chore: cherry-pick 11 changes from Release-1-M115 #39517
Merged
electron/security#385 - d0c1b8954a1b from chromium
Ensure unique entries in frame_timing_details_
CompositorFrameSinkSupport::DidPresentCompositorFrame() keeps
|frame_timing_details_| map keyed on CompositorFrame frame_tokens. These
are supposed to be unique but a malicious renderer could violate that
assumption. Convert some DCHECKs into CHECKs to guard against problems
related to this.
(cherry picked from commit 9b62ab5a88379b37dbc712171fdfd5530b99a7a9)
Bug: 1458819
Change-Id: Ib0b9551d18ea421957e0dce49a2593043f4abb12
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4673638
Reviewed-by: Jonathan Ross jonross@chromium.org
Commit-Queue: Kyle Charbonneau kylechar@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1169287}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4689943
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Commit-Queue: Vasiliy Telezhnikov vasilyt@chromium.org
Cr-Commit-Position: refs/branch-heads/5735@{#1481}
Cr-Branched-From: 2f562e4ddbaf79a3f3cb338b4d1bd4398d49eb67-refs/heads/main@{#1135570}
electron/security#383 - 96fc6d931c97 from v8
[wasm-gc] Merge a few fixes
This commit cherry-picks small parts of:
crrev.com/c/4669597
crrev.com/c/4675296
crrev.com/c/4677170
that are suitable for backmerging.
Bug: chromium:1462951
Change-Id: Ic8994753c3bdbf9676701ce3ab8c98ae9700156b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4677663
Auto-Submit: Jakob Kummerow jkummerow@chromium.org
Reviewed-by: Manos Koukoutos manoskouk@chromium.org
Commit-Queue: Manos Koukoutos manoskouk@chromium.org
Cr-Commit-Position: refs/branch-heads/11.5@{#35}
Cr-Branched-From: 0c4044b7336787781646e48b2f98f0c7d1b400a5-refs/heads/11.5.150@{#1}
Cr-Branched-From: b71d3038a7d99c79e1c21239e8ae07da5fc8c90b-refs/heads/main@{#87781}
electron/security#386 - abb3ebd3d2ef from chromium
Destroy CastDeviceListHost during KeyedServices shutdown
This makes MediaNotificationService destroy all the CastDeviceListHosts
that it's instantiated in its KeyedService shutdown. This is necessary
because CastDeviceListHost depends on MediaRouter, another KeyedService.
(cherry picked from commit ffc0dfef649ad5b1149f89bb24c70d43405442ba)
Bug: 1457757
Change-Id: I453279da77b141ad9cd89310fc8128cc7d2919f2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4672319
Reviewed-by: Tommy Steimel steimel@chromium.org
Commit-Queue: Takumi Fujimoto takumif@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1168361}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4692442
Auto-Submit: Takumi Fujimoto takumif@chromium.org
Commit-Queue: Tommy Steimel steimel@chromium.org
Cr-Commit-Position: refs/branch-heads/5790@{#1763}
Cr-Branched-From: 1d71a337b1f6e707a13ae074dca1e2c34905eb9f-refs/heads/main@{#1148114}
electron/security#384 - fa181f8768c9 from chromium
Roll WebRTC from dbb89430ef77 to e9e03a916050 (3 revisions)
https://webrtc.googlesource.com/src.git/+log/dbb89430ef77..e9e03a916050
2023-07-19 joachimr@meta.com Fix inaccurate contentType in RTCInbound/OutboundRtpStreamStats
2023-07-19 phancke@microsoft.com Prevent SDP munging of duplicate SSRCs
2023-07-19 chromium-webrtc-autoroll@webrtc-ci.iam.gserviceaccount.com Roll chromium_revision 21b76e39ae..58a3c40eba (1172261:1172400)
If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/webrtc-chromium-autoroll
Please CC webrtc-chromium-sheriffs-robots@google.com,webrtc-infra@google.com on the revert to ensure that a human
is aware of the problem.
