fix: crash in v8 due to regexp reentrancy (#31142)

* fix: crash in v8 due to regexp reentrancy Check failed: !regexp_stack_->is_in_use() Refs https://bugs.chromium.org/p/chromium/issues/detail?id=1250646 Refs https://bugs.chromium.org/p/v8/issues/detail?id=11382 * chore: update patches * chore: update patches Co-authored-by: deepak1556 <hop2deep@gmail.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
2026-04-10 03:01:51 -04:00 · 2021-09-28 06:10:19 -07:00
parent d93629321e
commit d70c5d1e6a
4 changed files with 2243 additions and 0 deletions
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -13,3 +13,6 @@ cherry-pick-1228036.patch
 cherry-pick-1234764.patch
 cherry-pick-fbfd2557c2ab.patch
 cherry-pick-034c2003be31.patch
+regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch
+regexp_allow_reentrant_irregexp_execution.patch
+regexp_remove_the_stack_parameter_from_regexp_matchers.patch
--- a/patches/v8/regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch
+++ b/patches/v8/regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch
@@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Mon, 6 Sep 2021 08:29:33 +0200
+Subject: Add a (currently failing) cctest for irregexp reentrancy
+
+The test should be enabled once reentrancy is supported.
+
+Bug: v8:11382
+Change-Id: Ifb90d8a6fd8bf9f05e9ca2405d4e04e013ce7ee3
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138201
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Auto-Submit: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#76667}
+
+diff --git a/test/cctest/cctest.status b/test/cctest/cctest.status
+index 7b1bf8caa5e3f3975a457e061d966fd60c5ef441..d6691b5e861d29100d0f1c15c887dd824f3929cb 100644
+--- a/test/cctest/cctest.status
+++ b/test/cctest/cctest.status
+@@ -126,6 +126,9 @@
+   'test-strings/StringOOM*': [PASS, ['mode == debug', SKIP]],
+   'test-serialize/CustomSnapshotDataBlobImmortalImmovableRoots': [PASS, ['mode == debug', SKIP]],
+   'test-parsing/ObjectRestNegativeTestSlow': [PASS, ['mode == debug', SKIP]],
+
+  # TODO(v8:11382): Reenable once irregexp is reentrant.
+  'test-regexp/RegExpInterruptReentrantExecution': [FAIL],
+ }],  # ALWAYS
+ 
+ ##############################################################################
+@@ -606,6 +609,9 @@
+ 
+   # Instruction cache flushing is disabled in jitless mode.
+   'test-icache/*': [SKIP],
+
+  # Tests generated irregexp code.
+  'test-regexp/RegExpInterruptReentrantExecution': [SKIP],
+ }], # lite_mode or variant == jitless
+ 
+ ##############################################################################
+diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
+index 5eafa420bc21f40a2eb0caaa76ad2ffd4bd8db85..db0fb3c965c66e7d5a173559c52deca36bc47ebd 100644
+--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
+@@ -21581,10 +21581,6 @@ TEST(RegExpInterruptAndMakeSubjectTwoByteExternal) {
+   // experimental engine.
+   i::FLAG_enable_experimental_regexp_engine_on_excessive_backtracks = false;
+   RegExpInterruptTest test;
+-  // We want to be stuck regexp execution, so no fallback to linear-time
+-  // engine.
+-  // TODO(mbid,v8:10765): Find a way to test interrupt support of the
+-  // experimental engine.
+   test.RunTest(RegExpInterruptTest::MakeSubjectTwoByteExternal);
+ }
+ 
+diff --git a/test/cctest/test-regexp.cc b/test/cctest/test-regexp.cc
+index 63495194d4fbce61abbe9a7e83a446341f6f3dd6..fa02c23c47dcefb4ee77c9fc4c8222f52653e576 100644
+--- a/test/cctest/test-regexp.cc
+++ b/test/cctest/test-regexp.cc
+@@ -2340,6 +2340,50 @@ TEST(UnicodePropertyEscapeCodeSize) {
+   }
+ }
+ 
+namespace {
+
+struct RegExpExecData {
+  i::Isolate* isolate;
+  i::Handle<i::JSRegExp> regexp;
+  i::Handle<i::String> subject;
+};
+
+i::Handle<i::Object> RegExpExec(const RegExpExecData* d) {
+  return i::RegExp::Exec(d->isolate, d->regexp, d->subject, 0,
+                         d->isolate->regexp_last_match_info())
+      .ToHandleChecked();
+}
+
+void ReenterRegExp(v8::Isolate* isolate, void* data) {
+  RegExpExecData* d = static_cast<RegExpExecData*>(data);
+  i::Handle<i::Object> result = RegExpExec(d);
+  CHECK(result->IsNull());
+}
+
+}  // namespace
+
+// Tests reentrant irregexp calls.
