openharmony/arkcompiler_ets_runtime
1
0
Fork 0
mirror of https://gitee.com/openharmony/arkcompiler_ets_runtime synced 2024-11-23 10:09:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix fuzzffer crash in plainarray and stack

Browse Source 
Fix fuzzffer crash in plainarray and stack

Issue:           https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IALHUM
Signed-off-by: yulicheng <chengyuli1@huawei.com>
This commit is contained in:
YuliCheng 2024-08-21 10:05:33 +08:00
parent 36b5848ead
commit b1aba06966
10 changed files with 38 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ecmascript/containers/containers_arraylist.cpp
View File

@ -87,7 +87,8 @@ JSTaggedValue ContainersArrayList::Insert(EcmaRuntimeCallInfo *argv)
JSHandle<JSTaggedValue> value = GetCallArg(argv, 0);
JSHandle<JSTaggedValue> index = GetCallArg(argv, 1);
if (index->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
index = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(index->GetDouble()));
}
if (!index->IsInt()) {

3
ecmascript/js_api/js_api_arraylist.cpp
View File

@ -456,7 +456,8 @@ OperationResult JSAPIArrayList::GetProperty(JSThread *thread, const JSHandle<JSA
int length = obj->GetLength().GetInt();
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

3
ecmascript/js_api/js_api_deque.cpp
View File

@ -287,7 +287,8 @@ OperationResult JSAPIDeque::GetProperty(JSThread *thread, const JSHandle<JSAPIDe
}
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

3
ecmascript/js_api/js_api_linked_list.cpp
View File

@ -272,7 +272,8 @@ OperationResult JSAPILinkedList::GetProperty(JSThread *thread, const JSHandle<JS
int nodeLength = doubleList->Length();
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

3
ecmascript/js_api/js_api_list.cpp
View File

@ -285,7 +285,8 @@ OperationResult JSAPIList::GetProperty(JSThread *thread, const JSHandle<JSAPILis
int nodeLength = singleList->Length();
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
/* Double variables like the form of Math.floor(1) are processed as TaggedInt,
while integers greater than INT32_MAX are still TaggedDouble */
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

14
ecmascript/js_api/js_api_plain_array.cpp
View File

@ -228,7 +228,8 @@ OperationResult JSAPIPlainArray::GetProperty(JSThread *thread, const JSHandle<JS
}
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {
@ -260,7 +261,16 @@ bool JSAPIPlainArray::SetProperty(JSThread *thread, const JSHandle<JSAPIPlainArr
{
TaggedArray *keyArray = TaggedArray::Cast(obj->GetKeys().GetTaggedObject());
uint32_t size = obj->GetLength();
int32_t index = obj->BinarySearch(keyArray, 0, size, key.GetTaggedValue().GetInt());
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {
return false;
}
int32_t index = obj->BinarySearch(keyArray, 0, size, indexKey->GetInt());
if (index < 0 || index >= static_cast<int32_t>(size)) {
return false;
}

3
ecmascript/js_api/js_api_queue.cpp
View File

@ -228,7 +228,8 @@ OperationResult JSAPIQueue::GetProperty(JSThread *thread, const JSHandle<JSAPIQu
int32_t length = static_cast<int32_t>(obj->GetSize());
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

7
ecmascript/js_api/js_api_stack.cpp
View File

@ -105,6 +105,10 @@ JSTaggedValue JSAPIStack::Get(const uint32_t index)
JSTaggedValue JSAPIStack::Set(JSThread *thread, const uint32_t index, JSTaggedValue value)
{
uint32_t length = GetSize() + 1;
if (index >= length) {
return JSTaggedValue::Undefined();
}
TaggedArray *elements = TaggedArray::Cast(GetElements().GetTaggedObject());
elements->Set(thread, index, value);
return JSTaggedValue::Undefined();
@ -176,7 +180,8 @@ OperationResult JSAPIStack::GetProperty(JSThread *thread, const JSHandle<JSAPISt
}
JSHandle<JSTaggedValue> indexKey = key;
if (indexKey->IsDouble()) {
/* 将Math.floor(1)等形式的double变量处理为Int而大于INT32_MAX的整数仍然是double形式 */
// Math.floor(1) will produce TaggedDouble, we need to cast into TaggedInt
// For integer which is greater than INT32_MAX, it will remain TaggedDouble
indexKey = JSHandle<JSTaggedValue>(thread, JSTaggedValue::TryCastDoubleToInt32(indexKey->GetDouble()));
}
if (!indexKey->IsInt()) {

2
ecmascript/tests/js_api_plain_array_test.cpp
View File

@ -315,5 +315,7 @@ HWTEST_F_L0(JSAPIPlainArrayTest, SetProperty)
EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key, value));
JSHandle<JSTaggedValue> key1(thread, JSTaggedValue(elementsNums));
EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key1, value));
JSHandle<JSTaggedValue> key2(thread, JSTaggedValue(int64_t(-9007199254740992))); // Out-of-Bounds test
EXPECT_FALSE(JSAPIPlainArray::SetProperty(thread, plainArray, key1, value));
}
} // namespace panda::test

6
ecmascript/tests/js_api_stack_test.cpp
View File

@ -227,6 +227,12 @@ HWTEST_F_L0(JSAPIStackTest, SetProperty)
{
JSHandle<JSAPIStack> toor(thread, CreateStack());
uint32_t elementsNums = 8;
{
JSHandle<JSTaggedValue> key(thread, JSTaggedValue(-1));
JSHandle<JSTaggedValue> value(thread, JSTaggedValue(-1));
EXPECT_EQ(JSTaggedValue::Undefined(), // when length = -1, return Undefine() instead of assert error
toor->Set(thread, key->GetInt(), value.GetTaggedValue()));
}
for (uint32_t i = 0; i < elementsNums; i++) {
JSHandle<JSTaggedValue> value(thread, JSTaggedValue(i));
JSAPIStack::Push(thread, toor, value);