To file a bug in WebRTC: https://bugs.chromium.org/p/webrtc/issues/entry
To file a bug in Chromium: https://bugs.chromium.org/p/chromium/issues/entry
To report a problem with the AutoRoller itself, please file a bug:
https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug
Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
Bug: chromium:1459124
Tbr: webrtc-chromium-sheriffs-robots@google.com
Change-Id: I2340d48bb0484a1dd608eb61bb97de4c3313307b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4703308
Bot-Commit: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Commit-Queue: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Cr-Commit-Position: refs/heads/main@{#1172688}
electron/security#388 - 337124b13aaa from chromium
[Merge M116] [blink] Fix UAF in NonMainThreadTaskQueue
The issue is that WorkerThreadScheduler::OnTaskCompleted's
PerformMicrotaskCheckpoint() might result in a blink heap GC which may
collect NonMainThreadWebSchedulingTaskQueueImpl (owned by
GarbageCollected) which might own the last ref to
NonMainThreadTaskQueue. If the NonMainThreadTaskQueue is deleted,
there's a UAF in the follow-up call to
task_queue->OnTaskRunTimeReported(task_timing);
Retain a ref to NonMainThreadTaskQueue throughout OnTaskCompleted() to
prevent this.
The other option, proposed @ crbug.com/1464113#c3 was to bind the ref
ahead of time in the
on_task_completed_handler
but I am leery that this might prevent deleting queues with pending tasks.
R=altimin@chromium.org
(cherry picked from commit 3463ed58f68034e68a1291b6413776c2b72994e8)
Bug: 1464113
Change-Id: I877c609244ab90a0af1c87c317cf5a55e2fa60ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4678047
Reviewed-by: Alexander Timin altimin@chromium.org
Reviewed-by: Etienne Pierre-Doray etiennep@chromium.org
Commit-Queue: Gabriel Charette gab@chromium.org
Auto-Submit: Gabriel Charette gab@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1170760}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4706171
Commit-Queue: Alexander Timin altimin@chromium.org
Cr-Commit-Position: refs/branch-heads/5845@{#750}
Cr-Branched-From: 5a5dff63a4a4c63b9b18589819bebb2566c85443-refs/heads/main@{#1160321}
electron/security#382 - 83b0bdb696d8 from chromium
Roll SwiftShader from 222e07b368b1 to 8d9a45b1f3ab (12 revisions)
https://swiftshader.googlesource.com/SwiftShader.git/+log/222e07b368b1..8d9a45b1f3ab
2023-07-24 bclayton@google.com LLVMReactor: Remove CreateFreeze() call
2023-07-23 bclayton@google.com LLVMReactor: Clamp RHS of bit shifts using type width
2023-07-22 bclayton@google.com Fix another 'sign-compare' warning as error
2023-07-22 bclayton@google.com Fix 'sign-compare' warning as error
2023-07-21 bclayton@google.com LLVMReactor: Clamp RHS of bit shifts.
2023-07-21 swiftshader.regress@gmail.com Regres: Update test lists @ 4a260c12
2023-07-21 bclayton@google.com ExecutableMemory: Use VirtualAlloc() instead of `new` on windows
2023-07-20 avi@google.com Don't allow Swiftshader to be compiled as ARC
2023-07-18 tiszka@chromium.org [subzero] Fix integer overflows during alloca coalescing
2023-07-12 aredulla@google.com [ssci] Added Shipped field to READMEs
2023-07-11 jif@google.com [LLVM 16] Have Swiftshader built with Android.bp use LLVM 16.
2023-07-04 jif@google.com [LLVM 16] Shifts do not generate poison values
If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/swiftshader-chromium-autoroll
Please CC capn@chromium.org,swiftshader-eng+autoroll@google.com on the revert to ensure that a human
is aware of the problem.
