[compiler] Fix RegExpPrototypeTest reduction

This reduction relies on a known object layout of the regexp instance
in order to access the lastIndex field through a statically-determined
offset. Prior to this CL, we checked only for instance types, not for
the map, and thus it was possible to read garbage from either inside
or outside the current object.

Bug: chromium:1024758,v8:7779
Change-Id: I1eec8220797f443bdf3d05804e54f33b21fa2f00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924353
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65039}

src/compiler/heap-refs.h

@@ -389,6 +389,7 @@ class ContextRef : public HeapObjectRef {
   V(JSFunction, object_function)                                      \
   V(JSFunction, promise_function)                                     \
   V(JSFunction, promise_then)                                         \
+  V(JSFunction, regexp_function)                                      \
   V(JSFunction, string_function)                                      \
   V(JSFunction, symbol_function)                                      \
   V(JSGlobalObject, global_object)                                    \

src/compiler/js-call-reducer.cc

@@ -7067,11 +7067,14 @@ Reduction JSCallReducer::ReduceRegExpPrototypeTest(Node* node) {
   Node* control = NodeProperties::GetControlInput(node);
   Node* regexp = NodeProperties::GetValueInput(node, 1);
 
+  // Only the initial JSRegExp map is valid here, since the following lastIndex
+  // check as well as the lowered builtin call rely on a known location of the
+  // lastIndex field.
+  Handle<Map> regexp_initial_map =
+      native_context().regexp_function().initial_map().object();
+
   MapInference inference(broker(), regexp, effect);
-  if (!inference.HaveMaps() ||
-      !inference.AllOfInstanceTypes(InstanceTypeChecker::IsJSRegExp)) {
-    return inference.NoChange();
-  }
+  if (!inference.Is(regexp_initial_map)) return inference.NoChange();
   MapHandles const& regexp_maps = inference.GetMaps();
 
   ZoneVector<PropertyAccessInfo> access_infos(graph()->zone());

src/compiler/map-inference.cc

@@ -91,6 +91,13 @@ MapHandles const& MapInference::GetMaps() {
   return maps_;
 }
 
+bool MapInference::Is(Handle<Map> expected_map) {
+  if (!HaveMaps()) return false;
+  const MapHandles& maps = GetMaps();
+  if (maps.size() != 1) return false;
+  return maps[0].equals(expected_map);
+}
+
 void MapInference::InsertMapChecks(JSGraph* jsgraph, Node** effect,
                                    Node* control,
                                    const FeedbackSource& feedback) {

src/compiler/map-inference.h

@@ -55,6 +55,7 @@ class MapInference {
   V8_WARN_UNUSED_RESULT MapHandles const& GetMaps();
   V8_WARN_UNUSED_RESULT bool AllOfInstanceTypes(
       std::function<bool(InstanceType)> f);
+  V8_WARN_UNUSED_RESULT bool Is(Handle<Map> expected_map);
 
   // These methods provide a guard.
   //

test/mjsunit/regress/regress-crbug-1024758.js

@@ -0,0 +1,37 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function f() {
+  return r.test("abc");
+}
+
+function to_dict(o) {
+  r.a = 42;
+  r.b = 42;
+  delete r.a;
+}
+
+function to_fast(o) {
+  const obj = {};
+  const obj2 = {};
+  delete o.a;
+  obj.__proto__ = o;
+  obj[0] = 1;
+  obj.__proto__ = obj2;
+  delete obj[0];
+  return o;
+}
+
+// Shrink the instance size by first transitioning to dictionary properties,
+// then back to fast properties.
+const r = /./;
+to_dict(r);
+to_fast(r);
+
+%PrepareFunctionForOptimization(f);
+assertTrue(f());
+%OptimizeFunctionOnNextCall(f);
+assertTrue(f());