[backport] CVE-2025-5419

LeszekSwirski · Michal Klocek · commit 906b190749aa · 2025-06-10T12:57:07.000Z
[turbofan] Weaken alias analysis in store-store elimination Bug: 420636529 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6594051 Change-Id: I64525f45a688bc9e7d2335f9c92ca144fc517d12 Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/650558 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io>
diff --git a/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h b/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
@@ -324,10 +324,11 @@ class RedundantStoreAnalysis {
           // TODO(nicohartmann@): Use the new effect flags to distinguish heap
           // access once available.
           const bool is_on_heap_store = store.kind.tagged_base;
-          const bool is_field_store = !store.index().valid();
+          const bool is_fixed_offset_store = !store.index().valid();
           const uint8_t size = store.stored_rep.SizeInBytes();
-          // For now we consider only stores of fields of objects on the heap.
-          if (is_on_heap_store && is_field_store) {
+          // For now we consider only stores of fixed offsets of objects on the
+          // heap.
+          if (is_on_heap_store && is_fixed_offset_store) {
             bool is_eliminable_store = false;
             switch (table_.GetObservability(store.base(), store.offset, size)) {
               case StoreObservability::kUnobservable:
@@ -414,11 +415,16 @@ class RedundantStoreAnalysis {
           // TODO(nicohartmann@): Use the new effect flags to distinguish heap
           // access once available.
           const bool is_on_heap_load = load.kind.tagged_base;
-          const bool is_field_load = !load.index().valid();
+          const bool is_fixed_offset_load = !load.index().valid();
           // For now we consider only loads of fields of objects on the heap.
-          if (is_on_heap_load && is_field_load) {
-            table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
-                                                             load.offset);
+          if (is_on_heap_load) {
+            if (is_fixed_offset_load) {
+              table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
+                                                               load.offset);
+            } else {
+              // A dynamically indexed load might alias any fixed offset.
+              table_.MarkAllStoresAsObservable();
+            }
           }
           break;
         }
