Revert "[regexp] Introduce species constructor protector for regexps."

This reverts commit 3ca32e98. Reason for revert: Breaks waterfall (V8 fuzzer) Original change's description: > [regexp] Introduce species constructor protector for regexps. > > Bug: v8:8445 > Change-Id: Iea69c65d0054b24b3f8c7234c4c556ebee2dd45f > Reviewed-on: https://chromium-review.googlesource.com/c/1335696 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#57564} TBR=ulan@chromium.org,jarin@chromium.org,jgruber@chromium.org Change-Id: I8f926abdd129d9868f2c9c5dbb29096c08bd1ff7 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8445 Reviewed-on: https://chromium-review.googlesource.com/c/1340239Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#57571}

Revert "[regexp] Introduce species constructor protector for regexps."
This reverts commit 3ca32e98. Reason for revert: Breaks waterfall (V8 fuzzer) Original change's description: > [regexp] Introduce species constructor protector for regexps. > > Bug: v8:8445 > Change-Id: Iea69c65d0054b24b3f8c7234c4c556ebee2dd45f > Reviewed-on: https://chromium-review.googlesource.com/c/1335696 > Reviewed-by: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Ulan Degenbaev <ulan@chromium.org> > Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#57564} TBR=ulan@chromium.org,jarin@chromium.org,jgruber@chromium.org Change-Id: I8f926abdd129d9868f2c9c5dbb29096c08bd1ff7 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: v8:8445 Reviewed-on: https://chromium-review.googlesource.com/c/1340239Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#57571}
7a682a38 · Jaroslav Sevcik · Commit Bot · 7303633b · 7a682a38 · 7a682a38
Commit 7a682a38 authored Nov 16, 2018 by Jaroslav Sevcik Committed by Commit Bot Nov 16, 2018
14 changed files
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -2532,7 +2532,6 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
      // Setup %RegExpPrototype%.
      Handle<JSObject> prototype(
          JSObject::cast(regexp_fun->instance_prototype()), isolate());
-      native_context()->set_regexp_prototype(*prototype);

      {
        Handle<JSFunction> fun = SimpleInstallFunction(

--- a/src/builtins/builtins-regexp-gen.cc
+++ b/src/builtins/builtins-regexp-gen.cc
@@ -915,10 +915,6 @@ void RegExpBuiltinsAssembler::BranchIfFastRegExp(

  GotoIfForceSlowPath(if_ismodified);

-  // This should only be needed for String.p.(split||matchAll), but we are
-  // conservative here.
-  GotoIf(IsRegExpSpeciesProtectorCellInvalid(), if_ismodified);
-
  Node* const native_context = LoadNativeContext(context);
  Node* const regexp_fun =
      LoadContextElement(native_context, Context::REGEXP_FUNCTION_INDEX);

--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -5960,13 +5960,6 @@ TNode<BoolT> CodeStubAssembler::IsTypedArraySpeciesProtectorCellInvalid() {
  return WordEqual(cell_value, invalid);
 }

-TNode<BoolT> CodeStubAssembler::IsRegExpSpeciesProtectorCellInvalid() {
-  Node* invalid = SmiConstant(Isolate::kProtectorInvalid);
-  Node* cell = LoadRoot(RootIndex::kRegExpSpeciesProtector);
-  Node* cell_value = LoadObjectField(cell, PropertyCell::kValueOffset);
-  return WordEqual(cell_value, invalid);
-}
-
 TNode<BoolT> CodeStubAssembler::IsPromiseSpeciesProtectorCellInvalid() {
  Node* invalid = SmiConstant(Isolate::kProtectorInvalid);
  Node* cell = LoadRoot(RootIndex::kPromiseSpeciesProtector);

--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@@ -33,8 +33,7 @@ enum class PrimitiveType { kBoolean, kNumber, kString, kSymbol };
  V(PromiseSpeciesProtector, promise_species_protector,                    \
    PromiseSpeciesProtector)                                               \
  V(TypedArraySpeciesProtector, typed_array_species_protector,             \
-    TypedArraySpeciesProtector)                                            \
-  V(RegExpSpeciesProtector, regexp_species_protector, RegExpSpeciesProtector)
+    TypedArraySpeciesProtector)

 #define HEAP_IMMUTABLE_IMMOVABLE_OBJECT_LIST(V)                              \
  V(AccessorInfoMap, accessor_info_map, AccessorInfoMap)                     \
@@ -2137,7 +2136,6 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
  TNode<BoolT> IsPromiseThenProtectorCellInvalid();
  TNode<BoolT> IsArraySpeciesProtectorCellInvalid();
  TNode<BoolT> IsTypedArraySpeciesProtectorCellInvalid();
-  TNode<BoolT> IsRegExpSpeciesProtectorCellInvalid();
  TNode<BoolT> IsPromiseSpeciesProtectorCellInvalid();

  // True iff |object| is a Smi or a HeapNumber.

