a0e66bca78
When generating a 64bit memory operation on ia32, we need to emit two
operations, one at {offset+4}, one at {offset}. The computation
{offset+4} can overflow, which is ok because
1) it won't be used for code generation later, and
2) the generated code will not be reached because the memory access is
always out of bounds anyway.
R=ahaas@chromium.org
Bug: v8:7499, v8:6600
Change-Id: Ia4660688c3291700c48efc201d15fc370b4dd854
Reviewed-on: https://chromium-review.googlesource.com/939389
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51604}
20 lines
702 B
JavaScript
20 lines
702 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
load('test/mjsunit/wasm/wasm-constants.js');
|
|
load('test/mjsunit/wasm/wasm-module-builder.js');
|
|
|
|
const builder = new WasmModuleBuilder();
|
|
builder.addMemory(16, 32);
|
|
builder.addFunction(undefined, kSig_v_v).addBody([
|
|
kExprI32Const, 0, // i32.const 0
|
|
kExprI64LoadMem, 0, 0xff, 0xff, 0xff, 0xff,
|
|
0x0f, // i64.load align=0 offset=0xffffffff
|
|
kExprDrop, // drop
|
|
]);
|
|
builder.addExport('main', 0);
|
|
const module = builder.instantiate();
|
|
assertThrows(
|
|
() => module.exports.main(), WebAssembly.RuntimeError, /out of bounds/);
|