Allow fuzzing of %GetOptimizationStatus

Bug: chromium:1070890 Change-Id: I62ad81b8d5bcb9934c7eda4eae595d41339adfdf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2149425 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67147}
2020-04-15 11:08:41 +02:00 · 2020-04-15 11:08:41 +02:00 · c09beb5553
commit c09beb5553
parent ad55fa63d3
3 changed files with 13 additions and 5 deletions
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@ -482,16 +482,23 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {

  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
  if (function_object->IsUndefined()) return Smi::FromInt(status);
-  CHECK(function_object->IsJSFunction());
+  if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);

  status |= static_cast<int>(OptimizationStatus::kIsFunction);

  bool sync_with_compiler_thread = true;
  if (args.length() == 2) {
-    CONVERT_ARG_HANDLE_CHECKED(String, sync, 1);
+    CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
+    if (!sync_object->IsString()) return CrashUnlessFuzzing(isolate);
+    Handle<String> sync = Handle<String>::cast(sync_object);
    if (sync->IsOneByteEqualTo(StaticCharVector("no sync"))) {
      sync_with_compiler_thread = false;
+    } else if (sync->IsOneByteEqualTo(StaticCharVector("sync")) ||
+               sync->length() == 0) {
+      DCHECK(sync_with_compiler_thread);
+    } else {
+      return CrashUnlessFuzzing(isolate);
    }
  }

--- a/src/runtime/runtime.cc
+++ b/src/runtime/runtime.cc
@ -201,6 +201,7 @@ bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
    case Runtime::kDeoptimizeFunction:
    case Runtime::kDeoptimizeNow:
    case Runtime::kEnableCodeLoggingForTesting:
+    case Runtime::kGetOptimizationStatus:
    case Runtime::kGetUndetectable:
    case Runtime::kNeverOptimizeFunction:
    case Runtime::kOptimizeFunctionOnNextCall:
--- a/test/mjsunit/call-intrinsic-fuzzing.js
+++ b/test/mjsunit/call-intrinsic-fuzzing.js
@ -2,15 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --allow-natives-for-fuzzing
+// Flags: --allow-natives-for-fuzzing --fuzzing

 // Test whitelisted/blacklisted intrinsics in the context of fuzzing.

 // Blacklisted intrinsics are replaced with undefined.
-assertEquals(undefined, %GetOptimizationStatus(function (){}));
+assertEquals(undefined, %ConstructConsString("a", "b"));

 // Blacklisted intrinsics can have wrong arguments.
-assertEquals(undefined, %GetOptimizationStatus(1, 2, 3, 4));
+assertEquals(undefined, %ConstructConsString(1, 2, 3, 4));

 // We don't care if an intrinsic actually exists.
 assertEquals(undefined, %FooBar());