CSS integration - image from inline style from document with base tag

From 7d8616b2b7339a9f5f316e7d9a80ac9c36cd7a86 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Wed, 24 Mar 2021 01:55:51 +0100 Subject: [PATCH 01/48] chore: cherry-pick e1505713dc31 from chromium (#28234) --- patches/chromium/.patches | 1 + ...s_use_the_document_s_url_as_referrer.patch | 447 ++++++++++++++++++ 2 files changed, 448 insertions(+) create mode 100644 patches/chromium/css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 83acfecbfe6ce..33275bdc72308 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -160,3 +160,4 @@ cherry-pick-b3dc4c4b349d.patch cherry-pick-c6d6f7aee733.patch cherry-pick-37210e5ab006.patch reland_reland_fsa_add_issafepathcomponent_checks_to.patch +css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch diff --git a/patches/chromium/css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch b/patches/chromium/css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch new file mode 100644 index 0000000000000..0883a3c9c5561 --- /dev/null +++ b/patches/chromium/css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch @@ -0,0 +1,447 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: David Van Cleve +Date: Thu, 4 Mar 2021 16:50:46 +0000 +Subject: css: Make fetches from inline CSS use the document's URL as referrer + +Right now, fetches from inline CSS use the inline CSS's base URL +instead of the URL from the context that embeds the inline CSS: for +instance, loading a source-site.com page with the following code + + +should lead to the best-sheet.com sheet getting fetched with a +source-site.com referrer, but it will currently provide an +other-site.com referrer. However, if the imported sheet from +best-sheet.com makes more nested fetches, those nested requests should +use best-sheet.com as the basis for their referrers (as they do +currently). + +This CL updates CSSParserContext's referrer setting logic to roughly do +the following: +- inline CSS: use the embedding document's URL as the referrer, or, for +srcdoc iframes, walk up the frame tree until hitting a non-srcdoc frame +- requests from fetched stylesheets: just as currently, use the fetched +sheet's URL as the basis for constructing the referrer + +This seemed like it required refactoring CSSParserContext slightly +because there are constructors that take both a Document and a base URL, +and it's not obvious from the constructor signature whether the +Document or the base URL should be the one that provides the referrer. +To resolve this ambiguity, the refactor updates these CSSParserContext +constructors to take caller-provided Referrer objects. + +(cherry picked from commit 0b1539fcb923056624d4adc84b88140d367d92da) + +Change-Id: If5a99d8057dff5e771e821d0e1f605566e28ff1d +Fixed: 1158645, 1158010 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2592447 +Reviewed-by: Rune Lillesveen +Reviewed-by: Matt Falkenhagen +Commit-Queue: David Van Cleve +Cr-Original-Commit-Position: refs/heads/master@{#841509} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2731576 +Reviewed-by: Achuith Bhandarkar +Commit-Queue: Victor-Gabriel Savu +Cr-Commit-Position: refs/branch-heads/4240@{#1558} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/third_party/blink/renderer/core/css/css_style_sheet.cc b/third_party/blink/renderer/core/css/css_style_sheet.cc +index c168b0a244865e3c390989e3e5af275fdef2a4cd..10efc5bd894c16de745b7f4bb07268719f443e73 100644 +--- a/third_party/blink/renderer/core/css/css_style_sheet.cc ++++ b/third_party/blink/renderer/core/css/css_style_sheet.cc +@@ -37,6 +37,7 @@ + #include "third_party/blink/renderer/core/dom/document.h" + #include "third_party/blink/renderer/core/dom/node.h" + #include "third_party/blink/renderer/core/frame/deprecation.h" ++#include "third_party/blink/renderer/core/frame/local_dom_window.h" + #include "third_party/blink/renderer/core/html/html_link_element.h" + #include "third_party/blink/renderer/core/html/html_style_element.h" + #include "third_party/blink/renderer/core/html_names.h" +@@ -138,9 +139,15 @@ CSSStyleSheet* CSSStyleSheet::CreateInline(Node& owner_node, + const KURL& base_url, + const TextPosition& start_position, + const WTF::TextEncoding& encoding) { ++ Document& owner_node_document = owner_node.GetDocument(); + auto* parser_context = MakeGarbageCollected( +- owner_node.GetDocument(), owner_node.GetDocument().BaseURL(), +- true /* origin_clean */, owner_node.GetDocument().GetReferrerPolicy(), ++ owner_node_document, owner_node_document.BaseURL(), ++ true /* origin_clean */, ++ Referrer( ++ owner_node_document.GetExecutionContext() ++ ? owner_node_document.GetExecutionContext()->OutgoingReferrer() ++ : String(), // GetExecutionContext() only returns null in tests. ++ owner_node.GetDocument().GetReferrerPolicy()), + encoding); + if (AdTracker::IsAdScriptExecutingInDocument(&owner_node.GetDocument())) + parser_context->SetIsAdRelated(); +diff --git a/third_party/blink/renderer/core/css/parser/css_parser_context.cc b/third_party/blink/renderer/core/css/parser/css_parser_context.cc +index 5c1292cf13b4265c3db36fd3c1a71a30b3c81c68..b636bd5388a871fd284a74b7926aeb5922e274e5 100644 +--- a/third_party/blink/renderer/core/css/parser/css_parser_context.cc ++++ b/third_party/blink/renderer/core/css/parser/css_parser_context.cc +@@ -53,27 +53,25 @@ CSSParserContext::CSSParserContext(const CSSParserContext* other, + is_ad_related_ = other->is_ad_related_; + } + +-CSSParserContext::CSSParserContext( +- const CSSParserContext* other, +- const KURL& base_url, +- bool origin_clean, +- network::mojom::ReferrerPolicy referrer_policy, +- const WTF::TextEncoding& charset, +- const Document* use_counter_document) +- : CSSParserContext( +- base_url, +- origin_clean, +- charset, +- other->mode_, +- other->match_mode_, +- other->profile_, +- Referrer(base_url.StrippedForUseAsReferrer(), referrer_policy), +- other->is_html_document_, +- other->use_legacy_background_size_shorthand_behavior_, +- other->secure_context_mode_, +- other->should_check_content_security_policy_, +- use_counter_document, +- other->resource_fetch_restriction_) { ++CSSParserContext::CSSParserContext(const CSSParserContext* other, ++ const KURL& base_url, ++ bool origin_clean, ++ const Referrer& referrer, ++ const WTF::TextEncoding& charset, ++ const Document* use_counter_document) ++ : CSSParserContext(base_url, ++ origin_clean, ++ charset, ++ other->mode_, ++ other->match_mode_, ++ other->profile_, ++ referrer, ++ other->is_html_document_, ++ other->use_legacy_background_size_shorthand_behavior_, ++ other->secure_context_mode_, ++ other->should_check_content_security_policy_, ++ use_counter_document, ++ other->resource_fetch_restriction_) { + is_ad_related_ = other->is_ad_related_; + } + +@@ -96,18 +94,23 @@ CSSParserContext::CSSParserContext(CSSParserMode mode, + ResourceFetchRestriction::kNone) {} + + CSSParserContext::CSSParserContext(const Document& document) +- : CSSParserContext(document, +- document.BaseURL(), +- true /* origin_clean */, +- document.GetReferrerPolicy(), +- WTF::TextEncoding(), +- kLiveProfile) {} ++ : CSSParserContext( ++ document, ++ document.BaseURL(), ++ true /* origin_clean */, ++ Referrer(document.GetExecutionContext() ++ ? document.GetExecutionContext()->OutgoingReferrer() ++ : String(), // GetExecutionContext() only returns null ++ // in tests. ++ document.GetReferrerPolicy()), ++ WTF::TextEncoding(), ++ kLiveProfile) {} + + CSSParserContext::CSSParserContext( + const Document& document, + const KURL& base_url_override, + bool origin_clean, +- network::mojom::ReferrerPolicy referrer_policy_override, ++ const Referrer& referrer, + const WTF::TextEncoding& charset, + SelectorProfile profile, + enum ResourceFetchRestriction resource_fetch_restriction) +@@ -122,8 +125,7 @@ CSSParserContext::CSSParserContext( + : kHTMLStandardMode) + : document.InQuirksMode() ? kHTMLQuirksMode : kHTMLStandardMode, + profile, +- Referrer(base_url_override.StrippedForUseAsReferrer(), +- referrer_policy_override), ++ referrer, + IsA(document), + document.GetSettings() + ? document.GetSettings() +diff --git a/third_party/blink/renderer/core/css/parser/css_parser_context.h b/third_party/blink/renderer/core/css/parser/css_parser_context.h +index 33b458f21910bcbfdb6956b02cd2ef56bb39778b..8d7ec9e6b7a14fffaaf72dcd0d2c0d0f062dbbfa 100644 +--- a/third_party/blink/renderer/core/css/parser/css_parser_context.h ++++ b/third_party/blink/renderer/core/css/parser/css_parser_context.h +@@ -40,10 +40,15 @@ class CORE_EXPORT CSSParserContext final + explicit CSSParserContext(const CSSParserContext* other, + const Document* use_counter_document = nullptr); + ++ // Creates a context with most of its constructor attributes provided by ++ // copying from |other|, except that the remaining constructor arguments take ++ // precedence over the corresponding characteristics of |other|. This is ++ // useful for initializing @imported sheets' contexts, which inherit most of ++ // their characteristics from their parents. + CSSParserContext(const CSSParserContext* other, + const KURL& base_url_override, + bool origin_clean, +- network::mojom::ReferrerPolicy referrer_policy_override, ++ const Referrer& referrer, + const WTF::TextEncoding& charset_override, + const Document* use_counter_document); + CSSParserContext(CSSParserMode, +@@ -54,7 +59,7 @@ class CORE_EXPORT CSSParserContext final + CSSParserContext(const Document&, + const KURL& base_url_override, + bool origin_clean, +- network::mojom::ReferrerPolicy referrer_policy_override, ++ const Referrer& referrer, + const WTF::TextEncoding& charset = WTF::TextEncoding(), + SelectorProfile = kLiveProfile, + ResourceFetchRestriction resource_fetch_restriction = +@@ -69,7 +74,7 @@ class CORE_EXPORT CSSParserContext final + CSSParserMode, + CSSParserMode match_mode, + SelectorProfile, +- const Referrer&, ++ const Referrer& referrer, + bool is_html_document, + bool use_legacy_background_size_shorthand_behavior, + SecureContextMode, +diff --git a/third_party/blink/renderer/core/css/selector_query.cc b/third_party/blink/renderer/core/css/selector_query.cc +index 722b751f19207b070664d79c5a9cc758f1c044f4..35d9d926f2e1ac0c2d032817b87c1079af9408ec 100644 +--- a/third_party/blink/renderer/core/css/selector_query.cc ++++ b/third_party/blink/renderer/core/css/selector_query.cc +@@ -535,9 +535,8 @@ SelectorQuery* SelectorQueryCache::Add(const AtomicString& selectors, + + CSSSelectorList selector_list = CSSParser::ParseSelector( + MakeGarbageCollected( +- document, document.BaseURL(), true /* origin_clean */, +- document.GetReferrerPolicy(), WTF::TextEncoding(), +- CSSParserContext::kSnapshotProfile), ++ document, document.BaseURL(), true /* origin_clean */, Referrer(), ++ WTF::TextEncoding(), CSSParserContext::kSnapshotProfile), + nullptr, selectors); + + if (!selector_list.First()) { +diff --git a/third_party/blink/renderer/core/css/selector_query_test.cc b/third_party/blink/renderer/core/css/selector_query_test.cc +index 8d701d91372e5c2fb4b1a30f190f629f95e1b0b2..bf14850baf8dd2e92f74b89b78963a367440a704 100644 +--- a/third_party/blink/renderer/core/css/selector_query_test.cc ++++ b/third_party/blink/renderer/core/css/selector_query_test.cc +@@ -72,9 +72,8 @@ TEST(SelectorQueryTest, NotMatchingPseudoElement) { + + CSSSelectorList selector_list = CSSParser::ParseSelector( + MakeGarbageCollected( +- *document, NullURL(), true /* origin_clean */, +- network::mojom::ReferrerPolicy::kDefault, WTF::TextEncoding(), +- CSSParserContext::kSnapshotProfile), ++ *document, NullURL(), true /* origin_clean */, Referrer(), ++ WTF::TextEncoding(), CSSParserContext::kSnapshotProfile), + nullptr, "span::before"); + std::unique_ptr query = + SelectorQuery::Adopt(std::move(selector_list)); +@@ -83,9 +82,8 @@ TEST(SelectorQueryTest, NotMatchingPseudoElement) { + + selector_list = CSSParser::ParseSelector( + MakeGarbageCollected( +- *document, NullURL(), true /* origin_clean */, +- network::mojom::ReferrerPolicy::kDefault, WTF::TextEncoding(), +- CSSParserContext::kSnapshotProfile), ++ *document, NullURL(), true /* origin_clean */, Referrer(), ++ WTF::TextEncoding(), CSSParserContext::kSnapshotProfile), + nullptr, "span"); + query = SelectorQuery::Adopt(std::move(selector_list)); + elm = query->QueryFirst(*document); +@@ -103,9 +101,8 @@ TEST(SelectorQueryTest, LastOfTypeNotFinishedParsing) { + + CSSSelectorList selector_list = CSSParser::ParseSelector( + MakeGarbageCollected( +- *document, NullURL(), true /* origin_clean */, +- network::mojom::ReferrerPolicy::kDefault, WTF::TextEncoding(), +- CSSParserContext::kSnapshotProfile), ++ *document, NullURL(), true /* origin_clean */, Referrer(), ++ WTF::TextEncoding(), CSSParserContext::kSnapshotProfile), + nullptr, "p:last-of-type"); + std::unique_ptr query = + SelectorQuery::Adopt(std::move(selector_list)); +diff --git a/third_party/blink/renderer/core/css/style_rule_import.cc b/third_party/blink/renderer/core/css/style_rule_import.cc +index 447d130a9c29a698c81c0436b318058172b3a7ef..857fb15c74063613d467c29829eda0a8ea18b9bb 100644 +--- a/third_party/blink/renderer/core/css/style_rule_import.cc ++++ b/third_party/blink/renderer/core/css/style_rule_import.cc +@@ -83,8 +83,9 @@ void StyleRuleImport::NotifyFinished(Resource* resource) { + CSSParserContext* context = MakeGarbageCollected( + parent_context, cached_style_sheet->GetResponse().ResponseUrl(), + cached_style_sheet->GetResponse().IsCorsSameOrigin(), +- cached_style_sheet->GetReferrerPolicy(), cached_style_sheet->Encoding(), +- document); ++ Referrer(cached_style_sheet->GetResponse().ResponseUrl(), ++ cached_style_sheet->GetReferrerPolicy()), ++ cached_style_sheet->Encoding(), document); + if (cached_style_sheet->GetResourceRequest().IsAdResource()) + context->SetIsAdRelated(); + +diff --git a/third_party/blink/renderer/core/dom/processing_instruction.cc b/third_party/blink/renderer/core/dom/processing_instruction.cc +index 739226d95f964ebf4ae35983c6e1cd5faa01b324..1a1ead65c7642350f7d13364046f665c021bc3b0 100644 +--- a/third_party/blink/renderer/core/dom/processing_instruction.cc ++++ b/third_party/blink/renderer/core/dom/processing_instruction.cc +@@ -206,7 +206,9 @@ void ProcessingInstruction::NotifyFinished(Resource* resource) { + auto* parser_context = MakeGarbageCollected( + GetDocument(), style_resource->GetResponse().ResponseUrl(), + style_resource->GetResponse().IsCorsSameOrigin(), +- style_resource->GetReferrerPolicy(), style_resource->Encoding()); ++ Referrer(style_resource->GetResponse().ResponseUrl(), ++ style_resource->GetReferrerPolicy()), ++ style_resource->Encoding()); + if (style_resource->GetResourceRequest().IsAdResource()) + parser_context->SetIsAdRelated(); + +diff --git a/third_party/blink/renderer/core/html/link_style.cc b/third_party/blink/renderer/core/html/link_style.cc +index 5036ac1f0cb9613772c704a6dc5c5e2496ab5567..5e3b7e361ae1ebe2ff89f10448eac4fe33352031 100644 +--- a/third_party/blink/renderer/core/html/link_style.cc ++++ b/third_party/blink/renderer/core/html/link_style.cc +@@ -88,7 +88,9 @@ void LinkStyle::NotifyFinished(Resource* resource) { + auto* parser_context = MakeGarbageCollected( + GetDocument(), cached_style_sheet->GetResponse().ResponseUrl(), + cached_style_sheet->GetResponse().IsCorsSameOrigin(), +- cached_style_sheet->GetReferrerPolicy(), cached_style_sheet->Encoding()); ++ Referrer(cached_style_sheet->GetResponse().ResponseUrl(), ++ cached_style_sheet->GetReferrerPolicy()), ++ cached_style_sheet->Encoding()); + if (cached_style_sheet->GetResourceRequest().IsAdResource()) { + parser_context->SetIsAdRelated(); + } +diff --git a/third_party/blink/renderer/core/html/track/vtt/vtt_parser.cc b/third_party/blink/renderer/core/html/track/vtt/vtt_parser.cc +index 0b6e9b6b8b66029f46ca79f24a2519f13e611005..e492003c470af4c7b96551f6dfee79d26f8b7c77 100644 +--- a/third_party/blink/renderer/core/html/track/vtt/vtt_parser.cc ++++ b/third_party/blink/renderer/core/html/track/vtt/vtt_parser.cc +@@ -244,9 +244,8 @@ VTTParser::ParseState VTTParser::CollectRegionSettings(const String& line) { + VTTParser::ParseState VTTParser::CollectStyleSheet(const String& line) { + if (line.IsEmpty() || line.Contains("-->")) { + auto* parser_context = MakeGarbageCollected( +- *document_, NullURL(), true /* origin_clean */, +- document_->GetReferrerPolicy(), UTF8Encoding(), +- CSSParserContext::kLiveProfile, ++ *document_, NullURL(), true /* origin_clean */, Referrer(), ++ UTF8Encoding(), CSSParserContext::kLiveProfile, + ResourceFetchRestriction::kOnlyDataUrls); + auto* style_sheet_contents = + MakeGarbageCollected(parser_context); +diff --git a/third_party/blink/web_tests/TestExpectations b/third_party/blink/web_tests/TestExpectations +index acf5033054cecc1099068e2452cfbef8f1ffbd95..0e9ac683c48befe5f3e740e0632bf93e7569c686 100644 +--- a/third_party/blink/web_tests/TestExpectations ++++ b/third_party/blink/web_tests/TestExpectations +@@ -3245,6 +3245,7 @@ virtual/webrtc-wpt-plan-b/external/wpt/webrtc/RTCPeerConnection-restartIce-onneg + # See also crbug.com/920100 (sheriff 2019-01-09). + crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/external-stylesheet.html [ Timeout Failure ] + crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/inline-style.html [ Timeout Failure ] ++crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/inline-style-with-differentorigin-base-tag.tentative.html [ Timeout Failure ] + crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/internal-stylesheet.html [ Timeout Failure ] + crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/presentation-attribute.html [ Timeout Failure ] + crbug.com/626703 external/wpt/referrer-policy/css-integration/svg/processing-instruction.html [ Timeout Failure ] +diff --git a/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/image/inline-style-with-differentorigin-base-tag.tentative.html b/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/image/inline-style-with-differentorigin-base-tag.tentative.html +new file mode 100644 +index 0000000000000000000000000000000000000000..091afd832ab35a76136b4242df1c1ec73aee109d +--- /dev/null ++++ b/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/image/inline-style-with-differentorigin-base-tag.tentative.html +@@ -0,0 +1,45 @@ ++ ++CSS integration - image from inline style from document with base tag ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++

Check that resources from inline styles are loaded with ++ the referrer and referrer policy from the document and, in ++ particular, not with the different base URL set in the base tag.

