From c5728f9b31680ffe8047c707906402106e6263c6 Mon Sep 17 00:00:00 2001
From: Artem Udovichenko <artem.udovichenko@huawei.com>
Date: Thu, 24 Nov 2022 15:53:24 +0300
Subject: [PATCH] Fix using a raw pointer after GC in typed_array_helper.cpp

Change-Id: I8a03e27b673f82d176277c0574f51e49955fc5f1
Signed-off-by: Artem Udovichenko <artem.udovichenko@huawei.com>
---
 runtime/base/typed_array_helper.cpp       | 10 +++++-----
 runtime/builtins/builtins_arraybuffer.cpp |  4 ++--
 runtime/builtins/builtins_arraybuffer.h   |  4 ++--
 runtime/builtins/builtins_dataview.cpp    |  2 +-
 runtime/builtins/builtins_typedarray.cpp  | 15 +++++++--------
 runtime/js_typed_array.cpp                |  2 +-
 6 files changed, 18 insertions(+), 19 deletions(-)

diff --git a/runtime/base/typed_array_helper.cpp b/runtime/base/typed_array_helper.cpp
index 436871d03..bb191f07b 100644
--- a/runtime/base/typed_array_helper.cpp
+++ b/runtime/base/typed_array_helper.cpp
@@ -204,12 +204,12 @@ JSTaggedValue TypedArrayHelper::CreateFromTypedArray(EcmaRuntimeCallInfo *argv,
     // 16. If IsSharedArrayBuffer(srcData) is false, then
     //   a. Let bufferConstructor be ? SpeciesConstructor(srcData, %ArrayBuffer%).
 
-    JSTaggedValue data;
+    JSMutableHandle<JSTaggedValue> data(thread, JSTaggedValue::Undefined());
     // 18. If elementType is the same as srcType, then
     //   a. Let data be ? CloneArrayBuffer(srcData, srcByteOffset, byteLength, bufferConstructor).
     if (elementType == srcType) {
-        data =
-            BuiltinsArrayBuffer::CloneArrayBuffer(thread, srcData, srcByteOffset, globalConst->GetHandledUndefined());
+        data.Update(
+            BuiltinsArrayBuffer::CloneArrayBuffer(thread, srcData, srcByteOffset, globalConst->GetHandledUndefined()));
         RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
     } else {
         // 19. Else,
@@ -217,7 +217,7 @@ JSTaggedValue TypedArrayHelper::CreateFromTypedArray(EcmaRuntimeCallInfo *argv,
         JSHandle<JSTaggedValue> bufferConstructor =
             JSObject::SpeciesConstructor(thread, JSHandle<JSObject>(srcData), env->GetArrayBufferFunction());
         RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
-        data = BuiltinsArrayBuffer::AllocateArrayBuffer(thread, bufferConstructor, byteLength);
+        data.Update(BuiltinsArrayBuffer::AllocateArrayBuffer(thread, bufferConstructor, byteLength));
         RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
         //   b. If IsDetachedBuffer(srcData) is true, throw a TypeError exception.
         if (BuiltinsArrayBuffer::IsDetachedBuffer(srcData.GetTaggedValue())) {
@@ -248,7 +248,7 @@ JSTaggedValue TypedArrayHelper::CreateFromTypedArray(EcmaRuntimeCallInfo *argv,
     // 20. Set O’s [[ByteLength]] internal slot to byteLength.
     // 21. Set O’s [[ByteOffset]] internal slot to 0.
     // 22. Set O’s [[ArrayLength]] internal slot to elementLength.
