[regexp] Fix UB (signed left shift) in peephole optimizer

Left-shifting a variable of signed type containing a negative value is undefined behavior. Bug: chromium:1010465,v8:9330 Change-Id: Ide524f87a7d76f906f6034de4c6605df150c66a8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847151 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#64154}
2019-10-08 09:54:04 +02:00 · 2019-10-08 09:54:04 +02:00 · cca5ada9fe
commit cca5ada9fe
parent cea0ebcce1
1 changed files with 3 additions and 2 deletions
--- a/src/regexp/regexp-bytecode-peephole.cc
+++ b/src/regexp/regexp-bytecode-peephole.cc
@ -975,8 +975,9 @@ void RegExpBytecodePeephole::EmitArgument(int start_pc, const byte* bytecode,
      USE(prev_val);
 #else
          DCHECK_EQ(prev_val & 0xFFFFFF00, 0);
-          OverwriteValue<uint32_t>(pc() - sizeof(uint32_t),
-                                   (val << 8) | (prev_val & 0xFF));
+          OverwriteValue<uint32_t>(
+              pc() - sizeof(uint32_t),
+              (static_cast<uint32_t>(val) << 8) | (prev_val & 0xFF));
 #endif  // V8_TARGET_BIG_ENDIAN
          break;
        }