[test] Fix null dererefence in d8.test.FastCAPI

This CL hardens the test function for unwrapping the C++ object to
only do so if the correct API object is passed from JS.

Bug: chromium:1201057
Change-Id: I81eb16efe2711bd788c775e3bcb712720bbe4782
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2843347Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74102}

src/d8/d8-test.cc

@@ -22,6 +22,19 @@
 namespace v8 {
 namespace {
 
+#define CHECK_SELF_OR_FALLBACK(return_value) \
+  if (!self) {                               \
+    options.fallback = 1;                    \
+    return return_value;                     \
+  }
+
+#define CHECK_SELF_OR_THROW()                                               \
+  if (!self) {                                                              \
+    args.GetIsolate()->ThrowError(                                          \
+        "This method is not defined on objects inheriting from FastCAPI."); \
+    return;                                                                 \
+  }
+
 class FastCApiObject {
  public:
   static double AddAllFastCallback(v8::Value* receiver, bool should_fallback,
@@ -31,6 +44,7 @@ class FastCApiObject {
                                    FastApiCallbackOptions& options) {
     CHECK(receiver->IsObject());
     FastCApiObject* self = UnwrapObject(Object::Cast(receiver));
+    CHECK_SELF_OR_FALLBACK(0);
     self->fast_call_count_++;
 
     if (should_fallback) {
@@ -46,6 +60,7 @@ class FastCApiObject {
     Isolate* isolate = args.GetIsolate();
 
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     self->slow_call_count_++;
 
     HandleScope handle_scope(isolate);
@@ -82,6 +97,7 @@ class FastCApiObject {
                                      FastApiCallbackOptions& options) {
     CHECK(receiver->IsObject());
     FastCApiObject* self = UnwrapObject(Object::Cast(receiver));
+    CHECK_SELF_OR_FALLBACK(0);
     self->fast_call_count_++;
 
     if (should_fallback) {
@@ -95,6 +111,7 @@ class FastCApiObject {
     Isolate* isolate = args.GetIsolate();
 
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     self->slow_call_count_++;
 
     HandleScope handle_scope(isolate);
@@ -115,6 +132,7 @@ class FastCApiObject {
                                            FastApiCallbackOptions& options) {
     CHECK(receiver->IsObject());
     FastCApiObject* self = UnwrapObject(Object::Cast(receiver));
+    CHECK_SELF_OR_FALLBACK(false);
     self->fast_call_count_++;
 
     if (should_fallback) {
@@ -143,6 +161,7 @@ class FastCApiObject {
     Isolate* isolate = args.GetIsolate();
 
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     self->slow_call_count_++;
 
     HandleScope handle_scope(isolate);
@@ -169,22 +188,26 @@ class FastCApiObject {
 
   static void FastCallCount(const FunctionCallbackInfo<Value>& args) {
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     args.GetReturnValue().Set(
         Number::New(args.GetIsolate(), self->fast_call_count()));
   }
   static void SlowCallCount(const FunctionCallbackInfo<Value>& args) {
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     args.GetReturnValue().Set(
         Number::New(args.GetIsolate(), self->slow_call_count()));
   }
   static void ResetCounts(const FunctionCallbackInfo<Value>& args) {
     FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
     self->reset_counts();
     args.GetReturnValue().Set(Undefined(args.GetIsolate()));
   }
-  static void SupportsFPParams(const FunctionCallbackInfo<Value>& info) {
-    FastCApiObject* self = UnwrapObject(*info.This());
-    info.GetReturnValue().Set(self->supports_fp_params_);
+  static void SupportsFPParams(const FunctionCallbackInfo<Value>& args) {
+    FastCApiObject* self = UnwrapObject(*args.This());
+    CHECK_SELF_OR_THROW();
+    args.GetReturnValue().Set(self->supports_fp_params_);
   }
 
   int fast_call_count() const { return fast_call_count_; }
@@ -220,6 +243,9 @@ class FastCApiObject {
 #endif  // V8_ENABLE_FP_PARAMS_IN_C_LINKAGE
 };
 
+#undef CHECK_SELF_OR_THROW
+#undef CHECK_SELF_OR_FALLBACK
+
 // The object is statically initialized for simplicity, typically the embedder
 // will take care of managing their C++ objects lifetime.
 thread_local FastCApiObject kFastCApiObject;

test/mjsunit/compiler/regress-crbug-1201057.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-fast-api-calls
+
+const fast_c_api = new d8.test.FastCAPI();
+const fast_obj = Object.create(fast_c_api);
+assertThrows(() => fast_obj.supports_fp_params);

test/mjsunit/mjsunit.status

@@ -356,6 +356,7 @@
   'compiler/fast-api-calls': [SKIP],
   'compiler/fast-api-interface-types': [SKIP],
   'compiler/regress-crbug-1201011': [SKIP],
+  'compiler/regress-crbug-1201057': [SKIP],
   'compiler/regress-crbug-1201082': [SKIP],
 
   # These tests check that we can trace the compiler.
@@ -1328,6 +1329,7 @@
   'compiler/fast-api-calls': [SKIP],
   'compiler/fast-api-interface-types': [SKIP],
   'compiler/regress-crbug-1201011': [SKIP],
+  'compiler/regress-crbug-1201057': [SKIP],
   'compiler/regress-crbug-1201082': [SKIP],
 }],  # variant == stress_snapshot