Fix AOT RuntimeOptCopyRestArgs

The variable actualRestNum in RuntimeOptCopyRestArgs computed mistakely and may out of uint32_t range. The Bug causes the startup of cocos application crash with OOM error. Add minimal regression test case. Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I6NAWN Signed-off-by: dingding <dingding5@huawei.com> Change-Id: Ie7118a9cc83514e9e0c23c5c6c2bed53dd53c1c2
2024-10-07 16:13:49 +00:00 · 2023-03-15 14:19:18 +08:00 · 2023-03-15 14:19:18 +08:00 · 67791cca8f
commit 67791cca8f
parent abed55fff0
3 changed files with 11 additions and 1 deletions
--- a/ecmascript/stubs/runtime_stubs-inl.h
+++ b/ecmascript/stubs/runtime_stubs-inl.h
@ -2236,7 +2236,7 @@ JSTaggedValue RuntimeStubs::RuntimeOptCopyRestArgs(JSThread *thread, uint32_t ac
 {
    // when only have three fixed args, restIndex in bytecode maybe not zero, but it actually should be zero.
    uint32_t actualRestNum = 0;
-    if (actualArgc > NUM_MANDATORY_JSFUNC_ARGS) {
+    if (actualArgc > NUM_MANDATORY_JSFUNC_ARGS + restIndex) {
        actualRestNum = actualArgc - NUM_MANDATORY_JSFUNC_ARGS - restIndex;
    }
    JSHandle<JSTaggedValue> restArray = JSArray::ArrayCreate(thread, JSTaggedNumber(actualRestNum));
--- a/test/aottest/copyrestargs/copyrestargs.ts
+++ b/test/aottest/copyrestargs/copyrestargs.ts
@ -22,3 +22,12 @@ function f(a:any,...A:any) {

 f(1, 2, 3);
 f(1, "success", "fail");
+
+// The following test cases have exposed a bug: the variable actualRestNum in RuntimeOptCopyRestArgs
+// computed mistakely and may out of uint32_t range.
+function foo(x: number, y?: number, ...restArgs: number[]):void {
+    let arr = [...restArgs];
+    print(arr.length);
+}
+
+foo(1);
--- a/test/aottest/copyrestargs/expect_output.txt
+++ b/test/aottest/copyrestargs/expect_output.txt
@ -15,3 +15,4 @@
 3
 success
 fail
+0