--- a/src/contexts.h
+++ b/src/contexts.h
@@ -275,7 +275,6 @@ enum ContextLookupFlags {
  V(INITIAL_REGEXP_STRING_ITERATOR_PROTOTYPE_MAP_INDEX, Map,                   \
    initial_regexp_string_iterator_prototype_map)                              \
  V(REGEXP_RESULT_MAP_INDEX, Map, regexp_result_map)                           \
-  V(REGEXP_PROTOTYPE_INDEX, JSObject, regexp_prototype)                        \
  V(SCRIPT_CONTEXT_TABLE_INDEX, ScriptContextTable, script_context_table)      \
  V(SECURITY_TOKEN_INDEX, Object, security_token)                              \
  V(SERIALIZED_OBJECTS, FixedArray, serialized_objects)                        \

--- a/src/heap/setup-heap-internal.cc
+++ b/src/heap/setup-heap-internal.cc
@@ -872,10 +872,6 @@ void Heap::CreateInitialObjects() {
  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
  set_promise_species_protector(*cell);

-  cell = factory->NewPropertyCell(factory->empty_string());
-  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
-  set_regexp_species_protector(*cell);
-
  cell = factory->NewPropertyCell(factory->empty_string());
  cell->set_value(Smi::FromInt(Isolate::kProtectorValid));
  set_string_iterator_protector(*cell);

--- a/src/isolate-inl.h
+++ b/src/isolate-inl.h
@@ -163,12 +163,6 @@ bool Isolate::IsTypedArraySpeciesLookupChainIntact() {
         Smi::ToInt(species_cell->value()) == kProtectorValid;
 }

-bool Isolate::IsRegExpSpeciesLookupChainIntact() {
-  PropertyCell* species_cell = heap()->regexp_species_protector();
-  return species_cell->value()->IsSmi() &&
-         Smi::ToInt(species_cell->value()) == kProtectorValid;
-}
-
 bool Isolate::IsPromiseSpeciesLookupChainIntact() {
  PropertyCell* species_cell = heap()->promise_species_protector();
  return species_cell->value()->IsSmi() &&

--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -3793,15 +3793,6 @@ void Isolate::InvalidateTypedArraySpeciesProtector() {
  DCHECK(!IsTypedArraySpeciesLookupChainIntact());
 }

-void Isolate::InvalidateRegExpSpeciesProtector() {
-  DCHECK(factory()->regexp_species_protector()->value()->IsSmi());
-  DCHECK(IsRegExpSpeciesLookupChainIntact());
-  PropertyCell::SetValueWithInvalidation(
-      this, factory()->regexp_species_protector(),
-      handle(Smi::FromInt(kProtectorInvalid), this));
-  DCHECK(!IsRegExpSpeciesLookupChainIntact());
-}
-
 void Isolate::InvalidatePromiseSpeciesProtector() {
  DCHECK(factory()->promise_species_protector()->value()->IsSmi());
  DCHECK(IsPromiseSpeciesLookupChainIntact());

--- a/src/isolate.h
+++ b/src/isolate.h
@@ -1225,7 +1225,6 @@ class Isolate final : private HiddenFactory {

  inline bool IsArraySpeciesLookupChainIntact();
  inline bool IsTypedArraySpeciesLookupChainIntact();
-  inline bool IsRegExpSpeciesLookupChainIntact();
  inline bool IsPromiseSpeciesLookupChainIntact();
  bool IsIsConcatSpreadableLookupChainIntact();
  bool IsIsConcatSpreadableLookupChainIntact(JSReceiver* receiver);
@@ -1304,7 +1303,6 @@ class Isolate final : private HiddenFactory {
  void InvalidateArrayConstructorProtector();
  void InvalidateArraySpeciesProtector();
  void InvalidateTypedArraySpeciesProtector();
-  void InvalidateRegExpSpeciesProtector();
  void InvalidatePromiseSpeciesProtector();
  void InvalidateIsConcatSpreadableProtector();
  void InvalidateStringLengthOverflowProtector();