++ ++

++ ++ ++ ++

++ ++ +diff --git a/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/svg/inline-style-with-differentorigin-base-tag.tentative.html b/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/svg/inline-style-with-differentorigin-base-tag.tentative.html +new file mode 100644 +index 0000000000000000000000000000000000000000..9a8bc6da418bc7302138daba8cf06cb449bd2dfe +--- /dev/null ++++ b/third_party/blink/web_tests/external/wpt/referrer-policy/css-integration/svg/inline-style-with-differentorigin-base-tag.tentative.html +@@ -0,0 +1,40 @@ ++ ++ ++ ++ ++ CSS integration - styling SVG from inline style on page with different-origin base tag ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++

Check that resources from inline styles are loaded with ++ the referrer and referrer policy from the document and, in ++ particular, not from the document's overridden base URL.

++ ++ ++

++ ++ ++ +diff --git a/third_party/blink/web_tests/http/tests/css/resources/referrer-check.php b/third_party/blink/web_tests/http/tests/css/resources/referrer-check.php +index 69483e01544c842f56a51d00d1b2ee5dc24b4162..7a517de692f418c3c8b365d0f7aefb9e585c9da0 100644 +--- a/third_party/blink/web_tests/http/tests/css/resources/referrer-check.php ++++ b/third_party/blink/web_tests/http/tests/css/resources/referrer-check.php +@@ -31,7 +31,7 @@ $expectedReferrerPaths = array( + "document" => "/css/css-resources-referrer.html", + "sheet" => "/css/resources/css-resources-referrer.css", + "importedSheet" => "/css/resources/css-resources-referrer-import.css", +- "iframe" => "/from/iframe.html" ++ "iframe" => "/css/css-resources-referrer-srcdoc.html" + ); + + $from = $_GET["from"]; From b44be5775254849576230679e8b9973a9c86ac03 Mon Sep 17 00:00:00 2001 From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com> Date: Thu, 25 Mar 2021 12:15:45 -0700 Subject: [PATCH 02/48] fix: disappearing thumbar after win.hide() (#28388) * fix: disappearing thumbar after win.hide() * Add descriptive comment Co-authored-by: Shelley Vohr --- shell/browser/native_window_views.cc | 8 ++++++++ shell/browser/ui/win/taskbar_host.cc | 5 +++-- shell/browser/ui/win/taskbar_host.h | 2 ++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/shell/browser/native_window_views.cc b/shell/browser/native_window_views.cc index 2770db5d08ee3..710887f3bca49 100644 --- a/shell/browser/native_window_views.cc +++ b/shell/browser/native_window_views.cc @@ -421,6 +421,14 @@ void NativeWindowViews::Hide() { if (global_menu_bar_) global_menu_bar_->OnWindowUnmapped(); #endif + +#if defined(OS_WIN) + // When the window is removed from the taskbar via win.hide(), + // the thumbnail buttons need to be set up again. + // Ensure that when the window is hidden, + // the taskbar host is notified that it should re-add them. + taskbar_host_.SetThumbarButtonsAdded(false); +#endif } bool NativeWindowViews::IsVisible() { diff --git a/shell/browser/ui/win/taskbar_host.cc b/shell/browser/ui/win/taskbar_host.cc index 717937b5855df..56fdc8668ca7b 100644 --- a/shell/browser/ui/win/taskbar_host.cc +++ b/shell/browser/ui/win/taskbar_host.cc @@ -114,11 +114,12 @@ bool TaskbarHost::SetThumbarButtons(HWND window, // Finally add them to taskbar. HRESULT r; - if (thumbar_buttons_added_) + if (thumbar_buttons_added_) { r = taskbar_->ThumbBarUpdateButtons(window, kMaxButtonsCount, thumb_buttons); - else + } else { r = taskbar_->ThumbBarAddButtons(window, kMaxButtonsCount, thumb_buttons); + } thumbar_buttons_added_ = true; last_buttons_ = buttons; diff --git a/shell/browser/ui/win/taskbar_host.h b/shell/browser/ui/win/taskbar_host.h index 886633ff2789e..f97070618944c 100644 --- a/shell/browser/ui/win/taskbar_host.h +++ b/shell/browser/ui/win/taskbar_host.h @@ -60,6 +60,8 @@ class TaskbarHost { // Called by the window that there is a button in thumbar clicked. bool HandleThumbarButtonEvent(int button_id); + void SetThumbarButtonsAdded(bool added) { thumbar_buttons_added_ = added; } + private: // Initialize the taskbar object. bool InitializeTaskbar(); From ce1242981456b3a3498edfb3bf8e392453062df5 Mon Sep 17 00:00:00 2001 From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com> Date: Wed, 7 Apr 2021 09:47:42 +0900 Subject: [PATCH 03/48] ci: Add goma fallback flag (#28547) * ci: fallback to local compile if goma auth fails * use correct flag Co-authored-by: John Kleinschmidt --- .circleci/config.yml | 1 + appveyor.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 6ce9a15d0cb83..48df451e63527 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -303,6 +303,7 @@ step-setup-goma-for-build: &step-setup-goma-for-build third_party/goma/goma_ctl.py ensure_start echo 'export GN_GOMA_FILE='`node -e "console.log(require('./src/utils/goma.js').gnFilePath)"` >> $BASH_ENV echo 'export LOCAL_GOMA_DIR='`node -e "console.log(require('./src/utils/goma.js').dir)"` >> $BASH_ENV + echo 'export GOMA_FALLBACK_ON_AUTH_FAILURE=true' >> $BASH_ENV cd .. step-restore-brew-cache: &step-restore-brew-cache diff --git a/appveyor.yml b/appveyor.yml index 9945b1faf5f81..20f07607e825d 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -36,6 +36,7 @@ environment: ELECTRON_ENABLE_STACK_DUMPING: 1 MOCHA_REPORTER: mocha-multi-reporters MOCHA_MULTI_REPORTERS: mocha-appveyor-reporter, tap + GOMA_FALLBACK_ON_AUTH_FAILURE: true notifications: - provider: Webhook url: https://electron-mission-control.herokuapp.com/rest/appveyor-hook From 18d60df17363830eee8938382f0e837117e8fc2f Mon Sep 17 00:00:00 2001 From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com> Date: Mon, 12 Apr 2021 00:14:36 -0700 Subject: [PATCH 04/48] docs: systemPreferences.subscribeWorkspaceNotification return type (#28611) Co-authored-by: Samuel Maddock --- docs/api/system-preferences.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/api/system-preferences.md b/docs/api/system-preferences.md index a9c5ed5c5b4cd..704c72ea4c594 100644 --- a/docs/api/system-preferences.md +++ b/docs/api/system-preferences.md @@ -132,6 +132,8 @@ This is necessary for events such as `NSUserDefaultsDidChangeNotification`. * `userInfo` Record * `object` String +Returns `Number` - The ID of this subscription + Same as `subscribeNotification`, but uses `NSWorkspace.sharedWorkspace.notificationCenter`. This is necessary for events such as `NSWorkspaceDidActivateApplicationNotification`. From 602f65ab5dab248f178f347f62fbb73b9be1f4bd Mon Sep 17 00:00:00 2001 From: Electron Bot Date: Tue, 13 Apr 2021 13:29:37 -0700 Subject: [PATCH 05/48] chore: cherry-pick 02f84c745fc0 from v8 (#28640) * chore: cherry-pick 02f84c745fc0 from v8 * update patches --- patches/v8/.patches | 1 + patches/v8/cherry-pick-02f84c745fc0.patch | 89 +++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 patches/v8/cherry-pick-02f84c745fc0.patch diff --git a/patches/v8/.patches b/patches/v8/.patches index 9ea034424d9a4..2ed7487d57628 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -25,3 +25,4 @@ cherry-pick-36abafa0a316.patch merged_interpreter_store_accumulator_to_callee_after_optional.patch reland_regexp_hard-crash_on_invalid_offsets_in.patch regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch +cherry-pick-02f84c745fc0.patch diff --git a/patches/v8/cherry-pick-02f84c745fc0.patch b/patches/v8/cherry-pick-02f84c745fc0.patch new file mode 100644 index 0000000000000..d6ac1746a93c3 --- /dev/null +++ b/patches/v8/cherry-pick-02f84c745fc0.patch @@ -0,0 +1,89 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Mon, 12 Apr 2021 09:42:03 +0200 +Subject: Fix bug in InstructionSelector::ChangeInt32ToInt64 + +Bug: chromium:1196683 +Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820971 +Commit-Queue: Georg Neis +Reviewed-by: Nico Hartmann +Cr-Commit-Position: refs/heads/master@{#73903} + +diff --git a/src/compiler/backend/x64/instruction-selector-x64.cc b/src/compiler/backend/x64/instruction-selector-x64.cc +index ab669864954fb5335b0e98881351a43134f870a4..82d8cbd6f7ec5309461d03fb1769382d0bf19877 100644 +--- a/src/compiler/backend/x64/instruction-selector-x64.cc ++++ b/src/compiler/backend/x64/instruction-selector-x64.cc +@@ -1270,7 +1270,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) { + opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq; + break; + case MachineRepresentation::kWord32: +- opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl; ++ // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit ++ // integer, so here we must sign-extend the loaded value in any case. ++ opcode = kX64Movsxlq; + break; + default: + UNREACHABLE(); +diff --git a/test/mjsunit/compiler/regress-1196683.js b/test/mjsunit/compiler/regress-1196683.js +new file mode 100644 +index 0000000000000000000000000000000000000000..abd7d6b2f8da45991e1e3b6c72582bc716d63efb +--- /dev/null ++++ b/test/mjsunit/compiler/regress-1196683.js +@@ -0,0 +1,56 @@ ++// Copyright 2021 the V8 project authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++// Flags: --allow-natives-syntax ++ ++ ++(function() { ++ const arr = new Uint32Array([2**31]); ++ function foo() { ++ return (arr[0] ^ 0) + 1; ++ } ++ %PrepareFunctionForOptimization(foo); ++ assertEquals(-(2**31) + 1, foo()); ++ %OptimizeFunctionOnNextCall(foo); ++ assertEquals(-(2**31) + 1, foo()); ++}); ++ ++ ++// The remaining tests already passed without the bugfix. ++ ++ ++(function() { ++ const arr = new Uint16Array([2**15]); ++ function foo() { ++ return (arr[0] ^ 0) + 1; ++ } ++ %PrepareFunctionForOptimization(foo); ++ assertEquals(2**15 + 1, foo()); ++ %OptimizeFunctionOnNextCall(foo); ++ assertEquals(2**15 + 1, foo()); ++})(); ++ ++ ++(function() { ++ const arr = new Uint8Array([2**7]); ++ function foo() { ++ return (arr[0] ^ 0) + 1; ++ } ++ %PrepareFunctionForOptimization(foo); ++ assertEquals(2**7 + 1, foo()); ++ %OptimizeFunctionOnNextCall(foo); ++ assertEquals(2**7 + 1, foo()); ++})(); ++ ++ ++(function() { ++ const arr = new Int32Array([-(2**31)]); ++ function foo() { ++ return (arr[0] >>> 0) + 1; ++ } ++ %PrepareFunctionForOptimization(foo); ++ assertEquals(2**31 + 1, foo()); ++ %OptimizeFunctionOnNextCall(foo); ++ assertEquals(2**31 + 1, foo()); ++})(); From 792d1892417f5fd8ec7dee0fcbabad965ed8c9ce Mon Sep 17 00:00:00 2001 From: Electron Bot Date: Tue, 13 Apr 2021 13:36:46 -0700 Subject: [PATCH 06/48] Bump v10.4.3 --- ELECTRON_VERSION | 2 +- package.json | 2 +- shell/browser/resources/win/electron.rc | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ELECTRON_VERSION b/ELECTRON_VERSION index d3a69816afe67..32002b998f80d 100644 --- a/ELECTRON_VERSION +++ b/ELECTRON_VERSION @@ -1 +1 @@ -10.4.2 \ No newline at end of file +10.4.3 \ No newline at end of file diff --git a/package.json b/package.json index bb61168bf2396..69658f1f0692e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "electron", - "version": "10.4.2", + "version": "10.4.3", "repository": "https://github.com/electron/electron", "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS", "devDependencies": { diff --git a/shell/browser/resources/win/electron.rc b/shell/browser/resources/win/electron.rc index 043e314d7cebb..30db59c83a714 100644 --- a/shell/browser/resources/win/electron.rc +++ b/shell/browser/resources/win/electron.rc @@ -50,8 +50,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 10,4,2,0 - PRODUCTVERSION 10,4,2,0 + FILEVERSION 10,4,3,0 + PRODUCTVERSION 10,4,3,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -68,12 +68,12 @@ BEGIN BEGIN VALUE "CompanyName", "GitHub, Inc." VALUE "FileDescription", "Electron" - VALUE "FileVersion", "10.4.2" + VALUE "FileVersion", "10.4.3" VALUE "InternalName", "electron.exe" VALUE "LegalCopyright", "Copyright (C) 2015 GitHub, Inc. All rights reserved." VALUE "OriginalFilename", "electron.exe" VALUE "ProductName", "Electron" - VALUE "ProductVersion", "10.4.2" + VALUE "ProductVersion", "10.4.3" VALUE "SquirrelAwareVersion", "1" END END From 7c72a36b15f7b41a98eedfa2a4c163f4bf17794c Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Mon, 19 Apr 2021 15:52:15 +0200 Subject: [PATCH 07/48] chore: cherry-pick 3c80bb2a594f from chromium (#28690) * chore: cherry-pick 3c80bb2a594f from chromium * update patches Co-authored-by: Electron Bot --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-3c80bb2a594f.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 patches/chromium/cherry-pick-3c80bb2a594f.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 33275bdc72308..4ac900f0d0b70 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -161,3 +161,4 @@ cherry-pick-c6d6f7aee733.patch cherry-pick-37210e5ab006.patch reland_reland_fsa_add_issafepathcomponent_checks_to.patch css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch +cherry-pick-3c80bb2a594f.patch diff --git a/patches/chromium/cherry-pick-3c80bb2a594f.patch b/patches/chromium/cherry-pick-3c80bb2a594f.patch new file mode 100644 index 0000000000000..e8f0e9fcd93dc --- /dev/null +++ b/patches/chromium/cherry-pick-3c80bb2a594f.patch @@ -0,0 +1,46 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jana Grill +Date: Wed, 14 Apr 2021 08:40:10 +0000 +Subject: Forbid script execution while updating the paint lifecycle. + +(cherry picked from commit 5425d3b100fab533ea9ddc2ed8fbfc4870db0587) + +Bug: 1196781 +Change-Id: Idc8d24792d5c413691977b09ca821de4e13887ad +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2812000 +Commit-Queue: Adrian Taylor +Commit-Queue: Robert Flack +Reviewed-by: Xianzhu Wang +Cr-Original-Commit-Position: refs/heads/master@{#870275} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821879 +Reviewed-by: Robert Flack +Reviewed-by: Achuith Bhandarkar +Reviewed-by: Victor-Gabriel Savu +Commit-Queue: Jana Grill +Cr-Commit-Position: refs/branch-heads/4240@{#1601} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/third_party/blink/renderer/core/frame/local_frame_view.cc b/third_party/blink/renderer/core/frame/local_frame_view.cc +index 9a4c7a5249424b021759bf7895dd3f343b9641e6..37054d34157e7f4b4d65b022cdb83c832deb26a8 100644 +--- a/third_party/blink/renderer/core/frame/local_frame_view.cc ++++ b/third_party/blink/renderer/core/frame/local_frame_view.cc +@@ -2648,11 +2648,14 @@ void LocalFrameView::RunPaintLifecyclePhase() { + for (PaintLayerScrollableArea* area : *animating_scrollable_areas) + area->UpdateCompositorScrollAnimations(); + } +- frame_view.GetLayoutView() +- ->GetDocument() +- .GetDocumentAnimations() +- .UpdateAnimations(DocumentLifecycle::kPaintClean, +- paint_artifact_compositor_.get()); ++ { ++ ScriptForbiddenScope forbid_script; ++ frame_view.GetLayoutView() ++ ->GetDocument() ++ .GetDocumentAnimations() ++ .UpdateAnimations(DocumentLifecycle::kPaintClean, ++ paint_artifact_compositor_.get()); ++ } + }); + + // Initialize animation properties in the newly created paint property From bb913bc17b88032659d4649fa75075cc7da451dd Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Mon, 19 Apr 2021 15:54:40 +0200 Subject: [PATCH 08/48] chore: cherry-pick 254c7945ee from v8 (#28698) --- patches/v8/.patches | 1 + ..._fix_bug_in_optimizedframe_summarize.patch | 209 ++++++++++++++++++ 2 files changed, 210 insertions(+) create mode 100644 patches/v8/merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch diff --git a/patches/v8/.patches b/patches/v8/.patches index 2ed7487d57628..f36b2e4f9d937 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -26,3 +26,4 @@ merged_interpreter_store_accumulator_to_callee_after_optional.patch reland_regexp_hard-crash_on_invalid_offsets_in.patch regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch cherry-pick-02f84c745fc0.patch +merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch diff --git a/patches/v8/merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch b/patches/v8/merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch new file mode 100644 index 0000000000000..1bed8ccc93d16 --- /dev/null +++ b/patches/v8/merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch @@ -0,0 +1,209 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Tue, 23 Mar 2021 17:37:21 +0100 +Subject: Merged: [deoptimizer] Fix bug in OptimizedFrame::Summarize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Revision: 3353a7d0b017146d543434be4036a81aaf7d25ae + +BUG=chromium:1182647 +NOTRY=true +NOPRESUBMIT=true +NOTREECHECKS=true +R=bmeurer@chromium.org + +(cherry picked from commit c0c96b768a7d3463b11403874549e6496529740d) + +Change-Id: I86abd6a3f34169be5f99aa9f54bb7bb3706fa85a +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2780300 +Reviewed-by: Georg Neis +Reviewed-by: Benedikt Meurer +Commit-Queue: Georg Neis +Cr-Original-Commit-Position: refs/branch-heads/8.9@{#49} +Cr-Original-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1} +Cr-Original-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039} +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794427 +Reviewed-by: Victor-Gabriel Savu +Commit-Queue: Artem Sumaneev +Cr-Commit-Position: refs/branch-heads/8.6@{#72} +Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} +Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} + +diff --git a/src/deoptimizer/deoptimizer.cc b/src/deoptimizer/deoptimizer.cc +index 804b77c065723de1d27ace6bbbe5456ef42fbad0..b89975ce2edd1a16fd65d6e5cbc0c9d098691691 100644 +--- a/src/deoptimizer/deoptimizer.cc ++++ b/src/deoptimizer/deoptimizer.cc +@@ -3277,7 +3277,8 @@ Address TranslatedState::DecompressIfNeeded(intptr_t value) { + } + } + +-TranslatedState::TranslatedState(const JavaScriptFrame* frame) { ++TranslatedState::TranslatedState(const JavaScriptFrame* frame) ++ : purpose_(kFrameInspection) { + int deopt_index = Safepoint::kNoDeoptimizationIndex; + DeoptimizationData data = + static_cast(frame)->GetDeoptimizationData( +@@ -3666,25 +3667,63 @@ void TranslatedState::EnsureCapturedObjectAllocatedAt( + } + + default: +- CHECK(map->IsJSObjectMap()); + EnsureJSObjectAllocated(slot, map); +- TranslatedValue* properties_slot = &(frame->values_[value_index]); +- value_index++; ++ int remaining_children_count = slot->GetChildrenCount() - 1; ++ ++ TranslatedValue* properties_slot = frame->ValueAt(value_index); ++ value_index++, remaining_children_count--; + if (properties_slot->kind() == TranslatedValue::kCapturedObject) { +- // If we are materializing the property array, make sure we put +- // the mutable heap numbers at the right places. ++ // We are materializing the property array, so make sure we put the ++ // mutable heap numbers at the right places. + EnsurePropertiesAllocatedAndMarked(properties_slot, map); + EnsureChildrenAllocated(properties_slot->GetChildrenCount(), frame, + &value_index, worklist); ++ } else { ++ CHECK_EQ(properties_slot->kind(), TranslatedValue::kTagged); + } +- // Make sure all the remaining children (after the map and properties) are +- // allocated. +- return EnsureChildrenAllocated(slot->GetChildrenCount() - 2, frame, ++ ++ TranslatedValue* elements_slot = frame->ValueAt(value_index); ++ value_index++, remaining_children_count--; ++ if (elements_slot->kind() == TranslatedValue::kCapturedObject || ++ !map->IsJSArrayMap()) { ++ // Handle this case with the other remaining children below. ++ value_index--, remaining_children_count++; ++ } else { ++ CHECK_EQ(elements_slot->kind(), TranslatedValue::kTagged); ++ elements_slot->GetValue(); ++ if (purpose_ == kFrameInspection) { ++ // We are materializing a JSArray for the purpose of frame inspection. ++ // If we were to construct it with the above elements value then an ++ // actual deopt later on might create another JSArray instance with ++ // the same elements store. That would violate the key assumption ++ // behind left-trimming. ++ elements_slot->ReplaceElementsArrayWithCopy(); ++ } ++ } ++ ++ // Make sure all the remaining children (after the map, properties store, ++ // and possibly