Skip to content

Commit

Permalink
deps: V8: cherry-pick 53c4d057974a
Browse files Browse the repository at this point in the history
Original commit message:

    Reland "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition"

    This is a reland of 164cf80bbb0a6e091300bfc4cbbe70a6e6bd3e49

    The reland fixes UB (left-shift of negative integer type) with a
    static_cast<uint32_t>.

    Original change's description:
    > [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition
    >
    > Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the
    > given packed bits actually fit into 24 bits.
    >
    > Bug: chromium:1166138
    > Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508
    > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877
    > Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    > Commit-Queue: Leszek Swirski <leszeks@chromium.org>
    > Auto-Submit: Jakob Gruber <jgruber@chromium.org>
    > Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#72064}

    (cherry picked from commit ff8d0f92d423774cf773b5b4fb48b6744971e27a)

    No-Try: true
    No-Presubmit: true
    No-Tree-Checks: true
    Tbr: leszeks@chromium.org
    Bug: chromium:1166138
    Change-Id: I514495e14bb99dfc9588fdb4a9f35d67d8d64acb
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2626663
    Reviewed-by: Jakob Gruber <jgruber@chromium.org>
    Commit-Queue: Jakob Gruber <jgruber@chromium.org>
    Cr-Original-Commit-Position: refs/heads/master@{#72088}
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742954
    Reviewed-by: Jana Grill <janagrill@chromium.org>
    Commit-Queue: Victor-Gabriel Savu <vsavu@google.com>
    Cr-Commit-Position: refs/branch-heads/8.6@{nodejs#64}
    Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
    Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

Refs: v8/v8@53c4d05

PR-URL: nodejs#38275
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
  • Loading branch information
targos committed Apr 30, 2021
1 parent 05530e8 commit 26cc160
Show file tree
Hide file tree
Showing 6 changed files with 23 additions and 10 deletions.
2 changes: 1 addition & 1 deletion common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.44',
'v8_embedder_string': '-node.45',

##### V8 defaults for Node.js #####

Expand Down
14 changes: 7 additions & 7 deletions deps/v8/src/regexp/regexp-bytecode-generator-inl.h
Original file line number Diff line number Diff line change
Expand Up @@ -14,13 +14,13 @@ namespace v8 {
namespace internal {

void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
DCHECK(pc_ <= buffer_.length());
if (pc_ + 3 >= buffer_.length()) {
Expand();
}
*reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
pc_ += 4;
DCHECK(is_uint24(twenty_four_bits));
Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
}

void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
DCHECK(is_int24(twenty_four_bits));
Emit32((static_cast<uint32_t>(twenty_four_bits) << BYTECODE_SHIFT) | byte);
}

void RegExpBytecodeGenerator::Emit16(uint32_t word) {
Expand Down
6 changes: 4 additions & 2 deletions deps/v8/src/regexp/regexp-bytecode-generator.cc
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,10 @@ bool RegExpBytecodeGenerator::Succeed() {
void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }

void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
DCHECK_LE(kMinCPOffset, by);
DCHECK_GE(kMaxCPOffset, by);
// TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
// is fixed.
CHECK_LE(kMinCPOffset, by);
CHECK_GE(kMaxCPOffset, by);
advance_current_start_ = pc_;
advance_current_offset_ = by;
Emit(BC_ADVANCE_CP, by);
Expand Down
1 change: 1 addition & 0 deletions deps/v8/src/regexp/regexp-bytecode-generator.h
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
inline void Emit16(uint32_t x);
inline void Emit8(uint32_t x);
inline void Emit(uint32_t bc, uint32_t arg);
inline void Emit(uint32_t bc, int32_t arg);
// Bytecode buffer.
int length();
void Copy(byte* a);
Expand Down
3 changes: 3 additions & 0 deletions deps/v8/test/mjsunit/mjsunit.status
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,9 @@
# Enable once multi-byte prefixed opcodes are correctly handled
'regress/wasm/regress-1065599': [SKIP],

# https://crbug.com/1166138
'regress/regress-1166138': SKIP,

##############################################################################
# Tests where variants make no sense.
'd8/enable-tracing': [PASS, NO_VARIANTS],
Expand Down
7 changes: 7 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-1166138.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

let badregexp = "(?:" + " ".repeat(32768*2)+ ")*";
reg = RegExp(badregexp);
reg.test()

0 comments on commit 26cc160

Please sign in to comment.