+TEST(RegExpInterruptReentrantExecution) {
+  CHECK(!i::FLAG_jitless);
+  i::FLAG_regexp_tier_up = false;  // Enter irregexp, not the interpreter.
+
+  LocalContext context;
+  v8::Isolate* isolate = context->GetIsolate();
+  v8::HandleScope scope(isolate);
+
+  RegExpExecData d;
+  d.isolate = reinterpret_cast<i::Isolate*>(isolate);
+  d.regexp = v8::Utils::OpenHandle(
+      *v8::RegExp::New(context.local(), v8_str("(a*)*x"), v8::RegExp::kNone)
+           .ToLocalChecked());
+  d.subject = v8::Utils::OpenHandle(*v8_str("aaaa"));
+
+  isolate->RequestInterrupt(&ReenterRegExp, &d);
+
+  i::Handle<i::Object> result = RegExpExec(&d);
+  CHECK(result->IsNull());
+}
+
+ #undef CHECK_PARSE_ERROR
+ #undef CHECK_SIMPLE
+ #undef CHECK_MIN_MAX
--- a/patches/v8/regexp_allow_reentrant_irregexp_execution.patch
+++ b/patches/v8/regexp_allow_reentrant_irregexp_execution.patch
--- a/patches/v8/regexp_remove_the_stack_parameter_from_regexp_matchers.patch
+++ b/patches/v8/regexp_remove_the_stack_parameter_from_regexp_matchers.patch
@@ -0,0 +1,398 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Wed, 22 Sep 2021 14:42:48 +0200
+Subject: Remove the `stack` parameter from regexp matchers
+
+The argument is no longer in use.
+
+Bug: v8:11382
+Change-Id: I7febc7fe7ef17ae462c700f0dba3ca1beade3021
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173681
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#77017}
+
+diff --git a/src/builtins/builtins-regexp-gen.cc b/src/builtins/builtins-regexp-gen.cc
+index 23648efb98bd571476a122e9eb4a27e62feddca1..adcb8c800ab3a754200fb0920376155612c1a9b9 100644
+--- a/src/builtins/builtins-regexp-gen.cc
+++ b/src/builtins/builtins-regexp-gen.cc
+@@ -433,8 +433,6 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+   // External constants.
+   TNode<ExternalReference> isolate_address =
+       ExternalConstant(ExternalReference::isolate_address(isolate()));
+-  TNode<ExternalReference> regexp_stack_memory_top_address = ExternalConstant(
+-      ExternalReference::address_of_regexp_stack_memory_top_address(isolate()));
+   TNode<ExternalReference> static_offsets_vector_address = ExternalConstant(
+       ExternalReference::address_of_static_offsets_vector(isolate()));
+ 
+@@ -602,26 +600,18 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+     MachineType arg5_type = type_int32;
+     TNode<Int32T> arg5 = SmiToInt32(register_count);
+ 
+-    // Argument 6: Start (high end) of backtracking stack memory area. This
+-    // argument is ignored in the interpreter.
+-    TNode<RawPtrT> stack_top = UncheckedCast<RawPtrT>(
+-        Load(MachineType::Pointer(), regexp_stack_memory_top_address));
+    // Argument 6: Indicate that this is a direct call from JavaScript.
+    MachineType arg6_type = type_int32;
+    TNode<Int32T> arg6 = Int32Constant(RegExp::CallOrigin::kFromJs);
+ 
+-    MachineType arg6_type = type_ptr;
+-    TNode<RawPtrT> arg6 = stack_top;
+    // Argument 7: Pass current isolate address.
