deps: V8: cherry-pick 53c4d057974a

Original commit message:

    Reland "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition"

    This is a reland of 164cf80bbb0a6e091300bfc4cbbe70a6e6bd3e49

    The reland fixes UB (left-shift of negative integer type) with a
    static_cast<uint32_t>.

    Original change's description:
    > [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition
    >
    > Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the
    > given packed bits actually fit into 24 bits.
    >
    > Bug: chromium:1166138
    > Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508
    > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877
    > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
    > Auto-Submit: Jakob Gruber <jgruber@chromium.org>
    > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#72064}

    (cherry picked from commit ff8d0f92d423774cf773b5b4fb48b6744971e27a)

    No-Try: true
    No-Presubmit: true
    No-Tree-Checks: true
    Tbr: leszeks@chromium.org
    Bug: chromium:1166138
    Change-Id: I514495e14bb99dfc9588fdb4a9f35d67d8d64acb
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2626663
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Cr-Original-Commit-Position: refs/heads/master@{#72088}
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742954
    Reviewed-by: Jana Grill <janagrill@chromium.org>
    Commit-Queue: Victor-Gabriel Savu <vsavu@google.com>
    Cr-Commit-Position: refs/branch-heads/8.6@{#64}
    Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
    Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

Refs: v8/v8@53c4d05

PR-URL: #38275
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>

Author: targos

common.gypi

@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.44',
+    'v8_embedder_string': '-node.45',
 
     ##### V8 defaults for Node.js #####
 

deps/v8/src/regexp/regexp-bytecode-generator-inl.h

@@ -14,13 +14,13 @@ namespace v8 {
 namespace internal {
 
 void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
-  uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
-  DCHECK(pc_ <= buffer_.length());
-  if (pc_ + 3 >= buffer_.length()) {
-    Expand();
-  }
-  *reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
-  pc_ += 4;
+  DCHECK(is_uint24(twenty_four_bits));
+  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+}
+
+void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
+  DCHECK(is_int24(twenty_four_bits));
+  Emit32((static_cast<uint32_t>(twenty_four_bits) << BYTECODE_SHIFT) | byte);
 }
 
 void RegExpBytecodeGenerator::Emit16(uint32_t word) {

deps/v8/src/regexp/regexp-bytecode-generator.cc

@@ -161,8 +161,10 @@ bool RegExpBytecodeGenerator::Succeed() {
 void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }
 
 void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
-  DCHECK_LE(kMinCPOffset, by);
-  DCHECK_GE(kMaxCPOffset, by);
+  // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
+  // is fixed.
+  CHECK_LE(kMinCPOffset, by);
+  CHECK_GE(kMaxCPOffset, by);
   advance_current_start_ = pc_;
   advance_current_offset_ = by;
   Emit(BC_ADVANCE_CP, by);

deps/v8/src/regexp/regexp-bytecode-generator.h

@@ -85,6 +85,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
   inline void Emit16(uint32_t x);
   inline void Emit8(uint32_t x);
   inline void Emit(uint32_t bc, uint32_t arg);
+  inline void Emit(uint32_t bc, int32_t arg);
   // Bytecode buffer.
   int length();
   void Copy(byte* a);

deps/v8/test/mjsunit/mjsunit.status

@@ -73,6 +73,9 @@
   # Enable once multi-byte prefixed opcodes are correctly handled
   'regress/wasm/regress-1065599': [SKIP],
 
+  # https://crbug.com/1166138
+  'regress/regress-1166138': SKIP,
+
   ##############################################################################
   # Tests where variants make no sense.
   'd8/enable-tracing': [PASS, NO_VARIANTS],

deps/v8/test/mjsunit/regress/regress-1166138.js

@@ -0,0 +1,7 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let badregexp =  "(?:" +  " ".repeat(32768*2)+  ")*";
+reg = RegExp(badregexp);
+reg.test()