elements store) are allocated. ++ return EnsureChildrenAllocated(remaining_children_count, frame, + &value_index, worklist); + } + UNREACHABLE(); + } + ++void TranslatedValue::ReplaceElementsArrayWithCopy() { ++ DCHECK_EQ(kind(), TranslatedValue::kTagged); ++ DCHECK_EQ(materialization_state(), TranslatedValue::kFinished); ++ auto elements = Handle::cast(GetValue()); ++ DCHECK(elements->IsFixedArray() || elements->IsFixedDoubleArray()); ++ if (elements->IsFixedDoubleArray()) { ++ DCHECK(!elements->IsCowArray()); ++ set_storage(isolate()->factory()->CopyFixedDoubleArray( ++ Handle::cast(elements))); ++ } else if (!elements->IsCowArray()) { ++ set_storage(isolate()->factory()->CopyFixedArray( ++ Handle::cast(elements))); ++ } ++} ++ + void TranslatedState::EnsureChildrenAllocated(int count, TranslatedFrame* frame, + int* value_index, + std::stack* worklist) { +@@ -3749,6 +3788,7 @@ Handle TranslatedState::AllocateStorageFor(TranslatedValue* slot) { + + void TranslatedState::EnsureJSObjectAllocated(TranslatedValue* slot, + Handle map) { ++ CHECK(map->IsJSObjectMap()); + CHECK_EQ(map->instance_size(), slot->GetChildrenCount() * kTaggedSize); + + Handle object_storage = AllocateStorageFor(slot); +diff --git a/src/deoptimizer/deoptimizer.h b/src/deoptimizer/deoptimizer.h +index 6c68ea1f96f00df51008a14d3ca7c7e672c47f0f..8f413cd93dc562cbda06e0b8bda5a37a7b4f09b9 100644 +--- a/src/deoptimizer/deoptimizer.h ++++ b/src/deoptimizer/deoptimizer.h +@@ -117,6 +117,8 @@ class TranslatedValue { + return storage_; + } + ++ void ReplaceElementsArrayWithCopy(); ++ + Kind kind_; + MaterializationState materialization_state_ = kUninitialized; + TranslatedState* container_; // This is only needed for materialization of +@@ -313,7 +315,15 @@ class TranslatedFrame { + + class TranslatedState { + public: +- TranslatedState() = default; ++ // There are two constructors, each for a different purpose: ++ ++ // The default constructor is for the purpose of deoptimizing an optimized ++ // frame (replacing it with one or several unoptimized frames). It is used by ++ // the Deoptimizer. ++ TranslatedState() : purpose_(kDeoptimization) {} ++ ++ // This constructor is for the purpose of merely inspecting an optimized ++ // frame. It is used by stack trace generation and various debugging features. + explicit TranslatedState(const JavaScriptFrame* frame); + + void Prepare(Address stack_frame_pointer); +@@ -347,6 +357,12 @@ class TranslatedState { + private: + friend TranslatedValue; + ++ // See the description of the constructors for an explanation of the two ++ // purposes. The only actual difference is that in the kFrameInspection case ++ // extra work is needed to not violate assumptions made by left-trimming. For ++ // details, see the code around ReplaceElementsArrayWithCopy. ++ enum Purpose { kDeoptimization, kFrameInspection }; ++ + TranslatedFrame CreateNextTranslatedFrame(TranslationIterator* iterator, + FixedArray literal_array, + Address fp, FILE* trace_file); +@@ -404,6 +420,7 @@ class TranslatedState { + static Float32 GetFloatSlot(Address fp, int slot_index); + static Float64 GetDoubleSlot(Address fp, int slot_index); + ++ Purpose const purpose_; + std::vector frames_; + Isolate* isolate_ = nullptr; + Address stack_frame_pointer_ = kNullAddress; +diff --git a/test/mjsunit/compiler/regress-1182647.js b/test/mjsunit/compiler/regress-1182647.js +new file mode 100644 +index 0000000000000000000000000000000000000000..e0582f7cbfb4f1e5d081443374248c1b5eb30a2e +--- /dev/null ++++ b/test/mjsunit/compiler/regress-1182647.js +@@ -0,0 +1,25 @@ ++// Copyright 2021 the V8 project authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++// Flags: --allow-natives-syntax --verify-heap ++ ++function foo() { ++ const arr = Array(1000); ++ ++ function bar() { ++ try { ({a: p4nda, b: arr.length}); } catch(e) {} ++ } ++ ++ for (var i = 0; i < 25; i++) bar(); ++ ++ /p4nda/.test({}); // Deopt here. ++ ++ arr.shift(); ++} ++ ++%PrepareFunctionForOptimization(foo); ++foo(); ++foo(); ++%OptimizeFunctionOnNextCall(foo); ++foo(); From 95b81c16c46869c0d9d548f50c6a77cb2c450e8a Mon Sep 17 00:00:00 2001 From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com> Date: Mon, 19 Apr 2021 19:59:11 -0400 Subject: [PATCH 09/48] build: read node files as binary files (#28733) Co-authored-by: John Kleinschmidt --- script/release/uploaders/upload-node-checksums.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/release/uploaders/upload-node-checksums.py b/script/release/uploaders/upload-node-checksums.py index 1774308320c10..41d509f2a6f72 100755 --- a/script/release/uploaders/upload-node-checksums.py +++ b/script/release/uploaders/upload-node-checksums.py @@ -88,7 +88,7 @@ def create_checksum(algorithm, directory, filename, files): lines = [] for path in files: h = hashlib.new(algorithm) - with open(path, 'r') as f: + with open(path, 'rb') as f: h.update(f.read()) lines.append(h.hexdigest() + ' ' + os.path.relpath(path, directory)) From 4f4c6a21611753a1a63c785b60326406f8eba748 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Tue, 20 Apr 2021 17:50:10 +0200 Subject: [PATCH 10/48] chore: cherry-pick 012e9baf46c9 from chromium (#28725) * chore: cherry-pick 012e9baf46c9 from chromium * update patches Co-authored-by: Electron Bot --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-012e9baf46c9.patch | 86 +++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 patches/chromium/cherry-pick-012e9baf46c9.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 4ac900f0d0b70..88e428d1fb54a 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -162,3 +162,4 @@ cherry-pick-37210e5ab006.patch reland_reland_fsa_add_issafepathcomponent_checks_to.patch css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch cherry-pick-3c80bb2a594f.patch +cherry-pick-012e9baf46c9.patch diff --git a/patches/chromium/cherry-pick-012e9baf46c9.patch b/patches/chromium/cherry-pick-012e9baf46c9.patch new file mode 100644 index 0000000000000..f2021d4766405 --- /dev/null +++ b/patches/chromium/cherry-pick-012e9baf46c9.patch @@ -0,0 +1,86 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jana Grill +Date: Thu, 15 Apr 2021 20:49:42 +0000 +Subject: Mojo: Remove some inappropriate DCHECKs + +There are a few places where we DCHECK conditions that cannot be +reliably asserted since they depend on untrusted inputs. These are +replaced with logic to conditionally terminate the connection to the +offending peer process. + +(cherry picked from commit a32b061fc92cc3864d036ffb8c22c12b05202589) + +Fixed: 1195333 +Change-Id: I0c6873bf55d6b0b1d0cbb3c2e5b256e1a57ff696 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2808893 +Reviewed-by: Robert Sesek +Commit-Queue: Ken Rockot +Cr-Original-Commit-Position: refs/heads/master@{#870007} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821958 +Reviewed-by: Achuith Bhandarkar +Reviewed-by: Victor-Gabriel Savu +Commit-Queue: Achuith Bhandarkar +Owners-Override: Achuith Bhandarkar +Cr-Commit-Position: refs/branch-heads/4240@{#1608} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/mojo/core/node_controller.cc b/mojo/core/node_controller.cc +index c7646fa4dc5c5062e8a8a620e55839301af51bed..c333ed64f71f0dfe5d0012b07bcedccfd94cd5e9 100644 +--- a/mojo/core/node_controller.cc ++++ b/mojo/core/node_controller.cc +@@ -942,7 +942,11 @@ void NodeController::OnBrokerClientAdded(const ports::NodeName& from_node, + void NodeController::OnAcceptBrokerClient(const ports::NodeName& from_node, + const ports::NodeName& broker_name, + PlatformHandle broker_channel) { +- DCHECK(!GetConfiguration().is_broker_process); ++ if (GetConfiguration().is_broker_process) { ++ // The broker should never receive this message from anyone. ++ DropPeer(from_node, nullptr); ++ return; ++ } + + // This node should already have an inviter in bootstrap mode. + ports::NodeName inviter_name; +@@ -953,8 +957,13 @@ void NodeController::OnAcceptBrokerClient(const ports::NodeName& from_node, + inviter = bootstrap_inviter_channel_; + bootstrap_inviter_channel_ = nullptr; + } +- DCHECK(inviter_name == from_node); +- DCHECK(inviter); ++ ++ if (inviter_name != from_node || !inviter || ++ broker_name == ports::kInvalidNodeName) { ++ // We are not expecting this message. Assume the source is hostile. ++ DropPeer(from_node, nullptr); ++ return; ++ } + + base::queue pending_broker_clients; + std::unordered_map +@@ -965,22 +974,22 @@ void NodeController::OnAcceptBrokerClient(const ports::NodeName& from_node, + std::swap(pending_broker_clients, pending_broker_clients_); + std::swap(pending_relay_messages, pending_relay_messages_); + } +- DCHECK(broker_name != ports::kInvalidNodeName); + + // It's now possible to add both the broker and the inviter as peers. + // Note that the broker and inviter may be the same node. + scoped_refptr broker; + if (broker_name == inviter_name) { +- DCHECK(!broker_channel.is_valid()); + broker = inviter; +- } else { +- DCHECK(broker_channel.is_valid()); ++ } else if (broker_channel.is_valid()) { + broker = NodeChannel::Create( + this, + ConnectionParams(PlatformChannelEndpoint(std::move(broker_channel))), + Channel::HandlePolicy::kAcceptHandles, io_task_runner_, + ProcessErrorCallback()); + AddPeer(broker_name, broker, true /* start_channel */); ++ } else { ++ DropPeer(from_node, nullptr); ++ return; + } + + AddPeer(inviter_name, inviter, false /* start_channel */); From 0b6842d429842f398a5fb28a17d93fe9a78380d2 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Wed, 21 Apr 2021 12:21:04 +0200 Subject: [PATCH 11/48] chore: cherry-pick 872b8c13d7 from skia (#28739) --- patches/skia/.patches | 1 + ...kscalercontext_getimage_less_brittle.patch | 199 ++++++++++++++++++ 2 files changed, 200 insertions(+) create mode 100644 patches/skia/skscalercontext_getimage_less_brittle.patch diff --git a/patches/skia/.patches b/patches/skia/.patches index f790163ecfd00..9db688a673039 100644 --- a/patches/skia/.patches +++ b/patches/skia/.patches @@ -1,2 +1,3 @@ cherry-pick-6763a713f957.patch cherry-pick-b0d3d3e85fa6.patch +skscalercontext_getimage_less_brittle.patch diff --git a/patches/skia/skscalercontext_getimage_less_brittle.patch b/patches/skia/skscalercontext_getimage_less_brittle.patch new file mode 100644 index 0000000000000..1085f4f7379ed --- /dev/null +++ b/patches/skia/skscalercontext_getimage_less_brittle.patch @@ -0,0 +1,199 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Ben Wagner +Date: Thu, 1 Apr 2021 15:02:21 -0400 +Subject: SkScalerContext::getImage less brittle. + +Properly handle edge cases like + * the temporary glyph being a different size than expected + * filters which reduce in size + * filters which return false to indicate no filtering has been done + +Bug: chromium:1190525 +Change-Id: Ibc53eb1d7014210019e96cd6bae3e256d967be54 +Reviewed-on: https://skia-review.googlesource.com/c/skia/+/392156 +Commit-Queue: Ben Wagner +Reviewed-by: Herb Derby +(cherry picked from commit 348ee387a96d7d94733d46ad9e82b19cb890dd16) +Reviewed-on: https://skia-review.googlesource.com/c/skia/+/392437 + +diff --git a/src/core/SkScalerContext.cpp b/src/core/SkScalerContext.cpp +index a2df87c3ef62790353b8fac8169d83bc657db3d4..d1cb80a631814e995c756dc23764a21b00e97270 100644 +--- a/src/core/SkScalerContext.cpp ++++ b/src/core/SkScalerContext.cpp +@@ -534,41 +534,39 @@ static void generateMask(const SkMask& mask, const SkPath& path, + } + + void SkScalerContext::getImage(const SkGlyph& origGlyph) { +- const SkGlyph* glyph = &origGlyph; ++ const SkGlyph* unfilteredGlyph = &origGlyph; + SkGlyph tmpGlyph{origGlyph.getPackedID()}; + + // in case we need to call generateImage on a mask-format that is different + // (i.e. larger) than what our caller allocated by looking at origGlyph. + SkAutoMalloc tmpGlyphImageStorage; + +- if (fMaskFilter) { // restore the prefilter bounds +- ++ if (fMaskFilter) { + // need the original bounds, sans our maskfilter + sk_sp mf = std::move(fMaskFilter); + this->getMetrics(&tmpGlyph); + fMaskFilter = std::move(mf); + +- // we need the prefilter bounds to be <= filter bounds +- SkASSERT(tmpGlyph.fWidth <= origGlyph.fWidth); +- SkASSERT(tmpGlyph.fHeight <= origGlyph.fHeight); +- +- if (tmpGlyph.fMaskFormat == origGlyph.fMaskFormat) { ++ // Use the origGlyph storage for the temporary unfiltered mask if it will fit. ++ if (tmpGlyph.fMaskFormat == origGlyph.fMaskFormat && ++ tmpGlyph.imageSize() <= origGlyph.imageSize()) ++ { + tmpGlyph.fImage = origGlyph.fImage; + } else { + tmpGlyphImageStorage.reset(tmpGlyph.imageSize()); + tmpGlyph.fImage = tmpGlyphImageStorage.get(); + } +- glyph = &tmpGlyph; ++ unfilteredGlyph = &tmpGlyph; + } + + if (!fGenerateImageFromPath) { +- generateImage(*glyph); ++ generateImage(*unfilteredGlyph); + } else { + SkPath devPath; +- SkMask mask = glyph->mask(); ++ SkMask mask = unfilteredGlyph->mask(); + +- if (!this->internalGetPath(glyph->getPackedID(), &devPath)) { +- generateImage(*glyph); ++ if (!this->internalGetPath(unfilteredGlyph->getPackedID(), &devPath)) { ++ generateImage(*unfilteredGlyph); + } else { + SkASSERT(SkMask::kARGB32_Format != origGlyph.fMaskFormat); + SkASSERT(SkMask::kARGB32_Format != mask.fFormat); +@@ -579,39 +577,98 @@ void SkScalerContext::getImage(const SkGlyph& origGlyph) { + } + + if (fMaskFilter) { +- // the src glyph image shouldn't be 3D +- SkASSERT(SkMask::k3D_Format != glyph->fMaskFormat); ++ // k3D_Format should not be mask filtered. ++ SkASSERT(SkMask::k3D_Format != unfilteredGlyph->fMaskFormat); ++ ++ SkMask filteredMask; ++ SkMask srcMask; ++ SkMatrix m; ++ fRec.getMatrixFrom2x2(&m); ++ ++ if (as_MFB(fMaskFilter)->filterMask(&filteredMask, unfilteredGlyph->mask(), m, nullptr)) { ++ // Filter succeeded; filteredMask.fImage was allocated. ++ srcMask = filteredMask; ++ } else if (unfilteredGlyph->fImage == tmpGlyphImageStorage.get()) { ++ // Filter did nothing; unfiltered mask is independent of origGlyph.fImage. ++ srcMask = unfilteredGlyph->mask(); ++ } else if (origGlyph.iRect() == unfilteredGlyph->iRect()) { ++ // Filter did nothing; the unfiltered mask is in origGlyph.fImage and matches. ++ return; ++ } else { ++ // Filter did nothing; the unfiltered mask is in origGlyph.fImage and conflicts. ++ srcMask = unfilteredGlyph->mask(); ++ size_t imageSize = unfilteredGlyph->imageSize(); ++ tmpGlyphImageStorage.reset(imageSize); ++ srcMask.fImage = static_cast(tmpGlyphImageStorage.get()); ++ memcpy(srcMask.fImage, unfilteredGlyph->fImage, imageSize); ++ } + +- SkMask srcM = glyph->mask(), +- dstM; +- SkMatrix matrix; ++ SkASSERT_RELEASE(srcMask.fFormat == origGlyph.fMaskFormat); ++ SkMask dstMask = origGlyph.mask(); ++ SkIRect origBounds = dstMask.fBounds; + +- fRec.getMatrixFrom2x2(&matrix); ++ // Find the intersection of src and dst while updating the fImages. ++ if (srcMask.fBounds.fTop < dstMask.fBounds.fTop) { ++ int32_t topDiff = dstMask.fBounds.fTop - srcMask.fBounds.fTop; ++ srcMask.fImage += srcMask.fRowBytes * topDiff; ++ srcMask.fBounds.fTop = dstMask.fBounds.fTop; ++ } ++ if (dstMask.fBounds.fTop < srcMask.fBounds.fTop) { ++ int32_t topDiff = srcMask.fBounds.fTop - dstMask.fBounds.fTop; ++ dstMask.fImage += dstMask.fRowBytes * topDiff; ++ dstMask.fBounds.fTop = srcMask.fBounds.fTop; ++ } + +- if (as_MFB(fMaskFilter)->filterMask(&dstM, srcM, matrix, nullptr)) { +- int width = std::min(origGlyph.fWidth, dstM.fBounds.width()); +- int height = std::min(origGlyph.fHeight, dstM.fBounds.height()); +- int dstRB = origGlyph.rowBytes(); +- int srcRB = dstM.fRowBytes; ++ if (srcMask.fBounds.fLeft < dstMask.fBounds.fLeft) { ++ int32_t leftDiff = dstMask.fBounds.fLeft - srcMask.fBounds.fLeft; ++ srcMask.fImage += leftDiff; ++ srcMask.fBounds.fLeft = dstMask.fBounds.fLeft; ++ } ++ if (dstMask.fBounds.fLeft < srcMask.fBounds.fLeft) { ++ int32_t leftDiff = srcMask.fBounds.fLeft - dstMask.fBounds.fLeft; ++ dstMask.fImage += leftDiff; ++ dstMask.fBounds.fLeft = srcMask.fBounds.fLeft; ++ } + +- const uint8_t* src = (const uint8_t*)dstM.fImage; +- uint8_t* dst = (uint8_t*)origGlyph.fImage; ++ if (srcMask.fBounds.fBottom < dstMask.fBounds.fBottom) { ++ dstMask.fBounds.fBottom = srcMask.fBounds.fBottom; ++ } ++ if (dstMask.fBounds.fBottom < srcMask.fBounds.fBottom) { ++ srcMask.fBounds.fBottom = dstMask.fBounds.fBottom; ++ } + +- if (SkMask::k3D_Format == dstM.fFormat) { +- // we have to copy 3 times as much +- height *= 3; +- } ++ if (srcMask.fBounds.fRight < dstMask.fBounds.fRight) { ++ dstMask.fBounds.fRight = srcMask.fBounds.fRight; ++ } ++ if (dstMask.fBounds.fRight < srcMask.fBounds.fRight) { ++ srcMask.fBounds.fRight = dstMask.fBounds.fRight; ++ } + +- // clean out our glyph, since it may be larger than dstM +- //sk_bzero(dst, height * dstRB); ++ SkASSERT(srcMask.fBounds == dstMask.fBounds); ++ int width = srcMask.fBounds.width(); ++ int height = srcMask.fBounds.height(); ++ int dstRB = dstMask.fRowBytes; ++ int srcRB = srcMask.fRowBytes; + +- while (--height >= 0) { +- memcpy(dst, src, width); +- src += srcRB; +- dst += dstRB; +- } +- SkMask::FreeImage(dstM.fImage); ++ const uint8_t* src = srcMask.fImage; ++ uint8_t* dst = dstMask.fImage; ++ ++ if (SkMask::k3D_Format == filteredMask.fFormat) { ++ // we have to copy 3 times as much ++ height *= 3; ++ } ++ ++ // If not filling the full original glyph, clear it out first. ++ if (dstMask.fBounds != origBounds) { ++ sk_bzero(origGlyph.fImage, origGlyph.fHeight * origGlyph.rowBytes()); ++ } ++ ++ while (--height >= 0) { ++ memcpy(dst, src, width); ++ src += srcRB; ++ dst += dstRB; + } ++ SkMask::FreeImage(filteredMask.fImage); + } + } + From 8f1074c204b3f84093978639fa35e1ccddfdcc88 Mon Sep 17 00:00:00 2001 From: Electron Bot Date: Wed, 21 Apr 2021 03:29:48 -0700 Subject: [PATCH 12/48] chore: cherry-pick 512cd5e179f4 from v8 (#28750) * chore: cherry-pick 512cd5e179f4 from v8 * update patches --- patches/v8/.patches | 1 + patches/v8/cherry-pick-512cd5e179f4.patch | 109 ++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 patches/v8/cherry-pick-512cd5e179f4.patch diff --git a/patches/v8/.patches b/patches/v8/.patches index f36b2e4f9d937..baef29ebe0167 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -27,3 +27,4 @@ reland_regexp_hard-crash_on_invalid_offsets_in.patch regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch cherry-pick-02f84c745fc0.patch merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch +cherry-pick-512cd5e179f4.patch diff --git a/patches/v8/cherry-pick-512cd5e179f4.patch b/patches/v8/cherry-pick-512cd5e179f4.patch new file mode 100644 index 0000000000000..f443fe88936a4 --- /dev/null +++ b/patches/v8/cherry-pick-512cd5e179f4.patch @@ -0,0 +1,109 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Wed, 14 Apr 2021 13:19:44 +0200 +Subject: Merged: [compiler] Fix bug in + RepresentationChanger::GetWord32RepresentationFor + +Revision: fd29e246f65a7cee130e72cd10f618f3b82af232 + +BUG=chromium:1195777 +NOTRY=true +NOPRESUBMIT=true +NOTREECHECKS=true +R=nicohartmann@chromium.org + +Change-Id: I0400b3ae5736ef86dbeae558d15bfcca2e9f351a +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2826114 +Commit-Queue: Georg Neis +Reviewed-by: Nico Hartmann +Cr-Commit-Position: refs/branch-heads/9.0@{#34} +Cr-Branched-From: bd0108b4c88e0d6f2350cb79b5f363fbd02f3eb7-refs/heads/9.0.257@{#1} +Cr-Branched-From: 349bcc6a075411f1a7ce2d866c3dfeefc2efa39d-refs/heads/master@{#73001} + +diff --git a/src/compiler/representation-change.cc b/src/compiler/representation-change.cc +index 5967d1005e5d859bfc873bda3cde2b2b26667d31..7dca85da59f074171bbaf00394af03c4dce33b61 100644 +--- a/src/compiler/representation-change.cc ++++ b/src/compiler/representation-change.cc +@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor( + return node; + } else if (output_rep == MachineRepresentation::kWord64) { + if (output_type.Is(Type::Signed32()) || +- output_type.Is(Type::Unsigned32())) { +- op = machine()->TruncateInt64ToInt32(); +- } else if (output_type.Is(cache_->kSafeInteger) && +- use_info.truncation().IsUsedAsWord32()) { ++ (output_type.Is(Type::Unsigned32()) && ++ use_info.type_check() == TypeCheckKind::kNone) || ++ (output_type.Is(cache_->kSafeInteger) && ++ use_info.truncation().IsUsedAsWord32())) { + op = machine()->TruncateInt64ToInt32(); + } else if (use_info.type_check() == TypeCheckKind::kSignedSmall || + use_info.type_check() == TypeCheckKind::kSigned32 || +diff --git a/test/mjsunit/compiler/regress-1195777.js b/test/mjsunit/compiler/regress-1195777.js +new file mode 100644 +index 0000000000000000000000000000000000000000..b122f4f0169af573723d4318b9f1127c857c9e35 +--- /dev/null ++++ b/test/mjsunit/compiler/regress-1195777.js +@@ -0,0 +1,62 @@ ++// Copyright 2021 the V8 project authors. All rights reserved. ++// Use of this source code is governed by a BSD-style license that can be ++// found in the LICENSE file. ++ ++// Flags: --allow-natives-syntax ++ ++ ++(function() { ++ function foo(b) { ++ let y = (new Date(42)).getMilliseconds(); ++ let x = -1; ++ if (b) x = 0xFFFF_FFFF; ++ return y < Math.max(1 << y, x, 1 + y); ++ } ++ assertTrue(foo(true)); ++ %PrepareFunctionForOptimization(foo); ++ assertTrue(foo(false)); ++ %OptimizeFunctionOnNextCall(foo); ++ assertTrue(foo(true)); ++})(); ++ ++ ++(function() { ++ function foo(b) { ++ let x = 0; ++ if (b) x = -1; ++ return x == Math.max(-1, x >>> Infinity); ++ } ++ assertFalse(foo(true)); ++ %PrepareFunctionForOptimization(foo); ++ assertTrue(foo(false)); ++ %OptimizeFunctionOnNextCall(foo); ++ assertFalse(foo(true)); ++})(); ++ ++ ++(function() { ++ function foo(b) { ++ let x = -1; ++ if (b) x = 0xFFFF_FFFF; ++ return -1 < Math.max(0, x, -1); ++ } ++ assertTrue(foo(true)); ++ %PrepareFunctionForOptimization(foo); ++ assertTrue(foo(false)); ++ %OptimizeFunctionOnNextCall(foo); ++ assertTrue(foo(true)); ++})(); ++ ++ ++(function() { ++ function foo(b) { ++ let x = 0x7FFF_FFFF; ++ if (b) x = 0; ++ return 0 < (Math.max(-5 >>> x, -5) % -5); ++ } ++ assertTrue(foo(true)); ++ %PrepareFunctionForOptimization(foo); ++ assertTrue(foo(false)); ++ %OptimizeFunctionOnNextCall(foo); ++ assertTrue(foo(true)); ++})(); From 16568d71e4ad39ce19bb55c038f5441b0b8b9e85 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Wed, 21 Apr 2021 13:18:10 +0200 Subject: [PATCH 13/48] chore: cherry-pick 6a6361c9f31c from chromium (#28703) * chore: cherry-pick 6a6361c9f31c from chromium * update patches Co-authored-by: Electron Bot Co-authored-by: Shelley Vohr --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-6a6361c9f31c.patch | 48 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 patches/chromium/cherry-pick-6a6361c9f31c.