98adbbb593
* chore: bump chromium to 135.0.7049.7 (main) (#45900) chore: bump chromium in DEPS to 135.0.7049.7 (cherry picked from commitbb1c3dff21) * chore: bump chromium to 136.0.7053.1 (main) (#45906) * chore: bump chromium in DEPS to 136.0.7052.0 * chore: update mas_avoid_private_macos_api_usage.patch.patch6318359patch applied manually due to context shear * chore: update preconnect_manager.patch Xref:6318420patch applied manually due to context shear * chore: e patches all * chore: bump chromium to 136.0.7053.1 * chore: update fix_remove_profiles_from_spellcheck_service.patch Xref:6326575patch applied manually due to context shear * chore: e patches all * chore: revert removal of v8 API used by Node.js * devtools: Remove DevToolsUIBindings::SendJsonRequest() |6326236* 6244461: Merge //content/common/user_agent.cc into //components/embedder_support:user_agent |6244461* 6313744: Migrate views::Background factory methods to ColorVariant |6313744* 6314545: Remove multiple argument support from base::ToString() |6314545* 6317362: [Extensions] Inline MessagingDelegate::CreateReceiverForTab() |6317362* 6308998: Add SettingAccess structured metrics event for DevTools |6308998* 6295214: Remove redundant state field in per-extension preferences |6295214NB: this change is copied from the upstream change to extensions/shell/browser/shell_extension_loader.cc * fix: ui/ linter error This is showing up in an eslint build step in Electron: > /__w/electron/electron/src/out/Default/gen/ui/webui/resources/cr_elements/preprocessed/cr_menu_selector/cr_menu_selector.ts > 77:23 error This assertion is unnecessary since the receiver accepts the original type of the expression @typescript-eslint/no-unnecessary-type-assertion > > ✖ 1 problem (1 error, 0 warnings) > 1 error and 0 warnings potentially fixable with the `--fix` option. However, removing the assertion causes a typescript build failure: > gen/ui/webui/resources/cr_elements/preprocessed/cr_menu_selector/cr_menu_selector.ts:77:23 - error TS2345: Argument of type 'HTMLElement | null' is not assignable to parameter of type 'HTMLElement'. > Type 'null' is not assignable to type 'HTMLElement'. > > 77 items.indexOf(this.querySelector<HTMLElement>(':focus')); > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ So I think the two different steps may be picking up typescript definitions. This patch should be removed after the issue is tracked down and fixed in a followup task. * fix: -Wnonnull warning Fixes this warning: > 2025-03-07T01:05:01.8637705Z ../../third_party/electron_node/src/debug_utils.cc(257,12): error: null passed to a callee that requires a non-null argument [-Werror,-Wnonnull] > 2025-03-07T01:05:01.8638267Z 257 | return nullptr; > 2025-03-07T01:05:01.8638481Z | ^~~~~~~ > 2025-03-07T01:05:01.8638700Z 1 error generated. Not sure why this warning was never triggered before; `git blame` indicates this code hasn't changed in ages: > c40a8273ef2 (Michaël Zasso 2024-05-10 09:50:20 +0200 255) #endif // DEBUG > 8e2d33f1562 (Anna Henningsen 2018-06-07 16:54:29 +0200 256) } > 247b5130595 (Refael Ackermann 2018-10-22 15:07:00 -0400 257) return nullptr; > 247b5130595 (Refael Ackermann 2018-10-22 15:07:00 -0400 258) } Presumably this is failing in this Chromium roll due to a clang version bump. We should remove this patch after upstreaming it. * docs: add upstream pr link for Node patch --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Charles Kerr <charles@charleskerr.com> (cherry picked from commit458b14b8ed) * chore!: bump chromium to 136.0.7054.0 (main) (#45923) * chore: bump chromium in DEPS to 136.0.7054.0 * chore: update allow_in-process_windows_to_have_different_web_prefs.patch Xref:5906158patch applied manually due to context shear * chore: e patches all * refactor!: Session.clearStorageData(syncable) Xref:6309405Remove syncable type from opts.quota in Session.clearStorageData(opts) because it that category has been removed upstream. BREAKING CHANGE: Removed ses.clearDataStorage({ quota: 'syncable' }) * docs: deprecate