Diffstat (limited to 'deps/v8/test/mjsunit/regress/wasm/regression-684858.js')
-rw-r--r-- | deps/v8/test/mjsunit/regress/wasm/regression-684858.js | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/deps/v8/test/mjsunit/regress/wasm/regression-684858.js b/deps/v8/test/mjsunit/regress/wasm/regression-684858.js
new file mode 100644
index 0000000000..e11d909c86
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/wasm/regression-684858.js
@@ -0,0 +1,34 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var name = 'regression_684858';
+
+function patchNameLength(buffer) {
+ var count = 0;
+ var view = new Uint8Array(buffer);
+ for (var i = 0, e = view.length - name.length; i < e; ++i) {
+ var subs = String.fromCharCode.apply(null, view.slice(i, i + name.length));
+ if (subs != name) continue;
+ ++count;
+ // One byte before this name, its length is encoded.
+ // Patch this to 127, making it out of bounds.
+ if (view.length >= 127) throw Error('cannot patch reliably');
+ if (view[i - 1] != name.length) throw Error('unexpected length');
+ view[i - 1] = 0x7f;
+ }
+ if (count != 1) throw Error('did not find name');
+}
+
+var builder = new WasmModuleBuilder();
+builder.addFunction(name, kSig_i_v)
+ .addBody([kExprI32Const, 2, kExprI32Const, 0, kExprI32DivU])
+ .exportAs('main');
+var buffer = builder.toBuffer();
+patchNameLength(buffer);
+var module = new WebAssembly.Module(buffer);
+var instance = new WebAssembly.Instance(module);
+assertThrows(() => instance.exports.main(), WebAssembly.RuntimeError); |
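Review bot: The scan in `patchNameLength` stops one offset short: with `e = view.length - name.length`, the condition `i < e` never tests the last position where the name could start, so the test only works while at least one byte follows the name in the encoded module. Using `i <= e` removes that dependence; as written a miss would fail loudly with 'did not find name' rather than pass silently. The `view.length >= 127` guard is loop-invariant and could sit before the loop with a comment such as `// 0x7f must exceed the module size so the patched name length points past the buffer`. It would also help if the header comment said what the decoder is expected to do with the oversized name length, since the only assertion is that the division trap surfaces as a `WebAssembly.RuntimeError`.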