Bug 1499010: Add fixed testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell
authorIain Ireland <iireland@mozilla.com>
Tue, 23 Oct 2018 14:02:59 +0000
changeset 442561 2eb4c1dd70f144a84c0eb9e96f2db53b2860742b
parent 442560 7efdeaeffda83a4440e180fc46c40c36cd79decb
child 442562 ff3ed362e82fae365afc440ccc3b662bcfcd0435
child 442563 9f1638baff13835cc75e7feebf674b42544c6360
push id34913
push useraciure@mozilla.com
push dateTue, 23 Oct 2018 16:49:58 +0000
treeherdermozilla-central@ff3ed362e82f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstcampbell
bugs1499010
milestone65.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1499010: Add fixed testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell Differential Revision: https://phabricator.services.mozilla.com/D9445
js/src/jit-test/tests/ion/recover-autounsafe.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-autounsafe.js
@@ -0,0 +1,36 @@
+// |jit-test| --ion-eager; --ion-offthread-compile=off
+
+// Some AutoUnsafeCallWithABI functions can be reached via recovery instructions.
+// This testcase is designed to trigger all of the recovery paths that can reach
+// AutoUnsafeCallWithABI functions, while an exception is being thrown.
+
+(function() {
+    inputs = [];
+    f = (function(x) {
+	var o = {a: x};
+        4294967297 ** (x >>> 0) *
+	    4294967297 / x >>> 0 *
+	    4294967297 % x >>> 0 *
+	    Math.max(4294967297, x >>> 0) *
+	    Math.min(4294967, x >>> 0) *
+	    Math.atan2(4294967, x >>> 0) *
+	    Math.sin(x >>> 0) *
+	    Math.sqrt(x >>> 0) *
+	    Math.hypot(4294967, x >>> 0) *
+	    Math.ceil((x >>> 0) * 0.5) *
+	    Math.floor((x >>> 0) * 0.5) *
+	    Math.trunc((x >>> 0) * 0.5) *
+	    Math.round((x >>> 0) * 0.5) *
+	    Math.sign(x >>> 0) *
+	    Math.log(x >>> 0) *
+	    !o *
+            Math.fround(y); // Exception thrown here; y is not defined.
+    });
+    if (f) {
+        for (var j = 0; j < 2; ++j) {
+            try {
+                f(inputs[0]);
+            } catch (e) {}
+        }
+    }
+})();