chore: cherry-pick 2 changes from 1-M130 (#44483)

* chore: cherry-pick 2 changes from 1-M130

* chore: cherry-pick 1 change from 2-M130

patches/chromium/.patches

@@ -140,3 +140,4 @@ m126-lts_check_string_range_in_shapesegment.patch
 m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch
 m126-lts_protect_automation_rate_from_non-deterministic_change.patch
 m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch
+m130_extensions_serviceworker_skip_worker_for_isolated_world.patch

patches/chromium/cherry-pick-c333ed995449.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Ken Rockot <rockot@google.com>
 Date: Mon, 30 Sep 2024 06:33:13 +0000
-Subject: [M128] ipcz: Validate link state fragment before adoption
+Subject: ipcz: Validate link state fragment before adoption
 
 (cherry picked from commit c333ed99544992f66e6e03621fa938d75ad01f70)
 

patches/chromium/m126-lts_check_string_range_in_shapesegment.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Koji Ishii <kojii@chromium.org>
 Date: Thu, 12 Sep 2024 06:00:02 +0000
-Subject: [M126-LTS] Check string range in `ShapeSegment`
+Subject: Check string range in `ShapeSegment`
 
 crrev.com/c/5776342 fixed a range `CHECK` in
 `CollectFallbackHintChars`, but depends on the CSS and font

patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Gyuyoung Kim <qkim@google.com>
 Date: Tue, 1 Oct 2024 02:11:48 +0000
-Subject: [M126-LTS] Don't perform pseudo-element ident parsing on non-ASCII
+Subject: Don't perform pseudo-element ident parsing on non-ASCII
 
 ParsePseudoType crashes on ASAN when given non-ASCII characters,
 so returning early if those are present.

patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Koji Ishii <kojii@chromium.org>
 Date: Thu, 12 Sep 2024 05:51:00 +0000
-Subject: [M126-LTS] Fix a range `CHECK` for when it overflows
+Subject: Fix a range `CHECK` for when it overflows
 
 This patch fixes a `CHECK` for a range of a string when
 `offset + length` overflows the `unsigned`.

patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Hongchan Choi <hongchan@chromium.org>
 Date: Tue, 17 Sep 2024 17:04:42 +0000
-Subject: [M126-LTS] Protect automation_rate_ from non-deterministic change
+Subject: Protect automation_rate_ from non-deterministic change
 
 This CL fixes non-deterministic (racy) data change on
 AudioParamHandler::automation_rate_. It also revises incorrect logic

patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch

@@ -1,8 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Koji Ishii <kojii@chromium.org>
 Date: Thu, 12 Sep 2024 06:17:42 +0000
-Subject: [M126-LTS] Reland "Fix `StringView` to crash when `offset + length`
- overflows"
+Subject: Reland "Fix `StringView` to crash when `offset + length` overflows"
 
 This is a reland of commit ba40b993a6b700a2ad0fd092e141783fb1f60e70
 

patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch

@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Justin Lulejian <jlulejian@chromium.org>
+Date: Fri, 18 Oct 2024 21:34:12 +0000
+Subject: [M130][Extensions][ServiceWorker] Skip worker for isolated world
+ module fetch
+
+Before this change, an isolated world (e.g. extension content script,
+but also others) could dynamically import a script from an accessible
+resource (for extensions this is possible with web accessible
+resources and a matching site). When this occurs a web service worker
+could intercept that request and respond with arbitrary content.
+
+After this change, isolated world module requests skip triggering the
+worker fetch handler. This includes extension content scripts, but also
+includes any other scripts that execute in the isolated world context.
+
+(cherry picked from commit 2c501634c1191be1e509720103f06d51b94e6311)
+
+Bug: 371011220
+Change-Id: I37eda47324b6933a93d2a44792a06ff91399981f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5917013
+Auto-Submit: Justin Lulejian <jlulejian@chromium.org>
+Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
+Commit-Queue: Justin Lulejian <jlulejian@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1365918}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5940150
+Owners-Override: Daniel Yip <danielyip@google.com>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/6723@{#1432}
+Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
+
+diff --git a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+index b3d861555d8ecb4295c8f57414784a9b7f8e1745..fe2ac5f0d5157c735ed00cee6d2b330be6d9a9ca 100644
+--- a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
++++ b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+@@ -153,12 +153,20 @@ void ModuleScriptLoader::FetchInternal(
+   url_ = module_request.Url();
+ #endif
+ 
++  DOMWrapperWorld& request_world = modulator_->GetScriptState()->World();
++
++  // Prevents web service workers from intercepting isolated world dynamic
++  // script imports requests and responding with different contents.
++  // TODO(crbug.com/1296102): Link to documentation that describes the criteria
++  // where module imports are handled by service worker fetch handler.
++  resource_request.SetSkipServiceWorker(request_world.IsIsolatedWorld());
++
+   // <spec step="9">Set request 's destination to the result of running the
+   // fetch destination from module type steps given destination and
+   // moduleType.</spec>
+   SetFetchDestinationFromModuleType(resource_request, module_request);
+ 
+-  ResourceLoaderOptions options(&modulator_->GetScriptState()->World());
++  ResourceLoaderOptions options(&request_world);
+ 
+   // <spec step="11">Set request's initiator type to "script".</spec>
+   options.initiator_info.name = fetch_initiator_type_names::kScript;

