Fix type confusion in libpac

From the upstream patch
(https://chromium.googlesource.com/v8/v8.git/+/55a98076827edac8eba775f8025df3749bcd8367%5E%21/#F0):

"""
Fix regexp fast path in MaybeCallFunctionAtSymbol

The regexp fast path in MaybeCallFunctionAtSymbol had an issue in which
we'd call ToString after checking that the given {object} was a fast
regexp and deciding to take the fast path. This is invalid since
ToString() can call into user-controlled JS and may mutate {object}.

There's no way to place the ToString call correctly in this instance:
1 before BranchIfFastRegExp, it's a spec violation if we end up on the
  slow regexp path;
2 the problem with the current location is already described above;
3 and we can't place it into the fast-path regexp builtin (e.g.
  RegExpReplace) either due to the same reasons as 1.

The solution in this CL is to restrict the fast path to string
arguments only, i.e. cases where ToString would be a nop and can safely
be skipped.
"""

Bug: 117556606

Test: /data/nativetest/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest

Test: gts-tradefed run gts --test \
  com.google.android.gts.devicepolicy.DeviceOwnerTest#testProxyPacProxyTest \
  --module GtsGmscoreHostTestCases

Test: PoC from bug report

Merged-In: I2e02d994f107e64e4f465b4d8a02d4159a95240e

Change-Id: Ifb58de2b3c547c442f1ad69e0bca0fa934d1f728
(cherry picked from commit ce91afbb1b8ed1c0bbde11609be1f93e4bbfa461)

0 files changed, 0 insertions, 0 deletions