[fuzz] 一些Fuzz问题修复

Issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IAD1LQ Description:1.Fix elements kind assert fail when array's hclass changed; 2.delete unused assert Signed-off-by: zhangyinlu <zhangyinlu@huawei.com> Change-Id: Ie9b14f69d179165d7f41d6de9eb0f4a03897cdf4
2024-11-27 04:00:37 +00:00 · 2024-07-15 15:36:43 +08:00 · 2024-07-15 15:36:43 +08:00 · c97dd0248d
commit c97dd0248d
parent 5a19f524cd
13 changed files with 77 additions and 8 deletions
--- a/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp
+++ b/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp
@ -882,9 +882,9 @@ void BuiltinsTypedArrayStubBuilder::CopyWithin(GateRef glue, GateRef thisValue,
    Label isHeapObject(env);
    Label defaultConstr(env);
    Label typedArray(env);
-    GateRef jsType = GetObjectType(LoadHClass(thisValue));
    BRANCH(TaggedIsHeapObject(thisValue), &isHeapObject, slowPath);
    Bind(&isHeapObject);
+    GateRef jsType = GetObjectType(LoadHClass(thisValue));
    BRANCH(IsFastTypeArray(jsType), &typedArray, slowPath);
    Bind(&typedArray);
    BRANCH(HasConstructor(thisValue), slowPath, &defaultConstr);
--- a/ecmascript/compiler/circuit_builder.h
+++ b/ecmascript/compiler/circuit_builder.h
@ -797,6 +797,7 @@ public:
    GateRef ArrayPop(GateRef thisValue, GateRef frameState);
    GateRef ArraySlice(GateRef thisValue, GateRef startIndex, GateRef endIndex, GateRef frameState);
    GateRef ToNumber(GateRef gate, GateRef value, GateRef glue);
+    GateRef StringToNumber(GateRef gate, GateRef value, GateRef radix, GateRef glue);
    GateRef IsASCIICharacter(GateRef gate);

    // for in
@ -853,6 +854,7 @@ public:
    inline GateRef Int64ToBigEndianInt64(GateRef x);
    inline GateRef GetInt64OfTInt(GateRef x);
    inline GateRef GetInt32OfTInt(GateRef x);
+    inline GateRef GetInt32OfTNumber(GateRef x);
    inline GateRef TaggedCastToIntPtr(GateRef x);
    inline GateRef GetDoubleOfTInt(GateRef x);
    inline GateRef GetDoubleOfTDouble(GateRef x);
--- a/ecmascript/compiler/lcr_circuit_builder.h
+++ b/ecmascript/compiler/lcr_circuit_builder.h
@ -160,6 +160,31 @@ GateRef CircuitBuilder::GetInt32OfTInt(GateRef x)
    return TruncInt64ToInt32(tagged);
 }

+GateRef CircuitBuilder::GetInt32OfTNumber(GateRef x)
+{
+    Label subentry(env_);
+    SubCfgEntry(&subentry);
+    Label isInt(env_);
+    Label isDouble(env_);
+    Label exit(env_);
+    DEFVALUE(result, env_, VariableType::INT32(), Int32(0));
+    BRANCH_CIR2(TaggedIsInt(x), &isInt, &isDouble);
+    Bind(&isInt);
+    {
+        result = GetInt32OfTInt(x);
+        Jump(&exit);
+    }
+    Bind(&isDouble);
+    {
+        result = DoubleCheckINFInRangeInt32(GetDoubleOfTDouble(x));
+        Jump(&exit);
+    }
+    Bind(&exit);
+    GateRef ret = *result;
+    SubCfgExit();
+    return ret;
+}
+
 GateRef CircuitBuilder::TaggedCastToIntPtr(GateRef x)
 {
    return env_->Is32Bit() ? GetInt32OfTInt(x) : GetInt64OfTInt(x);
--- a/ecmascript/compiler/mcr_circuit_builder.cpp
+++ b/ecmascript/compiler/mcr_circuit_builder.cpp
@ -1682,6 +1682,11 @@ GateRef CircuitBuilder::ToNumber(GateRef gate, GateRef value, GateRef glue)
    return ret;
 }

