chore: cherry-pick 3 changes from 0-M132 (#45220)

chore: [32-x-y] cherry-pick 2 changes from 0-M132

* 3c2d220ad025 from v8
* 35f86d6a0a03 from chromium
Pedro Pontes 2025-01-16 21:19:08 +00:00 committed by GitHub
parent 2e35a065ba
commit b84dedbc70
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 1559 additions and 55 deletions


@ -145,3 +145,4 @@ wayland_support_outgoing_dnd_sessions_with_no_offered_mime_types.patch
cherry-pick-3a6ff45cc3f4.patch
cherry-pick-a51e7ebb7663.patch
cherry-pick-f3300abe2fcd.patch
remove_persistentmemoryallocator_getallocsize.patch


@ -1,7 +1,7 @@
From 3a6ff45cc3f48a359772f81c512c512b4f2d2643 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stefan Zager <szager@chromium.org>
Date: Sat, 14 Dec 2024 11:06:00 -0800
Subject: [PATCH] [M130] Prevent ImageData from being reclaimed while in use
Subject: Prevent ImageData from being reclaimed while in use
Cherry-picked from:
https://chromium-review.googlesource.com/c/chromium/src/+/5990752
@ -14,13 +14,12 @@ Owners-Override: Prudhvikumar Bommana <pbommana@google.com>
Commit-Queue: Prudhvikumar Bommana <pbommana@google.com>
Cr-Commit-Position: refs/branch-heads/6723@{#2713}
Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
---
diff --git a/cc/tiles/gpu_image_decode_cache.cc b/cc/tiles/gpu_image_decode_cache.cc
index df1d24b..39fa3ff 100644
index 39f0a6e1ad2da6056a702ac2e920a0adb5d153f1..d9b8130af2b2830903cf1b9d91e3f8c1ccaff3dd 100644
--- a/cc/tiles/gpu_image_decode_cache.cc
+++ b/cc/tiles/gpu_image_decode_cache.cc
@@ -2401,6 +2401,9 @@
@@ -2398,6 +2398,9 @@ void GpuImageDecodeCache::DecodeImageIfNecessary(
image_data->decode.ResetData();
@ -30,7 +29,7 @@ index df1d24b..39fa3ff 100644
// Decode the image into `aux_image_data` while the lock is not held.
DecodedAuxImageData aux_image_data[kAuxImageCount];
{
@@ -2728,6 +2731,9 @@
@@ -2725,6 +2728,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_YUVA(
sk_sp<SkImage> uploaded_v_image =
image_data->decode.image(2, AuxImage::kDefault);
@ -40,7 +39,7 @@ index df1d24b..39fa3ff 100644
// For kGpu, we upload and color convert (if necessary).
if (image_data->mode == DecodedDataMode::kGpu) {
DCHECK(!use_transfer_cache_);
@@ -2815,6 +2821,9 @@
@@ -2812,6 +2818,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_RGBA(
DCHECK(!use_transfer_cache_);
DCHECK(!image_data->info.yuva.has_value());


@ -1,7 +1,7 @@
From a51e7ebb7663b40ed070e91669f69c64fb9179d9 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Guido Urdaneta <guidou@chromium.org>
Date: Wed, 18 Dec 2024 15:21:59 -0800
Subject: [PATCH] [M126-LTS][VideoCaptureManager] Replace raw pointers with scoped_refptr
Subject: Replace raw pointers with scoped_refptr
VCM used VideoCaptureController raw pointers in a number of places,
including as a field in VCM::CaptureDeviceStartRequest.
@ -22,10 +22,9 @@ Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Commit-Queue: Gyuyoung Kim (xWF) <qkim@google.com>
Cr-Commit-Position: refs/branch-heads/6478@{#2009}
Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
---
diff --git a/content/browser/renderer_host/media/video_capture_manager.cc b/content/browser/renderer_host/media/video_capture_manager.cc
index 3db89a04..11b6caf 100644
index 4e3ccc0050d63466d7dcbd221c4f580939668ce0..fbc168cfd26d53711dd16f337287110a548a2215 100644
--- a/content/browser/renderer_host/media/video_capture_manager.cc
+++ b/content/browser/renderer_host/media/video_capture_manager.cc
@@ -15,6 +15,7 @@
@ -36,7 +35,7 @@ index 3db89a04..11b6caf 100644
#include "base/metrics/histogram_functions.h"
#include "base/observer_list.h"
#include "base/ranges/algorithm.h"
@@ -61,12 +62,14 @@
@@ -61,12 +62,14 @@ namespace content {
class VideoCaptureManager::CaptureDeviceStartRequest {
public:
CaptureDeviceStartRequest(
@ -53,7 +52,7 @@ index 3db89a04..11b6caf 100644
const base::UnguessableToken& session_id() const { return session_id_; }
media::VideoCaptureParams params() const { return params_; }
@@ -76,7 +79,7 @@
@@ -76,7 +79,7 @@ class VideoCaptureManager::CaptureDeviceStartRequest {
}
private:
@ -62,7 +61,7 @@ index 3db89a04..11b6caf 100644
const base::UnguessableToken session_id_;
const media::VideoCaptureParams params_;
mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
@@ -84,12 +87,12 @@
@@ -84,12 +87,12 @@ class VideoCaptureManager::CaptureDeviceStartRequest {
};
VideoCaptureManager::CaptureDeviceStartRequest::CaptureDeviceStartRequest(
@ -77,7 +76,7 @@ index 3db89a04..11b6caf 100644
session_id_(session_id),
params_(params),
video_effects_processor_(std::move(video_effects_processor)) {}
@@ -258,14 +261,15 @@
@@ -258,14 +261,15 @@ void VideoCaptureManager::ApplySubCaptureTarget(
void VideoCaptureManager::QueueStartDevice(
const media::VideoCaptureSessionId& session_id,
@ -96,7 +95,7 @@ index 3db89a04..11b6caf 100644
if (device_start_request_queue_.size() == 1)
ProcessDeviceStartRequestQueue();
}
@@ -311,7 +315,8 @@
@@ -311,7 +315,8 @@ void VideoCaptureManager::ProcessDeviceStartRequestQueue() {
if (request == device_start_request_queue_.end())
return;
@ -106,7 +105,7 @@ index 3db89a04..11b6caf 100644
EmitLogMessage("VideoCaptureManager::ProcessDeviceStartRequestQueue", 3);
// The unit test VideoCaptureManagerTest.OpenNotExisting requires us to fail
@@ -329,7 +334,7 @@
@@ -329,7 +334,7 @@ void VideoCaptureManager::ProcessDeviceStartRequestQueue() {
GetDeviceInfoById(controller->device_id());
if (!device_info) {
OnDeviceLaunchFailed(
@ -115,7 +114,7 @@ index 3db89a04..11b6caf 100644
media::VideoCaptureError::
kVideoCaptureManagerProcessDeviceStartQueueDeviceInfoNotFound);
return;
@@ -350,7 +355,7 @@
@@ -350,7 +355,7 @@ void VideoCaptureManager::ProcessDeviceStartRequestQueue() {
base::BindOnce([](scoped_refptr<VideoCaptureManager>,
scoped_refptr<VideoCaptureController>) {},
scoped_refptr<VideoCaptureManager>(this),
@ -124,7 +123,7 @@ index 3db89a04..11b6caf 100644
request->TakeVideoEffectsProcessor());
}
@@ -434,7 +439,7 @@
@@ -434,7 +439,7 @@ void VideoCaptureManager::ConnectClient(
EmitLogMessage(string_stream.str(), 1);
}
@ -133,7 +132,7 @@ index 3db89a04..11b6caf 100644
GetOrCreateController(session_id, params);
if (!controller) {
std::move(done_cb).Run(nullptr);
@@ -908,7 +913,8 @@
@@ -908,7 +913,8 @@ media::VideoCaptureDeviceInfo* VideoCaptureManager::GetDeviceInfoById(
return nullptr;
}
@ -143,7 +142,7 @@ index 3db89a04..11b6caf 100644
const media::VideoCaptureSessionId& capture_session_id,
const media::VideoCaptureParams& params) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
@@ -930,10 +936,12 @@
@@ -930,10 +936,12 @@ VideoCaptureController* VideoCaptureManager::GetOrCreateController(
return existing_device;
}
@ -161,10 +160,10 @@ index 3db89a04..11b6caf 100644
}
diff --git a/content/browser/renderer_host/media/video_capture_manager.h b/content/browser/renderer_host/media/video_capture_manager.h
index a93c6bb..b88052a4 100644
index a93c6bbb9677113402831378a4d9fa38e04408e2..b88052a4e9f52c0e969e068b8af3bbe2c7fb2d49 100644
--- a/content/browser/renderer_host/media/video_capture_manager.h
+++ b/content/browser/renderer_host/media/video_capture_manager.h
@@ -297,7 +297,7 @@
@@ -297,7 +297,7 @@ class CONTENT_EXPORT VideoCaptureManager
// Finds a VideoCaptureController for the indicated |capture_session_id|,
// creating a fresh one if necessary. Returns nullptr if said
// |capture_session_id| is invalid.
@ -173,7 +172,7 @@ index a93c6bb..b88052a4 100644
const media::VideoCaptureSessionId& capture_session_id,
const media::VideoCaptureParams& params);
@@ -309,7 +309,7 @@
@@ -309,7 +309,7 @@ class CONTENT_EXPORT VideoCaptureManager
// another request pending start.
void QueueStartDevice(
const media::VideoCaptureSessionId& session_id,


@ -1,7 +1,7 @@
From f3300abe2fcd0164794d7a782cc221d10c17f322 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Date: Mon, 06 Jan 2025 05:34:49 -0800
Subject: [PATCH] [M130] Make AcceptLanguagesWatcher a weak persistent object
Date: Mon, 6 Jan 2025 05:34:49 -0800
Subject: Make AcceptLanguagesWatcher a weak persistent object
DedicatedWorkerOrSharedWorkerFetchContext keeps on having a pointer
to the AcceptLanguagesWatcher as a raw_ptr. Even if the implementing
@ -28,13 +28,12 @@ Auto-Submit: Daniel Yip <danielyip@google.com>
Owners-Override: Daniel Yip <danielyip@google.com>
Cr-Commit-Position: refs/branch-heads/6723@{#2761}
Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
---
diff --git a/third_party/blink/public/platform/web_worker_fetch_context.h b/third_party/blink/public/platform/web_worker_fetch_context.h
index 6f2a2e9..cf8bfce4 100644
index 83f6773cf4d8542d042b74697e36aa2ea3329bbf..c41e1aa452994a66c58e40c8e936134dd6375071 100644
--- a/third_party/blink/public/platform/web_worker_fetch_context.h
+++ b/third_party/blink/public/platform/web_worker_fetch_context.h
@@ -33,19 +33,12 @@
@@ -33,19 +33,12 @@ class SiteForCookies;
namespace blink {
@ -56,10 +55,10 @@ index 6f2a2e9..cf8bfce4 100644
// passed to a worker (dedicated, shared and service worker) and initialized on
// the worker thread by InitializeOnWorkerThread(). It contains information
diff --git a/third_party/blink/renderer/core/workers/worker_navigator.cc b/third_party/blink/renderer/core/workers/worker_navigator.cc
index 344382b..a4159a4 100644
index 344382b6f661b4cb8b0d78b070bc0d5c603d28f8..a4159a402ed48f2df233bfc1115e4b0438e1aaaf 100644
--- a/third_party/blink/renderer/core/workers/worker_navigator.cc
+++ b/third_party/blink/renderer/core/workers/worker_navigator.cc
@@ -61,4 +61,9 @@
@@ -61,4 +61,9 @@ void WorkerNavigator::NotifyUpdate() {
*Event::Create(event_type_names::kLanguagechange));
}
@ -70,7 +69,7 @@ index 344382b..a4159a4 100644
+
} // namespace blink
diff --git a/third_party/blink/renderer/core/workers/worker_navigator.h b/third_party/blink/renderer/core/workers/worker_navigator.h
index ea07a96..ab622f8e 100644
index ea07a96390fbcf06853d80b7b20cf50128494e9a..ab622f8ebc6a5f68ceb9f867876b6bf696d3fc30 100644
--- a/third_party/blink/renderer/core/workers/worker_navigator.h
+++ b/third_party/blink/renderer/core/workers/worker_navigator.h
@@ -29,6 +29,7 @@
@ -81,7 +80,7 @@ index ea07a96..ab622f8e 100644
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
namespace blink {
@@ -46,6 +47,9 @@
@@ -46,6 +47,9 @@ class CORE_EXPORT WorkerNavigator final : public NavigatorBase,
// AcceptLanguagesWatcher override
void NotifyUpdate() override;
@ -92,7 +91,7 @@ index ea07a96..ab622f8e 100644
} // namespace blink
diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
index 0815877..4930962 100644
index 585c6ab98495f168cc731afcdc2137156a32c0b4..cac6af5b89fee1c23c6f56ce0aeee4376647cf6e 100644
--- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
+++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
@@ -18,6 +18,7 @@
@ -103,7 +102,7 @@ index 0815877..4930962 100644
#include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
#include "third_party/blink/renderer/platform/loader/internet_disconnected_url_loader.h"
@@ -226,9 +227,12 @@
@@ -226,9 +227,12 @@ void WebServiceWorkerFetchContextImpl::UpdateSubresourceLoaderFactories(
void WebServiceWorkerFetchContextImpl::NotifyUpdate(
const RendererPreferences& new_prefs) {
@ -120,7 +119,7 @@ index 0815877..4930962 100644
}
diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
index a7c897de..c2f1c9d 100644
index c59acba074327eb609ae40c069873272a3aa0e71..dad815728a335e5e0de77b95f0dcae871fb6a9ce 100644
--- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
+++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
@@ -6,16 +6,16 @@
@ -142,7 +141,7 @@ index a7c897de..c2f1c9d 100644
#include "third_party/blink/renderer/platform/weborigin/kurl.h"
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
#include "third_party/blink/renderer/platform/wtf/vector.h"
@@ -135,7 +135,7 @@
@@ -135,7 +135,7 @@ class BLINK_EXPORT WebServiceWorkerFetchContextImpl final
// This is owned by ThreadedMessagingProxyBase on the main thread.
raw_ptr<base::WaitableEvent> terminate_sync_load_event_ = nullptr;
@ -152,10 +151,10 @@ index a7c897de..c2f1c9d 100644
Vector<String> cors_exempt_header_list_;
bool is_offline_mode_ = false;
diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
index 5b8e391..12da20f 100644
index ab2baebf60fe9bdf9502e404c99dd8ddac79c24e..fc64a15df563830e495f3589823116c18f3ebc8c 100644
--- a/third_party/blink/renderer/platform/BUILD.gn
+++ b/third_party/blink/renderer/platform/BUILD.gn
@@ -341,6 +341,7 @@
@@ -335,6 +335,7 @@ component("platform") {
output_name = "blink_platform"
sources = [
@ -165,7 +164,7 @@ index 5b8e391..12da20f 100644
"animation/compositor_animation.cc",
diff --git a/third_party/blink/renderer/platform/accept_languages_watcher.h b/third_party/blink/renderer/platform/accept_languages_watcher.h
new file mode 100644
index 0000000..7fd5de07f
index 0000000000000000000000000000000000000000..7fd5de07fb26863deab3f921f678f0628f496f2d
--- /dev/null
+++ b/third_party/blink/renderer/platform/accept_languages_watcher.h
@@ -0,0 +1,22 @@
@ -192,10 +191,10 @@ index 0000000..7fd5de07f
+
+#endif // THIRD_PARTY_BLINK_RENDERER_PLATFORM_ACCEPT_LANGUAGES_WATCHER_H_
diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
index c8a92c06..7886b02 100644
index c8a92c0641ddbe972239acbc44593058ddea7159..7886b02241bd44edfeea7a5af7a0d8dd545308f3 100644
--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
@@ -28,4 +28,7 @@
@@ -28,4 +28,7 @@ specific_include_rules = {
"web_url_loader_unittest.cc": [
"+net/test/cert_test_util.h"
],
@ -204,7 +203,7 @@ index c8a92c06..7886b02 100644
+ ],
}
diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
index cc1954f6..c9f96ff 100644
index 723e6fb730bab1571e87dd2544104e1a80e463c4..17df81491e20181d6b2ea57397e63459ba3f75ea 100644
--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
@@ -28,6 +28,7 @@
@ -215,7 +214,7 @@ index cc1954f6..c9f96ff 100644
#include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader.h"
#include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
#include "url/url_constants.h"
@@ -605,9 +606,13 @@
@@ -600,9 +601,13 @@ void DedicatedOrSharedWorkerFetchContextImpl::UpdateSubresourceLoaderFactories(
void DedicatedOrSharedWorkerFetchContextImpl::NotifyUpdate(
const RendererPreferences& new_prefs) {
@ -233,7 +232,7 @@ index cc1954f6..c9f96ff 100644
for (auto& watcher : child_preference_watchers_)
watcher->NotifyUpdate(new_prefs);
diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
index b95a25fe..d0387cf 100644
index 113e65b3154981dd16f0e8839ad8dc9add33d392..33814865741bd0d1e2b73142f384f7024e119ca6 100644
--- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
+++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
@@ -23,6 +23,7 @@
@ -244,7 +243,7 @@ index b95a25fe..d0387cf 100644
#include "third_party/blink/renderer/platform/wtf/casting.h"
#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
#include "third_party/blink/renderer/platform/wtf/vector.h"
@@ -301,7 +302,7 @@
@@ -300,7 +301,7 @@ class BLINK_PLATFORM_EXPORT DedicatedOrSharedWorkerFetchContextImpl final
std::unique_ptr<WeakWrapperResourceLoadInfoNotifier>
weak_wrapper_resource_load_info_notifier_;

File diff suppressed because it is too large Load diff


@ -1 +1,2 @@
sksl_rp_prevent_overflow_when_computing_slot_allocation_size.patch
ganesh_avoid_overflow_when_combining_aahairlineops.patch


@ -0,0 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Godfrey-Kittle <jamesgk@google.com>
Date: Tue, 17 Dec 2024 12:14:17 -0500
Subject: [ganesh] Avoid overflow when combining AAHairlineOps
Bug: b/382786791
Change-Id: I955d943015cce76f75221df9fab0897a6f22fe4b
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/930577
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: James Godfrey-Kittle <jamesgk@google.com>
(cherry picked from commit 8b030e47588af50f56ef380d81a17667baeb582b)
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/935337
Reviewed-by: James Godfrey-Kittle <jamesgk@google.com>
Auto-Submit: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: Michael Ludwig <michaelludwig@google.com>
diff --git a/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp b/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
index dd37a8ff200a70465669720d06e13bbc0ff389f0..570eeb8faad6e86908d957320dab0876c64a473b 100644
--- a/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
+++ b/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
@@ -10,6 +10,7 @@
#include "include/core/SkPoint3.h"
#include "include/private/base/SkFloatingPoint.h"
#include "include/private/base/SkTemplates.h"
+#include "src/base/SkSafeMath.h"
#include "src/core/SkGeometry.h"
#include "src/core/SkMatrixPriv.h"
#include "src/core/SkPointPriv.h"
@@ -1179,16 +1180,28 @@ void AAHairlineOp::onPrepareDraws(GrMeshDrawTarget* target) {
int instanceCount = fPaths.size();
bool convertConicsToQuads = !target->caps().shaderCaps()->fFloatIs32Bits;
- for (int i = 0; i < instanceCount; i++) {
+ SkSafeMath safeMath;
+ for (int i = 0; i < instanceCount && safeMath.ok(); i++) {
const PathData& args = fPaths[i];
- quadCount += gather_lines_and_quads(args.fPath, args.fViewMatrix, args.fDevClipBounds,
- args.fCapLength, convertConicsToQuads, &lines, &quads,
- &conics, &qSubdivs, &cWeights);
+ quadCount = safeMath.addInt(quadCount,
+ gather_lines_and_quads(args.fPath,
+ args.fViewMatrix,
+ args.fDevClipBounds,
+ args.fCapLength,
+ convertConicsToQuads,
+ &lines,
+ &quads,
+ &conics,
+ &qSubdivs,
+ &cWeights));
}
int lineCount = lines.size() / 2;
int conicCount = conics.size() / 3;
- int quadAndConicCount = conicCount + quadCount;
+ int quadAndConicCount = safeMath.addInt(conicCount, quadCount);
+ if (!safeMath.ok()) {
+ return;
+ }
static constexpr int kMaxLines = SK_MaxS32 / kLineSegNumVertices;
static constexpr int kMaxQuadsAndConics = SK_MaxS32 / kQuadNumVertices;
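Review bot: The new `if (!safeMath.ok()) { return; }` in AAHairlineOp::onPrepareDraws drops the whole combined op with no comment, assert or log, so a reader cannot tell that skipping the draw is the intended outcome of an overflowed count. The loop also stops at the first overflow and leaves `lines`, `quads` and `conics` only partly gathered, which is safe only because of that return; the two are easier to keep together if the check sits directly after the loop, before `lineCount` and `conicCount` are derived. I would add a comment on the bail-out such as `// Quad/conic total overflowed int: draw nothing rather than continue with a wrapped count.` The function continues past the end of this hunk, so how the `kMaxLines` / `kMaxQuadsAndConics` limits are enforced afterwards is not visible here.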


@ -11,4 +11,5 @@ cherry-pick-aad648bd2af9.patch
cherry-pick-cb0d9e1d7b88.patch
merged_wasm_arm_tail-call_free_scratch_register_earlier.patch
merged_turboshaft_wasm_wasmgctypeanalyzer_fix_phi_input_for.patch
merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
merged_interpreter_fix_hole_elision_scope_for_switch_jump_tables.patch


@ -1,7 +1,10 @@
From aad648bd2af9815d0c48eeb78cbf3d8e6471d094 Mon Sep 17 00:00:00 2001
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Darius Mercadier <dmercadier@chromium.org>
Date: Thu, 05 Dec 2024 16:03:33 +0100
Subject: [PATCH] Merged: [maglev] Avoid retagging loop phi backedges too early
Date: Thu, 5 Dec 2024 16:03:33 +0100
Subject: Merged: [maglev] Avoid retagging loop phi backedges too early
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When we decide that a loop phi should remain tagged, we call
EnsurePhiInputsTagged to ensures that it only has tagged inputs, which
@ -32,13 +35,12 @@ Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/branch-heads/13.0@{#41}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
---
diff --git a/src/maglev/maglev-phi-representation-selector.cc b/src/maglev/maglev-phi-representation-selector.cc
index c03974e..b4d913d 100644
index 21952ebd08986033ff151f1ddda5904291985025..65864341c1fe582e44c1c6babd716ef38dbd559f 100644
--- a/src/maglev/maglev-phi-representation-selector.cc
+++ b/src/maglev/maglev-phi-representation-selector.cc
@@ -334,7 +334,8 @@
@@ -329,7 +329,8 @@ void MaglevPhiRepresentationSelector::EnsurePhiInputsTagged(Phi* phi) {
// should be tagged. We'll thus insert tagging operation on the untagged phi
// inputs of {phi}.
@ -50,7 +52,7 @@ index c03974e..b4d913d 100644
phi->change_input(i, EnsurePhiTagged(phi_input, phi->predecessor_at(i),
diff --git a/test/mjsunit/maglev/regress-382190919.js b/test/mjsunit/maglev/regress-382190919.js
new file mode 100644
index 0000000..773f442
index 0000000000000000000000000000000000000000..773f442cb98b914328cdd6e24a8eca1ef6d8a9d6
--- /dev/null
+++ b/test/mjsunit/maglev/regress-382190919.js
@@ -0,0 +1,39 @@


@ -0,0 +1,106 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo <syg@chromium.org>
Date: Mon, 18 Nov 2024 16:02:28 -0800
Subject: Merged: [interpreter] Fix hole elision scope for switch jump tables
(cherry picked from commit 5c3b50c26c50e68dbedf8ff991249e75e46ef06e)
Change-Id: Id6bf2b62598b85a05c6cc7bd06b6cce673d7342a
Bug: 374627491
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6042925
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Cr-Commit-Position: refs/branch-heads/13.2@{#18}
Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
diff --git a/src/interpreter/bytecode-generator.cc b/src/interpreter/bytecode-generator.cc
index 05d48601ec63c7df0c1a4c351be464074ad8b262..2c28bb53c88c70fd65bc0d208542ad35490f5044 100644
--- a/src/interpreter/bytecode-generator.cc
+++ b/src/interpreter/bytecode-generator.cc
@@ -2353,6 +2353,9 @@ void BytecodeGenerator::VisitSwitchStatement(SwitchStatement* stmt) {
// Are we still using any if-else bytecodes to evaluate the switch?
bool use_jumps = n_comp_cases != 0;
+ // Does the comparison for non-jump table jumps need an elision scope?
+ bool jump_comparison_needs_hole_check_elision_scope = false;
+
SwitchBuilder switch_builder(builder(), block_coverage_builder_, stmt,
n_comp_cases, jump_table);
ControlScopeForBreakable scope(this, stmt, &switch_builder);
@@ -2410,6 +2413,10 @@ void BytecodeGenerator::VisitSwitchStatement(SwitchStatement* stmt) {
info.covered_cases);
if (use_jumps) {
+ // When using a jump table, the first jump comparison is conditionally
+ // executed if the discriminant wasn't matched by anything in the jump
+ // table, and so needs its own elision scope.
+ jump_comparison_needs_hole_check_elision_scope = true;
builder()->LoadAccumulatorWithRegister(r1);
}
}
@@ -2430,16 +2437,14 @@ void BytecodeGenerator::VisitSwitchStatement(SwitchStatement* stmt) {
// The comparisons linearly dominate, so no need to open a new elision
// scope for each one.
base::Optional<HoleCheckElisionScope> elider;
- bool first_jump_emitted = false;
for (int i = 0; i < clauses->length(); ++i) {
CaseClause* clause = clauses->at(i);
if (clause->is_default()) {
info.default_case = i;
} else if (!info.CaseExists(clause->label())) {
- // The first non-default label is
- // unconditionally executed, so we only need to emplace it before
- // visiting the second non-default label.
- if (first_jump_emitted) elider.emplace(this);
+ if (jump_comparison_needs_hole_check_elision_scope && !elider) {
+ elider.emplace(this);
+ }
// Perform label comparison as if via '===' with tag.
VisitForAccumulatorValue(clause->label());
@@ -2450,7 +2455,9 @@ void BytecodeGenerator::VisitSwitchStatement(SwitchStatement* stmt) {
#endif
switch_builder.JumpToCaseIfTrue(ToBooleanMode::kAlreadyBoolean,
case_compare_ctr++);
- first_jump_emitted = true;
+ // The second and subsequent non-default comparisons are always
+ // conditionally executed, and need an elision scope.
+ jump_comparison_needs_hole_check_elision_scope = true;
}
}
}
diff --git a/test/mjsunit/regress/regress-374627491.js b/test/mjsunit/regress/regress-374627491.js
new file mode 100644
index 0000000000000000000000000000000000000000..ebb7e1d93f788f10606b4787cfacd79c3807ca0c
--- /dev/null
+++ b/test/mjsunit/regress/regress-374627491.js
@@ -0,0 +1,26 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class B { }
+class C extends B {
+ constructor() {
+ let x = 0;
+ switch (0) {
+ case 0:
+ case 1:
+ case 2:
+ case 3:
+ case 4:
+ case 5:
+ case 6:
+ case 7:
+ case 8:
+ case 9:
+ x += this;
+ break;
+ case this:
+ }
+ }
+}
+assertThrows(() => { new C(); }, ReferenceError);
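Review bot: regress-374627491.js carries no comment saying what it guards, yet the shape of the switch is what makes it a regression test. The run of dense integer cases is presumably what makes VisitSwitchStatement emit a jump table, and `case this:` is the conditionally executed comparison whose hole check must not count as already done when `x += this` runs before `super()`. If someone later trims the cases, the test would likely still pass while no longer reaching the jump-table path, so the missing ReferenceError would go unnoticed again. I would add above `class C` something like `// Dense cases 0-9 are meant to get a jump table; the hole check for 'case this:' must not elide the one for 'x += this'.`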