SharedArrayBuffer.prototype.slice must avoid copying a buffer onto itself #806
Comments
lars-t-hansen referenced this issue on Feb 9, 2017 (closed): Spec bug: SharedArrayBuffer.prototype.slice must avoid copying a buffer onto itself #166
I went ahead and already added a fix for this issue in #799.
Looks like the fix has been pulled into master.
littledan closed this on Apr 11, 2017
lars-t-hansen commented on Feb 9, 2017
(Moved from tc39/ecmascript_sharedmem#166.)
By (embedding-specific) means of transferring a SAB to another agent and back, it is possible to create a situation where two SAB objects reference the same memory in the same agent. Also, by means of manipulating the "constructor" property of an object, it is possible for a method that indirects via the constructor property, such as SAB.p.slice, to end up in a situation where the constructor returns an object that is not equal to the receiver of the method call but where the shared memory block is the same. In this case the call to CopyDataBlock from slice is not well-defined, as it requires the data blocks to be disjoint. There is a step in the algorithm for SharedArrayBuffer.prototype.slice that intends to guard against that but it only compares the identities of the two objects, not the identities of the underlying buffers (their Shared Data Block IDs).

The algorithm's step 14 should therefore be modified to grab the Shared Data Block IDs and to compare those instead, as that test would subsume the identity test on the SAB objects.
(Thanks to @anba for digging this one up.)
Also see https://bugzilla.mozilla.org/show_bug.cgi?id=1333436.
cc @syg.
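The situation described in the issue, as an added model and not code from the issue, the specification text, or any engine: SharedArrayBuffer objects and Shared Data Blocks are stood in for by plain classes (SABModel and SharedDataBlock, names assumed), so the original object-identity check and the proposed data-block check can be run side by side against a constructor that returns a second object over the receiver's memory.

```javascript
// Model of the spec objects: a SharedArrayBuffer object wraps a reference
// ([[ArrayBufferData]]) to a Shared Data Block; two objects may share one block.
class SharedDataBlock { constructor(n) { this.bytes = new Uint8Array(n); } }
class SABModel {
  constructor(byteLength, block = new SharedDataBlock(byteLength)) {
    this.block = block;            // [[ArrayBufferData]]
    this.byteLength = byteLength;  // [[ArrayBufferByteLength]]
  }
}
// CopyDataBlockBytes requires distinct blocks; the model checks that instead of
// silently copying overlapping memory.
function copyDataBlockBytes(toBlock, toIndex, fromBlock, fromIndex, count) {
  if (toBlock === fromBlock) throw new Error('CopyDataBlockBytes: blocks alias');
  toBlock.bytes.set(fromBlock.bytes.subarray(fromIndex, fromIndex + count), toIndex);
}
// SharedArrayBuffer.prototype.slice, keeping only the steps the issue discusses;
// speciesCtor stands in for Construct(SpeciesConstructor(O, %SharedArrayBuffer%), « newLen »).
// guard 'object' = original step 14 (SameValue on the two SAB objects);
// guard 'block'  = proposed step 14 (compare the underlying Shared Data Blocks).
function sliceModel(O, start, end, speciesCtor, guard) {
  const len = O.byteLength;
  const first = start < 0 ? Math.max(len + start, 0) : Math.min(start, len);
  const relEnd = end === undefined ? len : end;
  const final = relEnd < 0 ? Math.max(len + relEnd, 0) : Math.min(relEnd, len);
  const newLen = Math.max(final - first, 0);
  const neu = speciesCtor(newLen);
  const aliased = guard === 'block' ? neu.block === O.block : neu === O;
  if (aliased) throw new TypeError('species constructor returned the receiver\'s memory');
  if (neu.byteLength < newLen) throw new TypeError('constructed buffer is too short');
  copyDataBlockBytes(neu.block, 0, O.block, first, newLen);
  return neu;
}
function freshSAB() {                            // 8 bytes of constructed sample content
  const O = new SABModel(8);
  O.block.bytes.set([1, 2, 3, 4, 5, 6, 7, 8]);
  return O;
}
// The issue's scenario: a second SAB object over the receiver's block, handed
// back by a manipulated "constructor" property instead of a fresh buffer.
function hostileSlice(guard) {
  const O = freshSAB();
  const alias = new SABModel(8, O.block);        // same memory, different object
  try {
    sliceModel(O, 2, 6, () => alias, guard);
    return 'copied';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'precondition-violated';
  }
}
```

With the original guard the alias passes the identity test and the copy reaches CopyDataBlockBytes with overlapping source and destination; with the block comparison the same call is rejected with a TypeError, and a constructor that returns the receiver itself is rejected by both guards.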