From 200fd550f523cfc6afb3073da463046744142868 Mon Sep 17 00:00:00 2001
From: Victor Gomes <victorgomes@chromium.org>
Date: Fri, 16 Jul 2021 12:14:49 +0200
Subject: [PATCH] [builtins] FastJSArrayForConcat as subtype of
 FastJSArrayForCopy

This fixes 2 cluster fuzz bugs.

Bug: chromium:1229885, chromium:1229813
Change-Id: Icc2738d7fac35f36f50bd2e723ac8ab4add40068
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034742
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Commit-Queue: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75751}
---
 src/builtins/array-concat.tq                  | 2 +-
 src/builtins/cast.tq                          | 4 ++--
 src/objects/js-array.tq                       | 6 +++---
 test/mjsunit/regress/regress-crbug-1113085.js | 9 +++++++++
 4 files changed, 15 insertions(+), 6 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-1113085.js

diff --git a/src/builtins/array-concat.tq b/src/builtins/array-concat.tq
index ceec4ab024..5eb66e6ce8 100644
--- a/src/builtins/array-concat.tq
+++ b/src/builtins/array-concat.tq
@@ -12,7 +12,7 @@ ArrayPrototypeConcat(
   // Fast path if we invoke as `x.concat()`.
   if (arguments.length == 0) {
     typeswitch (receiver) {
-      case (a: FastJSArrayForCopy): {
+      case (a: FastJSArrayForConcat): {
         return CloneFastJSArray(context, a);
       }
       case (JSAny): {
diff --git a/src/builtins/cast.tq b/src/builtins/cast.tq
index 143025cf33..b12ea5d9fe 100644
--- a/src/builtins/cast.tq
+++ b/src/builtins/cast.tq
@@ -547,6 +547,7 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
     FastJSArrayForCopy
     labels CastError {
   if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
+  // TODO(victorgomes): Check if we can cast from FastJSArrayForRead instead.
   const a = Cast<FastJSArray>(o) otherwise CastError;
   return %RawDownCast<FastJSArrayForCopy>(a);
 }
@@ -554,9 +555,8 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
 Cast<FastJSArrayForConcat>(implicit context: Context)(o: HeapObject):
     FastJSArrayForConcat
     labels CastError {
-  if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
   if (IsIsConcatSpreadableProtectorCellInvalid()) goto CastError;
-  const a = Cast<FastJSArrayForRead>(o) otherwise CastError;
+  const a = Cast<FastJSArrayForCopy>(o) otherwise CastError;
   return %RawDownCast<FastJSArrayForConcat>(a);
 }
 
diff --git a/src/objects/js-array.tq b/src/objects/js-array.tq
index 2d3c6d57fb..b7b0e6c68c 100644
--- a/src/objects/js-array.tq
+++ b/src/objects/js-array.tq
@@ -66,9 +66,9 @@ transient type FastJSArrayForRead extends JSArray;
 // A FastJSArray when the global ArraySpeciesProtector is not invalidated.
 transient type FastJSArrayForCopy extends FastJSArray;
 
-// A FastJSArray when the global ArraySpeciesProtector and
-// IsConcatSpreadableProtector are not invalidated.
-transient type FastJSArrayForConcat extends FastJSArrayForRead;
+// A FastJSArrayForCopy when the global IsConcatSpreadableProtector is not
+// invalidated.
+transient type FastJSArrayForConcat extends FastJSArrayForCopy;
 
 // A FastJSArray when the global ArrayIteratorProtector is not invalidated.
 transient type FastJSArrayWithNoCustomIteration extends FastJSArray;
diff --git a/test/mjsunit/regress/regress-crbug-1113085.js b/test/mjsunit/regress/regress-crbug-1113085.js
new file mode 100644
index 0000000000..1748e46b53
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-1113085.js
@@ -0,0 +1,9 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --force-slow-path
+
+let obj = [1, 2, 3];
+obj[Symbol.isConcatSpreadable] = false;
+assertEquals([obj], obj.concat());