[Backport] Security bug 1427388

Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4381738:
Merged: [compiler] Prevent constant folding of TypeGuard

TypeGuard are used to prevent operations from floating before a
preceding check, and thus shouldn't be constant-folded.

(cherry picked from commit 867716437273c16dc6ef5bc85b9c18affa1fb242)

Fixed: chromium:1427388
Change-Id: Id93807aa7553c6a42b17024b7f7975a1a28fbb78
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4381738
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.3@{#6}
Cr-Branched-From: b0a3a06aa78a9beb4e8485eb502b20b2abe2abbf-refs/heads/11.3.244@{#1}
Cr-Branched-From: 0326cf6343caaa6ea32bb3208e894cb7412e1313-refs/heads/main@{#86647}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/475990
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 2 insertions, 1 deletions

diff --git a/chromium/v8/src/compiler/constant-folding-reducer.cc b/chromium/v8/src/compiler/constant-folding-reducer.cc
index 9649dbda08c..7a25cb9037a 100644
--- a/chromium/v8/src/compiler/constant-folding-reducer.cc
+++ b/chromium/v8/src/compiler/constant-folding-reducer.cc
@@ -66,7 +66,8 @@ Reduction ConstantFoldingReducer::Reduce(Node* node) {
   DisallowHeapAccess no_heap_access;
   if (!NodeProperties::IsConstant(node) && NodeProperties::IsTyped(node) &&
       node->op()->HasProperty(Operator::kEliminatable) &&
-      node->opcode() != IrOpcode::kFinishRegion) {
+      node->opcode() != IrOpcode::kFinishRegion &&
+      node->opcode() != IrOpcode::kTypeGuard) {
     Node* constant = TryGetConstant(jsgraph(), node);
     if (constant != nullptr) {
       DCHECK(NodeProperties::IsTyped(constant));