[builtins] FastJSArrayForConcat as subtype of FastJSArrayForCopy

This fixes 2 cluster fuzz bugs. Bug: chromium:1229885, chromium:1229813 Change-Id: Icc2738d7fac35f36f50bd2e723ac8ab4add40068 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034742 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#75751}
2021-07-16 12:14:49 +02:00 · 2021-07-16 12:14:49 +02:00 · 200fd550f5
commit 200fd550f5
parent 8b48c59dcb
4 changed files with 15 additions and 6 deletions
--- a/src/builtins/array-concat.tq
+++ b/src/builtins/array-concat.tq
@ -12,7 +12,7 @@ ArrayPrototypeConcat(
  // Fast path if we invoke as `x.concat()`.
  if (arguments.length == 0) {
    typeswitch (receiver) {
-      case (a: FastJSArrayForCopy): {
+      case (a: FastJSArrayForConcat): {
        return CloneFastJSArray(context, a);
      }
      case (JSAny): {
--- a/src/builtins/cast.tq
+++ b/src/builtins/cast.tq
@ -547,6 +547,7 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
    FastJSArrayForCopy
    labels CastError {
  if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
+  // TODO(victorgomes): Check if we can cast from FastJSArrayForRead instead.
  const a = Cast<FastJSArray>(o) otherwise CastError;
  return %RawDownCast<FastJSArrayForCopy>(a);
 }
@ -554,9 +555,8 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
 Cast<FastJSArrayForConcat>(implicit context: Context)(o: HeapObject):
    FastJSArrayForConcat
    labels CastError {
-  if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
  if (IsIsConcatSpreadableProtectorCellInvalid()) goto CastError;
-  const a = Cast<FastJSArrayForRead>(o) otherwise CastError;
+  const a = Cast<FastJSArrayForCopy>(o) otherwise CastError;
  return %RawDownCast<FastJSArrayForConcat>(a);
 }

--- a/src/objects/js-array.tq
+++ b/src/objects/js-array.tq
@ -66,9 +66,9 @@ transient type FastJSArrayForRead extends JSArray;
 // A FastJSArray when the global ArraySpeciesProtector is not invalidated.
 transient type FastJSArrayForCopy extends FastJSArray;

-// A FastJSArray when the global ArraySpeciesProtector and
-// IsConcatSpreadableProtector are not invalidated.
-transient type FastJSArrayForConcat extends FastJSArrayForRead;
+// A FastJSArrayForCopy when the global IsConcatSpreadableProtector is not
+// invalidated.
+transient type FastJSArrayForConcat extends FastJSArrayForCopy;

 // A FastJSArray when the global ArrayIteratorProtector is not invalidated.
 transient type FastJSArrayWithNoCustomIteration extends FastJSArray;
--- a/test/mjsunit/regress/regress-crbug-1113085.js
+++ b/test/mjsunit/regress/regress-crbug-1113085.js
@ -0,0 +1,9 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --force-slow-path
+
+let obj = [1, 2, 3];
+obj[Symbol.isConcatSpreadable] = false;
+assertEquals([obj], obj.concat());