Commit c1700c56 authored by Jakob Gruber's avatar Jakob Gruber Committed by V8 LUCI CQ

[regexp] Fix UAF in RegExpMacroAssembler

.. by turning `masm_` into a unique_ptr s.t. it's freed after the
NoRootArrayScope which references it.

Fixed: chromium:1252620
Change-Id: I24580c5a96d76a973b2b083e7a76b95f93bb6068
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3185459
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarPatrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77082}
parent ae16d614
......@@ -95,9 +95,10 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
Mode mode,
int registers_to_save)
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
masm_(std::make_unique<MacroAssembler>(
isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
no_root_array_scope_(masm_.get()),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
......@@ -112,7 +113,6 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
}
RegExpMacroAssemblerARM::~RegExpMacroAssemblerARM() {
delete masm_;
// Unuse labels in case we throw away the assembler without calling GetCode.
entry_label_.Unuse();
start_label_.Unuse();
......@@ -332,7 +332,7 @@ void RegExpMacroAssemblerARM::CheckNotBackReferenceIgnoreCase(
__ mov(r3, Operand(ExternalReference::isolate_address(isolate())));
{
AllowExternalCallThatCantCauseGC scope(masm_);
AllowExternalCallThatCantCauseGC scope(masm_.get());
ExternalReference function =
unicode ? ExternalReference::re_case_insensitive_compare_unicode(
isolate())
......@@ -660,7 +660,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM::GetCode(Handle<String> source) {
// Tell the system that we have a stack frame. Because the type is MANUAL, no
// is generated.
FrameScope scope(masm_, StackFrame::MANUAL);
FrameScope scope(masm_.get(), StackFrame::MANUAL);
// Actually emit code to start a new stack frame.
// Push arguments
......
......@@ -186,7 +186,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* const masm_;
const std::unique_ptr<MacroAssembler> masm_;
const NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
......
......@@ -108,9 +108,10 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
Zone* zone, Mode mode,
int registers_to_save)
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
masm_(std::make_unique<MacroAssembler>(
isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
no_root_array_scope_(masm_.get()),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
......@@ -130,7 +131,6 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
}
RegExpMacroAssemblerARM64::~RegExpMacroAssemblerARM64() {
delete masm_;
// Unuse labels in case we throw away the assembler without calling GetCode.
entry_label_.Unuse();
start_label_.Unuse();
......@@ -190,7 +190,7 @@ void RegExpMacroAssemblerARM64::Backtrack() {
CheckPreemption();
if (has_backtrack_limit()) {
Label next;
UseScratchRegisterScope temps(masm_);
UseScratchRegisterScope temps(masm_.get());
Register scratch = temps.AcquireW();
__ Ldr(scratch, MemOperand(frame_pointer(), kBacktrackCount));
__ Add(scratch, scratch, 1);
......@@ -421,7 +421,7 @@ void RegExpMacroAssemblerARM64::CheckNotBackReferenceIgnoreCase(
__ Mov(x3, ExternalReference::isolate_address(isolate()));
{
AllowExternalCallThatCantCauseGC scope(masm_);
AllowExternalCallThatCantCauseGC scope(masm_.get());
ExternalReference function =
unicode ? ExternalReference::re_case_insensitive_compare_unicode(
isolate())
......@@ -754,7 +754,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
// Tell the system that we have a stack frame. Because the type is MANUAL, no
// code is generated.
FrameScope scope(masm_, StackFrame::MANUAL);
FrameScope scope(masm_.get(), StackFrame::MANUAL);
// Push registers on the stack, only push the argument registers that we need.
CPURegList argument_registers(x0, x5, x6, x7);
......
......@@ -267,7 +267,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* const masm_;
const std::unique_ptr<MacroAssembler> masm_;
const NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (LATIN1 or UC16).
......
......@@ -85,9 +85,10 @@ RegExpMacroAssemblerIA32::RegExpMacroAssemblerIA32(Isolate* isolate, Zone* zone,
Mode mode,
int registers_to_save)
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
masm_(std::make_unique<MacroAssembler>(
isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
no_root_array_scope_(masm_.get()),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
......@@ -102,7 +103,6 @@ RegExpMacroAssemblerIA32::RegExpMacroAssemblerIA32(Isolate* isolate, Zone* zone,