+    MachineType arg7_type = type_ptr;
+    TNode<ExternalReference> arg7 = isolate_address;
+ 
+-    // Argument 7: Indicate that this is a direct call from JavaScript.
+-    MachineType arg7_type = type_int32;
+-    TNode<Int32T> arg7 = Int32Constant(RegExp::CallOrigin::kFromJs);
+-
+-    // Argument 8: Pass current isolate address.
+-    MachineType arg8_type = type_ptr;
+-    TNode<ExternalReference> arg8 = isolate_address;
+-
+-    // Argument 9: Regular expression object. This argument is ignored in native
+    // Argument 8: Regular expression object. This argument is ignored in native
+     // irregexp code.
+-    MachineType arg9_type = type_tagged;
+-    TNode<JSRegExp> arg9 = regexp;
+    MachineType arg8_type = type_tagged;
+    TNode<JSRegExp> arg8 = regexp;
+ 
+     TNode<RawPtrT> code_entry = LoadCodeObjectEntry(code);
+ 
+@@ -635,8 +625,7 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+             std::make_pair(arg1_type, arg1), std::make_pair(arg2_type, arg2),
+             std::make_pair(arg3_type, arg3), std::make_pair(arg4_type, arg4),
+             std::make_pair(arg5_type, arg5), std::make_pair(arg6_type, arg6),
+-            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8),
+-            std::make_pair(arg9_type, arg9)));
+            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8)));
+ 
+     // Check the result.
+     // We expect exactly one result since we force the called regexp to behave
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.cc b/src/regexp/arm/regexp-macro-assembler-arm.cc
+index 9827fc7a166775920a6d7bd91f0aec5be7e370b8..3c8c1d8c8187447cb09a531b937dfa275290a842 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.cc
+++ b/src/regexp/arm/regexp-macro-assembler-arm.cc
+@@ -38,14 +38,12 @@ namespace internal {
+  * Each call to a public method should retain this convention.
+  *
+  * The stack will have the following structure:
+- *  - fp[56]  Address regexp     (address of the JSRegExp object; unused in
+ *  - fp[52]  Address regexp     (address of the JSRegExp object; unused in
+  *                                native code, passed to match signature of
+  *                                the interpreter)
+- *  - fp[52]  Isolate* isolate   (address of the current isolate)
+- *  - fp[48]  direct_call        (if 1, direct call from JavaScript code,
+ *  - fp[48]  Isolate* isolate   (address of the current isolate)
+ *  - fp[44]  direct_call        (if 1, direct call from JavaScript code,
+  *                                if 0, call through the runtime system).
+- *  - fp[44]  stack_area_base    (high end of the memory area to use as
+- *                                backtracking stack).
+  *  - fp[40]  capture array size (may fit multiple sets of matches)
+  *  - fp[36]  int* capture_array (int[num_saved_registers_], for output).
+  *  --- sp when called ---
+@@ -82,7 +80,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.h b/src/regexp/arm/regexp-macro-assembler-arm.h
+index da7f44f3e56278a72e470f7a4658758d220a1818..9bfeada8bee67e9a673d6ac6064bbeca2376cdd9 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.h
+++ b/src/regexp/arm/regexp-macro-assembler-arm.h
+@@ -95,15 +95,13 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
+   static const int kFramePointer = 0;
+ 
+   // Above the frame pointer - Stored registers and stack passed parameters.
+-  // Register 4..11.
+   static const int kStoredRegisters = kFramePointer;
+   // Return address (stored from link register, read into pc on return).
+   static const int kReturnAddress = kStoredRegisters + 8 * kPointerSize;
+   // Stack parameters placed by caller.
+   static const int kRegisterOutput = kReturnAddress + kPointerSize;
+   static const int kNumOutputRegisters = kRegisterOutput + kPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kPointerSize;
+  static const int kDirectCall = kNumOutputRegisters + kPointerSize;
+   static const int kIsolate = kDirectCall + kPointerSize;
+ 
+   // Below the frame pointer.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.cc b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+index 2f064c0e1671f71fa877c3b67d3779e43483afa5..48cde5291f840bb7762d32918098bdab3ec01a83 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+++ b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+@@ -66,14 +66,12 @@ namespace internal {
+  *  ^^^^^^^^^ fp ^^^^^^^^^
+  *  - fp[-8]     direct_call        1 => Direct call from JavaScript code.