-    JSTypedArray::Cast(*obj)->SetViewedArrayBuffer(thread, data);
+    JSTypedArray::Cast(*obj)->SetViewedArrayBuffer(thread, data.GetTaggedValue());
     JSTypedArray::Cast(*obj)->SetByteLength(thread, JSTaggedValue(byteLength));
     JSTypedArray::Cast(*obj)->SetByteOffset(thread, JSTaggedValue(0));
     JSTypedArray::Cast(*obj)->SetArrayLength(thread, JSTaggedValue(elementLength));
diff --git a/runtime/builtins/builtins_arraybuffer.cpp b/runtime/builtins/builtins_arraybuffer.cpp
index a39a09758..b38235ffe 100644
--- a/runtime/builtins/builtins_arraybuffer.cpp
+++ b/runtime/builtins/builtins_arraybuffer.cpp
@@ -363,11 +363,11 @@ JSTaggedValue BuiltinsArrayBuffer::GetValueFromBuffer(JSThread *thread, JSTagged
 }
 
 // 24.1.1.6
-JSTaggedValue BuiltinsArrayBuffer::SetValueInBuffer(JSThread *thread, JSTaggedValue arrBuf, int32_t byteIndex,
+JSTaggedValue BuiltinsArrayBuffer::SetValueInBuffer(JSThread *thread, JSHandle<JSTaggedValue> arrBuf, int32_t byteIndex,
                                                     DataViewType type, const JSHandle<JSTaggedValue> &value,
                                                     bool littleEndian)
 {
-    JSArrayBuffer *jsArrayBuffer = JSArrayBuffer::Cast(arrBuf.GetTaggedObject());
+    JSArrayBuffer *jsArrayBuffer = JSArrayBuffer::Cast(arrBuf->GetTaggedObject());
     JSTaggedValue data = jsArrayBuffer->GetArrayBufferData();
     void *pointer = JSNativePointer::Cast(data.GetTaggedObject())->GetExternalPointer();
     auto *block = reinterpret_cast<uint8_t *>(pointer);
diff --git a/runtime/builtins/builtins_arraybuffer.h b/runtime/builtins/builtins_arraybuffer.h
index 7b06a85c1..dc20d1ae7 100644
--- a/runtime/builtins/builtins_arraybuffer.h
+++ b/runtime/builtins/builtins_arraybuffer.h
@@ -64,8 +64,8 @@ public:
     static JSTaggedValue GetValueFromBuffer(JSThread *thread, JSTaggedValue arrBuf, int32_t byteIndex,
                                             DataViewType type, bool littleEndian);
     // 24.1.1.6 SetValueInBuffer ( arrayBuffer, byteIndex, type, value, isLittleEndian )
-    static JSTaggedValue SetValueInBuffer(JSThread *thread, JSTaggedValue arrBuf, int32_t byteIndex, DataViewType type,
-                                          const JSHandle<JSTaggedValue> &value, bool littleEndian);
+    static JSTaggedValue SetValueInBuffer(JSThread *thread, JSHandle<JSTaggedValue> arrBuf, int32_t byteIndex,
+                                          DataViewType type, const JSHandle<JSTaggedValue> &value, bool littleEndian);
     // 24.1.1.4 CloneArrayBuffer( srcBuffer, srcByteOffset [, cloneConstructor] )
     static JSTaggedValue CloneArrayBuffer(JSThread *thread, const JSHandle<JSTaggedValue> &srcBuffer,
                                           int32_t srcByteOffset, JSHandle<JSTaggedValue> constructor);
diff --git a/runtime/builtins/builtins_dataview.cpp b/runtime/builtins/builtins_dataview.cpp
index b099edfb8..64925d13d 100644
--- a/runtime/builtins/builtins_dataview.cpp
+++ b/runtime/builtins/builtins_dataview.cpp
@@ -451,7 +451,7 @@ JSTaggedValue BuiltinsDataView::SetViewValue(JSThread *thread, const JSHandle<JS
     {
         // We use buffer without handle and GC can move it. So we have to get buffer each time.
         // To make developer get buffer each time use scope and don't populate buffer into function's scope.
