Bug 1499010: Add fixed testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell
authorIain Ireland <iireland@mozilla.com>
Tue, 23 Oct 2018 14:02:59 +0000
changeset 490901 2eb4c1dd70f144a84c0eb9e96f2db53b2860742b
parent 490900 7efdeaeffda83a4440e180fc46c40c36cd79decb
child 490902 ff3ed362e82fae365afc440ccc3b662bcfcd0435
child 490930 9f1638baff13835cc75e7feebf674b42544c6360
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewerstcampbell
bugs1499010
milestone65.0a1
Bug 1499010: Add fixed testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell Differential Revision: https://phabricator.services.mozilla.com/D9445
js/src/jit-test/tests/ion/recover-autounsafe.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-autounsafe.js
@@ -0,0 +1,36 @@
+// |jit-test| --ion-eager; --ion-offthread-compile=off
+
+// Some AutoUnsafeCallWithABI functions can be reached via recovery instructions.
+// This testcase is designed to trigger all of the recovery paths that can reach
+// AutoUnsafeCallWithABI functions, while an exception is being thrown.
+
+(function() {
+    inputs = [];
+    f = (function(x) {
+	var o = {a: x};
+        4294967297 ** (x >>> 0) *
+	    4294967297 / x >>> 0 *
+	    4294967297 % x >>> 0 *
+	    Math.max(4294967297, x >>> 0) *
+	    Math.min(4294967, x >>> 0) *
+	    Math.atan2(4294967, x >>> 0) *
+	    Math.sin(x >>> 0) *
+	    Math.sqrt(x >>> 0) *
+	    Math.hypot(4294967, x >>> 0) *
+	    Math.ceil((x >>> 0) * 0.5) *
+	    Math.floor((x >>> 0) * 0.5) *
+	    Math.trunc((x >>> 0) * 0.5) *
+	    Math.round((x >>> 0) * 0.5) *
+	    Math.sign(x >>> 0) *
+	    Math.log(x >>> 0) *
+	    !o *
+            Math.fround(y); // Exception thrown here; y is not defined.
+    });
+    if (f) {
+        for (var j = 0; j < 2; ++j) {
+            try {
+                f(inputs[0]);
+            } catch (e) {}
+        }
+    }
+})();