commit cd80e0340f66a5d16acd45f38e9c0b3319d12fe6
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sat Mar 17 11:54:04 2018 +0100
Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
* Sat Mar 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-3
- Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
qt5-qtwebengine-freeworld.spec | 16 +-
...gine-everywhere-src-5.10.1-security-5.9.5.patch | 1245 ++++++++++++++++++++
2 files changed, 1258 insertions(+), 3 deletions(-)
---
diff --git a/qt5-qtwebengine-freeworld.spec b/qt5-qtwebengine-freeworld.spec
index 88b226e..65e4e51 100644
--- a/qt5-qtwebengine-freeworld.spec
+++ b/qt5-qtwebengine-freeworld.spec
@@ -41,7 +41,7 @@
Summary: Qt5 - QtWebEngine components (freeworld version)
Name: qt5-qtwebengine-freeworld
Version: 5.10.1
-Release: 2%{?dist}
+Release: 3%{?dist}
%global major_minor %(echo %{version} | cut -d. -f-2)
%global major %(echo %{version} | cut -d. -f1)
@@ -97,15 +97,20 @@ Patch21: qtwebengine-everywhere-src-5.10.0-gn-bootstrap-verbose.patch
#
https://codereview.qt-project.org/#/c/196922/
# see QTBUG-60886 and QTBUG-65090
Patch22: qtwebengine-everywhere-src-5.10.0-icu59.patch
+## Upstream patches:
# drop support for obsolete Unicode "aspirational scripts" (dropped in UTS
31),
# fixes #error with ICU >= 60 (which was a reminder to double-check the list)
# see:
http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts
# backport of:
https://chromium-review.googlesource.com/c/chromium/src/+/731871
Patch100: qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch
+# forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+# see the patch metadata for the list of fixed CVEs and Chromium bug IDs
+# omit the Chromium bug 806122 fix because we use the system FFmpeg
+Patch101: qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
# fix build with FFmpeg 3.5 (apply conditionally because it breaks older FFmpeg)
# backport of:
https://chromium-review.googlesource.com/c/chromium/src/+/754261
#
https://chromium-review.googlesource.com/c/chromium/src/+/889686
-Patch101: qtwebengine-everywhere-src-5.10.1-ffmpeg35.patch
+Patch102: qtwebengine-everywhere-src-5.10.1-ffmpeg35.patch
# handled by qt5-srpm-macros, which defines %%qt5_qtwebengine_arches
ExclusiveArch: %{qt5_qtwebengine_arches}
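Review bot: The new Patch101 comment defers the list of fixed CVEs to the patch metadata, so nothing in the spec itself records which advisories release 5.10.1-3 addresses, and the changelog entry added in the last hunk only repeats the "Forward-port security backports" summary. Distribution security tooling and reviewers typically grep the spec and changelog for CVE identifiers, so the list belongs next to the Patch101 declaration (and, ideally, in the changelog line as well). Based on the `[Backport]` headers of the bundled patch, the comment could read `# fixes CVE-2017-15429, CVE-2018-6060, CVE-2018-6062, CVE-2018-6064, CVE-2018-6069, CVE-2018-6071, CVE-2018-6073, CVE-2018-6076, CVE-2018-6079, CVE-2018-6081, CVE-2018-6082` followed by `# plus Chromium security bugs 770734, 774833, 789764, 798410 (bug 806122 / FFmpeg fix omitted, system FFmpeg is used)`. Keeping the bundled(chromium) comment in the next hunk pointing at Patch101 is fine once the list is there.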
@@ -204,6 +209,7 @@ BuildRequires: pkgconfig(vpx) >= 1.7.0
#
http://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=61-based
# see dist/changes-5.10.1 for the version numbers (base, security fixes) and for
# a list of CVEs fixed by the added security backports
+# See Patch101 for additional fixes applied (up to version 65.0.3325.146)
Provides: bundled(chromium) = 61.0.3163.140
# Bundled in src/3rdparty/chromium/third_party:
@@ -332,8 +338,9 @@ This version is compiled with support for patent-encumbered codecs
enabled.
%patch21 -p1 -b .gn-bootstrap-verbose
%patch22 -p1 -b .icu59
%patch100 -p1 -b .no-aspirational-scripts
+%patch101 -p1 -b .security-5.9.5
%if 0%{?fedora} > 27
-%patch101 -p1 -b .ffmpeg35
+%patch102 -p1 -b .ffmpeg35
%endif
# fix // in #include in content/renderer/gpu to avoid debugedit failure
sed -i -e 's!gpu//!gpu/!g' \
@@ -417,6 +424,9 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sat Mar 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-3
+- Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+
* Thu Mar 01 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-2
- Drop -fabi-version=11 workaround, gcc-8.0.1-0.16.fc28 should fix this
diff --git a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
new file mode 100644
index 0000000..78b3e55
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
@@ -0,0 +1,1245 @@
+From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001
+Message-Id:
<d58330a607981f2e12c65c4b72ecbc36c5c52801.1521166869.git.Kevin(a)tigcc.ticalc.org>
+From: Michal Klocek <michal.klocek(a)qt.io>
+Date: Thu, 8 Mar 2018 11:26:33 +0100
+Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg
+ fix)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[Backport] CVE-2017-15429
+
+Only open windows with js URLs if the entered window has access
+
+It's not enough to check that the current window has access, if other
+security checks failed and the entered window shouldn't have access to
+the current window.
+
+BUG=788453
+R=haraken@chromium.org,mkwst(a)chromium.org
+
+Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01
+Reviewed-on:
https://chromium-review.googlesource.com/792934
+Commit-Queue: Jochen Eisinger <jochen(a)chromium.org>
+Reviewed-by: Mike West <mkwst(a)chromium.org>
+Reviewed-by: Kentaro Hara <haraken(a)chromium.org>
+Reviewed-by: Yuki Shiino <yukishiino(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#519683}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6069
+
+check for bad buffers in Unpack8
+
+Bug:799918
+Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
+Reviewed-on:
https://skia-review.googlesource.com/92841
+Commit-Queue: Mike Reed <reed(a)google.com>
+Reviewed-by: Florin Malita <fmalita(a)chromium.org>
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6071
+
+detect too many points
+
+Bug:777318
+Change-Id: Idb52688b6ee4ae020004400da995620c1f548559
+Reviewed-on:
https://skia-review.googlesource.com/73821
+Commit-Queue: Mike Reed <mike(a)reedtribe.org>
+Reviewed-by: Herb Derby <herb(a)google.com>
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] Security Bug 770734
+
+Fix a crash in TemplateURLParser.
+
+It was caused by dereferencing an invalid URL during parsing.
+
+Bug: 770734
+Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a
+Reviewed-on:
https://chromium-review.googlesource.com/773902
+Commit-Queue: Vasilii Sukhanov <vasilii(a)chromium.org>
+Reviewed-by: Peter Kasting <pkasting(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#517751}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] Security Bug 774833
+
+Intl.DateTimeFormat: throw RangeError for non-finite input
+
+intl.js throws an exception when datetime-value to format is
+Infinity or NaN, but there was a way to thwart the check.
+
+Moreover, intl.js and runtime-intl.cc have unnecessary conversions
+of 'Number->Date->Number'. I removed the unnecessary conversion
+and made 'Number' be passed to %InternalDateFormat. With this
+streamlining, the work-around mentioned above does not work
+anymore.
+
+Add a check in runtime_intl.cc for Infinity/NaN and throw a
+RangeError.
+
+Add invalid-time test for invalid datetime-values passed to
+Intl.DateTimeFormat.format().
+
+Bug: chromium:774833
+Test: intl/date-format/invalid-time.js
+Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
+Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee
+Reviewed-on:
https://chromium-review.googlesource.com/724860
+Commit-Queue: Jungshik Shin <jshin(a)chromium.org>
+Reviewed-by: Adam Klein <adamk(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#48765}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6073
+
+Fix CopyTexImage behavior when cubemap workaround is involved.
+
+The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params
+in order to upload data to textures correctly.
+
+BUG=804118
+TEST=tests in the bug
+R=piman(a)chromium.org
+TBR=zmo(a)chromium.org
+NOTRY=true
+
+(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22)
+
+Cq-Include-Trybots:
master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
+Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
+Reviewed-on:
https://chromium-review.googlesource.com/892282
+Commit-Queue: Zhenyao Mo <zmo(a)chromium.org>
+Reviewed-by: Antoine Labour <piman(a)chromium.org>
+Reviewed-by: Kai Ninomiya <kainino(a)chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#532749}
+Reviewed-on:
https://chromium-review.googlesource.com/895907
+Reviewed-by: Zhenyao Mo <zmo(a)chromium.org>
+Cr-Commit-Position: refs/branch-heads/3325@{#208}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6076
+
+Percent-encode UTF8 characters in URL fragment identifiers.
+
+This brings us into line with Firefox, Safari, and the spec.
+
+Bug: 758523
+Reviewed-on:
https://chromium-review.googlesource.com/668363
+Commit-Queue: Mike West <mkwst(a)chromium.org>
+Reviewed-by: Jochen Eisinger <jochen(a)chromium.org>
+Reviewed-by: Andy Paicu <andypaicu(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#507481}
+
+Encode ' ', '"', '<', '>', and '`' in
URL fragments.
+
+Implements the changes to fragment processing described in
+https://github.com/whatwg/url/pull/347, which adds a new "fragment
+percent-encode set" which contains the C0 control percent-encode set,
+along with:
+
+* 0x20 SPACE
+* 0x22 (")
+* 0x3C (<)
+* 0x3E (>)
+* 0x60 (`)
+
+This brings our implementation into line with Firefox.
+
+Bug: 758523
+Reviewed-on:
https://chromium-review.googlesource.com/719004
+Commit-Queue: Mike West <mkwst(a)chromium.org>
+Reviewed-by: Jochen Eisinger <jochen(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#523383}
+
+Change-Id: I25de642017ccb69473626a327ad194b3431a11ed
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6079
+
+Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data.
+
+In linux and android, we are seeing an issue where texture data from one
+tab overwrites the texture data of another tab. This is happening for apps
+which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D.
+Due to a bug in virtual context save/restore code for above texture formats,
+the texture data is not properly restored while switching tabs. Hence
+texture data from one tab overwrites other.
+
+This CL has fix for that issue, an update for existing test expectations
+and a new unit test for this bug.
+
+Bug: 788448
+Cq-Include-Trybots:
master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
+Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28
+Reviewed-on:
https://chromium-review.googlesource.com/930327
+Reviewed-by: Zhenyao Mo <zmo(a)chromium.org>
+Commit-Queue: vikas soni <vikassoni(a)chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit
d128139d53e9268e87921e82d89b3f2053cb83fd)
+Reviewed-on:
https://chromium-review.googlesource.com/939878
+Cr-Commit-Position: refs/branch-heads/3325@{#610}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6081
+
+Fix XSS in supervised user interstitial
+
+BUG=797525
+
+Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93
+Reviewed-on:
https://chromium-review.googlesource.com/844075
+Reviewed-by: Bernhard Bauer <bauerb(a)chromium.org>
+Commit-Queue: Rob Wu <rob(a)robwu.nl>
+Cr-Commit-Position: refs/heads/master@{#526158}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6082
+
+Remove port 22 from the set of allowed FTP ports.
+
+The collision with SSH ports caused some possible concerns with being
+able to enumerate internal hosts. Analysis shows that Internet hosts
+supporting FTP over port 22 are a small fraction, and likely not
+accessed over the web.
+
+Bug: 767354
+Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0
+Reviewed-on:
https://chromium-review.googlesource.com/860753
+Reviewed-by: Matt Menke <mmenke(a)chromium.org>
+Commit-Queue: Christopher Thompson <cthomp(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#528461}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6064
+
+[elements] Fix Object.entries/values with changing elements
+
+Drive-by-cleanup:
+- Add InternalElementsAccessor to expose protected instance methods
+to ElementsAccessor subclasses.
+- Make some more ElementsAccessor methods protected that take the
+raw entry as parameter.
+
+Bug: chromium:798644
+Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c
+Reviewed-on:
https://chromium-review.googlesource.com/856816
+Commit-Queue: Camillo Bruni <cbruni(a)chromium.org>
+Reviewed-by: Jakob Kummerow <jkummerow(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#50480}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6062
+
+use safemath::mull for buffer sizes
+
+Bug:780104
+Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff
+Reviewed-on:
https://skia-review.googlesource.com/95760
+Reviewed-by: Brian Salomon <bsalomon(a)google.com>
+Commit-Queue: Mike Reed <reed(a)google.com>
+(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d)
+Reviewed-on:
https://skia-review.googlesource.com/101780
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] CVE-2018-6060
+
+Keep AudioHandlers alive until they can be safely deleted.
+
+When an AudioNode is disposed, the handler is also disposed. But add
+the handler to the orphan list so that the handler stays alive until
+the context can safely delete it. If we don't do this, the handler
+may get deleted while the audio thread is processing the handler (due
+to, say, channel count changes and such).
+
+For an realtime context, save the handler if the context is not closed.
+(Nothing will clean up the handler if the context is closed.)
+
+For an offline context, only need to do this when the context is
+running because the context is guaranteed to be stopped if we're not
+in the running state. Hence, there's no possibility of deleting the
+handler while the graph is running.
+
+Bug: 780919
+Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87
+Reviewed-on:
https://chromium-review.googlesource.com/868841
+Reviewed-by: Hongchan Choi <hongchan(a)chromium.org>
+Commit-Queue: Raymond Toy <rtoy(a)chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit
ebcf9595bf908b515ffcd31374b071697a69faed)
+Reviewed-on:
https://chromium-review.googlesource.com/893626
+Reviewed-by: Raymond Toy <rtoy(a)chromium.org>
+Cr-Commit-Position: refs/branch-heads/3325@{#180}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] Security Bug 798410
+
+Crash fix for th with role gridcell in a table with nontraditional css
+
+Do not assume we can use ToLayoutCell() in an object that can be created
+for an ARIA cell and may not be associated with an actual table cell.
+
+Bug: 798410
+Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
+Reviewed-on:
https://chromium-review.googlesource.com/906953
+Commit-Queue: Aaron Leventhal <aleventhal(a)chromium.org>
+Reviewed-by: Nektarios Paisios <nektar(a)chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit
b0d1618cc5e95f77c152022232257b61b61a952e)
+Reviewed-on:
https://chromium-review.googlesource.com/916527
+Reviewed-by: Aaron Leventhal <aleventhal(a)chromium.org>
+Cr-Commit-Position: refs/branch-heads/3325@{#447}
+Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+
+[Backport] Security Bug 789764
+
+[parser] Fix func numbering inside for in.
+
+BUG=chromium:789764
+
+Change-Id: I6a466660159721683c4979af32019d740094151b
+Reviewed-on:
https://chromium-review.googlesource.com/803217
+Reviewed-by: Ross McIlroy <rmcilroy(a)chromium.org>
+Reviewed-by: Jochen Eisinger <jochen(a)chromium.org>
+Commit-Queue: Marja Hölttä <marja(a)chromium.org>
+Cr-Commit-Position: refs/heads/master@{#49795}
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+---
+ .../search_engines/template_url_parser.cc | 2 +-
+ .../supervised_user_block_interstitial.js | 8 +--
+ .../gpu/command_buffer/service/context_state.cc | 34 +++++++++-
+ .../gpu/command_buffer/service/texture_manager.cc | 6 +-
+ chromium/net/base/port_util.cc | 3 +-
+ .../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++
+ .../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +-
+ .../Source/modules/accessibility/AXTableCell.cpp | 8 +++
+ .../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++--
+ chromium/third_party/skia/include/core/SkTypes.h | 1 +
+ chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++
+ chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++--
+ chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++
+ .../third_party/skia/src/effects/SkPackBits.cpp | 5 +-
+ chromium/third_party/skia/src/effects/SkPackBits.h | 2 +-
+ .../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +-
+ chromium/url/url_canon_etc.cc | 61 ++++++++++++-----
+ chromium/v8/src/ast/ast-traversal-visitor.h | 1 +
+ chromium/v8/src/elements.cc | 76 ++++++++++++++++++----
+ chromium/v8/src/elements.h | 17 ++---
+ chromium/v8/src/js/intl.js | 8 +--
+ chromium/v8/src/runtime/runtime-intl.cc | 25 ++++---
+ 22 files changed, 293 insertions(+), 82 deletions(-)
+
+diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
+index 64b1385e05..476d879b5f 100644
+--- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
++++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
+@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
+ return;
+
+ GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
+- if (url.is_empty())
++ if (!url.is_valid())
+ return;
+
+ // If there is a parameter filter, parse the existing URL and remove any
+diff --git
a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+index d6b9327584..bee21be919 100644
+---
a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
++++
b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+@@ -67,8 +67,8 @@ function initialize() {
+ $('custodian-avatar-img').style.content =
+ makeImageSet(avatarURL1x, avatarURL2x);
+ }
+- $('custodian-name').innerHTML = custodianName;
+- $('custodian-email').innerHTML =
loadTimeData.getString('custodianEmail');
++ $('custodian-name').textContent = custodianName;
++ $('custodian-email').textContent =
loadTimeData.getString('custodianEmail');
+ var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
+ var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
+ var secondCustodianName = loadTimeData.getString('secondCustodianName');
+@@ -79,8 +79,8 @@ function initialize() {
+ $('second-custodian-avatar-img').style.content =
+ makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
+ }
+- $('second-custodian-name').innerHTML = secondCustodianName;
+- $('second-custodian-email').innerHTML = loadTimeData.getString(
++ $('second-custodian-name').textContent = secondCustodianName;
++ $('second-custodian-email').textContent = loadTimeData.getString(
+ 'secondCustodianEmail');
+ }
+ }
+diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+index 3c71d38b25..1b1d647c36 100644
+--- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
++++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
+ ? unit.bound_texture_2d->service_id() : 0;
+ }
+
++GLuint Get2dArrayServiceId(const TextureUnit& unit) {
++ return unit.bound_texture_2d_array.get()
++ ? unit.bound_texture_2d_array->service_id()
++ : 0;
++}
++
++GLuint Get3dServiceId(const TextureUnit& unit) {
++ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
++}
++
+ GLuint GetCubeServiceId(const TextureUnit& unit) {
+ return unit.bound_texture_cube_map.get()
+ ? unit.bound_texture_cube_map->service_id() : 0;
+@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
+ DCHECK_LT(unit, texture_units.size());
+ const TextureUnit& texture_unit = texture_units[unit];
+ GLuint service_id_2d = Get2dServiceId(texture_unit);
++ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
++ GLuint service_id_3d = Get3dServiceId(texture_unit);
+ GLuint service_id_cube = GetCubeServiceId(texture_unit);
+ GLuint service_id_oes = GetOesServiceId(texture_unit);
+ GLuint service_id_arb = GetArbServiceId(texture_unit);
+@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
+ feature_info_->feature_flags().oes_egl_image_external ||
+ feature_info_->feature_flags().nv_egl_stream_consumer_external;
+ bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
++ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
++ // So set it to FALSE by default.
++ bool bind_texture_2d_array = false;
++ bool bind_texture_3d = false;
++ // set the variables to true only if the application is ES3 or newer
++ if (feature_info_->IsES3Capable()) {
++ bind_texture_2d_array = true;
++ bind_texture_3d = true;
++ }
+
+ if (prev_state) {
+ const TextureUnit& prev_unit = prev_state->texture_units[unit];
+ bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
++ bind_texture_2d_array =
++ service_id_2d_array != Get2dArrayServiceId(prev_unit);
++ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
+ bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
+ bind_texture_oes =
+ bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
+@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
+ }
+
+ // Early-out if nothing has changed from the previous state.
+- if (!bind_texture_2d && !bind_texture_cube
+- && !bind_texture_oes && !bind_texture_arb) {
++ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d
&&
++ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
+ return;
+ }
+
+@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
+ if (bind_texture_arb) {
+ glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
+ }
++ if (bind_texture_2d_array) {
++ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
++ }
++ if (bind_texture_3d) {
++ glBindTexture(GL_TEXTURE_3D, service_id_3d);
++ }
+ }
+
+ void ContextState::RestoreSamplerBinding(GLuint unit,
+diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+index f56e04f411..cac58af031 100644
+--- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
++++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
+ TextureRef* texture_ref,
+ const char* function_name,
+ const DoTexImageArguments& args) {
+- // This workaround code does not work with an unpack buffer bound.
+- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
+-
+ std::vector<GLenum> undefined_faces;
+ Texture* texture = texture_ref->texture();
+ if (texture_state->force_cube_complete ||
+@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
+ DoTexImageArguments new_args = args;
+ std::unique_ptr<char[]> zero(new char[args.pixels_size]);
+ memset(zero.get(), 0, args.pixels_size);
++ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
++ state->PushTextureDecompressionUnpackState();
+ for (GLenum face : undefined_faces) {
+ new_args.target = face;
+ new_args.pixels = zero.get();
+@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
+ function_name, texture_ref, new_args);
+ texture->MarkLevelAsInternalWorkaround(face, args.level);
+ }
++ state->RestoreUnpackState();
+ }
+
+ void TextureManager::ValidateAndDoTexImage(
+diff --git a/src/3rdparty/chromium/net/base/port_util.cc
b/src/3rdparty/chromium/net/base/port_util.cc
+index 543d9db943..83c9821398 100644
+--- a/src/3rdparty/chromium/net/base/port_util.cc
++++ b/src/3rdparty/chromium/net/base/port_util.cc
+@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
+ // KURL::port())
+ };
+
+-// FTP overrides the following restricted ports.
++// FTP overrides the following restricted port.
+ const int kAllowedFtpPorts[] = {
+ 21, // ftp data
+- 22, // ssh
+ };
+
+ base::LazyInstance<std::multiset<int>>::Leaky g_explicitly_allowed_ports =
+diff --git
a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+index 90883c712f..9abef3a420 100644
+---
a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
++++
b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
+ return;
+ }
+
++ // If the bindings implementation is 100% correct, the current realm and the
++ // entered realm should be same origin-domain. However, to be on the safe
++ // side and add some defense in depth, we'll check against the entered realm
++ // as well here.
++ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
++ impl, exception_state)) {
++ return;
++ }
++
+ TOSTRING_VOID(V8StringResource<kTreatNullAndUndefinedAsNullString>,
+ url_string, info[0]);
+ AtomicString frame_name;
+diff --git
a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+index 8ce1574d45..1c5b193eda 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
+ !frame_->GetDocument()->IsSVGDocument())
+ return;
+
++ // Try the raw fragment for HTML documents, but skip it for `svgView()`:
+ String fragment_identifier = url.FragmentIdentifier();
+- if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
++ if (!frame_->GetDocument()->IsSVGDocument() &&
++ ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
+ return;
++ }
+
+ // Try again after decoding the ref, based on the document's encoding.
+ if (frame_->GetDocument()->Encoding().IsValid()) {
+diff --git
a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
+index bbe7147921..1b88d0bd4e 100644
+---
a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
++++
b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
+@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
+ if (IsColumnHeaderCell())
+ return kColumnHeaderRole;
+
++ // This occurs in an edge case that mixes non-table CSS into a
++ // table, and <th role="gridcell">, see bug 798410.
++ // The odd CSS causes the <th> to not be a LayoutTableCell,
++ // and the ARIA role causes it to fall through to here, because
++ // it is not an ARIA/HTML column/row header.
++ if (!layout_object_ || !layout_object_->IsTableCell())
++ return kCellRole; // <th role="gridcell">.
++
+ // Check the previous cell and the next cell on the same row.
+ LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
+ AccessibilityRole header_role = kCellRole;
+diff --git
a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+index 64cc1d575f..b764fb6145 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
+ }
+ #endif
+ InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
++
++#if DEBUG_AUDIONODE_REFERENCES
++ fprintf(
++ stderr,
++ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
++ Context(), this, GetNodeType(), connection_ref_count_,
++ node_count_[GetNodeType()],
++ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
++#endif
+ }
+
+ AudioHandler::~AudioHandler() {
+@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
+ InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
+ #if DEBUG_AUDIONODE_REFERENCES
+ --node_count_[GetNodeType()];
+- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d
[%d]\n",
+- Context(), this, GetNodeType(), connection_ref_count_,
+- node_count_[GetNodeType()]);
++ fprintf(
++ stderr,
++ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
++ "%u\n",
++ Context(), this, GetNodeType(), connection_ref_count_,
++ node_count_[GetNodeType()],
++ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
+ #endif
+ }
+
+@@ -542,9 +555,25 @@ void AudioNode::Dispose() {
+ #endif
+ BaseAudioContext::AutoLocker locker(context());
+ Handler().Dispose();
+- if (context()->ContextState() == BaseAudioContext::kRunning) {
+- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+- std::move(handler_));
++ if (context()->HasRealtimeConstraint()) {
++ // Add the handler to the orphan list if the context is not
++ // closed. (Nothing will clean up the orphan list if the context
++ // is closed.) These will get cleaned up in the post render task
++ // if audio thread is running or when the context is colleced (in
++ // the worst case).
++ if (context()->ContextState() != BaseAudioContext::kClosed) {
++ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
++ std::move(handler_));
++ }
++ } else {
++ // For an offline context, only need to save the handler when the
++ // context is running. The change in the context state is
++ // synchronous with the main thread (even though the offline
++ // thread is not synchronized to the main thread).
++ if (context()->ContextState() == BaseAudioContext::kRunning) {
++ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
++ std::move(handler_));
++ }
+ }
+ }
+
+diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
+index 1dd672bea4..a3e295e285 100644
+--- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
++++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
+@@ -235,6 +235,7 @@ template <typename D, typename S> D SkTo(S s) {
+ #define SK_MaxU32 0xFFFFFFFF
+ #define SK_MinU32 0
+ #define SK_NaN32 ((int) (1U << 31))
++#define SK_MaxSizeT SIZE_MAX
+
+ /** Returns true if the value can be represented with signed 16bits
+ */
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
+index 6eff790c85..947c125b27 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
+@@ -10,6 +10,8 @@
+ #include "SkFloatBits.h"
+ #include "SkFloatingPoint.h"
+ #include "SkScalar.h"
++#include "SkSafeMath.h"
++
+
+ #define sub_shift(zeros, x, n) \
+ zeros -= n; \
+@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) {
+ }
+ return sinValue;
+ }
++
++///////////////////////////////////////////////////////////////////////////////////////////////////
++
++size_t SkSafeMath::Add(size_t x, size_t y) {
++ SkSafeMath tmp;
++ size_t sum = tmp.add(x, y);
++ return tmp.ok() ? sum : SK_MaxSizeT;
++}
++
++size_t SkSafeMath::Mul(size_t x, size_t y) {
++ SkSafeMath tmp;
++ size_t prod = tmp.mul(x, y);
++ return tmp.ok() ? prod : SK_MaxSizeT;
++}
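Review bot: `SkSafeMath::Add` and `Mul` return `SK_MaxSizeT` on overflow instead of signalling failure, so the callers added later in this patch (the two `makeSpace` calls in GrBufferAllocPool.cpp) depend on an allocation request of `SIZE_MAX` bytes being rejected cleanly rather than on any explicit check; that is a sound saturation pattern only if `makeSpace` fails safely on an impossible size, which is not shown here and is worth confirming. A short header comment on each definition stating that contract, `// Saturates to SK_MaxSizeT on overflow; callers must treat that value as a failed request.`, would make the dependency visible at the definition site. The include hunk above also leaves two consecutive blank lines after `#include "SkSafeMath.h"`.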
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
+index 094e6717e6..33008ead35 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
+@@ -9,7 +9,7 @@
+ #include "SkOnce.h"
+ #include "SkPath.h"
+ #include "SkPathRef.h"
+-#include <limits>
++#include "SkSafeMath.h"
+
+ //////////////////////////////////////////////////////////////////////////////
+ SkPathRef::Editor::Editor(sk_sp<SkPathRef>* pathRef,
+@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount,
int* ptCountPtr
+ return false;
+ }
+
++ SkSafeMath safe;
+ int ptCount = 0;
+ int conicCount = 0;
+ for (int i = 0; i < vCount; ++i) {
+ switch (verbs[i]) {
+ case SkPath::kMove_Verb:
+ case SkPath::kLine_Verb:
+- ptCount += 1;
++ ptCount = safe.addInt(ptCount, 1);
+ break;
+ case SkPath::kConic_Verb:
+ conicCount += 1;
+ // fall-through
+ case SkPath::kQuad_Verb:
+- ptCount += 2;
++ ptCount = safe.addInt(ptCount, 2);
+ break;
+ case SkPath::kCubic_Verb:
+- ptCount += 3;
++ ptCount = safe.addInt(ptCount, 3);
+ break;
+ case SkPath::kClose_Verb:
+ break;
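Review bot: `conicCount += 1;` in the `kConic_Verb` case stays a plain increment while all three `ptCount` updates now go through `safe.addInt`, which reads as an oversight at first glance. It cannot actually overflow — it grows by at most one per iteration of a loop bounded by the `int vCount` — so either route it through `safe.addInt(conicCount, 1)` for uniformity or mark it with `// bounded by vCount, cannot overflow`. The `if (!safe) return false;` that makes the `ptCount` guards effective is in the next hunk, and the function's opening lines are before this one.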
+@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int*
ptCountPtr
+ return false;
+ }
+ }
++ if (!safe) {
++ return false;
++ }
+ *ptCountPtr = ptCount;
+ *conicCountPtr = conicCount;
+ return true;
+@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb,
SkScalar weight) {
+ dirtyAfterEdit = false;
+ pCnt = 0;
+ }
++ SkSafeMath safe;
++ int newPointCnt = safe.addInt(fPointCnt, pCnt);
++ int newVerbCnt = safe.addInt(fVerbCnt, 1);
++ if (!safe) {
++ SK_ABORT("cannot grow path");
++ }
+ size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
+ this->makeSpace(space);
+ this->fVerbs[~fVerbCnt] = verb;
+ SkPoint* ret = fPoints + fPointCnt;
+- fVerbCnt += 1;
+- fPointCnt += pCnt;
++ fVerbCnt = newVerbCnt;
++ fPointCnt = newPointCnt;
+ fFreeSpace -= space;
+ fBoundsIsDirty = true; // this also invalidates fIsFinite
+ if (dirtyAfterEdit) {
+diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+index 91200fbb56..74089633ae 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
++++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+@@ -28,6 +28,25 @@ public:
+ return result;
+ }
+
++ /**
++ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK
will
++ * be set to false, and it is undefined what this returns.
++ */
++ int addInt(int a, int b) {
++ if (b < 0 && a < std::numeric_limits<int>::min() - b) {
++ fOK = false;
++ return a;
++ } else if (b > 0 && a > std::numeric_limits<int>::max() - b)
{
++ fOK = false;
++ return a;
++ }
++ return a + b;
++ }
++
++ // These saturate to their results
++ static size_t Add(size_t x, size_t y);
++ static size_t Mul(size_t x, size_t y);
++
+ private:
+ uint32_t mul32(uint32_t x, uint32_t y) {
+ uint64_t bx = x;
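Review bot: The comment `// These saturate to their results` on the new `Add`/`Mul` declarations does not say what the saturation value is; `// On overflow these return SK_MaxSizeT instead of a wrapped value.` tells callers what to compare against. `addInt` uses `std::numeric_limits`, so `<limits>` must be reachable from this header; SkPathRef.cpp drops its own `<limits>` include in favour of `SkSafeMath.h` in the same patch, which makes that transitive dependency worth confirming (the header's include block is outside the hunk). The doc comment says the overflow return is undefined while the code returns `a`; that is fine as a contract, but it means callers must only consume the result after `if (!safe)`, as deduce_pts_conics and growForVerb do.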
+diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+index 286d9d140c..d2dfed9de1 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t
srcSize,
+ unsigned n = *src++;
+ if (n <= 127) { // repeat count (n + 1)
+ n += 1;
+- if (dst >(endDst - n)) {
++ if (dst > (endDst - n) || src >= stop) {
+ return 0;
+ }
+ memset(dst, *src++, n);
+ } else { // same count (n - 127)
+ n -= 127;
+- if (dst > (endDst - n)) {
++ if (dst > (endDst - n) || src > (stop - n)) {
+ return 0;
+ }
+ memcpy(dst, src, n);
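Review bot: The new source-side checks close the over-read, but `stop - n` (like the pre-existing `endDst - n`) forms a pointer before the start of the buffer whenever `n` exceeds the bytes remaining, which is undefined pointer arithmetic even though the comparison then correctly fails; comparing lengths avoids that: `if (n > static_cast<size_t>(endDst - dst) || n > static_cast<size_t>(stop - src)) {` for the same-count branch, and `n > static_cast<size_t>(endDst - dst) || src >= stop` for the repeat branch. The length form needs `src <= stop` and `dst <= endDst` to hold at the top of every iteration, which the new checks guarantee once the loop is entered; the loop header and the declarations of `stop`/`endDst` are outside the hunk, so the initial condition should be confirmed there.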
+@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t
srcSize,
+ dst += n;
+ }
+ SkASSERT(src <= stop);
++ SkASSERT(dst <= endDst);
+ return SkToInt(dst - origDst);
+ }
+diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+index 2dc7677afc..773b13e0c1 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
++++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+@@ -36,7 +36,7 @@ public:
+ @param srcSize Number of bytes of src to unpack
+ @param dst Buffer (allocated by caller) to expand the src[] into.
+ @param dstSize Number of bytes in the output buffer.
+- @return the number of bytes written into dst.
++ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too
small.
+ */
+ static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
+ size_t dstSize);
+diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+index 3096ae5eeb..050b5db164 100644
+--- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
++++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+@@ -13,7 +13,7 @@
+ #include "GrGpu.h"
+ #include "GrResourceProvider.h"
+ #include "GrTypes.h"
+-
++#include "SkSafeMath.h"
+ #include "SkTraceEvent.h"
+
+ #ifdef SK_DEBUG
+@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
+ SkASSERT(startVertex);
+
+ size_t offset SK_INIT_TO_AVOID_WARNING;
+- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
++ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
+ vertexSize,
+ buffer,
+ &offset);
+@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
+ SkASSERT(startIndex);
+
+ size_t offset SK_INIT_TO_AVOID_WARNING;
+- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
++ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
+ sizeof(uint16_t),
+ buffer,
+ &offset);
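Review bot: `SkSafeMath::Mul(indexCount, sizeof(uint16_t))` converts the `int indexCount` to `size_t` implicitly, so a negative count becomes a huge value that silently saturates to `SK_MaxSizeT` instead of being reported as a caller bug; `SkASSERT(indexCount >= 0);` before the call, or `SkTo<size_t>(indexCount)` (the SkTypes.h conversion template touched earlier in this patch), makes the contract explicit. The same applies to `vertexCount` in the previous hunk if it is also an `int` — its declaration is outside that hunk. Both call sites rely on `makeSpace` rejecting a `SIZE_MAX` request cleanly, which is not shown here.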
+diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc
b/src/3rdparty/chromium/url/url_canon_etc.cc
+index 31e9fb5cfa..bbc46270a1 100644
+--- a/src/3rdparty/chromium/url/url_canon_etc.cc
++++ b/src/3rdparty/chromium/url/url_canon_etc.cc
+@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec,
+ return true;
+ }
+
++// clang-format off
++// Percent-escape all "C0 controls" (0x00-0x1F)
++//
https://infra.spec.whatwg.org/#c0-control along with the characters ' '
++// (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and
'`' (0x60):
++const bool kShouldEscapeCharInRef[0x80] = {
++// Control characters (0x00-0x1F)
++ true, true, true, true, true, true, true, true,
++ true, true, true, true, true, true, true, true,
++ true, true, true, true, true, true, true, true,
++ true, true, true, true, true, true, true, true,
++// ' ' ! " # $ % & '
++ true, false, true, false, false, false, false, false,
++// ( ) * + , - . /
++ false, false, false, false, false, false, false, false,
++// 0 1 2 3 4 5 6 7
++ false, false, false, false, false, false, false, false,
++// 8 9 : ; < = > ?
++ false, false, false, false, true, false, true, false,
++// @ A B C D E F G
++ false, false, false, false, false, false, false, false,
++// H I J K L M N O
++ false, false, false, false, false, false, false, false,
++// P Q R S T U V W
++ false, false, false, false, false, false, false, false,
++// X Y Z [ \ ] ^ _
++ false, false, false, false, false, false, false, false,
++// ` a b c d e f g
++ true, false, false, false, false, false, false, false,
++// h i j k l m n o
++ false, false, false, false, false, false, false, false,
++// p q r s t u v w
++ false, false, false, false, false, false, false, false,
++// x y z { | } ~
++ false, false, false, false, false, false, false
++};
++// clang-format on
++
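Review bot: `kShouldEscapeCharInRef[0x80]` is initialized with 127 values — the last row stops at `~` (0x7E) — so index 0x7F (DEL) is zero-initialized to `false` and passes through unescaped; as I recall the URL spec's C0 control percent-encode set also covers U+007F, so this looks like a one-entry gap rather than a choice. If leaving DEL unescaped is intended, the last row should say so, `// x y z { | } ~ DEL (DEL deliberately not escaped)`; if not, append a `true` for 0x7F so the table has an explicit entry for every index. Either way an explicit 128th initializer removes the reliance on aggregate zero-fill for the one position most likely to be missed.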
+ template<typename CHAR, typename UCHAR>
+ void DoCanonicalizeRef(const CHAR* spec,
+ const Component& ref,
+@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec,
+ if (spec[i] == 0) {
+ // IE just strips NULLs, so we do too.
+ continue;
+- } else if (static_cast<UCHAR>(spec[i]) < 0x20) {
+- // Unline IE seems to, we escape control characters. This will probably
+- // make the reference fragment unusable on a web page, but people
+- // shouldn't be using control characters in their anchor names.
+- AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
+- } else if (static_cast<UCHAR>(spec[i]) < 0x80) {
+- // Normal ASCII characters are just appended.
+- output->push_back(static_cast<char>(spec[i]));
++ }
++
++ UCHAR current_char = static_cast<UCHAR>(spec[i]);
++ if (current_char < 0x80) {
++ if (kShouldEscapeCharInRef[current_char])
++ AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
++ else
++ output->push_back(static_cast<char>(spec[i]));
+ } else {
+- // Non-ASCII characters are appended unescaped, but only when they are
+- // valid. Invalid Unicode characters are replaced with the "invalid
+- // character" as IE seems to (ReadUTFChar puts the unicode replacement
+- // character in the output on failure for us).
+- unsigned code_point;
+- ReadUTFChar(spec, &i, end, &code_point);
+- AppendUTF8Value(code_point, output);
++ AppendUTF8EscapedChar(spec, &i, end, output);
+ }
+ }
+
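Review bot: The removed comment block that explained how non-ASCII characters are handled is not replaced, so the new `else` branch carries no explanation of why `AppendUTF8EscapedChar` is now used; a one-liner such as `// Non-ASCII characters are percent-escaped as UTF-8 rather than appended raw.` keeps the intent of the change readable next to the code. The `if`/`else` around the table lookup is brace-less; that matches surrounding style but is the kind of spot where a later added line silently changes meaning. The enclosing `DoCanonicalizeRef` begins and ends outside this hunk.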
+diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
+index 5eee300cc3..7026268b77 100644
+--- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
++++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
+@@ -248,6 +248,7 @@ void
AstTraversalVisitor<Subclass>::VisitForStatement(ForStatement* stmt) {
+ template <class Subclass>
+ void AstTraversalVisitor<Subclass>::VisitForInStatement(ForInStatement* stmt) {
+ PROCESS_NODE(stmt);
++ RECURSE(Visit(stmt->each()));
+ RECURSE(Visit(stmt->enumerable()));
+ RECURSE(Visit(stmt->body()));
+ }
+diff --git a/src/3rdparty/chromium/v8/src/elements.cc
b/src/3rdparty/chromium/v8/src/elements.cc
+index 716cc00b9a..bc89c77047 100644
+--- a/src/3rdparty/chromium/v8/src/elements.cc
++++ b/src/3rdparty/chromium/v8/src/elements.cc
+@@ -518,6 +518,21 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
+ return Just<int64_t>(-1);
+ }
+
++// The InternalElementsAccessor is a helper class to expose otherwise protected
++// methods to its subclasses. Namely, we don't want to publicly expose methods
++// that take an entry (instead of an index) as an argument.
++class InternalElementsAccessor : public ElementsAccessor {
++ public:
++ explicit InternalElementsAccessor(const char* name)
++ : ElementsAccessor(name) {}
++
++ virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder,
++ FixedArrayBase* backing_store,
++ uint32_t index) = 0;
++
++ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
++};
++
+ // Base class for element handler implementations. Contains the
+ // the common logic for objects with different ElementsKinds.
+ // Subclasses must specialize method for which the element
+@@ -536,10 +551,10 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
+ // CRTP to guarantee aggressive compile time optimizations (i.e. inlining and
+ // specialization of SomeElementsAccessor methods).
+ template <typename Subclass, typename ElementsTraitsParam>
+-class ElementsAccessorBase : public ElementsAccessor {
++class ElementsAccessorBase : public InternalElementsAccessor {
+ public:
+ explicit ElementsAccessorBase(const char* name)
+- : ElementsAccessor(name) { }
++ : InternalElementsAccessor(name) {}
+
+ typedef ElementsTraitsParam ElementsTraits;
+ typedef typename ElementsTraitsParam::BackingStore BackingStore;
+@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor {
+ Isolate* isolate, Handle<JSObject> object,
+ Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
+ PropertyFilter filter) {
+- int count = 0;
++ DCHECK_EQ(*nof_items, 0);
+ KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
+ ALL_PROPERTIES);
+ Subclass::CollectElementIndicesImpl(
+ object, handle(object->elements(), isolate), &accumulator);
+ Handle<FixedArray> keys = accumulator.GetKeys();
+
+- for (int i = 0; i < keys->length(); ++i) {
++ int count = 0;
++ int i = 0;
++ Handle<Map> original_map(object->map(), isolate);
++
++ for (; i < keys->length(); ++i) {
+ Handle<Object> key(keys->get(i), isolate);
+- Handle<Object> value;
+ uint32_t index;
+ if (!key->ToUint32(&index)) continue;
+
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry = Subclass::GetEntryForIndexImpl(
+ isolate, *object, object->elements(), index, filter);
+ if (entry == kMaxUInt32) continue;
+
+ PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
+
++ Handle<Object> value;
+ if (details.kind() == kData) {
+ value = Subclass::GetImpl(isolate, object->elements(), entry);
+ } else {
++ // This might modify the elements and/or change the elements kind.
+ LookupIterator it(isolate, object, index, LookupIterator::OWN);
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+ isolate, value, Object::GetProperty(&it), Nothing<bool>());
+ }
+- if (get_entries) {
+- value = MakeEntryPair(isolate, index, value);
++ if (get_entries) value = MakeEntryPair(isolate, index, value);
++ values_or_entries->set(count++, *value);
++ if (object->map() != *original_map) break;
++ }
++
++ // Slow path caused by changes in elements kind during iteration.
++ for (; i < keys->length(); i++) {
++ Handle<Object> key(keys->get(i), isolate);
++ uint32_t index;
++ if (!key->ToUint32(&index)) continue;
++
++ if (filter & ONLY_ENUMERABLE) {
++ InternalElementsAccessor* accessor =
++ reinterpret_cast<InternalElementsAccessor*>(
++ object->GetElementsAccessor());
++
++ uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
++ object->elements(), index);
++ if (entry == kMaxUInt32) continue;
++ PropertyDetails details = accessor->GetDetails(*object, entry);
++ if (!details.IsEnumerable()) continue;
+ }
++
++ Handle<Object> value;
++ LookupIterator it(isolate, object, index, LookupIterator::OWN);
++ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
++ Nothing<bool>());
++
++ if (get_entries) value = MakeEntryPair(isolate, index, value);
+ values_or_entries->set(count++, *value);
+ }
+
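Review bot: `reinterpret_cast<InternalElementsAccessor*>(object->GetElementsAccessor())` in the slow path is a base-to-derived downcast (the earlier hunk declares `InternalElementsAccessor : public ElementsAccessor`), so `static_cast<InternalElementsAccessor*>(...)` is the correct named cast: the compiler verifies the hierarchy relationship, and the cast stops compiling rather than silently misbehaving if the classes are ever restructured. The cast is sound only under the assumption that every accessor returned by `GetElementsAccessor()` derives from `InternalElementsAccessor`, which holds if all concrete accessors go through `ElementsAccessorBase` as the second hunk suggests; a one-line comment stating that invariant at the cast site would help. The enclosing method's signature begins before this hunk.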
+@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor
+ return result;
+ }
+ }
+-
++ Handle<Map> original_map(receiver->map(), isolate);
+ Handle<SeededNumberDictionary> dictionary(
+ SeededNumberDictionary::cast(receiver->elements()), isolate);
+ // Iterate through entire range, as accessing elements out of order is
+ // observable
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(receiver->map(), *original_map);
+ int entry = dictionary->FindEntry(isolate, k);
+ if (entry == SeededNumberDictionary::kNotFound) {
+ if (search_for_hole) return Just(true);
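Review bot: `DCHECK_EQ(receiver->map(), *original_map)` is compiled out in release builds, so it documents rather than enforces that nothing in the loop body can change the receiver's elements while the `dictionary` handle taken before the loop is still used; that is fine if no code below the check (the rest of the loop is outside this hunk) can run user script, but it is worth confirming, since the GetEntries hunk earlier in this file needed a real `if (object->map() != *original_map) break;` for exactly that situation. The same DCHECK-only pattern appears in the three later hunks of this file (the second DictionaryElementsAccessor hunk and both SloppyArgumentsElementsAccessor hunks); the same question applies to each.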
+@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
+
++ Handle<Map> original_map(receiver->map(), isolate);
+ Handle<SeededNumberDictionary> dictionary(
+ SeededNumberDictionary::cast(receiver->elements()), isolate);
+ // Iterate through entire range, as accessing elements out of order is
+ // observable.
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(receiver->map(), *original_map);
+ int entry = dictionary->FindEntry(isolate, k);
+- if (entry == SeededNumberDictionary::kNotFound) {
+- continue;
+- }
++ if (entry == SeededNumberDictionary::kNotFound) continue;
+
+ PropertyDetails details = GetDetailsImpl(*dictionary, entry);
+ switch (details.kind()) {
+@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor
+ Handle<Object> value,
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
+- Handle<Map> original_map = handle(object->map(), isolate);
++ Handle<Map> original_map(object->map(), isolate);
+ Handle<SloppyArgumentsElements> elements(
+ SloppyArgumentsElements::cast(object->elements()), isolate);
+ bool search_for_hole = value->IsUndefined(isolate);
+
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry =
+ GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
+ if (entry == kMaxUInt32) {
+@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor
+ Handle<Object> value,
+ uint32_t start_from, uint32_t length) {
+ DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
+- Handle<Map> original_map = handle(object->map(), isolate);
++ Handle<Map> original_map(object->map(), isolate);
+ Handle<SloppyArgumentsElements> elements(
+ SloppyArgumentsElements::cast(object->elements()), isolate);
+
+ for (uint32_t k = start_from; k < length; ++k) {
++ DCHECK_EQ(object->map(), *original_map);
+ uint32_t entry =
+ GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
+ if (entry == kMaxUInt32) {
+diff --git a/src/3rdparty/chromium/v8/src/elements.h
b/src/3rdparty/chromium/v8/src/elements.h
+index 9e64764bb0..350264daae 100644
+--- a/src/3rdparty/chromium/v8/src/elements.h
++++ b/src/3rdparty/chromium/v8/src/elements.h
+@@ -52,7 +52,6 @@ class ElementsAccessor {
+
+ virtual Handle<Object> Get(Handle<JSObject> holder, uint32_t entry) = 0;
+
+- virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
+ virtual bool HasAccessors(JSObject* holder) = 0;
+ virtual uint32_t NumberOfElements(JSObject* holder) = 0;
+
+@@ -63,8 +62,6 @@ class ElementsAccessor {
+ // element that is non-deletable.
+ virtual void SetLength(Handle<JSArray> holder, uint32_t new_length) = 0;
+
+- // Deletes an element in an object.
+- virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
+
+ // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all
+ // of elements from source after source_start to the destination array.
+@@ -122,11 +119,6 @@ class ElementsAccessor {
+
+ virtual void Set(Handle<JSObject> holder, uint32_t entry, Object* value) = 0;
+
+- virtual void Reconfigure(Handle<JSObject> object,
+- Handle<FixedArrayBase> backing_store, uint32_t entry,
+- Handle<Object> value,
+- PropertyAttributes attributes) = 0;
+-
+ virtual void Add(Handle<JSObject> object, uint32_t index,
+ Handle<Object> value, PropertyAttributes attributes,
+ uint32_t new_capacity) = 0;
+@@ -208,6 +200,15 @@ class ElementsAccessor {
+ FixedArrayBase* backing_store,
+ uint32_t index) = 0;
+
++ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
++ virtual void Reconfigure(Handle<JSObject> object,
++ Handle<FixedArrayBase> backing_store, uint32_t entry,
++ Handle<Object> value,
++ PropertyAttributes attributes) = 0;
++
++ // Deletes an element in an object.
++ virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
++
+ // NOTE: this method violates the handlified function signature convention:
+ // raw pointer parameter |source_holder| in the function that allocates.
+ // This is done intentionally to avoid ArrayConcat() builtin performance
+diff --git a/src/3rdparty/chromium/v8/src/js/intl.js
b/src/3rdparty/chromium/v8/src/js/intl.js
+index 1579337fc1..7fc137f5c7 100644
+--- a/src/3rdparty/chromium/v8/src/js/intl.js
++++ b/src/3rdparty/chromium/v8/src/js/intl.js
+@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) {
+ dateMs = TO_NUMBER(dateValue);
+ }
+
+- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
+-
+- return %InternalDateFormat(formatter, new GlobalDate(dateMs));
++ return %InternalDateFormat(formatter, dateMs);
+ }
+
+ DEFINE_METHOD(
+@@ -1706,9 +1704,7 @@ DEFINE_METHOD(
+ dateMs = TO_NUMBER(dateValue);
+ }
+
+- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
+-
+- return %InternalDateFormatToParts(this, new GlobalDate(dateMs));
++ return %InternalDateFormatToParts(this, dateMs);
+ }
+ );
+
+diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
+index 4bd6bebdc7..875fd719ef 100644
+--- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
++++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
+@@ -7,7 +7,7 @@
+ #endif // V8_INTL_SUPPORT
+
+ #include "src/runtime/runtime-utils.h"
+-
++#include <cmath>
+ #include <memory>
+
+ #include "src/api-natives.h"
+@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) {
+ DCHECK_EQ(2, args.length());
+
+ CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
+- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
++ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
+
+- Handle<Object> value;
+- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
++ double date_value = date->Number();
++ // Check for +-Infinity and Nan
++ if (!std::isfinite(date_value)) {
++ THROW_NEW_ERROR_RETURN_FAILURE(
++ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
++ }
+
+ icu::SimpleDateFormat* date_format =
+ DateFormat::UnpackDateFormat(isolate, date_format_holder);
+ CHECK_NOT_NULL(date_format);
+
+ icu::UnicodeString result;
+- date_format->format(value->Number(), result);
++ date_format->format(date_value, result);
+
+ RETURN_RESULT_OR_FAILURE(
+ isolate, isolate->factory()->NewStringFromTwoByte(Vector<const
uint16_t>(
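Review bot: `// Check for +-Infinity and Nan` should read `NaN`, and the identical `std::isfinite` check in the next hunk (`Runtime_InternalDateFormatToParts`) carries no comment at all; either copy the corrected comment there or share one small static helper that throws the RangeError. Behaviourally, the removed JS path wrapped the value in `new GlobalDate(dateMs)`, which — as far as I recall Date semantics — time-clips out-of-range finite values to NaN, whereas `std::isfinite` now lets any finite double reach `date_format->format`; confirm ICU tolerates such values, or reinstate the range check alongside the finiteness check.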
+@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
+ DCHECK_EQ(2, args.length());
+
+ CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
+- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
++ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
+
+- Handle<Object> value;
+- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
++ double date_value = date->Number();
++ if (!std::isfinite(date_value)) {
++ THROW_NEW_ERROR_RETURN_FAILURE(
++ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
++ }
+
+ icu::SimpleDateFormat* date_format =
+ DateFormat::UnpackDateFormat(isolate, date_format_holder);
+@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
+ icu::FieldPositionIterator fp_iter;
+ icu::FieldPosition fp;
+ UErrorCode status = U_ZERO_ERROR;
+- date_format->format(value->Number(), formatted, &fp_iter, status);
++ date_format->format(date_value, formatted, &fp_iter, status);
+ if (U_FAILURE(status)) return isolate->heap()->undefined_value();
+
+ Handle<JSArray> result = factory->NewJSArray(0);
+--
+2.14.3
+