AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[regexp] Fix crash due to unsetting NoRootArrayScope after free

Browse Source 
This fixes a crash related to access after free on platforms that
store the MacroAssembler as a pointer. The intended behavior is
restored by explicitly setting the flag in the macro assembler
instead of using NoRootArrayScope.

Landing as TBR as it's blocking fuzzers and fix seems simple enough.

TBR=jgruber@chromium.org
R=jyan@ca.ibm.com
R=miladfar@ca.ibm.com

Bug: chromium:1057018
Change-Id: Ib6de82b47bb1abb74da58b3d476b359669372bb5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2080242
Commit-Queue: Emanuel Ziegler <ecmziegler@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66500}
This commit is contained in:
Emanuel Ziegler 2020-02-28 12:09:22 +01:00 committed by Commit Bot
parent cca9dd1012
commit 3caff4a0d6
10 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/regexp/arm/regexp-macro-assembler-arm.cc
View File

@ -102,7 +102,6 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
@ -111,6 +110,8 @@ RegExpMacroAssemblerARM::RegExpMacroAssemblerARM(Isolate* isolate, Zone* zone,
success_label_(),
backtrack_label_(),
exit_label_() {
masm_->set_root_array_available(false);
DCHECK_EQ(0, registers_to_save % 2);
__ jmp(&entry_label_); // We'll write the entry code later.
__ bind(&start_label_); // And then continue from here.

1
src/regexp/arm/regexp-macro-assembler-arm.h
View File

@ -189,7 +189,6 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* masm_;
NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
Mode mode_;

3
src/regexp/arm64/regexp-macro-assembler-arm64.cc
View File

@ -112,7 +112,6 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
@ -121,6 +120,8 @@ RegExpMacroAssemblerARM64::RegExpMacroAssemblerARM64(Isolate* isolate,
success_label_(),
backtrack_label_(),
exit_label_() {
masm_->set_root_array_available(false);
DCHECK_EQ(0, registers_to_save % 2);
// We can cache at most 16 W registers in x0-x7.
STATIC_ASSERT(kNumCachedRegisters <= 16);

1
src/regexp/arm64/regexp-macro-assembler-arm64.h
View File

@ -264,7 +264,6 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* masm_;
NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (LATIN1 or UC16).
Mode mode_;

1
src/regexp/ia32/regexp-macro-assembler-ia32.cc
View File

@ -90,7 +90,6 @@ RegExpMacroAssemblerIA32::RegExpMacroAssemblerIA32(Isolate* isolate, Zone* zone,
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),

1
src/regexp/ia32/regexp-macro-assembler-ia32.h
View File

@ -178,7 +178,6 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* masm_;
NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (LATIN1 or UC16).
Mode mode_;

3
src/regexp/ppc/regexp-macro-assembler-ppc.cc
View File

@ -102,7 +102,6 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
@ -112,6 +111,8 @@ RegExpMacroAssemblerPPC::RegExpMacroAssemblerPPC(Isolate* isolate, Zone* zone,
backtrack_label_(),
exit_label_(),
internal_failure_label_() {
masm_->set_root_array_available(false);
DCHECK_EQ(0, registers_to_save % 2);

1
src/regexp/ppc/regexp-macro-assembler-ppc.h
View File

@ -181,7 +181,6 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerPPC
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* masm_;
NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
Mode mode_;

3
src/regexp/s390/regexp-macro-assembler-s390.cc
View File

@ -104,7 +104,6 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
: NativeRegExpMacroAssembler(isolate, zone),
masm_(new MacroAssembler(isolate, CodeObjectRequired::kYes,
NewAssemblerBuffer(kRegExpCodeSize))),
no_root_array_scope_(masm_),
mode_(mode),
num_registers_(registers_to_save),
num_saved_registers_(registers_to_save),
@ -114,6 +113,8 @@ RegExpMacroAssemblerS390::RegExpMacroAssemblerS390(Isolate* isolate, Zone* zone,
backtrack_label_(),
exit_label_(),
internal_failure_label_() {
masm_->set_root_array_available(false);
DCHECK_EQ(0, registers_to_save % 2);
__ b(&entry_label_); // We'll write the entry code later.

1
src/regexp/s390/regexp-macro-assembler-s390.h
View File

@ -183,7 +183,6 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerS390
Isolate* isolate() const { return masm_->isolate(); }
MacroAssembler* masm_;
NoRootArrayScope no_root_array_scope_;
// Which mode to generate code for (Latin1 or UC16).
Mode mode_;