[regexp] Check regexp type in %RegexpHasNativeCode

Without the type check, Code() may read OOB. Note that this is an internal, test-only runtime function. Bug: chromium:1041316 Change-Id: I8c0b21ce3c2aea8aa3d065b99d8ab45a8c9e754f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000749 Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#65775}

[regexp] Check regexp type in %RegexpHasNativeCode
Without the type check, Code() may read OOB. Note that this is an internal, test-only runtime function. Bug: chromium:1041316 Change-Id: I8c0b21ce3c2aea8aa3d065b99d8ab45a8c9e754f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2000749 Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#65775}
1bf71164 · Jakob Gruber · Commit Bot · 377b5060 · 1bf71164
Commit 1bf71164 authored Jan 15, 2020 by Jakob Gruber Committed by Commit Bot Jan 15, 2020
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

runtime-test.cc src/runtime/runtime-test.cc +7 -2

No files found.
--- a/src/runtime/runtime-test.cc
+++ b/src/runtime/runtime-test.cc
@@ -1131,8 +1131,13 @@ RUNTIME_FUNCTION(Runtime_RegexpHasNativeCode) {
  DCHECK_EQ(2, args.length());
  CONVERT_ARG_CHECKED(JSRegExp, regexp, 0);
  CONVERT_BOOLEAN_ARG_CHECKED(is_latin1, 1);
-  bool is_irregexp_native_code = regexp.Code(is_latin1).IsCode();
+  bool result;
-  return isolate->heap()->ToBoolean(is_irregexp_native_code);
+  if (regexp.TypeTag() == JSRegExp::IRREGEXP) {
+    result = regexp.Code(is_latin1).IsCode();
+  } else {
+    result = false;
+  }
+  return isolate->heap()->ToBoolean(result);
 }
 #define ELEMENTS_KIND_CHECK_RUNTIME_FUNCTION(Name)      \