Bug 1499010: Add testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell
☠☠ backed out by 0289f2a3bdab ☠ ☠
authorIain Ireland <iireland@mozilla.com>
Mon, 22 Oct 2018 20:42:49 +0000
changeset 490818 d4cbc38654579d04aa00e04d0f676abf2066a8fe
parent 490817 bff46c89a68bebf27458b3f0aaa2715d6062c041
child 490819 926f4d264ac77e5e2d75a0f98259c647eb8b8874
push id247
push userfmarier@mozilla.com
push dateSat, 27 Oct 2018 01:06:44 +0000
reviewerstcampbell
bugs1499010
milestone65.0a1
Bug 1499010: Add testcase for AutoUnsafeCallWithABI recovery fuzz bugs r=tcampbell Differential Revision: https://phabricator.services.mozilla.com/D9381
js/src/jit-test/tests/ion/recover-autounsafe.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ion/recover-autounsafe.js
@@ -0,0 +1,36 @@
+// |jit-test| --ion-eager --ion-offthread-compile=off
+
+// Some AutoUnsafeCallWithABI functions can be reached via recovery instructions.
+// This testcase is designed to trigger all of the recovery paths that can reach
+// AutoUnsafeCallWithABI functions, while an exception is being thrown.
+
+(function() {
+    inputs = [];
+    f = (function(x) {
+	var o = {a: x};
+        4294967297 ** (x >>> 0) *
+	    4294967297 / x >>> 0 *
+	    4294967297 % x >>> 0 *
+	    Math.max(4294967297, x >>> 0) *
+	    Math.min(4294967, x >>> 0) *
+	    Math.atan2(4294967, x >>> 0) *
+	    Math.sin(x >>> 0) *
+	    Math.sqrt(x >>> 0) *
+	    Math.hypot(4294967, x >>> 0) *
+	    Math.ceil((x >>> 0) * 0.5) *
+	    Math.floor((x >>> 0) * 0.5) *
+	    Math.trunc((x >>> 0) * 0.5) *
+	    Math.round((x >>> 0) * 0.5) *
+	    Math.sign(x >>> 0) *
+	    Math.log(x >>> 0) *
+	    !o *
+            Math.fround(y); // Exception thrown here; y is not defined.
+    });
+    if (f) {
+        for (var j = 0; j < 2; ++j) {
+            try {
+                f(inputs[0]);
+            } catch (e) {}
+        }
+    }
+})();
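Review bot: The empty `catch (e) {}` around `f(inputs[0])` accepts any exception, so the test would still pass if a later edit made the expression throw before reaching `Math.fround(y)`, and the recovery paths it is meant to cover during unwinding would no longer all be hit. Pinning the expected error makes that visible: `} catch (e) { assertEq(e instanceof ReferenceError, true); }`. Separately, the second and third expression lines write `x >>> 0 *` without the parentheses used in `(x >>> 0)` on the first line. Because `>>>` binds looser than `*`, `/` and `%`, the whole chain from `0 *` onward becomes a shift count rather than a product of the `Math.*` results. If that shape is deliberate (for example, kept from the fuzzer reduction), a short comment such as `// Precedence is intentional: operands only need to be evaluated, not combined.` would stop a later cleanup from changing which instructions are recovered.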