1 files changed, 38 insertions, 0 deletions

diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-9017.js b/deps/v8/test/mjsunit/regress/wasm/regress-9017.js
new file mode 100644
index 0000000000..7a8930a146
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/wasm/regress-9017.js
@@ -0,0 +1,38 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --liftoff --nowasm-tier-up
+//
+// This test is intended to make Liftoff generate code that uses a very large
+// stack frame, and then try to call another function (which would write to the
+// stack pointer location). On Windows, large frames need extra code to touch
+// every page in order, because the OS only leaves a small guard area for the
+// stack, and trying to access past that area, even into memory that was
+// intentionally reserved for this thread's stack, will crash the program.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+
+var func_idx = builder.addFunction('helper', kSig_i_v)
+    .addLocals({i32_count: 1})
+    .addBody([
+        kExprI32Const, 0x01,
+    ]).index;
+
+var large_function_body = [];
+const num_temporaries = 16 * 1024;
+for (let i = 0; i < num_temporaries; ++i) {
+  large_function_body.push(kExprCallFunction, func_idx);
+}
+for (let i = 1; i < num_temporaries; ++i) {
+  large_function_body.push(kExprI32Add);
+}
+
+builder.addFunction('test', kSig_i_v)
+    .addBody(large_function_body)
+    .exportFunc();
+var module = builder.instantiate();
+
+assertEquals(num_temporaries, module.exports.test());