+  *                                  0 => Call through the runtime system.
+- *  - fp[-16]    stack_base         High end of the memory area to use as
+- *                                  the backtracking stack.
+- *  - fp[-24]    output_size        Output may fit multiple sets of matches.
+- *  - fp[-32]    input              Handle containing the input string.
+- *  - fp[-40]    success_counter
+ *  - fp[-16]    output_size        Output may fit multiple sets of matches.
+ *  - fp[-24]    input              Handle containing the input string.
+ *  - fp[-32]    success_counter
+  *  ^^^^^^^^^^^^^ From here and downwards we store 32 bit values ^^^^^^^^^^^^^
+- *  - fp[-44]    register N         Capture registers initialized with
+- *  - fp[-48]    register N + 1     non_position_value.
+ *  - fp[-40]    register N         Capture registers initialized with
+ *  - fp[-44]    register N + 1     non_position_value.
+  *               ...                The first kNumCachedRegisters (N) registers
+  *               ...                are cached in x0 to x7.
+  *               ...                Only positions must be stored in the first
+@@ -95,7 +93,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -767,11 +764,10 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
+   // x3:  byte*    input_end
+   // x4:  int*     output array
+   // x5:  int      output array size
+-  // x6:  Address  stack_base
+-  // x7:  int      direct_call
+-
+-  //  sp[8]:  address of the current isolate
+-  //  sp[0]:  secondary link/return address used by native call
+  // x6:  int      direct_call
+  // x7:  Isolate* isolate
+  //
+  // sp[0]:  secondary link/return address used by native call
+ 
+   // Tell the system that we have a stack frame.  Because the type is MANUAL, no
+   // code is generated.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.h b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+index c5249625928b2cd8d08da52c219075c79cdbf880..7d99c3cbefb963696595e5bdc91b3c53d3d7f263 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.h
+++ b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+@@ -106,16 +106,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
+   // Callee-saved registers (x19-x28).
+   static const int kNumCalleeSavedRegisters = 10;
+   static const int kCalleeSavedRegisters = kReturnAddress + kSystemPointerSize;
+-  // Stack parameter placed by caller.
+-  // It is placed above the FP, LR and the callee-saved registers.
+-  static const int kIsolate =
+-      kCalleeSavedRegisters + kNumCalleeSavedRegisters * kSystemPointerSize;
+ 
+   // Below the frame pointer.
+   // Register parameters stored by setup code.
+-  static const int kDirectCall = -kSystemPointerSize;
+-  static const int kStackHighEnd = kDirectCall - kSystemPointerSize;
+-  static const int kOutputSize = kStackHighEnd - kSystemPointerSize;
+  static const int kIsolate = -kSystemPointerSize;
+  static const int kDirectCall = kIsolate - kSystemPointerSize;
+  static const int kOutputSize = kDirectCall - kSystemPointerSize;
+   static const int kInput = kOutputSize - kSystemPointerSize;
+   // When adding local variables remember to push space for them in
+   // the frame in GetCode.
+diff --git a/src/regexp/experimental/experimental.cc b/src/regexp/experimental/experimental.cc
+index 500269c40eac001adbaa3e2677d53b59af8b1566..299838efc63186a5f7df734c4ec4dba9bfa4e6d1 100644
+--- a/src/regexp/experimental/experimental.cc
+++ b/src/regexp/experimental/experimental.cc
+@@ -192,8 +192,7 @@ int32_t ExperimentalRegExp::ExecRaw(Isolate* isolate,
+ int32_t ExperimentalRegExp::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address input_start,
+     Address input_end, int* output_registers, int32_t output_register_count,
+-    Address backtrack_stack, RegExp::CallOrigin call_origin, Isolate* isolate,
+-    Address regexp) {
+    RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK(FLAG_enable_experimental_regexp_engine);
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/experimental/experimental.h b/src/regexp/experimental/experimental.h
+index 1b44100cc88bed7825c0a30fb05e8477c47860ec..671792e5ef82919af652f431c5f6b325fea08d77 100644
+--- a/src/regexp/experimental/experimental.h
+++ b/src/regexp/experimental/experimental.h
+@@ -33,7 +33,6 @@ class ExperimentalRegExp final : public AllStatic {
+                                     Address input_start, Address input_end,
+                                     int* output_registers,
+                                     int32_t output_register_count,
+-                                    Address backtrack_stack,
+                                     RegExp::CallOrigin call_origin,
+                                     Isolate* isolate, Address regexp);
+   static MaybeHandle<Object> Exec(
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.cc b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+index 036fd62185f2b5338d512d7ea441a4c74f9727ee..7bd08ad112952d323353ccba956abf1100246bb8 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+++ b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+@@ -40,8 +40,6 @@ namespace internal {
+  *       - Isolate* isolate     (address of the current isolate)
+  *       - direct_call          (if 1, direct call from JavaScript code, if 0
+  *                               call through the runtime system)
+- *       - stack_area_base      (high end of the memory area to use as
+- *                               backtracking stack)
+  *       - capture array size   (may fit multiple sets of matches)
+  *       - int* capture_array   (int[num_saved_registers_], for output).
