[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition

Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the given packed bits actually fit into 24 bits. Bug: chromium:1166138 Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#72064}

[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition
Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the given packed bits actually fit into 24 bits. Bug: chromium:1166138 Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#72064}
164cf80b · Jakob Gruber · Commit Bot · 1e463205 · 164cf80b · 164cf80b
Commit 164cf80b authored Jan 13, 2021 by Jakob Gruber Committed by Commit Bot Jan 13, 2021
5 changed files
--- a/src/regexp/regexp-bytecode-generator-inl.h
+++ b/src/regexp/regexp-bytecode-generator-inl.h
@@ -14,13 +14,13 @@ namespace v8 {
 namespace internal {

 void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
-  uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
-  DCHECK(pc_ <= buffer_.length());
-  if (pc_ + 3 >= buffer_.length()) {
-    Expand();
-  }
-  *reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
-  pc_ += 4;
+  DCHECK(is_uint24(twenty_four_bits));
+  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+}
+
+void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
+  DCHECK(is_int24(twenty_four_bits));
+  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
 }

 void RegExpBytecodeGenerator::Emit16(uint32_t word) {

--- a/src/regexp/regexp-bytecode-generator.cc
+++ b/src/regexp/regexp-bytecode-generator.cc
@@ -165,8 +165,10 @@ bool RegExpBytecodeGenerator::Succeed() {
 void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }

 void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
-  DCHECK_LE(kMinCPOffset, by);
-  DCHECK_GE(kMaxCPOffset, by);
+  // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
+  // is fixed.
+  CHECK_LE(kMinCPOffset, by);
+  CHECK_GE(kMaxCPOffset, by);
  advance_current_start_ = pc_;
  advance_current_offset_ = by;
  Emit(BC_ADVANCE_CP, by);

--- a/src/regexp/regexp-bytecode-generator.h
+++ b/src/regexp/regexp-bytecode-generator.h
@@ -86,6 +86,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
  inline void Emit16(uint32_t x);
  inline void Emit8(uint32_t x);
  inline void Emit(uint32_t bc, uint32_t arg);
+  inline void Emit(uint32_t bc, int32_t arg);
  // Bytecode buffer.
  int length();
  void Copy(byte* a);

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -73,6 +73,9 @@
  # https://crbug.com/1129854
  'tools/log': ['arch == arm or arch == arm64', SKIP],

+  # https://crbug.com/1166138
+  'regress/regress-1166138': SKIP,
+
  ##############################################################################
  # Tests where variants make no sense.
  'd8/enable-tracing': [PASS, NO_VARIANTS],

--- a/test/mjsunit/regress/regress-1166138.js
+++ b/test/mjsunit/regress/regress-1166138.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let badregexp =  "(?:" +  " ".repeat(32768*2)+  ")*";
+reg = RegExp(badregexp);
+reg.test()