[wasm] add a test for accidental sign extension

The bug reference has been fixed, probably due to the new WasmContext changes. We should keep a regression test for this anyway though. Bug: v8:6931 Change-Id: Ie9d94690e764498d2153691d96414d0d26258794 Reviewed-on: https://chromium-review.googlesource.com/727022 Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Eric Holk <eholk@chromium.org> Cr-Commit-Position: refs/heads/master@{#48712}
2017-10-18 18:20:34 -07:00 · 2017-10-18 18:20:34 -07:00 · ef2036a4e7
commit ef2036a4e7
parent aca9d69ea8
1 changed files with 30 additions and 0 deletions
--- a/test/mjsunit/regress/wasm/regress-6931.js
+++ b/test/mjsunit/regress/wasm/regress-6931.js
@ -0,0 +1,30 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+
+// This test checks for accidental sign extension. The Wasm spec says we do
+// arbitrary precision unsigned arithmetic to compute the memory address,
+// meaning this test should do 0xfffffffc + 8, which is 0x100000004 and out of
+// bounds. However, if we interpret 0xfffffffc as -4, then the result is 4 and
+// succeeds erroneously.
+
+
+(function() {
+  let builder = new WasmModuleBuilder();
+  builder.addMemory(1, 1, false);
+  builder.addFunction('test', kSig_v_v)
+      .addBody([
+        kExprI32Const, 0x7c, // address = -4
+        kExprI32Const, 0,
+        kExprI32StoreMem, 0, 8, // align = 0, offset = 8
+      ])
+      .exportFunc();
+  let module = builder.instantiate();
+
+  assertTraps(kTrapMemOutOfBounds, module.exports.test);
+})();