[Backport] CVE-2025-6554: Type Confusion in V8

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/6682542:
don't elide hole checks across optional chain

(cherry picked from commit 22e9d9621de58ec6fe6581b56215059a48451b9f)

Bug: 427663123
Change-Id: Iefdb15828d807bf9452b88e918a4b46cc2d422fa
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6678591
Commit-Queue: Stephen Röttger <[email protected]>
Reviewed-by: Toon Verwaest <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#101050}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6682542
Reviewed-by: Leszek Swirski <[email protected]>
Reviewed-by: Camillo Bruni <[email protected]>
Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
Auto-Submit: Gyuyoung Kim (xWF) <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.2@{#100}
Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/659335
Reviewed-by: Moss Heim <[email protected]>

Author: sroettger

chromium/v8/src/interpreter/bytecode-generator.cc

@@ -1206,7 +1206,8 @@ class V8_NODISCARD BytecodeGenerator::OptionalChainNullLabelScope final {
  public:
   explicit OptionalChainNullLabelScope(BytecodeGenerator* bytecode_generator)
       : bytecode_generator_(bytecode_generator),
-        labels_(bytecode_generator->zone()) {
+        labels_(bytecode_generator->zone()),
+        hole_check_scope_(bytecode_generator) {
     prev_ = bytecode_generator_->optional_chaining_null_labels_;
     bytecode_generator_->optional_chaining_null_labels_ = &labels_;
   }
@@ -1221,6 +1222,9 @@ class V8_NODISCARD BytecodeGenerator::OptionalChainNullLabelScope final {
   BytecodeGenerator* bytecode_generator_;
   BytecodeLabels labels_;
   BytecodeLabels* prev_;
+  // Use the same scope for the entire optional chain, as links earlier in the
+  // chain dominate later links, linearly.
+  HoleCheckElisionScope hole_check_scope_;
 };
 
 // LoopScope delimits the scope of {loop}, from its header to its final jump.
@@ -6338,9 +6342,6 @@ template <typename ExpressionFunc>
 void BytecodeGenerator::BuildOptionalChain(ExpressionFunc expression_func) {
   BytecodeLabel done;
   OptionalChainNullLabelScope label_scope(this);
-  // Use the same scope for the entire optional chain, as links earlier in the
-  // chain dominate later links, linearly.
-  HoleCheckElisionScope elider(this);
   expression_func();
   builder()->Jump(&done);
   label_scope.labels()->Bind(builder());