2d89d8a926
The {cmp} instruction might add an entry to the constant pool at a time
where we didn't expect any entries to be added.
This can be fixed by moving the {CheckConstPool} call *after* the {cmp}.
R=mslekova@chromium.org
Bug: chromium:1034394
Change-Id: If075ad0b02e2973a734d70d9e58c205bd14e6a33
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1967380
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65463}
30 lines
859 B
JavaScript
30 lines
859 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
load('test/mjsunit/wasm/wasm-module-builder.js');
|
|
|
|
// Construct a big table switch. The code size will overflow 4096 bytes.
|
|
const NUM_CASES = 3073;
|
|
|
|
let body = [];
|
|
// Add one block, so we can jump to this block or to the function end.
|
|
body.push(kExprBlock);
|
|
body.push(kWasmStmt);
|
|
|
|
// Add the big BrTable.
|
|
body.push(kExprLocalGet, 0);
|
|
body.push(kExprBrTable, ...wasmSignedLeb(NUM_CASES));
|
|
for (let i = 0; i < NUM_CASES + 1; i++) {
|
|
body.push(i % 2);
|
|
}
|
|
|
|
// End the block.
|
|
body.push(kExprEnd);
|
|
|
|
// Create a module for this.
|
|
let builder = new WasmModuleBuilder();
|
|
builder.addFunction('main', kSig_v_i).addBody(body).exportFunc();
|
|
let instance = builder.instantiate();
|
|
instance.exports.main(0);
|