| Index: test/mjsunit/regress/regress-bce-underflow.js
|
| diff --git a/test/mjsunit/regress/regress-bce-underflow.js b/test/mjsunit/regress/regress-bce-underflow.js
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..daa776005e7b5bcb165cd04f2c6abf226fc720b3
|
| --- /dev/null
|
| +++ b/test/mjsunit/regress/regress-bce-underflow.js
|
| @@ -0,0 +1,35 @@
|
| +// Copyright 2015 the V8 project authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +// Flags: --allow-natives-syntax
|
| +
|
| +function f(a, i, bool) {
|
| + var result;
|
| + if (bool) {
|
| + // Make sure i - -0x80000000 doesn't overflow in BCE, missing a check for
|
| + // x-0 later on.
|
| + result = f2(a, 0x7fffffff, i, i, -0x80000000);
|
| + } else {
|
| + result = f2(a, -3, 4, i, 0);
|
| + }
|
| + return result;
|
| +}
|
| +
|
| +function f2(a, c, x, i, d) {
|
| + return a[x + c] + a[x - 0] + a[i - d];
|
| +}
|
| +
|
| +
|
| +var a = [];
|
| +var i = 0;
|
| +a.push(i++);
|
| +a.push(i++);
|
| +a.push(i++);
|
| +a.push(i++);
|
| +a.push(i++);
|
| +f(a, 0, false);
|
| +f(a, 0, false);
|
| +f(a, 0, false);
|
| +%OptimizeFunctionOnNextCall(f);
|
| +%DebugPrint(f(a, -0x7fffffff, true));
|
|
|
Chromium Code Reviews
Issue 1023123003:
Ensure we don't overflow in BCE (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master