Merge branch '4-2-x' into miniak/liftoff-correctly-unuse-labels-4-2-x

electron · Jun 4, 2019 · e10fa74 · e10fa74
2 parents b27c25b + bbeedaf
commit e10fa74
Show file tree

Hide file tree

Showing 7 changed files with 299 additions and 0 deletions.
diff --git a/patches/common/chromium/.patches b/patches/common/chromium/.patches
@@ -103,3 +103,4 @@ chore_expose_getcontentclient_to_embedders.patch
 tabbed_window_lagging.patch
 restore_live_region_changed_events_for_processing_by_jaws_focus_mode.patch
 enable_quic_proxies_for_https_urls.patch
+fix_svg_crash_for_v0_distribution_into_foreignobject.patch
diff --git a/patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch b/patches/common/chromium/fix_svg_crash_for_v0_distribution_into_foreignobject.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rune Lillesveen <futhark@chromium.org>
+Date: Tue, 18 Dec 2018 14:45:19 +0000
+Subject: Fix SVG crash for v0 distribution into foreignObject.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We require a parent element to be an SVG element for non-svg-root
+elements in order to create a LayoutObject for them. However, we checked
+the light tree parent element, not the flat tree one which is the parent
+for the layout tree construction. Note that this is just an issue in
+Shadow DOM v0 since v1 does not allow shadow roots on SVG elements.
+
+Bug: 915469
+Change-Id: Id81843abad08814fae747b5bc81c09666583f130
+Reviewed-on: https://chromium-review.googlesource.com/c/1382494
+Reviewed-by: Fredrik Söderquist <fs@opera.com>
+Commit-Queue: Rune Lillesveen <futhark@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#617487}
+
+diff --git a/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html b/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..44ac3b0540b8f5a816a67b5be382b179623bd0cd
+--- /dev/null
++++ b/third_party/WebKit/LayoutTests/svg/foreignObject/shadow-dom-v0-crash.html
+@@ -0,0 +1,11 @@
++<!DOCTYPE html>
++<script src="../../resources/testharness.js"></script>
++<script src="../../resources/testharnessreport.js"></script>
++<p>PASS if no crash or DCHECK failure.</p>
++<svg id="svg"><g /></svg>
++<script>
++  test(() => {
++    const root = svg.createShadowRoot();
++    root.innerHTML = '<foreignObject><div><content></content></div></foreignObject>';
++  }, "Rendering an svg g element distributed into a foreignObject will crash.");
++</script>
+diff --git a/third_party/blink/renderer/core/svg/svg_element.cc b/third_party/blink/renderer/core/svg/svg_element.cc
+index e9a1fd9dd0ef6975cbc3e0967e8b0e9c8362b7a1..6af7df47e3502903346c4509c6fd080ef6d071ef 100644
+--- a/third_party/blink/renderer/core/svg/svg_element.cc
++++ b/third_party/blink/renderer/core/svg/svg_element.cc
+@@ -37,6 +37,7 @@
+ #include "third_party/blink/renderer/core/dom/document.h"
+ #include "third_party/blink/renderer/core/dom/element_traversal.h"
+ #include "third_party/blink/renderer/core/dom/events/event.h"
++#include "third_party/blink/renderer/core/dom/flat_tree_traversal.h"
+ #include "third_party/blink/renderer/core/dom/node_computed_style.h"
+ #include "third_party/blink/renderer/core/dom/shadow_root.h"
+ #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
+@@ -1047,10 +1048,8 @@ bool SVGElement::LayoutObjectIsNeeded(const ComputedStyle& style) const {
+ }
+
+ bool SVGElement::HasSVGParent() const {
+-  // Should we use the flat tree parent instead? If so, we should probably fix a
+-  // few other checks.
+-  return ParentOrShadowHostElement() &&
+-         ParentOrShadowHostElement()->IsSVGElement();
++  Element* parent = FlatTreeTraversal::ParentElement(*this);
++  return parent && parent->IsSVGElement();
+ }
+
+ MutableCSSPropertyValueSet* SVGElement::AnimatedSMILStyleProperties() const {
diff --git a/patches/common/config.json b/patches/common/config.json
@@ -9,6 +9,8 @@
 
   "src/electron/patches/common/skia": "src/third_party/skia",
 
+  "src/electron/patches/common/swiftshader": "src/third_party/swiftshader",
+
   "src/electron/patches/common/webrtc":  "src/third_party/webrtc",
 
