[runtime-test] Check if argument passed to %OptimizeOsr is smi

Check that the argument passed to %OptimizeOsr is smi before accessing it. If it isn't an Smi we crash unless we are fuzzing. When fuzzing, this returns early (turns into a Nop) if the argument isn't an Smi. Bug: chromium:1071045 Change-Id: Iff1ee3e368dfffdbbbab4107dc355d5460b996e9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2150602 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67195}

[runtime-test] Check if argument passed to %OptimizeOsr is smi
Check that the argument passed to %OptimizeOsr is smi before accessing it. If it isn't an Smi we crash unless we are fuzzing. When fuzzing, this returns early (turns into a Nop) if the argument isn't an Smi. Bug: chromium:1071045 Change-Id: Iff1ee3e368dfffdbbbab4107dc355d5460b996e9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2150602 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67195}
ca4b275e · Mythri A · Commit Bot · 1d0ec7b1 · ca4b275e
Commit ca4b275e authored Apr 16, 2020 by Mythri A Committed by Commit Bot Apr 17, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

runtime-test.cc src/runtime/runtime-test.cc +5 -1

No files found.
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -399,7 +399,11 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
  Handle<JSFunction> function;

  // The optional parameter determines the frame being targeted.
-  int stack_depth = args.length() == 1 ? args.smi_at(0) : 0;
+  int stack_depth = 0;
+  if (args.length() == 1) {
+    if (!args[0].IsSmi()) return CrashUnlessFuzzing(isolate);
+    stack_depth = args.smi_at(0);
+  }

  // Find the JavaScript function on the top of the stack.
  JavaScriptFrameIterator it(isolate);