OptimizeFunctionOnNextCall and DeoptimizeFunction ignores calls on non-JSFunction objects.

Runtime_OptimizeFunctionOnNextCall and Runtime_DeoptimizeFunction asserts that the argument is a JSFunction object.These are used by fuzzers to get coverage of optimizations in compiler. Having an assert causes a fuzzer test to fail when OptimizeFunctionOnNextCall is called on objects that are not functions. We can instead, silently return on such calls. BUG=chromium:601391 LOG=N Review URL: https://codereview.chromium.org/1883603002 Cr-Commit-Position: refs/heads/master@{#35539}

OptimizeFunctionOnNextCall and DeoptimizeFunction ignores calls on non-JSFunction objects.
Runtime_OptimizeFunctionOnNextCall and Runtime_DeoptimizeFunction asserts that the argument is a JSFunction object.These are used by fuzzers to get coverage of optimizations in compiler. Having an assert causes a fuzzer test to fail when OptimizeFunctionOnNextCall is called on objects that are not functions. We can instead, silently return on such calls. BUG=chromium:601391 LOG=N Review URL: https://codereview.chromium.org/1883603002 Cr-Commit-Position: refs/heads/master@{#35539}
62801ee3 · mythria · Commit bot · 09db5406 · 62801ee3
Commit 62801ee3 authored Apr 15, 2016 by mythria Committed by Commit bot Apr 15, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 2 deletions

runtime-test.cc src/runtime/runtime-test.cc +20 -2

No files found.
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -16,7 +16,16 @@ namespace internal {
 RUNTIME_FUNCTION(Runtime_DeoptimizeFunction) {
  HandleScope scope(isolate);
  DCHECK(args.length() == 1);
-  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
+
+  // This function is used by fuzzers to get coverage in compiler.
+  // Ignore calls on non-function objects to avoid runtime errors.
+  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
+  // If it is not a JSFunction, just return.
+  if (!function_object->IsJSFunction()) {
+    return isolate->heap()->undefined_value();
+  }
+  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
+
  if (!function->IsOptimized()) return isolate->heap()->undefined_value();

  // TODO(turbofan): Deoptimization is not supported yet.
@@ -84,7 +93,16 @@ RUNTIME_FUNCTION(Runtime_IsConcurrentRecompilationSupported) {
 RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {
  HandleScope scope(isolate);
  RUNTIME_ASSERT(args.length() == 1 || args.length() == 2);
-  CONVERT_ARG_HANDLE_CHECKED(JSFunction, function, 0);
+
+  // This function is used by fuzzers to get coverage for optimizations
+  // in compiler. Ignore calls on non-function objects to avoid runtime errors.
+  CONVERT_ARG_HANDLE_CHECKED(Object, function_object, 0);
+  // If it is not a JSFunction, just return.
+  if (!function_object->IsJSFunction()) {
+    return isolate->heap()->undefined_value();
+  }
+  Handle<JSFunction> function = Handle<JSFunction>::cast(function_object);
+
  // The following assertion was lifted from the DCHECK inside
  // JSFunction::MarkForOptimization().
  RUNTIME_ASSERT(function->shared()->allows_lazy_compilation() ||