From 15f8a19c98ee75b3a12a5c56d185e22ab15684af Mon Sep 17 00:00:00 2001 From: Pedro Pontes Date: Thu, 31 Oct 2024 14:31:19 -0700 Subject: [PATCH] chore: cherry-pick 2 changes from 1-M130 (#44483) * chore: cherry-pick 2 changes from 1-M130 * chore: cherry-pick 1 change from 2-M130 --- patches/chromium/.patches | 1 + .../chromium/cherry-pick-c333ed995449.patch | 2 +- ...s_check_string_range_in_shapesegment.patch | 2 +- ...o-element_ident_parsing_on_non-ascii.patch | 2 +- ..._a_range_check_for_when_it_overflows.patch | 2 +- ...n_rate_from_non-deterministic_change.patch | 2 +- ...ringview_to_crash_when_offset_length.patch | 3 +- ...orker_skip_worker_for_isolated_world.patch | 57 +++++++++++++++++++ patches/chromium/printing.patch | 4 +- patches/v8/.patches | 1 + ...e_data_for_zeroextendsword32toword64.patch | 2 +- ...h_uncatchable_exceptions_in_the_jspi.patch | 3 +- ...e_all_turbofan_frames_are_javascript.patch | 4 +- ...x_default_externref_exnref_reference.patch | 39 +++++++++++++ 14 files changed, 110 insertions(+), 14 deletions(-) create mode 100644 patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch create mode 100644 patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch diff --git a/patches/chromium/.patches b/patches/chromium/.patches index d0a3c12d21b..03f1c336af1 100644 --- a/patches/chromium/.patches +++ b/patches/chromium/.patches @@ -140,3 +140,4 @@ m126-lts_check_string_range_in_shapesegment.patch m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch m126-lts_protect_automation_rate_from_non-deterministic_change.patch m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch +m130_extensions_serviceworker_skip_worker_for_isolated_world.patch diff --git a/patches/chromium/cherry-pick-c333ed995449.patch b/patches/chromium/cherry-pick-c333ed995449.patch index 4b71853952b..caf180f8b60 100644 --- a/patches/chromium/cherry-pick-c333ed995449.patch 
+++ b/patches/chromium/cherry-pick-c333ed995449.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Ken Rockot Date: Mon, 30 Sep 2024 06:33:13 +0000 -Subject: [M128] ipcz: Validate link state fragment before adoption +Subject: ipcz: Validate link state fragment before adoption (cherry picked from commit c333ed99544992f66e6e03621fa938d75ad01f70) diff --git a/patches/chromium/m126-lts_check_string_range_in_shapesegment.patch b/patches/chromium/m126-lts_check_string_range_in_shapesegment.patch index 428a3b58f8d..6a10c9f1710 100644 --- a/patches/chromium/m126-lts_check_string_range_in_shapesegment.patch +++ b/patches/chromium/m126-lts_check_string_range_in_shapesegment.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Koji Ishii Date: Thu, 12 Sep 2024 06:00:02 +0000 -Subject: [M126-LTS] Check string range in `ShapeSegment` +Subject: Check string range in `ShapeSegment` crrev.com/c/5776342 fixed a range `CHECK` in `CollectFallbackHintChars`, but depends on the CSS and font diff --git a/patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch b/patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch index b000da8c2f2..928df83a428 100644 --- a/patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch +++ b/patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Gyuyoung Kim Date: Tue, 1 Oct 2024 02:11:48 +0000 -Subject: [M126-LTS] Don't perform pseudo-element ident parsing on non-ASCII +Subject: Don't perform pseudo-element ident parsing on non-ASCII ParsePseudoType crashes on ASAN when given non-ASCII characters, so returning early if those are present. 
diff --git a/patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch b/patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch index 5bf38dfe2c6..0e966f34423 100644 --- a/patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch +++ b/patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Koji Ishii Date: Thu, 12 Sep 2024 05:51:00 +0000 -Subject: [M126-LTS] Fix a range `CHECK` for when it overflows +Subject: Fix a range `CHECK` for when it overflows This patch fixes a `CHECK` for a range of a string when `offset + length` overflows the `unsigned`. diff --git a/patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch b/patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch index ba04d4a1e89..09bf123f3bf 100644 --- a/patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch +++ b/patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Hongchan Choi Date: Tue, 17 Sep 2024 17:04:42 +0000 -Subject: [M126-LTS] Protect automation_rate_ from non-deterministic change +Subject: Protect automation_rate_ from non-deterministic change This CL fixes non-deterministic (racy) data change on AudioParamHandler::automation_rate_. It also revises incorrect logic diff --git a/patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch b/patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch index ef10ada4164..80cda93aa30 100644 --- a/patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch +++ b/patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch @@ -1,8 +1,7 @@ 
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Koji Ishii Date: Thu, 12 Sep 2024 06:17:42 +0000 -Subject: [M126-LTS] Reland "Fix `StringView` to crash when `offset + length` - overflows" +Subject: Reland "Fix `StringView` to crash when `offset + length` overflows" This is a reland of commit ba40b993a6b700a2ad0fd092e141783fb1f60e70 diff --git a/patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch b/patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch new file mode 100644 index 00000000000..92c4ea1a445 --- /dev/null +++ b/patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch 
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Justin Lulejian
+Date: Fri, 18 Oct 2024 21:34:12 +0000
+Subject: [M130][Extensions][ServiceWorker] Skip worker for isolated world
+ module fetch
+
+Before this change, an isolated world (e.g. extension content script,
+but also others) could dynamically import a script from an accessible
+resource (for extensions this is possible with web accessible
+resources and a matching site). When this occurs a web service worker
+could intercept that request and respond with arbitrary content.
+
+After this change, isolated world module requests skip triggering the
+worker fetch handler. This includes extension content scripts, but also
+includes any other scripts that execute in the isolated world context.
+
+(cherry picked from commit 2c501634c1191be1e509720103f06d51b94e6311)
+
+Bug: 371011220
+Change-Id: I37eda47324b6933a93d2a44792a06ff91399981f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5917013
+Auto-Submit: Justin Lulejian
+Reviewed-by: Hiroshige Hayashizaki
+Commit-Queue: Justin Lulejian
+Cr-Original-Commit-Position: refs/heads/main@{#1365918}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5940150
+Owners-Override: Daniel Yip
+Bot-Commit: Rubber Stamper
+Cr-Commit-Position: refs/branch-heads/6723@{#1432}
+Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
+
+diff --git a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+index b3d861555d8ecb4295c8f57414784a9b7f8e1745..fe2ac5f0d5157c735ed00cee6d2b330be6d9a9ca 100644
+--- a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
++++ b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+@@ -153,12 +153,20 @@ void ModuleScriptLoader::FetchInternal(
+ url_ = module_request.Url();
+ #endif
+
++ 
DOMWrapperWorld& request_world = modulator_->GetScriptState()->World(); ++ ++ // Prevents web service workers from intercepting isolated world dynamic ++ // script imports requests and responding with different contents. ++ // TODO(crbug.com/1296102): Link to documentation that describes the criteria ++ // where module imports are handled by service worker fetch handler. ++ resource_request.SetSkipServiceWorker(request_world.IsIsolatedWorld()); ++ + // Set request 's destination to the result of running the + // fetch destination from module type steps given destination and + // moduleType. + SetFetchDestinationFromModuleType(resource_request, module_request); + +- ResourceLoaderOptions options(&modulator_->GetScriptState()->World()); ++ ResourceLoaderOptions options(&request_world); + + // Set request's initiator type to "script". + options.initiator_info.name = fetch_initiator_type_names::kScript; diff --git a/patches/chromium/printing.patch b/patches/chromium/printing.patch index 836e21b6960..761a6687915 100644 --- a/patches/chromium/printing.patch +++ b/patches/chromium/printing.patch @@ -895,10 +895,10 @@ index e89fd87753bad3c5663fa53f8dcc4542e7e307e5..2b433a0705234af6f9808ee741a9795d base::FilePath GetCanonicalPath(const base::FilePath& path) { diff --git a/ui/gtk/gtk_util.cc b/ui/gtk/gtk_util.cc -index d86fbcf969f2fa0d176ead903703ab612e5464c2..6b963ea8401d20e655d068a69105586814bab320 100644 +index 05f4d2b48a9a6f1f53c172720854a823d626d44c..adf13286a2d5d4b7f8e01e2ddc67e6fcc27afdf2 100644 --- a/ui/gtk/gtk_util.cc +++ b/ui/gtk/gtk_util.cc -@@ -227,9 +227,13 @@ aura::Window* GetAuraTransientParent(GtkWidget* dialog) { +@@ -222,9 +222,13 @@ aura::Window* GetAuraTransientParent(GtkWidget* dialog) { } void ClearAuraTransientParent(GtkWidget* dialog, aura::Window* parent) { diff --git a/patches/v8/.patches b/patches/v8/.patches index 9c2768ca57f..e47dbd4269a 100644 --- a/patches/v8/.patches +++ b/patches/v8/.patches 
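Review bot: `resource_request.SetSkipServiceWorker(request_world.IsIsolatedWorld());` assigns the flag for every request, so a main-world module fetch has skip-service-worker forced back to false even if an earlier step of FetchInternal had set it for some other reason; the change only needs to add a restriction, so `if (request_world.IsIsolatedWorld()) resource_request.SetSkipServiceWorker(true);` would avoid clobbering prior state. I cannot see from the hunk whether anything earlier in FetchInternal touches that flag, so this is a question rather than a confirmed defect, and FetchInternal's body begins and ends outside the hunk. The new comment could also state the protective property in one line, e.g. `// Isolated-world (e.g. content script) module requests bypass any page-controlled service worker so its fetch handler cannot observe or substitute the module body.`, since "responding with different contents" undersells why this matters. As this patch file mirrors an upstream cherry-pick, both points belong in an upstream follow-up rather than a local edit of the patch.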
@@ -13,3 +13,4 @@ m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch merged_heap_sandbox_update_ept_s_evacuation_entries_in_scavenger.patch merged_don_t_assume_all_turbofan_frames_are_javascript.patch merged_wasm_do_not_inline_wrappers_with_ref_extern_parameter.patch +merged_wasm_fix_default_externref_exnref_reference.patch diff --git a/patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch b/patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch index a1934fbc390..734e74400e0 100644 --- a/patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch +++ b/patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Seth Brenith Date: Tue, 6 Aug 2024 23:08:34 -0700 -Subject: [M126-LTS][compiler] Clear stale data for ZeroExtendsWord32ToWord64 +Subject: Clear stale data for ZeroExtendsWord32ToWord64 The first call to ZeroExtendsWord32ToWord64 produces a correct result, but leaves some incorrect values in phi_states_. To avoid incorrect diff --git a/patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch b/patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch index adea1ed0b8d..82cd59a5936 100644 --- a/patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch +++ b/patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch @@ -1,8 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Thibaud Michaud Date: Tue, 3 Sep 2024 11:50:45 +0200 -Subject: [M126-LTS][wasm] Don't catch uncatchable exceptions in the JSPI - wrapper +Subject: Don't catch uncatchable exceptions in the JSPI wrapper M126 merge issues: The HandleStackSwitch function doesn't exist in the LTS branch. 
diff --git a/patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch b/patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch index 0673053ff1d..31111815ac3 100644 --- a/patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch +++ b/patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch @@ -16,10 +16,10 @@ Cr-Branched-From: 64a21d7ad7fca1ddc73a9264132f703f35000b69-refs/heads/12.9.202@{ Cr-Branched-From: da4200b2cfe6eb1ad73c457ed27cf5b7ff32614f-refs/heads/main@{#95679} diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc -index c3db834a8b8a9f28d32860336347df169b808043..e26ac8b4cf14726a4d72c911a8bb8bc56bcb0486 100644 +index bf4d6b90626a6e8eb98913fb2e524c9e87dd6e3c..f16814a22242aff2134dcb7294d26f0eb34404ac 100644 --- a/src/execution/isolate.cc +++ b/src/execution/isolate.cc -@@ -2463,6 +2463,13 @@ HandlerTable::CatchPrediction PredictExceptionFromBytecode( +@@ -2481,6 +2481,13 @@ HandlerTable::CatchPrediction PredictExceptionFromBytecode( HandlerTable::CatchPrediction PredictException(const FrameSummary& summary, Isolate* isolate) { diff --git a/patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch b/patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch new file mode 100644 index 00000000000..07b53080dfc --- /dev/null +++ b/patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch 
@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Thibaud Michaud
+Date: Thu, 10 Oct 2024 18:54:04 +0200
+Subject: Merged: [wasm] Fix default externref/exnref reference
+
+- The default nullexternref should be null instead of undefined
+- The default exnref/nullexnref should be null instead of wasm_null
+
+(cherry picked from commit e7ccf0af1bdddd20dc58e1790a94739dba0209a3)
+
+Change-Id: I5b32e80f2eb59b29113232f9e2f59a8803915cb3
+Fixed: 372285204,372269618
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5937812
+Reviewed-by: Thibaud Michaud
+Auto-Submit: Matthias Liedtke
+Commit-Queue: Thibaud Michaud
+Cr-Commit-Position: refs/branch-heads/13.0@{#35}
+Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
+Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
+
+diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
+index ae04f27efb30f2bf086bd4fe4bf9a3594c38c581..8bdc146c672416b05b07d8b6a1d2af1629428536 100644
+--- a/src/wasm/wasm-js.cc
++++ b/src/wasm/wasm-js.cc
+@@ -1303,9 +1303,12 @@ i::Handle DefaultReferenceValue(i::Isolate* isolate,
+ DCHECK(type.is_object_reference());
+ // Use undefined for JS type (externref) but null for wasm types as wasm does
+ // not know undefined.
+- if (type.heap_representation() == i::wasm::HeapType::kExtern ||
+- type.heap_representation() == i::wasm::HeapType::kNoExtern) {
++ if (type.heap_representation() == i::wasm::HeapType::kExtern) {
+ return isolate->factory()->undefined_value();
++ } else if (type.heap_representation() == i::wasm::HeapType::kNoExtern ||
++ type.heap_representation() == i::wasm::HeapType::kExn ||
++ type.heap_representation() == i::wasm::HeapType::kNoExn) {
++ return isolate->factory()->null_value();
+ }
+ return isolate->factory()->wasm_null();
+ }
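Review bot: The context comment left above the rewritten condition, `// Use undefined for JS type (externref) but null for wasm types as wasm does not know undefined.`, no longer matches the code: only kExtern now yields undefined, while kNoExtern, kExn and kNoExn return JS null and everything else returns wasm_null. Replace it with `// externref defaults to undefined; nullexternref, exnref and nullexnref default to JS null; all other wasm reference types default to wasm_null.` so the three-way split is documented where it is read. As a point of style, `type.heap_representation()` is now called four times in a row; a local `const auto rep = type.heap_representation();` (or a switch on it) would keep each branch on one line. The DefaultReferenceValue signature sits in the hunk header, so its parameter list begins outside the hunk; since this file is a merged upstream cherry-pick, the comment fix is best sent upstream rather than applied to the patch file.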