From 635c366f482ac6d4ce000694e9ac0613e225b133 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sat, 16 Jun 2018 08:29:33 -0500 Subject: [PATCH] 5.11.0 drop shadow build (to match other qt5 packages where it has been problematic) drop upstreamed patches rebase no-icudtl-dat.patch pull in upstream gcc8 FTBFS fix update clean_ffmpeg whitelist patches needswork: system-nspr-prtime,system-icu-utf,no-sse2,skia-neon,icu59 minimal debug/debuginfo (for now) use macros %make_build %ldconfig_scriptlets %__ninja %__ninja_common_opts --- .gitignore | 1 + 0002-Fix-build-with-GCC-8.1.0.patch | 84 ++ clean_ffmpeg.sh | 19 +- clean_qtwebengine.sh | 2 +- qt5-qtwebengine.spec | 88 +- ...e-src-5.10.0-no-aspirational-scripts.patch | 86 -- ...-everywhere-src-5.10.1-CVE-2018-6033.patch | 64 - ...everywhere-src-5.10.1-security-5.9.5.patch | 1245 ----------------- ...-everywhere-src-5.11.0-no-icudtl-dat.patch | 22 +- sources | 2 +- 10 files changed, 163 insertions(+), 1450 deletions(-) create mode 100644 0002-Fix-build-with-GCC-8.1.0.patch delete mode 100644 qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch delete mode 100644 qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch delete mode 100644 qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch rename qtwebengine-opensource-src-5.6.0-no-icudtl-dat.patch => qtwebengine-everywhere-src-5.11.0-no-icudtl-dat.patch (63%) diff --git a/.gitignore b/.gitignore index ef889b6..a4bcc76 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /qtwebengine-opensource-src-5.9.3-clean.tar.xz /qtwebengine-everywhere-src-5.10.0-clean.tar.xz /qtwebengine-everywhere-src-5.10.1-clean.tar.xz +/qtwebengine-everywhere-src-5.11.0-clean.tar.xz diff --git a/0002-Fix-build-with-GCC-8.1.0.patch b/0002-Fix-build-with-GCC-8.1.0.patch new file mode 100644 index 0000000..ee1bfe3 --- /dev/null +++ b/0002-Fix-build-with-GCC-8.1.0.patch 
@@ -0,0 +1,84 @@
+From 96f354df27c2f3c7c1b221b676c7a1af6b3da375 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=BCri=20Valdmann?=
+Date: Mon, 14 May 2018 10:15:50 +0200
+Subject: [PATCH 02/29] Fix build with GCC 8.1.0
+
+Task-number: QTBUG-68203
+Change-Id: I780d884d5e20ef04e902d7b449da4aa3f97d8d0b
+Reviewed-by: Allan Sandfeld Jensen
+---
+ .../mojo/public/cpp/bindings/associated_interface_ptr_info.h | 2 +-
+ .../mojo/public/cpp/bindings/associated_interface_request.h | 2 +-
+ chromium/mojo/public/cpp/bindings/interface_request.h | 2 +-
+ .../mojo/public/cpp/bindings/scoped_interface_endpoint_handle.h | 2 ++
+ chromium/mojo/public/cpp/system/handle.h | 2 +-
+ 5 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/chromium/mojo/public/cpp/bindings/associated_interface_ptr_info.h b/chromium/mojo/public/cpp/bindings/associated_interface_ptr_info.h
+index 1f79662bd7..184ba6a9e8 100644
+--- a/chromium/mojo/public/cpp/bindings/associated_interface_ptr_info.h
++++ b/chromium/mojo/public/cpp/bindings/associated_interface_ptr_info.h
+@@ -45,7 +45,7 @@ class AssociatedInterfacePtrInfo {
+
+ bool is_valid() const { return handle_.is_valid(); }
+
+- explicit operator bool() const { return handle_; }
++ explicit operator bool() const { return !!handle_; }
+
+ ScopedInterfaceEndpointHandle PassHandle() {
+ return std::move(handle_);
+diff --git a/chromium/mojo/public/cpp/bindings/associated_interface_request.h b/chromium/mojo/public/cpp/bindings/associated_interface_request.h
+index 12d2f3ce1d..fcdc2b9321 100644
+--- a/chromium/mojo/public/cpp/bindings/associated_interface_request.h
++++ b/chromium/mojo/public/cpp/bindings/associated_interface_request.h
+@@ -50,7 +50,7 @@ class AssociatedInterfaceRequest {
+ // handle.
+ bool is_pending() const { return handle_.is_valid(); }
+
+- explicit operator bool() const { return handle_; }
++ explicit operator bool() const { return !!handle_; }
+
+ ScopedInterfaceEndpointHandle PassHandle() { return std::move(handle_); }
+
+diff --git a/chromium/mojo/public/cpp/bindings/interface_request.h b/chromium/mojo/public/cpp/bindings/interface_request.h
+index 1007cb0b8c..da1f3244a3 100644
+--- a/chromium/mojo/public/cpp/bindings/interface_request.h
++++ b/chromium/mojo/public/cpp/bindings/interface_request.h
+@@ -54,7 +54,7 @@ class InterfaceRequest {
+ // Indicates whether the request currently contains a valid message pipe.
+ bool is_pending() const { return handle_.is_valid(); }
+
+- explicit operator bool() const { return handle_; }
++ explicit operator bool() const { return !!handle_; }
+
+ // Removes the message pipe from the request and returns it.
+ ScopedMessagePipeHandle PassMessagePipe() { return std::move(handle_); }
+diff --git a/chromium/mojo/public/cpp/bindings/scoped_interface_endpoint_handle.h b/chromium/mojo/public/cpp/bindings/scoped_interface_endpoint_handle.h
+index 5d00e5019e..ef8a927ba6 100644
+--- a/chromium/mojo/public/cpp/bindings/scoped_interface_endpoint_handle.h
++++ b/chromium/mojo/public/cpp/bindings/scoped_interface_endpoint_handle.h
+@@ -45,6 +45,8 @@ class MOJO_CPP_BINDINGS_EXPORT ScopedInterfaceEndpointHandle {
+
+ bool is_valid() const;
+
++ explicit operator bool() const { return is_valid(); }
++
+ // Returns true if the interface hasn't associated with a message pipe.
+ bool pending_association() const;
+
+diff --git a/chromium/mojo/public/cpp/system/handle.h b/chromium/mojo/public/cpp/system/handle.h
+index 7c886e8825..c9f9e961db 100644
+--- a/chromium/mojo/public/cpp/system/handle.h
++++ b/chromium/mojo/public/cpp/system/handle.h
+@@ -121,7 +121,7 @@ class ScopedHandleBase {
+
+ bool is_valid() const { return handle_.is_valid(); }
+
+- explicit operator bool() const { return handle_; }
++ explicit operator bool() const { return !!handle_; }
+
+ bool operator==(const ScopedHandleBase& other) const {
+ return handle_.value() == other.get().value();
+--
+2.17.1
+
diff --git a/clean_ffmpeg.sh b/clean_ffmpeg.sh
index 51b6854..77f0b57 100755
--- a/clean_ffmpeg.sh
+++ b/clean_ffmpeg.sh
@@ -99,10 +99,15 @@ header_files=" libavutil/x86/asm.h \
 libavcodec/arm/vp56_arith.h \
 libavcodec/arm/vp8.h \
 libavcodec/arm/vp8dsp.h \
+ libavcodec/aac_ac3_parser.h \
+ libavcodec/ac3_parser_internal.h \
+ libavcodec/ac3.h \
+ libavcodec/adts_header.h \
 libavcodec/avcodec.h \
 libavcodec/blockdsp.h \
 libavcodec/bytestream.h \
 libavcodec/dct.h \
+ libavcodec/dct32.h \
 libavcodec/dsputil.h \
 libavcodec/dv_profile_internal.h \
 libavcodec/error_resilience.h \
@@ -119,12 +124,19 @@ header_files=" libavutil/x86/asm.h \
 libavcodec/h264pred.h \
 libavcodec/hpeldsp.h \
 libavcodec/hwaccel.h \
+ libavcodec/hwaccels.h \
 libavcodec/idctdsp.h \
 libavcodec/internal.h \
 libavcodec/mathops.h \
+ libavcodec/mdct15.h \
 libavcodec/me_cmp.h \
 libavcodec/motion_est.h \
+ libavcodec/mpegaudio_tablegen.h \
+ libavcodec/mpegaudiodectab.h \
+ libavcodec/mpegaudiodsp.h \
+ libavcodec/mpeg12.h \
 libavcodec/mpeg12data.h \
+ libavcodec/mpeg12vlc.h \
 libavcodec/mpegpicture.h \
 libavcodec/mpegutils.h \
 libavcodec/mpegvideo.h \
@@ -132,6 +144,8 @@ header_files=" libavutil/x86/asm.h \ libavcodec/mpegvideoencdsp.h \ libavcodec/old_codec_ids.h \ libavcodec/options_table.h \ + libavcodec/opus_celt.h \ + libavcodec/opus_pvq.h \ libavcodec/opus_rc.h \ libavcodec/pcm_tablegen.h \ libavcodec/pel_template.c \ @@ -211,12 +225,15 @@ manual_files=" libavutil/x86/x86inc.asm \ libavutil/x86/float_dsp.asm \ libavutil/x86/lls.asm \ libavcodec/bit_depth_template.c \ + libavcodec/dct32_template.c \ libavcodec/fft_template.c \ libavcodec/h264pred_template.c \ libavcodec/hpel_template.c \ libavcodec/hpeldsp_template.c \ libavcodec/mdct_template.c \ - libavcodec/pel_template.c \ + libavcodec/mpegaudiodec_template.c \ + libavcodec/mpegaudiodsp_template.c + libavcodec/mpegaudiodsp.c \ libavcodec/videodsp_template.c \ libavcodec/flacdec.c \ libavcodec/flacdsp.c \ diff --git a/clean_qtwebengine.sh b/clean_qtwebengine.sh index cc3fe6a..3b3ae9a 100755 --- a/clean_qtwebengine.sh +++ b/clean_qtwebengine.sh @@ -21,7 +21,7 @@ if [ -z "$1" ] ; then echo "usage: ./clean_qtwebengine.sh VERSION" - echo "e.g.: ./clean_qtwebengine.sh 5.10.0" + echo "e.g.: ./clean_qtwebengine.sh 5.11.0" exit 1 fi diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec index 5939aaa..5f66bf2 100644 --- a/qt5-qtwebengine.spec +++ b/qt5-qtwebengine.spec @@ -6,7 +6,7 @@ # define to build docs, need to undef this for bootstrapping # where qt5-qttools (qt5-doctools) builds are not yet available # disable on Rawhide for now -%if 0%{?fedora} < 28 +%if 0%{?fedora} < 29 %global docs 1 %endif @@ -23,7 +23,8 @@ # the QMake CONFIG flags to force debugging information to be produced in # release builds, and for all parts of the code -%ifarch %{arm} +#ifarch %{arm} +%if 1 # the ARM builder runs out of memory during linking with the full setting below, # so omit debugging information for the parts upstream deems it dispensable for # (webcore, v8base) 
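Review bot: The added `libavcodec/mpegaudiodsp_template.c` entry in the `manual_files` hunk has no trailing backslash, unlike every other entry in the list. Because the list sits inside a double-quoted string this only embeds a newline and is probably harmless if the variable is later expanded unquoted, but that use and the closing quote are outside the hunk; write it as `libavcodec/mpegaudiodsp_template.c \` to match the rest. Since this whitelist decides which FFmpeg files stay in the cleaned tarball, a short comment on why the non-template `mpegaudiodsp.c` is kept by hand would also help the next rebase.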
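Review bot: The `%if 1` that replaces `%ifarch %{arm}` makes the reduced-debuginfo branch unconditional, but the comment kept below it still explains the choice by the ARM builder running out of memory during linking. State why it now applies to every architecture, e.g. `# temporarily use the reduced debuginfo settings on all arches (5.11.0 bring-up)`, so the original conditional is restored later rather than forgotten. rpm also expands macros inside `#` comment lines, so the disabled line is safer as `#ifarch %%{arm}`; the same applies to `#ifarch %{ix86}` in the `%files` hunk further down. The rest of this conditional lies outside the hunk.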
@@ -49,8 +50,8 @@ Summary: Qt5 - QtWebEngine components Name: qt5-qtwebengine -Version: 5.10.1 -Release: 7%{?dist} +Version: 5.11.0 +Release: 1%{?dist} # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html @@ -58,7 +59,7 @@ Release: 7%{?dist} License: (LGPLv2 with exceptions or GPLv3 with exceptions) and BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2) URL: http://www.qt.io # cleaned tarball with patent-encumbered codecs removed from the bundled FFmpeg -# wget http://download.qt.io/official_releases/qt/5.10/5.10.1/submodules/qtwebengine-everywhere-src-5.10.1.tar.xz +# wget http://download.qt.io/official_releases/qt/5.11/5.11.0/submodules/qtwebengine-everywhere-src-5.11.0.tar.xz # ./clean_qtwebengine.sh 5.10.1 Source0: qtwebengine-everywhere-src-%{version}-clean.tar.xz # cleanup scripts used above @@ -73,7 +74,7 @@ Patch0: qtwebengine-everywhere-src-5.10.0-linux-pri.patch # resulting warnings - not upstreamable as is because it removes the fallback # mechanism for the ICU data directory (which is not used in our builds because # we use the system ICU, which embeds the data statically) completely -Patch1: qtwebengine-opensource-src-5.6.0-no-icudtl-dat.patch +Patch1: qtwebengine-everywhere-src-5.11.0-no-icudtl-dat.patch # fix extractCFlag to also look in QMAKE_CFLAGS_RELEASE, needed to detect the # ARM flags with our %%qmake_qt5 macro, including for the next patch Patch2: qtwebengine-opensource-src-5.9.0-fix-extractcflag.patch 
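Review bot: The updated `wget` comment in the Source0 hunk still fetches the upstream tarball over plain `http://`, and the context line after it still reads `./clean_qtwebengine.sh 5.10.1`. As this comment is the documented recipe for regenerating Source0, I would write `# wget https://download.qt.io/official_releases/qt/5.11/5.11.0/submodules/qtwebengine-everywhere-src-5.11.0.tar.xz` and `# ./clean_qtwebengine.sh 5.11.0`, and add a line about checking the download against upstream's published checksum, if one is available, before cleaning. The hash in `sources` presumably covers only the cleaned tarball, so it does not vouch for the input that was downloaded.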
@@ -118,20 +119,7 @@ Patch22: qtwebengine-everywhere-src-5.10.0-icu59.patch # to get the value we expect (and chromium checks for). Patch by spot. Patch23: qtwebengine-everywhere-src-5.10.1-gcc8-alignof.patch ## Upstream patches: -# drop support for obsolete Unicode "aspirational scripts" (dropped in UTS 31), -# fixes #error with ICU >= 60 (which was a reminder to double-check the list) -# see: http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts -# backport of: https://chromium-review.googlesource.com/c/chromium/src/+/731871 -Patch100: qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch -# forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146) -# see the patch metadata for the list of fixed CVEs and Chromium bug IDs -# omit the Chromium bug 806122 fix because we do not ship that FFmpeg file -Patch101: qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch -# fix incomplete (and thus having no effect) fix for CVE-2018-6033 in 5.10.1 -# (forward-ported from 5.9.5, will also be included in 5.11) -Patch102: qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch -# From 5.11 branch, fix build against Qt 5.11.x -Patch103: 0027-Fix-compilation-of-simplebrowser-example.patch +Patch102: 0002-Fix-build-with-GCC-8.1.0.patch # handled by qt5-srpm-macros, which defines %%qt5_qtwebengine_arches ExclusiveArch: %{qt5_qtwebengine_arches} 
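Review bot: Removing the security-5.9.5 and CVE-2018-6033 patches rests only on the commit message's "drop upstreamed patches"; the deleted comment says the CVE-2018-6033 fix "will also be included in 5.11", but nothing left in the spec records that every fix forward-ported from 5.9.5 is present in the 5.11.0 tarball. A short comment under `## Upstream patches:` stating that this was checked, and against which Chromium patch level, would make the removal auditable. The new `Patch102: 0002-Fix-build-with-GCC-8.1.0.patch` also lacks the origin comment the other patches carry, e.g. `# upstream fix for FTBFS with GCC 8 (QTBUG-68203)`, and it reuses the number that previously named the CVE-2018-6033 patch, which is easy to misread in later history.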
@@ -371,20 +359,27 @@ BuildArch: noarch %if !0%{?arm_neon} %patch3 -p1 -b .no-neon %endif -%patch4 -p1 -b .system-nspr-prtime -%patch5 -p1 -b .system-icu-utf -%patch6 -p1 -b .no-sse2 + +## upstream patches +pushd src/3rdparty/chromium +%patch102 -p2 -b .0002 +popd + +##FIXME/TODO rebase +#patch4 -p1 -b .system-nspr-prtime +#patch5 -p1 -b .system-icu-utf +#patch6 -p1 -b .no-sse2 +%ifarch %{ix86} +#global sse2 1 +%endif %patch9 -p1 -b .arm-fpu-fix %patch10 -p1 -b .openmax-dl-neon -%patch11 -p1 -b .skia-neon +#patch11 -p1 -b .skia-neon %patch12 -p1 -b .webrtc-neon-detect %patch21 -p1 -b .gn-bootstrap-verbose -%patch22 -p1 -b .icu59 +#patch22 -p1 -b .icu59 %patch23 -p1 -b .gcc8 -%patch100 -p1 -b .no-aspirational-scripts -%patch101 -p1 -b .security-5.9.5 -%patch102 -p1 -b .CVE-2018-6033 -%patch103 -p1 -b .0027 + # fix // in #include in content/renderer/gpu to avoid debugedit failure sed -i -e 's!gpu//!gpu/!g' \ src/3rdparty/chromium/content/renderer/gpu/compositor_forwarding_message_filter.cc @@ -427,27 +422,23 @@ cp -p src/3rdparty/chromium/LICENSE LICENSE.Chromium %build export STRIP=strip -export NINJAFLAGS="-v %{_smp_mflags}" -export NINJA_PATH=%{_bindir}/ninja-build - -mkdir %{_target_platform} -pushd %{_target_platform} +export NINJAFLAGS="%{__ninja_common_opts}" +export NINJA_PATH=%{__ninja} %{qmake_qt5} CONFIG+="%{debug_config}" \ - QMAKE_EXTRA_ARGS+="-system-webengine-icu" .. + QMAKE_EXTRA_ARGS+="-system-webengine-icu" . -make %{?_smp_mflags} +%make_build %if 0%{?docs} -make %{?_smp_mflags} docs +%make_build docs %endif -popd %install -make install INSTALL_ROOT=%{buildroot} -C %{_target_platform} +make install INSTALL_ROOT=%{buildroot} %if 0%{?docs} -make install_docs INSTALL_ROOT=%{buildroot} -C %{_target_platform} +make install_docs INSTALL_ROOT=%{buildroot} %endif # rpm macros 
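Review bot: Commenting out `%patch4` (system-nspr-prtime) and `%patch5` (system-icu-utf) in `%prep` presumably makes the build fall back to the bundled copies of that code, which then no longer pick up fixes shipped in the system libraries. The `##FIXME/TODO rebase` marker should say so, e.g. `# FIXME: patches 4, 5, 6, 11, 22 not yet rebased on 5.11; bundled prtime/ICU UTF code in use until then`. The `%ifarch %{ix86}` block now holds only the commented `#global sse2 1`, so it is empty and `%if 0%{?sse2}` in `%files` can never be true; a one-line comment there would make clear this is deliberate while the no-sse2 patch is disabled.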
@@ -489,8 +480,7 @@ sed -i -e "s|%{version} \${_Qt5WebEngine|%{lesser_version} \${_Qt5WebEngine|" \ %{buildroot}%{_qt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake -%post -p /sbin/ldconfig -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %filetriggerin -- %{_datadir}/myspell while read filename ; do @@ -509,7 +499,8 @@ done %{_qt5_bindir}/qwebengine_convert_dict %{_qt5_libdir}/qt5/qml/* %{_qt5_libdir}/qt5/libexec/QtWebEngineProcess -%ifarch %{ix86} +#ifarch %{ix86} +%if 0%{?sse2} # shared V8 library and its SSE2 version %{_qt5_libdir}/qtwebengine/ %endif @@ -590,6 +581,17 @@ done %changelog +* Thu Jun 14 2018 Rex Dieter - 5.11.0-1 +- 5.11.0 +- drop shadow build (to match other qt5 packages where it has been problematic) +- drop upstreamed patches +- rebase no-icudtl-dat.patch +- pull in upstream gcc8 FTBFS fix +- update clean_ffmpeg whitelist +- patches needswork: system-nspr-prtime,system-icu-utf,no-sse2,skia-neon,icu59 +- minimal debug/debuginfo (for now) +- use macros %%make_build %%ldconfig_scriptlets %%__ninja %%__ninja_common_opts + * Sun May 27 2018 Rex Dieter - 5.10.1-7 - rebuild (qt5 5.11.0) - Add patch by spot from the Fedora Chromium RPM for FTBFS with GCC 8 on i686 diff --git a/qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch b/qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch deleted file mode 100644 index 967f452..0000000 --- a/qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -diff -ur qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/components/url_formatter/idn_spoof_checker.cc qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts/src/3rdparty/chromium/components/url_formatter/idn_spoof_checker.cc ---- qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/components/url_formatter/idn_spoof_checker.cc 2017-11-28 14:06:53.000000000 +0100 -+++ qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts/src/3rdparty/chromium/components/url_formatter/idn_spoof_checker.cc 2017-12-25 19:38:17.621271052 +0100 -@@ -331,39 +331,6 @@ - const icu::UnicodeSet* inclusion_set = uspoof_getInclusionUnicodeSet(status); - allowed_set.addAll(*inclusion_set); - --// Five aspirational scripts are taken from UTR 31 Table 6 at --// http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts . --// Not all the characters of aspirational scripts are suitable for --// identifiers. Therefore, only characters belonging to --// [:Identifier_Type=Aspirational:] (listed in 'Status/Type=Aspirational' --// section at --// http://www.unicode.org/Public/security/latest/xidmodifications.txt) are --// are added to the allowed set. The list has to be updated when a new --// version of Unicode is released. The current version is 9.0.0 and ICU 60 --// will have Unicode 10.0 data. 
--#if U_ICU_VERSION_MAJOR_NUM < 60 -- const icu::UnicodeSet aspirational_scripts( -- icu::UnicodeString( -- // Unified Canadian Syllabics -- "[\\u1401-\\u166C\\u166F-\\u167F" -- // Mongolian -- "\\u1810-\\u1819\\u1820-\\u1877\\u1880-\\u18AA" -- // Unified Canadian Syllabics -- "\\u18B0-\\u18F5" -- // Tifinagh -- "\\u2D30-\\u2D67\\u2D7F" -- // Yi -- "\\uA000-\\uA48C" -- // Miao -- "\\U00016F00-\\U00016F44\\U00016F50-\\U00016F7E" -- "\\U00016F8F-\\U00016F9F]", -- -1, US_INV), -- *status); -- allowed_set.addAll(aspirational_scripts); --#else --#error "Update aspirational_scripts per Unicode 10.0" --#endif -- - // The sections below refer to Mozilla's IDN blacklist: - // http://kb.mozillazine.org/Network.IDN.blacklist_chars - // -diff -ur qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/components/url_formatter/url_formatter_unittest.cc qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts/src/3rdparty/chromium/components/url_formatter/url_formatter_unittest.cc ---- qtwebengine-everywhere-src-5.10.0/src/3rdparty/chromium/components/url_formatter/url_formatter_unittest.cc 2017-11-28 14:06:53.000000000 +0100 -+++ qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts/src/3rdparty/chromium/components/url_formatter/url_formatter_unittest.cc 2017-12-25 19:38:17.621271052 +0100 -@@ -132,22 +132,24 @@ - {"xn---123-kbjl2j0bl2k.in", L"\x0939\x093f\x0928\x094d\x0926\x0940-123.in", - true}, - -- // 5 Aspirational scripts -+ // What used to be 5 Aspirational scripts in the earlier versions of UAX 31. -+ // UAX 31 does not define aspirational scripts any more. -+ // See http://www.unicode.org/reports/tr31/#Aspirational_Use_Scripts . 
- // Unifieid Canadian Syllabary -- {"xn--dfe0tte.ca", L"\x1456\x14c2\x14ef.ca", true}, -+ {"xn--dfe0tte.ca", L"\x1456\x14c2\x14ef.ca", false}, - // Tifinagh - {"xn--4ljxa2bb4a6bxb.ma", L"\x2d5c\x2d49\x2d3c\x2d49\x2d4f\x2d30\x2d56.ma", -- true}, -+ false}, - // Tifinagh with a disallowed character(U+2D6F) - {"xn--hmjzaby5d5f.ma", L"\x2d5c\x2d49\x2d3c\x2d6f\x2d49\x2d4f.ma", false}, - // Yi -- {"xn--4o7a6e1x64c.cn", L"\xa188\xa320\xa071\xa0b7.cn", true}, -+ {"xn--4o7a6e1x64c.cn", L"\xa188\xa320\xa071\xa0b7.cn", false}, - // Mongolian - 'ordu' (place, camp) -- {"xn--56ec8bp.cn", L"\x1823\x1837\x1833\x1824.cn", true}, -+ {"xn--56ec8bp.cn", L"\x1823\x1837\x1833\x1824.cn", false}, - // Mongolian with a disallowed character - {"xn--95e5de3ds.cn", L"\x1823\x1837\x1804\x1833\x1824.cn", false}, - // Miao/Pollad -- {"xn--2u0fpf0a.cn", L"\U00016f04\U00016f62\U00016f59.cn", true}, -+ {"xn--2u0fpf0a.cn", L"\U00016f04\U00016f62\U00016f59.cn", false}, - - // Script mixing tests - // The following script combinations are allowed. -@@ -606,7 +608,7 @@ - L"a\x144a" - L"b.com", - false}, -- {"xn--xcec9s.com", L"\x1401\x144a\x1402.com", true}, -+ {"xn--xcec9s.com", L"\x1401\x144a\x1402.com", false}, - - // Custom dangerous patterns - // Two Katakana-Hiragana combining mark in a row diff --git a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch deleted file mode 100644 index 8b97a2c..0000000 --- a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 1fd21185614dcae0c7a6e5647ba56cff0120f563 Mon Sep 17 00:00:00 2001 -Message-Id: <1fd21185614dcae0c7a6e5647ba56cff0120f563.1521386919.git.kevin.kofler@chello.at> -From: Michal Klocek -Date: Wed, 7 Mar 2018 18:36:25 +0100 -Subject: [PATCH] Implement IsMostRecentDownloadItemAtFilePath call - -Implement IsMostRecentDownloadItemAtFilePath -for download_manager_delegate_qt. This is required for -CVE-2018-6033. - -Change-Id: I9f48dfa159d684f0fda894e68b81ff622aceaae2 -Reviewed-by: Allan Sandfeld Jensen ---- - src/core/download_manager_delegate_qt.cpp | 20 ++++++++++++++++++++ - src/core/download_manager_delegate_qt.h | 2 ++ - 2 files changed, 22 insertions(+) - -diff --git a/src/core/download_manager_delegate_qt.cpp b/src/core/download_manager_delegate_qt.cpp -index 40df9b3a..487a831e 100644 ---- a/src/core/download_manager_delegate_qt.cpp -+++ b/src/core/download_manager_delegate_qt.cpp -@@ -293,6 +293,26 @@ void DownloadManagerDelegateQt::ChooseSavePath(content::WebContents *web_content - m_weakPtrFactory.GetWeakPtr())); - } - -+bool DownloadManagerDelegateQt::IsMostRecentDownloadItemAtFilePath(content::DownloadItem *download) -+{ -+ content::BrowserContext *context = download->GetBrowserContext(); -+ std::vector all_downloads; -+ -+ content::DownloadManager* manager = -+ content::BrowserContext::GetDownloadManager(context); -+ if (manager) -+ manager->GetAllDownloads(&all_downloads); -+ -+ for (const auto* item : all_downloads) { -+ if (item->GetGuid() == download->GetGuid() || -+ item->GetTargetFilePath() != download->GetTargetFilePath()) -+ continue; -+ if (item->GetState() == content::DownloadItem::IN_PROGRESS) -+ return false; -+ } -+ return true; -+} -+ - void DownloadManagerDelegateQt::savePackageDownloadCreated(content::DownloadItem *item) - { - OnDownloadUpdated(item); -diff --git a/src/core/download_manager_delegate_qt.h b/src/core/download_manager_delegate_qt.h -index df43211e..7563d5d3 100644 ---- 
a/src/core/download_manager_delegate_qt.h -+++ b/src/core/download_manager_delegate_qt.h -@@ -81,6 +81,8 @@ public: - const base::FilePath::StringType &default_extension, - bool can_save_as_complete, - const content::SavePackagePathPickedCallback &callback) override; -+ bool IsMostRecentDownloadItemAtFilePath(content::DownloadItem* download) override; -+ - - void cancelDownload(quint32 downloadId); - void pauseDownload(quint32 downloadId); --- -2.14.3 - diff --git a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch deleted file mode 100644 index 78b3e55..0000000 --- a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch +++ /dev/null 
@@ -1,1245 +0,0 @@ -From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Michal Klocek -Date: Thu, 8 Mar 2018 11:26:33 +0100 -Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg - fix) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[Backport] CVE-2017-15429 - -Only open windows with js URLs if the entered window has access - -It's not enough to check that the current window has access, if other -security checks failed and the entered window shouldn't have access to -the current window. - -BUG=788453 -R=haraken@chromium.org,mkwst@chromium.org - -Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01 -Reviewed-on: https://chromium-review.googlesource.com/792934 -Commit-Queue: Jochen Eisinger -Reviewed-by: Mike West -Reviewed-by: Kentaro Hara -Reviewed-by: Yuki Shiino -Cr-Commit-Position: refs/heads/master@{#519683} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6069 - -check for bad buffers in Unpack8 - -Bug:799918 -Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c -Reviewed-on: https://skia-review.googlesource.com/92841 -Commit-Queue: Mike Reed -Reviewed-by: Florin Malita -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6071 - -detect too many points - -Bug:777318 -Change-Id: Idb52688b6ee4ae020004400da995620c1f548559 -Reviewed-on: https://skia-review.googlesource.com/73821 -Commit-Queue: Mike Reed -Reviewed-by: Herb Derby -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 770734 - -Fix a crash in TemplateURLParser. - -It was caused by dereferencing an invalid URL during parsing. 
- -Bug: 770734 -Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a -Reviewed-on: https://chromium-review.googlesource.com/773902 -Commit-Queue: Vasilii Sukhanov -Reviewed-by: Peter Kasting -Cr-Commit-Position: refs/heads/master@{#517751} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 774833 - -Intl.DateTimeFormat: throw RangeError for non-finite input - -intl.js throws an exception when datetime-value to format is -Infinity or NaN, but there was a way to thwart the check. - -Moreover, intl.js and runtime-intl.cc have unnecessary conversions -of 'Number->Date->Number'. I removed the unnecessary conversion -and made 'Number' be passed to %InternalDateFormat. With this -streamlining, the work-around mentioned above does not work -anymore. - -Add a check in runtime_intl.cc for Infinity/NaN and throw a -RangeError. - -Add invalid-time test for invalid datetime-values passed to -Intl.DateTimeFormat.format(). - -Bug: chromium:774833 -Test: intl/date-format/invalid-time.js -Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng -Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee -Reviewed-on: https://chromium-review.googlesource.com/724860 -Commit-Queue: Jungshik Shin -Reviewed-by: Adam Klein -Cr-Commit-Position: refs/heads/master@{#48765} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6073 - -Fix CopyTexImage behavior when cubemap workaround is involved. - -The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params -in order to upload data to textures correctly. 
- -BUG=804118 -TEST=tests in the bug -R=piman@chromium.org -TBR=zmo@chromium.org -NOTRY=true - -(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22) - -Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel -Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa -Reviewed-on: https://chromium-review.googlesource.com/892282 -Commit-Queue: Zhenyao Mo -Reviewed-by: Antoine Labour -Reviewed-by: Kai Ninomiya -Cr-Original-Commit-Position: refs/heads/master@{#532749} -Reviewed-on: https://chromium-review.googlesource.com/895907 -Reviewed-by: Zhenyao Mo -Cr-Commit-Position: refs/branch-heads/3325@{#208} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6076 - -Percent-encode UTF8 characters in URL fragment identifiers. - -This brings us into line with Firefox, Safari, and the spec. - -Bug: 758523 -Reviewed-on: https://chromium-review.googlesource.com/668363 -Commit-Queue: Mike West -Reviewed-by: Jochen Eisinger -Reviewed-by: Andy Paicu -Cr-Commit-Position: refs/heads/master@{#507481} - -Encode ' ', '"', '<', '>', and '`' in URL fragments. - -Implements the changes to fragment processing described in -https://github.com/whatwg/url/pull/347, which adds a new "fragment -percent-encode set" which contains the C0 control percent-encode set, -along with: - -* 0x20 SPACE -* 0x22 (") -* 0x3C (<) -* 0x3E (>) -* 0x60 (`) - -This brings our implementation into line with Firefox. 
- -Bug: 758523 -Reviewed-on: https://chromium-review.googlesource.com/719004 -Commit-Queue: Mike West -Reviewed-by: Jochen Eisinger -Cr-Commit-Position: refs/heads/master@{#523383} - -Change-Id: I25de642017ccb69473626a327ad194b3431a11ed -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6079 - -Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data. - -In linux and android, we are seeing an issue where texture data from one -tab overwrites the texture data of another tab. This is happening for apps -which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D. -Due to a bug in virtual context save/restore code for above texture formats, -the texture data is not properly restored while switching tabs. Hence -texture data from one tab overwrites other. - -This CL has fix for that issue, an update for existing test expectations -and a new unit test for this bug. - -Bug: 788448 -Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel -Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28 -Reviewed-on: https://chromium-review.googlesource.com/930327 -Reviewed-by: Zhenyao Mo -Commit-Queue: vikas soni -Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd) -Reviewed-on: https://chromium-review.googlesource.com/939878 -Cr-Commit-Position: refs/branch-heads/3325@{#610} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6081 - -Fix XSS in supervised user interstitial - -BUG=797525 - -Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93 -Reviewed-on: https://chromium-review.googlesource.com/844075 -Reviewed-by: Bernhard Bauer -Commit-Queue: Rob Wu -Cr-Commit-Position: refs/heads/master@{#526158} 
-Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6082 - -Remove port 22 from the set of allowed FTP ports. - -The collision with SSH ports caused some possible concerns with being -able to enumerate internal hosts. Analysis shows that Internet hosts -supporting FTP over port 22 are a small fraction, and likely not -accessed over the web. - -Bug: 767354 -Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0 -Reviewed-on: https://chromium-review.googlesource.com/860753 -Reviewed-by: Matt Menke -Commit-Queue: Christopher Thompson -Cr-Commit-Position: refs/heads/master@{#528461} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6064 - -[elements] Fix Object.entries/values with changing elements - -Drive-by-cleanup: -- Add InternalElementsAccessor to expose protected instance methods -to ElementsAccessor subclasses. -- Make some more ElementsAccessor methods protected that take the -raw entry as parameter. - -Bug: chromium:798644 -Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c -Reviewed-on: https://chromium-review.googlesource.com/856816 -Commit-Queue: Camillo Bruni -Reviewed-by: Jakob Kummerow -Cr-Commit-Position: refs/heads/master@{#50480} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6062 - -use safemath::mull for buffer sizes - -Bug:780104 -Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff -Reviewed-on: https://skia-review.googlesource.com/95760 -Reviewed-by: Brian Salomon -Commit-Queue: Mike Reed -(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d) -Reviewed-on: https://skia-review.googlesource.com/101780 -Reviewed-by: Allan Sandfeld Jensen - -[Backport] CVE-2018-6060 - -Keep AudioHandlers alive until they can be safely deleted. - -When an AudioNode is disposed, the handler is also disposed. But add -the handler to the orphan list so that the handler stays alive until -the context can safely delete it. 
If we don't do this, the handler -may get deleted while the audio thread is processing the handler (due -to, say, channel count changes and such). - -For an realtime context, save the handler if the context is not closed. -(Nothing will clean up the handler if the context is closed.) - -For an offline context, only need to do this when the context is -running because the context is guaranteed to be stopped if we're not -in the running state. Hence, there's no possibility of deleting the -handler while the graph is running. - -Bug: 780919 -Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87 -Reviewed-on: https://chromium-review.googlesource.com/868841 -Reviewed-by: Hongchan Choi -Commit-Queue: Raymond Toy -Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed) -Reviewed-on: https://chromium-review.googlesource.com/893626 -Reviewed-by: Raymond Toy -Cr-Commit-Position: refs/branch-heads/3325@{#180} -Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} -Reviewed-by: Allan Sandfeld Jensen - -[Backport] Security Bug 798410 - -Crash fix for th with role gridcell in a table with nontraditional css - -Do not assume we can use ToLayoutCell() in an object that can be created -for an ARIA cell and may not be associated with an actual table cell. 
-
-Bug: 798410
-Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
-Reviewed-on: https://chromium-review.googlesource.com/906953
-Commit-Queue: Aaron Leventhal
-Reviewed-by: Nektarios Paisios
-Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
-Reviewed-on: https://chromium-review.googlesource.com/916527
-Reviewed-by: Aaron Leventhal
-Cr-Commit-Position: refs/branch-heads/3325@{#447}
-Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
-Reviewed-by: Allan Sandfeld Jensen
-
-[Backport] Security Bug 789764
-
-[parser] Fix func numbering inside for in.
-
-BUG=chromium:789764
-
-Change-Id: I6a466660159721683c4979af32019d740094151b
-Reviewed-on: https://chromium-review.googlesource.com/803217
-Reviewed-by: Ross McIlroy
-Reviewed-by: Jochen Eisinger
-Commit-Queue: Marja Hölttä
-Cr-Commit-Position: refs/heads/master@{#49795}
-Reviewed-by: Allan Sandfeld Jensen
----
- .../search_engines/template_url_parser.cc | 2 +-
- .../supervised_user_block_interstitial.js | 8 +--
- .../gpu/command_buffer/service/context_state.cc | 34 +++++++++-
- .../gpu/command_buffer/service/texture_manager.cc | 6 +--
- chromium/net/base/port_util.cc | 3 +-
- .../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++
- .../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +-
- .../Source/modules/accessibility/AXTableCell.cpp | 8 +++
- .../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++--
- chromium/third_party/skia/include/core/SkTypes.h | 1 +
- chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++
- chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++--
- chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++
- .../third_party/skia/src/effects/SkPackBits.cpp | 5 +-
- chromium/third_party/skia/src/effects/SkPackBits.h | 2 +-
- .../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +-
- chromium/url/url_canon_etc.cc | 61 ++++++++++++-----
- 
chromium/v8/src/ast/ast-traversal-visitor.h | 1 +
- chromium/v8/src/elements.cc | 76 ++++++++++++++++++----
- chromium/v8/src/elements.h | 17 ++---
- chromium/v8/src/js/intl.js | 8 +--
- chromium/v8/src/runtime/runtime-intl.cc | 25 ++++---
- 22 files changed, 293 insertions(+), 82 deletions(-)
-
-diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
-index 64b1385e05..476d879b5f 100644
---- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
-+++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
-@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
- return;
-
- GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
-- if (url.is_empty())
-+ if (!url.is_valid())
- return;
-
- // If there is a parameter filter, parse the existing URL and remove any
-diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
-index d6b9327584..bee21be919 100644
---- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
-+++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
-@@ -67,8 +67,8 @@ function initialize() {
- $('custodian-avatar-img').style.content =
- makeImageSet(avatarURL1x, avatarURL2x);
- }
-- $('custodian-name').innerHTML = custodianName;
-- $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail');
-+ $('custodian-name').textContent = custodianName;
-+ $('custodian-email').textContent = loadTimeData.getString('custodianEmail');
- var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
- var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
- var secondCustodianName = 
loadTimeData.getString('secondCustodianName');
-@@ -79,8 +79,8 @@ function initialize() {
- $('second-custodian-avatar-img').style.content =
- makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
- }
-- $('second-custodian-name').innerHTML = secondCustodianName;
-- $('second-custodian-email').innerHTML = loadTimeData.getString(
-+ $('second-custodian-name').textContent = secondCustodianName;
-+ $('second-custodian-email').textContent = loadTimeData.getString(
- 'secondCustodianEmail');
- }
- }
-diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
-index 3c71d38b25..1b1d647c36 100644
---- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
-+++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
-@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
- ? unit.bound_texture_2d->service_id() : 0;
- }
-
-+GLuint Get2dArrayServiceId(const TextureUnit& unit) {
-+ return unit.bound_texture_2d_array.get()
-+ ? unit.bound_texture_2d_array->service_id()
-+ : 0;
-+}
-+
-+GLuint Get3dServiceId(const TextureUnit& unit) {
-+ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
-+}
-+
- GLuint GetCubeServiceId(const TextureUnit& unit) {
- return unit.bound_texture_cube_map.get()
- ? 
unit.bound_texture_cube_map->service_id() : 0;
-@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
- DCHECK_LT(unit, texture_units.size());
- const TextureUnit& texture_unit = texture_units[unit];
- GLuint service_id_2d = Get2dServiceId(texture_unit);
-+ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
-+ GLuint service_id_3d = Get3dServiceId(texture_unit);
- GLuint service_id_cube = GetCubeServiceId(texture_unit);
- GLuint service_id_oes = GetOesServiceId(texture_unit);
- GLuint service_id_arb = GetArbServiceId(texture_unit);
-@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
- feature_info_->feature_flags().oes_egl_image_external ||
- feature_info_->feature_flags().nv_egl_stream_consumer_external;
- bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
-+ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
-+ // So set it to FALSE by default.
-+ bool bind_texture_2d_array = false;
-+ bool bind_texture_3d = false;
-+ // set the variables to true only if the application is ES3 or newer
-+ if (feature_info_->IsES3Capable()) {
-+ bind_texture_2d_array = true;
-+ bind_texture_3d = true;
-+ }
-
- if (prev_state) {
- const TextureUnit& prev_unit = prev_state->texture_units[unit];
- bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
-+ bind_texture_2d_array =
-+ service_id_2d_array != Get2dArrayServiceId(prev_unit);
-+ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
- bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
- bind_texture_oes =
- bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
-@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
- }
-
- // Early-out if nothing has changed from the previous state.
-- if (!bind_texture_2d && !bind_texture_cube
-- && !bind_texture_oes && !bind_texture_arb) {
-+ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d &&
-+ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
- return;
- }
-
-@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
- if (bind_texture_arb) {
- glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
- }
-+ if (bind_texture_2d_array) {
-+ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
-+ }
-+ if (bind_texture_3d) {
-+ glBindTexture(GL_TEXTURE_3D, service_id_3d);
-+ }
- }
-
- void ContextState::RestoreSamplerBinding(GLuint unit,
-diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
-index f56e04f411..cac58af031 100644
---- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
-+++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
-@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
- TextureRef* texture_ref,
- const char* function_name,
- const DoTexImageArguments& args) {
-- // This workaround code does not work with an unpack buffer bound.
-- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
--
- std::vector undefined_faces;
- Texture* texture = texture_ref->texture();
- if (texture_state->force_cube_complete ||
-@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
- DoTexImageArguments new_args = args;
- std::unique_ptr zero(new char[args.pixels_size]);
- memset(zero.get(), 0, args.pixels_size);
-+ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
-+ state->PushTextureDecompressionUnpackState();
- for (GLenum face : undefined_faces) {
- new_args.target = face;
- new_args.pixels = zero.get();
-@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
- function_name, texture_ref, new_args);
- texture->MarkLevelAsInternalWorkaround(face, args.level);
- }
-+ state->RestoreUnpackState();
- }
-
- void TextureManager::ValidateAndDoTexImage(
-diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc
-index 543d9db943..83c9821398 100644
---- a/src/3rdparty/chromium/net/base/port_util.cc
-+++ b/src/3rdparty/chromium/net/base/port_util.cc
-@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
- // KURL::port())
- };
-
--// FTP overrides the following restricted ports.
-+// FTP overrides the following restricted port.
- const int kAllowedFtpPorts[] = {
- 21, // ftp data
-- 22, // ssh
- };
-
- base::LazyInstance>::Leaky g_explicitly_allowed_ports =
-diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
-index 90883c712f..9abef3a420 100644
---- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
-+++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
-@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
- return;
- }
-
-+ // If the bindings implementation is 100% correct, the current realm and the
-+ // entered realm should be same origin-domain. However, to be on the safe
-+ // side and add some defense in depth, we'll check against the entered realm
-+ // as well here.
-+ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
-+ impl, exception_state)) {
-+ return;
-+ }
-+
- TOSTRING_VOID(V8StringResource,
- url_string, info[0]);
- AtomicString frame_name;
-diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
-index 8ce1574d45..1c5b193eda 100644
---- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
-+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
-@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
- !frame_->GetDocument()->IsSVGDocument())
- return;
-
-+ // Try the raw fragment for HTML documents, but skip it for `svgView()`:
- String fragment_identifier = url.FragmentIdentifier();
-- if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
-+ if (!frame_->GetDocument()->IsSVGDocument() &&
-+ ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
- return;
-+ }
-
- // Try again after decoding the ref, based on the document's encoding.
- if (frame_->GetDocument()->Encoding().IsValid()) {
-diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
-index bbe7147921..1b88d0bd4e 100644
---- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
-+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
-@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
- if (IsColumnHeaderCell())
- return kColumnHeaderRole;
-
-+ // This occurs in an edge case that mixes non-table CSS into a
-+ // table, and , see bug 798410.
-+ // The odd CSS causes the to not be a LayoutTableCell,
-+ // and the ARIA role causes it to fall through to here, because
-+ // it is not an ARIA/HTML column/row header.
-+ if (!layout_object_ || !layout_object_->IsTableCell())
-+ return kCellRole; // .
-+
- // Check the previous cell and the next cell on the same row.
- LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
- AccessibilityRole header_role = kCellRole;
-diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
-index 64cc1d575f..b764fb6145 100644
---- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
-+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
-@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
- }
- #endif
- InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
-+
-+#if DEBUG_AUDIONODE_REFERENCES
-+ fprintf(
-+ stderr,
-+ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
-+ Context(), this, GetNodeType(), connection_ref_count_,
-+ node_count_[GetNodeType()],
-+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
-+#endif
- }
-
- AudioHandler::~AudioHandler() {
-@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
- InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
- #if DEBUG_AUDIONODE_REFERENCES
- --node_count_[GetNodeType()];
-- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n",
-- Context(), this, GetNodeType(), connection_ref_count_,
-- node_count_[GetNodeType()]);
-+ fprintf(
-+ stderr,
-+ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
-+ "%u\n",
-+ Context(), this, GetNodeType(), connection_ref_count_,
-+ node_count_[GetNodeType()],
-+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
- #endif
- }
-
-@@ -542,9 +555,25 
@@ void AudioNode::Dispose() {
- #endif
- BaseAudioContext::AutoLocker locker(context());
- Handler().Dispose();
-- if (context()->ContextState() == BaseAudioContext::kRunning) {
-- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
-- std::move(handler_));
-+ if (context()->HasRealtimeConstraint()) {
-+ // Add the handler to the orphan list if the context is not
-+ // closed. (Nothing will clean up the orphan list if the context
-+ // is closed.) These will get cleaned up in the post render task
-+ // if audio thread is running or when the context is colleced (in
-+ // the worst case).
-+ if (context()->ContextState() != BaseAudioContext::kClosed) {
-+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
-+ std::move(handler_));
-+ }
-+ } else {
-+ // For an offline context, only need to save the handler when the
-+ // context is running. The change in the context state is
-+ // synchronous with the main thread (even though the offline
-+ // thread is not synchronized to the main thread).
-+ if (context()->ContextState() == BaseAudioContext::kRunning) {
-+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
-+ std::move(handler_));
-+ }
- }
- }
-
-diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
-index 1dd672bea4..a3e295e285 100644
---- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
-+++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
-@@ -235,6 +235,7 @@ template D SkTo(S s) {
- #define SK_MaxU32 0xFFFFFFFF
- #define SK_MinU32 0
- #define SK_NaN32 ((int) (1U << 31))
-+#define SK_MaxSizeT SIZE_MAX
-
- /** Returns true if the value can be represented with signed 16bits
- */
-diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
-index 6eff790c85..947c125b27 100644
---- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
-+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
-@@ -10,6 +10,8 @@
- #include "SkFloatBits.h"
- #include "SkFloatingPoint.h"
- #include "SkScalar.h"
-+#include "SkSafeMath.h"
-+
-
- #define sub_shift(zeros, x, n) \
- zeros -= n; \
-@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) {
- }
- return sinValue;
- }
-+
-+///////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+size_t SkSafeMath::Add(size_t x, size_t y) {
-+ SkSafeMath tmp;
-+ size_t sum = tmp.add(x, y);
-+ return tmp.ok() ? sum : SK_MaxSizeT;
-+}
-+
-+size_t SkSafeMath::Mul(size_t x, size_t y) {
-+ SkSafeMath tmp;
-+ size_t prod = tmp.mul(x, y);
-+ return tmp.ok() ? 
prod : SK_MaxSizeT;
-+}
-diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
-index 094e6717e6..33008ead35 100644
---- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
-+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
-@@ -9,7 +9,7 @@
- #include "SkOnce.h"
- #include "SkPath.h"
- #include "SkPathRef.h"
--#include
-+#include "SkSafeMath.h"
-
- //////////////////////////////////////////////////////////////////////////////
- SkPathRef::Editor::Editor(sk_sp* pathRef,
-@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
- return false;
- }
-
-+ SkSafeMath safe;
- int ptCount = 0;
- int conicCount = 0;
- for (int i = 0; i < vCount; ++i) {
- switch (verbs[i]) {
- case SkPath::kMove_Verb:
- case SkPath::kLine_Verb:
-- ptCount += 1;
-+ ptCount = safe.addInt(ptCount, 1);
- break;
- case SkPath::kConic_Verb:
- conicCount += 1;
- // fall-through
- case SkPath::kQuad_Verb:
-- ptCount += 2;
-+ ptCount = safe.addInt(ptCount, 2);
- break;
- case SkPath::kCubic_Verb:
-- ptCount += 3;
-+ ptCount = safe.addInt(ptCount, 3);
- break;
- case SkPath::kClose_Verb:
- break;
-@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
- return false;
- }
- }
-+ if (!safe) {
-+ return false;
-+ }
- *ptCountPtr = ptCount;
- *conicCountPtr = conicCount;
- return true;
-@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) {
- dirtyAfterEdit = false;
- pCnt = 0;
- }
-+ SkSafeMath safe;
-+ int newPointCnt = safe.addInt(fPointCnt, pCnt);
-+ int newVerbCnt = safe.addInt(fVerbCnt, 1);
-+ if (!safe) {
-+ SK_ABORT("cannot grow path");
-+ }
- size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
- this->makeSpace(space);
- this->fVerbs[~fVerbCnt] = verb;
- SkPoint* ret = fPoints + fPointCnt;
-- fVerbCnt += 1;
-- fPointCnt += pCnt;
-+ fVerbCnt = 
newVerbCnt;
-+ fPointCnt = newPointCnt;
- fFreeSpace -= space;
- fBoundsIsDirty = true; // this also invalidates fIsFinite
- if (dirtyAfterEdit) {
-diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
-index 91200fbb56..74089633ae 100644
---- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
-+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
-@@ -28,6 +28,25 @@ public:
- return result;
- }
-
-+ /**
-+ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK will
-+ * be set to false, and it is undefined what this returns.
-+ */
-+ int addInt(int a, int b) {
-+ if (b < 0 && a < std::numeric_limits::min() - b) {
-+ fOK = false;
-+ return a;
-+ } else if (b > 0 && a > std::numeric_limits::max() - b) {
-+ fOK = false;
-+ return a;
-+ }
-+ return a + b;
-+ }
-+
-+ // These saturate to their results
-+ static size_t Add(size_t x, size_t y);
-+ static size_t Mul(size_t x, size_t y);
-+
- private:
- uint32_t mul32(uint32_t x, uint32_t y) {
- uint64_t bx = x;
-diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
-index 286d9d140c..d2dfed9de1 100644
---- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
-+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
-@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
- unsigned n = *src++;
- if (n <= 127) { // repeat count (n + 1)
- n += 1;
-- if (dst >(endDst - n)) {
-+ if (dst > (endDst - n) || src >= stop) {
- return 0;
- }
- memset(dst, *src++, n);
- } else { // same count (n - 127)
- n -= 127;
-- if (dst > (endDst - n)) {
-+ if (dst > (endDst - n) || src > (stop - n)) {
- return 0;
- }
- memcpy(dst, src, n);
-@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
- dst += n;
- }
- 
SkASSERT(src <= stop);
-+ SkASSERT(dst <= endDst);
- return SkToInt(dst - origDst);
- }
-diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
-index 2dc7677afc..773b13e0c1 100644
---- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
-+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
-@@ -36,7 +36,7 @@ public:
- @param srcSize Number of bytes of src to unpack
- @param dst Buffer (allocated by caller) to expand the src[] into.
- @param dstSize Number of bytes in the output buffer.
-- @return the number of bytes written into dst.
-+ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
- */
- static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
- size_t dstSize);
-diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
-index 3096ae5eeb..050b5db164 100644
---- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
-+++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
-@@ -13,7 +13,7 @@
- #include "GrGpu.h"
- #include "GrResourceProvider.h"
- #include "GrTypes.h"
--
-+#include "SkSafeMath.h"
- #include "SkTraceEvent.h"
-
- #ifdef SK_DEBUG
-@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
- SkASSERT(startVertex);
-
- size_t offset SK_INIT_TO_AVOID_WARNING;
-- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
-+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
- vertexSize,
- buffer,
- &offset);
-@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
- SkASSERT(startIndex);
-
- size_t offset SK_INIT_TO_AVOID_WARNING;
-- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
-+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
- 
sizeof(uint16_t),
- buffer,
- &offset);
-diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc b/src/3rdparty/chromium/url/url_canon_etc.cc
-index 31e9fb5cfa..bbc46270a1 100644
---- a/src/3rdparty/chromium/url/url_canon_etc.cc
-+++ b/src/3rdparty/chromium/url/url_canon_etc.cc
-@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec,
- return true;
- }
-
-+// clang-format off
-+// Percent-escape all "C0 controls" (0x00-0x1F)
-+// https://infra.spec.whatwg.org/#c0-control along with the characters ' '
-+// (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and '`' (0x60):
-+const bool kShouldEscapeCharInRef[0x80] = {
-+// Control characters (0x00-0x1F)
-+ true, true, true, true, true, true, true, true,
-+ true, true, true, true, true, true, true, true,
-+ true, true, true, true, true, true, true, true,
-+ true, true, true, true, true, true, true, true,
-+// ' ' ! " # $ % & '
-+ true, false, true, false, false, false, false, false,
-+// ( ) * + , - . /
-+ false, false, false, false, false, false, false, false,
-+// 0 1 2 3 4 5 6 7
-+ false, false, false, false, false, false, false, false,
-+// 8 9 : ; < = > ?
-+ false, false, false, false, true, false, true, false,
-+// @ A B C D E F G
-+ false, false, false, false, false, false, false, false,
-+// H I J K L M N O
-+ false, false, false, false, false, false, false, false,
-+// P Q R S T U V W
-+ false, false, false, false, false, false, false, false,
-+// X Y Z [ \ ] ^ _
-+ false, false, false, false, false, false, false, false,
-+// ` a b c d e f g
-+ true, false, false, false, false, false, false, false,
-+// h i j k l m n o
-+ false, false, false, false, false, false, false, false,
-+// p q r s t u v w
-+ false, false, false, false, false, false, false, false,
-+// x y z { | } ~
-+ false, false, false, false, false, false, false
-+};
-+// clang-format on
-+
- template
- void DoCanonicalizeRef(const CHAR* spec,
- const Component& ref,
-@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec,
- if (spec[i] == 0) {
- // IE just strips NULLs, so we do too.
- continue;
-- } else if (static_cast(spec[i]) < 0x20) {
-- // Unline IE seems to, we escape control characters. This will probably
-- // make the reference fragment unusable on a web page, but people
-- // shouldn't be using control characters in their anchor names.
-- AppendEscapedChar(static_cast(spec[i]), output);
-- } else if (static_cast(spec[i]) < 0x80) {
-- // Normal ASCII characters are just appended.
-- output->push_back(static_cast(spec[i]));
-+ }
-+
-+ UCHAR current_char = static_cast(spec[i]);
-+ if (current_char < 0x80) {
-+ if (kShouldEscapeCharInRef[current_char])
-+ AppendEscapedChar(static_cast(spec[i]), output);
-+ else
-+ output->push_back(static_cast(spec[i]));
- } else {
-- // Non-ASCII characters are appended unescaped, but only when they are
-- // valid. Invalid Unicode characters are replaced with the "invalid
-- // character" as IE seems to (ReadUTFChar puts the unicode replacement
-- // character in the output on failure for us).
-- unsigned code_point;
-- ReadUTFChar(spec, &i, end, &code_point);
-- AppendUTF8Value(code_point, output);
-+ AppendUTF8EscapedChar(spec, &i, end, output);
- }
- }
-
-diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
-index 5eee300cc3..7026268b77 100644
---- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
-+++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
-@@ -248,6 +248,7 @@ void AstTraversalVisitor::VisitForStatement(ForStatement* stmt) {
- template
- void AstTraversalVisitor::VisitForInStatement(ForInStatement* stmt) {
- PROCESS_NODE(stmt);
-+ RECURSE(Visit(stmt->each()));
- RECURSE(Visit(stmt->enumerable()));
- RECURSE(Visit(stmt->body()));
- }
-diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc
-index 716cc00b9a..bc89c77047 100644
---- a/src/3rdparty/chromium/v8/src/elements.cc
-+++ b/src/3rdparty/chromium/v8/src/elements.cc
-@@ -518,6 +518,21 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate,
- return Just(-1);
- }
-
-+// The InternalElementsAccessor is a helper class to expose otherwise protected
-+// methods to its subclasses. Namely, we don't want to publicly expose methods
-+// that take an entry (instead of an index) as an argument.
-+class InternalElementsAccessor : public ElementsAccessor {
-+ public:
-+ explicit InternalElementsAccessor(const char* name)
-+ : ElementsAccessor(name) {}
-+
-+ virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder,
-+ FixedArrayBase* backing_store,
-+ uint32_t index) = 0;
-+
-+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
-+};
-+
- // Base class for element handler implementations. Contains the
- // the common logic for objects with different ElementsKinds.
- // Subclasses must specialize method for which the element
-@@ -536,10 +551,10 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate,
- // CRTP to guarantee aggressive compile time optimizations (i.e. inlining and
- // specialization of SomeElementsAccessor methods).
- template
--class ElementsAccessorBase : public ElementsAccessor {
-+class ElementsAccessorBase : public InternalElementsAccessor {
- public:
- explicit ElementsAccessorBase(const char* name)
-- : ElementsAccessor(name) { }
-+ : InternalElementsAccessor(name) {}
-
- typedef ElementsTraitsParam ElementsTraits;
- typedef typename ElementsTraitsParam::BackingStore BackingStore;
-@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor {
- Isolate* isolate, Handle object,
- Handle values_or_entries, bool get_entries, int* nof_items,
- PropertyFilter filter) {
-- int count = 0;
-+ DCHECK_EQ(*nof_items, 0);
- KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
- ALL_PROPERTIES);
- Subclass::CollectElementIndicesImpl(
- object, handle(object->elements(), isolate), &accumulator);
- Handle keys = accumulator.GetKeys();
-
-- for (int i = 0; i < keys->length(); ++i) {
-+ int count = 0;
-+ int i = 0;
-+ Handle original_map(object->map(), isolate);
-+
-+ for (; i < keys->length(); ++i) {
- Handle key(keys->get(i), isolate);
-- Handle value;
- uint32_t index;
- if (!key->ToUint32(&index)) continue;
-
-+ DCHECK_EQ(object->map(), *original_map);
- uint32_t entry = Subclass::GetEntryForIndexImpl(
- isolate, *object, object->elements(), index, filter);
- if (entry == kMaxUInt32) continue;
-
- PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
-
-+ Handle value;
- if (details.kind() == kData) {
- value = Subclass::GetImpl(isolate, object->elements(), entry);
- } else {
-+ // This might modify the elements and/or change the elements kind.
- LookupIterator it(isolate, object, index, LookupIterator::OWN);
- ASSIGN_RETURN_ON_EXCEPTION_VALUE(
- isolate, value, Object::GetProperty(&it), Nothing());
- }
-- if (get_entries) {
-- value = MakeEntryPair(isolate, index, value);
-+ if (get_entries) value = MakeEntryPair(isolate, index, value);
-+ values_or_entries->set(count++, *value);
-+ if (object->map() != *original_map) break;
-+ }
-+
-+ // Slow path caused by changes in elements kind during iteration.
-+ for (; i < keys->length(); i++) {
-+ Handle key(keys->get(i), isolate);
-+ uint32_t index;
-+ if (!key->ToUint32(&index)) continue;
-+
-+ if (filter & ONLY_ENUMERABLE) {
-+ InternalElementsAccessor* accessor =
-+ reinterpret_cast(
-+ object->GetElementsAccessor());
-+
-+ uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
-+ object->elements(), index);
-+ if (entry == kMaxUInt32) continue;
-+ PropertyDetails details = accessor->GetDetails(*object, entry);
-+ if (!details.IsEnumerable()) continue;
- }
-+
-+ Handle value;
-+ LookupIterator it(isolate, object, index, LookupIterator::OWN);
-+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
-+ Nothing());
-+
-+ if (get_entries) value = MakeEntryPair(isolate, index, value);
- values_or_entries->set(count++, *value);
- }
-
-@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor
- return result;
- }
- }
--
-+ Handle original_map(receiver->map(), isolate);
- Handle dictionary(
- SeededNumberDictionary::cast(receiver->elements()), isolate);
- // Iterate through entire range, as accessing elements out of order is
- // observable
- for (uint32_t k = start_from; k < length; ++k) {
-+ DCHECK_EQ(receiver->map(), *original_map);
- int entry = dictionary->FindEntry(isolate, k);
- if (entry == SeededNumberDictionary::kNotFound) {
- if (search_for_hole) return Just(true);
-@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor
- uint32_t start_from, uint32_t length) {
- DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
- 
-+ Handle original_map(receiver->map(), isolate);
- Handle dictionary(
- SeededNumberDictionary::cast(receiver->elements()), isolate);
- // Iterate through entire range, as accessing elements out of order is
- // observable.
- for (uint32_t k = start_from; k < length; ++k) {
-+ DCHECK_EQ(receiver->map(), *original_map);
- int entry = dictionary->FindEntry(isolate, k);
-- if (entry == SeededNumberDictionary::kNotFound) {
-- continue;
-- }
-+ if (entry == SeededNumberDictionary::kNotFound) continue;
-
- PropertyDetails details = GetDetailsImpl(*dictionary, entry);
- switch (details.kind()) {
-@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor
- Handle value,
- uint32_t start_from, uint32_t length) {
- DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
-- Handle original_map = handle(object->map(), isolate);
-+ Handle original_map(object->map(), isolate);
- Handle elements(
- SloppyArgumentsElements::cast(object->elements()), isolate);
- bool search_for_hole = value->IsUndefined(isolate);
-
- for (uint32_t k = start_from; k < length; ++k) {
-+ DCHECK_EQ(object->map(), *original_map);
- uint32_t entry =
- GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
- if (entry == kMaxUInt32) {
-@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor
- Handle value,
- uint32_t start_from, uint32_t length) {
- DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
-- Handle original_map = handle(object->map(), isolate);
-+ Handle original_map(object->map(), isolate);
- Handle elements(
- SloppyArgumentsElements::cast(object->elements()), isolate);
-
- for (uint32_t k = start_from; k < length; ++k) {
-+ DCHECK_EQ(object->map(), *original_map);
- uint32_t entry =
- GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
- if (entry == kMaxUInt32) {
-diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h
-index 9e64764bb0..350264daae 100644
---- 
a/src/3rdparty/chromium/v8/src/elements.h -+++ b/src/3rdparty/chromium/v8/src/elements.h -@@ -52,7 +52,6 @@ class ElementsAccessor { - - virtual Handle Get(Handle holder, uint32_t entry) = 0; - -- virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; - virtual bool HasAccessors(JSObject* holder) = 0; - virtual uint32_t NumberOfElements(JSObject* holder) = 0; - -@@ -63,8 +62,6 @@ class ElementsAccessor { - // element that is non-deletable. - virtual void SetLength(Handle holder, uint32_t new_length) = 0; - -- // Deletes an element in an object. -- virtual void Delete(Handle holder, uint32_t entry) = 0; - - // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all - // of elements from source after source_start to the destination array. -@@ -122,11 +119,6 @@ class ElementsAccessor { - - virtual void Set(Handle holder, uint32_t entry, Object* value) = 0; - -- virtual void Reconfigure(Handle object, -- Handle backing_store, uint32_t entry, -- Handle value, -- PropertyAttributes attributes) = 0; -- - virtual void Add(Handle object, uint32_t index, - Handle value, PropertyAttributes attributes, - uint32_t new_capacity) = 0; -@@ -208,6 +200,15 @@ class ElementsAccessor { - FixedArrayBase* backing_store, - uint32_t index) = 0; - -+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; -+ virtual void Reconfigure(Handle object, -+ Handle backing_store, uint32_t entry, -+ Handle value, -+ PropertyAttributes attributes) = 0; -+ -+ // Deletes an element in an object. -+ virtual void Delete(Handle holder, uint32_t entry) = 0; -+ - // NOTE: this method violates the handlified function signature convention: - // raw pointer parameter |source_holder| in the function that allocates. 
- // This is done intentionally to avoid ArrayConcat() builtin performance
-diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js
-index 1579337fc1..7fc137f5c7 100644
---- a/src/3rdparty/chromium/v8/src/js/intl.js
-+++ b/src/3rdparty/chromium/v8/src/js/intl.js
-@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) {
- dateMs = TO_NUMBER(dateValue);
- }
-
-- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
--
-- return %InternalDateFormat(formatter, new GlobalDate(dateMs));
-+ return %InternalDateFormat(formatter, dateMs);
- }
-
- DEFINE_METHOD(
-@@ -1706,9 +1704,7 @@ DEFINE_METHOD(
- dateMs = TO_NUMBER(dateValue);
- }
-
-- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
--
-- return %InternalDateFormatToParts(this, new GlobalDate(dateMs));
-+ return %InternalDateFormatToParts(this, dateMs);
- }
- );
-
-diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
-index 4bd6bebdc7..875fd719ef 100644
---- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
-+++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
-@@ -7,7 +7,7 @@
- #endif // V8_INTL_SUPPORT
-
- #include "src/runtime/runtime-utils.h"
--
-+#include
- #include
-
- #include "src/api-natives.h"
-@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) {
- DCHECK_EQ(2, args.length());
-
- CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
-- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
-+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
-
-- Handle value;
-- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
-+ double date_value = date->Number();
-+ // Check for +-Infinity and Nan
-+ if (!std::isfinite(date_value)) {
-+ THROW_NEW_ERROR_RETURN_FAILURE(
-+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
-+ }
-
- icu::SimpleDateFormat* date_format =
- DateFormat::UnpackDateFormat(isolate, date_format_holder);
- CHECK_NOT_NULL(date_format);
-
- icu::UnicodeString result;
-- date_format->format(value->Number(), result);
-+ date_format->format(date_value, result);
-
- RETURN_RESULT_OR_FAILURE(
- isolate, isolate->factory()->NewStringFromTwoByte(Vector(
-@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
- DCHECK_EQ(2, args.length());
-
- CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
-- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
-+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
-
-- Handle value;
-- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
-+ double date_value = date->Number();
-+ if (!std::isfinite(date_value)) {
-+ THROW_NEW_ERROR_RETURN_FAILURE(
-+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
-+ }
-
- icu::SimpleDateFormat* date_format =
- DateFormat::UnpackDateFormat(isolate, date_format_holder);
-@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
- icu::FieldPositionIterator fp_iter;
- icu::FieldPosition fp;
- UErrorCode status = U_ZERO_ERROR;
-- date_format->format(value->Number(), formatted, &fp_iter, status);
-+ date_format->format(date_value, formatted, &fp_iter, status);
- if (U_FAILURE(status)) return isolate->heap()->undefined_value();
-
- Handle result = factory->NewJSArray(0);
---
-2.14.3
-
diff --git a/qtwebengine-opensource-src-5.6.0-no-icudtl-dat.patch b/qtwebengine-everywhere-src-5.11.0-no-icudtl-dat.patch
similarity index 63%
rename from qtwebengine-opensource-src-5.6.0-no-icudtl-dat.patch
rename to qtwebengine-everywhere-src-5.11.0-no-icudtl-dat.patch
index 00cbfc2..59da86e 100644
--- a/qtwebengine-opensource-src-5.6.0-no-icudtl-dat.patch
+++ b/qtwebengine-everywhere-src-5.11.0-no-icudtl-dat.patch
@@ -1,12 +1,17 @@ -diff -ur qtwebengine-opensource-src-5.6.0/src/core/web_engine_library_info.cpp qtwebengine-opensource-src-5.6.0-no-icudtl-dat/src/core/web_engine_library_info.cpp ---- qtwebengine-opensource-src-5.6.0/src/core/web_engine_library_info.cpp 2016-03-03 17:02:28.000000000 +0100 -+++ qtwebengine-opensource-src-5.6.0-no-icudtl-dat/src/core/web_engine_library_info.cpp 2016-03-18 03:08:24.385444415 +0100 -@@ -207,24 +207,7 @@ +diff -up qtwebengine-everywhere-src-5.11.0/src/core/web_engine_library_info.cpp.no-icudtl-dat qtwebengine-everywhere-src-5.11.0/src/core/web_engine_library_info.cpp +--- qtwebengine-everywhere-src-5.11.0/src/core/web_engine_library_info.cpp.no-icudtl-dat 2018-06-14 09:23:48.931195271 -0500 ++++ qtwebengine-everywhere-src-5.11.0/src/core/web_engine_library_info.cpp 2018-06-14 09:27:26.248014325 -0500 +@@ -258,28 +258,12 @@ QString dictionariesPath() + + QString icuDataPath() + { +- static bool initialized = false; + static QString potentialResourcesPath = #if defined(OS_MACOSX) && defined(QT_MAC_FRAMEWORK_BUILD) - return getResourcesPath(frameworkBundle()); + getResourcesPath(frameworkBundle()); #else -- static bool initialized = false; - static QString potentialResourcesPath = QLibraryInfo::location(QLibraryInfo::DataPath) % QLatin1String("/resources"); + QLibraryInfo::location(QLibraryInfo::DataPath) % QLatin1String("/resources"); + #endif - if (!initialized) { - initialized = true; - if (!QFileInfo::exists(potentialResourcesPath % QLatin1String("/icudtl.dat"))) { @@ -22,7 +27,6 @@ diff -ur qtwebengine-opensource-src-5.6.0/src/core/web_engine_library_info.cpp q - potentialResourcesPath = fallbackDir(); - } - } -- + return potentialResourcesPath; - #endif } diff --git a/sources b/sources index 61e3d5f..ddc17ce 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (qtwebengine-everywhere-src-5.10.1-clean.tar.xz) = b992aef0d2f9fe7d40b5378519113d5c41577b120830bee86eda211ffc97649022d1deacf82916007fb9fd1b6e18a855d4890c79752142165e66e2ea047486b8
+SHA512 (qtwebengine-everywhere-src-5.11.0-clean.tar.xz) = fb6a9a047e77478f6ea9bc9cdb4c7ea05520e9b2919a346d39e7eb09bd88747e35a97ef41bfa06aaed8eb9c3db9372c17dc4e24d1ed2e734f9bf6f58783c4616