[AOT Fuzz] Fix the heap object judgment in TypedCallCheck

If an abnormal (non-heap-object) value is passed in as the call target, deoptimization
should be triggered immediately, before its method is read.

https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I9THNI

Signed-off-by: dingding <dingding5@huawei.com>
Change-Id: I83f1211a102b8923ab93f9682f31f118605a96c0
dingding 2024-05-30 15:49:54 +08:00
parent b35b6b80f4
commit 86c87cd42d
3 changed files with 23 additions and 15 deletions


@ -1465,10 +1465,10 @@ void TypedHCRLowering::LowerJSCallTargetTypeCheck(GateRef gate)
GateRef constpool = argAcc.GetFrameArgsIn(frameState, FrameArgIdx::CONST_POOL);
auto func = acc_.GetValueIn(gate, 0);
auto methodIndex = acc_.GetValueIn(gate, 1);
GateRef isObj = builder_.TaggedIsHeapObject(func);
builder_.HeapObjectCheck(func, frameState);
GateRef funcMethodTarget = builder_.GetMethodFromFunction(func);
GateRef methodTarget = builder_.GetValueFromTaggedArray(constpool, methodIndex);
GateRef check = builder_.BoolAnd(isObj, builder_.Equal(funcMethodTarget, methodTarget));
GateRef check = builder_.Equal(funcMethodTarget, methodTarget);
builder_.DeoptCheck(check, frameState, DeoptType::NOTJSCALLTGT2);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
@ -1481,10 +1481,10 @@ void TypedHCRLowering::LowerJSFastCallTargetTypeCheck(GateRef gate)
GateRef constpool = argAcc.GetFrameArgsIn(frameState, FrameArgIdx::CONST_POOL);
auto func = acc_.GetValueIn(gate, 0);
auto methodIndex = acc_.GetValueIn(gate, 1);
GateRef isObj = builder_.TaggedIsHeapObject(func);
builder_.HeapObjectCheck(func, frameState);
GateRef funcMethodTarget = builder_.GetMethodFromFunction(func);
GateRef methodTarget = builder_.GetValueFromTaggedArray(constpool, methodIndex);
GateRef check = builder_.BoolAnd(isObj, builder_.Equal(funcMethodTarget, methodTarget));
GateRef check = builder_.Equal(funcMethodTarget, methodTarget);
builder_.DeoptCheck(check, frameState, DeoptType::NOTJSFASTCALLTGT1);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
@ -1504,9 +1504,9 @@ void TypedHCRLowering::LowerJSNoGCCallThisTargetTypeCheck(GateRef gate)
Environment env(gate, circuit_, &builder_);
GateRef frameState = GetFrameState(gate);
auto func = acc_.GetValueIn(gate, 0);
GateRef isObj = builder_.TaggedIsHeapObject(func);
builder_.HeapObjectCheck(func, frameState);
GateRef methodId = builder_.GetMethodId(func);
GateRef check = builder_.BoolAnd(isObj, builder_.Equal(methodId, acc_.GetValueIn(gate, 1)));
GateRef check = builder_.Equal(methodId, acc_.GetValueIn(gate, 1));
builder_.DeoptCheck(check, frameState, DeoptType::NOTJSCALLTGT4);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
@ -1526,9 +1526,9 @@ void TypedHCRLowering::LowerJSNoGCFastCallThisTargetTypeCheck(GateRef gate)
Environment env(gate, circuit_, &builder_);
GateRef frameState = GetFrameState(gate);
auto func = acc_.GetValueIn(gate, 0);
GateRef isObj = builder_.TaggedIsHeapObject(func);
builder_.HeapObjectCheck(func, frameState);
GateRef methodId = builder_.GetMethodId(func);
GateRef check = builder_.BoolAnd(isObj, builder_.Equal(methodId, acc_.GetValueIn(gate, 1)));
GateRef check = builder_.Equal(methodId, acc_.GetValueIn(gate, 1));
builder_.DeoptCheck(check, frameState, DeoptType::NOTJSFASTCALLTGT3);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
@ -1538,10 +1538,9 @@ void TypedHCRLowering::LowerJSNewObjRangeCallTargetCheck(GateRef gate)
Environment env(gate, circuit_, &builder_);
GateRef frameState = GetFrameState(gate);
auto ctor = acc_.GetValueIn(gate, 0);
GateRef isObj = builder_.TaggedIsHeapObject(ctor);
builder_.HeapObjectCheck(ctor, frameState);
GateRef isJsFunc = builder_.IsJSFunction(ctor);
GateRef check = builder_.BoolAnd(isObj, isJsFunc);
builder_.DeoptCheck(check, frameState, DeoptType::NOTJSNEWCALLTGT);
builder_.DeoptCheck(isJsFunc, frameState, DeoptType::NOTJSNEWCALLTGT);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
@ -1563,11 +1562,10 @@ void TypedHCRLowering::LowerJSInlineTargetTypeCheck(GateRef gate)
Environment env(gate, circuit_, &builder_);
GateRef frameState = GetFrameState(gate);
auto func = acc_.GetValueIn(gate, 0);
GateRef isObj = builder_.TaggedIsHeapObject(func);
builder_.HeapObjectCheck(func, frameState);
GateRef isJsFunc = builder_.IsJSFunction(func);
GateRef checkFunc = builder_.BoolAnd(isObj, isJsFunc);
GateRef GetMethodId = builder_.GetMethodId(func);
GateRef check = builder_.BoolAnd(checkFunc, builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1)));
GateRef check = builder_.BoolAnd(isJsFunc, builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1)));
builder_.DeoptCheck(check, frameState, DeoptType::INLINEFAIL1);
acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
}
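Review bot: LowerJSInlineTargetTypeCheck (last hunk) still folds `isJsFunc` into a `BoolAnd` with the method-id comparison, so `builder_.GetMethodId(func)` is evaluated for every heap object, including ones that are not JSFunctions, before the single `DeoptCheck` runs — the same evaluate-then-check ordering this commit removes for the heap-object tag test in all six hunks. Making the function-kind test its own guard, `builder_.DeoptCheck(isJsFunc, frameState, DeoptType::INLINEFAIL1);` placed before `GateRef GetMethodId = builder_.GetMethodId(func);`, followed by `builder_.DeoptCheck(builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1)), frameState, DeoptType::INLINEFAIL1);`, would mirror what `HeapObjectCheck` now does for the tag test. Whether reading the method field of a non-JSFunction heap object can actually fault depends on how `GetMethodId` is lowered, which is outside this diff, so treat this as a consistency point unless that load is unsafe. Likewise LowerJSCallTargetTypeCheck, LowerJSFastCallTargetTypeCheck and the two NoGC variants read the method from `func` with no `IsJSFunction` test at all; presumably the method/method-id equality then fails and deopts for anything else, but it is still a read through an unverified object layout. All six functions begin before their hunk, so the `Environment`/frameState setup and any earlier guards are not visible here.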


@ -208,4 +208,13 @@ function fooo(a, b, ...args) {
fooo(1);
fooo(1, 2);
fooo(1, 2, 3);
fooo(1, 2, 3, 4, 5);
fooo(1, 2, 3, 4, 5);
async function f206(a207, a208, a209) {
let v210;
try {v210 = a208(a207, a209, 2); } catch (e) { print(e instanceof TypeError) }
await v210;
return v210;
}
// @ts-ignore
f206(1, f206);
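Review bot: The new regression case only drives the call site with `undefined` as the callee (the second, recursive invocation of `f206` receives `a208 === undefined`), so of the "abnormal function object" cases the commit targets, a primitive such as a number and a non-function heap object are not exercised. Adding `f206(1, 1);` and `f206(1, {});` after the existing call, with a matching `true` line each in the expected-output file, would cover the Smi and plain-object paths at the same site. The repeated `fooo(1, 2, 3, 4, 5);` above appears to duplicate the previous line; if that repetition is intentional (e.g. to warm the call site), a one-line comment saying so would stop a later cleanup from dropping it.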


@ -93,3 +93,4 @@ C
9
10
undefined
true