From f9086fba9522edc016ca10f28c543e31eecb48e5 Mon Sep 17 00:00:00 2001
From: wangyuxin <wangyuxin53@huawei.com>
Date: Tue, 3 Sep 2024 20:00:55 +0800
Subject: [PATCH] Fix bug of array map segmentation fault

Add retyping process for array opcodes

Issue:https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IAOJCW

Signed-off-by: wangyuxin <wangyuxin53@huawei.com>
Change-Id: I46a53d6320a4cfc1609849f865cb4390ed7964d9
---
 .../compiler/number_speculative_retype.cpp    | 25 +++++++++++++++++
 .../compiler/number_speculative_retype.h      |  1 +
 .../compiler/typed_native_inline_lowering.cpp |  2 +-
 test/aottest/BUILD.gn                         |  1 +
 test/aottest/inline_array_exception/BUILD.gn  | 21 +++++++++++++++
 .../inline_array_exception/expect_output.txt  | 15 +++++++++++
 .../inline_array_exception.ts                 | 27 +++++++++++++++++++
 .../pgo_expect_output.txt                     | 15 +++++++++++
 8 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 test/aottest/inline_array_exception/BUILD.gn
 create mode 100644 test/aottest/inline_array_exception/expect_output.txt
 create mode 100644 test/aottest/inline_array_exception/inline_array_exception.ts
 create mode 100644 test/aottest/inline_array_exception/pgo_expect_output.txt

diff --git a/ecmascript/compiler/number_speculative_retype.cpp b/ecmascript/compiler/number_speculative_retype.cpp
index 1892df6d9c..b226543983 100644
--- a/ecmascript/compiler/number_speculative_retype.cpp
+++ b/ecmascript/compiler/number_speculative_retype.cpp
@@ -192,6 +192,8 @@ GateRef NumberSpeculativeRetype::VisitGate(GateRef gate)
             return VisitIntermediateValue(gate);
         case OpCode::NUMBER_TO_STRING:
             return VisitNumberToString(gate);
+        case OpCode::ARRAY_FIND_OR_FINDINDEX:
+            return VisitArrayFindOrFindIndex(gate);
         case OpCode::MATH_LOG:
         case OpCode::MATH_LOG2:
         case OpCode::MATH_LOG10:
@@ -326,11 +328,16 @@ GateRef NumberSpeculativeRetype::VisitGate(GateRef gate)
         case OpCode::FUNCTION_PROTOTYPE_CALL:
         case OpCode::BUILTIN_PROTOTYPE_HCLASS_CHECK:
         case OpCode::FLATTEN_TREE_STRING_CHECK:
+        case OpCode::ARRAY_POP:
+        case OpCode::ARRAY_SOME:
+        case OpCode::ARRAY_EVERY:
+        case OpCode::ARRAY_FOR_EACH:
         case OpCode::HEAP_OBJECT_CHECK:
         case OpCode::ARRAY_FILTER:
         case OpCode::ARRAY_MAP:
         case OpCode::ARRAY_SLICE:
         case OpCode::FINISH_ALLOCATE:
+        case OpCode::IS_CALLABLE_CHECK:
             return VisitOthers(gate);
         default:
             return Circuit::NullGate();
@@ -355,6 +362,24 @@ GateRef NumberSpeculativeRetype::VisitTypedBinaryOp(GateRef gate)
     return VisitEqualCompareOrNotEqualCompare(gate);
 }
 
