From 26cc1605652844c78c210f91e07ddfa22ffcea66 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:46 +0200 Subject: [PATCH] deps: V8: cherry-pick 53c4d057974a Original commit message: Reland "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition" This is a reland of 164cf80bbb0a6e091300bfc4cbbe70a6e6bd3e49 The reland fixes UB (left-shift of negative integer type) with a static_cast. Original change's description: > [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition > > Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the > given packed bits actually fit into 24 bits. > > Bug: chromium:1166138 > Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877 > Commit-Queue: Jakob Gruber > Commit-Queue: Leszek Swirski > Auto-Submit: Jakob Gruber > Reviewed-by: Leszek Swirski > Cr-Commit-Position: refs/heads/master@{#72064} (cherry picked from commit ff8d0f92d423774cf773b5b4fb48b6744971e27a) No-Try: true No-Presubmit: true No-Tree-Checks: true Tbr: leszeks@chromium.org Bug: chromium:1166138 Change-Id: I514495e14bb99dfc9588fdb4a9f35d67d8d64acb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2626663 Reviewed-by: Jakob Gruber Commit-Queue: Jakob Gruber Cr-Original-Commit-Position: refs/heads/master@{#72088} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742954 Reviewed-by: Jana Grill Commit-Queue: Victor-Gabriel Savu Cr-Commit-Position: refs/branch-heads/8.6@{#64} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/53c4d057974af3fde91fd960a9794533dda8204b PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr --- common.gypi | 2 +- deps/v8/src/regexp/regexp-bytecode-generator-inl.h | 14 +++++++------- 
deps/v8/src/regexp/regexp-bytecode-generator.cc | 6 ++++-- deps/v8/src/regexp/regexp-bytecode-generator.h | 1 + deps/v8/test/mjsunit/mjsunit.status | 3 +++ deps/v8/test/mjsunit/regress/regress-1166138.js | 7 +++++++ 6 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-1166138.js
diff --git a/common.gypi b/common.gypi
index 22ddea26774b22..5380757bf954ae 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.44',
+ 'v8_embedder_string': '-node.45',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator-inl.h b/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
index bd906fea153a21..2a6ffec9297f32 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
+++ b/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
@@ -14,13 +14,13 @@ namespace v8 {
 namespace internal {
 void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
- uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
- DCHECK(pc_ <= buffer_.length());
- if (pc_ + 3 >= buffer_.length()) {
- Expand();
- }
- *reinterpret_cast(buffer_.begin() + pc_) = word;
- pc_ += 4;
+ DCHECK(is_uint24(twenty_four_bits));
+ Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+}
+
+void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
+ DCHECK(is_int24(twenty_four_bits));
+ Emit32((static_cast(twenty_four_bits) << BYTECODE_SHIFT) | byte);
 }
 void RegExpBytecodeGenerator::Emit16(uint32_t word) {
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.cc b/deps/v8/src/regexp/regexp-bytecode-generator.cc
index e82b67b530a707..16f693c6a03999 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator.cc
+++ b/deps/v8/src/regexp/regexp-bytecode-generator.cc
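Review bot: The new range checks in both Emit overloads are DCHECKs, so in a release build an operand that does not fit in 24 bits is still shifted into the opcode byte and silently corrupts the emitted bytecode word; only AdvanceCurrentPosition gets a hard CHECK in this commit, while every other Emit caller keeps the release-mode silent truncation. Since Emit is the single point where a packed operand becomes bytecode and it runs only at pattern-compile time, promoting the two checks to `CHECK(is_uint24(twenty_four_bits));` and `CHECK(is_int24(twenty_four_bits));` would turn any remaining bad-operand path into the same deterministic failure instead of a malformed program handed to the interpreter. The `static_cast` in the int32_t overload is the UB fix the message describes, but its template argument appears to have been dropped by whatever rendered this patch, so the line should be checked against the upstream commit rather than this text. Emit16 continues outside the hunk.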
@@ -161,8 +161,10 @@ bool RegExpBytecodeGenerator::Succeed() {
 void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }
 void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
- DCHECK_LE(kMinCPOffset, by);
- DCHECK_GE(kMaxCPOffset, by);
+ // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
+ // is fixed.
+ CHECK_LE(kMinCPOffset, by);
+ CHECK_GE(kMaxCPOffset, by);
 advance_current_start_ = pc_;
 advance_current_offset_ = by;
 Emit(BC_ADVANCE_CP, by);
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.h b/deps/v8/src/regexp/regexp-bytecode-generator.h
index fdb9b468619d60..0b4656f6633ad0 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator.h
+++ b/deps/v8/src/regexp/regexp-bytecode-generator.h
@@ -85,6 +85,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
 inline void Emit16(uint32_t x);
 inline void Emit8(uint32_t x);
 inline void Emit(uint32_t bc, uint32_t arg);
+ inline void Emit(uint32_t bc, int32_t arg);
 // Bytecode buffer.
 int length();
 void Copy(byte* a);
diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status
index 42f0b970d3644f..1fb864e04a86fe 100644
--- a/deps/v8/test/mjsunit/mjsunit.status
+++ b/deps/v8/test/mjsunit/mjsunit.status
@@ -73,6 +73,9 @@
 # Enable once multi-byte prefixed opcodes are correctly handled
 'regress/wasm/regress-1065599': [SKIP],
+ # https://crbug.com/1166138
+ 'regress/regress-1166138': SKIP,
+
 ##############################################################################
 # Tests where variants make no sense.
 'd8/enable-tracing': [PASS, NO_VARIANTS],
diff --git a/deps/v8/test/mjsunit/regress/regress-1166138.js b/deps/v8/test/mjsunit/regress/regress-1166138.js
new file mode 100644
index 00000000000000..b1a5d6b7bb8651
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-1166138.js
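Review bot: The upgraded CHECK_LE/CHECK_GE turn an out-of-range `by` into a process abort, and `by` is derived from the pattern being compiled (the regress-1166138.js file in this commit reaches it through a plain RegExp constructor call), so for an embedder that compiles untrusted patterns the observable failure mode is now a deterministic crash instead of a truncated 24-bit offset in the emitted bytecode; that is the right trade for memory safety, but the TODO should say so, e.g. `// Reachable from user-supplied patterns; failing here aborts rather than emitting a truncated 24-bit offset.`. The test that exercises this path is marked SKIP in the mjsunit.status hunk of the same commit, so nothing in the tree confirms that the CHECK is what fires; a unit test driving RegExpBytecodeGenerator directly, or a harness that expects the abort, would close that gap. If the regexp compiler has an error path for oversized patterns, raising it before bytecode generation would let the same input fail with an exception rather than an abort, which the TODO could name as the intended fix. AdvanceCurrentPosition's body continues outside the hunk.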
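Review bot: The new `Emit(uint32_t bc, int32_t arg)` declaration and its unsigned sibling carry an unstated precondition — `arg` must fit in 24 bits — that the header does not document; a one-line comment above the pair, `// arg is packed into the upper 24 bits of the bytecode word and must satisfy is_int24/is_uint24 respectively.`, would tell callers which overload to pick and what range they are promising. Adding a second integer overload also makes a call whose argument is some other integral type (a `size_t` or `int64_t` length, say) ambiguous between the two; no such caller is visible in this patch, but any that exists elsewhere would need an explicit cast, which is worth a quick grep before landing. The enclosing class definition starts and ends outside the hunk.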
@@ -0,0 +1,7 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let badregexp = "(?:" + " ".repeat(32768*2)+ ")*";
+reg = RegExp(badregexp);
+reg.test()