+  *       - end of input         (address of end of string)
+@@ -74,7 +72,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate
+  *              Address regexp);
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.h b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+index f02cb564ad507f95c688fbcdad6db4ed47f85c11..e9a22e802419c079f362d7ff66cf30c56022b68e 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.h
+++ b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+@@ -107,8 +107,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
+  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+   // Below the frame pointer - local stack variables.
+   // When adding local variables remember to push space for them in
+diff --git a/src/regexp/regexp-interpreter.cc b/src/regexp/regexp-interpreter.cc
+index ac2654cd5fd9807391aa15aac76a3e8cae5b0c53..32f6f92fcd1946b041d885433f6e8ca7ef62e730 100644
+--- a/src/regexp/regexp-interpreter.cc
+++ b/src/regexp/regexp-interpreter.cc
+@@ -1106,7 +1106,7 @@ IrregexpInterpreter::Result IrregexpInterpreter::MatchInternal(
+ // builtin.
+ IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address, Address,
+-    int* output_registers, int32_t output_register_count, Address,
+    int* output_registers, int32_t output_register_count,
+     RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/regexp-interpreter.h b/src/regexp/regexp-interpreter.h
+index 9b4a8c6c307266a78a35f52ef4ef0afe5b6af6fe..19f9513acc2c7d309179ca5e18ca7ef2165e74f4 100644
+--- a/src/regexp/regexp-interpreter.h
+++ b/src/regexp/regexp-interpreter.h
+@@ -34,9 +34,8 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+   // RETRY is returned if a retry through the runtime is needed (e.g. when
+   // interrupts have been scheduled or the regexp is marked for tier-up).
+   //
+-  // Arguments input_start, input_end and backtrack_stack are
+-  // unused. They are only passed to match the signature of the native irregex
+-  // code.
+  // Arguments input_start and input_end are unused. They are only passed to
+  // match the signature of the native irregex code.
+   //
+   // Arguments output_registers and output_register_count describe the results
+   // array, which will contain register values of all captures if SUCCESS is
+@@ -45,7 +44,6 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+                                    Address input_start, Address input_end,
+                                    int* output_registers,
+                                    int32_t output_register_count,
+-                                   Address backtrack_stack,
+                                    RegExp::CallOrigin call_origin,
+                                    Isolate* isolate, Address regexp);
+ 
+diff --git a/src/regexp/regexp-macro-assembler.cc b/src/regexp/regexp-macro-assembler.cc
+index 0275558eba45d6090f61f51c3de08f81481c1aee..e20cafe9bead6749f8cf9433b8b560e918cd18ac 100644
+--- a/src/regexp/regexp-macro-assembler.cc
+++ b/src/regexp/regexp-macro-assembler.cc
+@@ -300,24 +300,21 @@ int NativeRegExpMacroAssembler::Execute(
+     String input,  // This needs to be the unpacked (sliced, cons) string.
+     int start_offset, const byte* input_start, const byte* input_end,
+     int* output, int output_size, Isolate* isolate, JSRegExp regexp) {
+-  // Ensure that the minimum stack has been allocated.
