From 4bffa48bd9e02f4dcec02af1904e419a4c116350 Mon Sep 17 00:00:00 2001
From: chenhantao <chenhantao3@huawei.com>
Date: Mon, 26 Feb 2024 20:17:38 +0800
Subject: [PATCH] getproperty put in slow path

Signed-off-by: chenhantao <chenhantao3@huawei.com>
Change-Id: I6b040060100dc81d4d3f67c4bf0f6a375e574800
---
 ecmascript/base/typed_array_helper-inl.h          | 12 ++++++++++++
 ecmascript/base/typed_array_helper.cpp            | 14 ++++++--------
 ecmascript/base/typed_array_helper.h              |  1 +
 ecmascript/builtins/builtins_typedarray.cpp       |  7 ++++++-
 ecmascript/object_operator.cpp                    |  4 ++++
 test/moduletest/typedarrayslice/expect_output.txt |  1 +
 test/moduletest/typedarrayslice/typearrayslice.js | 12 +++++++++++-
 7 files changed, 41 insertions(+), 10 deletions(-)

diff --git a/ecmascript/base/typed_array_helper-inl.h b/ecmascript/base/typed_array_helper-inl.h
index 4b5f35ada0..479a86a2e5 100644
--- a/ecmascript/base/typed_array_helper-inl.h
+++ b/ecmascript/base/typed_array_helper-inl.h
@@ -24,6 +24,7 @@
 #include "ecmascript/ecma_macros.h"
 #include "ecmascript/ecma_vm.h"
 #include "ecmascript/global_env.h"
+#include "ecmascript/ic/proto_change_details.h"
 #include "ecmascript/js_array_iterator.h"
 #include "ecmascript/js_arraybuffer.h"
 #include "ecmascript/js_hclass.h"
@@ -300,5 +301,16 @@ uint32_t TypedArrayHelper::GetSizeFromType(const DataViewType arrayType)
 