Session.clearDataStorage({ quota }) --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Charles Kerr <charles@charleskerr.com> (cherry picked from commit20414f66ca) * chore: bump chromium to 136.0.7058.1 (main) (#45928) * chore: bump chromium in DEPS to 136.0.7056.0 * chore: update mas_avoid_private_macos_api_usage.patch.patch no manual changes; patch applied with fuzz * chore: update fix_adapt_exclusive_access_for_electron_needs.patch patch applied manually due to context shear 6319958: [FS] Replace GURL with url::Origin for Excluisve Access Bubble |6319958* chore: update feat_allow_usage_of_sccontentsharingpicker_on_supported_platforms.patch no manual changes; patch applied with fuzz 6311876: Expose captured surface resolution for MacOS |6311876* chore: e patches all * 6319958: [FS] Replace GURL with url::Origin for Excluisve Access Bubble |6319958* 6326673: views: Delete the single-parameter Widget::InitParams constructor. |6326673*6331102* 6331102: [A11yPerformance] Rename AXMode::kScreenReader to kExtendedProperties |6331102Sync with shell/browser/ui/webui/accessibility_ui.cc to upstream chrome/browser/accessibility/accessibility_ui.cc changes in 4af8657 * chore: bump Chromium 136.0.7058.1 (#45933) chore: bump chromium in DEPS to 136.0.7058.1 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Charles Kerr <charles@charleskerr.com> (cherry picked from commitb0c11371e0) * chore: bump chromium to 136.0.7062.0 (main) (#45957) * chore: bump chromium in DEPS to 136.0.7059.0 * chore: bump chromium in DEPS to 136.0.7060.0 * chore: bump chromium in DEPS to 136.0.7062.0 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> (cherry picked from commit2de8fd7d93) * fixup! chore: bump chromium to 136.0.7053.1 (main) (#45906) chore: fix patch shear * chore: remove cherry-pick-521faebc8a7c.patch fixed upstream @ 521faeb 6334632: Disable setting primtive restart for WebGL in the cmd decoder. |6334632* chore: remove cherry-pick-9dacf5694dfd.patch fixed upstream @ 9dacf56 6330188: Move WebGL primitive restart state setting to the GPU process. |6330188* chore: e patches all --------- Co-authored-by: Charles Kerr <charles@charleskerr.com> Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
125 lines
5.5 KiB
Diff
125 lines
5.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: deepak1556 <hop2deep@gmail.com>
|
|
Date: Wed, 28 Jun 2023 21:11:40 +0900
|
|
Subject: fix: harden blink::ScriptState::MaybeFrom
|
|
|
|
This is needed as side effect of https://chromium-review.googlesource.com/c/chromium/src/+/4609446
|
|
which now gets blink::ExecutionContext from blink::ScriptState
|
|
and there are isolate callbacks which get entered from Node.js
|
|
environment that has v8::Context not associated with blink::ScriptState.
|
|
Some examples are ModifyCodeGenerationFromStrings in node_bindings.cc,
|
|
blink::UseCounterCallback etc.
|
|
|
|
Without this patch when blink::ScriptState::MaybeFrom tries to extract
|
|
blink::ScriptState from the provided v8::Context and since Node.js has context
|
|
embedder data fields with index greater than blink (see node_context_data.h)
|
|
leading to the following CHECK failure.
|
|
|
|
```
|
|
script_state.h(169)] Security Check Failed: script_state
|
|
```
|
|
|
|
This patch adds a new tag in the context associated with ScriptState
|
|
to uniquely identify. It is based on what Node.js does to identify the
|
|
context created by it in `node_context_data.h`.
|
|
|
|
PS: We are not performing a check like
|
|
|
|
```
|
|
ScriptState* script_state =
|
|
static_cast<ScriptState*>(context->GetAlignedPointerFromEmbedderData(
|
|
kV8ContextPerContextDataIndex));
|
|
if (!script_state) {
|
|
return nullptr;
|
|
}
|
|
```
|
|
|
|
since in 32-bit builds which does not have v8 sandbox enabled unlike 64-bit builds,
|
|
the embedder data slot will not lazy initialize indexes in the former. This means
|
|
accessing uninitialized lower indexes can return garbage values that cannot be null checked.
|
|
Refer to v8::EmbedderDataSlot::store_aligned_pointer for context.
