From 89e5792d60a9c8db67efeef58b03aa886c11c60b Mon Sep 17 00:00:00 2001
From: Jakob Kummerow
Date: Thu, 10 Aug 2017 10:52:47 -0700
Subject: [PATCH] [tests] Make %NeverOptimizeFunction ClusterFuzz safe

It expected its argument to be a JSFunction, but fuzzer tests can pass anything. Non-JSFunction arguments should just silently be ignored, just like similar CF-whitelisted runtime functions do.

Bug: chromium:754177
Change-Id: I41b29528bbe72f24b3d84f021b22602160769d26
Reviewed-on: https://chromium-review.googlesource.com/610706
Reviewed-by: Michael Starzinger
Commit-Queue: Jakob Kummerow
Cr-Commit-Position: refs/heads/master@{#47316}
---
 src/runtime/runtime-test.cc | 8 +++++++-
 test/mjsunit/regress/regress-crbug-754177.js | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-754177.js

diff --git a/src/runtime/runtime-test.cc b/src/runtime/runtime-test.cc
index 7c0eb6999c..b4efdad828 100644
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -314,7 +314,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
 RUNTIME_FUNCTION(Runtime_NeverOptimizeFunction) {
   HandleScope scope(isolate);
   DCHECK_EQ(1, args.length());
-  CONVERT_ARG_CHECKED(JSFunction, function, 0);
+  // This function is used by fuzzers to get coverage for optimizations
+  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
+  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
+  if (!function_object->IsJSFunction()) {
+    return isolate->heap()->undefined_value();
+  }
+  Handle function = Handle::cast(function_object);
   function->shared()->DisableOptimization(kOptimizationDisabledForTest);
   return isolate->heap()->undefined_value();
 }
diff --git a/test/mjsunit/regress/regress-crbug-754177.js b/test/mjsunit/regress/regress-crbug-754177.js
new file mode 100644
index 0000000000..1c105a3bf2
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-754177.js
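Review bot: As rendered, the added line `Handle function = Handle::cast(function_object);` has lost its template arguments — most likely `<JSFunction>` was stripped as HTML during extraction — and would not compile in this form; the intended line is almost certainly `Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);`. The new comment also says the early return avoids "runtime errors", but what it actually replaces is the CHECK-failure crash that `CONVERT_ARG_CHECKED(JSFunction, ...)` produced on a wrong-typed argument; I would word it `// Fuzzers call this with arbitrary values; silently ignore anything that is not a JSFunction instead of CHECK-failing on the argument type.` Note that `IsJSFunction()` is presumably also false for bound functions and proxies wrapping a function, so those callables are ignored too — acceptable for a test-only native, but worth a clause in the comment. The surviving `DCHECK_EQ(1, args.length())` is compiled out in release builds; arity appears to be enforced by the natives-syntax parser instead (the new regression test expects a SyntaxError for the zero-argument call), so that looks fine as long as this native stays behind `--allow-natives-syntax`.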
@@ -0,0 +1,12 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Do not crash on non-JSFunction input.
+%NeverOptimizeFunction(undefined);
+%NeverOptimizeFunction(true);
+%NeverOptimizeFunction(1);
+%NeverOptimizeFunction({});
+assertThrows("%NeverOptimizeFunction()", SyntaxError);
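Review bot: The test pins the non-JSFunction path only for primitives and a plain object; `null`, a string, and — more importantly — callables that are not JSFunctions are not covered, so a later change that loosened the guard from `IsJSFunction()` to `IsCallable()` would go unnoticed. I would add `%NeverOptimizeFunction(null);`, `%NeverOptimizeFunction(function(){}.bind(null));` and `%NeverOptimizeFunction(new Proxy(function(){}, {}));`. A positive case would also help: the file currently only asserts that nothing crashes, so calling the native on a real function and checking with the harness's `assertUnoptimized` (if it is reliable under this file's flags) that optimization really is disabled would guard the behavior the native exists for.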