nodejs · ofrobots · Nov 10, 2017 · Nov 27, 2017 · Nov 30, 2017
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 534
-#define V8_PATCH_LEVEL 48
+#define V8_PATCH_LEVEL 49
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)

diff --git a/deps/v8/src/builtins/builtins-string-gen.cc b/deps/v8/src/builtins/builtins-string-gen.cc
@@ -1004,9 +1004,9 @@ void StringBuiltinsAssembler::RequireObjectCoercible(Node* const context,
 }
 
 void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
-    Node* const context, Node* const object, Handle<Symbol> symbol,
-    const NodeFunction0& regexp_call, const NodeFunction1& generic_call,
-    CodeStubArguments* args) {
+    Node* const context, Node* const object, Node* const maybe_string,
+    Handle<Symbol> symbol, const NodeFunction0& regexp_call,
+    const NodeFunction1& generic_call, CodeStubArguments* args) {
   Label out(this);
 
   // Smis definitely don't have an attached symbol.
@@ -1036,14 +1036,21 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
   }
 
   // Take the fast path for RegExps.
+  // There's two conditions: {object} needs to be a fast regexp, and
+  // {maybe_string} must be a string (we can't call ToString on the fast path
+  // since it may mutate {object}).
   {
     Label stub_call(this), slow_lookup(this);
 
+    GotoIf(TaggedIsSmi(maybe_string), &slow_lookup);
+    GotoIfNot(IsString(maybe_string), &slow_lookup);
+
     RegExpBuiltinsAssembler regexp_asm(state());
     regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
                                   &slow_lookup);
 
     BIND(&stub_call);
+    // TODO(jgruber): Add a no-JS scope once it exists.
     Node* const result = regexp_call();
     if (args == nullptr) {
       Return(result);
@@ -1149,12 +1156,10 @@ TF_BUILTIN(StringPrototypeReplace, StringBuiltinsAssembler) {
   // Redirect to replacer method if {search[@@replace]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, search, isolate()->factory()->replace_symbol(),
+      context, search, receiver, isolate()->factory()->replace_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpReplace, context, search,
-                           subject_string, replace);
+        return CallBuiltin(Builtins::kRegExpReplace, context, search, receiver,
+                           replace);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());
@@ -1392,12 +1397,10 @@ TF_BUILTIN(StringPrototypeSplit, StringBuiltinsAssembler) {
   // Redirect to splitter method if {separator[@@split]} is not undefined.
 
   MaybeCallFunctionAtSymbol(
-      context, separator, isolate()->factory()->split_symbol(),
+      context, separator, receiver, isolate()->factory()->split_symbol(),
       [=]() {
-        Node* const subject_string = ToString_Inline(context, receiver);
-
-        return CallBuiltin(Builtins::kRegExpSplit, context, separator,
-                           subject_string, limit);
+        return CallBuiltin(Builtins::kRegExpSplit, context, separator, receiver,
+                           limit);
       },
       [=](Node* fn) {
         Callable call_callable = CodeFactory::Call(isolate());

diff --git a/deps/v8/src/builtins/builtins-string-gen.h b/deps/v8/src/builtins/builtins-string-gen.h
@@ -89,9 +89,11 @@ class StringBuiltinsAssembler : public CodeStubAssembler {
   //  }
   //
   // Contains fast paths for Smi and RegExp objects.
+  // Important: {regexp_call} may not contain any code that can call into JS.
   typedef std::function<Node*()> NodeFunction0;
   typedef std::function<Node*(Node* fn)> NodeFunction1;
   void MaybeCallFunctionAtSymbol(Node* const context, Node* const object,
+                                 Node* const maybe_string,
                                  Handle<Symbol> symbol,
                                  const NodeFunction0& regexp_call,
                                  const NodeFunction1& generic_call,

diff --git a/deps/v8/test/mjsunit/regress/regress-782145.js b/deps/v8/test/mjsunit/regress/regress-782145.js
@@ -0,0 +1,21 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function newFastRegExp() { return new RegExp('.'); }
+function toSlowRegExp(re) { re.exec = 42; }
+
+let re = newFastRegExp();
+const evil_nonstring = { [Symbol.toPrimitive]: () => toSlowRegExp(re) };
+const empty_string = "";
+
+String.prototype.replace.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.match.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.search.call(evil_nonstring, re, empty_string);
+
+re = newFastRegExp();
+String.prototype.split.call(evil_nonstring, re, empty_string);
diff --git a/test/sequential/sequential.status b/test/sequential/sequential.status
@@ -10,6 +10,7 @@ prefix sequential
 test-inspector-async-call-stack       : PASS, FLAKY
 test-inspector-bindings               : PASS, FLAKY
 test-inspector-debug-end              : PASS, FLAKY
+test-inspector-async-hook-setup-at-signal:  PASS, FLAKY
 
 [$system==linux]