v8/regress-992389.js at b967c0d13808dcb703cf273162407f90d553dd86 - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Patrick Thier 52c7565de8 [regexp] Fix dirty read in regexp interpreter.

When GC triggered while an exception is pending, a read to
memory that was no longer valid could happen while backtracking in the
regexp interpreter (introduced with commit fb0df2c).
This CL prevents this dirty read, that could have been a security issue.

Bug: chromium:992389, v8:9575
Change-Id: Ie1acd6faa16665e211666c6a8dcf2a9d74e0c886
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751342
Commit-Queue: Patrick Thier <pthier@google.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63195}

2019-08-13 16:08:18 +00:00

15 lines

345 B

JavaScript

Raw Blame History

 // Copyright 2019 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 // Flags: --jitless --gc-interval=12 --stack-size=50
 __f_0();
 function __f_0() {
   try {
     __f_0();
   } catch(e) {
     "b".replace(/(b)/g, function() { return "c"; });
   }
 }