Allow only JSFunction/JSBoundFunction in d8.test.verifySourcePositions

Explicitly check for JSFunction or JSBoundFunction and throw if any other
JS type is passed to d8.test.verifySourcePositions.

Bug: chromium:1195717
Change-Id: Id65875526d5d6b3f720850d41d0a8192ec407035
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807607
Auto-Submit: Patrick Thier <pthier@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73811}

src/d8/d8.cc

@@ -1814,12 +1814,14 @@ void Shell::LogGetAndStop(const v8::FunctionCallbackInfo<v8::Value>& args) {
 void Shell::TestVerifySourcePositions(
     const v8::FunctionCallbackInfo<v8::Value>& args) {
   Isolate* isolate = args.GetIsolate();
-  if (args.Length() != 1 || !args[0]->IsFunction()) {
+  // Check if the argument is a valid function.
+  if (args.Length() != 1 ||
+      !i::Handle<i::HeapObject>::cast(Utils::OpenHandle(*args[0]))
+           ->IsJSFunctionOrBoundFunction()) {
     Throw(isolate, "Expected function as single argument.");
     return;
   }
   Local<Value> arg_fun = args[0];
-  while (arg_fun->IsProxy()) arg_fun = arg_fun.As<Proxy>()->GetTarget();
 
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   HandleScope handle_scope(isolate);

test/mjsunit/baseline/verify-bytecode-offsets.js

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --always-sparkplug
+// Flags: --always-sparkplug --allow-natives-syntax
 
 // This test mainly exists to make ClusterFuzz aware of
 // d8.test.verifySourcePositions.
@@ -30,4 +30,6 @@ foo(obj, obj);
 
 d8.test.verifySourcePositions(foo);
 
-d8.test.verifySourcePositions(new Proxy(foo, {}));
+// Make sure invalid calls throw.
+assertThrows(() => {d8.test.verifySourcePositions(new Proxy(foo, {}))});
+assertThrows(() => {d8.test.verifySourcePositions(%GetUndetectable())});