Revert "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition"

This reverts commit 164cf80b.

Reason for revert: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux64%20UBSan/14532/overview

Original change's description:
> [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition
>
> Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the
> given packed bits actually fit into 24 bits.
>
> Bug: chromium:1166138
> Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877
> Commit-Queue: Jakob Gruber <jgruber@chromium.org>
> Commit-Queue: Leszek Swirski <leszeks@chromium.org>
> Auto-Submit: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#72064}

TBR=jgruber@chromium.org,leszeks@chromium.org,pthier@chromium.org

Change-Id: Ibe72ecda03518e444442a0440ecdae7669bfc4c1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:1166138
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625883Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72065}

src/regexp/regexp-bytecode-generator-inl.h

@@ -14,13 +14,13 @@ namespace v8 {
 namespace internal {
 
 void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
-  DCHECK(is_uint24(twenty_four_bits));
-  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
-}
-
-void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
-  DCHECK(is_int24(twenty_four_bits));
-  Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+  uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
+  DCHECK(pc_ <= buffer_.length());
+  if (pc_ + 3 >= buffer_.length()) {
+    Expand();
+  }
+  *reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
+  pc_ += 4;
 }
 
 void RegExpBytecodeGenerator::Emit16(uint32_t word) {

src/regexp/regexp-bytecode-generator.cc

@@ -165,10 +165,8 @@ bool RegExpBytecodeGenerator::Succeed() {
 void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }
 
 void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
-  // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
-  // is fixed.
-  CHECK_LE(kMinCPOffset, by);
-  CHECK_GE(kMaxCPOffset, by);
+  DCHECK_LE(kMinCPOffset, by);
+  DCHECK_GE(kMaxCPOffset, by);
   advance_current_start_ = pc_;
   advance_current_offset_ = by;
   Emit(BC_ADVANCE_CP, by);

src/regexp/regexp-bytecode-generator.h

@@ -86,7 +86,6 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
   inline void Emit16(uint32_t x);
   inline void Emit8(uint32_t x);
   inline void Emit(uint32_t bc, uint32_t arg);
-  inline void Emit(uint32_t bc, int32_t arg);
   // Bytecode buffer.
   int length();
   void Copy(byte* a);

test/mjsunit/mjsunit.status

@@ -73,9 +73,6 @@
   # https://crbug.com/1129854
   'tools/log': ['arch == arm or arch == arm64', SKIP],
 
-  # https://crbug.com/1166138
-  'regress/regress-1166138': SKIP,
-
   ##############################################################################
   # Tests where variants make no sense.
   'd8/enable-tracing': [PASS, NO_VARIANTS],

test/mjsunit/regress/regress-1166138.js

-// Copyright 2020 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-let badregexp =  "(?:" +  " ".repeat(32768*2)+  ")*";
-reg = RegExp(badregexp);
-reg.test()