tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

address-offset-overflow.js (2621B)

      1 // |jit-test| test-also=--spectre-mitigations=off
      2 
      3 // Ensure |index * ByteSize| overflowing int32_t is handled correctly in the
      4 // backend.
      5 
      6 const ab = new ArrayBuffer(7 * 1024 * 1024 * 1024);
      7 
      8 function testInt16() {
      9    var ta = new Int16Array(ab);
     10    for (var i = 0; i < 2000; i++) {
     11        var idx = 1073741824; // 2147483648 / 2, offset doesn't fit in int32_t.
     12        assertEq(ta[idx], i);
     13        ++ta[idx];
     14 
     15        idx = 1073741823; // Largest offset that fits in int32_t.
     16        assertEq(ta[idx], i * 2);
     17        ta[idx] += 2;
     18    }
     19    ta[1073741823] = 0;
     20    ta[1073741824] = 0;
     21 }
     22 testInt16();
     23 
     24 function testInt32() {
     25    var ta = new Int32Array(ab);
     26    for (var i = 0; i < 2000; i++) {
     27        var idx = 536870912; // 2147483648 / 4, offset doesn't fit in int32_t.
     28        assertEq(ta[idx], i);
     29        ++ta[idx];
     30 
     31        idx = 536870911; // Largest offset that fits in int32_t.
     32        assertEq(ta[idx], i * 2);
     33        ta[idx] += 2;
     34    }
     35    ta[536870911] = 0;
     36    ta[536870912] = 0;
     37 }
     38 testInt32();
     39 
     40 function testFloat64() {
     41    var ta = new Float64Array(ab);
     42    for (var i = 0; i < 2000; i++) {
     43        var idx = 268435456; // 2147483648 / 8
     44        assertEq(ta[idx], i);
     45        ++ta[idx];
     46 
     47        idx = 268435455; // Largest offset that fits in int32_t.
     48        assertEq(ta[idx], i * 2);
     49        ta[idx] += 2;
     50    }
     51    ta[268435455] = 0;
     52    ta[268435456] = 0;
     53 }
     54 testFloat64();
     55 
     56 function testBigInt() {
     57    var ta = new BigInt64Array(ab);
     58    for (var i = 0; i < 2000; i++) {
     59        var idx = 268435456; // 2147483648 / 8
     60        assertEq(ta[idx], BigInt(i));
     61        ++ta[idx];
     62 
     63        idx = 268435455; // Largest offset that fits in int32_t.
     64        assertEq(ta[idx], BigInt(i * 2));
     65        ta[idx] += 2n;
     66    }
     67    ta[268435455] = 0n;
     68    ta[268435456] = 0n;
     69 }
     70 testBigInt();
     71 
     72 function testInt16Atomics() {
     73    var ta = new Int16Array(ab);
     74    for (var i = 0; i < 2000; i++) {
     75        var idx = 1073741824; // 2147483648 / 2, offset doesn't fit in int32_t.
     76        assertEq(Atomics.load(ta, idx), i);
     77        Atomics.add(ta, idx, 1);
     78        Atomics.exchange(ta, idx, 2);
     79        assertEq(ta[idx], 2);
     80        assertEq(Atomics.compareExchange(ta, idx, 2, 3), 2);
     81        Atomics.store(ta, idx, i + 1);
     82 
     83        idx = 1073741823; // Largest offset that fits in int32_t.
     84        assertEq(Atomics.load(ta, idx), i);
     85        Atomics.add(ta, idx, 1);
     86        Atomics.exchange(ta, idx, 2);
     87        assertEq(ta[idx], 2);
     88        assertEq(Atomics.compareExchange(ta, idx, 2, 3), 2);
     89        Atomics.store(ta, idx, i + 1);
     90    }
     91    ta[1073741823] = 0;
     92    ta[1073741824] = 0;
     93 }
     94 testInt16Atomics();