deps: V8: cherry-pick cfc3404f from upstream

Original commit message:
  [string] Fix regexp fast path in MaybeCallFunctionAtSymbol

  The regexp fast path in MaybeCallFunctionAtSymbol had an issue in which
  we'd call ToString after checking that the given {object} was a fast
  regexp and deciding to take the fast path. This is invalid since
  ToString() can call into user-controlled JS and may mutate {object}.

  There's no way to place the ToString call correctly in this instance:
  1 before BranchIfFastRegExp, it's a spec violation if we end up on the
    slow regexp path;
  2 the problem with the current location is already described above;
  3 and we can't place it into the fast-path regexp builtin (e.g.
    RegExpReplace) either due to the same reasons as 1.

  The solution in this CL is to restrict the fast path to string
  arguments only, i.e. cases where ToString would be a nop and can safely
  be skipped.

  Bug: chromium:782145
  Change-Id: Ifd35b3a9a6cf2e77c96cb860a8ec98eaec35aa85
  Reviewed-on: https://chromium-review.googlesource.com/758257
  Commit-Queue: Jakob Gruber <[email protected]>
  Reviewed-by: Yang Guo <[email protected]>
  Cr-Commit-Position: refs/heads/master@{#49213}

Refs: v8/v8@cfc3404
Refs: v8/v8@55a9807
PR-URL: #17354

Author: ofrobots

deps/v8/include/v8-version.h

@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 534
-#define V8_PATCH_LEVEL 49
+#define V8_PATCH_LEVEL 50
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

deps/v8/src/builtins/builtins-string-gen.cc

@@ -1004,9 +1004,9 @@ void StringBuiltinsAssembler::RequireObjectCoercible(Node* const context,
 }
 
 void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
-    Node* const context, Node* const object, Handle<Symbol> symbol,
-    const NodeFunction0& regexp_call, const NodeFunction1& generic_call,
-    CodeStubArguments* args) {
+    Node* const context, Node* const object, Node* const maybe_string,
+    Handle<Symbol> symbol, const NodeFunction0& regexp_call,
+    const NodeFunction1& generic_call, CodeStubArguments* args) {
   Label out(this);
 
   // Smis definitely don't have an attached symbol.
@@ -1036,14 +1036,21 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
   }
 
   // Take the fast path for RegExps.
+  // There's two conditions: {object} needs to be a fast regexp, and
+  // {maybe_string} must be a string (we can't call ToString on the fast path
+  // since it may mutate {object}).
   {
     Label stub_call(this), slow_lookup(this);
 
+    GotoIf(TaggedIsSmi(maybe_string), &slow_lookup);
+    GotoIfNot(IsString(maybe_string), &slow_lookup);
+
     RegExpBuiltinsAssembler regexp_asm(state());
     regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
                                   &slow_lookup);
 
     BIND(&stub_call);
+    // TODO(jgruber): Add a no-JS scope once it exists.
     Node* const result = regexp_call();
     if (args == nullptr) {
       Return(result);
@@ -1149,12 +1156,10 @@ TF_BUILTIN(StringPrototypeReplace, StringBuiltinsAssembler) {
   // Redirect to replacer method if {search[@@replace]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, search, isolate()->factory()->replace_symbol(),
+      context, search, receiver, isolate()->factory()->replace_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpReplace, context, search,
-                           subject_string, replace);
+        return CallBuiltin(Builtins::kRegExpReplace, context, search, receiver,
+                           replace);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());
@@ -1392,12 +1397,10 @@ TF_BUILTIN(StringPrototypeSplit, StringBuiltinsAssembler) {
   // Redirect to splitter method if {separator[@@split]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, separator, isolate()->factory()->split_symbol(),
+      context, separator, receiver, isolate()->factory()->split_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpSplit, context, separator,
-                           subject_string, limit);
+        return CallBuiltin(Builtins::kRegExpSplit, context, separator, receiver,
+                           limit);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());

deps/v8/src/builtins/builtins-string-gen.h

@@ -89,9 +89,11 @@ class StringBuiltinsAssembler : public CodeStubAssembler {
   //  }
   //
   // Contains fast paths for Smi and RegExp objects.
+  // Important: {regexp_call} may not contain any code that can call into JS.
   typedef std::function<Node*()> NodeFunction0;
   typedef std::function<Node*(Node* fn)> NodeFunction1;
   void MaybeCallFunctionAtSymbol(Node* const context, Node* const object,
+                                 Node* const maybe_string,
                                  Handle<Symbol> symbol,
                                  const NodeFunction0& regexp_call,
                                  const NodeFunction1& generic_call,

deps/v8/test/mjsunit/regress/regress-782145.js

@@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function newFastRegExp() { return new RegExp('.'); }
+function toSlowRegExp(re) { re.exec = 42; }
+
+let re = newFastRegExp();
+const evil_nonstring = { [Symbol.toPrimitive]: () => toSlowRegExp(re) };
+const empty_string = "";
+
+String.prototype.replace.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.match.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.search.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.split.call(evil_nonstring, re, empty_string);