   "src/electron/patches/common/v8":  "src/v8"

diff --git a/patches/common/swiftshader/.patches b/patches/common/swiftshader/.patches
@@ -0,0 +1 @@
+prevent_gldeletequeries_from_deleting_a_live_query.patch
diff --git a/patches/common/swiftshader/prevent_gldeletequeries_from_deleting_a_live_query.patch b/patches/common/swiftshader/prevent_gldeletequeries_from_deleting_a_live_query.patch
@@ -0,0 +1,161 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexis Hetu <sugoi@google.com>
+Date: Wed, 14 Nov 2018 10:54:53 -0500
+Subject: Prevent glDeleteQueries from deleting a live Query
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+glDeleteQueries() instantly deletes all the es2::Query objects
+passed as arguments to this function. If some of these queries
+are still being used by the renderer, this will result in a use
+after free error. To solve this issue, sw::Query is now a also
+ref counted object.
+
+Bug chromium:904714
+
+Change-Id: Ic1d5781bbf1724d8d07936fd49c8a172dc3d9fd4
+Reviewed-on: https://swiftshader-review.googlesource.com/c/22548
+Tested-by: Alexis Hétu <sugoi@google.com>
+Reviewed-by: Nicolas Capens <nicolascapens@google.com>
+
+diff --git a/src/D3D9/Direct3DQuery9.cpp b/src/D3D9/Direct3DQuery9.cpp
+index 31d249e7897869b8a97c1b8a4e449b1a71500f80..b6a3b2d60a8fa14016007d00be753e1642c75cbc 100644
+--- a/src/D3D9/Direct3DQuery9.cpp
++++ b/src/D3D9/Direct3DQuery9.cpp
+@@ -41,7 +41,7 @@ namespace D3D9
+ 		{
+ 			device->removeQuery(query);
+
+-			delete query;
++			query->release();
+ 		}
+ 	}
+
+@@ -202,7 +202,7 @@ namespace D3D9
+ 			return INVALIDCALL();
+ 		}
+
+-		bool signaled = !query || query->reference == 0;
++		bool signaled = !query || query->isReady();
+
+ 		if(size && signaled)
+ 		{
+diff --git a/src/OpenGL/libGLESv2/Query.cpp b/src/OpenGL/libGLESv2/Query.cpp
+index 027f8abcae73d0caae9cdfb610c4873229e93e40..87286210f2c4e4b6e984c5b28049afe3587eb1ca 100644
+--- a/src/OpenGL/libGLESv2/Query.cpp
++++ b/src/OpenGL/libGLESv2/Query.cpp
+@@ -32,7 +32,7 @@ Query::Query(GLuint name, GLenum type) : NamedObject(name)
+
+ Query::~Query()
+ {
+-	delete mQuery;
++	mQuery->release();
+ }
+
+ void Query::begin()
+@@ -140,7 +140,7 @@ GLboolean Query::testQuery()
+ {
+ 	if(mQuery != nullptr && mStatus != GL_TRUE)
+ 	{
+-		if(!mQuery->building && mQuery->reference == 0)
++		if(!mQuery->building && mQuery->isReady())
+ 		{
+ 			unsigned int resultSum = mQuery->data;
+ 			mStatus = GL_TRUE;
+diff --git a/src/Renderer/Renderer.cpp b/src/Renderer/Renderer.cpp
+index b560f4171ea649055572e4c535560d8664e1fa7e..e4a4e06660bf8a4731974f7615b8d68dd39e6b30 100644
+--- a/src/Renderer/Renderer.cpp
++++ b/src/Renderer/Renderer.cpp
+@@ -78,6 +78,27 @@ namespace sw
+ 		int threadIndex;
+ 	};
+
++	Query::Query(Type type) : building(false), data(0), type(type), reference(1)
++	{
++	}
++
++	void Query::addRef()
++	{
++		++reference; // Atomic
++	}
++
++	void Query::release()
++	{
++		int ref = reference--; // Atomic
++
++		ASSERT(ref >= 0);
++
++		if(ref == 0)
++		{
++			delete this;
++		}
++	}
++
+ 	DrawCall::DrawCall()
+ 	{
+ 		queries = 0;
+@@ -314,7 +335,7 @@ namespace sw
+ 				{
+ 					if(includePrimitivesWrittenQueries || (query->type != Query::TRANSFORM_FEEDBACK_PRIMITIVES_WRITTEN))
+ 					{
+-						++query->reference; // Atomic
++						query->addRef();
+ 						draw->queries->push_back(query);
+ 					}
+ 				}
+@@ -1002,7 +1023,7 @@ namespace sw
+ 							break;
+ 						}
+
+-						--query->reference; // Atomic
++						query->release();
+ 					}
+
+ 					delete draw.queries;
+diff --git a/src/Renderer/Renderer.hpp b/src/Renderer/Renderer.hpp
+index ce22866d7224036d4d32294d93f6a53c9da7d48d..0846a27b7b83b70206df6f594af0f59fb9e74fb5 100644
+--- a/src/Renderer/Renderer.hpp
++++ b/src/Renderer/Renderer.hpp
+@@ -89,26 +89,35 @@ namespace sw
+ 	{
