[wasm] Fix incorrect check for growing shared WebAssembly.memory

dtig · Commit Bot · commit 2599d3cc208a · 2019-10-23T18:14:50.000Z
Bug: chromium:1010272 Change-Id: Ieff61089255ee088fad45f15a0f1a8f93eeec94b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1869077 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#64525}
diff --git a/src/wasm/wasm-objects.cc b/src/wasm/wasm-objects.cc
@@ -1030,7 +1030,12 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
                                                     new_pages);
         // Broadcasting the update should update this memory object too.
         CHECK_NE(*old_buffer, memory_object->array_buffer());
-        CHECK_EQ(new_byte_length, memory_object->array_buffer().byte_length());
+        // This is a less than check, as it is not guaranteed that the SAB
+        // length here will be equal to the stashed length above as calls to
+        // grow the same memory object can come in from different workers.
+        // It is also possible that a call to Grow was in progress when
+        // handling this call.
+        CHECK_LE(new_byte_length, memory_object->array_buffer().byte_length());
         return static_cast<int32_t>(old_pages);  // success
       }
     }
diff --git a/test/mjsunit/regress/wasm/regress-1010272.js b/test/mjsunit/regress/wasm/regress-1010272.js
@@ -0,0 +1,30 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-grow-shared-memory --experimental-wasm-threads
+
+const kNumWorkers = 100;
+const kNumMessages = 50;
+
+function AllocMemory(initial, maximum = initial) {
+  return new WebAssembly.Memory({initial : initial, maximum : maximum, shared : true});
+}
+
+(function RunTest() {
+  let worker = [];
+  for (let w = 0; w < kNumWorkers; w++) {
+    worker[w] = new Worker(
+        `onmessage =
+        function(msg) {
+          msg.memory.grow(1);
+        }`, {type : 'string'});
+  }
+
+  for (let i = 0; i < kNumMessages; i++) {
+    let memory = AllocMemory(1, 128);
+    for (let w = 0; w < kNumWorkers; w++) {
+      worker[w].postMessage({memory : memory});
+    }
+  }
+})();

Original file line number	Diff line number	Diff line change
`@@ -1030,7 +1030,12 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,`
`1030`	`1030`	`new_pages);`
`1031`	`1031`	`// Broadcasting the update should update this memory object too.`
`1032`	`1032`	`CHECK_NE(*old_buffer, memory_object->array_buffer());`
`1033`		`- CHECK_EQ(new_byte_length, memory_object->array_buffer().byte_length());`
	`1033`	`+ // This is a less than check, as it is not guaranteed that the SAB`
	`1034`	`+ // length here will be equal to the stashed length above as calls to`
	`1035`	`+ // grow the same memory object can come in from different workers.`
	`1036`	`+ // It is also possible that a call to Grow was in progress when`
	`1037`	`+ // handling this call.`
	`1038`	`+ CHECK_LE(new_byte_length, memory_object->array_buffer().byte_length());`
`1034`	`1039`	`return static_cast<int32_t>(old_pages); // success`
`1035`	`1040`	`}`
`1036`	`1041`	`}`