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 88e428d1fb54a..07e1fec988724 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -162,4 +162,5 @@ cherry-pick-37210e5ab006.patch reland_reland_fsa_add_issafepathcomponent_checks_to.patch css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch cherry-pick-3c80bb2a594f.patch +cherry-pick-6a6361c9f31c.patch cherry-pick-012e9baf46c9.patch diff --git a/patches/chromium/cherry-pick-6a6361c9f31c.patch b/patches/chromium/cherry-pick-6a6361c9f31c.patch new file mode 100644 index 0000000000000..d761e3dfe0c03 --- /dev/null +++ b/patches/chromium/cherry-pick-6a6361c9f31c.patch @@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Palak Agarwal +Date: Wed, 31 Mar 2021 16:10:26 +0000 +Subject: WebContents bug fix: Device capture only if web contents is valid + +(cherry picked from commit a462be0883486431086c5f07cdafbd3607005a59) + +(cherry picked from commit e6f11cafde08981e47ba77e71abf99a271f7a042) + +Bug: 1181228 +Change-Id: I0a4c9718a3c0ccb52cefa4565b9787e6912554c9 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2752235 +Reviewed-by: Guido Urdaneta +Commit-Queue: Palak Agarwal +Cr-Original-Original-Commit-Position: refs/heads/master@{#863828} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2782122 +Auto-Submit: Guido Urdaneta +Commit-Queue: Rubber Stamper +Bot-Commit: Rubber Stamper +Cr-Original-Commit-Position: refs/branch-heads/4389@{#1586} +Cr-Original-Branched-From: 9251c5db2b6d5a59fe4eac7aafa5fed37c139bb7-refs/heads/master@{#843830} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2795101 +Reviewed-by: Victor-Gabriel Savu +Reviewed-by: Artem Sumaneev +Auto-Submit: Artem Sumaneev +Commit-Queue: Guido Urdaneta +Cr-Commit-Position: refs/branch-heads/4240@{#1585} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/chrome/browser/media/webrtc/desktop_capture_access_handler.cc b/chrome/browser/media/webrtc/desktop_capture_access_handler.cc +index e3f7e784f0339581a1c8a50301f8dbfd465abbfd..1f0811610e155715cc5cd72bbaa7e703728a1fe5 100644 +--- a/chrome/browser/media/webrtc/desktop_capture_access_handler.cc ++++ b/chrome/browser/media/webrtc/desktop_capture_access_handler.cc +@@ -248,6 +248,14 @@ void DesktopCaptureAccessHandler::ProcessScreenCaptureAccessRequest( + const bool display_notification = + display_notification_ && ShouldDisplayNotification(extension); + ++ if (!content::WebContents::FromRenderFrameHost( ++ content::RenderFrameHost::FromID(request.render_process_id, ++ request.render_frame_id))) { ++ std::move(callback).Run( ++ devices, blink::mojom::MediaStreamRequestResult::INVALID_STATE, ++ std::move(ui)); ++ return; ++ } + ui = GetDevicesForDesktopCapture( + web_contents, &devices, screen_id, + blink::mojom::MediaStreamType::GUM_DESKTOP_VIDEO_CAPTURE, From f8738fb355cd9fd0ef470f67ce6b120bd6fe1a65 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Wed, 21 Apr 2021 17:42:27 +0200 Subject: [PATCH 14/48] chore: cherry-pick 8c3eb9d1c409 from chromium (#28705) * chore: cherry-pick 8c3eb9d1c409 from chromium * update patches Co-authored-by: Electron Bot --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-8c3eb9d1c409.patch | 143 ++++++++++++++++++ 2 files changed, 144 insertions(+) create mode 100644 patches/chromium/cherry-pick-8c3eb9d1c409.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 07e1fec988724..c49b5210852fd 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -164,3 +164,4 @@ css_make_fetches_from_inline_css_use_the_document_s_url_as_referrer.patch cherry-pick-3c80bb2a594f.patch cherry-pick-6a6361c9f31c.patch cherry-pick-012e9baf46c9.patch +cherry-pick-8c3eb9d1c409.patch diff --git a/patches/chromium/cherry-pick-8c3eb9d1c409.patch b/patches/chromium/cherry-pick-8c3eb9d1c409.patch new file mode 100644 index 0000000000000..e401c6f81f04d --- /dev/null +++ b/patches/chromium/cherry-pick-8c3eb9d1c409.patch @@ -0,0 +1,143 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Scott Violet +Date: Wed, 31 Mar 2021 13:28:05 +0000 +Subject: x11/ozone: fix two edge cases + +WindowTreeHost::OnHostMovedInPixels() may trigger a nested message +loop (tab dragging), which when the stack unravels means this may +be deleted. This adds an early out if this happens. + +X11WholeScreenMoveLoop has a similar issue, in so far as notifying +the delegate may delete this. + +BUG=1185482 +TEST=WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels + +(cherry picked from commit 5e3a738b1204941aab9f15c0eb3d06e20fefd96e) + +(cherry picked from commit 8ad84a8e7882275fb32f938fd0adc04d1a2a5773) + +Change-Id: Ieca1c90b3e4358da50b332abe2941fdbb50c5c25 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2743555 +Reviewed-by: Thomas Anderson +Commit-Queue: Scott Violet +Cr-Original-Original-Commit-Position: refs/heads/master@{#860852} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2779886 +Cr-Original-Commit-Position: refs/branch-heads/4389@{#1583} +Cr-Original-Branched-From: 9251c5db2b6d5a59fe4eac7aafa5fed37c139bb7-refs/heads/master@{#843830} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2794391 +Reviewed-by: Scott Violet +Reviewed-by: Victor-Gabriel Savu +Commit-Queue: Artem Sumaneev +Cr-Commit-Position: refs/branch-heads/4240@{#1583} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/ui/aura/window_tree_host_platform.cc b/ui/aura/window_tree_host_platform.cc +index 917b45bf3f8554c63886af30b1483cd97670299c..c9053e7c7e7abb1cdbaf114028579a0484b1d4a9 100644 +--- a/ui/aura/window_tree_host_platform.cc ++++ b/ui/aura/window_tree_host_platform.cc +@@ -214,13 +214,21 @@ void WindowTreeHostPlatform::OnBoundsChanged(const gfx::Rect& new_bounds) { + float current_scale = compositor()->device_scale_factor(); + float new_scale = ui::GetScaleFactorForNativeView(window()); + gfx::Rect old_bounds = bounds_in_pixels_; ++ auto weak_ref = GetWeakPtr(); + bounds_in_pixels_ = new_bounds; +- if (bounds_in_pixels_.origin() != old_bounds.origin()) ++ if (bounds_in_pixels_.origin() != old_bounds.origin()) { + OnHostMovedInPixels(bounds_in_pixels_.origin()); ++ // Changing the bounds may destroy this. ++ if (!weak_ref) ++ return; ++ } + if (bounds_in_pixels_.size() != old_bounds.size() || + current_scale != new_scale) { + pending_size_ = gfx::Size(); + OnHostResizedInPixels(bounds_in_pixels_.size()); ++ // Changing the size may destroy this. ++ if (!weak_ref) ++ return; + } + DCHECK_GT(on_bounds_changed_recursion_depth_, 0); + if (--on_bounds_changed_recursion_depth_ == 0) { +diff --git a/ui/aura/window_tree_host_platform_unittest.cc b/ui/aura/window_tree_host_platform_unittest.cc +index eda14e2f0cdf5015f366aa70ea68ae2a2c2b431e..4de039c88af8a6f0ac03df2f772cfea2dfe3514f 100644 +--- a/ui/aura/window_tree_host_platform_unittest.cc ++++ b/ui/aura/window_tree_host_platform_unittest.cc +@@ -34,7 +34,7 @@ class TestWindowTreeHost : public WindowTreeHostPlatform { + // OnHostWill/DidProcessBoundsChange. Additionally, this triggers a bounds + // change from within OnHostResized(). Such a scenario happens in production + // code. +-class TestWindowTreeHostObserver : public aura::WindowTreeHostObserver { ++class TestWindowTreeHostObserver : public WindowTreeHostObserver { + public: + TestWindowTreeHostObserver(WindowTreeHostPlatform* host, + ui::PlatformWindow* platform_window) +@@ -51,7 +51,7 @@ class TestWindowTreeHostObserver : public aura::WindowTreeHostObserver { + return on_host_will_process_bounds_change_count_; + } + +- // aura::WindowTreeHostObserver: ++ // WindowTreeHostObserver: + void OnHostResized(WindowTreeHost* host) override { + if (!should_change_bounds_in_on_resized_) + return; +@@ -92,5 +92,41 @@ TEST_F(WindowTreeHostPlatformTest, HostWillProcessBoundsChangeRecursion) { + EXPECT_EQ(1, observer.on_host_will_process_bounds_change_count()); + } + ++// Deletes WindowTreeHostPlatform from OnHostMovedInPixels(). ++class DeleteHostWindowTreeHostObserver : public WindowTreeHostObserver { ++ public: ++ explicit DeleteHostWindowTreeHostObserver( ++ std::unique_ptr host) ++ : host_(std::move(host)) { ++ host_->AddObserver(this); ++ } ++ ~DeleteHostWindowTreeHostObserver() override = default; ++ ++ TestWindowTreeHost* host() { return host_.get(); } ++ ++ // WindowTreeHostObserver: ++ void OnHostMovedInPixels(WindowTreeHost* host, ++ const gfx::Point& new_origin_in_pixels) override { ++ host_->RemoveObserver(this); ++ host_.reset(); ++ } ++ ++ private: ++ std::unique_ptr host_; ++ ++ DISALLOW_COPY_AND_ASSIGN(DeleteHostWindowTreeHostObserver); ++}; ++ ++// Verifies WindowTreeHostPlatform can be safely deleted when calling ++// OnHostMovedInPixels(). ++// Regression test for https://crbug.com/1185482 ++TEST_F(WindowTreeHostPlatformTest, DeleteHostFromOnHostMovedInPixels) { ++ std::unique_ptr host = ++ std::make_unique(); ++ DeleteHostWindowTreeHostObserver observer(std::move(host)); ++ observer.host()->SetBoundsInPixels(gfx::Rect(1, 2, 3, 4)); ++ EXPECT_EQ(nullptr, observer.host()); ++} ++ + } // namespace + } // namespace aura +diff --git a/ui/base/x/x11_whole_screen_move_loop.cc b/ui/base/x/x11_whole_screen_move_loop.cc +index 39f4d0c12aa1feb1702c3f4aa4ba0f62be591197..2bbb1f035b0db8de218ce629cc16aab91cf8519b 100644 +--- a/ui/base/x/x11_whole_screen_move_loop.cc ++++ b/ui/base/x/x11_whole_screen_move_loop.cc +@@ -62,9 +62,13 @@ X11WholeScreenMoveLoop::~X11WholeScreenMoveLoop() = default; + void X11WholeScreenMoveLoop::DispatchMouseMovement() { + if (!last_motion_in_screen_) + return; ++ auto weak_ref = weak_factory_.GetWeakPtr(); + delegate_->OnMouseMovement(last_motion_in_screen_->root_location(), + last_motion_in_screen_->flags(), + last_motion_in_screen_->time_stamp()); ++ // The delegate may delete this during dispatch. ++ if (!weak_ref) ++ return; + last_motion_in_screen_.reset(); + } + From 840ff8d7203e69048a3d574715b9214d621d65e4 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Thu, 22 Apr 2021 19:57:47 +0200 Subject: [PATCH 15/48] chore: cherry-pick 74c9ad9a53 from chromium (#28761) --- patches/chromium/.patches | 1 + ..._for_permission_change_subscriptions.patch | 951 ++++++++++++++++++ shell/browser/electron_permission_manager.cc | 7 +- shell/browser/electron_permission_manager.h | 5 +- 4 files changed, 959 insertions(+), 5 deletions(-) create mode 100644 patches/chromium/use_idtype_for_permission_change_subscriptions.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index c49b5210852fd..5690a270297c5 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -165,3 +165,4 @@ cherry-pick-3c80bb2a594f.patch cherry-pick-6a6361c9f31c.patch cherry-pick-012e9baf46c9.patch cherry-pick-8c3eb9d1c409.patch +use_idtype_for_permission_change_subscriptions.patch diff --git a/patches/chromium/use_idtype_for_permission_change_subscriptions.patch b/patches/chromium/use_idtype_for_permission_change_subscriptions.patch new file mode 100644 index 0000000000000..a2cdffc236f2f --- /dev/null +++ b/patches/chromium/use_idtype_for_permission_change_subscriptions.patch @@ -0,0 +1,951 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jana Grill +Date: Thu, 15 Apr 2021 19:35:42 +0000 +Subject: Use IDType for permission change subscriptions. + +(cherry picked from commit ad1489b7c3ed705fc623cdffdc292324be9fcbfa) + +Bug: 1025683 +Change-Id: I3b44ba7833138e8a657a4192e1a36c978695db32 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2791431 +Reviewed-by: Richard Coles +Reviewed-by: Yuchen Liu +Reviewed-by: Nasko Oskov +Reviewed-by: Andrey Kosyakov +Reviewed-by: Fabrice de Gans-Riberi +Reviewed-by: Arthur Sonzogni +Reviewed-by: Illia Klimov +Auto-Submit: Balazs Engedy +Commit-Queue: Balazs Engedy +Cr-Original-Commit-Position: refs/heads/master@{#867999} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2817980 +Reviewed-by: Victor-Gabriel Savu +Reviewed-by: Achuith Bhandarkar +Commit-Queue: Achuith Bhandarkar +Owners-Override: Achuith Bhandarkar +Cr-Commit-Position: refs/branch-heads/4240@{#1607} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/android_webview/browser/aw_permission_manager.cc b/android_webview/browser/aw_permission_manager.cc +index bedb16b046d45b257e28e29e410afe43f5c8817c..c020e9668cbd2de9d36d2e160a07e324a2510d6b 100644 +--- a/android_webview/browser/aw_permission_manager.cc ++++ b/android_webview/browser/aw_permission_manager.cc +@@ -469,16 +469,17 @@ PermissionStatus AwPermissionManager::GetPermissionStatusForFrame( + .GetOrigin()); + } + +-int AwPermissionManager::SubscribePermissionStatusChange( ++AwPermissionManager::SubscriptionId ++AwPermissionManager::SubscribePermissionStatusChange( + PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { +- return content::PermissionController::kNoPendingOperation; ++ return SubscriptionId(); + } + + void AwPermissionManager::UnsubscribePermissionStatusChange( +- int subscription_id) {} ++ SubscriptionId subscription_id) {} + + void AwPermissionManager::CancelPermissionRequest(int request_id) { + PendingRequest* pending_request = pending_requests_.Lookup(request_id); +diff --git a/android_webview/browser/aw_permission_manager.h b/android_webview/browser/aw_permission_manager.h +index d9670cac33b84016568e9693b62e83c5e7ee0969..7439e78199783b8ebe2c303ebebf0e1cf62dc718 100644 +--- a/android_webview/browser/aw_permission_manager.h ++++ b/android_webview/browser/aw_permission_manager.h +@@ -49,13 +49,14 @@ class AwPermissionManager : public content::PermissionControllerDelegate { + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + protected: + void CancelPermissionRequest(int request_id); +diff --git a/chrome/browser/permissions/permission_manager_browsertest.cc b/chrome/browser/permissions/permission_manager_browsertest.cc +index 440203ce6eca40070e09eae8bafe2a50bea75060..d48e6d85611b2ea4560f56d5e09fafa3a3453e7a 100644 +--- a/chrome/browser/permissions/permission_manager_browsertest.cc ++++ b/chrome/browser/permissions/permission_manager_browsertest.cc +@@ -49,13 +49,13 @@ class SubscriptionInterceptingPermissionManager + callback_ = std::move(callback); + } + +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override { +- int result = ++ SubscriptionId result = + permissions::PermissionManager::SubscribePermissionStatusChange( + permission, render_frame_host, requesting_origin, callback); + std::move(callback_).Run(); +diff --git a/chromecast/browser/cast_permission_manager.cc b/chromecast/browser/cast_permission_manager.cc +index b358fc3bdb5c6af93a1e6568a667049574367741..b3a226dabff062e591fee38682409dec5e38a213 100644 +--- a/chromecast/browser/cast_permission_manager.cc ++++ b/chromecast/browser/cast_permission_manager.cc +@@ -63,17 +63,17 @@ CastPermissionManager::GetPermissionStatusForFrame( + return blink::mojom::PermissionStatus::GRANTED; + } + +-int CastPermissionManager::SubscribePermissionStatusChange( ++CastPermissionManager::SubscriptionId ++CastPermissionManager::SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { +- return content::PermissionController::kNoPendingOperation; ++ return SubscriptionId(); + } + + void CastPermissionManager::UnsubscribePermissionStatusChange( +- int subscription_id) { +-} ++ SubscriptionId subscription_id) {} + + } // namespace shell + } // namespace chromecast +diff --git a/chromecast/browser/cast_permission_manager.h b/chromecast/browser/cast_permission_manager.h +index 564ac2b304596027cf7096892dfaf9796500419c..f9da64c6110307cf9912e897f87fcbb2ca123d75 100644 +--- a/chromecast/browser/cast_permission_manager.h ++++ b/chromecast/browser/cast_permission_manager.h +@@ -43,13 +43,14 @@ class CastPermissionManager : public content::PermissionControllerDelegate { + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + private: + DISALLOW_COPY_AND_ASSIGN(CastPermissionManager); +diff --git a/components/permissions/permission_manager.cc b/components/permissions/permission_manager.cc +index a9566441647f0e8527a6b9603f663f66e49b2abb..bdf639f49a987eb2d7ae31346dc01b85dac57eaa 100644 +--- a/components/permissions/permission_manager.cc ++++ b/components/permissions/permission_manager.cc +@@ -542,14 +542,15 @@ bool PermissionManager::IsPermissionOverridableByDevTools( + origin->GetURL()); + } + +-int PermissionManager::SubscribePermissionStatusChange( ++PermissionManager::SubscriptionId ++PermissionManager::SubscribePermissionStatusChange( + PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { + DCHECK_CURRENTLY_ON(content::BrowserThread::UI); + if (is_shutting_down_) +- return 0; ++ return SubscriptionId(); + + if (subscriptions_.IsEmpty()) + PermissionsClient::Get() +@@ -586,16 +587,20 @@ int PermissionManager::SubscribePermissionStatusChange( + subscription->callback = + base::BindRepeating(&SubscriptionCallbackWrapper, std::move(callback)); + +- return subscriptions_.Add(std::move(subscription)); ++ auto id = subscription_id_generator_.GenerateNextId(); ++ subscriptions_.AddWithID(std::move(subscription), id); ++ return id; + } + +-void PermissionManager::UnsubscribePermissionStatusChange(int subscription_id) { ++void