summaryrefslogtreecommitdiffstats
path: root/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js
diff options
context:
space:
mode:
Diffstat (limited to 'js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js')
-rw-r--r--js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js38
1 files changed, 38 insertions, 0 deletions
diff --git a/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js
new file mode 100644
index 0000000000..5e5d61df25
--- /dev/null
+++ b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js
@@ -0,0 +1,38 @@
+// |jit-test| --enable-arraybuffer-resizable; skip-if: !this.SharedArrayBuffer?.prototype?.grow||helperThreadCount()===0
+
+let gsab = new SharedArrayBuffer(3, {maxByteLength: 4});
+
+setSharedObject(gsab);
+
+function worker(gsab) {
+ let ta = new Int8Array(gsab);
+
+ // Wait until `valueOf` is called.
+ while (Atomics.load(ta, 0) === 0);
+
+ // Now grow the buffer.
+ gsab.grow(4);
+
+ // Notify the buffer has been resized.
+ Atomics.store(ta, 1, 1);
+}
+
+evalInWorker(`(${worker})(getSharedObject());`);
+
+let ta = new Int8Array(gsab);
+
+let value = {
+ valueOf() {
+ // Notify we're in `valueOf()`.
+ Atomics.store(ta, 0, 1);
+
+ // Wait until buffer has been resized.
+ while (Atomics.load(ta, 1) === 0);
+
+ // Continue execution.
+ return 0;
+ }
+};
+
+// Write into currently out-of-bounds, but later in-bounds index.
+ta[3] = value;
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-14 09:01:50 +0000