|
|
|
|
diff --git a/gin/public/gin_embedders.h b/gin/public/gin_embedders.h
|
|
index 8d7c5631fd8f1499c67384286f0e3c4037673b32..2b7bdfbac06a42e6bc51eb65e023c3673e6eb885 100644
|
|
--- a/gin/public/gin_embedders.h
|
|
+++ b/gin/public/gin_embedders.h
|
|
@@ -20,6 +20,8 @@ enum GinEmbedder : uint16_t {
|
|
kEmbedderBlink,
|
|
kEmbedderPDFium,
|
|
kEmbedderFuchsia,
|
|
+ kEmbedderElectron,
|
|
+ kEmbedderBlinkTag,
|
|
};
|
|
|
|
} // namespace gin
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.cc b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
index e4a27a24c83dd1a478b2ada8b6c8220076790791..c76dc818f38a62fff63852dbecbc85e304ac731d 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.cc
|
|
@@ -13,6 +13,10 @@ namespace blink {
|
|
|
|
ScriptState::CreateCallback ScriptState::s_create_callback_ = nullptr;
|
|
|
|
+int const ScriptState::kScriptStateTag = 0x6e6f64;
|
|
+void* const ScriptState::kScriptStateTagPtr = const_cast<void*>(
|
|
+ static_cast<const void*>(&ScriptState::kScriptStateTag));
|
|
+
|
|
// static
|
|
void ScriptState::SetCreateCallback(CreateCallback create_callback) {
|
|
DCHECK(create_callback);
|
|
@@ -37,6 +41,8 @@ ScriptState::ScriptState(v8::Local<v8::Context> context,
|
|
DCHECK(world_);
|
|
context_.SetWeak(this, &OnV8ContextCollectedCallback);
|
|
context->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex, this);
|
|
+ context->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, ScriptState::kScriptStateTagPtr);
|
|
RendererResourceCoordinator::Get()->OnScriptStateCreated(this,
|
|
execution_context);
|
|
}
|
|
@@ -79,6 +85,8 @@ void ScriptState::DissociateContext() {
|
|
// Cut the reference from V8 context to ScriptState.
|
|
GetContext()->SetAlignedPointerInEmbedderData(kV8ContextPerContextDataIndex,
|
|
nullptr);
|
|
+ GetContext()->SetAlignedPointerInEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex, nullptr);
|
|
reference_from_v8_context_.Clear();
|
|
|
|
// Cut the reference from ScriptState to V8 context.
|
|
diff --git a/third_party/blink/renderer/platform/bindings/script_state.h b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
index b3cc8d819b06108386aed9465cab4f27a28b675f..9c8818f10de59fdd2a3fd44d9cd23d40a93b53a7 100644
|
|
--- a/third_party/blink/renderer/platform/bindings/script_state.h
|
|
+++ b/third_party/blink/renderer/platform/bindings/script_state.h
|
|
@@ -185,7 +185,12 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
v8::Local<v8::Context> context) {
|
|
DCHECK(!context.IsEmpty());
|
|
if (context->GetNumberOfEmbedderDataFields() <=
|
|
- kV8ContextPerContextDataIndex) {
|
|
+ kV8ContextPerContextDataTagIndex) {
|
|
+ return nullptr;
|
|
+ }
|
|
+ if (context->GetAlignedPointerFromEmbedderData(
|
|
+ kV8ContextPerContextDataTagIndex) !=
|
|
+ ScriptState::kScriptStateTagPtr) {
|
|
return nullptr;
|
|
}
|
|
ScriptState* script_state =
|
|
@@ -263,6 +268,8 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
static void SetCreateCallback(CreateCallback);
|
|
friend class ScriptStateImpl;
|
|
|
|
+ static void* const kScriptStateTagPtr;
|
|
+ static int const kScriptStateTag;
|
|
static constexpr int kV8ContextPerContextDataIndex =
|
|
static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
static_cast<int>(gin::kEmbedderBlink);
|
|
@@ -271,6 +278,10 @@ class PLATFORM_EXPORT ScriptState : public GarbageCollected<ScriptState> {
|
|
// internals.idl.
|
|
String last_compiled_script_file_name_;
|
|
bool last_compiled_script_used_code_cache_ = false;
|
|
+
|
|
+ static constexpr int kV8ContextPerContextDataTagIndex =
|
|
+ static_cast<int>(gin::kPerContextDataStartIndex) +
|
|
+ static_cast<int>(gin::kEmbedderBlinkTag);
|
|
};
|
|
|
|
// ScriptStateProtectingContext keeps the context associated with the
|