Commit 4780079

jakobkummerow authored and V8 LUCI CQ committed
[wasm] Fix DCHECK in AtomicWait after memory growth
With the changes in crrev.com/c/7003085, calling memory.grow() via the JS API didn't immediately update the memory's array buffer any more, which triggered a DCHECK in the runtime functions for atomic waits.

This patch restores immediate updating of the buffer for the current isolate, which maintains the other CL's goal to not allocate on loop back edges.

Fixed: 454991459
Change-Id: Id633cebb9ac24606bc0d8a3df703c74531d3c8a0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7100806
Reviewed-by: Clemens Backes <[email protected]>
Commit-Queue: Clemens Backes <[email protected]>
Auto-Submit: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/heads/main@{#103431}

1 parent 98bde8d commit 4780079

2 files changed

Lines changed: 23 additions & 0 deletions

src/wasm/wasm-objects.cc

Lines changed: 3 additions & 0 deletions
@@ -1207,6 +1207,9 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
12071207
if (!old_buffer->is_resizable_by_js()) {
12081208
// Broadcasting the update should update this memory object too.
12091209
CHECK(memory_object->needs_new_buffer());
1210+
// For the current isolate, immediately update the buffer.
1211+
RefreshSharedBuffer(isolate, memory_object, old_buffer,
1212+
ResizableFlag::kNotResizable);
12101213
}
12111214
// As {old_pages} was read racefully, we return here the synchronized
12121215
// value provided by {GrowWasmMemoryInPlace}, to provide the atomic
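
Review bot: The new comment above the RefreshSharedBuffer call says what is done but not why the deferred update is insufficient at this point. The preceding CHECK(memory_object->needs_new_buffer()) shows that broadcasting only marks the object, so the comment should state that callers in the current isolate, such as the runtime functions for atomic waits, rely on the array buffer being current as soon as Grow returns. If RefreshSharedBuffer is expected to clear needs_new_buffer(), a DCHECK after the call would make that invariant visible here.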
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
// Copyright 2025 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
6+
7+
let memory = new WebAssembly.Memory({ initial: 1, maximum: 2, shared: true });
8+
let builder = new WasmModuleBuilder();
9+
builder.addImportedMemory("m", "memory", 1, 2, "shared");
10+
builder.addFunction("wait", kSig_i_ii)
11+
.addBody([
12+
kExprLocalGet, 0, // address
13+
kExprLocalGet, 1, // expected_value
14+
kExprI64Const, 0, // timeout
15+
kAtomicPrefix, kExprI32AtomicWait, 2, 0
16+
])
17+
.exportFunc();
18+
let instance = builder.instantiate({m: {memory}});
19+
memory.grow(1);
20+
instance.exports.wait(kPageSize);
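
Review bot: The final call instance.exports.wait(kPageSize) passes one argument to a function declared with kSig_i_ii, so expected_value is coerced from undefined, and the return value is discarded. Pass the expected value explicitly and assert on the result, so the test checks the outcome of the wait on the newly grown page and not only that no DCHECK fires. An assertion on memory.buffer.byteLength directly after memory.grow(1) would also cover the buffer update itself, independent of the atomic wait path.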