--- a/src/lookup.cc
+++ b/src/lookup.cc
@@ -279,11 +279,9 @@ void LookupIterator::InternalUpdateProtector() {
  ReadOnlyRoots roots(heap());
  if (*name_ == roots.constructor_string()) {
    if (!isolate_->IsArraySpeciesLookupChainIntact() &&
-        !isolate_->IsPromiseSpeciesLookupChainIntact() &&
-        !isolate_->IsRegExpSpeciesLookupChainIntact() &&
-        !isolate_->IsTypedArraySpeciesLookupChainIntact()) {
+        !isolate_->IsTypedArraySpeciesLookupChainIntact() &&
+        !isolate_->IsPromiseSpeciesLookupChainIntact())
      return;
-    }
    // Setting the constructor property could change an instance's @@species
    if (holder_->IsJSArray()) {
      if (!isolate_->IsArraySpeciesLookupChainIntact()) return;
@@ -295,10 +293,6 @@ void LookupIterator::InternalUpdateProtector() {
      if (!isolate_->IsPromiseSpeciesLookupChainIntact()) return;
      isolate_->InvalidatePromiseSpeciesProtector();
      return;
-    } else if (holder_->IsJSRegExp()) {
-      if (!isolate_->IsRegExpSpeciesLookupChainIntact()) return;
-      isolate_->InvalidateRegExpSpeciesProtector();
-      return;
    } else if (holder_->IsJSTypedArray()) {
      if (!isolate_->IsTypedArraySpeciesLookupChainIntact()) return;
      isolate_->InvalidateTypedArraySpeciesProtector();
@@ -306,8 +300,9 @@ void LookupIterator::InternalUpdateProtector() {
    }
    if (holder_->map()->is_prototype_map()) {
      DisallowHeapAllocation no_gc;
-      // Setting the constructor of any prototype with the @@species protector
-      // (of any realm) also needs to invalidate the protector.
+      // Setting the constructor of Array.prototype, Promise.prototype or
+      // %TypedArray%.prototype of any realm also needs to invalidate the
+      // @@species protector.
      // For typed arrays, we check a prototype of this holder since TypedArrays
      // have different prototypes for each type, and their parent prototype is
      // pointing the same TYPED_ARRAY_PROTOTYPE.
@@ -321,10 +316,6 @@ void LookupIterator::InternalUpdateProtector() {
                                          Context::PROMISE_PROTOTYPE_INDEX)) {
        if (!isolate_->IsPromiseSpeciesLookupChainIntact()) return;
        isolate_->InvalidatePromiseSpeciesProtector();
-      } else if (isolate_->IsInAnyContext(*holder_,
-                                          Context::REGEXP_PROTOTYPE_INDEX)) {
-        if (!isolate_->IsRegExpSpeciesLookupChainIntact()) return;
-        isolate_->InvalidateRegExpSpeciesProtector();
      } else if (isolate_->IsInAnyContext(
                     holder_->map()->prototype(),
                     Context::TYPED_ARRAY_PROTOTYPE_INDEX)) {
@@ -357,11 +348,9 @@ void LookupIterator::InternalUpdateProtector() {
    }
  } else if (*name_ == roots.species_symbol()) {
    if (!isolate_->IsArraySpeciesLookupChainIntact() &&
-        !isolate_->IsPromiseSpeciesLookupChainIntact() &&
-        !isolate_->IsRegExpSpeciesLookupChainIntact() &&
-        !isolate_->IsTypedArraySpeciesLookupChainIntact()) {
+        !isolate_->IsTypedArraySpeciesLookupChainIntact() &&
+        !isolate_->IsPromiseSpeciesLookupChainIntact())
      return;
-    }
    // Setting the Symbol.species property of any Array, Promise or TypedArray
    // constructor invalidates the @@species protector
    if (isolate_->IsInAnyContext(*holder_, Context::ARRAY_FUNCTION_INDEX)) {
@@ -373,10 +362,6 @@ void LookupIterator::InternalUpdateProtector() {
                                        Context::PROMISE_FUNCTION_INDEX)) {
      if (!isolate_->IsPromiseSpeciesLookupChainIntact()) return;
      isolate_->InvalidatePromiseSpeciesProtector();
-    } else if (isolate_->IsInAnyContext(*holder_,
-                                        Context::REGEXP_FUNCTION_INDEX)) {
-      if (!isolate_->IsRegExpSpeciesLookupChainIntact()) return;
-      isolate_->InvalidateRegExpSpeciesProtector();
    } else if (IsTypedArrayFunctionInAnyContext(isolate_, *holder_)) {
      if (!isolate_->IsTypedArraySpeciesLookupChainIntact()) return;
      isolate_->InvalidateTypedArraySpeciesProtector();

--- a/src/roots.h
+++ b/src/roots.h
@@ -238,7 +238,6 @@ class RootVisitor;
  V(Cell*, is_concat_spreadable_protector, IsConcatSpreadableProtector)       \
  V(PropertyCell*, array_species_protector, ArraySpeciesProtector)            \
  V(PropertyCell*, typed_array_species_protector, TypedArraySpeciesProtector) \
-  V(PropertyCell*, regexp_species_protector, RegExpSpeciesProtector)          \
  V(PropertyCell*, promise_species_protector, PromiseSpeciesProtector)        \
  V(Cell*, string_length_protector, StringLengthProtector)                    \
  V(PropertyCell*, array_iterator_protector, ArrayIteratorProtector)          \

