[value-serializer] Ensure deserialized JSRegExp flags are valid

src/value-serializer.cc

 // Copyright 2016 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/value-serializer.h"
 
 #include <type_traits>
 
 #include "include/v8-value-serializer-version.h"
 #include "src/base/logging.h"
@@ skipping 1445 matching lines @@
   AddObjectWithID(id, value);
   return value;
 }
 
 MaybeHandle<JSRegExp> ValueDeserializer::ReadJSRegExp() {
   uint32_t id = next_id_++;
   Handle<String> pattern;
   uint32_t raw_flags;
   Handle<JSRegExp> regexp;
   if (!ReadString().ToHandle(&pattern) ||
-      !ReadVarint<uint32_t>().To(&raw_flags) ||
-      !JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(raw_flags))
+      !ReadVarint<uint32_t>().To(&raw_flags)) {
+    return MaybeHandle<JSRegExp>();
+  }
+
+  // Ensure the deserialized flags are valid. The context behind this is that
+  // the JSRegExp::Flags enum statically includes kDotAll, but it is only valid
+  // to set kDotAll if FLAG_harmony_regexp_dotall is enabled. Fuzzers don't
+  // know about this and happily set kDotAll anyways, leading to CHECK failures
+  // later on.
+  const uint32_t all_ones = static_cast<uint32_t>(-1);
+  const uint32_t flags_mask = (all_ones << JSRegExp::FlagCount()) ^ all_ones;
+  const uint32_t masked_flags = raw_flags & flags_mask;

[jbroman, 2017/05/09 14:52:23]

Hmm. WDYT of rejecting such cases, rather than masking them out (which seems
like it would lead to a different regexp on the deserializing end)?

i.e.

if (raw_flags & ~flags_mask || !JSRegExp::New(...).ToHandle(&regexp)) {
  return MaybeHandle<JSRegExp>();
}

[jgruber, 2017/05/09 15:02:58]

SGTM. I was worried about rejecting a majority of the fuzzer inputs, but I guess
we're already very restrictive when deserializing objects in general. Changed in
the newest patchset.

+
+  if (!JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(masked_flags))
            .ToHandle(&regexp)) {
     return MaybeHandle<JSRegExp>();
   }
+
   AddObjectWithID(id, regexp);
   return regexp;
 }
 
 MaybeHandle<JSMap> ValueDeserializer::ReadJSMap() {
   // If we are at the end of the stack, abort. This function may recurse.
   STACK_CHECK(isolate_, MaybeHandle<JSMap>());
 
   HandleScope scope(isolate_);
   uint32_t id = next_id_++;
@@ skipping 545 matching lines @@
   if (stack.size() != 1) {
     isolate_->Throw(*isolate_->factory()->NewError(
         MessageTemplate::kDataCloneDeserializationError));
     return MaybeHandle<Object>();
   }
   return scope.CloseAndEscape(stack[0]);
 }
 
 }  // namespace internal
 }  // namespace v8