From c8e8f482f32e650aad7c8a30e859d63c7690014e Mon Sep 17 00:00:00 2001
From: Maya Lekova
Date: Wed, 21 Apr 2021 09:31:42 +0200
Subject: [PATCH] [test] Fix a crash in fast API interface types test

This CL hardens the test facility in d8 for interface types for the fast C API.

Bug: chromium:1201011
Change-Id: Ibfe1bb242f86b4a5edd0d195e049852430f8a2fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843344
Commit-Queue: Maya Lekova
Reviewed-by: Camillo Bruni
Cr-Commit-Position: refs/heads/master@{#74079}
---
 src/d8/d8-test.cc | 19 ++++++++++++-------
 .../mjsunit/compiler/regress-crbug-1201011.js | 11 +++++++++++
 .../mjsunit/compiler/regress-crbug-1201082.js | 11 +++++++++++
 3 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 test/mjsunit/compiler/regress-crbug-1201011.js
 create mode 100644 test/mjsunit/compiler/regress-crbug-1201082.js
diff --git a/src/d8/d8-test.cc b/src/d8/d8-test.cc
index 3ccef4c777..8ef31c1c65 100644
--- a/src/d8/d8-test.cc
+++ b/src/d8/d8-test.cc
@@ -122,6 +122,9 @@ class FastCApiObject {
 return false;
 }
+ if (!arg->IsObject()) {
+ return false;
+ }
 Object* object = Object::Cast(arg);
 if (!IsValidApiObject(object)) return false;
@@ -150,13 +153,15 @@ class FastCApiObject {
 "is_valid_api_object should be called with 2 arguments");
 return;
 }
- Object* object = Object::Cast(*args[1]);
- if (!IsValidApiObject(object)) {
- result = false;
- } else {
- result = PerIsolateData::Get(args.GetIsolate())
- ->GetTestApiObjectCtor()
- ->IsLeafTemplateForApiObject(object);
+ if (args[1]->IsObject()) {
+ Object* object = Object::Cast(*args[1]);
+ if (!IsValidApiObject(object)) {
+ result = false;
+ } else {
+ result = PerIsolateData::Get(args.GetIsolate())
+ ->GetTestApiObjectCtor()
+ ->IsLeafTemplateForApiObject(object);
+ }
 }
 args.GetReturnValue().Set(Boolean::New(isolate, result));
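Review bot: The `IsObject()` guard added in the first hunk of src/d8/d8-test.cc, just before `Object* object = Object::Cast(arg);`, carries no comment explaining why it must precede the cast. As far as I know `Object::Cast` only validates its argument when V8 is built with API checks enabled, so without the guard a non-object value would be reinterpreted as an `Object` and passed to `IsValidApiObject`. I would put `// Object::Cast() is unchecked in release builds; reject non-objects before casting.` above the `if`. The enclosing function starts and ends outside the hunk, so the declared type of `arg` is not visible here.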
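Review bot: In the second hunk of src/d8/d8-test.cc nothing assigns `result` when `args[1]->IsObject()` is false, so the value passed to `args.GetReturnValue().Set(...)` depends on an initializer that is declared outside the hunk. The first hunk handles the same case with an explicit `return false;`, and the inner branch here still spells out `result = false;`, which leaves the non-object path as the only implicit one. I would close the new block with `} else { result = false; }` so the outcome for a non-object argument is stated where the check is made. The callback body starts and ends outside the hunk.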
diff --git a/test/mjsunit/compiler/regress-crbug-1201011.js b/test/mjsunit/compiler/regress-crbug-1201011.js
new file mode 100644
index 0000000000..f521a60b85
--- /dev/null
+++ b/test/mjsunit/compiler/regress-crbug-1201011.js
@@ -0,0 +1,11 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-fast-api-calls
+
+const fast_c_api = new d8.test.FastCAPI();
+function foo(obj) {
+ return fast_c_api.is_fast_c_api_object(false, obj);
+}
+foo();
diff --git a/test/mjsunit/compiler/regress-crbug-1201082.js b/test/mjsunit/compiler/regress-crbug-1201082.js
new file mode 100644
index 0000000000..2ec25b3a15
--- /dev/null
+++ b/test/mjsunit/compiler/regress-crbug-1201082.js
@@ -0,0 +1,11 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-fast-api-calls
+
+const fast_c_api = new d8.test.FastCAPI();
+function foo(obj) {
+ return fast_c_api.is_fast_c_api_object(false, obj);
+}
+foo(1);
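Review bot: Both new tests, regress-crbug-1201011.js and regress-crbug-1201082.js, call `foo` exactly once and assert nothing, so they run only the unoptimized call and can detect only a hard crash. If the fast callback patched in d8-test.cc is reached only from optimized code, as the `--turbo-fast-api-calls` flag suggests, the `IsObject()` guard added there is never exercised by these files. I would add `--allow-natives-syntax` to the flags line, call `%PrepareFunctionForOptimization(foo);` before the first call and `%OptimizeFunctionOnNextCall(foo);` after it, then end with `assertFalse(foo());` in the first file and `assertFalse(foo(1));` in the second. That pins the expected `false` result for a missing and for a non-object argument on both call paths.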