[regexp] Use the correct native context for the regexp species protector

The regexp species protector was recently moved from the isolate onto
the native context to avoid cross-context pollution of the regexp fast
path state.

The implementation was incomplete. We unconditionally used the isolate's
current native context, but it is possible for the object we are looking
at to come from a different context (= its creation context).

The fix is two-fold. 1. when speed is not too important (e.g. when
invalidating the protector), grab the creation context off the object.
2. in the regexp fast path check, just document how our current solution
is sufficient: although we may initially look at the wrong protector
cell, we'd later bail out when comparing the object's map against the
initial regexp map (stored on the current native context).

Bug: v8:9463
Change-Id: I653732b573f2dd456b3c6b723653dcacf9ead591
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1776078
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63520}

src/builtins/builtins-regexp-gen.cc

@@ -1000,6 +1000,10 @@ void RegExpBuiltinsAssembler::BranchIfFastRegExp(
 
   // This should only be needed for String.p.(split||matchAll), but we are
   // conservative here.
+  // Note: we are using the current native context here, which may or may not
+  // match the object's native context. That's fine: in case of a mismatch, we
+  // will bail in the next step when comparing the object's map against the
+  // current native context's initial regexp map.
   TNode<NativeContext> native_context = CAST(LoadNativeContext(context));
   GotoIf(IsRegExpSpeciesProtectorCellInvalid(native_context), if_ismodified);
 

src/objects/lookup.cc

@@ -236,10 +236,17 @@ void LookupIterator::InternalUpdateProtector() {
   if (!receiver_->IsHeapObject()) return;
   Handle<HeapObject> receiver = Handle<HeapObject>::cast(receiver_);
 
+  // Getting the native_context from the isolate as a fallback. If possible, we
+  // use the receiver's creation context instead.
   Handle<NativeContext> native_context = isolate_->native_context();
 
   ReadOnlyRoots roots(isolate_);
   if (*name_ == roots.constructor_string()) {
+    // Fetching the context in here since the operation is rather expensive.
+    if (receiver->IsJSReceiver()) {
+      native_context = Handle<JSReceiver>::cast(receiver)->GetCreationContext();
+    }
+
     if (!isolate_->IsArraySpeciesLookupChainIntact() &&
         !isolate_->IsPromiseSpeciesLookupChainIntact() &&
         !Protectors::IsRegExpSpeciesLookupChainProtectorIntact(
@@ -331,6 +338,11 @@ void LookupIterator::InternalUpdateProtector() {
       isolate_->InvalidateStringIteratorProtector();
     }
   } else if (*name_ == roots.species_symbol()) {
+    // Fetching the context in here since the operation is rather expensive.
+    if (receiver->IsJSReceiver()) {
+      native_context = Handle<JSReceiver>::cast(receiver)->GetCreationContext();
+    }
+
     if (!isolate_->IsArraySpeciesLookupChainIntact() &&
         !isolate_->IsPromiseSpeciesLookupChainIntact() &&
         !Protectors::IsRegExpSpeciesLookupChainProtectorIntact(

src/regexp/regexp-utils.cc

@@ -187,7 +187,7 @@ bool RegExpUtils::IsUnmodifiedRegExp(Isolate* isolate, Handle<Object> obj) {
   // case.
 
   if (!Protectors::IsRegExpSpeciesLookupChainProtectorIntact(
-          isolate->native_context())) {
+          recv.GetCreationContext())) {
     return false;
   }