7fe80b66d008, __pivot=0x7fe80b660000, __comp=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1902
#2  0x00007ffff6353260 in std::__unguarded_partition_pivot<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __comp=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1923
#3  0x00007ffff6353107 in std::__introsort_loop<int*, long, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b678618, __depth_limit=29, __comp=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1953
#4  0x00007ffff6353089 in std::__sort<int*, __gnu_cxx::__ops::_Iter_less_iter> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80, __comp=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:1968
#5  0x00007ffff6350b22 in std::sort<int*> (__first=0x7fe80b660000, __last=0x7fe80b6c1a80) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:4834
#6  0x00007ffff69bfc45 in JSC::JSGenericTypedArrayView<JSC::Int32Adaptor>::sort (this=0x7fffafae83a0) at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h:206
#7  0x00007ffff699c3a8 in JSC::genericTypedArrayViewPrivateFuncSort<JSC::JSGenericTypedArrayView<JSC::Int32Adaptor> > (vm=..., exec=0x7fffffffb7e0)
    at ../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:413
#8  0x00007ffff6996e93 in JSC::typedArrayViewPrivateFuncSort (exec=0x7fffffffb7e0) at ../../Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp:105
...
```
Comment 1 Radar WebKit Bug Importer 2019-04-23 08:31:58 PDT
<rdar://problem/50130547>
Comment 2 Yusuke Suzuki 2020-04-14 09:34:14 PDT

*** This bug has been marked as a duplicate of bug 197634 ***
Comment 3 Yusuke Suzuki 2020-04-14 09:34:33 PDT
Thanks for your report! This is fixed in bug 197634 :)
Comment 4 Yusuke Suzuki 2020-04-14 09:35:45 PDT
Ah, no. Wrong bug close.
Comment 5 Yusuke Suzuki 2020-11-03 23:38:15 PST
The problem is that sort is assuming that we do not break total ordering of the already sorted values. But this is wrong in this case: shared array buffer is shared, and the other thread can modify it while sorting.
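To make the mechanism in the comment above concrete: libstdc++'s `std::__unguarded_partition` (frame #1 of the stack trace) scans with `while (comp(first, pivot)) ++first;` and no bounds check, relying on the pivot value still being present in the range as a sentinel. When another thread rewrites the elements mid-sort, that sentinel can disappear and the scan walks off the end of the buffer, which is why `__first` in the trace is far beyond `__last`. The C++ below is an added illustration, not WebKit code and not the patch from bug 212069: it sorts a private snapshot of the shared memory instead of the shared memory itself, so every pointer `std::sort` dereferences points into memory no other thread can touch. The `sortSnapshot`, `writeBack`, `sortsKnownInput` and `raceDemo` names, and the use of `std::atomic<int32_t>` to stand in for a SharedArrayBuffer, are this example's own choices.

```cpp
// Added example (not WebKit code): sort a snapshot of shared memory rather
// than sorting the shared memory in place.
#include <algorithm>
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <thread>
#include <vector>

// std::sort requires the sequence to stay unchanged and the comparison to be
// a strict weak ordering for the whole call; a concurrent writer violates
// both. Copying each element into private memory first (one atomic load per
// element) means the sort never reads the shared region at all.
std::vector<int32_t> sortSnapshot(const std::atomic<int32_t>* shared, size_t length)
{
    std::vector<int32_t> snapshot;
    snapshot.reserve(length);
    for (size_t i = 0; i < length; ++i)
        snapshot.push_back(shared[i].load(std::memory_order_relaxed));
    std::sort(snapshot.begin(), snapshot.end());
    return snapshot;
}

// Publish the sorted values. A racing writer may overwrite them again
// afterwards (inherent to shared memory), but the sort itself can no longer
// read outside the buffer.
void writeBack(std::atomic<int32_t>* shared, const std::vector<int32_t>& sorted)
{
    for (size_t i = 0; i < sorted.size(); ++i)
        shared[i].store(sorted[i], std::memory_order_relaxed);
}

// Deterministic check with no racing writer (constructed input).
bool sortsKnownInput()
{
    std::atomic<int32_t> buf[5];
    const int32_t input[5] = {5, -1, 3, 3, 0};
    for (size_t i = 0; i < 5; ++i)
        buf[i].store(input[i], std::memory_order_relaxed);
    writeBack(buf, sortSnapshot(buf, 5));
    const int32_t expected[5] = {-1, 0, 3, 3, 5};
    for (size_t i = 0; i < 5; ++i)
        if (buf[i].load(std::memory_order_relaxed) != expected[i])
            return false;
    return true;
}

// Mirrors the reporter's test: one thread keeps overwriting the buffer while
// another sorts it repeatedly. Returns true if every sort produced a sorted
// result of the right length.
bool raceDemo(size_t length, int iterations)
{
    std::vector<std::atomic<int32_t>> shared(length);
    for (size_t i = 0; i < length; ++i)
        shared[i].store(static_cast<int32_t>(length - i), std::memory_order_relaxed);

    std::atomic<bool> stop{false};
    std::thread writer([&] {
        for (uint32_t j = 1; !stop.load(std::memory_order_relaxed); ++j)
            for (size_t i = 0; i < length; ++i)
                shared[i].store(static_cast<int32_t>(j), std::memory_order_relaxed);
    });

    bool ok = true;
    for (int i = 0; i < iterations && ok; ++i) {
        std::vector<int32_t> sorted = sortSnapshot(shared.data(), length);
        ok = sorted.size() == length && std::is_sorted(sorted.begin(), sorted.end());
        writeBack(shared.data(), sorted);
    }
    stop.store(true, std::memory_order_relaxed);
    writer.join();
    return ok;
}

int main()
{
    return (sortsKnownInput() && raceDemo(100000, 200)) ? 0 : 1;
}
```

The snapshot costs one extra copy per sort, which is the price of not handing `std::sort` pointers into memory another thread owns concurrently. The same pattern applies to any in-place algorithm whose correctness depends on elements not moving underneath it (partitioning, binary search, heap operations) when the backing store is shared.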
Comment 6 Yusuke Suzuki 2020-11-04 00:29:22 PST
Will fix as a part of bug 212069's patch.
Thanks!

*** This bug has been marked as a duplicate of bug 212069 ***