CVE-2025-12429: Inappropriate implementation in V8

mibrunin · mibrunin · commit 84e4fb2806f2 · 2025-11-07T15:25:22.000Z
The upstream fix for a recently reported security issue caused regressions in the LTS branches of Chromium. To mitigate the risk, this patch reverts the change that enabled the feature that contains the security bug. Manual revert of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/4521712: [interpreter] Enable TDZ elision by default Bug: v8:13723 Change-Id: I003bbb2b6b5eb58837cb35e1db088218ed9b6d3c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4521712 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#87775} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/687659 Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/689571
diff --git a/chromium/v8/src/flags/flag-definitions.h b/chromium/v8/src/flags/flag-definitions.h
@@ -1004,8 +1004,9 @@ DEFINE_BOOL(ignition_filter_expression_positions, true,
 DEFINE_BOOL(ignition_share_named_property_feedback, true,
             "share feedback slots when loading the same named property from "
             "the same object")
-DEFINE_BOOL(ignition_elide_redundant_tdz_checks, true,
+DEFINE_BOOL(ignition_elide_redundant_tdz_checks, false,
             "elide TDZ checks dominated by other TDZ checks")
+DEFINE_WEAK_IMPLICATION(future, ignition_elide_redundant_tdz_checks)
 DEFINE_BOOL(print_bytecode, false,
             "print bytecode generated by ignition interpreter")
 DEFINE_BOOL(enable_lazy_source_positions, V8_LAZY_SOURCE_POSITIONS_BOOL,
