From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- ...ut-of-bounds-to-in-bounds-index-over-mailbox.js | 38 ++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js (limited to 'js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js') diff --git a/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js new file mode 100644 index 0000000000..5e5d61df25 --- /dev/null +++ b/js/src/jit-test/tests/sharedbuf/resized-out-of-bounds-to-in-bounds-index-over-mailbox.js @@ -0,0 +1,38 @@ +// |jit-test| --enable-arraybuffer-resizable; skip-if: !this.SharedArrayBuffer?.prototype?.grow||helperThreadCount()===0 + +let gsab = new SharedArrayBuffer(3, {maxByteLength: 4}); + +setSharedObject(gsab); + +function worker(gsab) { + let ta = new Int8Array(gsab); + + // Wait until `valueOf` is called. + while (Atomics.load(ta, 0) === 0); + + // Now grow the buffer. + gsab.grow(4); + + // Notify the buffer has been resized. + Atomics.store(ta, 1, 1); +} + +evalInWorker(`(${worker})(getSharedObject());`); + +let ta = new Int8Array(gsab); + +let value = { + valueOf() { + // Notify we're in `valueOf()`. + Atomics.store(ta, 0, 1); + + // Wait until buffer has been resized. + while (Atomics.load(ta, 1) === 0); + + // Continue execution. + return 0; + } +}; + +// Write into currently out-of-bounds, but later in-bounds index. +ta[3] = value; -- cgit v1.2.3