[fastcall] Fix internal OOB in FastCAPI.fast_call_count

The fast_call_count getter in d8 was not properly initialised as throwing when called as a constructor. As a result, it was possible to pass a new object as its `this` and then attempt to "unwrap" it, resulting in reading OOB in the new object. This CL also strenghtens slow_call_count and reset_counts and adds a regression test. Bug: chromium:1241464 Change-Id: I9b6e9a4e38a974dc111a53b911c73514c30de9df Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110369Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/main@{#76426}

[fastcall] Fix internal OOB in FastCAPI.fast_call_count
The fast_call_count getter in d8 was not properly initialised as throwing when called as a constructor. As a result, it was possible to pass a new object as its `this` and then attempt to "unwrap" it, resulting in reading OOB in the new object. This CL also strenghtens slow_call_count and reset_counts and adds a regression test. Bug: chromium:1241464 Change-Id: I9b6e9a4e38a974dc111a53b911c73514c30de9df Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3110369Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/main@{#76426}
a92cba8c · Maya Lekova · V8 LUCI CQ · 0179f6a6 · a92cba8c · a92cba8c
Commit a92cba8c authored Aug 23, 2021 by Maya Lekova Committed by V8 LUCI CQ Aug 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 5 deletions

d8-test.cc src/d8/d8-test.cc +8 -5

regress-crbug-1241464.js test/mjsunit/compiler/regress-crbug-1241464.js +15 -0

No files found.
--- a/src/d8/d8-test.cc
+++ b/src/d8/d8-test.cc
@@ -631,16 +631,19 @@ Local<FunctionTemplate> Shell::CreateTestFastCApiTemplate(Isolate* isolate) {
            SideEffectType::kHasSideEffect, &is_valid_api_object_c_func));
    api_obj_ctor->PrototypeTemplate()->Set(
        isolate, "fast_call_count",
-        FunctionTemplate::New(isolate, FastCApiObject::FastCallCount,
-                              Local<Value>(), signature));
+        FunctionTemplate::New(
+            isolate, FastCApiObject::FastCallCount, Local<Value>(), signature,
+            1, ConstructorBehavior::kThrow, SideEffectType::kHasNoSideEffect));
    api_obj_ctor->PrototypeTemplate()->Set(
        isolate, "slow_call_count",
-        FunctionTemplate::New(isolate, FastCApiObject::SlowCallCount,
-                              Local<Value>(), signature));
+        FunctionTemplate::New(
+            isolate, FastCApiObject::SlowCallCount, Local<Value>(), signature,
+            1, ConstructorBehavior::kThrow, SideEffectType::kHasNoSideEffect));
    api_obj_ctor->PrototypeTemplate()->Set(
        isolate, "reset_counts",
        FunctionTemplate::New(isolate, FastCApiObject::ResetCounts,
-                              Local<Value>(), signature));
+                              Local<Value>(), signature, 1,
+                              ConstructorBehavior::kThrow));
  }
  api_obj_ctor->InstanceTemplate()->SetInternalFieldCount(
      FastCApiObject::kV8WrapperObjectIndex + 1);

--- a/test/mjsunit/compiler/regress-crbug-1241464.js
+++ b/test/mjsunit/compiler/regress-crbug-1241464.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-fast-api-calls
+
+(function() {
+  const fast_c_api = new d8.test.FastCAPI();
+  const func1 = fast_c_api.fast_call_count;
+  assertThrows(() => new func1());
+  const func2 = fast_c_api.slow_call_count;
+  assertThrows(() => new func2());
+  const func3 = fast_c_api.reset_counts;
+  assertThrows(() => new func3());
+})();