fix: 8 bit ic slot may exceed profiletypeinfo's length

Signed-off-by: Like <zhenglike@huawei.com> Change-Id: I7124eacabeb4262abcabf5362ff5ffe3b6b3d0f6
2024-11-23 10:09:54 +00:00 · 2024-02-29 11:25:31 +08:00 · 2024-02-29 11:25:31 +08:00 · 2aa1e18601
commit 2aa1e18601
parent 1bb65be932
7 changed files with 225 additions and 0 deletions
--- a/ecmascript/ic/profile_type_info.cpp
+++ b/ecmascript/ic/profile_type_info.cpp
@ -22,6 +22,10 @@
 namespace panda::ecmascript {
 void ProfileTypeAccessor::AddElementHandler(JSHandle<JSTaggedValue> hclass, JSHandle<JSTaggedValue> handler) const
 {
+    if (!IsICSlotValid()) {
+        return;
+    }
+
    auto profileData = profileTypeInfo_->Get(slotId_);
    ASSERT(!profileData.IsHole());
    auto index = slotId_;
@ -41,6 +45,10 @@ void ProfileTypeAccessor::AddElementHandler(JSHandle<JSTaggedValue> hclass, JSHa

 void ProfileTypeAccessor::AddHandlerWithoutKey(JSHandle<JSTaggedValue> hclass, JSHandle<JSTaggedValue> handler) const
 {
+    if (!IsICSlotValid()) {
+        return;
+    }
+
    auto index = slotId_;
    if (IsNamedGlobalIC(GetKind())) {
        profileTypeInfo_->Set(thread_, index, handler.GetTaggedValue());
@ -92,6 +100,10 @@ void ProfileTypeAccessor::AddHandlerWithoutKey(JSHandle<JSTaggedValue> hclass, J
 void ProfileTypeAccessor::AddHandlerWithKey(JSHandle<JSTaggedValue> key, JSHandle<JSTaggedValue> hclass,
                                            JSHandle<JSTaggedValue> handler) const
 {
+    if (!IsICSlotValid()) {
+        return;
+    }
+
    if (IsValueGlobalIC(GetKind())) {
        AddGlobalHandlerKey(key, handler);
        return;
@ -150,6 +162,10 @@ void ProfileTypeAccessor::AddHandlerWithKey(JSHandle<JSTaggedValue> key, JSHandl

 void ProfileTypeAccessor::AddGlobalHandlerKey(JSHandle<JSTaggedValue> key, JSHandle<JSTaggedValue> handler) const
 {
+    if (!IsICSlotValid()) {
+        return;
+    }
+
    auto index = slotId_;
    const uint8_t step = 2;  // key and value pair
    JSTaggedValue indexVal = profileTypeInfo_->Get(index);
@ -188,6 +204,10 @@ void ProfileTypeAccessor::AddGlobalRecordHandler(JSHandle<JSTaggedValue> handler

 void ProfileTypeAccessor::SetAsMega() const
 {
+    if (!IsICSlotValid()) {
+        return;
+    }
+
    profileTypeInfo_->Set(thread_, slotId_, JSTaggedValue::Hole());
    profileTypeInfo_->Set(thread_, slotId_ + 1, JSTaggedValue::Hole());
 }
@ -242,6 +262,10 @@ std::string ProfileTypeAccessor::ICStateToString(ProfileTypeAccessor::ICState st

 ProfileTypeAccessor::ICState ProfileTypeAccessor::GetICState() const
 {
+    if (!IsICSlotValid()) {
+        return ICState::UNINIT;
+    }
+
    auto profileData = profileTypeInfo_->Get(slotId_);
    if (profileData.IsUndefined()) {
        return ICState::UNINIT;
--- a/ecmascript/ic/profile_type_info.h
+++ b/ecmascript/ic/profile_type_info.h
@ -239,6 +239,11 @@ public:
        return kind_;
    }

