diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
| commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
| tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js | |
| parent | Initial commit. (diff) | |
| download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip | |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js')
| -rw-r--r-- | js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js b/js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js new file mode 100644 index 0000000000..02914237d9 --- /dev/null +++ b/js/src/jit-test/tests/large-arraybuffers/address-offset-overflow.js @@ -0,0 +1,94 @@ +// |jit-test| test-also=--spectre-mitigations=off + +// Ensure |index * ByteSize| overflowing int32_t is handled correctly in the +// backend. + +const ab = new ArrayBuffer(7 * 1024 * 1024 * 1024); + +function testInt16() { + var ta = new Int16Array(ab); + for (var i = 0; i < 2000; i++) { + var idx = 1073741824; // 2147483648 / 2, offset doesn't fit in int32_t. + assertEq(ta[idx], i); + ++ta[idx]; + + idx = 1073741823; // Largest offset that fits in int32_t. + assertEq(ta[idx], i * 2); + ta[idx] += 2; + } + ta[1073741823] = 0; + ta[1073741824] = 0; +} +testInt16(); + +function testInt32() { + var ta = new Int32Array(ab); + for (var i = 0; i < 2000; i++) { + var idx = 536870912; // 2147483648 / 4, offset doesn't fit in int32_t. + assertEq(ta[idx], i); + ++ta[idx]; + + idx = 536870911; // Largest offset that fits in int32_t. + assertEq(ta[idx], i * 2); + ta[idx] += 2; + } + ta[536870911] = 0; + ta[536870912] = 0; +} +testInt32(); + +function testFloat64() { + var ta = new Float64Array(ab); + for (var i = 0; i < 2000; i++) { + var idx = 268435456; // 2147483648 / 8 + assertEq(ta[idx], i); + ++ta[idx]; + + idx = 268435455; // Largest offset that fits in int32_t. + assertEq(ta[idx], i * 2); + ta[idx] += 2; + } + ta[268435455] = 0; + ta[268435456] = 0; +} +testFloat64(); + +function testBigInt() { + var ta = new BigInt64Array(ab); + for (var i = 0; i < 2000; i++) { + var idx = 268435456; // 2147483648 / 8 + assertEq(ta[idx], BigInt(i)); + ++ta[idx]; + + idx = 268435455; // Largest offset that fits in int32_t. + assertEq(ta[idx], BigInt(i * 2)); + ta[idx] += 2n; + } + ta[268435455] = 0n; + ta[268435456] = 0n; +} +testBigInt(); + +function testInt16Atomics() { + var ta = new Int16Array(ab); + for (var i = 0; i < 2000; i++) { + var idx = 1073741824; // 2147483648 / 2, offset doesn't fit in int32_t. + assertEq(Atomics.load(ta, idx), i); + Atomics.add(ta, idx, 1); + Atomics.exchange(ta, idx, 2); + assertEq(ta[idx], 2); + assertEq(Atomics.compareExchange(ta, idx, 2, 3), 2); + Atomics.store(ta, idx, i + 1); + + idx = 1073741823; // Largest offset that fits in int32_t. + assertEq(Atomics.load(ta, idx), i); + Atomics.add(ta, idx, 1); + Atomics.exchange(ta, idx, 2); + assertEq(ta[idx], 2); + assertEq(Atomics.compareExchange(ta, idx, 2, 3), 2); + Atomics.store(ta, idx, i + 1); + } + ta[1073741823] = 0; + ta[1073741824] = 0; +} +testInt16Atomics(); |