+GateRef NumberSpeculativeRetype::VisitArrayFindOrFindIndex(GateRef gate)
+{
+    constexpr size_t BUILTINS_FUNC_ID_INDEX = 3;
+    ASSERT(acc_.GetOpCode(gate) == OpCode::ARRAY_FIND_OR_FINDINDEX);
+    ASSERT(acc_.GetNumValueIn(gate) > BUILTINS_FUNC_ID_INDEX);
+    if (IsRetype()) {
+        GateRef builtinFunc = acc_.GetValueIn(gate, BUILTINS_FUNC_ID_INDEX);
+        auto builtinsID = static_cast<BuiltinsStubCSigns::ID>(acc_.GetConstantValue(builtinFunc));
+        if (builtinsID == BuiltinsStubCSigns::ID::ArrayFind) {
+            return SetOutputType(gate, GateType::AnyType());
+        } else {
+            return SetOutputType(gate, GateType::IntType());
+        }
+    }
+
+    return VisitWithConstantValue(gate, BUILTINS_FUNC_ID_INDEX); // ignoreIndex
+}
+
 GateRef NumberSpeculativeRetype::VisitEqualCompareOrNotEqualCompare(GateRef gate)
 {
     if (acc_.HasNumberType(gate)) {
diff --git a/ecmascript/compiler/number_speculative_retype.h b/ecmascript/compiler/number_speculative_retype.h
index 48d4cb4787..866e069402 100644
--- a/ecmascript/compiler/number_speculative_retype.h
+++ b/ecmascript/compiler/number_speculative_retype.h
@@ -71,6 +71,7 @@ private:
     GateRef SetOutputType(GateRef gate, TypeInfo type);
     TypeInfo GetNumberTypeInfo(GateRef gate);
     GateRef VisitPhi(GateRef gate);
+    GateRef VisitArrayFindOrFindIndex(GateRef gate);
     GateRef VisitConstant(GateRef gate);
     GateRef VisitTypedBinaryOp(GateRef gate);
     GateRef VisitNumberBinaryOp(GateRef gate);
diff --git a/ecmascript/compiler/typed_native_inline_lowering.cpp b/ecmascript/compiler/typed_native_inline_lowering.cpp
index 8ac1ba2515..7c426fdf62 100644
--- a/ecmascript/compiler/typed_native_inline_lowering.cpp
+++ b/ecmascript/compiler/typed_native_inline_lowering.cpp
@@ -3260,7 +3260,7 @@ void TypedNativeInlineLowering::LowerArrayFindOrFindIndex(GateRef gate)
     if (builtinsID == BuiltinsStubCSigns::ID::ArrayFind) {
         acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), *findRes);
     } else {
-        acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), builder_.Int32ToTaggedPtr(*res));
+        acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), *res);
     }
 }
 
diff --git a/test/aottest/BUILD.gn b/test/aottest/BUILD.gn
index f488d72bb1..4568cbc084 100644
--- a/test/aottest/BUILD.gn
+++ b/test/aottest/BUILD.gn
@@ -165,6 +165,7 @@ group("ark_aot_ts_test") {
     "ic",
     "inc",
     "inline",
+    "inline_array_exception",
     "instanceof",
     "isfalse",
     "isin",
diff --git a/test/aottest/inline_array_exception/BUILD.gn b/test/aottest/inline_array_exception/BUILD.gn
new file mode 100644
index 0000000000..42be394b2e
--- /dev/null
+++ b/test/aottest/inline_array_exception/BUILD.gn
@@ -0,0 +1,21 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//arkcompiler/ets_runtime/test/test_helper.gni")
+
+host_aot_test_action("inline_array_exception") {
+  deps = []
+  is_enable_pgo = true
+  is_enable_opt_inlining = true
+  is_enable_native_inline = true
+}
diff --git a/test/aottest/inline_array_exception/expect_output.txt b/test/aottest/inline_array_exception/expect_output.txt
new file mode 100644
index 0000000000..b547fd5511
--- /dev/null
+++ b/test/aottest/inline_array_exception/expect_output.txt
@@ -0,0 +1,15 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+2
+3
diff --git a/test/aottest/inline_array_exception/inline_array_exception.ts b/test/aottest/inline_array_exception/inline_array_exception.ts
new file mode 100644
index 0000000000..117b4257ff
--- /dev/null
+++ b/test/aottest/inline_array_exception/inline_array_exception.ts
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const arr = [1,2,3,4];
+try{
+    arr.map(()=>{});
+    arr.pop();
+    arr.some(()=>{});
+    arr.every(()=>{});
+    arr.forEach(()=>{});
+    arr.find(()=>{});
+    arr.findIndex(()=>{});
+}catch(e){}
+print(arr.findIndex((num)=>{return num>2}));
+print(arr.find((num)=>{return num>2}))
diff --git a/test/aottest/inline_array_exception/pgo_expect_output.txt b/test/aottest/inline_array_exception/pgo_expect_output.txt
new file mode 100644
index 0000000000..b547fd5511
--- /dev/null
+++ b/test/aottest/inline_array_exception/pgo_expect_output.txt
@@ -0,0 +1,15 @@
+# Copyright (c) 2024 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+2
+3