AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
b0cd98500d
v8/test/mjsunit/regress/wasm/regress-1408337.js
Matthias Liedtke b0cd98500d [wasm] Fix static out of bounds check in decoder 
Bug: chromium:1408337
Change-Id: Id6026097bf6a367601ec2837d11754d784212f30
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4176734
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85364}
2023-01-18 13:11:32 +00:00

25 lines
907 B
JavaScript
Raw Blame History

// Copyright 2023 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging --experimental-wasm-gc
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
builder.addMemory(16, 32, false);
// Generate function 1 (out of 1).
builder.addFunction(undefined, 0 /* sig */)
.addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0x15, // i32.const
kSimdPrefix, kExprS128Load8x8U, 0x00, 0xff, 0xff, 0xff, 0x00, // v128.load8x8_u
kExprUnreachable, // unreachable
kExprEnd, // end @11
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertThrows(() => instance.exports.main(1, 2, 3), WebAssembly.RuntimeError, /memory access out of bounds/);
Reference in New Issue View Git Blame Copy Permalink