[builtins] FastJSArrayForConcat as subtype of FastJSArrayForCopy

This fixes 2 cluster fuzz bugs. Bug: chromium:1229885, chromium:1229813 Change-Id: Icc2738d7fac35f36f50bd2e723ac8ab4add40068 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034742 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#75751}

[builtins] FastJSArrayForConcat as subtype of FastJSArrayForCopy
This fixes 2 cluster fuzz bugs. Bug: chromium:1229885, chromium:1229813 Change-Id: Icc2738d7fac35f36f50bd2e723ac8ab4add40068 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3034742 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#75751}
200fd550 · Victor Gomes · V8 LUCI CQ · 8b48c59d · 200fd550 · 200fd550
Commit 200fd550 authored Jul 16, 2021 by Victor Gomes Committed by V8 LUCI CQ Jul 16, 2021
Showing with 15 additions and 6 deletions

array-concat.tq src/builtins/array-concat.tq +1 -1

cast.tq src/builtins/cast.tq +2 -2

js-array.tq src/objects/js-array.tq +3 -3

regress-crbug-1113085.js test/mjsunit/regress/regress-crbug-1113085.js +9 -0

No files found.
--- a/src/builtins/array-concat.tq
+++ b/src/builtins/array-concat.tq
@@ -12,7 +12,7 @@ ArrayPrototypeConcat(
  // Fast path if we invoke as `x.concat()`.
  if (arguments.length == 0) {
    typeswitch (receiver) {
-      case (a: FastJSArrayForCopy): {
+      case (a: FastJSArrayForConcat): {
        return CloneFastJSArray(context, a);
      }
      case (JSAny): {

--- a/src/builtins/cast.tq
+++ b/src/builtins/cast.tq
@@ -547,6 +547,7 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
    FastJSArrayForCopy
    labels CastError {
  if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
+  // TODO(victorgomes): Check if we can cast from FastJSArrayForRead instead.
  const a = Cast<FastJSArray>(o) otherwise CastError;
  return %RawDownCast<FastJSArrayForCopy>(a);
 }
@@ -554,9 +555,8 @@ Cast<FastJSArrayForCopy>(implicit context: Context)(o: HeapObject):
 Cast<FastJSArrayForConcat>(implicit context: Context)(o: HeapObject):
    FastJSArrayForConcat
    labels CastError {
-  if (IsArraySpeciesProtectorCellInvalid()) goto CastError;
  if (IsIsConcatSpreadableProtectorCellInvalid()) goto CastError;
-  const a = Cast<FastJSArrayForRead>(o) otherwise CastError;
+  const a = Cast<FastJSArrayForCopy>(o) otherwise CastError;
  return %RawDownCast<FastJSArrayForConcat>(a);
 }

--- a/src/objects/js-array.tq
+++ b/src/objects/js-array.tq
@@ -66,9 +66,9 @@ transient type FastJSArrayForRead extends JSArray;
 // A FastJSArray when the global ArraySpeciesProtector is not invalidated.
 transient type FastJSArrayForCopy extends FastJSArray;
-// A FastJSArray when the global ArraySpeciesProtector and
+// A FastJSArrayForCopy when the global IsConcatSpreadableProtector is not
-// IsConcatSpreadableProtector are not invalidated.
+// invalidated.
-transient type FastJSArrayForConcat extends FastJSArrayForRead;
+transient type FastJSArrayForConcat extends FastJSArrayForCopy;
 // A FastJSArray when the global ArrayIteratorProtector is not invalidated.
 transient type FastJSArrayWithNoCustomIteration extends FastJSArray;

--- a/test/mjsunit/regress/regress-crbug-1113085.js
+++ b/test/mjsunit/regress/regress-crbug-1113085.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --force-slow-path
+let obj = [1, 2, 3];
+obj[Symbol.isConcatSpreadable] = false;
+assertEquals([obj], obj.concat());