[test] Expose %PretenureAllocationSite to fuzzer

Make %PretenureAllocationSite more resilient to fuzzer inputs/configs and allow it for fuzzing. Bug: chromium:1200724 Change-Id: I541b1410ab1719b478c4ad9516dc350fec02fbba Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883783Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/master@{#74479}

[test] Expose %PretenureAllocationSite to fuzzer
Make %PretenureAllocationSite more resilient to fuzzer inputs/configs and allow it for fuzzing. Bug: chromium:1200724 Change-Id: I541b1410ab1719b478c4ad9516dc350fec02fbba Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883783Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/master@{#74479}
e1ce9f40 · Patrick Thier · V8 LUCI CQ · 11df6ed1 · e1ce9f40 · e1ce9f40
Commit e1ce9f40 authored May 10, 2021 by Patrick Thier Committed by V8 LUCI CQ May 10, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

runtime-test.cc src/runtime/runtime-test.cc +13 -4

runtime.cc src/runtime/runtime.cc +1 -0

No files found.
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -42,6 +42,11 @@ V8_WARN_UNUSED_RESULT Object CrashUnlessFuzzing(Isolate* isolate) {
  return ReadOnlyRoots(isolate).undefined_value();
 }

+// Returns |value| unless fuzzing is enabled, otherwise returns undefined_value.
+V8_WARN_UNUSED_RESULT Object ReturnFuzzSafe(Object value, Isolate* isolate) {
+  return FLAG_fuzzing ? ReadOnlyRoots(isolate).undefined_value() : value;
+}
+
 // Assert that the given argument is a number within the Int32 range
 // and convert it to int32_t.  If the argument is not an Int32 we crash if not
 // in fuzzing mode.
@@ -1032,15 +1037,19 @@ RUNTIME_FUNCTION(Runtime_InYoungGeneration) {
 RUNTIME_FUNCTION(Runtime_PretenureAllocationSite) {
  DisallowGarbageCollection no_gc;

-  DCHECK_EQ(1, args.length());
-  CONVERT_ARG_CHECKED(JSObject, object, 0);
+  if (args.length() != 1) return CrashUnlessFuzzing(isolate);
+  CONVERT_ARG_CHECKED(Object, arg, 0);
+  if (!arg.IsJSObject()) return CrashUnlessFuzzing(isolate);
+  JSObject object = JSObject::cast(arg);
+
  Heap* heap = object.GetHeap();
  AllocationMemento memento =
      heap->FindAllocationMemento<Heap::kForRuntime>(object.map(), object);
-  if (memento.is_null()) return ReadOnlyRoots(isolate).false_value();
+  if (memento.is_null())
+    return ReturnFuzzSafe(ReadOnlyRoots(isolate).false_value(), isolate);
  AllocationSite site = memento.GetAllocationSite();
  heap->PretenureAllocationSiteOnNextCollection(site);
-  return ReadOnlyRoots(isolate).true_value();
+  return ReturnFuzzSafe(ReadOnlyRoots(isolate).true_value(), isolate);
 }

 namespace {

--- a/src/runtime/runtime.cc
+++ b/src/runtime/runtime.cc
@@ -209,6 +209,7 @@ bool Runtime::IsAllowListedForFuzzing(FunctionId id) {
    case Runtime::kOptimizeFunctionOnNextCall:
    case Runtime::kOptimizeOsr:
    case Runtime::kPrepareFunctionForOptimization:
+    case Runtime::kPretenureAllocationSite:
    case Runtime::kSetAllocationTimeout:
    case Runtime::kSimulateNewspaceFull:
      return true;