[Backport] CVE-2025-0611: Object corruption in V8

Cherry-pick of patch originally reviewed on:
https://chromium-review.googlesource.com/c/v8/v8/+/6157748:
regalloc: handle non-loop resumable_loops

Resumable loops which are not loops can be either:

1. An unreachable loop with only a back-edge
2. A fall-through to a resumable loop with a dead back-edge

Only (1) starts with an empty register state.

Fixed: 386143468
Change-Id: I67d6e042e44915ec5719fe8dfe840dbb28079d28
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6157748
Auto-Submit: Olivier Flückiger <[email protected]>
Commit-Queue: Toon Verwaest <[email protected]>
Commit-Queue: Olivier Flückiger <[email protected]>
Reviewed-by: Toon Verwaest <[email protected]>
Cr-Commit-Position: refs/heads/main@{#98016}
(cherry picked from commit b44bd24761f1a2eae131bd90be15b5a68cc70f83)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/619260
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/624496
Reviewed-by: Anu Aliyas <[email protected]>

Author: o-

chromium/v8/src/maglev/maglev-interpreter-frame-state.cc

@@ -710,6 +710,24 @@ void MergePointInterpreterFrameState::ReducePhiPredecessorCount(
     result->reduce_input_count();
   }
 }
+
+bool MergePointInterpreterFrameState::IsUnreachable() const {
+  DCHECK_EQ(predecessors_so_far_, predecessor_count_);
+  if (predecessor_count_ > 1) {
+    return false;
+  }
+  // This should actually only support predecessor_count == 1, but we
+  // currently don't eliminate resumable loop headers (and subsequent code
+  // until the next resume) that end up being unreachable from JumpLoop.
+  if (predecessor_count_ == 0) {
+    DCHECK(is_resumable_loop());
+    return true;
+  }
+  DCHECK_EQ(predecessor_count_, 1);
+  DCHECK_IMPLIES(is_loop(), predecessor_at(0)->control_node()->Is<JumpLoop>());
+  return is_loop();
+}
+
 }  // namespace maglev
 }  // namespace internal
 }  // namespace v8

chromium/v8/src/maglev/maglev-interpreter-frame-state.h

@@ -737,6 +737,8 @@ class MergePointInterpreterFrameState {
            predecessors_so_far_ == 0;
   }
 
+  bool IsUnreachable() const;
+
   BasicBlockType basic_block_type() const {
     return kBasicBlockTypeBits::decode(bitfield_);
   }

chromium/v8/src/maglev/maglev-regalloc.cc

@@ -147,7 +147,7 @@ bool IsLiveAtTarget(ValueNode* node, ControlNode* source, BasicBlock* target) {
   }
 
   // Drop all values on resumable loop headers.
-  if (target->has_state() && target->state()->is_resumable_loop()) return false;
+  if (target->is_loop() && target->state()->is_resumable_loop()) return false;
 
   // TODO(verwaest): This should be true but isn't because we don't yet
   // eliminate dead code.
@@ -388,13 +388,9 @@ void StraightForwardRegisterAllocator::AllocateRegisters() {
       if (block->state()->is_exception_handler()) {
         // Exceptions start from a blank state of register values.
         ClearRegisterValues();
-      } else if (block->state()->is_resumable_loop() &&
-                 block->state()->predecessor_count() <= 1) {
+      } else if (block->state()->IsUnreachable()) {
         // Loops that are only reachable through JumpLoop start from a blank
         // state of register values.
-        // This should actually only support predecessor_count == 1, but we
-        // currently don't eliminate resumable loop headers (and subsequent code
-        // until the next resume) that end up being unreachable from JumpLoop.
         ClearRegisterValues();
       } else {
         InitializeRegisterValues(block->state()->register_state());