[value-serializer] Ensure deserialized JSRegExp flags are valid

src/value-serializer.cc

Index: src/value-serializer.cc
diff --git a/src/value-serializer.cc b/src/value-serializer.cc
index caedf9f0bc87c5fd13e1c143a5b2e9dc3c4f8afa..b0cdbdfc4b8d0d07c4edbdcc230c2906e089d4e6 100644
--- a/src/value-serializer.cc
+++ b/src/value-serializer.cc
@@ -1463,11 +1463,24 @@ MaybeHandle<JSRegExp> ValueDeserializer::ReadJSRegExp() {
   uint32_t raw_flags;
   Handle<JSRegExp> regexp;
   if (!ReadString().ToHandle(&pattern) ||
-      !ReadVarint<uint32_t>().To(&raw_flags) ||
-      !JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(raw_flags))
+      !ReadVarint<uint32_t>().To(&raw_flags)) {
+    return MaybeHandle<JSRegExp>();
+  }
+
+  // Ensure the deserialized flags are valid. The context behind this is that
+  // the JSRegExp::Flags enum statically includes kDotAll, but it is only valid
+  // to set kDotAll if FLAG_harmony_regexp_dotall is enabled. Fuzzers don't
+  // know about this and happily set kDotAll anyways, leading to CHECK failures
+  // later on.
+  const uint32_t all_ones = static_cast<uint32_t>(-1);
+  const uint32_t flags_mask = (all_ones << JSRegExp::FlagCount()) ^ all_ones;
+  const uint32_t masked_flags = raw_flags & flags_mask;

[jbroman, 2017/05/09 14:52:23]

Hmm. WDYT of rejecting such cases, rather than masking them out (which seems
like it would lead to a different regexp on the deserializing end)?

i.e.

if (raw_flags & ~flags_mask || !JSRegExp::New(...).ToHandle(&regexp)) {
  return MaybeHandle<JSRegExp>();
}

[jgruber, 2017/05/09 15:02:58]

SGTM. I was worried about rejecting a majority of the fuzzer inputs, but I guess
we're already very restrictive when deserializing objects in general. Changed in
the newest patchset.

+
+  if (!JSRegExp::New(pattern, static_cast<JSRegExp::Flags>(masked_flags))
            .ToHandle(&regexp)) {
     return MaybeHandle<JSRegExp>();
   }
+
   AddObjectWithID(id, regexp);
   return regexp;
 }