PermissionManager::UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) { + DCHECK_CURRENTLY_ON(content::BrowserThread::UI); + if (is_shutting_down_) + return; + +- // Whether |subscription_id| is known will be checked by the Remove() call. +- subscriptions_.Remove(subscription_id); ++ if (subscriptions_.Lookup(subscription_id)) { ++ subscriptions_.Remove(subscription_id); ++ } + + if (subscriptions_.IsEmpty()) { + PermissionsClient::Get() +diff --git a/components/permissions/permission_manager.h b/components/permissions/permission_manager.h +index d11fb4b2c4a1a360ae01154995091439e13bd9a0..19d29dde0392adff318e82bd1c3091c4e1dcd926 100644 +--- a/components/permissions/permission_manager.h ++++ b/components/permissions/permission_manager.h +@@ -114,13 +114,14 @@ class PermissionManager : public KeyedService, + bool IsPermissionOverridableByDevTools( + content::PermissionType permission, + const base::Optional& origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + // TODO(raymes): Rather than exposing this, use the denial reason from + // GetPermissionStatus in callers to determine whether a permission is +@@ -153,7 +154,8 @@ class PermissionManager : public KeyedService, + class PermissionResponseCallback; + + struct Subscription; +- using SubscriptionsMap = base::IDMap>; ++ using SubscriptionsMap = ++ base::IDMap, SubscriptionId>; + + PermissionContextBase* GetPermissionContext(ContentSettingsType type); + +@@ -186,6 +188,7 @@ class PermissionManager : public KeyedService, + content::BrowserContext* browser_context_; + PendingRequestsMap pending_requests_; + SubscriptionsMap subscriptions_; ++ SubscriptionId::Generator subscription_id_generator_; + + PermissionContextMap permission_contexts_; + using ContentSettingsTypeOverrides = +diff --git a/components/permissions/permission_manager_unittest.cc b/components/permissions/permission_manager_unittest.cc +index ff5793acc907134fc486fcd5b9c20bf0cf2d960c..0070768b4a41e2890b89aba817fe24f6268272c1 100644 +--- a/components/permissions/permission_manager_unittest.cc ++++ b/components/permissions/permission_manager_unittest.cc +@@ -325,7 +325,7 @@ TEST_F(PermissionManagerTest, SubscriptionDestroyedCleanlyWithoutUnsubscribe) { + } + + TEST_F(PermissionManagerTest, SubscribeUnsubscribeAfterShutdown) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -340,7 +340,7 @@ TEST_F(PermissionManagerTest, SubscribeUnsubscribeAfterShutdown) { + subscription_id); + + // Check that subscribe/unsubscribe after shutdown don't crash. +- int subscription2_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription2_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -351,7 +351,7 @@ TEST_F(PermissionManagerTest, SubscribeUnsubscribeAfterShutdown) { + } + + TEST_F(PermissionManagerTest, SameTypeChangeNotifies) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -369,7 +369,7 @@ TEST_F(PermissionManagerTest, SameTypeChangeNotifies) { + } + + TEST_F(PermissionManagerTest, DifferentTypeChangeDoesNotNotify) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -386,7 +386,7 @@ TEST_F(PermissionManagerTest, DifferentTypeChangeDoesNotNotify) { + } + + TEST_F(PermissionManagerTest, ChangeAfterUnsubscribeDoesNotNotify) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -403,7 +403,7 @@ TEST_F(PermissionManagerTest, ChangeAfterUnsubscribeDoesNotNotify) { + } + + TEST_F(PermissionManagerTest, DifferentPrimaryUrlDoesNotNotify) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -420,7 +420,7 @@ TEST_F(PermissionManagerTest, DifferentPrimaryUrlDoesNotNotify) { + } + + TEST_F(PermissionManagerTest, DifferentSecondaryUrlDoesNotNotify) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -437,7 +437,7 @@ TEST_F(PermissionManagerTest, DifferentSecondaryUrlDoesNotNotify) { + } + + TEST_F(PermissionManagerTest, WildCardPatternNotifies) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -458,7 +458,7 @@ TEST_F(PermissionManagerTest, ClearSettingsNotifies) { + url(), url(), ContentSettingsType::GEOLOCATION, std::string(), + CONTENT_SETTING_ALLOW); + +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -475,7 +475,7 @@ TEST_F(PermissionManagerTest, ClearSettingsNotifies) { + } + + TEST_F(PermissionManagerTest, NewValueCorrectlyPassed) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -497,7 +497,7 @@ TEST_F(PermissionManagerTest, ChangeWithoutPermissionChangeDoesNotNotify) { + url(), url(), ContentSettingsType::GEOLOCATION, std::string(), + CONTENT_SETTING_ALLOW); + +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -518,7 +518,7 @@ TEST_F(PermissionManagerTest, ChangesBackAndForth) { + url(), url(), ContentSettingsType::GEOLOCATION, std::string(), + CONTENT_SETTING_ASK); + +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -549,7 +549,7 @@ TEST_F(PermissionManagerTest, ChangesBackAndForthWorker) { + url(), url(), ContentSettingsType::GEOLOCATION, std::string(), + CONTENT_SETTING_ASK); + +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, nullptr, url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -576,7 +576,7 @@ TEST_F(PermissionManagerTest, ChangesBackAndForthWorker) { + } + + TEST_F(PermissionManagerTest, SubscribeMIDIPermission) { +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::MIDI, main_rfh(), url(), + base::Bind(&PermissionManagerTest::OnPermissionChange, +@@ -796,7 +796,7 @@ TEST_F(PermissionManagerTest, SubscribeWithPermissionDelegation) { + content::RenderFrameHost* parent = main_rfh(); + content::RenderFrameHost* child = AddChildRFH(parent, kOrigin2); + +- int subscription_id = ++ content::PermissionControllerDelegate::SubscriptionId subscription_id = + GetPermissionControllerDelegate()->SubscribePermissionStatusChange( + PermissionType::GEOLOCATION, child, GURL(kOrigin2), + base::Bind(&PermissionManagerTest::OnPermissionChange, +diff --git a/content/browser/android/nfc_host.cc b/content/browser/android/nfc_host.cc +index 30517f69b3d790690121bda2f3de50c0e31fadd1..0f077d211a23d05813dafd7dc621915c1fb79ba5 100644 +--- a/content/browser/android/nfc_host.cc ++++ b/content/browser/android/nfc_host.cc +@@ -99,8 +99,8 @@ void NFCHost::OnPermissionStatusChange(blink::mojom::PermissionStatus status) { + + void NFCHost::Close() { + nfc_provider_.reset(); +- if (subscription_id_ != 0) +- permission_controller_->UnsubscribePermissionStatusChange(subscription_id_); ++ permission_controller_->UnsubscribePermissionStatusChange(subscription_id_); ++ subscription_id_ = PermissionController::SubscriptionId(); + } + + } // namespace content +diff --git a/content/browser/android/nfc_host.h b/content/browser/android/nfc_host.h +index 8df7cbec810ecb535f4ce4b54266c34243341571..6b5f8dde17d0abda6132845018b4a8f81859cd0d 100644 +--- a/content/browser/android/nfc_host.h ++++ b/content/browser/android/nfc_host.h +@@ -44,7 +44,7 @@ class NFCHost : public WebContentsObserver { + mojo::Remote nfc_provider_; + + // Permission change subscription ID provided by |permission_controller_|. +- int subscription_id_ = 0; ++ PermissionController::SubscriptionId subscription_id_; + + DISALLOW_COPY_AND_ASSIGN(NFCHost); + }; +diff --git a/content/browser/permissions/permission_controller_impl.cc b/content/browser/permissions/permission_controller_impl.cc +index c6edd2ebec0b57808512c3b6c574548431efac7e..4722e9d7b3ed77489fa28f97afa55726f7f727e4 100644 +--- a/content/browser/permissions/permission_controller_impl.cc ++++ b/content/browser/permissions/permission_controller_impl.cc +@@ -132,7 +132,8 @@ struct PermissionControllerImpl::Subscription { + int render_frame_id = -1; + int render_process_id = -1; + base::RepeatingCallback callback; +- int delegate_subscription_id; ++ // This is default-initialized to an invalid ID. ++ PermissionControllerDelegate::SubscriptionId delegate_subscription_id; + }; + + PermissionControllerImpl::~PermissionControllerImpl() { +@@ -388,7 +389,8 @@ void PermissionControllerImpl::OnDelegatePermissionStatusChange( + subscription->callback.Run(status); + } + +-int PermissionControllerImpl::SubscribePermissionStatusChange( ++PermissionControllerImpl::SubscriptionId ++PermissionControllerImpl::SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, +@@ -422,21 +424,21 @@ int PermissionControllerImpl::SubscribePermissionStatusChange( + base::BindRepeating( + &PermissionControllerImpl::OnDelegatePermissionStatusChange, + base::Unretained(this), subscription.get())); +- } else { +- subscription->delegate_subscription_id = kNoPendingOperation; + } +- return subscriptions_.Add(std::move(subscription)); ++ ++ auto id = subscription_id_generator_.GenerateNextId(); ++ subscriptions_.AddWithID(std::move(subscription), id); ++ return id; + } + + void PermissionControllerImpl::UnsubscribePermissionStatusChange( +- int subscription_id) { ++ SubscriptionId subscription_id) { + Subscription* subscription = subscriptions_.Lookup(subscription_id); + if (!subscription) + return; + PermissionControllerDelegate* delegate = + browser_context_->GetPermissionControllerDelegate(); +- if (delegate && +- subscription->delegate_subscription_id != kNoPendingOperation) { ++ if (delegate) { + delegate->UnsubscribePermissionStatusChange( + subscription->delegate_subscription_id); + } +diff --git a/content/browser/permissions/permission_controller_impl.h b/content/browser/permissions/permission_controller_impl.h +index 7ebf3c48a0e863d9f4312b37e014ce0f89e5c3c7..d85788867f746547f80405c46660e055631d9208 100644 +--- a/content/browser/permissions/permission_controller_impl.h ++++ b/content/browser/permissions/permission_controller_impl.h +@@ -72,18 +72,19 @@ class CONTENT_EXPORT PermissionControllerImpl : public PermissionController { + const GURL& requesting_origin, + const GURL& embedding_origin); + +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + const base::RepeatingCallback& + callback); + +- void UnsubscribePermissionStatusChange(int subscription_id); ++ void UnsubscribePermissionStatusChange(SubscriptionId subscription_id); + + private: + struct Subscription; +- using SubscriptionsMap = base::IDMap>; ++ using SubscriptionsMap = ++ base::IDMap, SubscriptionId>; + using SubscriptionsStatusMap = + base::flat_map; + +@@ -98,7 +99,13 @@ class CONTENT_EXPORT PermissionControllerImpl : public PermissionController { + const base::Optional& origin); + + DevToolsPermissionOverrides devtools_permission_overrides_; ++ ++ // Note that SubscriptionId is distinct from ++ // PermissionControllerDelegate::SubscriptionId, and the concrete ID values ++ // may be different as well. + SubscriptionsMap subscriptions_; ++ SubscriptionId::Generator subscription_id_generator_; ++ + BrowserContext* browser_context_; + + DISALLOW_COPY_AND_ASSIGN(PermissionControllerImpl); +diff --git a/content/browser/permissions/permission_service_context.cc b/content/browser/permissions/permission_service_context.cc +index c3ab81294edbb297108c3b8f59a35f1cfb8131f9..f15abf265eb690b5dfd66bb1c2d5e13b005ddbd0 100644 +--- a/content/browser/permissions/permission_service_context.cc ++++ b/content/browser/permissions/permission_service_context.cc +@@ -11,7 +11,6 @@ + #include "content/browser/permissions/permission_service_impl.h" + #include "content/public/browser/browser_context.h" + #include "content/public/browser/navigation_handle.h" +-#include "content/public/browser/permission_controller.h" + #include "content/public/browser/render_frame_host.h" + #include "content/public/browser/render_process_host.h" + #include "content/public/browser/web_contents.h" +@@ -32,7 +31,7 @@ class PermissionServiceContext::PermissionSubscription { + PermissionSubscription& operator=(const PermissionSubscription&) = delete; + + ~PermissionSubscription() { +- DCHECK_NE(id_, 0); ++ DCHECK(id_); + BrowserContext* browser_context = context_->GetBrowserContext(); + if (browser_context) { + PermissionControllerImpl::FromBrowserContext(browser_context) +@@ -41,7 +40,7 @@ class PermissionServiceContext::PermissionSubscription { + } + + void OnConnectionError() { +- DCHECK_NE(id_, 0); ++ DCHECK(id_); + context_->ObserverHadConnectionError(id_); + } + +@@ -49,12 +48,12 @@ class PermissionServiceContext::PermissionSubscription { + observer_->OnPermissionStatusChange(status); + } + +- void set_id(int id) { id_ = id; } ++ void set_id(PermissionController::SubscriptionId id) { id_ = id; } + + private: + PermissionServiceContext* const context_; + mojo::Remote observer_; +- int id_ = 0; ++ PermissionController::SubscriptionId id_; + }; + + PermissionServiceContext::PermissionServiceContext( +@@ -108,7 +107,7 @@ void PermissionServiceContext::CreateSubscription( + } + + GURL requesting_origin(origin.Serialize()); +- int subscription_id = ++ auto subscription_id = + PermissionControllerImpl::FromBrowserContext(browser_context) + ->SubscribePermissionStatusChange( + permission_type, render_frame_host_, requesting_origin, +@@ -119,7 +118,8 @@ void PermissionServiceContext::CreateSubscription( + subscriptions_[subscription_id] = std::move(subscription); + } + +-void PermissionServiceContext::ObserverHadConnectionError(int subscription_id) { ++void PermissionServiceContext::ObserverHadConnectionError( ++ PermissionController::SubscriptionId subscription_id) { + size_t erased = subscriptions_.erase(subscription_id); + DCHECK_EQ(1u, erased); + } +diff --git a/content/browser/permissions/permission_service_context.h b/content/browser/permissions/permission_service_context.h +index 4f93be504fd854b50bea96dedbc5d324d25ea6f1..0680c70c8ee4a79bb85c2fd1e3769a29f339816e 100644 +--- a/content/browser/permissions/permission_service_context.h ++++ b/content/browser/permissions/permission_service_context.h +@@ -9,6 +9,7 @@ + #include + + #include "content/common/content_export.h" ++#include "content/public/browser/permission_controller.h" + #include "content/public/browser/permission_type.h" + #include "content/public/browser/web_contents_observer.h" + #include "mojo/public/cpp/bindings/pending_receiver.h" +@@ -52,7 +53,8 @@ class CONTENT_EXPORT PermissionServiceContext : public WebContentsObserver { + mojo::PendingRemote observer); + + // Called when the connection to a PermissionObserver has an error. +- void ObserverHadConnectionError(int subscription_id); ++ void ObserverHadConnectionError( ++ PermissionController::SubscriptionId subscription_id); + + // May return nullptr during teardown, or when showing an interstitial. + BrowserContext* GetBrowserContext() const; +@@ -78,7 +80,8 @@ class CONTENT_EXPORT PermissionServiceContext : public WebContentsObserver { + RenderFrameHost* const render_frame_host_; + RenderProcessHost* const render_process_host_; + mojo::UniqueReceiverSet services_; +- std::unordered_map> ++ std::unordered_map> + subscriptions_; + }; + +diff --git a/content/browser/renderer_host/media/media_stream_manager.h b/content/browser/renderer_host/media/media_stream_manager.h +index 4468b5c906454a8cf4484c8f3f81841c9130721b..677f7a5fe22b55f12c324048972a7200ac8c873b 100644 +--- a/content/browser/renderer_host/media/media_stream_manager.h ++++ b/content/browser/renderer_host/media/media_stream_manager.h +@@ -50,6 +50,7 @@ + #include "content/public/browser/desktop_media_id.h" + #include "content/public/browser/media_request_state.h" + #include "content/public/browser/media_stream_request.h" ++#include "content/public/browser/permission_controller.h" + #include "media/base/video_facing.h" + #include "third_party/blink/public/common/mediastream/media_devices.h" + #include "third_party/blink/public/common/mediastream/media_stream_controls.h" +diff --git a/content/public/browser/permission_controller.h b/content/public/browser/permission_controller.h +index b9b42def49b35d31c22ee0d6c158737bdc0824b6..77fe96a1c33aea5e887e171b92f199acdf7dd6df 100644 +--- a/content/public/browser/permission_controller.h ++++ b/content/public/browser/permission_controller.h +@@ -6,6 +6,7 @@ + #define CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_H_ + + #include "base/supports_user_data.h" ++#include "base/util/type_safety/id_type.h" + #include "content/common/content_export.h" + #include "content/public/browser/permission_type.h" + #include "third_party/blink/public/mojom/permissions/permission_status.mojom.h" +@@ -20,8 +21,13 @@ class RenderFrameHost; + class CONTENT_EXPORT PermissionController + : public base::SupportsUserData::Data { + public: +- // Constant retured when registering and subscribing if +- // cancelling/unsubscribing at a later stage would have no effect. ++ // Identifier for an active subscription. This is intentionally a distinct ++ // type from PermissionControllerDelegate::SubscriptionId as the concrete ++ // identifier values may be different. ++ using SubscriptionId = util::IdType64; ++ ++ // Constant returned when requesting a permission if cancelling at a later ++ // stage would have no effect. + static const int kNoPendingOperation = -1; + + ~PermissionController() override {} +@@ -48,4 +54,17 @@ class CONTENT_EXPORT PermissionController + + } // namespace content + ++namespace std { ++ ++template <> ++struct hash { ++ std::size_t operator()( ++ const content::PermissionController::SubscriptionId& v) const { ++ content::PermissionController::SubscriptionId::Hasher hasher; ++ return hasher(v); ++ } ++}; ++ ++} // namespace std ++ + #endif // CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_H_ +diff --git a/content/public/browser/permission_controller_delegate.h b/content/public/browser/permission_controller_delegate.h +index e47de2a278e67091442c63bb7130022eae587041..82a1d4f0efd384386d8215f39d735ba488e4bc61 100644 +--- a/content/public/browser/permission_controller_delegate.h ++++ b/content/public/browser/permission_controller_delegate.h +@@ -5,6 +5,7 @@ + #ifndef CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ + #define CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ + ++#include "base/util/type_safety/id_type.h" + #include "content/common/content_export.h" + #include "content/public/browser/devtools_permission_overrides.h" + #include "third_party/blink/public/mojom/permissions/permission_status.mojom.h" +@@ -18,6 +19,10 @@ class RenderFrameHost; + class CONTENT_EXPORT PermissionControllerDelegate { + public: + using PermissionOverrides = DevToolsPermissionOverrides::PermissionOverrides; ++ ++ // Identifier for an active subscription. ++ using SubscriptionId = util::IdType64; ++ + virtual ~PermissionControllerDelegate() = default; + + // Requests a permission on behalf of a frame identified by +@@ -80,21 +85,21 @@ class CONTENT_EXPORT PermissionControllerDelegate { + + // Runs the given |callback| whenever the |permission| associated with the + // given RenderFrameHost changes. A nullptr should be passed if the request +- // is from a worker. Returns the subscription_id to be used to unsubscribe. +- // Can be kNoPendingOperation if the subscribe was not successful. +- virtual int SubscribePermissionStatusChange( ++ // is from a worker. Returns the ID to be used to unsubscribe, which can be ++ // `is_null()` if the subscribe was not successful. ++ virtual SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback + callback) = 0; + +- // Unregisters from permission status change notifications. +- // The |subscription_id| must match the value returned by the +- // SubscribePermissionStatusChange call. Unsubscribing +- // an already unsubscribed |subscription_id| or providing the +- // |subscription_id| kNoPendingOperation is a no-op. +- virtual void UnsubscribePermissionStatusChange(int subscription_id) = 0; ++ // Unregisters from permission status change notifications. The ++ // |subscription_id| must match the value returned by the ++ // SubscribePermissionStatusChange call. Unsubscribing an already ++ // unsubscribed |subscription_id| or an `is_null()` ID is a no-op. ++ virtual