     return ElementSize::EIGHT;
 }
+
+bool TypedArrayHelper::IsAccessorHasChanged(const JSHandle<JSTaggedValue> &obj)
+{
+    if (obj->IsHeapObject()) {
+        JSTaggedValue markerValue = obj->GetTaggedObject()->GetClass()->GetProtoChangeMarker();
+        if (markerValue.IsProtoChangeMarker()) {
+            return ProtoChangeMarker::Cast(markerValue.GetTaggedObject())->GetAccessorHasChanged();
+        }
+    }
+    return false;
+}
 }  // namespace panda::ecmascript::base
 #endif  // ECMASCRIPT_BASE_TYPED_ARRAY_HELPER_INL_H
diff --git a/ecmascript/base/typed_array_helper.cpp b/ecmascript/base/typed_array_helper.cpp
index eee3b8d784..956e57be22 100644
--- a/ecmascript/base/typed_array_helper.cpp
+++ b/ecmascript/base/typed_array_helper.cpp
@@ -502,18 +502,13 @@ JSHandle<JSObject> TypedArrayHelper::TypedArraySpeciesCreate(JSThread *thread, c
     JSHandle<JSTaggedValue> defaultConstructor =
         TypedArrayHelper::GetConstructor(thread, JSHandle<JSTaggedValue>(obj));
     JSHandle<GlobalEnv> env = thread->GetEcmaVM()->GetGlobalEnv();
-    JSHandle<JSTaggedValue> key = thread->GlobalConstants()->GetHandledConstructorString();
-    JSHandle<JSTaggedValue> objConstructor =
-        JSObject::GetProperty(thread, JSHandle<JSTaggedValue>(obj), key, JSHandle<JSTaggedValue>(obj)).GetValue();
     JSHandle<JSObject> result;
     JSHandle<JSTaggedValue> proto(thread, obj->GetJSHClass()->GetPrototype());
-    bool ctrVali = objConstructor->IsUndefined();
-    bool isJSTypedArr = proto->IsJSTypedArray();
     bool isCtrUnchanged = PropertyDetector::IsTypedArraySpeciesProtectDetectorValid(env) &&
-        !objConstructor->IsClassConstructor();
+        !TypedArrayHelper::IsAccessorHasChanged(proto) &&
+        !obj->GetJSHClass()->HasConstructor();
     bool isCtrBylen = buffHandle->IsInt();
-    bool isCtrObj = objConstructor->IsECMAObject();
-    if (ctrVali || (isJSTypedArr && isCtrUnchanged && isCtrBylen && isCtrObj)) {
+    if (isCtrUnchanged && isCtrBylen) {
         JSType type = obj->GetJSHClass()->GetObjectType();
         DataViewType arrayType = GetType(type);
         uint32_t length = buffHandle->GetInt();
@@ -523,6 +518,9 @@ JSHandle<JSObject> TypedArrayHelper::TypedArraySpeciesCreate(JSThread *thread, c
                                                       defaultConstructor, length, arrayType);
         RETURN_VALUE_IF_ABRUPT_COMPLETION(thread, JSHandle<JSObject>(thread, JSTaggedValue::Exception()));
     } else {
+        JSHandle<JSTaggedValue> key = thread->GlobalConstants()->GetHandledConstructorString();
+        JSHandle<JSTaggedValue> objConstructor =
+        JSObject::GetProperty(thread, JSHandle<JSTaggedValue>(obj), key, JSHandle<JSTaggedValue>(obj)).GetValue();
         // 3. Let constructor be ? SpeciesConstructor(exemplar, defaultConstructor).
         JSHandle<JSTaggedValue> thisConstructor =
             JSObject::SlowSpeciesConstructor(thread, objConstructor, defaultConstructor);
diff --git a/ecmascript/base/typed_array_helper.h b/ecmascript/base/typed_array_helper.h
index 5cb0a89917..87d8211cf9 100644
--- a/ecmascript/base/typed_array_helper.h
+++ b/ecmascript/base/typed_array_helper.h
@@ -60,6 +60,7 @@ public:
     inline static JSHandle<JSHClass> GetNotOnHeapHclassFromType(
         JSThread *thread, const JSHandle<JSTypedArray> &obj, const DataViewType arrayType);
     inline static uint32_t GetSizeFromType(const DataViewType arrayType);
+    inline static bool IsAccessorHasChanged(const JSHandle<JSTaggedValue> &obj);
     static int32_t SortCompare(JSThread *thread, const JSHandle<JSTaggedValue> &callbackfnHandle,
                                const JSHandle<JSTaggedValue> &buffer, const JSHandle<JSTaggedValue> &firstValue,
                                const JSHandle<JSTaggedValue> &secondValue);
diff --git a/ecmascript/builtins/builtins_typedarray.cpp b/ecmascript/builtins/builtins_typedarray.cpp
index 5e7a6bc5d1..54c57104e4 100644
--- a/ecmascript/builtins/builtins_typedarray.cpp
+++ b/ecmascript/builtins/builtins_typedarray.cpp
@@ -1420,7 +1420,12 @@ JSTaggedValue BuiltinsTypedArray::Slice(EcmaRuntimeCallInfo *argv)
         //     iv. Increase targetByteIndex by 1.
         uint8_t *srcBuf = (uint8_t *)BuiltinsArrayBuffer::GetDataPointFromBuffer(srcBuffer, srcByteIndex);
         uint8_t *targetBuf = (uint8_t *)BuiltinsArrayBuffer::GetDataPointFromBuffer(targetBuffer, targetByteIndex);
-        while (count--) {
+        if (srcBuffer != targetBuffer && memmove_s(
+            targetBuf, elementSize * count, srcBuf, elementSize * count) != EOK) {
+            LOG_FULL(FATAL) << "memcpy_s failed";
+            UNREACHABLE();
+        }
+        while (srcBuffer == targetBuffer && count--) {
             if (memcpy_s(targetBuf, elementSize, srcBuf, elementSize) != EOK) {
                 LOG_FULL(FATAL) << "memcpy_s failed";
                 UNREACHABLE();
diff --git a/ecmascript/object_operator.cpp b/ecmascript/object_operator.cpp
index 689f973c15..e4641f33b2 100644
--- a/ecmascript/object_operator.cpp
+++ b/ecmascript/object_operator.cpp
@@ -824,6 +824,10 @@ bool ObjectOperator::WriteDataProperty(const JSHandle<JSObject> &receiver, const
         bool success = UpdateValueAndDetails(receiver, value, attr, attrChanged);
         if (success) {
             JSHandle<JSObject> obj(receiver);
+            if (obj->GetJSHClass()->IsPrototype()) {
+                JSHandle<ProtoChangeMarker> markerHandle = thread_->GetEcmaVM()->GetFactory()->NewProtoChangeMarker();
+                obj->GetJSHClass()->SetProtoChangeMarker(thread_, markerHandle.GetTaggedValue());
+            }
             JSHClass::NotifyAccessorChanged(thread_, JSHandle<JSHClass>(thread_, obj->GetJSHClass()));
         }
         return success;
diff --git a/test/moduletest/typedarrayslice/expect_output.txt b/test/moduletest/typedarrayslice/expect_output.txt
index a35a1e4000..1bc9366881 100644
--- a/test/moduletest/typedarrayslice/expect_output.txt
+++ b/test/moduletest/typedarrayslice/expect_output.txt
@@ -21,3 +21,4 @@
 7
 8
 0
+1
diff --git a/test/moduletest/typedarrayslice/typearrayslice.js b/test/moduletest/typedarrayslice/typearrayslice.js
index 5e1690b009..6710f650bb 100644
--- a/test/moduletest/typedarrayslice/typearrayslice.js
+++ b/test/moduletest/typedarrayslice/typearrayslice.js
@@ -42,4 +42,14 @@ class Array1 extends Int8Array {
     }
 }
 const a = new Array1(1, 2, 3);
-print(a.slice(0, 1));
\ No newline at end of file
+print(a.slice(0, 1));
+
+var sample = new BigInt64Array([40n, 41n, 42n, 43n]);
+var calls = 0;
+Object.defineProperty(BigInt64Array.prototype, "constructor", {
+  get: function() {
+    calls++;
+  }
+});
+sample.slice();
+print(calls);
\ No newline at end of file