authorMichaël Zasso <targos@protonmail.com>2021-04-17 17:28:46 +0300
committerMichaël Zasso <targos@protonmail.com>2021-04-30 13:54:04 +0300
commit26cc1605652844c78c210f91e07ddfa22ffcea66 (patch)
tree3f1cd050305a71cbcc88dbd8f7af09f1cdac5a64 /deps
parent05530e833320e3147bd7789d57ea85d832351a4d (diff)
deps: V8: cherry-pick 53c4d057974a
Original commit message: Reland "[regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition" This is a reland of 164cf80bbb0a6e091300bfc4cbbe70a6e6bd3e49 The reland fixes UB (left-shift of negative integer type) with a static_cast<uint32_t>. Original change's description: > [regexp] Hard-crash on invalid offsets in AdvanceCurrentPosition > > Drive-by: Range checks in `Emit(byte, twenty_four_bits)` to ensure the > given packed bits actually fit into 24 bits. > > Bug: chromium:1166138 > Change-Id: I2e711e6466bb48d7b9897f68dfe621d12bd92508 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2625877 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Commit-Queue: Leszek Swirski <leszeks@chromium.org> > Auto-Submit: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Leszek Swirski <leszeks@chromium.org> > Cr-Commit-Position: refs/heads/master@{#72064} (cherry picked from commit ff8d0f92d423774cf773b5b4fb48b6744971e27a) No-Try: true No-Presubmit: true No-Tree-Checks: true Tbr: leszeks@chromium.org Bug: chromium:1166138 Change-Id: I514495e14bb99dfc9588fdb4a9f35d67d8d64acb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2626663 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#72088} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2742954 Reviewed-by: Jana Grill <janagrill@chromium.org> Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/8.6@{#64} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/53c4d057974af3fde91fd960a9794533dda8204b PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Shelley Vohr 
<codebytere@gmail.com>
Diffstat (limited to 'deps')
-rw-r--r--deps/v8/src/regexp/regexp-bytecode-generator-inl.h14
-rw-r--r--deps/v8/src/regexp/regexp-bytecode-generator.cc6
-rw-r--r--deps/v8/src/regexp/regexp-bytecode-generator.h1
-rw-r--r--deps/v8/test/mjsunit/mjsunit.status3
-rw-r--r--deps/v8/test/mjsunit/regress/regress-1166138.js7
5 files changed, 22 insertions, 9 deletions
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator-inl.h b/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
index bd906fea153..2a6ffec9297 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
+++ b/deps/v8/src/regexp/regexp-bytecode-generator-inl.h
@@ -14,13 +14,13 @@ namespace v8 {
namespace internal {
void RegExpBytecodeGenerator::Emit(uint32_t byte, uint32_t twenty_four_bits) {
- uint32_t word = ((twenty_four_bits << BYTECODE_SHIFT) | byte);
- DCHECK(pc_ <= buffer_.length());
- if (pc_ + 3 >= buffer_.length()) {
- Expand();
- }
- *reinterpret_cast<uint32_t*>(buffer_.begin() + pc_) = word;
- pc_ += 4;
+ DCHECK(is_uint24(twenty_four_bits));
+ Emit32((twenty_four_bits << BYTECODE_SHIFT) | byte);
+}
+
+void RegExpBytecodeGenerator::Emit(uint32_t byte, int32_t twenty_four_bits) {
+ DCHECK(is_int24(twenty_four_bits));
+ Emit32((static_cast<uint32_t>(twenty_four_bits) << BYTECODE_SHIFT) | byte);
}
void RegExpBytecodeGenerator::Emit16(uint32_t word) {
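Review bot: The `is_uint24`/`is_int24` range checks on the two `DCHECK(...)` lines are debug-only, so in a release build an operand that does not fit in 24 bits still has its high bits silently shifted out of the 32-bit word handed to `Emit32`; since this commit already promotes the AdvanceCurrentPosition guards to `CHECK`, either the Emit-level guard should be a `CHECK` too or the contract should be spelled out, `// Callers must guarantee the operand fits in 24 bits; this is only verified in debug builds.` The first parameter `byte` is not range-checked in either overload, and `DCHECK_LT(byte, 1u << BYTECODE_SHIFT);` would catch an opcode value colliding with the operand bits. `Emit32` is not defined in this hunk and presumably lives elsewhere in the header.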
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.cc b/deps/v8/src/regexp/regexp-bytecode-generator.cc
index e82b67b530a..16f693c6a03 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator.cc
+++ b/deps/v8/src/regexp/regexp-bytecode-generator.cc
@@ -161,8 +161,10 @@ bool RegExpBytecodeGenerator::Succeed() {
void RegExpBytecodeGenerator::Fail() { Emit(BC_FAIL, 0); }
void RegExpBytecodeGenerator::AdvanceCurrentPosition(int by) {
- DCHECK_LE(kMinCPOffset, by);
- DCHECK_GE(kMaxCPOffset, by);
+ // TODO(chromium:1166138): Turn back into DCHECKs once the underlying issue
+ // is fixed.
+ CHECK_LE(kMinCPOffset, by);
+ CHECK_GE(kMaxCPOffset, by);
advance_current_start_ = pc_;
advance_current_offset_ = by;
Emit(BC_ADVANCE_CP, by);
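Review bot: The TODO above the `CHECK_LE`/`CHECK_GE` lines says when the checks may be relaxed but not what they protect against, which is exactly what a future reader turning them back into DCHECKs needs; `// An offset outside [kMinCPOffset, kMaxCPOffset] presumably cannot be encoded in the 24-bit operand Emit() packs, so fail loudly instead of truncating.` Because `by` is an `int`, the `Emit(BC_ADVANCE_CP, by)` call now resolves to the new `Emit(uint32_t, int32_t)` overload rather than the unsigned one, which appears intended since its `is_int24` check re-verifies the same range in debug builds. AdvanceCurrentPosition's body continues past the end of the hunk.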
diff --git a/deps/v8/src/regexp/regexp-bytecode-generator.h b/deps/v8/src/regexp/regexp-bytecode-generator.h
index fdb9b468619..0b4656f6633 100644
--- a/deps/v8/src/regexp/regexp-bytecode-generator.h
+++ b/deps/v8/src/regexp/regexp-bytecode-generator.h
@@ -85,6 +85,7 @@ class V8_EXPORT_PRIVATE RegExpBytecodeGenerator : public RegExpMacroAssembler {
inline void Emit16(uint32_t x);
inline void Emit8(uint32_t x);
inline void Emit(uint32_t bc, uint32_t arg);
+ inline void Emit(uint32_t bc, int32_t arg);
// Bytecode buffer.
int length();
void Copy(byte* a);
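Review bot: The new `inline void Emit(uint32_t bc, int32_t arg);` declaration differs from the existing overload only in the signedness of `arg`, so a caller passing any other integer type (a `size_t` or `int64_t` operand, for instance) gets an ambiguous-call error rather than a silent conversion; that is arguably desirable, but a comment on the pair would stop someone "fixing" it with a cast: `// Emits a bytecode with a 24-bit operand; the overload is picked by the operand's signedness and the value must fit in 24 bits.` The class body continues outside the hunk.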
diff --git a/deps/v8/test/mjsunit/mjsunit.status b/deps/v8/test/mjsunit/mjsunit.status
index 42f0b970d36..1fb864e04a8 100644
--- a/deps/v8/test/mjsunit/mjsunit.status
+++ b/deps/v8/test/mjsunit/mjsunit.status
@@ -73,6 +73,9 @@
# Enable once multi-byte prefixed opcodes are correctly handled
'regress/wasm/regress-1065599': [SKIP],
+ # https://crbug.com/1166138
+ 'regress/regress-1166138': SKIP,
+
##############################################################################
# Tests where variants make no sense.
'd8/enable-tracing': [PASS, NO_VARIANTS],
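Review bot: The outcome on the `'regress/regress-1166138': SKIP,` line is a bare `SKIP` while the neighbouring `'regress/wasm/regress-1065599': [SKIP],` uses the list form; `'regress/regress-1166138': [SKIP],` keeps the file uniform. The comment above it gives only the bug URL, and since skipping means the new regression test is not exercised by CI — presumably because it now trips the `CHECK` in AdvanceCurrentPosition and terminates the process — a short reason helps whoever later re-enables it: `# https://crbug.com/1166138 - hits a CHECK until the underlying issue is fixed.`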
diff --git a/deps/v8/test/mjsunit/regress/regress-1166138.js b/deps/v8/test/mjsunit/regress/regress-1166138.js
new file mode 100644
index 00000000000..b1a5d6b7bb8
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-1166138.js
@@ -0,0 +1,7 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let badregexp = "(?:" + " ".repeat(32768*2)+ ")*";
+reg = RegExp(badregexp);
+reg.test()
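Review bot: `reg` on the `reg = RegExp(badregexp);` line is assigned without a declaration and so becomes an implicit global, while `badregexp` on the preceding line is declared with `let`; `let reg = RegExp(badregexp);` keeps the two consistent, and the final `reg.test()` is missing the terminating semicolon the other lines use. The file also does not say what it reproduces, so a reader has to guess why the pattern is built from 65536 spaces; `// Regression test for chromium:1166138 (oversized current-position offset in AdvanceCurrentPosition).` above the `let` line would cover that.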