deps: V8: cherry-pick 53c4d057974a

Original commit message: Reland "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition" This is a reland of 164cf80bbb0a6e091300bfc4cbbe70a6e6bd3e49 The reland fixes UB (left-shift of negative integer type) with a static_cast<uint32_t>. Original change's description: > [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition > > Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the > given packed bits actually fit into 24 bits. > > Bug: chromium:1166138 > Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Auto-Submit: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#72064} (cherry picked from commit ff8d0f92d423774cf773b5b4fb48b6744971e27a) No-Try: true No-Presubmit: true No-Tree-Checks: true Tbr: leszeks@chromium.org Bug: chromium:1166138 Change-Id: I514495e14bb99dfc9588fdb4a9f35d67d8d64acb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2626663 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#72088} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742954 Reviewed-by: Jana Grill <janagrill@chromium.org> Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/8.6@{#64} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: v8/v8@53c4d05 PR-URL: #38275 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Shelley Vohr <codebytere@gmail.com>
nodejs · Apr 30, 2021 · 26cc160 · 26cc160
1 parent 05530e8
commit 26cc160
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 10 deletions.
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.44',
+    'v8_embedder_string': '-node.45',
 
     ##### V8 defaults for Node.js #####
 

diff --git a/deps/v8/src/regexp/regexp-bytecode-generator-inl.h b/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
@@ -14,13 +14,13 @@ namespace v8 {
 namespace internal {
 
 void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
-  uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
-  DCHECK(pc_ <= buffer_.length());
-  if (pc_ + 3 >= buffer_.length()) {
-    Expand();
-  }
-  *reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
-  pc_ += 4;
+  DCHECK(is_uint24(twenty_four_bits));
+  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+}
+
+void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
+  DCHECK(is_int24(twenty_four_bits));
+  Emit32((static_cast<uint32_t>(twenty_four_bits) << BYTECODE_SHIFT) | byte);
 }
 
 void RegExpBytecodeGenerator::Emit16(uint32_t word) {

diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.cc b/deps/v8/src/regexp/regexp-bytecode-generator.cc
@@ -161,8 +161,10 @@ bool RegExpBytecodeGenerator::Succeed() {
 void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }
 
 void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
-  DCHECK_LE(kMinCPOffset, by);
-  DCHECK_GE(kMaxCPOffset, by);
+  // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
+  // is fixed.
+  CHECK_LE(kMinCPOffset, by);
+  CHECK_GE(kMaxCPOffset, by);
   advance_current_start_ = pc_;
   advance_current_offset_ = by;
   Emit(BC_ADVANCE_CP, by);

diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.h b/deps/v8/src/regexp/regexp-bytecode-generator.h
@@ -85,6 +85,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
   inline void Emit16(uint32_t x);
   inline void Emit8(uint32_t x);
   inline void Emit(uint32_t bc, uint32_t arg);
+  inline void Emit(uint32_t bc, int32_t arg);
   // Bytecode buffer.
   int length();
   void Copy(byte* a);

diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status
@@ -73,6 +73,9 @@
   # Enable once multi-byte prefixed opcodes are correctly handled
   'regress/wasm/regress-1065599': [SKIP],
 
+  # https://crbug.com/1166138
+  'regress/regress-1166138': SKIP,
+
   ##############################################################################
   # Tests where variants make no sense.
   'd8/enable-tracing': [PASS, NO_VARIANTS],

diff --git a/deps/v8/test/mjsunit/regress/regress-1166138.js b/deps/v8/test/mjsunit/regress/regress-1166138.js
@@ -0,0 +1,7 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let badregexp =  "(?:" +  " ".repeat(32768*2)+  ")*";
+reg = RegExp(badregexp);
+reg.test()