chore: cherry-pick c1700c5 from v8 #32770

deermichel · 2022-02-07T15:06:53Z

[regexp] Fix UAF in RegExpMacroAssembler

.. by turning masm_ into a unique_ptr s.t. it's freed after the
NoRootArrayScope which references it.

Fixed: chromium:1252620
Change-Id: I24580c5a96d76a973b2b083e7a76b95f93bb6068
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3185459
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Patrick Thier <pthier@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77082}

Notes: Fixed crash in v8 regexp assembler.

deermichel · 2022-02-07T15:10:54Z

just fyi: this landed in Chr 96, therefore it is fixed in e16 and above

release-clerk · 2022-02-10T16:27:05Z

Release Notes Persisted

Fixed crash in v8 regexp assembler.

chore: cherry-pick c1700c5 from v8

7318abf

deermichel added semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 15-x-y labels Feb 7, 2022

deermichel requested a review from a team as a code owner February 7, 2022 15:06

chore: update patches

38f0246

jkleinsc approved these changes Feb 7, 2022

View reviewed changes

ckerr approved these changes Feb 7, 2022

View reviewed changes

miniak approved these changes Feb 8, 2022

View reviewed changes

Merge branch '15-x-y' into deermichel/cp-regexp-15

2552145

jkleinsc merged commit 65c9f47 into 15-x-y Feb 10, 2022

jkleinsc deleted the deermichel/cp-regexp-15 branch February 10, 2022 16:27

Provide feedback