void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) = 0; + + // Manually overrides default permission settings of delegate, if overrides + // are tracked by the delegate. This method should only be called by the +@@ -116,4 +121,17 @@ class CONTENT_EXPORT PermissionControllerDelegate { + + } // namespace content + ++namespace std { ++ ++template <> ++struct hash { ++ std::size_t operator()( ++ const content::PermissionControllerDelegate::SubscriptionId& v) const { ++ content::PermissionControllerDelegate::SubscriptionId::Hasher hasher; ++ return hasher(v); ++ } ++}; ++ ++} // namespace std ++ + #endif // CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ +diff --git a/content/public/test/mock_permission_manager.h b/content/public/test/mock_permission_manager.h +index a193bd00e23abf2295c8bcf2ed5fb3acae68440f..34e71e23a2dae6d55348d8139480459b36377c0c 100644 +--- a/content/public/test/mock_permission_manager.h ++++ b/content/public/test/mock_permission_manager.h +@@ -49,13 +49,13 @@ class MockPermissionManager : public PermissionControllerDelegate { + void ResetPermission(PermissionType permission, + const GURL& requesting_origin, + const GURL& embedding_origin) override {} +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override {} ++ void UnsubscribePermissionStatusChange(SubscriptionId subscription_id) override {} + + private: + DISALLOW_COPY_AND_ASSIGN(MockPermissionManager); +diff --git a/content/shell/browser/shell_permission_manager.cc b/content/shell/browser/shell_permission_manager.cc +index d0396ea346f267a26a8d318d518be59a55b9311a..b302b378960e9cf2445e1e8983d05f6fc2c668b6 100644 +--- a/content/shell/browser/shell_permission_manager.cc ++++ b/content/shell/browser/shell_permission_manager.cc +@@ -133,16 +133,16 @@ ShellPermissionManager::GetPermissionStatusForFrame( + .GetOrigin()); + } + +-int ShellPermissionManager::SubscribePermissionStatusChange( ++ShellPermissionManager::SubscriptionId ++ShellPermissionManager::SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { +- return PermissionController::kNoPendingOperation; ++ return SubscriptionId(); + } + + void ShellPermissionManager::UnsubscribePermissionStatusChange( +- int subscription_id) { +-} ++ SubscriptionId subscription_id) {} + + } // namespace content +diff --git a/content/shell/browser/shell_permission_manager.h b/content/shell/browser/shell_permission_manager.h +index 85477665a9dd643f50c4567c1133973bc258a94f..ecda464779c39df4a8b4b1726414cf2763033f53 100644 +--- a/content/shell/browser/shell_permission_manager.h ++++ b/content/shell/browser/shell_permission_manager.h +@@ -42,13 +42,14 @@ class ShellPermissionManager : public PermissionControllerDelegate { + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + private: + DISALLOW_COPY_AND_ASSIGN(ShellPermissionManager); +diff --git a/content/shell/browser/web_test/web_test_permission_manager.cc b/content/shell/browser/web_test/web_test_permission_manager.cc +index 67f34deebcbf854692be497b1c31d8da72a5b03d..9c876335c3a2feee4f73d9f6f8e14d67f3988291 100644 +--- a/content/shell/browser/web_test/web_test_permission_manager.cc ++++ b/content/shell/browser/web_test/web_test_permission_manager.cc +@@ -147,7 +147,8 @@ WebTestPermissionManager::GetPermissionStatusForFrame( + .GetOrigin()); + } + +-int WebTestPermissionManager::SubscribePermissionStatusChange( ++WebTestPermissionManager::SubscriptionId ++WebTestPermissionManager::SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, +@@ -170,14 +171,18 @@ int WebTestPermissionManager::SubscribePermissionStatusChange( + GetPermissionStatus(permission, subscription->permission.origin, + subscription->permission.embedding_origin); + +- return subscriptions_.Add(std::move(subscription)); ++ auto id = subscription_id_generator_.GenerateNextId(); ++ subscriptions_.AddWithID(std::move(subscription), id); ++ return id; + } + + void WebTestPermissionManager::UnsubscribePermissionStatusChange( +- int subscription_id) { ++ SubscriptionId subscription_id) { + DCHECK_CURRENTLY_ON(BrowserThread::UI); + +- // Whether |subscription_id| is known will be checked by the Remove() call. ++ if (!subscriptions_.Lookup(subscription_id)) ++ return; ++ + subscriptions_.Remove(subscription_id); + } + +diff --git a/content/shell/browser/web_test/web_test_permission_manager.h b/content/shell/browser/web_test/web_test_permission_manager.h +index 1d15dbb9c7dda0b1e8642435d8a1e8f48af72e5c..46490c28fb013c2f5c8e75d7e7e24761f4498a58 100644 +--- a/content/shell/browser/web_test/web_test_permission_manager.h ++++ b/content/shell/browser/web_test/web_test_permission_manager.h +@@ -52,13 +52,14 @@ class WebTestPermissionManager + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + PermissionType permission, + RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + void SetPermission(PermissionType permission, + blink::mojom::PermissionStatus status, +@@ -98,7 +99,8 @@ class WebTestPermissionManager + }; + + struct Subscription; +- using SubscriptionsMap = base::IDMap>; ++ using SubscriptionsMap = ++ base::IDMap, SubscriptionId>; + using PermissionsMap = std::unordered_map; +@@ -116,6 +118,7 @@ class WebTestPermissionManager + + // List of subscribers currently listening to permission changes. + SubscriptionsMap subscriptions_; ++ SubscriptionId::Generator subscription_id_generator_; + + mojo::ReceiverSet receivers_; + +diff --git a/fuchsia/engine/browser/web_engine_permission_delegate.cc b/fuchsia/engine/browser/web_engine_permission_delegate.cc +index 98592f05b6d56108119b106a42d839c28131a324..c18b8be7cdf73720cf02afce9ea75ab98d3f1f64 100644 +--- a/fuchsia/engine/browser/web_engine_permission_delegate.cc ++++ b/fuchsia/engine/browser/web_engine_permission_delegate.cc +@@ -83,20 +83,21 @@ WebEnginePermissionDelegate::GetPermissionStatusForFrame( + permission, url::Origin::Create(requesting_origin)); + } + +-int WebEnginePermissionDelegate::SubscribePermissionStatusChange( ++WebEnginePermissionDelegate::SubscriptionId ++WebEnginePermissionDelegate::SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { + // TODO(crbug.com/1063094): Implement permission status subscription. It's + // used in blink to emit PermissionStatus.onchange notifications. +- NOTIMPLEMENTED() << ": " << static_cast(permission); +- return content::PermissionController::kNoPendingOperation; ++ NOTIMPLEMENTED_LOG_ONCE() << ": " << static_cast(permission); ++ return SubscriptionId(); + } + + void WebEnginePermissionDelegate::UnsubscribePermissionStatusChange( +- int subscription_id) { ++ SubscriptionId subscription_id) { + // TODO(crbug.com/1063094): Implement permission status subscription. It's + // used in blink to emit PermissionStatus.onchange notifications. +- NOTREACHED(); ++ NOTIMPLEMENTED_LOG_ONCE(); + } +diff --git a/fuchsia/engine/browser/web_engine_permission_delegate.h b/fuchsia/engine/browser/web_engine_permission_delegate.h +index 036207b75d33b752981007a41aa51f3e64db4f0e..c39989b471c2a74ee1a9140e12f205866a0b7aff 100644 +--- a/fuchsia/engine/browser/web_engine_permission_delegate.h ++++ b/fuchsia/engine/browser/web_engine_permission_delegate.h +@@ -45,13 +45,14 @@ class WebEnginePermissionDelegate + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + }; + + #endif // FUCHSIA_ENGINE_BROWSER_WEB_ENGINE_PERMISSION_DELEGATE_H_ +diff --git a/headless/lib/browser/headless_permission_manager.cc b/headless/lib/browser/headless_permission_manager.cc +index 5d4d609fc0c10e57ef3c6a730340dc409789dcdd..359ecdc4b72d560da830c51f23374150e6b30a2d 100644 +--- a/headless/lib/browser/headless_permission_manager.cc ++++ b/headless/lib/browser/headless_permission_manager.cc +@@ -71,15 +71,16 @@ HeadlessPermissionManager::GetPermissionStatusForFrame( + return blink::mojom::PermissionStatus::ASK; + } + +-int HeadlessPermissionManager::SubscribePermissionStatusChange( ++HeadlessPermissionManager::SubscriptionId ++HeadlessPermissionManager::SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) { +- return content::PermissionController::kNoPendingOperation; ++ return SubscriptionId(); + } + + void HeadlessPermissionManager::UnsubscribePermissionStatusChange( +- int subscription_id) {} ++ SubscriptionId subscription_id) {} + + } // namespace headless +diff --git a/headless/lib/browser/headless_permission_manager.h b/headless/lib/browser/headless_permission_manager.h +index 4b83309ab3ada17f7f2ac3323ba5f13ab76b9409..ac30670cb384a79457033a25c13da0c305b8eff2 100644 +--- a/headless/lib/browser/headless_permission_manager.h ++++ b/headless/lib/browser/headless_permission_manager.h +@@ -46,13 +46,14 @@ class HeadlessPermissionManager : public content::PermissionControllerDelegate { + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin) override; +- int SubscribePermissionStatusChange( ++ SubscriptionId SubscribePermissionStatusChange( + content::PermissionType permission, + content::RenderFrameHost* render_frame_host, + const GURL& requesting_origin, + base::RepeatingCallback callback) + override; +- void UnsubscribePermissionStatusChange(int subscription_id) override; ++ void UnsubscribePermissionStatusChange( ++ SubscriptionId subscription_id) override; + + private: + content::BrowserContext* browser_context_; diff --git a/shell/browser/electron_permission_manager.cc b/shell/browser/electron_permission_manager.cc index c06828be6c36e..b5545829e9d05 100644 --- a/shell/browser/electron_permission_manager.cc +++ b/shell/browser/electron_permission_manager.cc @@ -227,16 +227,17 @@ blink::mojom::PermissionStatus ElectronPermissionManager::GetPermissionStatus( return blink::mojom::PermissionStatus::GRANTED; } -int ElectronPermissionManager::SubscribePermissionStatusChange( +ElectronPermissionManager::SubscriptionId +ElectronPermissionManager::SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) { - return -1; + return SubscriptionId(); } void ElectronPermissionManager::UnsubscribePermissionStatusChange( - int subscription_id) {} + SubscriptionId subscription_id) {} bool ElectronPermissionManager::CheckPermissionWithDetails( content::PermissionType permission, diff --git a/shell/browser/electron_permission_manager.h b/shell/browser/electron_permission_manager.h index a347afd8375e7..97aade1b5dc49 100644 --- a/shell/browser/electron_permission_manager.h +++ b/shell/browser/electron_permission_manager.h @@ -90,13 +90,14 @@ class ElectronPermissionManager : public content::PermissionControllerDelegate { content::PermissionType permission, const GURL& requesting_origin, const GURL& embedding_origin) override; - int SubscribePermissionStatusChange( + SubscriptionId SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) override; - void UnsubscribePermissionStatusChange(int subscription_id) override; + void UnsubscribePermissionStatusChange( + SubscriptionId subscription_id) override; private: class PendingRequest; From a5e40fea7dca95982c0af597983cb344d087ab1c Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Mon, 26 Apr 2021 09:16:38 +0200 Subject: [PATCH 16/48] chore: cherry-pick 6b84dc72351b from chromium (#28808) * chore: cherry-pick 6b84dc72351b from chromium * update patches Co-authored-by: Electron Bot --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-6b84dc72351b.patch | 82 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 patches/chromium/cherry-pick-6b84dc72351b.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index 5690a270297c5..a7ef0f8e0f363 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -166,3 +166,4 @@ cherry-pick-6a6361c9f31c.patch cherry-pick-012e9baf46c9.patch cherry-pick-8c3eb9d1c409.patch use_idtype_for_permission_change_subscriptions.patch +cherry-pick-6b84dc72351b.patch diff --git a/patches/chromium/cherry-pick-6b84dc72351b.patch b/patches/chromium/cherry-pick-6b84dc72351b.patch new file mode 100644 index 0000000000000..caec3db896ac6 --- /dev/null +++ b/patches/chromium/cherry-pick-6b84dc72351b.patch @@ -0,0 +1,82 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Brendon Tiszka +Date: Tue, 20 Apr 2021 15:45:03 +0000 +Subject: M86-LTS: Ensure that BrowserContext is not used after it has been + freed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, it was possible for the BrowserContext to be destroyed +before ReportAnchorElementMetricsOnClick attempted to access it. + +The fix uses the fact that NavigationPredictor extends +WebContentsObserver and checks that web_contents is still alive +before dereferencing BrowserContext. WebContents will always +outlive BrowserContext. + +R=lukasza@chromium.org, ryansturm@chromium.org + +(cherry picked from commit 7313a810ae0b1361cbe8453bc5496654dee24c76) + +Bug: 1197904 +Change-Id: Iee4f126e92670a84d57c7a4ec7d6f702fb975c7e +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821639 +Reviewed-by: Ryan Sturm +Reviewed-by: Łukasz Anforowicz +Commit-Queue: Łukasz Anforowicz +Cr-Original-Commit-Position: refs/heads/master@{#872021} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2838328 +Owners-Override: Achuith Bhandarkar +Auto-Submit: Achuith Bhandarkar +Reviewed-by: Artem Sumaneev +Commit-Queue: Achuith Bhandarkar +Cr-Commit-Position: refs/branch-heads/4240@{#1613} +Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} + +diff --git a/AUTHORS b/AUTHORS +index 3aa101a8d38a899fefcca149e4ac8e658188e590..cccc1f6d1407183806e78cb99e56abe7bd93de82 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -145,6 +145,7 @@ Bobby Powers + Branden Archer + Brendan Kirby + Brendan Long ++Brendon Tiszka + Brian Clifton + Brian G. Merrell + Brian Konzman, SJ +diff --git a/chrome/browser/navigation_predictor/navigation_predictor.cc b/chrome/browser/navigation_predictor/navigation_predictor.cc +index 495bb165a30f2b1bf690e6d0724ad8f347a76d44..b62a97501565555493f4db82ce4a1ababff19eb6 100644 +--- a/chrome/browser/navigation_predictor/navigation_predictor.cc ++++ b/chrome/browser/navigation_predictor/navigation_predictor.cc +@@ -506,6 +506,9 @@ void NavigationPredictor::ReportAnchorElementMetricsOnClick( + DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); + DCHECK(base::FeatureList::IsEnabled(blink::features::kNavigationPredictor)); + ++ if (!web_contents()) ++ return; ++ + if (browser_context_->IsOffTheRecord()) + return; + +@@ -652,6 +655,9 @@ void NavigationPredictor::ReportAnchorElementMetricsOnLoad( + // Each document should only report metrics once when page is loaded. + DCHECK(navigation_scores_map_.empty()); + ++ if (!web_contents()) ++ return; ++ + if (browser_context_->IsOffTheRecord()) + return; + +@@ -897,6 +903,9 @@ void NavigationPredictor::MaybeTakeActionOnLoad( + } + + void NavigationPredictor::MaybePrefetch() { ++ if (!web_contents()) ++ return; ++ + // If prefetches aren't allowed here, this URL has already + // been prefetched, or the current tab is hidden, + // we shouldn't prefetch again. From 049b1d08170c4d5c082ab11c8f03a3a5a44f3cd1 Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Mon, 26 Apr 2021 09:30:37 +0200 Subject: [PATCH 17/48] chore: cherry-pick ffde6ee0e4 from v8 (#28800) --- patches/v8/.patches | 1 + .../v8/merged_squashed_multiple_commits.patch | 202 ++++++++++++++++++ 2 files changed, 203 insertions(+) create mode 100644 patches/v8/merged_squashed_multiple_commits.patch diff --git a/patches/v8/.patches b/patches/v8/.patches index baef29ebe0167..f9f171b7015df 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches @@ -28,3 +28,4 @@ regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch cherry-pick-02f84c745fc0.patch merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch cherry-pick-512cd5e179f4.patch +merged_squashed_multiple_commits.patch diff --git a/patches/v8/merged_squashed_multiple_commits.patch b/patches/v8/merged_squashed_multiple_commits.patch new file mode 100644 index 0000000000000..e94ad38afb84a --- /dev/null +++ b/patches/v8/merged_squashed_multiple_commits.patch @@ -0,0 +1,202 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Georg Neis +Date: Wed, 10 Mar 2021 09:45:36 +0100 +Subject: Merged: Squashed multiple commits. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Merged: [const-tracking] Mark const field as mutable when reconfiguring +Revision: 7535b91f7cb22274de734d5da7d0324d8653d626 + +Merged: [const-tracking] Fix incorrect DCHECK in MapUpdater +Revision: f95db8916a731e6e5ccc0282616bc907ce06012f + +BUG=chromium:1161847,chromium:1185463,v8:9233 +NOTRY=true +NOPRESUBMIT=true +NOTREECHECKS=true +R=ishell@chromium.org + +(cherry picked from commit 56518020bff4d0e8b82cff843c9f618c90084e42) + +Change-Id: I7f46a701646e1dd67a049b2aa4ac32d05b6885f3 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2748079 +Commit-Queue: Georg Neis +Reviewed-by: Igor Sheludko +Cr-Original-Commit-Position: refs/branch-heads/8.9@{#43} +Cr-Original-Branched-From: 16b9bbbd581c25391981aa03180b76aa60463a3e-refs/heads/8.9.255@{#1} +Cr-Original-Branched-From: d16a2a688498bd1c3e6a49edb25d8c4ca56232dc-refs/heads/master@{#72039} +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2794428 +Reviewed-by: Victor-Gabriel Savu +Commit-Queue: Artem Sumaneev +Cr-Commit-Position: refs/branch-heads/8.6@{#73} +Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} +Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} + +diff --git a/src/objects/map-updater.cc b/src/objects/map-updater.cc +index b4b158749381efcf780d5c8ba07c286be6ba6b30..047750ebbd454a5f3f1fce7bc06ac042085245a4 100644 +--- a/src/objects/map-updater.cc ++++ b/src/objects/map-updater.cc +@@ -121,6 +121,41 @@ Handle MapUpdater::ReconfigureToDataField(InternalIndex descriptor, + PropertyDetails old_details = + old_descriptors_->GetDetails(modified_descriptor_); + ++ // If the {descriptor} was "const" data field so far, we need to update the ++ // {old_map_} here, otherwise we could get the constants wrong, i.e. ++ // ++ // o.x = 1; ++ // change o.x's attributes to something else ++ // delete o.x; ++ // o.x = 2; ++ // ++ // could trick V8 into thinking that `o.x` is still 1 even after the second ++ // assignment. ++ // This situation is similar to what might happen with property deletion. ++ if (old_details.constness() == PropertyConstness::kConst && ++ old_details.location() == kField && ++ old_details.attributes() != new_attributes_) { ++ Handle field_type( ++ old_descriptors_->GetFieldType(modified_descriptor_), isolate_); ++ Map::GeneralizeField(isolate_, old_map_, descriptor, ++ PropertyConstness::kMutable, ++ old_details.representation(), field_type); ++ // The old_map_'s property must become mutable. ++ // Note, that the {old_map_} and {old_descriptors_} are not expected to be ++ // updated by the generalization if the map is already deprecated. ++ DCHECK_IMPLIES( ++ !old_map_->is_deprecated(), ++ PropertyConstness::kMutable == ++ old_descriptors_->GetDetails(modified_descriptor_).constness()); ++ // Although the property in the old map is marked as mutable we still ++ // treat it as constant when merging with the new path in transition tree. ++ // This is fine because up until this reconfiguration the field was ++ // known to be constant, so it's fair to proceed treating it as such ++ // during this reconfiguration session. The issue is that after the ++ // reconfiguration the original field might become mutable (see the delete ++ // example above). ++ } ++ + // If property kind is not reconfigured merge the result with + // representation/field type from the old descriptor. + if (old_details.kind() == new_kind_) { +diff --git a/test/cctest/test-field-type-tracking.cc b/test/cctest/test-field-type-tracking.cc +index 740ae05c1eaf8104ad5c3c443b2e39429fc7fca5..99ffbe9bac6094c70ffda3f362ef0d0997d61fc1 100644 +--- a/test/cctest/test-field-type-tracking.cc ++++ b/test/cctest/test-field-type-tracking.cc +@@ -1081,20 +1081,31 @@ void TestReconfigureDataFieldAttribute_GeneralizeField( + Handle

