diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js')
-rw-r--r-- | js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js new file mode 100644 index 0000000000..5e5d61df25 --- /dev/null +++ b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js @@ -0,0 +1,38 @@ +// |jit-test| --enable-arraybuffer-resizable; skip-if: !this.SharedArrayBuffer?.prototype?.grow||helperThreadCount()===0 + +let gsab = new SharedArrayBuffer(3, {maxByteLength: 4}); + +setSharedObject(gsab); + +function worker(gsab) { + let ta = new Int8Array(gsab); + + // Wait until `valueOf` is called. + while (Atomics.load(ta, 0) === 0); + + // Now grow the buffer. + gsab.grow(4); + + // Notify the buffer has been resized. + Atomics.store(ta, 1, 1); +} + +evalInWorker(`(${worker})(getSharedObject());`); + +let ta = new Int8Array(gsab); + +let value = { + valueOf() { + // Notify we're in `valueOf()`. + Atomics.store(ta, 0, 1); + + // Wait until buffer has been resized. + while (Atomics.load(ta, 1) === 0); + + // Continue execution. + return 0; + } +}; + +// Write into currently out-of-bounds, but later in-bounds index. +ta[3] = value; |