+ 		enum Type { FRAGMENTS_PASSED, TRANSFORM_FEEDBACK_PRIMITIVES_WRITTEN };
+
+-		Query(Type type) : building(false), reference(0), data(0), type(type)
+-		{
+-		}
++		Query(Type type);
++
++		void addRef();
++		void release();
+
+-		void begin()
++		inline void begin()
+ 		{
+ 			building = true;
+ 			data = 0;
+ 		}
+
+-		void end()
++		inline void end()
+ 		{
+ 			building = false;
+ 		}
+
++		inline bool isReady() const
++		{
++			return (reference == 1);
++		}
++
+ 		bool building;
+-		AtomicInt reference;
+ 		AtomicInt data;
+
+ 		const Type type;
++	private:
++		~Query() {} // Only delete a query within the release() function
++
++		AtomicInt reference;
+ 	};
+
+ 	struct DrawData
diff --git a/patches/common/v8/.patches b/patches/common/v8/.patches
@@ -20,4 +20,5 @@ expose_mksnapshot.patch
 build-torque-with-x64-toolchain-on-arm.patch
 do_not_run_arm_arm64_mksnapshot_binaries.patch
 turbofan_fix_wrong_typing_of_speculativesafeintegersubtract.patch
+turbofan_restrict_redundancy_elimination_from_widening_types.patch
 liftoff-correctly-unuse-labels.patch
diff --git a/patches/common/v8/turbofan_restrict_redundancy_elimination_from_widening_types.patch b/patches/common/v8/turbofan_restrict_redundancy_elimination_from_widening_types.patch
@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sigurd Schneider <sigurds@chromium.org>
+Date: Mon, 7 Jan 2019 15:11:31 +0100
+Subject: [turbofan] Restrict redundancy elimination from widening types
+
+This CL prevents redundancy elimination from widening types, which
+can cause problems if the input of a DeadValue (which has type None)
+is replaced by an equivalent node that does not have type None. This
+can happen because load elimination does not re-type nodes, for
+example.
+
+Bug: chromium:919340
+Change-Id: I89e872412edbcdc610e70ae160cde56cd045006c
+Reviewed-on: https://chromium-review.googlesource.com/c/1397709
+Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
+Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
+Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#58617}
+
+diff --git a/src/compiler/redundancy-elimination.cc b/src/compiler/redundancy-elimination.cc
+index 5ecef0408be4c849cccd695ccb8329ec7f27055e..8cc0501a22132e3c226294c53b047a473a8f9005 100644
+--- a/src/compiler/redundancy-elimination.cc
++++ b/src/compiler/redundancy-elimination.cc
+@@ -179,11 +179,22 @@ bool CheckSubsumes(Node const* a, Node const* b) {
+   return true;
+ }
+
++bool TypeSubsumes(Node* node, Node* replacement) {
++  if (!NodeProperties::IsTyped(node) || !NodeProperties::IsTyped(replacement)) {
++    // If either node is untyped, we are running during an untyped optimization
++    // phase, and replacement is OK.
++    return true;
++  }
++  Type node_type = NodeProperties::GetType(node);
++  Type replacement_type = NodeProperties::GetType(replacement);
++  return replacement_type.Is(node_type);
++}
++
+ }  // namespace
+
+ Node* RedundancyElimination::EffectPathChecks::LookupCheck(Node* node) const {
+   for (Check const* check = head_; check != nullptr; check = check->next) {
+-    if (CheckSubsumes(check->node, node)) {
++    if (CheckSubsumes(check->node, node) && TypeSubsumes(node, check->node)) {
+       DCHECK(!check->node->IsDead());
+       return check->node;
+     }
+diff --git a/test/mjsunit/regress/regress-919340.js b/test/mjsunit/regress/regress-919340.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..900bf6fde2f56bc328a17995c18a2fabd3f1023b
+--- /dev/null
++++ b/test/mjsunit/regress/regress-919340.js
+@@ -0,0 +1,17 @@
++// Copyright 2019 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --allow-natives-syntax --opt
++
++var E = 'Σ';
++var PI = 123;
++function f() {
++    print(E = 2, /b/.test(E) || /b/.test(E = 2));
++    ((E = 3) * PI);
++}
++
++f();
++f();
++%OptimizeFunctionOnNextCall(f);
++f();