 code_field_type = CreateDummyOptimizedCode(isolate);
+   Handle code_field_repr = CreateDummyOptimizedCode(isolate);
+   Handle code_field_const = CreateDummyOptimizedCode(isolate);
+-  Handle field_owner(
+-      map->FindFieldOwner(isolate, InternalIndex(kSplitProp)), isolate);
+-  DependentCode::InstallDependency(isolate,
+-                                   MaybeObjectHandle::Weak(code_field_type),
+-                                   field_owner, DependentCode::kFieldTypeGroup);
+-  DependentCode::InstallDependency(
+-      isolate, MaybeObjectHandle::Weak(code_field_repr), field_owner,
+-      DependentCode::kFieldRepresentationGroup);
+-  DependentCode::InstallDependency(
+-      isolate, MaybeObjectHandle::Weak(code_field_const), field_owner,
+-      DependentCode::kFieldConstGroup);
++  Handle code_src_field_const = CreateDummyOptimizedCode(isolate);
++  {
++    Handle field_owner(
++        map->FindFieldOwner(isolate, InternalIndex(kSplitProp)), isolate);
++    DependentCode::InstallDependency(
++        isolate, MaybeObjectHandle::Weak(code_field_type), field_owner,
++        DependentCode::kFieldTypeGroup);
++    DependentCode::InstallDependency(
++        isolate, MaybeObjectHandle::Weak(code_field_repr), field_owner,
++        DependentCode::kFieldRepresentationGroup);
++    DependentCode::InstallDependency(
++        isolate, MaybeObjectHandle::Weak(code_field_const), field_owner,
++        DependentCode::kFieldConstGroup);
++  }
++  {
++    Handle field_owner(
++        map2->FindFieldOwner(isolate, InternalIndex(kSplitProp)), isolate);
++    DependentCode::InstallDependency(
++        isolate, MaybeObjectHandle::Weak(code_src_field_const), field_owner,
++        DependentCode::kFieldConstGroup);
++  }
+   CHECK(!code_field_type->marked_for_deoptimization());
+   CHECK(!code_field_repr->marked_for_deoptimization());
+   CHECK(!code_field_const->marked_for_deoptimization());
++  CHECK(!code_src_field_const->marked_for_deoptimization());
+ 
+   // Reconfigure attributes of property |kSplitProp| of |map2| to NONE, which
+   // should generalize representations in |map1|.
+@@ -1102,10 +1113,21 @@ void TestReconfigureDataFieldAttribute_GeneralizeField(
+       Map::ReconfigureExistingProperty(isolate, map2, InternalIndex(kSplitProp),
+                                        kData, NONE, PropertyConstness::kConst);
+ 
+-  // |map2| should be left unchanged but marked unstable.
++  // |map2| should be mosly left unchanged but marked unstable and if the
++  // source property was constant it should also be transitioned to kMutable.
+   CHECK(!map2->is_stable());
+   CHECK(!map2->is_deprecated());
+   CHECK_NE(*map2, *new_map);
++  // If the "source" property was const then update constness expectations for
++  // "source" map and ensure the deoptimization dependency was triggered.
++  if (to.constness == PropertyConstness::kConst) {
++    expectations2.SetDataField(kSplitProp, READ_ONLY,
++                               PropertyConstness::kMutable, to.representation,
++                               to.type);
++    CHECK(code_src_field_const->marked_for_deoptimization());
++  } else {
++    CHECK(!code_src_field_const->marked_for_deoptimization());
++  }
+   CHECK(expectations2.Check(*map2));
+ 
+   for (int i = kSplitProp; i < kPropCount; i++) {
+diff --git a/test/mjsunit/regress/regress-crbug-1161847-1.js b/test/mjsunit/regress/regress-crbug-1161847-1.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..282d9b878718105db40fee0283d15227fb724a3a
+--- /dev/null
++++ b/test/mjsunit/regress/regress-crbug-1161847-1.js
+@@ -0,0 +1,19 @@
++// Copyright 2021 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --allow-natives-syntax
++
++function foo(first_run) {
++  let o = { x: 0 };
++  if (first_run) assertTrue(%HasOwnConstDataProperty(o, 'x'));
++  Object.defineProperty(o, 'x', { writable: false });
++  delete o.x;
++  o.x = 23;
++  if (first_run) assertFalse(%HasOwnConstDataProperty(o, 'x'));
++}
++%PrepareFunctionForOptimization(foo);
++foo(true);
++foo(false);
++%OptimizeFunctionOnNextCall(foo);
++foo(false);
+diff --git a/test/mjsunit/regress/regress-crbug-1161847-2.js b/test/mjsunit/regress/regress-crbug-1161847-2.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..ec61fee068acea0ea259164816142a01851f3669
+--- /dev/null
++++ b/test/mjsunit/regress/regress-crbug-1161847-2.js
+@@ -0,0 +1,19 @@
++// Copyright 2021 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --allow-natives-syntax
++
++function foo(first_run) {
++  let o = { x: 0 };
++  if (first_run) assertTrue(%HasOwnConstDataProperty(o, 'x'));
++  Object.defineProperty(o, 'x', { get() { return 1; }, configurable: true, enumerable: true });
++  delete o.x;
++  o.x = 23;
++  if (first_run) assertFalse(%HasOwnConstDataProperty(o, 'x'));
++}
++%PrepareFunctionForOptimization(foo);
++foo(true);
++foo(false);
++%OptimizeFunctionOnNextCall(foo);
++foo(false);

