[regexp] Fix integer overflows in TextNode::GetQuickCheckDetails

Several uc32 (= int32_t) fields were incorrectly treated as uc16 (= uint16_t): CharacterRange::from() CharacterRange::to() QuickCheckDetails::Position::mask QuickCheckDetails::Position::value Bug: v8:10568 Change-Id: I9ea7d76e4a0cbc6ee681de2136c398cdc622bca2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2230527 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#68290}

[regexp] Fix integer overflows in TextNode::GetQuickCheckDetails
Several uc32 (= int32_t) fields were incorrectly treated as uc16 (= uint16_t): CharacterRange::from() CharacterRange::to() QuickCheckDetails::Position::mask QuickCheckDetails::Position::value Bug: v8:10568 Change-Id: I9ea7d76e4a0cbc6ee681de2136c398cdc622bca2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2230527 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/master@{#68290}
a305d2de · Jakob Gruber · Commit Bot · abe6ce3d · a305d2de · a305d2de
Commit a305d2de authored Jun 10, 2020 by Jakob Gruber Committed by Commit Bot Jun 10, 2020
5 changed files
--- a/src/regexp/regexp-ast.h
+++ b/src/regexp/regexp-ast.h
@@ -76,9 +76,8 @@ class Interval {
  int to_;
 };
+// Represents code points (with values up to 0x10FFFF) in the range from from_
-// Represents code units in the range from from_ to to_, both ends are
+// to to_, both ends are inclusive.
-// inclusive.
 class CharacterRange {
 public:
  CharacterRange() : from_(0), to_(0) {}

--- a/src/regexp/regexp-compiler.cc
+++ b/src/regexp/regexp-compiler.cc
--- a/src/regexp/regexp-compiler.h
+++ b/src/regexp/regexp-compiler.h
@@ -96,8 +96,8 @@ class QuickCheckDetails {
  void set_cannot_match() { cannot_match_ = true; }
  struct Position {
    Position() : mask(0), value(0), determines_perfectly(false) {}
-    uc16 mask;
+    uc32 mask;
-    uc16 value;
+    uc32 value;
    bool determines_perfectly;
  };
  int characters() { return characters_; }

--- a/src/regexp/regexp-dotprinter.cc
+++ b/src/regexp/regexp-dotprinter.cc
@@ -143,7 +143,7 @@ void DotPrinterImpl::VisitText(TextNode* that) {
        if (node->is_negated()) os_ << "^";
        for (int j = 0; j < node->ranges(zone)->length(); j++) {
          CharacterRange range = node->ranges(zone)->at(j);
-          os_ << AsUC16(range.from()) << "-" << AsUC16(range.to());
+          os_ << AsUC32(range.from()) << "-" << AsUC32(range.to());
        }
        os_ << "]";
        break;

--- a/test/mjsunit/regress/regress-v8-10568.js
+++ b/test/mjsunit/regress/regress-v8-10568.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+assertEquals(/[--𐀾]/u.exec("Hr3QoS3KCWXQ2yjBoDIK")[0], "H");
+assertEquals(/[0-\u{10000}]/u.exec("A0")[0], "A");