-        JSTaggedValue buffer = dataView->GetViewedArrayBuffer();
+        JSHandle<JSTaggedValue> buffer(thread, dataView->GetViewedArrayBuffer());
         // 15. Return SetValueFromBuffer(buffer, bufferIndex, type, value, isLittleEndian).
         return BuiltinsArrayBuffer::SetValueInBuffer(thread, buffer, bufferIndex, type, numVal, isLittleEndian);
     }
diff --git a/runtime/builtins/builtins_typedarray.cpp b/runtime/builtins/builtins_typedarray.cpp
index 876738a5d..7e4835c08 100644
--- a/runtime/builtins/builtins_typedarray.cpp
+++ b/runtime/builtins/builtins_typedarray.cpp
@@ -1035,8 +1035,8 @@ JSTaggedValue BuiltinsTypedArray::Set(EcmaRuntimeCallInfo *argv)
                 kNumberHandle.Update(JSTaggedValue::ToNumber(thread, kValue));
             }
             RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
-            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer.GetTaggedValue(), targetByteIndex, targetType,
-                                                  kNumberHandle, true);
+            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer, targetByteIndex, targetType, kNumberHandle,
+                                                  true);
             RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
             k++;
             targetByteIndex = targetByteIndex + targetElementSize;
@@ -1101,8 +1101,7 @@ JSTaggedValue BuiltinsTypedArray::Set(EcmaRuntimeCallInfo *argv)
             JSTaggedValue taggedData =
                 BuiltinsArrayBuffer::GetValueFromBuffer(thread, srcBuffer, srcByteIndex, srcType, true);
             value.Update(taggedData);
-            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer.GetTaggedValue(), targetByteIndex, targetType,
-                                                  value, true);
+            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer, targetByteIndex, targetType, value, true);
             RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
             srcByteIndex = srcByteIndex + srcElementSize;
             targetByteIndex = targetByteIndex + targetElementSize;
@@ -1123,8 +1122,8 @@ JSTaggedValue BuiltinsTypedArray::Set(EcmaRuntimeCallInfo *argv)
                 // SUPPRESS_CSA_NEXTLINE(alpha.core.WasteObjHeader)
                 BuiltinsArrayBuffer::GetValueFromBuffer(thread, srcBuffer, srcByteIndex, DataViewType::UINT8, true);
             value.Update(taggedData);
-            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer.GetTaggedValue(), targetByteIndex,
-                                                  DataViewType::UINT8, value, true);
+            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer, targetByteIndex, DataViewType::UINT8, value,
+                                                  true);
             RETURN_EXCEPTION_IF_ABRUPT_COMPLETION(thread);
             srcByteIndex = srcByteIndex + 1;
             targetByteIndex = targetByteIndex + 1;
@@ -1254,8 +1253,8 @@ JSTaggedValue BuiltinsTypedArray::Slice(EcmaRuntimeCallInfo *argv)
             JSTaggedValue taggedData = BuiltinsArrayBuffer::GetValueFromBuffer(thread, srcBuffer.GetTaggedValue(),
                                                                                srcByteIndex, DataViewType::UINT8, true);
             value.Update(taggedData);
-            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer.GetTaggedValue(), targetByteIndex,
-                                                  DataViewType::UINT8, value, true);
+            BuiltinsArrayBuffer::SetValueInBuffer(thread, targetBuffer, targetByteIndex, DataViewType::UINT8, value,
+                                                  true);
         }
     }
     // 23. Return A.
diff --git a/runtime/js_typed_array.cpp b/runtime/js_typed_array.cpp
index 0ec57c30f..8029c578f 100644
--- a/runtime/js_typed_array.cpp
+++ b/runtime/js_typed_array.cpp
@@ -516,7 +516,7 @@ bool JSTypedArray::IntegerIndexedElementSet(JSThread *thread, const JSHandle<JST
     {
         // We use buffer without handle and GC can move it. So we have to get buffer each time.
         // To make developer get buffer each time use scope and don't populate buffer into function's scope.
-        JSTaggedValue buffer = JSTypedArray::Cast(*typedarrayObj)->GetViewedArrayBuffer();
+        JSHandle<JSTaggedValue> buffer(thread, JSTypedArray::Cast(*typedarrayObj)->GetViewedArrayBuffer());
         BuiltinsArrayBuffer::SetValueInBuffer(thread, buffer, byteIndex, elementType, numValueHandle, true);
     }
     // 17. Return true.
-- 
Gitee