[regexp] Check regexp type in %RegexpHasBytecode

Without the type check, Bytecode() may read OOB. Note that this is an
internal, test-only runtime function.

Bug: chromium:1041316
Change-Id: Id9898400605719df2a294e7654cf36ddeec23af1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2002395
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65790}

src/objects/objects.cc

@@ -6160,10 +6160,12 @@ Handle<JSRegExp> JSRegExp::Copy(Handle<JSRegExp> regexp) {
 }
 
 Object JSRegExp::Code(bool is_latin1) const {
+  DCHECK_EQ(TypeTag(), JSRegExp::IRREGEXP);
   return DataAt(code_index(is_latin1));
 }
 
 Object JSRegExp::Bytecode(bool is_latin1) const {
+  DCHECK_EQ(TypeTag(), JSRegExp::IRREGEXP);
   return DataAt(bytecode_index(is_latin1));
 }
 

src/runtime/runtime-test.cc

@@ -1122,8 +1122,13 @@ RUNTIME_FUNCTION(Runtime_RegexpHasBytecode) {
   DCHECK_EQ(2, args.length());
   CONVERT_ARG_CHECKED(JSRegExp, regexp, 0);
   CONVERT_BOOLEAN_ARG_CHECKED(is_latin1, 1);
-  bool is_irregexp_bytecode = regexp.Bytecode(is_latin1).IsByteArray();
-  return isolate->heap()->ToBoolean(is_irregexp_bytecode);
+  bool result;
+  if (regexp.TypeTag() == JSRegExp::IRREGEXP) {
+    result = regexp.Bytecode(is_latin1).IsByteArray();
+  } else {
+    result = false;
+  }
+  return isolate->heap()->ToBoolean(result);
 }
 
 RUNTIME_FUNCTION(Runtime_RegexpHasNativeCode) {