[regexp] Ensure there are no shape changes on the fast path

BUG=v8:5437,chromium:708247 Review-Url: https://codereview.chromium.org/2797993002 Cr-Commit-Position: refs/heads/master@{#44428}

[regexp] Ensure there are no shape changes on the fast path
BUG=v8:5437,chromium:708247 Review-Url: https://codereview.chromium.org/2797993002 Cr-Commit-Position: refs/heads/master@{#44428}
ae459356 · jgruber · Commit bot · 108e96a4 · ae459356 · ae459356
Commit ae459356 authored Apr 06, 2017 by jgruber Committed by Commit bot Apr 06, 2017
5 changed files
--- a/src/builtins/builtins-regexp-gen.cc
+++ b/src/builtins/builtins-regexp-gen.cc
--- a/src/builtins/builtins-regexp-gen.h
+++ b/src/builtins/builtins-regexp-gen.h
@@ -15,8 +15,8 @@ class RegExpBuiltinsAssembler : public CodeStubAssembler {
  explicit RegExpBuiltinsAssembler(compiler::CodeAssemblerState* state)
      : CodeStubAssembler(state) {}

-  void BranchIfFastRegExp(Node* const context, Node* const map,
-                          Label* const if_isunmodified,
+  void BranchIfFastRegExp(Node* const context, Node* const object,
+                          Node* const map, Label* const if_isunmodified,
                          Label* const if_ismodified);

 protected:
@@ -58,9 +58,13 @@ class RegExpBuiltinsAssembler : public CodeStubAssembler {
                             char const* method_name);

  // Analogous to BranchIfFastRegExp, for use in asserts.
-  Node* IsFastRegExpMap(Node* const context, Node* const map);
+  Node* IsFastRegExp(Node* const context, Node* const object, Node* const map);
+
+  // Performs fast path checks on the given object itself, but omits prototype
+  // checks.
+  Node* IsFastRegExpNoPrototype(Node* const context, Node* const object,
+                                Node* const map);

-  Node* IsInitialRegExpMap(Node* context, Node* map);
  void BranchIfFastRegExpResult(Node* context, Node* map,
                                Label* if_isunmodified, Label* if_ismodified);


--- a/src/builtins/builtins-string-gen.cc
+++ b/src/builtins/builtins-string-gen.cc
@@ -969,7 +969,7 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
    Label stub_call(this), slow_lookup(this);

    RegExpBuiltinsAssembler regexp_asm(state());
-    regexp_asm.BranchIfFastRegExp(context, object_map, &stub_call,
+    regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
                                  &slow_lookup);

    Bind(&stub_call);

--- a/src/regexp/regexp-utils.cc
+++ b/src/regexp/regexp-utils.cc
@@ -145,7 +145,14 @@ bool RegExpUtils::IsUnmodifiedRegExp(Isolate* isolate, Handle<Object> obj) {
  if (!proto->IsJSReceiver()) return false;

  Handle<Map> initial_proto_initial_map = isolate->regexp_prototype_map();
-  return (JSReceiver::cast(proto)->map() == *initial_proto_initial_map);
+  if (JSReceiver::cast(proto)->map() != *initial_proto_initial_map) {
+    return false;
+  }
+
+  // The smi check is required to omit ToLength(lastIndex) calls with possible
+  // user-code execution on the fast path.
+  Object* last_index = JSRegExp::cast(recv)->LastIndex();
+  return last_index->IsSmi() && Smi::cast(last_index)->value() >= 0;
 }

 int RegExpUtils::AdvanceStringIndex(Isolate* isolate, Handle<String> string,

--- a/test/mjsunit/regress/regress-708247.js
+++ b/test/mjsunit/regress/regress-708247.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --predictable
+
+const str = '2016-01-02';
+
+function t() {
+  var re;
+  function toDictMode() {
+    for (var i = 0; i < 100; i++) {  // Loop is required.
+      re.x = 42;
+      delete re.x;
+    }
+    return 0;
+  }
+
+  re = /-/g;  // Needs to be global to trigger lastIndex accesses.
+  re.lastIndex = { valueOf : toDictMode };
+  return re.exec(str);
+}
+
+for (var q = 0; q < 10000; q++) {
+  t();  // Needs repetitions to trigger a crash.
+}