From 5593485831e71a8538667d3e3f71215c82dca42e Mon Sep 17 00:00:00 2001
From: "trop[bot]" <37223003+trop[bot]@users.noreply.github.com>
Date: Mon, 26 Apr 2021 11:49:43 +0200
Subject: [PATCH 18/48] fix: only set backgroundColor in default-app for
 default index.html (#28840)

Co-authored-by: Milan Burda 
---
 default_app/default_app.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/default_app/default_app.ts b/default_app/default_app.ts
index 7c2d8a3b9eecb..08d1c7ce39558 100644
--- a/default_app/default_app.ts
+++ b/default_app/default_app.ts
@@ -41,14 +41,14 @@ ipcMain.handle('bootstrap', (event) => {
   return isTrustedSender(event.sender) ? electronPath : null;
 });
 
-async function createWindow () {
+async function createWindow (backgroundColor?: string) {
   await app.whenReady();
 
   const options: Electron.BrowserWindowConstructorOptions = {
     width: 960,
     height: 620,
     autoHideMenuBar: true,
-    backgroundColor: '#2f3241',
+    backgroundColor,
     webPreferences: {
       preload: path.resolve(__dirname, 'preload.js'),
       contextIsolation: true,
@@ -96,7 +96,7 @@ export const loadURL = async (appUrl: string) => {
 };
 
 export const loadFile = async (appPath: string) => {
-  mainWindow = await createWindow();
+  mainWindow = await createWindow(appPath === 'index.html' ? '#2f3241' : undefined);
   mainWindow.loadFile(appPath);
   mainWindow.focus();
 };

From 95d9d7ddfed6e3d81270ca625c9ce37de9e38dd3 Mon Sep 17 00:00:00 2001
From: Pedro Pontes 
Date: Mon, 26 Apr 2021 13:08:57 +0200
Subject: [PATCH 19/48] chore: cherry-pick fe20b05a0e5e from chromium (#28780)

* chore: cherry-pick fe20b05a0e5e from chromium

* update patches

Co-authored-by: Electron Bot 
Co-authored-by: Cheng Zhao 
---
 patches/chromium/.patches                     |   1 +
 .../chromium/cherry-pick-fe20b05a0e5e.patch   | 140 ++++++++++++++++++
 2 files changed, 141 insertions(+)
 create mode 100644 patches/chromium/cherry-pick-fe20b05a0e5e.patch

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index a7ef0f8e0f363..9facf1bacb806 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -166,4 +166,5 @@ cherry-pick-6a6361c9f31c.patch
 cherry-pick-012e9baf46c9.patch
 cherry-pick-8c3eb9d1c409.patch
 use_idtype_for_permission_change_subscriptions.patch
+cherry-pick-fe20b05a0e5e.patch
 cherry-pick-6b84dc72351b.patch
diff --git a/patches/chromium/cherry-pick-fe20b05a0e5e.patch b/patches/chromium/cherry-pick-fe20b05a0e5e.patch
new file mode 100644
index 0000000000000..ece508e56af62
--- /dev/null
+++ b/patches/chromium/cherry-pick-fe20b05a0e5e.patch
@@ -0,0 +1,140 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jana Grill 
+Date: Tue, 20 Apr 2021 18:23:33 +0000
+Subject: M86-LTS: DevTools: expect PageHandler may be destroyed during
+ Page.navigate
+
+(cherry picked from commit ff5e70191ec701cce4f84aaa25cd676376253a8a)
+
+Bug: 1188889
+Change-Id: I5c2fcca84834d66c46d77a70683212c2330177a5
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2787756
+Commit-Queue: Andrey Kosyakov 
+Reviewed-by: Dmitry Gozman 
+Reviewed-by: Karan Bhatia 
+Cr-Original-Commit-Position: refs/heads/master@{#867507}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821536
+Commit-Queue: Achuith Bhandarkar 
+Reviewed-by: Achuith Bhandarkar 
+Reviewed-by: Victor-Gabriel Savu 
+Owners-Override: Achuith Bhandarkar 
+Cr-Commit-Position: refs/branch-heads/4240@{#1618}
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
+
+diff --git a/chrome/browser/extensions/api/debugger/debugger_apitest.cc b/chrome/browser/extensions/api/debugger/debugger_apitest.cc
+index 71ce5a3399db29451e990d530736460aa28eeec0..b35accc8ce46f3465624898fe18d463529498d07 100644
+--- a/chrome/browser/extensions/api/debugger/debugger_apitest.cc
++++ b/chrome/browser/extensions/api/debugger/debugger_apitest.cc
+@@ -24,6 +24,7 @@
+ #include "components/sessions/content/session_tab_helper.h"
+ #include "content/public/test/browser_test.h"
+ #include "content/public/test/browser_test_utils.h"
++#include "content/public/test/no_renderer_crashes_assertion.h"
+ #include "extensions/browser/extension_function.h"
+ #include "extensions/common/extension.h"
+ #include "extensions/common/extension_builder.h"
+@@ -353,6 +354,19 @@ IN_PROC_BROWSER_TEST_F(DebuggerExtensionApiTest,
+       << message_;
+ }
+ 
++// Tests that navigation to a forbidden URL is properly denied and
++// does not cause a crash.
++// This is a regression test for https://crbug.com/1188889.
++IN_PROC_BROWSER_TEST_F(DebuggerExtensionApiTest, DISABLED_NavigateToForbiddenUrl) {
++  content::ScopedAllowRendererCrashes scoped_allow_renderer_crashes;
++  // We don't send a DevTools command callback before disconnecting the session,
++  // so the extension does not receive a callback either.
++  base::AutoReset ignore_did_respond(
++      &ExtensionFunction::ignore_all_did_respond_for_testing_do_not_use, true);
++  ASSERT_TRUE(RunExtensionTest("debugger_navigate_to_forbidden_url"))
++      << message_;
++}
++
+ class SitePerProcessDebuggerExtensionApiTest : public DebuggerExtensionApiTest {
+  public:
+   void SetUpCommandLine(base::CommandLine* command_line) override {
+diff --git a/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/background.js b/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/background.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..e2ef32fffd3e5d49e7dc10d53f8c891ddb0f3872
+--- /dev/null
++++ b/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/background.js
+@@ -0,0 +1,28 @@
++// Copyright 2021 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++const protocolVersion = '1.3';
++const DETACHED_WHILE_HANDLING = 'Detached while handling command.';
++
++chrome.test.runTests([
++  async function testNavigateToForbiddenUrl() {
++    const {openTab} = await import('/_test_resources/test_util/tabs_util.js');
++    const tab = await openTab('about:blank');
++    const debuggee = {tabId: tab.id};
++    await new Promise(resolve =>
++        chrome.debugger.attach(debuggee, protocolVersion, resolve));
++    chrome.debugger.sendCommand(debuggee, 'Page.crash');
++    await new Promise(resolve =>
++        chrome.debugger.onEvent.addListener((source, method, params) => {
++          if (method === 'Inspector.targetCrashed')
++            resolve();
++        }));
++    const result = await new Promise(resolve =>
++      chrome.debugger.sendCommand(debuggee, 'Page.navigate', {
++          url: 'chrome://version'
++      }, resolve));
++    chrome.test.assertLastError(DETACHED_WHILE_HANDLING);
++    chrome.test.succeed();
++  }
++]);
+diff --git a/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/manifest.json b/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/manifest.json
+new file mode 100644
+index 0000000000000000000000000000000000000000..05db294ed7f49893431b0039a5f338d20e08f27d
+--- /dev/null
++++ b/chrome/test/data/extensions/api_test/debugger_navigate_to_forbidden_url/manifest.json
+@@ -0,0 +1,11 @@
++{
++  "name": "Debugger API test for CDP-initiated navigation to forbidden URLs",
++  "version": "1.0",
++  "manifest_version": 2,
++  "background": {
++    "scripts": ["background.js"]
++  },
++  "permissions": [
++    "debugger"
++  ]
++}
+diff --git a/content/browser/devtools/protocol/page_handler.cc b/content/browser/devtools/protocol/page_handler.cc
+index 630de0dd016fd3d054bcd40b22d75a242eeaa23e..a340d3e4519ada9edba279090ea11b57521ef0f4 100644
+--- a/content/browser/devtools/protocol/page_handler.cc
++++ b/content/browser/devtools/protocol/page_handler.cc
+@@ -496,7 +496,12 @@ void PageHandler::Navigate(const std::string& url,
+   params.referrer = Referrer(GURL(referrer.fromMaybe("")), policy);
+   params.transition_type = type;
+   params.frame_tree_node_id = frame_tree_node->frame_tree_node_id();
++  // Handler may be destroyed while navigating if the session
++  // gets disconnected as a result of access checks.
++  base::WeakPtr weak_self = weak_factory_.GetWeakPtr();
+   frame_tree_node->navigator().GetController()->LoadURLWithParams(params);
++  if (!weak_self)
++    return;
+ 
+   base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token();
+   auto navigate_callback = navigate_callbacks_.find(frame_token);
+diff --git a/content/browser/devtools/render_frame_devtools_agent_host.cc b/content/browser/devtools/render_frame_devtools_agent_host.cc
+index 52fdd0f1066699cc019c33de2517c23f12b4a616..8795c547717b206f4e459f655f6e62a7ba9229e0 100644
+--- a/content/browser/devtools/render_frame_devtools_agent_host.cc
++++ b/content/browser/devtools/render_frame_devtools_agent_host.cc
+@@ -472,8 +472,11 @@ void RenderFrameDevToolsAgentHost::UpdateFrameHost(
+     if (!ShouldAllowSession(session))
+       restricted_sessions.push_back(session);
+   }
+-  if (!restricted_sessions.empty())
++  scoped_refptr protect;
++  if (!restricted_sessions.empty()) {
++    protect = this;
+     ForceDetachRestrictedSessions(restricted_sessions);
++  }
+ 
+   UpdateFrameAlive();
+ }

From 3fe97b1b1b166b6579cea631e026d00c0c09ea7f Mon Sep 17 00:00:00 2001
From: Pedro Pontes 
Date: Mon, 26 Apr 2021 13:09:36 +0200
Subject: [PATCH 20/48] chore: cherry-pick 8ebd894186 and 1e35f64725 from v8
 (#28811)

* chore: cherry-pick 8ebd894186 and 1e35f64725 from v8

* update patches

Co-authored-by: Electron Bot 
Co-authored-by: Cheng Zhao 
---
 patches/v8/.patches                           |  2 +
 ..._array_prototype_concat_with_species.patch | 96 +++++++++++++++++++
 ...iltins_harden_array_prototype_concat.patch | 79 +++++++++++++++
 3 files changed, 177 insertions(+)
 create mode 100644 patches/v8/lts-m86_builtins_fix_array_prototype_concat_with_species.patch
 create mode 100644 patches/v8/lts-m86_builtins_harden_array_prototype_concat.patch

diff --git a/patches/v8/.patches b/patches/v8/.patches
index f9f171b7015df..bc8b71bf99c10 100644
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -28,4 +28,6 @@ regexp_throw_when_length_of_text_nodes_in_alternatives_is_too.patch
 cherry-pick-02f84c745fc0.patch
 merged_deoptimizer_fix_bug_in_optimizedframe_summarize.patch
 cherry-pick-512cd5e179f4.patch
+lts-m86_builtins_fix_array_prototype_concat_with_species.patch
+lts-m86_builtins_harden_array_prototype_concat.patch
 merged_squashed_multiple_commits.patch
diff --git a/patches/v8/lts-m86_builtins_fix_array_prototype_concat_with_species.patch b/patches/v8/lts-m86_builtins_fix_array_prototype_concat_with_species.patch
new file mode 100644
index 0000000000000..de0269a10a104
--- /dev/null
+++ b/patches/v8/lts-m86_builtins_fix_array_prototype_concat_with_species.patch
@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Igor Sheludko 
+Date: Wed, 7 Apr 2021 19:12:32 +0200
+Subject: Fix Array.prototype.concat with @@species
+
+(cherry picked from commit 7989e04979c3195e60a6814e8263063eb91f7b47)
+
+No-Try: true
+No-Presubmit: true
+No-Tree-Checks: true
+Bug: chromium:1195977
+Change-Id: I16843bce2e9f776abca0f2b943b898ab5e597e42
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2810787
+Reviewed-by: Camillo Bruni 
+Commit-Queue: Igor Sheludko 
+Cr-Original-Commit-Position: refs/heads/master@{#73842}
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2823829
+Commit-Queue: Jana Grill 
+Reviewed-by: Igor Sheludko 
+Reviewed-by: Victor-Gabriel Savu 
+Cr-Commit-Position: refs/branch-heads/8.6@{#77}
+Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
+Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
+
+diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
+index 3c2fe33c5b4b330c509d2926bc1e30daa1e09dba..938fb96c1d42d8152f974df33c3bed4cc1b542d3 100644
+--- a/src/builtins/builtins-array.cc
++++ b/src/builtins/builtins-array.cc
+@@ -649,11 +649,14 @@ class ArrayConcatVisitor {
+         index_offset_(0u),
+         bit_field_(FastElementsField::encode(fast_elements) |
+                    ExceedsLimitField::encode(false) |
+-                   IsFixedArrayField::encode(storage->IsFixedArray()) |
++                   IsFixedArrayField::encode(storage->IsFixedArray(isolate)) |
+                    HasSimpleElementsField::encode(
+-                       storage->IsFixedArray() ||
+-                       !storage->map().IsCustomElementsReceiverMap())) {
+-    DCHECK(!(this->fast_elements() && !is_fixed_array()));
++                       storage->IsFixedArray(isolate) ||
++                       // Don't take fast path for storages that might have
++                       // side effects when storing to them.
++                       (!storage->map(isolate).IsCustomElementsReceiverMap() &&
++                        !storage->IsJSTypedArray(isolate)))) {
++    DCHECK_IMPLIES(this->fast_elements(), is_fixed_array());
+   }
+ 
+   ~ArrayConcatVisitor() { clear_storage(); }
+@@ -1063,8 +1066,8 @@ bool IterateElements(Isolate* isolate, Handle receiver,
+     return IterateElementsSlow(isolate, receiver, length, visitor);
+   }
+ 
+-  if (!HasOnlySimpleElements(isolate, *receiver) ||
+-      !visitor->has_simple_elements()) {
++  if (!visitor->has_simple_elements() ||
++      !HasOnlySimpleElements(isolate, *receiver)) {
+     return IterateElementsSlow(isolate, receiver, length, visitor);
+   }
+   Handle array = Handle::cast(receiver);
+diff --git a/src/objects/fixed-array-inl.h b/src/objects/fixed-array-inl.h
+index adde6c7c1f7958643c46aedf8be33300d36f6306..1bc26ed1747d85d17da218f7521ff3a26bbdf25f 100644
+--- a/src/objects/fixed-array-inl.h
++++ b/src/objects/fixed-array-inl.h
+@@ -320,7 +320,7 @@ int Search(T* array, Name name, int valid_entries, int* out_insertion_index,
+ double FixedDoubleArray::get_scalar(int index) {
+   DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
+          map() != GetReadOnlyRoots().fixed_array_map());
+-  DCHECK(index >= 0 && index < this->length());
++  DCHECK_LT(static_cast(index), static_cast(length()));
+   DCHECK(!is_the_hole(index));
+   return ReadField(kHeaderSize + index * kDoubleSize);
+ }
+@@ -328,7 +328,7 @@ double FixedDoubleArray::get_scalar(int index) {
+ uint64_t FixedDoubleArray::get_representation(int index) {
+   DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() &&
+          map() != GetReadOnlyRoots().fixed_array_map());
+-  DCHECK(index >= 0 && index < this->length());
++  DCHECK_LT(static_cast(index), static_cast(length()));
+   int offset = kHeaderSize + index * kDoubleSize;
+   // Bug(v8:8875): Doubles may be unaligned.
+   return base::ReadUnalignedValue(field_address(offset));
+@@ -346,6 +346,7 @@ Handle