[string] Fix regexp fast path in MaybeCallFunctionAtSymbol

schuay · Commit Bot · commit 55a98076827e · 2017-11-08T09:49:33.000Z
The regexp fast path in MaybeCallFunctionAtSymbol had an issue in which we'd call ToString after checking that the given {object} was a fast regexp and deciding to take the fast path. This is invalid since ToString() can call into user-controlled JS and may mutate {object}. There's no way to place the ToString call correctly in this instance: 1 before BranchIfFastRegExp, it's a spec violation if we end up on the slow regexp path; 2 the problem with the current location is already described above; 3 and we can't place it into the fast-path regexp builtin (e.g. RegExpReplace) either due to the same reasons as 1. The solution in this CL is to restrict the fast path to string arguments only, i.e. cases where ToString would be a nop and can safely be skipped. Bug: chromium:782145 Change-Id: Ifd35b3a9a6cf2e77c96cb860a8ec98eaec35aa85 Reviewed-on: https://chromium-review.googlesource.com/758257 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#49213}
diff --git a/src/builtins/builtins-string-gen.cc b/src/builtins/builtins-string-gen.cc
@@ -1082,9 +1082,9 @@ void StringBuiltinsAssembler::RequireObjectCoercible(Node* const context,
 }
 
 void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
-    Node* const context, Node* const object, Handle<Symbol> symbol,
-    const NodeFunction0& regexp_call, const NodeFunction1& generic_call,
-    CodeStubArguments* args) {
+    Node* const context, Node* const object, Node* const maybe_string,
+    Handle<Symbol> symbol, const NodeFunction0& regexp_call,
+    const NodeFunction1& generic_call, CodeStubArguments* args) {
   Label out(this);
 
   // Smis definitely don't have an attached symbol.
@@ -1114,14 +1114,21 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
   }
 
   // Take the fast path for RegExps.
+  // There's two conditions: {object} needs to be a fast regexp, and
+  // {maybe_string} must be a string (we can't call ToString on the fast path
+  // since it may mutate {object}).
   {
     Label stub_call(this), slow_lookup(this);
 
+    GotoIf(TaggedIsSmi(maybe_string), &slow_lookup);
+    GotoIfNot(IsString(maybe_string), &slow_lookup);
+
     RegExpBuiltinsAssembler regexp_asm(state());
     regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
                                   &slow_lookup);
 
     BIND(&stub_call);
+    // TODO(jgruber): Add a no-JS scope once it exists.
     Node* const result = regexp_call();
     if (args == nullptr) {
       Return(result);
@@ -1345,12 +1352,10 @@ TF_BUILTIN(StringPrototypeReplace, StringBuiltinsAssembler) {
   // Redirect to replacer method if {search[@@replace]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, search, isolate()->factory()->replace_symbol(),
+      context, search, receiver, isolate()->factory()->replace_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpReplace, context, search,
-                           subject_string, replace);
+        return CallBuiltin(Builtins::kRegExpReplace, context, search, receiver,
+                           replace);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());
@@ -1511,11 +1516,8 @@ class StringMatchSearchAssembler : public StringBuiltinsAssembler {
     RequireObjectCoercible(context, receiver, method_name);
 
     MaybeCallFunctionAtSymbol(
-        context, maybe_regexp, symbol,
-        [=] {
-          Node* const receiver_string = ToString_Inline(context, receiver);
-          return CallBuiltin(builtin, context, maybe_regexp, receiver_string);
-        },
+        context, maybe_regexp, receiver, symbol,
+        [=] { return CallBuiltin(builtin, context, maybe_regexp, receiver); },
         [=](Node* fn) {
           Callable call_callable = CodeFactory::Call(isolate());
           return CallJS(call_callable, context, fn, maybe_regexp, receiver);
@@ -1804,12 +1806,10 @@ TF_BUILTIN(StringPrototypeSplit, StringBuiltinsAssembler) {
   // Redirect to splitter method if {separator[@@split]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, separator, isolate()->factory()->split_symbol(),
+      context, separator, receiver, isolate()->factory()->split_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpSplit, context, separator,
-                           subject_string, limit);
+        return CallBuiltin(Builtins::kRegExpSplit, context, separator, receiver,
+                           limit);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());
diff --git a/src/builtins/builtins-string-gen.h b/src/builtins/builtins-string-gen.h
@@ -84,9 +84,11 @@ class StringBuiltinsAssembler : public CodeStubAssembler {
   //  }
   //
   // Contains fast paths for Smi and RegExp objects.
+  // Important: {regexp_call} may not contain any code that can call into JS.
   typedef std::function<Node*()> NodeFunction0;
   typedef std::function<Node*(Node* fn)> NodeFunction1;
   void MaybeCallFunctionAtSymbol(Node* const context, Node* const object,
+                                 Node* const maybe_string,
                                  Handle<Symbol> symbol,
                                  const NodeFunction0& regexp_call,
                                  const NodeFunction1& generic_call,
diff --git a/test/mjsunit/regress/regress-782145.js b/test/mjsunit/regress/regress-782145.js
@@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function newFastRegExp() { return new RegExp('.'); }
+function toSlowRegExp(re) { re.exec = 42; }
+
+let re = newFastRegExp();
+const evil_nonstring = { [Symbol.toPrimitive]: () => toSlowRegExp(re) };
+const empty_string = "";
+
+String.prototype.replace.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.match.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.search.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.split.call(evil_nonstring, re, empty_string);