To file a bug in SwiftShader: https://bugs.chromium.org/p/swiftshader/issues/entry
To file a bug in Chromium: https://bugs.chromium.org/p/chromium/issues/entry
To report a problem with the AutoRoller itself, please file a bug:
https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug
Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
Cq-Include-Trybots: luci.chromium.try:linux_chromium_msan_rel_ng;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:linux-swangle-try-x64;luci.chromium.try:win-swangle-try-x86
Bug: chromium:1427865,chromium:1431761,chromium:1464038,chromium:1464680,chromium:1466124,chromium:733237
Tbr: swiftshader-eng+autoroll@google.com
Change-Id: Ifea78e22e4b836267a9094fffa87ddda27516f1c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4711308
Bot-Commit: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Commit-Queue: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Cr-Commit-Position: refs/heads/main@{#1174303}
electron/security#378 - 8d60b1d3b1be from v8
[wasm-gc] Use wasm-null as default value for wasm reference types
(cherry picked from commit b947905d27518b7764607708ec9f74ac3ea94b6b)
Bug: v8:7748, chromium:1466183
Change-Id: I6d7de33e0cec37747045269f441e65f7a482dd4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4701553
Auto-Submit: Manos Koukoutos manoskouk@chromium.org
Reviewed-by: Jakob Kummerow jkummerow@chromium.org
Commit-Queue: Jakob Kummerow jkummerow@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#89060}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4714606
Commit-Queue: Manos Koukoutos manoskouk@chromium.org
Cr-Commit-Position: refs/branch-heads/11.6@{#22}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}
electron/security#381 - 285c7712c506 from angle
M116: Translator: Unconditionally limit variable sizes
... instead of just for WebGL. This is to avoid hitting driver bugs
that were prevented with this check for WebGL on a compromised renderer
that can create non-WebGL contexts.
Bug: chromium:1464682
Change-Id: I2b1c5a8c51f06225f5f850109d30778d97e574c7
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4717371
Reviewed-by: Roman Lavrov romanl@google.com
electron/security#377 - 2bf945775fe6 from angle
M116: Translator: Limit variable sizes vs uint overflow
Bug: chromium:1464680
Change-Id: Iee41a2da7a7a330e6cc4d6da59a6e9836ee9dd36
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4717372
Reviewed-by: Roman Lavrov romanl@google.com
electron/security#387 - cafe56b591ed from angle
M116: GL: Ensure all instanced attributes have a buffer with data
Apple OpenGL drivers sometimes crash when given an instanced draw with
a buffer that has never been given data.
It's not efficient to check if the attribute is both zero-sized and
instanced so just ensure that every time a zero-sized buffer is bound
to an attribute, it gets initialized with some data.
Bug: chromium:1456243
Change-Id: I66b7c7017843153db2df3bc50010cba765d03c5f
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4642048
Commit-Queue: Geoff Lang geofflang@chromium.org
Reviewed-by: Shahbaz Youssefi syoussefi@chromium.org
(cherry picked from commit 4e6124dae892690204f8e5996aeaad14f45e0a97)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4727452
electron/security#380 - e40cb330b645 from chromium
Check whether read side is closed when reading QuicChromiumClientStream
When quic::QuicSpdyStream receives a RST_STREAM frame it clears the
underlying read buffer. Subsequent read operations should check
quic::QuicStream::read_side_closed() so that it doesn't access the
cleared read buffer.
This CL is cloned from https://crrev.com/c/4691923 by bashi@chromium.org.
(cherry picked from commit ecf8b698d6ec2a7c4bed49714c80f4ee5516c50d)
Bug: 1465224
Change-Id: I35a908e11d09c67dea857b34653d6cf1cadbb407
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4728448
Commit-Queue: Bence Béky bnc@chromium.org
Auto-Submit: Bence Béky bnc@chromium.org
Reviewed-by: Kenichi Ishibashi bashi@chromium.org
Commit-Queue: Kenichi Ishibashi bashi@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1176838}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4733554
Reviewed-by: Bence Béky bnc@chromium.org
Commit-Queue: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/5790@{#1904}
Cr-Branched-From: 1d71a337b1f6e707a13ae074dca1e2c34905eb9f-refs/heads/main@{#1148114}
Notes: