From ef2036a4e73cab89c72cc406536657d458662f2f Mon Sep 17 00:00:00 2001
From: Eric Holk
Date: Wed, 18 Oct 2017 18:20:34 -0700
Subject: [PATCH] [wasm] add a test for accidental sign extension

The bug reference has been fixed, probably due to the new WasmContext changes. We should keep a regression test for this anyway though.

Bug: v8:6931
Change-Id: Ie9d94690e764498d2153691d96414d0d26258794
Reviewed-on: https://chromium-review.googlesource.com/727022
Reviewed-by: Deepti Gandluri
Commit-Queue: Eric Holk
Cr-Commit-Position: refs/heads/master@{#48712}
---
test/mjsunit/regress/wasm/regress-6931.js | 30 +++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 test/mjsunit/regress/wasm/regress-6931.js

diff --git a/test/mjsunit/regress/wasm/regress-6931.js b/test/mjsunit/regress/wasm/regress-6931.js
new file mode 100644
index 0000000000..364e95a680
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-6931.js
@@ -0,0 +1,30 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+
+// This test checks for accidental sign extension. The Wasm spec says we do
+// arbitrary precision unsigned arithmetic to compute the memory address,
+// meaning this test should do 0xfffffffc + 8, which is 0x100000004 and out of
+// bounds. However, if we interpret 0xfffffffc as -4, then the result is 4 and
+// succeeds erroneously.
+
+
+(function() {
+ let builder = new WasmModuleBuilder();
+ builder.addMemory(1, 1, false);
+ builder.addFunction('test', kSig_v_v)
+ .addBody([
+ kExprI32Const, 0x7c, // address = -4
+ kExprI32Const, 0,
+ kExprI32StoreMem, 0, 8, // align = 0, offset = 8
+ ])
+ .exportFunc();
+ let module = builder.instantiate();
+
+ assertTraps(kTrapMemOutOfBounds, module.exports.test);
+})();
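Review bot: The regression test exercises only `i32.store`, so a sign-extended index on the load path would go unnoticed; whether loads and stores share one bounds-check path is not visible from this file. Consider a second exported function whose body is `kExprI32Const, 0x7c, kExprI32LoadMem, 0, 8, kExprDrop` with a matching `assertTraps(kTrapMemOutOfBounds, ...)`. The `// address = -4` comment would also read more clearly as `// address = -4 (signed LEB128), i.e. 0xfffffffc as an unsigned index`, since the byte 0x7c is not obviously -4 to a reader. Because the store writes 0 into freshly created memory, the trap assertion is the only signal this test has; a non-zero value would make an erroneous write at address 4 observable if the memory were ever exported for inspection.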