resized-out-of-bounds-to-in-bounds-index-over-mailbox.js (764B)
1 // |jit-test| skip-if: helperThreadCount()===0 2 3 let gsab = new SharedArrayBuffer(3, {maxByteLength: 4}); 4 5 setSharedObject(gsab); 6 7 function worker(gsab) { 8 let ta = new Int8Array(gsab); 9 10 // Wait until `valueOf` is called. 11 while (Atomics.load(ta, 0) === 0); 12 13 // Now grow the buffer. 14 gsab.grow(4); 15 16 // Notify the buffer has been resized. 17 Atomics.store(ta, 1, 1); 18 } 19 20 evalInWorker(`(${worker})(getSharedObject());`); 21 22 let ta = new Int8Array(gsab); 23 24 let value = { 25 valueOf() { 26 // Notify we're in `valueOf()`. 27 Atomics.store(ta, 0, 1); 28 29 // Wait until buffer has been resized. 30 while (Atomics.load(ta, 1) === 0); 31 32 // Continue execution. 33 return 0; 34 } 35 }; 36 37 // Write into currently out-of-bounds, but later in-bounds index. 38 ta[3] = value;