1ff3e7ea33
BUG=v8:6478, chromium:729768
R=bradnelson@chromium.org, eholk@chromium.org
Review-Url: https://codereview.chromium.org/2903153002
Cr-Original-Commit-Position: refs/heads/master@{#45931}
Committed: 7e6ed62071
Review-Url: https://codereview.chromium.org/2903153002
Cr-Commit-Position: refs/heads/master@{#45967}
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");
/**
 * Regression test: a wasm store with a very large static offset must trap
 * with kTrapMemOutOfBounds when it executes right after grow_memory.
 *
 * The exported "main" pushes address 20, grows memory by 29 pages, and then
 * stores grow_memory's result at address 20 plus the static offset. The
 * offset bytes 0xFF 0xFF 0xFF 0x7A are LEB128 for 0xf5fffff (about 246 MiB).
 * With 64 KiB wasm pages that is past the grown size (16 + 29 = 45 pages)
 * and past the 128-page value given to addMemory, so the access can never be
 * in bounds. The bounds check therefore has to cover base + static offset
 * against the post-grow memory size; a trap is the only safe outcome.
 *
 * Depends on the helpers loaded at the top of the file (WasmModuleBuilder,
 * the kExpr and kSig constants, kMemoryZero) and on the harness-provided print,
 * assertTraps and kTrapMemOutOfBounds.
 */
function testGrowMemoryOutOfBoundsOffset() {
  // NOTE(review): the label ends in "2" while the function name does not;
  // kept exactly as written.
  print("testGrowMemoryOutOfBoundsOffset2");

  const moduleBuilder = new WasmModuleBuilder();
  // 16 and 128 are the initial and maximum page counts; the third argument
  // is presumably the "exported" flag -- confirm in wasm-module-builder.js.
  moduleBuilder.addMemory(16, 128, false);

  const mainBody = [
    kExprI32Const, 20,  // address operand consumed by the store below
    kExprI32Const, 29,  // page delta consumed by grow_memory
    kExprGrowMemory, kMemoryZero,
    // Assembly equivalent Move <reg>,0xf5fffff
    // with wasm memory reference relocation information
    // (immediates: alignment 0, then the LEB128-encoded offset).
    kExprI32StoreMem, 0, 0xFF, 0xFF, 0xFF, 0x7A
  ];

  // Same call chain as a fluent addFunction().addBody().exportAs(), with each
  // intermediate result named.
  const mainFunction = moduleBuilder.addFunction("main", kSig_v_v);
  const mainWithBody = mainFunction.addBody(mainBody);
  mainWithBody.exportAs("main");

  const instance = moduleBuilder.instantiate();
  // Calling main must raise the out-of-bounds trap rather than write memory.
  assertTraps(kTrapMemOutOfBounds, instance.exports.main);
}
// Invoke the test at script top level so it runs as soon as the file is loaded.
testGrowMemoryOutOfBoundsOffset();