--- a/test/mjsunit/regress-v8-8445-2.js
+++ b/test/mjsunit/regress-v8-8445-2.js
-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax --harmony-string-matchall
-
-class MyRegExp {
-  exec() { return null; }
-}
-
-var r = /c/;
-
-assertEquals(["ab", ""], "abc".split(r));
-assertEquals([["c"]], [..."c".matchAll(r)]);
-
-r.constructor =  { [Symbol.species] : MyRegExp };
-
-assertEquals(["abc"], "abc".split(r));
-assertEquals([], [..."c".matchAll(r)]);
-
-assertEquals(["ab", ""], "abc".split(/c/));
-assertEquals([["c"]], [..."c".matchAll(/c/)]);
-
-RegExp.prototype.constructor =  { [Symbol.species] : MyRegExp };
-
-assertEquals(["abc"], "abc".split(/c/));
-assertEquals([], [..."c".matchAll(/c/)]);
--- a/test/mjsunit/regress-v8-8445.js
+++ b/test/mjsunit/regress-v8-8445.js
-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax --harmony-string-matchall
-
-class MyRegExp {
-  exec() { return null; }
-}
-
-assertEquals(["ab", ""], "abc".split(/c/));
-assertEquals([["a"]], [..."a".matchAll(/a/)]);
-
-Object.defineProperty(RegExp, Symbol.species, { get() { return MyRegExp; }});
-
-assertEquals(["abc"], "abc".split(/c/));
-assertEquals([], [..."a".matchAll(/a/)]);
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -412,22 +412,21 @@ KNOWN_OBJECTS = {
  ("OLD_SPACE", 0x006e1): "IsConcatSpreadableProtector",
  ("OLD_SPACE", 0x006f1): "ArraySpeciesProtector",
  ("OLD_SPACE", 0x00719): "TypedArraySpeciesProtector",
-  ("OLD_SPACE", 0x00741): "RegExpSpeciesProtector",
-  ("OLD_SPACE", 0x00769): "PromiseSpeciesProtector",
-  ("OLD_SPACE", 0x00791): "StringLengthProtector",
-  ("OLD_SPACE", 0x007a1): "ArrayIteratorProtector",
-  ("OLD_SPACE", 0x007c9): "ArrayBufferNeuteringProtector",
-  ("OLD_SPACE", 0x007f1): "PromiseHookProtector",
-  ("OLD_SPACE", 0x00819): "PromiseResolveProtector",
-  ("OLD_SPACE", 0x00829): "MapIteratorProtector",
-  ("OLD_SPACE", 0x00851): "PromiseThenProtector",
-  ("OLD_SPACE", 0x00879): "SetIteratorProtector",
-  ("OLD_SPACE", 0x008a1): "StringIteratorProtector",
-  ("OLD_SPACE", 0x008c9): "SingleCharacterStringCache",
-  ("OLD_SPACE", 0x010d9): "StringSplitCache",
-  ("OLD_SPACE", 0x018e9): "RegExpMultipleCache",
-  ("OLD_SPACE", 0x020f9): "DefaultMicrotaskQueue",
-  ("OLD_SPACE", 0x02111): "BuiltinsConstantsTable",
+  ("OLD_SPACE", 0x00741): "PromiseSpeciesProtector",
+  ("OLD_SPACE", 0x00769): "StringLengthProtector",
+  ("OLD_SPACE", 0x00779): "ArrayIteratorProtector",
+  ("OLD_SPACE", 0x007a1): "ArrayBufferNeuteringProtector",
+  ("OLD_SPACE", 0x007c9): "PromiseHookProtector",
+  ("OLD_SPACE", 0x007f1): "PromiseResolveProtector",
+  ("OLD_SPACE", 0x00801): "MapIteratorProtector",
+  ("OLD_SPACE", 0x00829): "PromiseThenProtector",
+  ("OLD_SPACE", 0x00851): "SetIteratorProtector",
+  ("OLD_SPACE", 0x00879): "StringIteratorProtector",
+  ("OLD_SPACE", 0x008a1): "SingleCharacterStringCache",
+  ("OLD_SPACE", 0x010b1): "StringSplitCache",
+  ("OLD_SPACE", 0x018c1): "RegExpMultipleCache",
+  ("OLD_SPACE", 0x020d1): "DefaultMicrotaskQueue",
+  ("OLD_SPACE", 0x020e9): "BuiltinsConstantsTable",
 }

 # List of known V8 Frame Markers.