jit-bounds-checks.js (3494B)
1 // |jit-test| test-also=--spectre-mitigations=off 2 3 const gb = 1 * 1024 * 1024 * 1024; 4 const ab = new ArrayBuffer(7 * gb); 5 6 // Function called with Uint8Arrays of different sizes. 7 function test(u8arr) { 8 var length = u8arr.length; 9 u8arr[0] = 87; 10 11 function testExpectedOOB() { 12 var base = length - 10; 13 u8arr[base]++; 14 for (var i = 0; i < 15; i++) { 15 var val = u8arr[base + i]; 16 u8arr[base + i + 1] = (val|0) + 1; 17 } 18 } 19 for (var i = 0; i < 500; i++) { 20 testExpectedOOB(); 21 } 22 assertEq(u8arr[length - 1], 253); 23 24 function testNegativeInt32Index() { 25 var val = 0; 26 for (var i = 0; i < 1500; i++) { 27 var idx = (i < 1450) - 1; // First 0, then -1. 28 val = u8arr[idx]; 29 } 30 assertEq(val, undefined); 31 } 32 testNegativeInt32Index(); 33 34 function testNegativeDoubleIndex() { 35 var val = 0; 36 for (var i = 0; i < 1500; i++) { 37 var idx = numberToDouble(+(i < 1450)) - 1; // First 0.0, then -1.0. 38 val = u8arr[idx]; 39 assertEq(val, i < 1450 ? 87 : undefined); 40 } 41 } 42 testNegativeDoubleIndex(); 43 44 function testConstantDoubleIndex() { 45 for (var i = 0; i < 1500; i++) { 46 var idxInBounds = 4294967100; 47 assertEq(u8arr[idxInBounds], 0); 48 u8arr[idxInBounds] = 1; 49 assertEq(u8arr[idxInBounds], 1); 50 u8arr[idxInBounds] = 0; 51 var idxOOB = 7516192768; 52 assertEq(u8arr[idxOOB], undefined); 53 var idxFractional = 7516192766 - 0.1; 54 assertEq(u8arr[idxFractional], undefined); 55 var idxNeg0 = -0; 56 assertEq(u8arr[idxNeg0], 87); 57 var idxNaN = NaN; 58 assertEq(u8arr[idxNaN], undefined); 59 } 60 } 61 testConstantDoubleIndex(); 62 63 function testDoubleIndexWeird() { 64 var arr = [0.0, -0, 3.14, NaN, Infinity, -Infinity, 65 Number.MIN_SAFE_INTEGER, Number.MAX_SAFE_INTEGER]; 66 for (var i = 0; i < 1500; i++) { 67 var which = i % arr.length; 68 var idx = arr[which]; 69 assertEq(u8arr[idx], which < 2 ? 87 : undefined); 70 } 71 } 72 testDoubleIndexWeird(); 73 74 // Uses LCompare. 75 function testHasElement1() { 76 for (var i = 0; i < 1500; i++) { 77 var idx = (length - 500) + i; 78 assertEq(idx in u8arr, idx < length); 79 assertEq(-1 in u8arr, false); 80 assertEq(10737418240 in u8arr, false); 81 assertEq(0x7fff_ffff in u8arr, true); 82 assertEq(0xffff_ffff in u8arr, true); 83 } 84 } 85 testHasElement1(); 86 87 // Uses LCompareAndBranch. 88 function testHasElement2() { 89 for (var i = 0; i < 1500; i++) { 90 var idx = (length - 500) + i; 91 if (idx in u8arr) { 92 assertEq(idx < length, true); 93 } else { 94 assertEq(idx >= length, true); 95 } 96 var count = 0; 97 if (-1 in u8arr) { 98 count++; 99 } 100 if (10737418240 in u8arr) { 101 count++; 102 } 103 if (0x7fff_ffff in u8arr) { 104 } else { 105 count++; 106 } 107 if (0xffff_ffff in u8arr) { 108 } else { 109 count++; 110 } 111 assertEq(count, 0); 112 } 113 } 114 testHasElement2(); 115 } 116 test(new Uint8Array(ab)); // 7 GB 117 test(new Uint8Array(ab, 0, 4 * gb)); // 4 GB