patches/chromium/printing.patch

@@ -895,10 +895,10 @@ index e89fd87753bad3c5663fa53f8dcc4542e7e307e5..2b433a0705234af6f9808ee741a9795d
  
  base::FilePath GetCanonicalPath(const base::FilePath& path) {
 diff --git a/ui/gtk/gtk_util.cc b/ui/gtk/gtk_util.cc
-index d86fbcf969f2fa0d176ead903703ab612e5464c2..6b963ea8401d20e655d068a69105586814bab320 100644
+index 05f4d2b48a9a6f1f53c172720854a823d626d44c..adf13286a2d5d4b7f8e01e2ddc67e6fcc27afdf2 100644
 --- a/ui/gtk/gtk_util.cc
 +++ b/ui/gtk/gtk_util.cc
-@@ -227,9 +227,13 @@ aura::Window* GetAuraTransientParent(GtkWidget* dialog) {
+@@ -222,9 +222,13 @@ aura::Window* GetAuraTransientParent(GtkWidget* dialog) {
  }
  
  void ClearAuraTransientParent(GtkWidget* dialog, aura::Window* parent) {

patches/v8/.patches

@@ -13,3 +13,4 @@ m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch
 merged_heap_sandbox_update_ept_s_evacuation_entries_in_scavenger.patch
 merged_don_t_assume_all_turbofan_frames_are_javascript.patch
 merged_wasm_do_not_inline_wrappers_with_ref_extern_parameter.patch
+merged_wasm_fix_default_externref_exnref_reference.patch

patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch

@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Seth Brenith <seth.brenith@microsoft.com>
 Date: Tue, 6 Aug 2024 23:08:34 -0700
-Subject: [M126-LTS][compiler] Clear stale data for ZeroExtendsWord32ToWord64
+Subject: Clear stale data for ZeroExtendsWord32ToWord64
 
 The first call to ZeroExtendsWord32ToWord64 produces a correct result,
 but leaves some incorrect values in phi_states_. To avoid incorrect

patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch

@@ -1,8 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Thibaud Michaud <thibaudm@chromium.org>
 Date: Tue, 3 Sep 2024 11:50:45 +0200
-Subject: [M126-LTS][wasm] Don't catch uncatchable exceptions in the JSPI
- wrapper
+Subject: Don't catch uncatchable exceptions in the JSPI wrapper
 
 M126 merge issues:
   The HandleStackSwitch function doesn't exist in the LTS branch.

patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch

@@ -16,10 +16,10 @@ Cr-Branched-From: 64a21d7ad7fca1ddc73a9264132f703f35000b69-refs/heads/12.9.202@{
 Cr-Branched-From: da4200b2cfe6eb1ad73c457ed27cf5b7ff32614f-refs/heads/main@{#95679}
 
 diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc
-index c3db834a8b8a9f28d32860336347df169b808043..e26ac8b4cf14726a4d72c911a8bb8bc56bcb0486 100644
+index bf4d6b90626a6e8eb98913fb2e524c9e87dd6e3c..f16814a22242aff2134dcb7294d26f0eb34404ac 100644
 --- a/src/execution/isolate.cc
 +++ b/src/execution/isolate.cc
-@@ -2463,6 +2463,13 @@ HandlerTable::CatchPrediction PredictExceptionFromBytecode(
+@@ -2481,6 +2481,13 @@ HandlerTable::CatchPrediction PredictExceptionFromBytecode(
  
  HandlerTable::CatchPrediction PredictException(const FrameSummary& summary,
                                                 Isolate* isolate) {

patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thibaud Michaud <thibaudm@chromium.org>
+Date: Thu, 10 Oct 2024 18:54:04 +0200
+Subject: Merged: [wasm] Fix default externref/exnref reference
+
+- The default nullexternref should be null instead of undefined
+- The default exnref/nullexnref should be null instead of wasm_null
+
+(cherry picked from commit e7ccf0af1bdddd20dc58e1790a94739dba0209a3)
+
+Change-Id: I5b32e80f2eb59b29113232f9e2f59a8803915cb3
+Fixed: 372285204,372269618
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5937812
+Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
+Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
+Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
+Cr-Commit-Position: refs/branch-heads/13.0@{#35}
+Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
+Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
+
+diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
+index ae04f27efb30f2bf086bd4fe4bf9a3594c38c581..8bdc146c672416b05b07d8b6a1d2af1629428536 100644
+--- a/src/wasm/wasm-js.cc
++++ b/src/wasm/wasm-js.cc
+@@ -1303,9 +1303,12 @@ i::Handle<i::HeapObject> DefaultReferenceValue(i::Isolate* isolate,
+   DCHECK(type.is_object_reference());
+   // Use undefined for JS type (externref) but null for wasm types as wasm does
+   // not know undefined.
+-  if (type.heap_representation() == i::wasm::HeapType::kExtern ||
+-      type.heap_representation() == i::wasm::HeapType::kNoExtern) {
++  if (type.heap_representation() == i::wasm::HeapType::kExtern) {
+     return isolate->factory()->undefined_value();
++  } else if (type.heap_representation() == i::wasm::HeapType::kNoExtern ||
++             type.heap_representation() == i::wasm::HeapType::kExn ||
++             type.heap_representation() == i::wasm::HeapType::kNoExn) {
++    return isolate->factory()->null_value();
+   }
+   return isolate->factory()->wasm_null();
+ }