[regexp] Revert to ZoneList usage in @@replace

Fixes a crash found by clusterfuzz caused by a call to
std::vector::reserve with a huge capacity, and reverts to ZoneList
handling as a tentative fix for performance regressions on the slow
@@replace path.

BUG=chromium:707187,chromium:706748,v8:5437

Review-Url: https://codereview.chromium.org/2787343002
Cr-Commit-Position: refs/heads/master@{#44311}

src/runtime/runtime-regexp.cc

@@ -1046,7 +1046,7 @@ class VectorBackedMatch : public String::Match {
  public:
   VectorBackedMatch(Isolate* isolate, Handle<String> subject,
                     Handle<String> match, int match_position,
-                    std::vector<Handle<Object>>* captures,
+                    ZoneVector<Handle<Object>>* captures,
                     Handle<Object> groups_obj)
       : isolate_(isolate),
         match_(match),
@@ -1105,7 +1105,7 @@ class VectorBackedMatch : public String::Match {
   Handle<String> subject_;
   Handle<String> match_;
   const int match_position_;
-  std::vector<Handle<Object>>* captures_;
+  ZoneVector<Handle<Object>>* captures_;
 
   bool has_named_captures_;
   Handle<JSReceiver> groups_obj_;
@@ -1839,8 +1839,8 @@ RUNTIME_FUNCTION(Runtime_RegExpReplace) {
     const uint32_t position =
         std::min(PositiveNumberToUint32(*position_obj), length);
 
-    std::vector<Handle<Object>> captures;
-    captures.reserve(captures_length);
+    // Do not reserve capacity since captures_length is user-controlled.
+    ZoneVector<Handle<Object>> captures(&zone);
 
     for (int n = 0; n < captures_length; n++) {
       Handle<Object> capture;

test/mjsunit/regress/regress-707187.js

@@ -0,0 +1,12 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let i = 0;
+let re = /./g;
+re.exec = () => {
+  if (i++ == 0) return { length: 2147483648 };
+  return null;
+};
+
+"".replace(re);