AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
c4d1a00873
v8/test/mjsunit/regress/wasm/regress-776677.js

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

31 lines
708 B
JavaScript
Raw Normal View History

[wasm] Fix Memory.grow when shared with asm.js modules If the buffer associated with WebAssembly.Memory is used as memory for asm.js modules, throw a range error on Memory.Grow. Bug: chromium:776677 Change-Id: Iebcd7797fa7724002dd8073d1dbaeb98f080d316 Reviewed-on: https://chromium-review.googlesource.com/731844 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48837}
2017-10-23 05:29:24 +00:00
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function module(stdlib,foreign,buffer) {
"use asm";
var fl = new stdlib.Uint32Array(buffer);
function f1(x) {
x = x | 0;
fl[0] = x;
fl[0x10000] = x;
fl[0x100000] = x;
}
return f1;
}
var global = {Uint32Array:Uint32Array};
var env = {};
Revert "Reland "[asmjs] Properly validate asm.js heap sizes"" This reverts commit 5c3092718e92d123366d0e5d3679c7258bda686c. Reason for revert: Broke fast/workers/worker-shared-asm-buffer.html Original change's description: > Reland "[asmjs] Properly validate asm.js heap sizes" > > This is a reland of 5d69010e269e3161a95de2030e14f0a291d00b42 > > Original change's description: > > [asmjs] Properly validate asm.js heap sizes > > > > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/) > > limitations on the size of asm.js heaps. > > > > R=clemensh@chromium.org > > CC=​mstarzinger@chromium.org > > > > Bug: chromium:873600 > > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd > > Reviewed-on: https://chromium-review.googlesource.com/1174411 > > Commit-Queue: Ben Titzer <titzer@chromium.org> > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#55163} > > Bug: chromium:873600 > Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932 > Reviewed-on: https://chromium-review.googlesource.com/1179681 > Commit-Queue: Ben Titzer <titzer@chromium.org> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55193} TBR=mstarzinger@chromium.org,titzer@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: chromium:873600 Change-Id: I5845c584c7ac399b9b7939f5fd50c09b7b2cc3d2 Reviewed-on: https://chromium-review.googlesource.com/1182616 Commit-Queue: Aseem Garg <aseemgarg@chromium.org> Reviewed-by: Aseem Garg <aseemgarg@chromium.org> Cr-Commit-Position: refs/heads/master@{#55242}
2018-08-21 00:07:38 +00:00
memory = new WebAssembly.Memory({initial:200});
[wasm] Fix Memory.grow when shared with asm.js modules If the buffer associated with WebAssembly.Memory is used as memory for asm.js modules, throw a range error on Memory.Grow. Bug: chromium:776677 Change-Id: Iebcd7797fa7724002dd8073d1dbaeb98f080d316 Reviewed-on: https://chromium-review.googlesource.com/731844 Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48837}
2017-10-23 05:29:24 +00:00
var buffer = memory.buffer;
evil_f = module(global,env,buffer);
zz = {};
zz.toString = function() {
Array.prototype.slice.call([]);
return 0xffffffff;
}
evil_f(3);
assertThrows(() => memory.grow(1), RangeError);
evil_f(zz);
Reference in New Issue Copy Permalink