+    bool IsICSlotValid() const
+    {
+        return slotId_ + 1 < profileTypeInfo_->GetLength(); // slotId_ + 1 need to be valid
+    }
+
 private:
    JSThread* thread_;
    JSHandle<ProfileTypeInfo> profileTypeInfo_;
--- a/test/aottest/BUILD.gn
+++ b/test/aottest/BUILD.gn
@ -31,6 +31,7 @@ group("ark_aot_js_test") {
    "js_string_add",
    "regressioncase",
    "definefieldbyname",
+    "definefieldbyname2",
  ]

  deps = []
--- a/test/aottest/definefieldbyname2/BUILD.gn
+++ b/test/aottest/definefieldbyname2/BUILD.gn
@ -0,0 +1,19 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//arkcompiler/ets_runtime/test/test_helper.gni")
+
+host_aot_js_test_action("definefieldbyname2") {
+  deps = []
+  is_enable_pgo = true
+}
--- a/test/aottest/definefieldbyname2/definefieldbyname2.js
+++ b/test/aottest/definefieldbyname2/definefieldbyname2.js
@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+class A {
+	a = -1;
+	b = 2;
+	c = 3;
+	d = 4;
+	e = 5;
+	f = 6;
+	g = 7;
+	h = 8;
+	i = 9;
+	j = 10;
+	k = 11;
+	l = 12;
+	m = 13;
+	n = 14;
+	o = 15;
+	p = 16;
+	q = 17;
+	r = 18;
+	s = 19;
+	t = 20;
+	u = 21;
+	v = 22;
+	w = 23;
+	x = 24;
+	y = 25;
+	z = 26;
+	a1 = 1;
+	b1 = 2;
+	c1 = 3;
+	d1 = 4;
+	e1 = 5;
+	f1 = 6;
+	g1 = 7;
+	h1 = 8;
+	i1 = 9;
+	j1 = 10;
+	k1 = 11;
+	l1 = 12;
+	m1 = 13;
+	n1 = 14;
+	o1 = 15;
+	p1 = 16;
+	q1 = 17;
+	r1 = 18;
+	s1 = 19;
+	t1 = 20;
+	u1 = 21;
+	v1 = 22;
+	w1 = 23;
+	x1 = 24;
+	y1 = 25;
+	z1 = 26;
+	a2 = 1;
+	b2 = 2;
+	c2 = 3;
+	d2 = 4;
+	e2 = 5;
+	f2 = 6;
+	g2 = 7;
+	h2 = 8;
+	i2 = 9;
+	j2 = 10;
+	k2 = 11;
+	l2 = 12;
+	m2 = 13;
+	n2 = 14;
+	o2 = 15;
+	p2 = 16;
+	q2 = 17;
+	r2 = 18;
+	s2 = 19;
+	t2 = 20;
+	u2 = 21;
+	v2 = 22;
+	w2 = 23;
+	x2 = 24;
+	y2 = 25;
+	z2 = 26;
+	a3 = 1;
+	b3 = 2;
+	c3 = 3;
+	d3 = 4;
+	e3 = 5;
+	f3 = 6;
+	g3 = 7;
+	h3 = 8;
+	i3 = 9;
+	j3 = 10;
+	k3 = 11;
+	l3 = 12;
+	m3 = 13;
+	n3 = 14;
+	o3 = 15;
+	p3 = 16;
+	q3 = 17;
+	r3 = 18;
+	s3 = 19;
+	t3 = 20;
+	u3 = 21;
+	v3 = 22;
+	w3 = 23;
+	x3 = 24;
+	y3 = 25;
+	z3 = 26;
+	a4 = 1;
+	b4 = 2;
+	c4 = 3;
+	d4 = 4;
+	e4 = 5;
+	f4 = 6;
+	g4 = 7;
+	h4 = 8;
+	i4 = 9;
+	j4 = 10;
+	k4 = 11;
+	l4 = 12;
+	m4 = 13;
+	n4 = 14;
+	o4 = 15;
+	p4 = 16;
+	q4 = 17;
+	r4 = 18;
+	s4 = 19;
+	t4 = 20;
+	u4 = 21;
+	v4 = 22;
+	w4 = 23;
+	x4 = 24;
+	y4 = 25;
+	z4 = 26;
+}
+const a = new A();
+print(a.a);
--- a/test/aottest/definefieldbyname2/expect_output.txt
+++ b/test/aottest/definefieldbyname2/expect_output.txt
@ -0,0 +1,14 @@
+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+-1
--- a/test/aottest/definefieldbyname2/pgo_expect_output.txt
+++ b/test/aottest/definefieldbyname2/pgo_expect_output.txt
@ -0,0 +1,14 @@
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+-1