[regexp] Additional range checks

... in regexp bytecode {length,name} accessors and in peephole
optimization.

Bug: chromium:1095866
Change-Id: I78c89d35d796776b61eabf82b921f7582e431be7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2250243Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68400}

src/base/logging.h

@@ -134,6 +134,12 @@ V8_BASE_EXPORT void SetDcheckFunction(void (*dcheck_Function)(const char*, int,
 
 #endif
 
+#if V8_HAS_CXX14_CONSTEXPR
+#define CONSTEXPR_DCHECK(cond) DCHECK(cond)
+#else
+#define CONSTEXPR_DCHECK(cond)
+#endif
+
 // Define PrintCheckOperand<T> for each T which defines operator<< for ostream.
 template <typename T>
 typename std::enable_if<

src/regexp/regexp-bytecode-peephole.cc

@@ -187,7 +187,8 @@ class RegExpBytecodePeephole {
   BytecodeSequenceNode& CreateSequence(int bytecode);
   // Checks for optimization candidates at pc and emits optimized bytecode to
   // the internal buffer. Returns the length of replaced bytecodes in bytes.
-  int TryOptimizeSequence(const byte* bytecode, int start_pc);
+  int TryOptimizeSequence(const byte* bytecode, int bytecode_length,
+                          int start_pc);
   // Emits optimized bytecode to the internal buffer. start_pc points to the
   // start of the sequence in bytecode and last_node is the last
   // BytecodeSequenceNode of the matching sequence found.
@@ -626,7 +627,7 @@ bool RegExpBytecodePeephole::OptimizeBytecode(const byte* bytecode,
   bool did_optimize = false;
 
   while (old_pc < length) {
-    int replaced_len = TryOptimizeSequence(bytecode, old_pc);
+    int replaced_len = TryOptimizeSequence(bytecode, length, old_pc);
     if (replaced_len > 0) {
       old_pc += replaced_len;
       did_optimize = true;
@@ -659,6 +660,7 @@ BytecodeSequenceNode& RegExpBytecodePeephole::CreateSequence(int bytecode) {
 }
 
 int RegExpBytecodePeephole::TryOptimizeSequence(const byte* bytecode,
+                                                int bytecode_length,
                                                 int start_pc) {
   BytecodeSequenceNode* seq_node = sequences_;
   BytecodeSequenceNode* valid_seq_end = nullptr;
@@ -667,13 +669,12 @@ int RegExpBytecodePeephole::TryOptimizeSequence(const byte* bytecode,
 
   // Check for the longest valid sequence matching any of the pre-defined
   // sequences in the Trie data structure.
-  while ((seq_node = seq_node->Find(bytecode[current_pc]))) {
-    if (!seq_node->CheckArguments(bytecode, start_pc)) {
-      break;
-    }
-    if (seq_node->IsSequence()) {
-      valid_seq_end = seq_node;
-    }
+  while (current_pc < bytecode_length) {
+    seq_node = seq_node->Find(bytecode[current_pc]);
+    if (seq_node == nullptr) break;
+    if (!seq_node->CheckArguments(bytecode, start_pc)) break;
+
+    if (seq_node->IsSequence()) valid_seq_end = seq_node;
     current_pc += RegExpBytecodeLength(bytecode[current_pc]);
   }
 

src/regexp/regexp-bytecodes.h

@@ -5,6 +5,7 @@
 #ifndef V8_REGEXP_REGEXP_BYTECODES_H_
 #define V8_REGEXP_REGEXP_BYTECODES_H_
 
+#include "src/base/bounds.h"
 #include "src/base/macros.h"
 #include "src/common/globals.h"
 
@@ -230,16 +231,18 @@ static constexpr int kRegExpBytecodeLengths[] = {
 };
 
 inline constexpr int RegExpBytecodeLength(int bytecode) {
+  CONSTEXPR_DCHECK(base::IsInRange(bytecode, 0, kRegExpBytecodeCount - 1));
   return kRegExpBytecodeLengths[bytecode];
 }
 
-static const char* const kRegExpBytecodeNames[] = {
+static constexpr const char* const kRegExpBytecodeNames[] = {
 #define DECLARE_BYTECODE_NAME(name, ...) #name,
     BYTECODE_ITERATOR(DECLARE_BYTECODE_NAME)
 #undef DECLARE_BYTECODE_NAME
 };
 
-inline const char* RegExpBytecodeName(int bytecode) {
+inline constexpr const char* RegExpBytecodeName(int bytecode) {
+  CONSTEXPR_DCHECK(base::IsInRange(bytecode, 0, kRegExpBytecodeCount - 1));
   return kRegExpBytecodeNames[bytecode];
 }