185038 – Atomics.*: all Atomic operations and functions must allow "undefined" or non-existant index argument

Bug 185038 - Atomics.*: all Atomic operations and functions must allow "undefined" or non-existant index argument

Summary: Atomics.*: all Atomic operations and functions must allow "undefined" or non-...

Status:	RESOLVED DUPLICATE of bug 212069

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-26 11:50 PDT by Rick Waldron
Modified:	2020-11-04 01:57 PST (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rick Waldron 2018-04-26 11:50:06 PDT

Atomics.* functions all call ToIndex(...) on the "requestedIndex" argument. This abstract operation will turn "undefined" or "not actually present" into 0. 

Using a specially compiled JSC with this patch: https://gist.github.com/rwaldron/89ed9a4bb7a459db8d54c8fe77ead4b1, I observe the following: 


1. To demonstrate that ToIndex is not broken elsewhere, in JSC:

>>> new SharedArrayBuffer(undefined);
[object SharedArrayBuffer]
>>> new ArrayBuffer(undefined);
[object ArrayBuffer]
>>> new Int32Array(undefined);

>>> var view = new DataView(new ArrayBuffer(4));
undefined
>>> view.getUint8()
0


2. To demonstrate that ToIndex is broken for Atomics: 

>>> var sab = new SharedArrayBuffer(4);
undefined
>>> var i32a = new Int32Array(sab);
undefined
>>> Atomics.add(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.store(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.xor(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.and(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.sub(i32a, undefined, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.compareExchange(i32a, undefined, 0, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.exchange(i32a, undefined, 0, 1);
Exception: RangeError: Access index is not an integer.
>>> Atomics.load(i32a)
Exception: RangeError: Access index is not an integer.



Other engines produce the expected outcome: 

$ js
js> var sab = new SharedArrayBuffer(4);
js> var i32a = new Int32Array(sab);
js> Atomics.load(i32a)
0
js> Atomics.add(i32a, undefined, 1);
0
js> Atomics.load(i32a);
1
js> Atomics.xor(i32a, undefined, 1);
1
js> Atomics.add(i32a, undefined, 1);
0
js> Atomics.add(i32a, undefined, 1);
1
js> Atomics.add(i32a, undefined, 1);
2
js> Atomics.or(i32a, undefined, 1);
3
js> Atomics.sub(i32a, undefined, 1);
3
js> Atomics.load(i32a);
2


$ v8 --harmony_sharedarraybuffer
V8 version 6.8.72
d8> var sab = new SharedArrayBuffer(4);
var i32a = new Int32Array(sab);
Atomics.load(i32a)
undefined
d8> undefined
d8> 0
d8> Atomics.add(i32a, undefined, 1);
0
d8> Atomics.load(i32a);
1
d8> Atomics.xor(i32a, undefined, 1);
1
d8> Atomics.add(i32a, undefined, 1);
0
d8> Atomics.add(i32a, undefined, 1);
1
d8> Atomics.add(i32a, undefined, 1);
2
d8> Atomics.or(i32a, undefined, 1);
3
d8> Atomics.sub(i32a, undefined, 1);
3
d8> Atomics.load(i32a);
2

Comment 1 Yusuke Suzuki 2020-11-04 01:57:14 PST

Will be fixed as a part of bug 212069.

*** This bug has been marked as a duplicate of bug 212069 ***