[fuzzing] Use --fuzzing flag for allowed runtime functions

This subsumes the old behavior of --allow-natives-for-fuzzing under
--fuzzing as well. Both flags are used in a redundant way in fuzz
configs. Only --allow-natives-for-fuzzing wasn't specified as a
required argument, leading to the bug below.

We still need the flag --allow-natives-for-differential-fuzzing
to allow different functions when using differential fuzzing.

Bug: chromium:1094866
Change-Id: I398791779e58ed4d80e896c1cfea343848159212
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246568
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68401}

src/flags/flag-definitions.h

@@ -1270,15 +1270,11 @@ DEFINE_IMPLICATION(trace_maps, log_code)
 
 // parser.cc
 DEFINE_BOOL(allow_natives_syntax, false, "allow natives syntax")
-DEFINE_BOOL(allow_natives_for_fuzzing, false,
-            "allow only natives explicitly whitelisted for fuzzers")
 DEFINE_BOOL(allow_natives_for_differential_fuzzing, false,
             "allow only natives explicitly whitelisted for differential "
             "fuzzers")
 DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, allow_natives_syntax)
-DEFINE_IMPLICATION(allow_natives_for_fuzzing, allow_natives_syntax)
+DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, fuzzing)
-DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing,
-                   allow_natives_for_fuzzing)
 DEFINE_BOOL(parse_only, false, "only parse the sources")
 
 // simulator-arm.cc, simulator-arm64.cc and simulator-mips.cc

src/parsing/parser.cc

@@ -357,8 +357,8 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
   const Runtime::Function* function =
       Runtime::FunctionForName(name->raw_data(), name->length());
 
-  // Be more premissive when fuzzing. Intrinsics are not supported.
+  // Be more permissive when fuzzing. Intrinsics are not supported.
-  if (FLAG_allow_natives_for_fuzzing) {
+  if (FLAG_fuzzing) {
     return NewV8RuntimeFunctionForFuzzing(function, args, pos);
   }
 
@@ -392,7 +392,7 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
 Expression* Parser::NewV8RuntimeFunctionForFuzzing(
     const Runtime::Function* function, const ScopedPtrList<Expression>& args,
     int pos) {
-  CHECK(FLAG_allow_natives_for_fuzzing);
+  CHECK(FLAG_fuzzing);
 
   // Intrinsics are not supported for fuzzing. Only allow whitelisted runtime
   // functions. Also prevent later errors due to too few arguments and just

src/runtime/runtime.cc

@@ -193,7 +193,7 @@ bool Runtime::MayAllocate(FunctionId id) {
 }
 
 bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
-  CHECK(FLAG_allow_natives_for_fuzzing);
+  CHECK(FLAG_fuzzing);
   switch (id) {
     // Runtime functions whitelisted for all fuzzers. Only add functions that
     // help increase coverage.

test/mjsunit/call-intrinsic-fuzzing.js

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --allow-natives-for-fuzzing --fuzzing
+// Flags: --allow-natives-syntax --fuzzing
 
 // Test whitelisted/blacklisted intrinsics in the context of fuzzing.
 

test/mjsunit/regress/regress-crbug-754177.js

@@ -9,7 +9,7 @@
 %NeverOptimizeFunction(true);
 %NeverOptimizeFunction(1);
 %NeverOptimizeFunction({});
-assertThrows("%NeverOptimizeFunction()", SyntaxError);
+%NeverOptimizeFunction();
 
 %PrepareFunctionForOptimization(print);
 %OptimizeFunctionOnNextCall(print);