From 86c87cd42d7e4c46076db4bd0fdefb985d3f815f Mon Sep 17 00:00:00 2001
From: dingding
Date: Thu, 30 May 2024 15:49:54 +0800
Subject: [PATCH] [AOT Fuzz] Fix the heap object judgment in TypedCallCheck

If an abnormal function object is passed in, deoptimization should be triggered immediately.
https://gitee.com/openharmony/arkcompiler_ets_runtime/issues/I9THNI

Signed-off-by: dingding
Change-Id: I83f1211a102b8923ab93f9682f31f118605a96c0
---
 ecmascript/compiler/typed_hcr_lowering.cpp | 26 ++++++++++------------
 test/aottest/calls/calls.ts | 11 ++++++++-
 test/aottest/calls/expect_output.txt | 1 +
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/ecmascript/compiler/typed_hcr_lowering.cpp b/ecmascript/compiler/typed_hcr_lowering.cpp
index 8919e7ca95..cc97768782 100644
--- a/ecmascript/compiler/typed_hcr_lowering.cpp
+++ b/ecmascript/compiler/typed_hcr_lowering.cpp
@@ -1465,10 +1465,10 @@ void TypedHCRLowering::LowerJSCallTargetTypeCheck(GateRef gate)
 GateRef constpool = argAcc.GetFrameArgsIn(frameState, FrameArgIdx::CONST_POOL);
 auto func = acc_.GetValueIn(gate, 0);
 auto methodIndex = acc_.GetValueIn(gate, 1);
- GateRef isObj = builder_.TaggedIsHeapObject(func);
+ builder_.HeapObjectCheck(func, frameState);
 GateRef funcMethodTarget = builder_.GetMethodFromFunction(func);
 GateRef methodTarget = builder_.GetValueFromTaggedArray(constpool, methodIndex);
- GateRef check = builder_.BoolAnd(isObj, builder_.Equal(funcMethodTarget, methodTarget));
+ GateRef check = builder_.Equal(funcMethodTarget, methodTarget);
 builder_.DeoptCheck(check, frameState, DeoptType::NOTJSCALLTGT2);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
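Review bot: The added HeapObjectCheck only establishes that func is a heap object, yet GetMethodFromFunction(func) on the very next line still reads func as if it were a JSFunction, and that load is emitted before the DeoptCheck that compares the method. Whether a non-function heap object handed in as the callee (a plain object, say) makes that read land outside the object depends on the field offset and object layouts, which this hunk does not show; if it can, a type guard ahead of the load such as `builder_.DeoptCheck(builder_.IsJSFunction(func), frameState, DeoptType::NOTJSCALLTGT2);` (reusing NOTJSCALLTGT2 unless a more specific type exists) closes the gap, and if it cannot, a one-line comment saying why the method comparison alone is safe for arbitrary heap objects would help the next reader. The same ordering of guard, load and deopt appears in the LowerJSFastCallTargetTypeCheck, LowerJSNoGCCallThisTargetTypeCheck and LowerJSNoGCFastCallThisTargetTypeCheck hunks. LowerJSCallTargetTypeCheck's body starts before this hunk.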
@@ -1481,10 +1481,10 @@ void TypedHCRLowering::LowerJSFastCallTargetTypeCheck(GateRef gate)
 GateRef constpool = argAcc.GetFrameArgsIn(frameState, FrameArgIdx::CONST_POOL);
 auto func = acc_.GetValueIn(gate, 0);
 auto methodIndex = acc_.GetValueIn(gate, 1);
- GateRef isObj = builder_.TaggedIsHeapObject(func);
+ builder_.HeapObjectCheck(func, frameState);
 GateRef funcMethodTarget = builder_.GetMethodFromFunction(func);
 GateRef methodTarget = builder_.GetValueFromTaggedArray(constpool, methodIndex);
- GateRef check = builder_.BoolAnd(isObj, builder_.Equal(funcMethodTarget, methodTarget));
+ GateRef check = builder_.Equal(funcMethodTarget, methodTarget);
 builder_.DeoptCheck(check, frameState, DeoptType::NOTJSFASTCALLTGT1);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
@@ -1504,9 +1504,9 @@ void TypedHCRLowering::LowerJSNoGCCallThisTargetTypeCheck(GateRef gate)
 Environment env(gate, circuit_, &builder_);
 GateRef frameState = GetFrameState(gate);
 auto func = acc_.GetValueIn(gate, 0);
- GateRef isObj = builder_.TaggedIsHeapObject(func);
+ builder_.HeapObjectCheck(func, frameState);
 GateRef methodId = builder_.GetMethodId(func);
- GateRef check = builder_.BoolAnd(isObj, builder_.Equal(methodId, acc_.GetValueIn(gate, 1)));
+ GateRef check = builder_.Equal(methodId, acc_.GetValueIn(gate, 1));
 builder_.DeoptCheck(check, frameState, DeoptType::NOTJSCALLTGT4);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
@@ -1526,9 +1526,9 @@ void TypedHCRLowering::LowerJSNoGCFastCallThisTargetTypeCheck(GateRef gate)
 Environment env(gate, circuit_, &builder_);
 GateRef frameState = GetFrameState(gate);
 auto func = acc_.GetValueIn(gate, 0);
- GateRef isObj = builder_.TaggedIsHeapObject(func);
+ builder_.HeapObjectCheck(func, frameState);
 GateRef methodId = builder_.GetMethodId(func);
- GateRef check = builder_.BoolAnd(isObj, builder_.Equal(methodId, acc_.GetValueIn(gate, 1)));
+ GateRef check = builder_.Equal(methodId, acc_.GetValueIn(gate, 1));
 builder_.DeoptCheck(check, frameState, DeoptType::NOTJSFASTCALLTGT3);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
@@ -1538,10 +1538,9 @@ void TypedHCRLowering::LowerJSNewObjRangeCallTargetCheck(GateRef gate)
 Environment env(gate, circuit_, &builder_);
 GateRef frameState = GetFrameState(gate);
 auto ctor = acc_.GetValueIn(gate, 0);
- GateRef isObj = builder_.TaggedIsHeapObject(ctor);
+ builder_.HeapObjectCheck(ctor, frameState);
 GateRef isJsFunc = builder_.IsJSFunction(ctor);
- GateRef check = builder_.BoolAnd(isObj, isJsFunc);
- builder_.DeoptCheck(check, frameState, DeoptType::NOTJSNEWCALLTGT);
+ builder_.DeoptCheck(isJsFunc, frameState, DeoptType::NOTJSNEWCALLTGT);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
 
@@ -1563,11 +1562,10 @@ void TypedHCRLowering::LowerJSInlineTargetTypeCheck(GateRef gate)
 Environment env(gate, circuit_, &builder_);
 GateRef frameState = GetFrameState(gate);
 auto func = acc_.GetValueIn(gate, 0);
- GateRef isObj = builder_.TaggedIsHeapObject(func);
+ builder_.HeapObjectCheck(func, frameState);
 GateRef isJsFunc = builder_.IsJSFunction(func);
- GateRef checkFunc = builder_.BoolAnd(isObj, isJsFunc);
 GateRef GetMethodId = builder_.GetMethodId(func);
- GateRef check = builder_.BoolAnd(checkFunc, builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1)));
+ GateRef check = builder_.BoolAnd(isJsFunc, builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1)));
 builder_.DeoptCheck(check, frameState, DeoptType::INLINEFAIL1);
 acc_.ReplaceGate(gate, builder_.GetState(), builder_.GetDepend(), Circuit::NullGate());
 }
diff --git a/test/aottest/calls/calls.ts b/test/aottest/calls/calls.ts
index f1ad1b8761..7276743eaa 100644
--- a/test/aottest/calls/calls.ts
+++ b/test/aottest/calls/calls.ts
@@ -208,4 +208,13 @@ function fooo(a, b, ...args) {
 fooo(1);
 fooo(1, 2);
 fooo(1, 2, 3);
-fooo(1, 2, 3, 4, 5);
\ No newline at end of file
+fooo(1, 2, 3, 4, 5);
+
+async function f206(a207, a208, a209) {
+ let v210;
+ try {v210 = a208(a207, a209, 2); } catch (e) { print(e instanceof TypeError) }
+ await v210;
+ return v210;
+}
+// @ts-ignore
+f206(1, f206);
diff --git a/test/aottest/calls/expect_output.txt b/test/aottest/calls/expect_output.txt
index 400c7e9bf5..0ea8d5d3b1 100644
--- a/test/aottest/calls/expect_output.txt
+++ b/test/aottest/calls/expect_output.txt
@@ -93,3 +93,4 @@ C
 9
 10
 undefined
+true
-- 
Gitee
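Review bot: In the LowerJSInlineTargetTypeCheck hunk the `isJsFunc` result is only folded into the final BoolAnd, so `builder_.GetMethodId(func)` on the line between still runs on any heap object before the DeoptCheck, whereas the LowerJSNewObjRangeCallTargetCheck hunk deopts on IsJSFunction directly and thereby keeps every later read behind the type guard. Mirroring that here means emitting `builder_.DeoptCheck(isJsFunc, frameState, DeoptType::INLINEFAIL1);` before the GetMethodId line and reducing the final check to `GateRef check = builder_.Equal(GetMethodId, acc_.GetValueIn(gate, 1));`; whether INLINEFAIL1 may serve both deopts or a dedicated type is preferred is a project choice I cannot judge from this hunk. Separately, the local `GetMethodId` is named like a member call; `methodId`, as the two NoGC hunks spell it, reads better. The function's body starts before this hunk.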
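Review bot: The new f206 regression case carries no comment explaining how it reaches the fixed check, and the path is indirect: `f206(1, f206)` makes the inner `a208(a207, a209, 2)` call f206 again with a208 bound to `undefined`, and that second call is the one whose callee is not a heap object and must end in the TypeError the catch prints. A one-line comment above `async function f206`, such as `// I9THNI: the nested call receives undefined as a208; the AOT call-target check must deopt instead of reading it as a function`, would save the next reader that trace. I am inferring the intended path from the single `true` line added to expect_output.txt, which matches one caught TypeError.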