From c1eda52ab32c75e4014230ffeaecf2a1d3702971 Mon Sep 17 00:00:00 2001 From: wuxiesaber Date: Tue, 17 Dec 2024 17:06:11 +0800 Subject: [PATCH 1/7] fix OHPSIRT-2024-128300 Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBBW7J Signed-off-by: wuxiesaber Change-Id: I7183f550c57f61144d75c8e30c66beb750f1b927 --- ecmascript/base/typed_array_helper.cpp | 2 ++ test/moduletest/BUILD.gn | 3 ++ test/moduletest/typedarrayiterator/BUILD.gn | 18 +++++++++++ .../typedarrayiterator/expect_output.txt | 14 +++++++++ .../typedarrayiterator/typedarrayiterator.js | 31 +++++++++++++++++++ 5 files changed, 68 insertions(+) create mode 100644 test/moduletest/typedarrayiterator/BUILD.gn create mode 100644 test/moduletest/typedarrayiterator/expect_output.txt create mode 100644 test/moduletest/typedarrayiterator/typedarrayiterator.js diff --git a/ecmascript/base/typed_array_helper.cpp b/ecmascript/base/typed_array_helper.cpp index cac26efd04..0d6f5620f6 100644 --- a/ecmascript/base/typed_array_helper.cpp +++ b/ecmascript/base/typed_array_helper.cpp @@ -1162,6 +1162,8 @@ bool TypedArrayHelper::IsNativeArrayIterator(JSThread *thread, if (iterNext->IsJSFunction()) { nextMethod = Method::Cast( JSHandle::Cast(iterNext)->GetMethod().GetTaggedObject()); + } else { + return false; } // Array and TypedArray use the same JSArrayIterator. return nextMethod->GetNativePointer() == reinterpret_cast(JSArrayIterator::Next); diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index 76a8f9e277..696fb2b84c 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -158,6 +158,7 @@ group("ark_js_moduletest") { "typedarrayfill", "typedarrayfindlast", "typedarrayfrom", + "typedarrayiterator", "typedarraynan", "typedarraysort", "typedarraysubarray", @@ -364,6 +365,7 @@ group("ark_asm_test") { "typedarrayfill", "typedarrayfindlast", "typedarrayfrom", + "typedarrayiterator", "typedarraynan", "typedarraysort", "typedarraytosorted", 
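Review bot: The new `else { return false; }` in `TypedArrayHelper::IsNativeArrayIterator` (ecmascript/base/typed_array_helper.cpp) has no comment explaining why a non-JSFunction `next` must bail out. Without the early return, `nextMethod->GetNativePointer()` on the following line would be reached with whatever value `nextMethod` was initialised to outside the hunk. I would add `// next was replaced by a non-function (e.g. null): not the native iterator, let the caller take the generic path.` above the `return false;`. The function starts before the hunk, so the initial value of `nextMethod` and the way `iterNext` is obtained could not be checked.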
@@ -545,6 +547,7 @@ group("ark_asm_single_step_test") { "typedarrayfill", "typedarrayfindlast", "typedarrayfrom", + "typedarrayiterator", "typedarraynan", "typedarraysort", "typedarraytosorted", diff --git a/test/moduletest/typedarrayiterator/BUILD.gn b/test/moduletest/typedarrayiterator/BUILD.gn new file mode 100644 index 0000000000..158b9a2c19 --- /dev/null +++ b/test/moduletest/typedarrayiterator/BUILD.gn @@ -0,0 +1,18 @@ +# Copyright (c) 2023 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_action("typedarrayiterator") { + deps = [] +} diff --git a/test/moduletest/typedarrayiterator/expect_output.txt b/test/moduletest/typedarrayiterator/expect_output.txt new file mode 100644 index 0000000000..2faecb946a --- /dev/null +++ b/test/moduletest/typedarrayiterator/expect_output.txt 
@@ -0,0 +1,14 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +TypeError: Callable is false diff --git a/test/moduletest/typedarrayiterator/typedarrayiterator.js b/test/moduletest/typedarrayiterator/typedarrayiterator.js new file mode 100644 index 0000000000..6e54f6a9b1 --- /dev/null +++ b/test/moduletest/typedarrayiterator/typedarrayiterator.js @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:typedarrayiterator + * @tc.desc:test TypedArray.iterator + * @tc.type: FUNC + */ + +let v2 = new Uint8Array([1, 2, 3]); +let v3 = v2[Symbol.iterator](); +let nextBak = v3.__proto__["next"]; +v3.__proto__["next"] = null; +try { + print(Uint8Array.from(v2)); +} catch (e) { + print(e); +} +v3.__proto__["next"] = nextBak; -- Gitee From 22be68e996cfa6da7dca16f25b624ebcc281b80d Mon Sep 17 00:00:00 2001 
From: wuxiesaber Date: Sat, 21 Dec 2024 19:53:12 +0800 Subject: [PATCH 2/7] fix no checking of stack overflow in proxy Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBCUJM Signed-off-by: wuxiesaber Change-Id: I6ac963ee4ba6f870d1288a95c42f0415af95b27f --- ecmascript/stubs/runtime_stubs-inl.h | 1 + test/moduletest/BUILD.gn | 7 +++- test/moduletest/proxyrelease/BUILD.gn | 18 ++++++++++ .../moduletest/proxyrelease/expect_output.txt | 14 ++++++++ test/moduletest/proxyrelease/proxyrelease.js | 34 +++++++++++++++++++ 5 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 test/moduletest/proxyrelease/BUILD.gn create mode 100644 test/moduletest/proxyrelease/expect_output.txt create mode 100644 test/moduletest/proxyrelease/proxyrelease.js diff --git a/ecmascript/stubs/runtime_stubs-inl.h b/ecmascript/stubs/runtime_stubs-inl.h index 639075b4c8..0256374493 100644 --- a/ecmascript/stubs/runtime_stubs-inl.h +++ b/ecmascript/stubs/runtime_stubs-inl.h @@ -2839,6 +2839,7 @@ JSTaggedValue RuntimeStubs::RuntimeOptConstructProxy(JSThread *thread, JSHandle< JSHandle newTgt, JSHandle preArgs, JSHandle args) { + STACK_LIMIT_CHECK(thread, JSTaggedValue::Exception()); // step 1 ~ 4 get ProxyHandler and ProxyTarget JSHandle handler(thread, ctor->GetHandler()); if (handler->IsNull()) { diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index 696fb2b84c..bc7fb5529f 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -237,6 +237,7 @@ group("ark_js_assert_moduletest") { "hugearray", "hugeictest", "multiconstpoolarray", + "proxyrelease", ] foreach(test, release_test_assert_list) { @@ -440,6 +441,7 @@ group("ark_asm_assert_test") { "hugearray", "hugeictest", "multiconstpoolarray", + "proxyrelease", ] foreach(test, release_test_assert_list) { 
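Review bot: The `STACK_LIMIT_CHECK(thread, JSTaggedValue::Exception());` added at the top of `RuntimeStubs::RuntimeOptConstructProxy` (ecmascript/stubs/runtime_stubs-inl.h) carries no comment saying why this stub needs it. A proxy whose target is another proxy presumably re-enters the stub once per nesting level, so script controls the native recursion depth. I would add `// Nested proxies recurse through this stub once per level; bound native stack use.` above the check. The body continues outside the hunk and the non-construct proxy call path is not shown, so it is worth confirming that path has the same guard.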
@@ -614,7 +616,10 @@ group("ark_asm_single_step_assert_test") { } } if (!is_debug) { - release_test_assert_list = [ "multiconstpoolarray" ] + release_test_assert_list = [ + "multiconstpoolarray", + "proxyrelease", + ] foreach(test, release_test_assert_list) { deps += [ diff --git a/test/moduletest/proxyrelease/BUILD.gn b/test/moduletest/proxyrelease/BUILD.gn new file mode 100644 index 0000000000..3b0f1d906a --- /dev/null +++ b/test/moduletest/proxyrelease/BUILD.gn @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_assert_action("proxyrelease") { + deps = [] +} diff --git a/test/moduletest/proxyrelease/expect_output.txt b/test/moduletest/proxyrelease/expect_output.txt new file mode 100644 index 0000000000..c716a573b9 --- /dev/null +++ b/test/moduletest/proxyrelease/expect_output.txt 
@@ -0,0 +1,14 @@ +# Copyright (c) 2021 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +RangeError: Stack overflow! diff --git a/test/moduletest/proxyrelease/proxyrelease.js b/test/moduletest/proxyrelease/proxyrelease.js new file mode 100644 index 0000000000..e59a33292a --- /dev/null +++ b/test/moduletest/proxyrelease/proxyrelease.js @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:proxy + * @tc.desc:test proxy + * @tc.type: FUNC + * @tc.require: issueIBCUJM + */ + +// This case aims to test if there's stack-overflow checking in RuntimeOptConstructProxy +{ + let v0 = new Proxy(function () {}, {}); + for (let v1 = 0; v1 < 10000; v1++) { + v0 = new Proxy(v0, {}); + } + try { + new v0(0); + } catch (error) { + print(error); + } +} -- Gitee From 507e6c95b8055039481657bd0a1941c9e2693caa Mon Sep 17 00:00:00 2001 
From: wuxiesaber Date: Thu, 26 Dec 2024 19:12:51 +0800 Subject: [PATCH 3/7] add taggedOject check in GetIterator https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBDZ1R Signed-off-by: wuxiesaber Change-Id: Ic82f8fb67a858e79a985ef687b5d0b8476f006dd --- ecmascript/compiler/stub_builder.cpp | 10 ++++-- ecmascript/message_string.h | 3 +- test/moduletest/BUILD.gn | 1 + test/moduletest/getiterator/BUILD.gn | 18 +++++++++++ test/moduletest/getiterator/expect_output.txt | 14 ++++++++ test/moduletest/getiterator/getiterator.js | 32 +++++++++++++++++++ 6 files changed, 74 insertions(+), 4 deletions(-) create mode 100644 test/moduletest/getiterator/BUILD.gn create mode 100644 test/moduletest/getiterator/expect_output.txt create mode 100644 test/moduletest/getiterator/getiterator.js diff --git a/ecmascript/compiler/stub_builder.cpp b/ecmascript/compiler/stub_builder.cpp index 92a62c8fa5..05b59d5206 100644 --- a/ecmascript/compiler/stub_builder.cpp +++ b/ecmascript/compiler/stub_builder.cpp @@ -8524,7 +8524,7 @@ GateRef StubBuilder::GetIterator(GateRef glue, GateRef obj, ProfileOperation cal Label exit(env); env->SubCfgEntry(&entryPass); DEFVARIABLE(result, VariableType::JS_ANY(), Exception()); - DEFVARIABLE(taggedId, VariableType::INT32(), Int32(0)); + DEFVARIABLE(taggedId, VariableType::INT32(), Int32(GET_MESSAGE_STRING_ID(ObjIsNotCallable))); Label isPendingException(env); Label noPendingException(env); 
@@ -8555,14 +8555,18 @@ GateRef StubBuilder::GetIterator(GateRef glue, GateRef obj, ProfileOperation cal if (env->IsBaselineBuiltin()) { callBuilder.JSCallDispatchForBaseline(&callExit); Bind(&callExit); + Jump(&exit); } else { result = callBuilder.JSCallDispatch(); + Label modifyErrorInfo(env); + BRANCH(TaggedIsHeapObject(*result), &exit, &modifyErrorInfo); + Bind(&modifyErrorInfo); + taggedId = Int32(GET_MESSAGE_STRING_ID(IterNotObject)); + Jump(&throwError); } - Jump(&exit); } Bind(&throwError); { - taggedId = Int32(GET_MESSAGE_STRING_ID(ObjIsNotCallable)); CallRuntime(glue, RTSTUB_ID(ThrowTypeError), { IntToTaggedInt(*taggedId) }); result = Exception(); Jump(&exit); diff --git a/ecmascript/message_string.h b/ecmascript/message_string.h index 062d7a4e89..33d67d4dbc 100644 --- a/ecmascript/message_string.h +++ b/ecmascript/message_string.h @@ -66,7 +66,8 @@ namespace panda::ecmascript { V(DefineFieldField, "DefineField: obj is not Object") \ V(IsNotPropertyKey, "key is not a property key") \ V(CreateDataPropertyFailed, "failed to create data property") \ - V(ValueIsNonSObject, "value is not a shared object") + V(ValueIsNonSObject, "value is not a shared object") \ + V(IterNotObject, "JSIterator::GetIterator: iter is not object") #define DEBUG_CHECK_MESSAGE_STRING_LIST(V) \ V(IsCallable) \ diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index bc7fb5529f..bf930c80a8 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -393,6 +393,7 @@ group("ark_asm_test") { "sharedJSON", "sharedic", "sendable", + "getiterator", ] deps = [] diff --git a/test/moduletest/getiterator/BUILD.gn b/test/moduletest/getiterator/BUILD.gn new file mode 100644 index 0000000000..c607331088 --- /dev/null +++ b/test/moduletest/getiterator/BUILD.gn 
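Review bot: In `StubBuilder::GetIterator` (ecmascript/compiler/stub_builder.cpp) the new `BRANCH(TaggedIsHeapObject(*result), &exit, &modifyErrorInfo);` looks both too loose and too eager. Too loose because a string, symbol or BigInt returned from the `@@iterator` method is presumably also a heap object and would be accepted as an iterator, while the new message itself says "iter is not object"; an ECMAScript-object type check would match that wording. Too eager because, if the called method itself threw, `result` is presumably the exception marker, which is not a heap object either, so control reaches `ThrowTypeError` and the original exception is replaced by `IterNotObject`; checking for a pending exception before `modifyErrorInfo` would avoid that. The `env->IsBaselineBuiltin()` branch still jumps straight to `exit` with no check on the returned value, so it should be confirmed that the baseline path validates it elsewhere. The function starts and ends outside the hunk.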
@@ -0,0 +1,18 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_action("getiterator") { + deps = [] +} diff --git a/test/moduletest/getiterator/expect_output.txt b/test/moduletest/getiterator/expect_output.txt new file mode 100644 index 0000000000..65a51cc345 --- /dev/null +++ b/test/moduletest/getiterator/expect_output.txt @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +TypeError: JSIterator::GetIterator: iter is not object diff --git a/test/moduletest/getiterator/getiterator.js b/test/moduletest/getiterator/getiterator.js new file mode 100644 index 0000000000..cac74cf812 --- /dev/null +++ b/test/moduletest/getiterator/getiterator.js 
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:getiterator + * @tc.desc:test StubBuilder::GetIterator + * @tc.type: FUNC + * @tc.require: issueIBDZ1R + */ + +// This case aims to test the logic which check the undefined result of GetIterator. +{ + class c2 extends Object {} + Array.prototype[Symbol.iterator] = function () {}; + try { + let myC2 = new c2(); + } catch (error) { + print(error); + } +} -- Gitee From 3da787e137830e42a8b2ff2077577ce26cd19268 Mon Sep 17 00:00:00 2001 From: wuxiesaber Date: Wed, 25 Dec 2024 14:31:32 +0800 Subject: [PATCH 4/7] fix double overflow in GetValueFromBuffer Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBDK44 Signed-off-by: wuxiesaber Change-Id: I81e42c6ae968aa2cc6f7f306f179988bf6fca5c8 --- .../builtins_typedarray_stub_builder.cpp | 12 +++++-- test/moduletest/BUILD.gn | 15 +++++++-- test/moduletest/getvaluefrombuffer/BUILD.gn | 18 +++++++++++ .../getvaluefrombuffer/getvaluefrombuffer.js | 32 +++++++++++++++++++ .../moduletest/proxyrelease/expect_output.txt | 2 +- test/moduletest/proxyrelease/proxyrelease.js | 7 ++-- test/moduletest/typedarrayiterator/BUILD.gn | 2 +- 7 files changed, 79 insertions(+), 9 deletions(-) create mode 100644 test/moduletest/getvaluefrombuffer/BUILD.gn create mode 100644 test/moduletest/getvaluefrombuffer/getvaluefrombuffer.js 
diff --git a/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp b/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp index 8e46ee42c2..6b3d51822b 100644 --- a/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp +++ b/ecmascript/compiler/builtins/builtins_typedarray_stub_builder.cpp @@ -370,8 +370,16 @@ GateRef BuiltinsTypedArrayStubBuilder::GetValueFromBuffer(GateRef buffer, GateRe { GateRef byteIndex = Int32Add(Int32Mul(index, Int32(base::ElementSize::EIGHT)), offset); GateRef block = GetDataPointFromBuffer(buffer); - GateRef re = Load(VariableType::INT64(), block, byteIndex); - result = DoubleToTaggedDoublePtr(CastInt64ToFloat64(re)); + GateRef tmpResult = CastInt64ToFloat64(Load(VariableType::INT64(), block, byteIndex)); + + Label tmpResultIsNumber(env); + Label tmpResultIsNan(env); + BRANCH(env->GetBuilder()->DoubleIsImpureNaN(tmpResult), &tmpResultIsNan, &tmpResultIsNumber); + Bind(&tmpResultIsNan); + result = DoubleToTaggedDoublePtr(Double(base::NAN_VALUE)); + Jump(&exit); + Bind(&tmpResultIsNumber); + result = DoubleToTaggedDoublePtr(tmpResult); Jump(&exit); } } diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index bf930c80a8..b360c8469a 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -222,7 +222,10 @@ group("ark_js_moduletest") { group("ark_js_assert_moduletest") { testonly = true - assert_test_list = [ "addpropertybyname" ] + assert_test_list = [ + "addpropertybyname", + "getvaluefrombuffer", + ] deps = [] foreach(test, assert_test_list) { @@ -427,7 +430,10 @@ group("ark_asm_test") { group("ark_asm_assert_test") { testonly = true - assert_test_list = [ "addpropertybyname" ] + assert_test_list = [ + "addpropertybyname", + "getvaluefrombuffer", + ] deps = [] foreach(test, assert_test_list) { 
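Review bot: In `BuiltinsTypedArrayStubBuilder::GetValueFromBuffer` the NaN canonicalisation is added only to the 8-byte element case shown in this hunk. The 4-byte float case is outside the hunk, and a float32 NaN carrying sign or payload bits may not be the canonical NaN once widened to double, so that path should be confirmed as covered too. The commit subject calls this a "double overflow", but the code replaces any impure NaN bit pattern read from script-writable buffer bytes with `base::NAN_VALUE` before it is boxed. A comment such as `// Raw buffer bits can form a non-canonical NaN that presumably aliases another tagged value; canonicalise before boxing.` above the `BRANCH` would record the real reason.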
@@ -607,7 +613,10 @@ group("ark_asm_single_step_test") { group("ark_asm_single_step_assert_test") { testonly = true - assert_test_list = [ "addpropertybyname" ] + assert_test_list = [ + "addpropertybyname", + "getvaluefrombuffer", + ] deps = [] foreach(test, assert_test_list) { diff --git a/test/moduletest/getvaluefrombuffer/BUILD.gn b/test/moduletest/getvaluefrombuffer/BUILD.gn new file mode 100644 index 0000000000..f351f2e169 --- /dev/null +++ b/test/moduletest/getvaluefrombuffer/BUILD.gn @@ -0,0 +1,18 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_assert_action("getvaluefrombuffer") { + deps = [] +} diff --git a/test/moduletest/getvaluefrombuffer/getvaluefrombuffer.js b/test/moduletest/getvaluefrombuffer/getvaluefrombuffer.js new file mode 100644 index 0000000000..e8d22f7c12 --- /dev/null +++ b/test/moduletest/getvaluefrombuffer/getvaluefrombuffer.js 
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:getvaluefrombuffer + * @tc.desc:test BuiltinsTypedArrayStubBuilder::GetValueFromBuffer + * @tc.type: FUNC + * @tc.require: issueIBDK44 + */ + +// This case aims to check overflow of double in BuiltinsTypedArrayStubBuilder::GetValueFromBuffer +{ + let v0 = new ArrayBuffer(8); + let v1 = new Int32Array(v0); + v1[0] = 0xcafe0000; + v1[1] = 0xffff0000; + let v2 = new Float64Array(v0); + Array.prototype.push.apply(v0, v2); + assert_equal(Number.isNaN(v2[0]), true); +} diff --git a/test/moduletest/proxyrelease/expect_output.txt b/test/moduletest/proxyrelease/expect_output.txt index c716a573b9..afc93c05cf 100644 --- a/test/moduletest/proxyrelease/expect_output.txt +++ b/test/moduletest/proxyrelease/expect_output.txt @@ -1,4 +1,4 @@ -# Copyright (c) 2021 Huawei Device Co., Ltd. +# Copyright (c) 2024 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at diff --git a/test/moduletest/proxyrelease/proxyrelease.js b/test/moduletest/proxyrelease/proxyrelease.js index e59a33292a..c6fe4e8b03 100644 --- a/test/moduletest/proxyrelease/proxyrelease.js +++ b/test/moduletest/proxyrelease/proxyrelease.js 
@@ -26,9 +26,12 @@ for (let v1 = 0; v1 < 10000; v1++) { v0 = new Proxy(v0, {}); } + let error = new Error(); try { new v0(0); - } catch (error) { - print(error); + } catch (e) { + error = e; } + assert_equal(error.name, "RangeError"); + assert_equal(error.message, "Stack overflow!"); } diff --git a/test/moduletest/typedarrayiterator/BUILD.gn b/test/moduletest/typedarrayiterator/BUILD.gn index 158b9a2c19..9a538c4664 100644 --- a/test/moduletest/typedarrayiterator/BUILD.gn +++ b/test/moduletest/typedarrayiterator/BUILD.gn @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Huawei Device Co., Ltd. +# Copyright (c) 2024 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at -- Gitee From 2dde3c02322ee65dfe77411b619448f6fb211a3b Mon Sep 17 00:00:00 2001 From: wuxiesaber Date: Sat, 4 Jan 2025 23:16:12 +0800 Subject: [PATCH 5/7] fix return of GetDeletedElementsAt Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBFP2E Signed-off-by: wuxiesaber Change-Id: Ia18bcef781ff04db2d911cf3aa6ec465ee75af42 --- .../linked_hashtable_stub_builder.cpp | 9 ++++- test/moduletest/BUILD.gn | 3 ++ test/moduletest/getdeletedelementsat/BUILD.gn | 18 ++++++++++ .../getdeletedelementsat/expect_output.txt | 14 ++++++++ .../getdeletedelementsat.js | 33 +++++++++++++++++++ 5 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 test/moduletest/getdeletedelementsat/BUILD.gn create mode 100644 test/moduletest/getdeletedelementsat/expect_output.txt create mode 100644 test/moduletest/getdeletedelementsat/getdeletedelementsat.js diff --git a/ecmascript/compiler/builtins/linked_hashtable_stub_builder.cpp b/ecmascript/compiler/builtins/linked_hashtable_stub_builder.cpp index 018397073f..a33fe91b04 100644 --- a/ecmascript/compiler/builtins/linked_hashtable_stub_builder.cpp +++ b/ecmascript/compiler/builtins/linked_hashtable_stub_builder.cpp 
@@ -309,8 +309,15 @@ GateRef LinkedHashTableStubBuilder:: Label loopEnd(env); Label next(env); Label loopExit(env); + Label noNumberOfDeletedElements(env); + + BRANCH(Int32Equal(GetNumberOfDeletedElements(linkedTable), Int32(-1)), &noNumberOfDeletedElements, &loopHead); + Bind(&noNumberOfDeletedElements); + { + res = entry; + Jump(&exit); + } - Jump(&loopHead); LoopBegin(&loopHead); { BRANCH(Int32GreaterThanOrEqual(*currentEntry, Int32(0)), &next, &loopExit); diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index b360c8469a..2e46ee8ba2 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -85,6 +85,7 @@ group("ark_js_moduletest") { "funcprotochangeobjectandnew", "functionapply", "generator", + "getdeletedelementsat", "getpropertybyindex", "getunmappedargs", "global", @@ -317,6 +318,7 @@ group("ark_asm_test") { "funcprotochangeobjectandnew", "functionapply", "generator", + "getdeletedelementsat", "getunmappedargs", "global", "globalaccessor", @@ -511,6 +513,7 @@ group("ark_asm_single_step_test") { "funcprotochangeobjectandnew", "functionapply", "generator", + "getdeletedelementsat", "getunmappedargs", "global", "globalaccessor", diff --git a/test/moduletest/getdeletedelementsat/BUILD.gn b/test/moduletest/getdeletedelementsat/BUILD.gn new file mode 100644 index 0000000000..1e8c7000a9 --- /dev/null +++ b/test/moduletest/getdeletedelementsat/BUILD.gn 
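Review bot: The guard `Int32Equal(GetNumberOfDeletedElements(linkedTable), Int32(-1))` in ecmascript/compiler/builtins/linked_hashtable_stub_builder.cpp compares against a bare `-1` with no explanation. From the regression test (`map1.clear()` inside `forEach`) it presumably marks a table that was cleared while an iteration still holds it, in which case walking the deleted-entry slots would read stale data. I would either use the named constant the hashtable class defines for this state, if it has one, or add `// -1 marks a cleared table: there are no deleted-entry slots to walk, return entry unchanged.` above the `BRANCH`. The function signature and the loop body are cut off by the hunk, so whether the C++ runtime version of this function has the same early return could not be checked.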
@@ -0,0 +1,18 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_action("getdeletedelementsat") { + deps = [] +} diff --git a/test/moduletest/getdeletedelementsat/expect_output.txt b/test/moduletest/getdeletedelementsat/expect_output.txt new file mode 100644 index 0000000000..48c2f6e60a --- /dev/null +++ b/test/moduletest/getdeletedelementsat/expect_output.txt @@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +Test runs successfully! diff --git a/test/moduletest/getdeletedelementsat/getdeletedelementsat.js b/test/moduletest/getdeletedelementsat/getdeletedelementsat.js new file mode 100644 index 0000000000..bdbfed988c --- /dev/null +++ b/test/moduletest/getdeletedelementsat/getdeletedelementsat.js 
@@ -0,0 +1,33 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:getdeletedelementsat + * @tc.desc:test GetDeletedElementsAt + * @tc.type: FUNC + * @tc.require: issueIBFP2E + */ + +// This case aims to check return value of GetDeletedElementsAt +{ + let map1 = new Map(); + map1.set(0, 1); + map1.set(1, 2); + map1.set(2, 3); + map1.set(3, 4); + map1.delete(0); + map1.forEach(function () { map1.clear() }); + print("Test runs successfully!"); +} -- Gitee From 66a3e50e1b55f20be698a54b7a061f7ec539b12e Mon Sep 17 00:00:00 2001 From: wuxiesaber Date: Tue, 14 Jan 2025 19:10:49 +0800 Subject: [PATCH 6/7] fix stack overflow of regex_match Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBHSYW Signed-off-by: wuxiesaber Change-Id: I61cff5e9dbfd4aeb4ff6484a659d2237eb7c3368 --- ecmascript/js_date_time_format.cpp | 20 ++++++------------- ecmascript/js_date_time_format.h | 2 -- test/moduletest/datetimezone/datetimezone.js | 9 ++++++++- .../moduletest/datetimezone/expect_output.txt | 1 + test/moduletest/getiterator/getiterator.js | 2 +- .../moduletest/proxyrelease/expect_output.txt | 14 ------------- 6 files changed, 16 insertions(+), 32 deletions(-) delete mode 100644 test/moduletest/proxyrelease/expect_output.txt diff --git a/ecmascript/js_date_time_format.cpp b/ecmascript/js_date_time_format.cpp index 41c930fe34..ad75482395 100644 --- a/ecmascript/js_date_time_format.cpp 
+++ b/ecmascript/js_date_time_format.cpp @@ -1654,31 +1654,23 @@ std::string JSDateTimeFormat::ToTitleCaseFunction(const std::string &input) return result; } -bool JSDateTimeFormat::IsValidTimeZoneInput(const std::string &input) -{ - std::regex r("[a-zA-Z_\\-/]*"); - bool isValid = regex_match(input, r); - return isValid; -} - std::string JSDateTimeFormat::ToTitleCaseTimezonePosition(const std::string &input) { - if (!IsValidTimeZoneInput(input)) { - return std::string(); - } std::vector titleEntry; std::vector charEntry; - int32_t leftPosition = 0; - int32_t titleLength = 0; - for (int32_t i = 0; i < static_cast(input.length()); i++) { + uint32_t leftPosition = 0; + uint32_t titleLength = 0; + for (size_t i = 0; i < input.length(); i++) { if (input[i] == '_' || input[i] == '-' || input[i] == '/') { std::string s(1, input[i]); charEntry.emplace_back(s); titleLength = i - leftPosition; titleEntry.emplace_back(input.substr(leftPosition, titleLength)); leftPosition = i + 1; - } else { + } else if (JSLocale::IsAsciiAlpha(input[i]) || input[i] == '\\') { continue; + } else { + return std::string(); } } ASSERT(input.length() >= static_cast(leftPosition)); diff --git a/ecmascript/js_date_time_format.h b/ecmascript/js_date_time_format.h index 7bc5655fe9..b75dc9e133 100644 --- a/ecmascript/js_date_time_format.h +++ b/ecmascript/js_date_time_format.h @@ -214,8 +214,6 @@ private: static std::string ToTitleCaseFunction(const std::string &input); - static bool IsValidTimeZoneInput(const std::string &input); - static JSHandle ToValueString(JSThread *thread, Value value); static icu::FormattedDateInterval ConstructDTFRange(JSThread *thread, const JSHandle &dtf, diff --git a/test/moduletest/datetimezone/datetimezone.js b/test/moduletest/datetimezone/datetimezone.js index 85223757b1..e589c66e01 100755 --- a/test/moduletest/datetimezone/datetimezone.js +++ b/test/moduletest/datetimezone/datetimezone.js 
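Review bot: The hand-written scan in `JSDateTimeFormat::ToTitleCaseTimezonePosition` accepts a character the removed validator rejected. The old pattern `"[a-zA-Z_\\-/]*"` is the regex class `[a-zA-Z_\-/]`, where `\-` is an escaped hyphen, so a backslash was never valid. The new `else if (JSLocale::IsAsciiAlpha(input[i]) || input[i] == '\\')` lets a literal backslash through to the title-casing code. I would drop the second operand, `} else if (JSLocale::IsAsciiAlpha(input[i])) {`, and add a `timeZone` containing a backslash to datetimezone.js so the accepted set stays pinned. Separately, `titleLength = i - leftPosition;` and `leftPosition = i + 1;` narrow a `size_t` into `uint32_t`; making both locals `size_t` would remove the conversion and the cast in the `ASSERT`.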
@@ -16,4 +16,11 @@ try { new Intl.DateTimeFormat("en" , { timeZone: "US/Alaska0" }); } catch (e) { print(e instanceof RangeError); -} \ No newline at end of file +} + +// This case aims to check stack overflow while timeZone is a long string +try { + new Intl.DateTimeFormat("en", {timeZone: Array(0x8000).join("a")}); +} catch (e) { + print(e); +} diff --git a/test/moduletest/datetimezone/expect_output.txt b/test/moduletest/datetimezone/expect_output.txt index ce415d321a..355befa022 100755 --- a/test/moduletest/datetimezone/expect_output.txt +++ b/test/moduletest/datetimezone/expect_output.txt @@ -12,3 +12,4 @@ # limitations under the License. true +RangeError: invalid timeZone diff --git a/test/moduletest/getiterator/getiterator.js b/test/moduletest/getiterator/getiterator.js index cac74cf812..8b625d6ef9 100644 --- a/test/moduletest/getiterator/getiterator.js +++ b/test/moduletest/getiterator/getiterator.js @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at diff --git a/test/moduletest/proxyrelease/expect_output.txt b/test/moduletest/proxyrelease/expect_output.txt deleted file mode 100644 index afc93c05cf..0000000000 --- a/test/moduletest/proxyrelease/expect_output.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -# Copyright (c) 2024 Huawei Device Co., Ltd. -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -RangeError: Stack overflow! -- Gitee From b9da405bb3f74abbb049debb9afde4b000da60d4 Mon Sep 17 00:00:00 2001 From: wuxiesaber Date: Fri, 24 Jan 2025 10:44:32 +0800 Subject: [PATCH 7/7] fix no exception return Issue: https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/IBJL5S Signed-off-by: wuxiesaber Change-Id: Ic44740edf322dccf049e0c65d59cc69f1c386653 --- ecmascript/js_for_in_iterator.cpp | 1 + test/moduletest/BUILD.gn | 3 ++ test/moduletest/nextinternalslowpath/BUILD.gn | 18 ++++++++ .../nextinternalslowpath/expect_output.txt | 14 +++++++ .../nextinternalslowpath.js | 41 +++++++++++++++++++ 5 files changed, 77 insertions(+) create mode 100644 test/moduletest/nextinternalslowpath/BUILD.gn create mode 100644 test/moduletest/nextinternalslowpath/expect_output.txt create mode 100644 test/moduletest/nextinternalslowpath/nextinternalslowpath.js diff --git a/ecmascript/js_for_in_iterator.cpp b/ecmascript/js_for_in_iterator.cpp index e06af8b2f8..f940f68032 100644 --- a/ecmascript/js_for_in_iterator.cpp +++ b/ecmascript/js_for_in_iterator.cpp @@ -120,6 +120,7 @@ JSTaggedValue JSForInIterator::NextInternalSlowpath(JSThread *thread, const JSHa break; } has = HasProperty(thread, receiverHandle, keyHandle); + RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread); if (has) { break; } 
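Review bot: The added `RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);` after `HasProperty` in `js_for_in_iterator.cpp` has no comment saying why the result cannot be used directly, and the reason is not obvious from the loop. Judging by the test added in this commit, the lookup can reach a Proxy trap that throws, so `has` is not meaningful while an exception is pending. A comment such as `// HasProperty may run a Proxy trap; stop iterating if it left a pending exception.` would record that. The loop in `NextInternalSlowpath` starts and ends outside the hunk, so it is worth checking whether other calls in it that can reach user code need the same check.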
diff --git a/test/moduletest/BUILD.gn b/test/moduletest/BUILD.gn index 2e46ee8ba2..279b3a8bb6 100644 --- a/test/moduletest/BUILD.gn +++ b/test/moduletest/BUILD.gn @@ -115,6 +115,7 @@ group("ark_js_moduletest") { "multiprotoic", "negintmin", "newobjdynrange", + "nextinternalslowpath", "object", "objectcloneproperties", "objectgetownproperty", @@ -341,6 +342,7 @@ group("ark_asm_test") { "multiprotoic", "negintmin", "newobjdynrange", + "nextinternalslowpath", "number", "objectcloneproperties", "objectdefineproperties", @@ -533,6 +535,7 @@ group("ark_asm_single_step_test") { "multiprotoic", "negintmin", "newobjdynrange", + "nextinternalslowpath", "objectcloneproperties", "objecthasownproperty", "objectkeys", diff --git a/test/moduletest/nextinternalslowpath/BUILD.gn b/test/moduletest/nextinternalslowpath/BUILD.gn new file mode 100644 index 0000000000..a3b9aeceef --- /dev/null +++ b/test/moduletest/nextinternalslowpath/BUILD.gn @@ -0,0 +1,18 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import("//arkcompiler/ets_runtime/test/test_helper.gni") + +host_moduletest_action("nextinternalslowpath") { + deps = [] +} diff --git a/test/moduletest/nextinternalslowpath/expect_output.txt b/test/moduletest/nextinternalslowpath/expect_output.txt new file mode 100644 index 0000000000..52a34023e7 --- /dev/null +++ b/test/moduletest/nextinternalslowpath/expect_output.txt 
@@ -0,0 +1,14 @@ +# Copyright (c) 2025 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +TypeError: Cannot define property diff --git a/test/moduletest/nextinternalslowpath/nextinternalslowpath.js b/test/moduletest/nextinternalslowpath/nextinternalslowpath.js new file mode 100644 index 0000000000..d77958c34b --- /dev/null +++ b/test/moduletest/nextinternalslowpath/nextinternalslowpath.js 
@@ -0,0 +1,41 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * @tc.name:nextinternalslowpath + * @tc.desc:test JSForInIterator::NextInternalSlowpath + * @tc.type: FUNC + * @tc.require: issueIBJL5S + */ + +// This case aims to test if JSForInIterator::NextInternalSlowpath could return exception. +{ + function test_func() {} + function f0() {} + let v12 = new Proxy(Object.create(null, {x: {enumerable: true}}), { + getOwnPropertyDescriptor(v13, v14) { + if (v13 != null && typeof v13 == "object") { + Object.defineProperty(v13, test_func(), {get: function () {}}); + } + return Reflect.getOwnPropertyDescriptor(v13, v14); + } + }); + try { + for (let v15 in v12) {} + f0([1]); + } catch (e) { + print(e); + } +} -- Gitee
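Review bot: The test in `nextinternalslowpath.js` does not say why iterating the proxy throws, and the generated-looking names (`v12`, `v13`, `f0`, `test_func`) make it hard to work out. From the visible code, `test_func()` returns `undefined`, so each call to the `getOwnPropertyDescriptor` trap defines an accessor named `"undefined"` on the target with a fresh getter. The second call presumably fails because the property is non-configurable, which would give the expected `TypeError: Cannot define property`. A comment above the trap, e.g. `// Second trap call redefines a non-configurable accessor and throws TypeError.`, would make the expectation reviewable. `f0([1]);` does not look like it contributes to the case and could be dropped.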