From c09beb5553939b896f0464234b628113ac3a60f0 Mon Sep 17 00:00:00 2001 From: Georg Neis Date: Wed, 15 Apr 2020 11:08:41 +0200 Subject: [PATCH] Allow fuzzing of %GetOptimizationStatus Bug: chromium:1070890 Change-Id: I62ad81b8d5bcb9934c7eda4eae595d41339adfdf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2149425 Reviewed-by: Michael Achenbach Commit-Queue: Georg Neis Auto-Submit: Georg Neis Cr-Commit-Position: refs/heads/master@{#67147} --- src/runtime/runtime-test.cc | 11 +++++++++-- src/runtime/runtime.cc | 1 + test/mjsunit/call-intrinsic-fuzzing.js | 6 +++--- 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/runtime/runtime-test.cc b/src/runtime/runtime-test.cc
index c9d7e48882..673823163e 100644
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -482,16 +482,23 @@ RUNTIME_FUNCTION(Runtime_GetOptimizationStatus) {
 CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
 if (function_object->IsUndefined()) return Smi::FromInt(status);
- CHECK(function_object->IsJSFunction());
+ if (!function_object->IsJSFunction()) return CrashUnlessFuzzing(isolate);
 Handle function = Handle::cast(function_object);
 status |= static_cast(OptimizationStatus::kIsFunction);
 bool sync_with_compiler_thread = true;
 if (args.length() == 2) {
- CONVERT_ARG_HANDLE_CHECKED(String, sync, 1);
+ CONVERT_ARG_HANDLE_CHECKED(Object, sync_object, 1);
+ if (!sync_object->IsString()) return CrashUnlessFuzzing(isolate); Handle sync = Handle::cast(sync_object);
 if (sync->IsOneByteEqualTo(StaticCharVector("no sync"))) {
 sync_with_compiler_thread = false;
+ } else if (sync->IsOneByteEqualTo(StaticCharVector("sync")) || sync->length() == 0) {
+ DCHECK(sync_with_compiler_thread);
+ } else {
+ return CrashUnlessFuzzing(isolate);
 }
 }
diff --git a/src/runtime/runtime.cc b/src/runtime/runtime.cc
index e51338ba6d..20feb57ab5 100644
--- a/src/runtime/runtime.cc
+++ b/src/runtime/runtime.cc
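Review bot: The argument count is never validated inside the hunk: the first hunk line `CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0)` indexes `args[0]` unconditionally and the only count test is `args.length() == 2`, yet once kGetOptimizationStatus is whitelisted a fuzzer can invoke it with zero or more than two arguments (the removed test line `%GetOptimizationStatus(1, 2, 3, 4)` shows such calls were already being generated) unless the intrinsic's declared arity rejects them at parse time, which is not visible here. If the lines above the hunk guard the count only with a DCHECK, a release build would index past the arguments on a zero-argument call, so I would add `if (args.length() < 1 || args.length() > 2) return CrashUnlessFuzzing(isolate);` ahead of the first CONVERT, matching the other new CrashUnlessFuzzing bailouts. Note also that `DCHECK(sync_with_compiler_thread)` in the new `else if` branch compiles out in release, so that branch silently accepts `"sync"` and the empty string; this looks intended but deserves a one-line comment such as `// "sync" and "" both keep the default (synchronous) behaviour.`. Runtime_GetOptimizationStatus starts above the hunk, where `status` is declared, and its body continues after the closing braces shown.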
@@ -201,6 +201,7 @@ bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
 case Runtime::kDeoptimizeFunction:
 case Runtime::kDeoptimizeNow:
 case Runtime::kEnableCodeLoggingForTesting:
+ case Runtime::kGetOptimizationStatus:
 case Runtime::kGetUndetectable:
 case Runtime::kNeverOptimizeFunction:
 case Runtime::kOptimizeFunctionOnNextCall:
diff --git a/test/mjsunit/call-intrinsic-fuzzing.js b/test/mjsunit/call-intrinsic-fuzzing.js
index 3945c8d49d..f76dd42d71 100644
--- a/test/mjsunit/call-intrinsic-fuzzing.js
+++ b/test/mjsunit/call-intrinsic-fuzzing.js
@@ -2,15 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-// Flags: --allow-natives-for-fuzzing
+// Flags: --allow-natives-for-fuzzing --fuzzing
 // Test whitelisted/blacklisted intrinsics in the context of fuzzing.
 // Blacklisted intrinsics are replaced with undefined.
-assertEquals(undefined, %GetOptimizationStatus(function (){}));
+assertEquals(undefined, %ConstructConsString("a", "b"));
 // Blacklisted intrinsics can have wrong arguments.
-assertEquals(undefined, %GetOptimizationStatus(1, 2, 3, 4));
+assertEquals(undefined, %ConstructConsString(1, 2, 3, 4));
 // We don't care if an intrinsic actually exists.
 assertEquals(undefined, %FooBar());
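Review bot: Every remaining CHECK in Runtime_GetOptimizationStatus becomes reachable from fuzzer-generated JavaScript once this case is added, because a whitelisted intrinsic is executed rather than replaced with undefined; the companion runtime-test.cc hunk converts only the checks within its own range, and the parts of that function outside it (the argument-count handling above and the status computation below) are not visible in this patch, so they should be audited for CHECKs or DCHECK-only validation before this lands. A short comment above the switch, e.g. `// Every intrinsic listed here must tolerate arbitrary arguments under --fuzzing (see CrashUnlessFuzzing).`, would make that invariant explicit for future additions. IsWhitelistedForFuzzing starts and ends outside the hunk.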
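Review bot: The test loses its only coverage of %GetOptimizationStatus without adding a case for its new whitelisted behaviour: after this change the intrinsic is executed under --fuzzing, and nothing here checks that malformed calls now bail out instead of crashing. Adding `assertEquals(undefined, %GetOptimizationStatus(1));` and `assertEquals(undefined, %GetOptimizationStatus(function () {}, "bogus"));` next to the new %ConstructConsString lines would pin that behaviour, assuming CrashUnlessFuzzing yields undefined under --fuzzing, which the patch implies but does not show. The new --fuzzing flag is presumably what makes those bailouts non-fatal; a brief comment on the Flags line saying so would help the next person who trims the flags.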