tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit b1ce0fdec323d9318c453fe2ae212d1694bd9647
parent d1682df686a5df5921a0ac888621b4105317c8c3
Author: Rong "Mantle" Bao <webmaster@csmantle.top>
Date:   Mon,  5 Jan 2026 15:30:18 +0000

Bug 2008301 - Part 3: Add crashing sample as jit-test/tests/wasm test case. r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D277841

Diffstat:

Ajs/src/jit-test/tests/wasm/bug2008301.js | 45+++++++++++++++++++++++++++++++++++++++++++++


1 file changed, 45 insertions(+), 0 deletions(-)

diff --git a/js/src/jit-test/tests/wasm/bug2008301.js b/js/src/jit-test/tests/wasm/bug2008301.js
@@ -0,0 +1,45 @@
+// |jit-test| --fast-warmup
+
+let v0 = new WebAssembly.Memory({ initial: 7, maximum: 10449, shared: true, address: 'i32' });
+// WasmModule Code:
+// BeginWasmModule
+//     BeginWasmFunction ([.wasmRef(.Abstract(null WasmExtern))] => [.wasmRef(.Abstract(null WasmNoFunc)), .wasmi64]) -> L:v1 [v2]
+//         v3 <- WasmMemorySize v0
+//         v4 <- WasmRefNull .wasmRef(.Abstract(null WasmNoFunc))
+//         v5 <- Consti64 '-41304'
+//         v6 <- Consti64 '1168133127'
+//         v7 <- Wasmi64CompareOp v6 lt_u v6
+//         v8 <- Consti32 '4'
+//         v9 <- WasmAtomicRMW v0[v8 + 4096] i32Sub8U v7
+//     v10 <- EndWasmFunction v4, v5
+// v11 <- EndWasmModule
+// 
+const v11 = new WebAssembly.Instance(new WebAssembly.Module(new Uint8Array([
+    0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0x01, 0x09,
+    0x01, 0x60, 0x01, 0x63, 0x6F, 0x02, 0x63, 0x73, 0x7E, 0x02,
+    0x1A, 0x01, 0x07, 0x69, 0x6D, 0x70, 0x6F, 0x72, 0x74, 0x73,
+    0x0B, 0x69, 0x6D, 0x70, 0x6F, 0x72, 0x74, 0x5F, 0x30, 0x5F,
+    0x76, 0x30, 0x02, 0x03, 0x07, 0xD1, 0x51, 0x03, 0x02, 0x01,
+    0x00, 0x04, 0x01, 0x00, 0x05, 0x01, 0x00, 0x06, 0x01, 0x00,
+    0x07, 0x0D, 0x02, 0x02, 0x77, 0x30, 0x00, 0x00, 0x04, 0x69,
+    0x77, 0x6D, 0x30, 0x02, 0x00, 0x0C, 0x01, 0x00, 0x0A, 0x43,
+    0x01, 0x41, 0x07, 0x01, 0x7F, 0x01, 0x63, 0x73, 0x01, 0x7E,
+    0x01, 0x7E, 0x01, 0x7F, 0x01, 0x7F, 0x01, 0x7F, 0x3F, 0x00,
+    0x21, 0x01, 0xD0, 0x73, 0x21, 0x02, 0x42, 0xA8, 0xBD, 0x7D,
+    0x21, 0x03, 0x42, 0x87, 0x98, 0x81, 0xAD, 0x04, 0x21, 0x04,
+    0x20, 0x04, 0x20, 0x04, 0x54, 0x21, 0x05, 0x41, 0x04, 0x21,
+    0x06, 0x20, 0x06, 0x20, 0x05, 0xFE, 0x27, 0x00, 0x80, 0x20,
+    0x21, 0x07, 0x20, 0x02, 0x20, 0x03, 0x0B, 0x0B, 0x01, 0x00,
+])),
+{ imports: {
+    import_0_v0: v0,
+} });
+const v12 = v11.exports;
+function F13(a15, a16, a17) {
+    if (!new.target) { throw 'must be called with new'; }
+    const v18 = this.constructor;
+    try { new v18(a16); } catch (e) {}
+    v12.w0(a17);
+}
+new F13();
+gc();