+   RegExpStackScope stack_scope(isolate);
+-  Address stack_base = stack_scope.stack()->memory_top();
+ 
+   bool is_one_byte = String::IsOneByteRepresentationUnderneath(input);
+   Code code = Code::cast(regexp.Code(is_one_byte));
+   RegExp::CallOrigin call_origin = RegExp::CallOrigin::kFromRuntime;
+ 
+-  using RegexpMatcherSig = int(
+-      Address input_string, int start_offset,  // NOLINT(readability/casting)
+-      const byte* input_start, const byte* input_end, int* output,
+-      int output_size, Address stack_base, int call_origin, Isolate* isolate,
+-      Address regexp);
+  using RegexpMatcherSig =
+      // NOLINTNEXTLINE(readability/casting)
+      int(Address input_string, int start_offset, const byte* input_start,
+          const byte* input_end, int* output, int output_size, int call_origin,
+          Isolate* isolate, Address regexp);
+ 
+   auto fn = GeneratedCode<RegexpMatcherSig>::FromCode(code);
+-  int result =
+-      fn.Call(input.ptr(), start_offset, input_start, input_end, output,
+-              output_size, stack_base, call_origin, isolate, regexp.ptr());
+  int result = fn.Call(input.ptr(), start_offset, input_start, input_end,
+                       output, output_size, call_origin, isolate, regexp.ptr());
+   DCHECK_GE(result, SMALLEST_REGEXP_RESULT);
+ 
+   if (result == EXCEPTION && !isolate->has_pending_exception()) {
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.cc b/src/regexp/x64/regexp-macro-assembler-x64.cc
+index 42b79f1a9fd0e296ace1148dacedb4ff474a4139..fc87575a1a907b3b8b7fbc102ce16d214fde102f 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.cc
+++ b/src/regexp/x64/regexp-macro-assembler-x64.cc
+@@ -47,14 +47,12 @@ namespace internal {
+  * Each call to a C++ method should retain these registers.
+  *
+  * The stack will have the following content, in some order, indexable from the
+- * frame pointer (see, e.g., kStackHighEnd):
+ * frame pointer (see, e.g., kDirectCall):
+  *    - Address regexp       (address of the JSRegExp object; unused in native
+  *                            code, passed to match signature of interpreter)
+  *    - Isolate* isolate     (address of the current isolate)
+  *    - direct_call          (if 1, direct call from JavaScript code, if 0 call
+  *                            through the runtime system)
+- *    - stack_area_base      (high end of the memory area to use as
+- *                            backtracking stack)
+  *    - capture array size   (may fit multiple sets of matches)
+  *    - int* capture_array   (int[num_saved_registers_], for output).
+  *    - end of input         (address of end of string)
+@@ -85,7 +83,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -862,8 +859,6 @@ Handle<HeapObject> RegExpMacroAssemblerX64::GetCode(Handle<String> source) {
+   }
+ 
+   // Initialize backtrack stack pointer.
+-  // TODO(jgruber): Remove the kStackHighEnd parameter (and others like
+-  // kIsolate).
+   LoadRegExpStackPointerFromMemory(backtrack_stackpointer());
+ 
+   __ jmp(&start_label_);
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.h b/src/regexp/x64/regexp-macro-assembler-x64.h
+index ff9ce0a43daa591343e8cebb25b5fdda8190a222..701697a12a5cbdbce0b8f554b2768b20b5dd434e 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.h
+++ b/src/regexp/x64/regexp-macro-assembler-x64.h
+@@ -106,9 +106,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   // this value. NumOutputRegisters is passed as 32-bit value.  The upper
+   // 32 bit of this 64-bit stack slot may contain garbage.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+   // DirectCall is passed as 32 bit int (values 0 or 1).
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
+  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #else
+   // In AMD64 ABI Calling Convention, the first six integer parameters
+@@ -119,13 +118,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   static const int kInputStart = kStartIndex - kSystemPointerSize;
+   static const int kInputEnd = kInputStart - kSystemPointerSize;
+   static const int kRegisterOutput = kInputEnd - kSystemPointerSize;
+-
+   // For the case of global regular expression, we have room to store at least
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput - kSystemPointerSize;
+-  static const int kStackHighEnd = kFrameAlign;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
+
+  static const int kDirectCall = kFrameAlign;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #endif
+