diff options
| author | Myles Borins <mylesborins@google.com> | 2017-11-13 11:46:22 -0500 |
|---|---|---|
| committer | Myles Borins <mylesborins@google.com> | 2017-11-13 12:30:40 -0500 |
| commit | 14d24cc4d226a8317ea4eb1938840f86588dddfe (patch) | |
| tree | e81adb3cec498940b68d934d206d100a5e4d2e0e /deps/v8/test/mjsunit/regress/wasm | |
| parent | 1601a3c2a9d82c0c235bc37c5ecbb365a4ceb47c (diff) | |
| download | android-node-v8-14d24cc4d226a8317ea4eb1938840f86588dddfe.tar.gz android-node-v8-14d24cc4d226a8317ea4eb1938840f86588dddfe.tar.bz2 android-node-v8-14d24cc4d226a8317ea4eb1938840f86588dddfe.zip | |
deps: patch V8 to 6.2.414.44
Refs: https://github.com/v8/v8/compare/6.2.414.32...6.2.414.44
PR-URL: https://github.com/nodejs/node/pull/16848
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Michaƫl Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Diffstat (limited to 'deps/v8/test/mjsunit/regress/wasm')
| -rw-r--r-- | deps/v8/test/mjsunit/regress/wasm/regress-776677.js | 30 | ||||
| -rw-r--r-- | deps/v8/test/mjsunit/regress/wasm/regression-763439.js | 22 |
2 files changed, 52 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-776677.js b/deps/v8/test/mjsunit/regress/wasm/regress-776677.js new file mode 100644 index 0000000000..1b2357dcf2 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/wasm/regress-776677.js @@ -0,0 +1,30 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +function module(stdlib,foreign,buffer) { + "use asm"; + var fl = new stdlib.Uint32Array(buffer); + function f1(x) { + x = x | 0; + fl[0] = x; + fl[0x10000] = x; + fl[0x100000] = x; + } + return f1; +} + +var global = {Uint32Array:Uint32Array}; +var env = {}; +memory = new WebAssembly.Memory({initial:200}); +var buffer = memory.buffer; +evil_f = module(global,env,buffer); + +zz = {}; +zz.toString = function() { + Array.prototype.slice.call([]); + return 0xffffffff; +} +evil_f(3); +assertThrows(() => memory.grow(1), RangeError); +evil_f(zz); diff --git a/deps/v8/test/mjsunit/regress/wasm/regression-763439.js b/deps/v8/test/mjsunit/regress/wasm/regression-763439.js new file mode 100644 index 0000000000..0f9d2b24d8 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/wasm/regression-763439.js @@ -0,0 +1,22 @@ +// Copyright 2017 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +load('test/mjsunit/wasm/wasm-constants.js'); +load('test/mjsunit/wasm/wasm-module-builder.js'); + +var builder = new WasmModuleBuilder(); +builder.addMemory(0, 1234, false); +builder.addFunction('f', kSig_i_v) + .addBody([ + kExprI32Const, 0x1d, // -- + kExprGrowMemory, 0x00, // -- + kExprI32LoadMem, 0x00, 0xff, 0xff, 0x45, // -- + ]) + .exportFunc(); + +var module = new WebAssembly.Module(builder.toBuffer()); +var instance1 = new WebAssembly.Instance(module); +instance1.exports.f(); +var instance2 = new WebAssembly.Instance(module); +instance2.exports.f(); |