+GateRef CircuitBuilder::StringToNumber(GateRef gate, GateRef value, GateRef radix, GateRef glue)
+{
+    return CallNGCRuntime(glue, RTSTUB_ID(StringToNumber), Gate::InvalidGateRef, { value, radix }, gate);
+}
+
 GateRef CircuitBuilder::BuildControlDependOp(const GateMetaData* op, std::vector<GateRef> args,
                                             std::vector<GateRef> frameStates)
 {
--- a/ecmascript/compiler/number_speculative_retype.cpp
+++ b/ecmascript/compiler/number_speculative_retype.cpp
@ -1170,7 +1170,12 @@ GateRef NumberSpeculativeRetype::CheckBoundAndConvertToInt32(GateRef gate, Conve
        case TypeInfo::INT1:
            result = builder_.ConvertBoolToInt32(gate, support);
            break;
-        case TypeInfo::CHAR:
+        case TypeInfo::CHAR: {
+            GateRef number = builder_.StringToNumber(gate, builder_.ConvertCharToEcmaString(gate),
+                builder_.Int32(0), acc_.GetGlueFromArgList());
+            result = builder_.GetInt32OfTNumber(number);
+            break;
+        }
        case TypeInfo::INT32:
            return gate;
        case TypeInfo::UINT32: {
@ -1234,6 +1239,12 @@ GateRef NumberSpeculativeRetype::CheckAndConvertToFloat64(GateRef gate, GateType
        case TypeInfo::INT1:
            result = builder_.ConvertBoolToFloat64(gate, ToConvertSupport(convert));
            break;
+        case TypeInfo::CHAR: {
+            GateRef number = builder_.StringToNumber(gate, builder_.ConvertCharToEcmaString(gate),
+                builder_.Int32(0), acc_.GetGlueFromArgList());
+            result = builder_.GetDoubleOfTNumber(number);
+            break;
+        }
        case TypeInfo::INT32:
            result = builder_.ConvertInt32ToFloat64(gate);
            break;
--- a/ecmascript/js_hclass.cpp
+++ b/ecmascript/js_hclass.cpp
@ -551,6 +551,9 @@ void JSHClass::OptimizePrototypeForIC(const JSThread *thread, const JSHandle<JST
            if (!isChangeProto) {
                thread->GetEcmaVM()->GetPGOProfiler()->UpdateRootProfileTypeSafe(*hclass, *newProtoClass);
            }
+            if (proto->IsJSObject()) {
+                TryRestoreElementsKind(thread, newProtoClass, JSHandle<JSObject>::Cast(proto));
+            }
        } else {
            // There is no sharing in AOT hclass. Therefore, it is not necessary or possible to clone here.
            hclass->SetIsPrototype(true);
--- a/ecmascript/pgo_profiler/pgo_profiler.cpp
+++ b/ecmascript/pgo_profiler/pgo_profiler.cpp
@ -2022,7 +2022,6 @@ ProfileType PGOProfiler::GetRecordProfileType(const std::shared_ptr<JSPandaFile>
    }
    ProfileType recordType {0};
    if (pf->IsBundlePack()) {
-        ASSERT(recordName == JSPandaFile::ENTRY_FUNCTION_NAME);
        recordType = CreateRecordProfileType(abcId, ProfileType::RECORD_ID_FOR_BUNDLE);
        recordInfos_->GetRecordPool()->Add(recordType, recordName);
        return recordType;
--- a/test/aottest/elements_kind/elements_kind.ts
+++ b/test/aottest/elements_kind/elements_kind.ts
@ -56,7 +56,7 @@ class OrderedCollection {
    add(elm: number):void {
      this.elms.push(elm);
    }
-    
+
    at(index: number):number{
      return this.elms[index];
    }
@ -76,4 +76,15 @@ function testReverse() {
  print("success");
 }

-testReverse();
+testReverse();
+
+function testArrayUsedAsProto() {
+  let v0 = [1];
+  let o = {
+    __proto__: v0
+  }
+  v0.length = 0;
+  print("testArrayUsedAsProto success")
+}
+
+testArrayUsedAsProto();
--- a/test/aottest/elements_kind/expect_output.txt
+++ b/test/aottest/elements_kind/expect_output.txt
@ -18,4 +18,5 @@ undefined
 1
 2
 0
-success
+success
+testArrayUsedAsProto success
--- a/test/aottest/elements_kind/pgo_expect_output.txt
+++ b/test/aottest/elements_kind/pgo_expect_output.txt
@ -18,4 +18,5 @@ undefined
 1
 2
 0
-success
+success
+testArrayUsedAsProto success
--- a/test/aottest/pgo_ldobjbyvalue_string/expect_output.txt
+++ b/test/aottest/pgo_ldobjbyvalue_string/expect_output.txt
@ -12,3 +12,4 @@
 # limitations under the License.

 [trace] Opcode: LOAD_ELEMENT Count:2
+6
--- a/test/aottest/pgo_ldobjbyvalue_string/pgo_expect_output.txt
+++ b/test/aottest/pgo_ldobjbyvalue_string/pgo_expect_output.txt
@ -11,3 +11,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+6
--- a/test/aottest/pgo_ldobjbyvalue_string/pgo_ldobjbyvalue_string.ts
+++ b/test/aottest/pgo_ldobjbyvalue_string/pgo_ldobjbyvalue_string.ts
@ -14,7 +14,7 @@
 */

 // @ts-nocheck
-declare function print(arg:any):string;
+declare function print(arg: any): string;

 function foo(a) {
    return a[0];
@ -32,3 +32,12 @@ function test() {
 test();
 ArkTools.printTypedOpProfiler("LOAD_ELEMENT");
 ArkTools.clearTypedOpProfiler();
+
+let v2 = new SharedMap();
+class C3 {
+    constructor(a5, a6) {
+        ({ "length": a5, } = "-39635");
+        print(a5 % -1713856730);
+    }
+}
+const v9 = new C3(SharedMap, "-39635");