[runtime] Harden OptimizeFunctionOnNextCall

Ignore invalid input for all arguments of OptimizeFunctionOnNextCall potentially produced by fuzzers. Bug: chromium:901645 Change-Id: Ic185812c228a92f8dbb48212c45685bd14892947 Reviewed-on: https://chromium-review.googlesource.com/c/1317567Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#57234}

[runtime] Harden OptimizeFunctionOnNextCall
Ignore invalid input for all arguments of OptimizeFunctionOnNextCall potentially produced by fuzzers. Bug: chromium:901645 Change-Id: Ic185812c228a92f8dbb48212c45685bd14892947 Reviewed-on: https://chromium-review.googlesource.com/c/1317567Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#57234}
7621325d · Camillo Bruni · Commit Bot · f86ee274 · 7621325d
Commit 7621325d authored Nov 05, 2018 by Camillo Bruni Committed by Commit Bot Nov 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

runtime-test.cc src/runtime/runtime-test.cc +7 -2

No files found.
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -240,8 +240,13 @@ RUNTIME_FUNCTION(Runtime_OptimizeFunctionOnNextCall) {

  ConcurrencyMode concurrency_mode = ConcurrencyMode::kNotConcurrent;
  if (args.length() == 2) {
-    CONVERT_ARG_HANDLE_CHECKED(String, type, 1);
-    if (type->IsOneByteEqualTo(STATIC_CHAR_VECTOR("concurrent")) &&
+    // Ignore invalid inputs produced by fuzzers.
+    CONVERT_ARG_HANDLE_CHECKED(Object, type, 1);
+    if (!type->IsString()) {
+      return ReadOnlyRoots(isolate).undefined_value();
+    }
+    if (Handle<String>::cast(type)->IsOneByteEqualTo(
+            STATIC_CHAR_VECTOR("concurrent")) &&
        isolate->concurrent_recompilation_enabled()) {
      concurrency_mode = ConcurrencyMode::kConcurrent;
    }