v8/test/mjsunit/regress/regress-crbug-754175.js
Michael Starzinger 8d2a8e0c05 [asm.js] Fail gracefully on overly large buffers.
This makes sure instantiation of asm.js modules fails gracefully on heap
buffers exceeding the uint32_t range supported by WebAssembly.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-754175
BUG=chromium:754175

Change-Id: I4a9c6791beaab6da826b5b6b5a495f97e9d3b4e9
Reviewed-on: https://chromium-review.googlesource.com/632618
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47598}
2017-08-25 09:52:58 +00:00


// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --mock-arraybuffer-allocator
/**
 * asm.js module used as the instantiation target of this regression test.
 * Views `buffer` through `stdlib.Int8Array` and exports a single function.
 *
 * @param {Object} stdlib - object supplying the `Int8Array` constructor.
 * @param {Object} foreign - not referenced by this module.
 * @param {ArrayBuffer} buffer - backing store for the module heap.
 * @returns {{foo: Function}} object exposing `foo`.
 */
function Module(stdlib, foreign, buffer) {
"use asm";
// Heap view over the caller-supplied buffer; the buffer's length is what the
// test stresses, not the contents.
var heap = new stdlib.Int8Array(buffer);
// Reads heap element 23; `| 0` coerces the result to an asm.js int.
function foo() { return heap[23] | 0 }
return { foo:foo };
}
/**
 * Tries to bind the asm.js module to a heap of 0x100000000 bytes (2^32), one
 * more than the largest length a uint32_t can represent. One of the two steps
 * below is expected to throw, so nothing is returned.
 */
function instantiate() {
  // 32-bit architectures: the buffer allocation itself is expected to throw.
  const oversizedHeap = new ArrayBuffer(0x100000000);
  // 64-bit architectures: the throw is expected from instantiation instead.
  const stdlib = this;
  Module(stdlib, {}, oversizedHeap);
}
// Whichever step fails (buffer allocation or module instantiation), the
// failure has to surface as a catchable RangeError.
assertThrows(instantiate, RangeError);