[Backport] CVE-2025-0291: Type Confusion in V8 (1/2)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6097632:
Merged: [turboshaft][wasm] WasmGCTypeAnalyzer: Fix phi input for single-block loops

Fixed: 383356864
(cherry picked from commit f231d83cb3c08754413b3ee1aa249cebd4d5445f)

Change-Id: I3247f6071a9a27eaef49ae8981b7eea93f83dc55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6097632
Reviewed-by: Eva Herencsárová <[email protected]>
Auto-Submit: Jakob Kummerow <[email protected]>
Commit-Queue: Eva Herencsárová <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#45}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615722
Reviewed-by: Anu Aliyas <[email protected]>

Author: jakobkummerow

chromium/v8/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.cc

@@ -269,6 +269,28 @@ void WasmGCTypeAnalyzer::ProcessAllocateStruct(
                       wasm::ValueType::Ref(type_index));
 }
 
+wasm::ValueType WasmGCTypeAnalyzer::GetTypeForPhiInput(const PhiOp& phi,
+                                                       int input_index) {
+  OpIndex phi_id = graph_.Index(phi);
+  OpIndex input = ResolveAliases(phi.input(input_index));
+  // If the input of the phi is in the same block as the phi and appears
+  // before the phi, don't use the predecessor value.
+
+  if (current_block_->begin().id() <= input.id() && input.id() < phi_id.id()) {
+    // Phi instructions have to be at the beginning of the block, so this can
+    // only happen for inputs that are also phis. Furthermore, this is only
+    // possible in loop headers of loops with a single block (endless loops) and
+    // only for the backedge-input.
+    DCHECK(graph_.Get(input).Is<PhiOp>());
+    DCHECK(current_block_->IsLoop());
+    DCHECK(current_block_->HasBackedge(graph_));
+    DCHECK_EQ(current_block_->LastPredecessor(), current_block_);
+    DCHECK_EQ(input_index, 1);
+    return types_table_.Get(input);
+  }
+  return types_table_.GetPredecessorValue(input, input_index);
+}
+
 void WasmGCTypeAnalyzer::ProcessPhi(const PhiOp& phi) {
   // The result type of a phi is the union of all its input types.
   // If any of the inputs is the default value ValueType(), there isn't any type
@@ -281,12 +303,10 @@ void WasmGCTypeAnalyzer::ProcessPhi(const PhiOp& phi) {
     RefineTypeKnowledge(graph_.Index(phi), GetResolvedType((phi.input(0))));
     return;
   }
-  wasm::ValueType union_type =
-      types_table_.GetPredecessorValue(ResolveAliases(phi.input(0)), 0);
+  wasm::ValueType union_type = GetTypeForPhiInput(phi, 0);
   if (union_type == wasm::ValueType()) return;
   for (int i = 1; i < phi.input_count; ++i) {
-    wasm::ValueType input_type =
-        types_table_.GetPredecessorValue(ResolveAliases(phi.input(i)), i);
+    wasm::ValueType input_type = GetTypeForPhiInput(phi, i);
     if (input_type == wasm::ValueType()) return;
     // <bottom> types have to be skipped as an unreachable predecessor doesn't
     // change our type knowledge.

chromium/v8/src/compiler/turboshaft/wasm-gc-typed-optimization-reducer.h

@@ -80,6 +80,8 @@ class WasmGCTypeAnalyzer {
   void ProcessPhi(const PhiOp& phi);
   void ProcessTypeAnnotation(const WasmTypeAnnotationOp& type_annotation);
 
+  wasm::ValueType GetTypeForPhiInput(const PhiOp& phi, int input_index);
+
   void CreateMergeSnapshot(const Block& block);
   bool CreateMergeSnapshot(base::Vector<const Snapshot> predecessors,
                            base::Vector<const bool> reachable);