}
RegExpMacroAssemblerIA32::~RegExpMacroAssemblerIA32() {
delete masm_;
// Unuse labels in case we throw away the assembler without calling GetCode.
entry_label_.Unuse();
start_label_.Unuse();
......@@ -334,7 +334,7 @@ void RegExpMacroAssemblerIA32::CheckNotBackReferenceIgnoreCase(
__ mov(Operand(esp, 0 * kSystemPointerSize), edx);
{
AllowExternalCallThatCantCauseGC scope(masm_);
AllowExternalCallThatCantCauseGC scope(masm_.get());
ExternalReference compare =
unicode ? ExternalReference::re_case_insensitive_compare_unicode(
isolate())
......@@ -693,7 +693,7 @@ Handle<HeapObject> RegExpMacroAssemblerIA32::GetCode(Handle<String> source) {
// Tell the system that we have a stack frame. Because the type is MANUAL, no
// code is generated.
FrameScope scope(masm_, StackFrame::MANUAL);
FrameScope scope(masm_.get(), StackFrame::MANUAL);
// Actually emit code to start a new stack frame.
__ push(ebp);
......
......@@ -182,7 +182,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* const masm_;
const std::unique_ptr<MacroAssembler> masm_;
const NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (LATIN1 or UC16).
......
......@@ -99,9 +99,10 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
Mode mode,
int registers_to_save)
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
masm_(std::make_unique<MacroAssembler>(
isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
no_root_array_scope_(masm_.get()),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
......@@ -124,7 +125,6 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
}
RegExpMacroAssemblerPPC::~RegExpMacroAssemblerPPC() {
delete masm_;
// Unuse labels in case we throw away the assembler without calling GetCode.
entry_label_.Unuse();
start_label_.Unuse();
......@@ -360,7 +360,7 @@ void RegExpMacroAssemblerPPC::CheckNotBackReferenceIgnoreCase(
__ mov(r6, Operand(ExternalReference::isolate_address(isolate())));
{
AllowExternalCallThatCantCauseGC scope(masm_);
AllowExternalCallThatCantCauseGC scope(masm_.get());
ExternalReference function =
unicode ? ExternalReference::re_case_insensitive_compare_unicode(
isolate())
......@@ -704,7 +704,7 @@ Handle<HeapObject> RegExpMacroAssemblerPPC::GetCode(Handle<String> source) {
// Tell the system that we have a stack frame. Because the type
// is MANUAL, no is generated.
FrameScope scope(masm_, StackFrame::MANUAL);
FrameScope scope(masm_.get(), StackFrame::MANUAL);
// Ensure register assigments are consistent with callee save mask
DCHECK(r25.bit() & kRegExpCalleeSaved);
......
......@@ -184,7 +184,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerPPC
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* const masm_;
const std::unique_ptr<MacroAssembler> masm_;
const NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
......
......@@ -101,9 +101,10 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
Mode mode,
int registers_to_save)
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
masm_(std::make_unique<MacroAssembler>(
isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
no_root_array_scope_(masm_.get()),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
......@@ -125,7 +126,6 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
}
RegExpMacroAssemblerS390::~RegExpMacroAssemblerS390() {
delete masm_;
// Unuse labels in case we throw away the assembler without calling GetCode.
entry_label_.Unuse();
start_label_.Unuse();
......@@ -351,7 +351,7 @@ void RegExpMacroAssemblerS390::CheckNotBackReferenceIgnoreCase(
__ mov(r5, Operand(ExternalReference::isolate_address(isolate())));
{
AllowExternalCallThatCantCauseGC scope(masm_);
AllowExternalCallThatCantCauseGC scope(masm_.get());
ExternalReference function =
unicode ? ExternalReference::re_case_insensitive_compare_unicode(
isolate())
......@@ -675,7 +675,7 @@ Handle<HeapObject> RegExpMacroAssemblerS390::GetCode(Handle<String> source) {
// Tell the system that we have a stack frame. Because the type
// is MANUAL, no is generated.
FrameScope scope(masm_, StackFrame::MANUAL);
FrameScope scope(masm_.get(), StackFrame::MANUAL);
// Ensure register assigments are consistent with callee save mask
DCHECK(r6.bit() & kRegExpCalleeSaved);
......
......@@ -182,7 +182,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerS390
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* const masm_;
const std::unique_ptr<MacroAssembler> masm_;
const NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment