Commit ca4b275e authored by Mythri A, committed by Commit Bot

[runtime-test] Check if argument passed to %OptimizeOsr is smi

Check that the argument passed to %OptimizeOsr is a Smi before accessing
it. If it isn't a Smi we crash unless we are fuzzing. When fuzzing,
this returns early (turns into a Nop) if the argument isn't a Smi.

Bug: chromium:1071045
Change-Id: Iff1ee3e368dfffdbbbab4107dc355d5460b996e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2150602
Commit-Queue: Mythri Alle <mythria@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67195}
parent 1d0ec7b1
......@@ -399,7 +399,11 @@ RUNTIME_FUNCTION(Runtime_OptimizeOsr) {
Handle<JSFunction> function;
// The optional parameter determines the frame being targeted.
int stack_depth = args.length() == 1 ? args.smi_at(0) : 0;
int stack_depth = 0;
if (args.length() == 1) {
if (!args[0].IsSmi()) return CrashUnlessFuzzing(isolate);
stack_depth = args.smi_at(0);
}
// Find the JavaScript function on the top of the stack.
JavaScriptFrameIterator it(isolate);
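Review bot: the comment `// The optional parameter determines the frame being targeted.` above the new block no longer describes the full behaviour now that a non-Smi argument takes the `CrashUnlessFuzzing(isolate)` path; extend it so the early-return semantics are documented next to the code, e.g. `// A non-Smi argument crashes, or becomes a no-op when fuzzing.` Logic-wise the guard sits correctly inside `if (args.length() == 1)`, which is the only branch that ever called `args.smi_at(0)` in the removed line, so a call with zero arguments keeps `stack_depth = 0` exactly as before, and the header's `+399,11` matches one removed and five added lines.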