[regexp] Fix yet another invalid use related to range arrays

`Equals` did not properly account for arrays with odd lengths. Bug: v8:11069 Change-Id: I3264ebef248adcecd59b902bf1521cfddbd5a69d Fixed: chromium:1267674 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264218 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#77756}

[regexp] Fix yet another invalid use related to range arrays
`Equals` did not properly account for arrays with odd lengths. Bug: v8:11069 Change-Id: I3264ebef248adcecd59b902bf1521cfddbd5a69d Fixed: chromium:1267674 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3264218 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#77756}
c9d23462 · Jakob Gruber · V8 LUCI CQ · 3a858a91 · c9d23462 · c9d23462
Commit c9d23462 authored Nov 08, 2021 by Jakob Gruber Committed by V8 LUCI CQ Nov 08, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

regexp-macro-assembler.cc src/regexp/regexp-macro-assembler.cc +4 -4

regress-1267674.js test/mjsunit/regress/regress-1267674.js +7 -0

No files found.
--- a/src/regexp/regexp-macro-assembler.cc
+++ b/src/regexp/regexp-macro-assembler.cc
@@ -130,13 +130,13 @@ int RangeArrayLengthFor(const ZoneList<CharacterRange>* ranges) {
 }

 bool Equals(const ZoneList<CharacterRange>* lhs, const Handle<ByteArray>& rhs) {
-  if (rhs->length() != RangeArrayLengthFor(lhs) * kUInt16Size) return false;
+  DCHECK_EQ(rhs->length() % kUInt16Size, 0);  // uc16 elements.
+  const int rhs_length = rhs->length() / kUInt16Size;
+  if (rhs_length != RangeArrayLengthFor(lhs)) return false;
  for (int i = 0; i < lhs->length(); i++) {
    const CharacterRange& r = lhs->at(i);
    if (rhs->get_uint16(i * 2 + 0) != r.from()) return false;
-    if (i == lhs->length() - 1 && r.to() == kMaxUInt16) {
-      break;  // Avoid overflow by leaving the last range open-ended.
-    }
+    if (i * 2 + 1 == rhs_length) break;
    if (rhs->get_uint16(i * 2 + 1) != r.to() + 1) return false;
  }
  return true;

--- a/test/mjsunit/regress/regress-1267674.js
+++ b/test/mjsunit/regress/regress-1267674.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --no-regexp-tier-up
+
+assertNull(/[PxdsuJ\W]+\x00/imsy.exec());