From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001 Message-Id: 
From: Michal Klocek Date: Thu, 8 Mar 2018 11:26:33 +0100 Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg fix) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [Backport] CVE-2017-15429 Only open windows with js URLs if the entered window has access It's not enough to check that the current window has access, if other security checks failed and the entered window shouldn't have access to the current window. BUG=788453 R=haraken@chromium.org,mkwst@chromium.org Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01 Reviewed-on: https://chromium-review.googlesource.com/792934 Commit-Queue: Jochen Eisinger Reviewed-by: Mike West Reviewed-by: Kentaro Hara Reviewed-by: Yuki Shiino Cr-Commit-Position: refs/heads/master@{#519683} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6069 check for bad buffers in Unpack8 Bug:799918 Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c Reviewed-on: https://skia-review.googlesource.com/92841 Commit-Queue: Mike Reed Reviewed-by: Florin Malita Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6071 detect too many points Bug:777318 Change-Id: Idb52688b6ee4ae020004400da995620c1f548559 Reviewed-on: https://skia-review.googlesource.com/73821 Commit-Queue: Mike Reed Reviewed-by: Herb Derby Reviewed-by: Allan Sandfeld Jensen [Backport] Security Bug 770734 Fix a crash in TemplateURLParser. It was caused by dereferencing an invalid URL during parsing. Bug: 770734 Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a Reviewed-on: https://chromium-review.googlesource.com/773902 Commit-Queue: Vasilii Sukhanov Reviewed-by: Peter Kasting Cr-Commit-Position: refs/heads/master@{#517751} Reviewed-by: Allan Sandfeld Jensen [Backport] Security Bug 774833 Intl.DateTimeFormat: throw RangeError for non-finite input intl.js throws an exception when datetime-value to format is Infinity or NaN, but there was a way to thwart the check. 
Moreover, intl.js and runtime-intl.cc have unnecessary conversions of 'Number->Date->Number'. I removed the unnecessary conversion and made 'Number' be passed to %InternalDateFormat. With this streamlining, the work-around mentioned above does not work anymore. Add a check in runtime_intl.cc for Infinity/NaN and throw a RangeError. Add invalid-time test for invalid datetime-values passed to Intl.DateTimeFormat.format(). Bug: chromium:774833 Test: intl/date-format/invalid-time.js Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee Reviewed-on: https://chromium-review.googlesource.com/724860 Commit-Queue: Jungshik Shin Reviewed-by: Adam Klein Cr-Commit-Position: refs/heads/master@{#48765} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6073 Fix CopyTexImage behavior when cubemap workaround is involved. The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params in order to upload data to textures correctly. 
BUG=804118 TEST=tests in the bug R=piman@chromium.org TBR=zmo@chromium.org NOTRY=true (cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22) Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa Reviewed-on: https://chromium-review.googlesource.com/892282 Commit-Queue: Zhenyao Mo Reviewed-by: Antoine Labour Reviewed-by: Kai Ninomiya Cr-Original-Commit-Position: refs/heads/master@{#532749} Reviewed-on: https://chromium-review.googlesource.com/895907 Reviewed-by: Zhenyao Mo Cr-Commit-Position: refs/branch-heads/3325@{#208} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6076 Percent-encode UTF8 characters in URL fragment identifiers. This brings us into line with Firefox, Safari, and the spec. Bug: 758523 Reviewed-on: https://chromium-review.googlesource.com/668363 Commit-Queue: Mike West Reviewed-by: Jochen Eisinger Reviewed-by: Andy Paicu Cr-Commit-Position: refs/heads/master@{#507481} Encode ' ', '"', '<', '>', and '`' in URL fragments. Implements the changes to fragment processing described in https://github.com/whatwg/url/pull/347, which adds a new "fragment percent-encode set" which contains the C0 control percent-encode set, along with: * 0x20 SPACE * 0x22 (") * 0x3C (<) * 0x3E (>) * 0x60 (`) This brings our implementation into line with Firefox. Bug: 758523 Reviewed-on: https://chromium-review.googlesource.com/719004 Commit-Queue: Mike West Reviewed-by: Jochen Eisinger Cr-Commit-Position: refs/heads/master@{#523383} Change-Id: I25de642017ccb69473626a327ad194b3431a11ed Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6079 Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data. 
In linux and android, we are seeing an issue where texture data from one tab overwrites the texture data of another tab. This is happening for apps which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D. Due to a bug in virtual context save/restore code for above texture formats, the texture data is not properly restored while switching tabs. Hence texture data from one tab overwrites other. This CL has fix for that issue, an update for existing test expectations and a new unit test for this bug. Bug: 788448 Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28 Reviewed-on: https://chromium-review.googlesource.com/930327 Reviewed-by: Zhenyao Mo Commit-Queue: vikas soni Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd) Reviewed-on: https://chromium-review.googlesource.com/939878 Cr-Commit-Position: refs/branch-heads/3325@{#610} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6081 Fix XSS in supervised user interstitial BUG=797525 Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93 Reviewed-on: https://chromium-review.googlesource.com/844075 Reviewed-by: Bernhard Bauer Commit-Queue: Rob Wu Cr-Commit-Position: refs/heads/master@{#526158} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6082 Remove port 22 from the set of allowed FTP ports. The collision with SSH ports caused some possible concerns with being able to enumerate internal hosts. Analysis shows that Internet hosts supporting FTP over port 22 are a small fraction, and likely not accessed over the web. 
Bug: 767354 Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0 Reviewed-on: https://chromium-review.googlesource.com/860753 Reviewed-by: Matt Menke Commit-Queue: Christopher Thompson Cr-Commit-Position: refs/heads/master@{#528461} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6064 [elements] Fix Object.entries/values with changing elements Drive-by-cleanup: - Add InternalElementsAccessor to expose protected instance methods to ElementsAccessor subclasses. - Make some more ElementsAccessor methods protected that take the raw entry as parameter. Bug: chromium:798644 Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c Reviewed-on: https://chromium-review.googlesource.com/856816 Commit-Queue: Camillo Bruni Reviewed-by: Jakob Kummerow Cr-Commit-Position: refs/heads/master@{#50480} Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6062 use safemath::mull for buffer sizes Bug:780104 Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff Reviewed-on: https://skia-review.googlesource.com/95760 Reviewed-by: Brian Salomon Commit-Queue: Mike Reed (cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d) Reviewed-on: https://skia-review.googlesource.com/101780 Reviewed-by: Allan Sandfeld Jensen [Backport] CVE-2018-6060 Keep AudioHandlers alive until they can be safely deleted. When an AudioNode is disposed, the handler is also disposed. But add the handler to the orphan list so that the handler stays alive until the context can safely delete it. If we don't do this, the handler may get deleted while the audio thread is processing the handler (due to, say, channel count changes and such). For an realtime context, save the handler if the context is not closed. (Nothing will clean up the handler if the context is closed.) For an offline context, only need to do this when the context is running because the context is guaranteed to be stopped if we're not in the running state. Hence, there's no possibility of deleting the handler while the graph is running. 
Bug: 780919 Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87 Reviewed-on: https://chromium-review.googlesource.com/868841 Reviewed-by: Hongchan Choi Commit-Queue: Raymond Toy Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed) Reviewed-on: https://chromium-review.googlesource.com/893626 Reviewed-by: Raymond Toy Cr-Commit-Position: refs/branch-heads/3325@{#180} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} Reviewed-by: Allan Sandfeld Jensen [Backport] Security Bug 798410 Crash fix for th with role gridcell in a table with nontraditional css Do not assume we can use ToLayoutCell() in an object that can be created for an ARIA cell and may not be associated with an actual table cell. Bug: 798410 Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3 Reviewed-on: https://chromium-review.googlesource.com/906953 Commit-Queue: Aaron Leventhal Reviewed-by: Nektarios Paisios Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e) Reviewed-on: https://chromium-review.googlesource.com/916527 Reviewed-by: Aaron Leventhal Cr-Commit-Position: refs/branch-heads/3325@{#447} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} Reviewed-by: Allan Sandfeld Jensen [Backport] Security Bug 789764 [parser] Fix func numbering inside for in. 
BUG=chromium:789764 Change-Id: I6a466660159721683c4979af32019d740094151b Reviewed-on: https://chromium-review.googlesource.com/803217 Reviewed-by: Ross McIlroy Reviewed-by: Jochen Eisinger Commit-Queue: Marja Hölttä Cr-Commit-Position: refs/heads/master@{#49795} Reviewed-by: Allan Sandfeld Jensen --- .../search_engines/template_url_parser.cc | 2 +- .../supervised_user_block_interstitial.js | 8 +-- .../gpu/command_buffer/service/context_state.cc | 34 +++++++++- .../gpu/command_buffer/service/texture_manager.cc | 6 +- chromium/net/base/port_util.cc | 3 +- .../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++ .../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +- .../Source/modules/accessibility/AXTableCell.cpp | 8 +++ .../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++-- chromium/third_party/skia/include/core/SkTypes.h | 1 + chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++ chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++-- chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++ .../third_party/skia/src/effects/SkPackBits.cpp | 5 +- chromium/third_party/skia/src/effects/SkPackBits.h | 2 +- .../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +- chromium/url/url_canon_etc.cc | 61 ++++++++++++----- chromium/v8/src/ast/ast-traversal-visitor.h | 1 + chromium/v8/src/elements.cc | 76 ++++++++++++++++++---- chromium/v8/src/elements.h | 17 ++--- chromium/v8/src/js/intl.js | 8 +-- chromium/v8/src/runtime/runtime-intl.cc | 25 ++++--- 22 files changed, 293 insertions(+), 82 deletions(-) diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc index 64b1385e05..476d879b5f 100644 --- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc +++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc 
@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
return;
GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
- if (url.is_empty())
+ if (!url.is_valid())
return;
// If there is a parameter filter, parse the existing URL and remove any
diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
index d6b9327584..bee21be919 100644
--- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
@@ -67,8 +67,8 @@ function initialize() {
$('custodian-avatar-img').style.content = makeImageSet(avatarURL1x, avatarURL2x);
}
- $('custodian-name').innerHTML = custodianName;
- $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail');
+ $('custodian-name').textContent = custodianName;
+ $('custodian-email').textContent = loadTimeData.getString('custodianEmail');
var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
var secondCustodianName = loadTimeData.getString('secondCustodianName');
@@ -79,8 +79,8 @@ function initialize() {
$('second-custodian-avatar-img').style.content = makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
}
- $('second-custodian-name').innerHTML = secondCustodianName;
- $('second-custodian-email').innerHTML = loadTimeData.getString(
+ $('second-custodian-name').textContent = secondCustodianName;
+ $('second-custodian-email').textContent = loadTimeData.getString(
'secondCustodianEmail');
}
}
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
index 3c71d38b25..1b1d647c36 100644
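Review bot: The new early return drops the URL without saying why; `!url.is_valid()` is strictly wider than the old `is_empty()` test (an empty GURL is also invalid), so a one-line comment above it would save the next reader a lookup: `// An empty or otherwise invalid URL has no parameters to process; bail out before dereferencing it.` ProcessURLParams continues outside the hunk.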
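Review bot: The two `innerHTML` → `textContent` swaps in each hunk are the right fix for the name and email fields, but the context line just above each, `$('custodian-avatar-img').style.content = makeImageSet(avatarURL1x, avatarURL2x);`, still builds a CSS value from `loadTimeData` strings, and whether makeImageSet quotes or escapes its arguments is not visible here. Worth a glance at makeImageSet while in this file; if it does not escape, a short comment at these call sites recording that the avatar URLs are trusted would at least make the assumption explicit. initialize() starts and ends outside the hunks.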
--- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
? unit.bound_texture_2d->service_id() : 0;
}
+GLuint Get2dArrayServiceId(const TextureUnit& unit) {
+ return unit.bound_texture_2d_array.get()
+ ? unit.bound_texture_2d_array->service_id()
+ : 0;
+}
+
+GLuint Get3dServiceId(const TextureUnit& unit) {
+ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
+}
+
GLuint GetCubeServiceId(const TextureUnit& unit) {
return unit.bound_texture_cube_map.get() ? unit.bound_texture_cube_map->service_id() : 0;
@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
DCHECK_LT(unit, texture_units.size());
const TextureUnit& texture_unit = texture_units[unit];
GLuint service_id_2d = Get2dServiceId(texture_unit);
+ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
+ GLuint service_id_3d = Get3dServiceId(texture_unit);
GLuint service_id_cube = GetCubeServiceId(texture_unit);
GLuint service_id_oes = GetOesServiceId(texture_unit);
GLuint service_id_arb = GetArbServiceId(texture_unit);
@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
feature_info_->feature_flags().oes_egl_image_external || feature_info_->feature_flags().nv_egl_stream_consumer_external;
bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
+ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
+ // So set it to FALSE by default.
+ bool bind_texture_2d_array = false;
+ bool bind_texture_3d = false;
+ // set the variables to true only if the application is ES3 or newer
+ if (feature_info_->IsES3Capable()) {
+ bind_texture_2d_array = true;
+ bind_texture_3d = true;
+ }
if (prev_state) {
const TextureUnit& prev_unit = prev_state->texture_units[unit];
bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
+ bind_texture_2d_array =
+ service_id_2d_array != Get2dArrayServiceId(prev_unit);
+ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
bind_texture_oes = bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
}
// Early-out if nothing has changed from the previous state.
- if (!bind_texture_2d && !bind_texture_cube
- && !bind_texture_oes && !bind_texture_arb) {
+ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d &&
+ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
return;
}
@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
if (bind_texture_arb) {
glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
}
+ if (bind_texture_2d_array) {
+ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
+ }
+ if (bind_texture_3d) {
+ glBindTexture(GL_TEXTURE_3D, service_id_3d);
+ }
}
void ContextState::RestoreSamplerBinding(GLuint unit,
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
index f56e04f411..cac58af031 100644
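Review bot: Inside `if (prev_state)`, the new `bind_texture_2d_array` and `bind_texture_3d` assignments overwrite the `IsES3Capable()` gate set a few lines above, unlike the `bind_texture_oes = bind_texture_oes && ...` pattern right below them, so on a non-ES3 context a differing service id would reach `glBindTexture(GL_TEXTURE_2D_ARRAY, ...)` / `glBindTexture(GL_TEXTURE_3D, ...)` in the last hunk, targets such a context cannot accept. Both ids are presumably 0 there, which is why this stays latent, but keeping the gate costs nothing: `bind_texture_2d_array = bind_texture_2d_array && service_id_2d_array != Get2dArrayServiceId(prev_unit);` and `bind_texture_3d = bind_texture_3d && service_id_3d != Get3dServiceId(prev_unit);`. The default-false-then-set-true block could also collapse to `bool bind_texture_2d_array = feature_info_->IsES3Capable();` (same for 3d). RestoreTextureUnitBindings continues outside the hunk.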
--- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
TextureRef* texture_ref, const char* function_name, const DoTexImageArguments& args) {
- // This workaround code does not work with an unpack buffer bound.
- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
-
std::vector undefined_faces;
Texture* texture = texture_ref->texture();
if (texture_state->force_cube_complete ||
@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
DoTexImageArguments new_args = args;
std::unique_ptr zero(new char[args.pixels_size]);
memset(zero.get(), 0, args.pixels_size);
+ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
+ state->PushTextureDecompressionUnpackState();
for (GLenum face : undefined_faces) {
new_args.target = face;
new_args.pixels = zero.get();
@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
function_name, texture_ref, new_args);
texture->MarkLevelAsInternalWorkaround(face, args.level);
}
+ state->RestoreUnpackState();
}
void TextureManager::ValidateAndDoTexImage(
diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc
index 543d9db943..83c9821398 100644
--- a/src/3rdparty/chromium/net/base/port_util.cc
+++ b/src/3rdparty/chromium/net/base/port_util.cc
@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
// KURL::port())
};
-// FTP overrides the following restricted ports.
+// FTP overrides the following restricted port.
const int kAllowedFtpPorts[] = {
21, // ftp data
- 22, // ssh
};
base::LazyInstance>::Leaky g_explicitly_allowed_ports =
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
index 90883c712f..9abef3a420 100644
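Review bot: The removed `ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);` was RAII, but its replacement, `state->PushTextureDecompressionUnpackState();` before the loop and `state->RestoreUnpackState();` after it, relies on straight-line control flow: any early return or error path added between the two calls (the loop body between the second and third hunk is not fully visible here) would leave the unpack state pushed and the client's PIXEL_UNPACK_BUFFER binding lost for later commands. A small scoped helper around the pair would keep the fix and remove that hazard; if ContextState already offers one, prefer it over the manual calls. The `// Need to clear ... for data uploading.` comment could also say that the workaround uploads its own zero-filled faces and must not read from a client-bound PBO. DoCubeMapWorkaround spans all three hunks and begins before the first.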
--- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
return;
}
+ // If the bindings implementation is 100% correct, the current realm and the
+ // entered realm should be same origin-domain. However, to be on the safe
+ // side and add some defense in depth, we'll check against the entered realm
+ // as well here.
+ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
+ impl, exception_state)) {
+ return;
+ }
+
TOSTRING_VOID(V8StringResource, url_string, info[0]);
AtomicString frame_name;
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
index 8ce1574d45..1c5b193eda 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
!frame_->GetDocument()->IsSVGDocument()) return;
+ // Try the raw fragment for HTML documents, but skip it for `svgView()`:
String fragment_identifier = url.FragmentIdentifier();
- if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
+ if (!frame_->GetDocument()->IsSVGDocument() &&
+ ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
return;
+ }
// Try again after decoding the ref, based on the document's encoding.
if (frame_->GetDocument()->Encoding().IsValid()) {
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
index bbe7147921..1b88d0bd4e 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
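Review bot: The new comment `// Try the raw fragment for HTML documents, but skip it for `svgView()`:` says what is skipped but not why, and the decoded retry a few lines below still runs for SVG documents, so a reader cannot tell whether skipping only the raw attempt is deliberate. Presumably the reason is the fragment-escaping change elsewhere in this patch (a fragment such as `svgView(viewBox(...))` now arrives with its spaces percent-encoded, so the raw string can no longer match); saying so would make the asymmetry intentional, e.g. `// SVG documents: the raw fragment may now carry percent-escapes (e.g. spaces in svgView(viewBox(...))), so only the decoded form below is tried.` The function also evaluates `frame_->GetDocument()->IsSVGDocument()` twice within a few lines; a local `const bool is_svg = ...` would read better. ProcessUrlFragment starts before this hunk.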
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
if (IsColumnHeaderCell()) return kColumnHeaderRole;
+ // This occurs in an edge case that mixes non-table CSS into a
+ // table, and , see bug 798410.
+ // The odd CSS causes the to not be a LayoutTableCell,
+ // and the ARIA role causes it to fall through to here, because
+ // it is not an ARIA/HTML column/row header.
+ if (!layout_object_ || !layout_object_->IsTableCell())
+ return kCellRole; // .
+
// Check the previous cell and the next cell on the same row.
LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
AccessibilityRole header_role = kCellRole;
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
index 64cc1d575f..b764fb6145 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
}
#endif
InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
+
+#if DEBUG_AUDIONODE_REFERENCES
+ fprintf(
+ stderr,
+ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
+ Context(), this, GetNodeType(), connection_ref_count_,
+ node_count_[GetNodeType()],
+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
+#endif
}
AudioHandler::~AudioHandler() {
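Review bot: The guard `if (!layout_object_ || !layout_object_->IsTableCell()) return kCellRole;` is the right protection for the `ToLayoutTableCell(layout_object_)` that follows, but the comment above it reads as if element names were dropped: `// table, and , see bug 798410.`, `// The odd CSS causes the to not be a LayoutTableCell,` and the trailing `// .` on the return line. If the angle-bracketed tag names were lost only in this rendering, ignore this; if the source really reads this way, the comment should name the element and role it describes, e.g. `// The odd CSS causes the header cell element to not be a LayoutTableCell,` and the bare `// .` should either say what it refers to or go. ScanToDecideHeaderRole continues outside the hunk.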
@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
#if DEBUG_AUDIONODE_REFERENCES
--node_count_[GetNodeType()];
- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n",
- Context(), this, GetNodeType(), connection_ref_count_,
- node_count_[GetNodeType()]);
+ fprintf(
+ stderr,
+ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
+ "%u\n",
+ Context(), this, GetNodeType(), connection_ref_count_,
+ node_count_[GetNodeType()],
+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
#endif
}
@@ -542,9 +555,25 @@ void AudioNode::Dispose() {
#endif
BaseAudioContext::AutoLocker locker(context());
Handler().Dispose();
- if (context()->ContextState() == BaseAudioContext::kRunning) {
- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
- std::move(handler_));
+ if (context()->HasRealtimeConstraint()) {
+ // Add the handler to the orphan list if the context is not
+ // closed. (Nothing will clean up the orphan list if the context
+ // is closed.) These will get cleaned up in the post render task
+ // if audio thread is running or when the context is colleced (in
+ // the worst case).
+ if (context()->ContextState() != BaseAudioContext::kClosed) {
+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+ std::move(handler_));
+ }
+ } else {
+ // For an offline context, only need to save the handler when the
+ // context is running. The change in the context state is
+ // synchronous with the main thread (even though the offline
+ // thread is not synchronized to the main thread).
+ if (context()->ContextState() == BaseAudioContext::kRunning) {
+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+ std::move(handler_));
+ }
}
}
diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
index 1dd672bea4..a3e295e285 100644
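Review bot: Both branches of the new `if (context()->HasRealtimeConstraint())` in Dispose end in the same `context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(std::move(handler_));` call and differ only in the state predicate, so the logic reads more clearly as one decision: `const bool keep_handler = context()->HasRealtimeConstraint() ? context()->ContextState() != BaseAudioContext::kClosed : context()->ContextState() == BaseAudioContext::kRunning;` followed by a single guarded call. Either way, one sentence on what happens to `handler_` when it is not handed off (the comments imply it is simply released with the node, but do not say so) would complete the picture for the next reader. The new comment also has a typo: `colleced` → `collected`. The destructor hunk above only extends debug-only fprintf output.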
--- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h +++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h @@ -235,6 +235,7 @@ template D SkTo(S s) { #define SK_MaxU32 0xFFFFFFFF #define SK_MinU32 0 #define SK_NaN32 ((int) (1U << 31)) +#define SK_MaxSizeT SIZE_MAX /** Returns true if the value can be represented with signed 16bits */ diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp index 6eff790c85..947c125b27 100644 --- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp +++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp @@ -10,6 +10,8 @@ #include "SkFloatBits.h" #include "SkFloatingPoint.h" #include "SkScalar.h" +#include "SkSafeMath.h" + #define sub_shift(zeros, x, n) \ zeros -= n; \ @@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) { } return sinValue; } + +/////////////////////////////////////////////////////////////////////////////////////////////////// + +size_t SkSafeMath::Add(size_t x, size_t y) { + SkSafeMath tmp; + size_t sum = tmp.add(x, y); + return tmp.ok() ? sum : SK_MaxSizeT; +} + +size_t SkSafeMath::Mul(size_t x, size_t y) { + SkSafeMath tmp; + size_t prod = tmp.mul(x, y); + return tmp.ok() ? prod : SK_MaxSizeT; +} diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp index 094e6717e6..33008ead35 100644 --- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp +++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp @@ -9,7 +9,7 @@ #include "SkOnce.h" #include "SkPath.h" #include "SkPathRef.h" -#include +#include "SkSafeMath.h" ////////////////////////////////////////////////////////////////////////////// SkPathRef::Editor::Editor(sk_sp* pathRef, 
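Review bot: `#define SK_MaxSizeT SIZE_MAX` depends on `SIZE_MAX`, which comes from `<stdint.h>`/`<cstdint>`, and the hunk adds no include; it therefore relies on SkTypes.h already pulling that header in, which is not visible here and is worth confirming since the macro is consumed from the SkMath.cpp hunk below. A short comment next to the neighbouring limit macros would also record the intent: `// Largest size_t; SkSafeMath::Add/Mul return this as their saturated result.`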
@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
return false;
}
+ SkSafeMath safe;
int ptCount = 0;
int conicCount = 0;
for (int i = 0; i < vCount; ++i) {
switch (verbs[i]) {
case SkPath::kMove_Verb: case SkPath::kLine_Verb:
- ptCount += 1;
+ ptCount = safe.addInt(ptCount, 1);
break;
case SkPath::kConic_Verb: conicCount += 1; // fall-through
case SkPath::kQuad_Verb:
- ptCount += 2;
+ ptCount = safe.addInt(ptCount, 2);
break;
case SkPath::kCubic_Verb:
- ptCount += 3;
+ ptCount = safe.addInt(ptCount, 3);
break;
case SkPath::kClose_Verb: break;
@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
return false;
}
}
+ if (!safe) {
+ return false;
+ }
*ptCountPtr = ptCount;
*conicCountPtr = conicCount;
return true;
@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) {
dirtyAfterEdit = false;
pCnt = 0;
}
+ SkSafeMath safe;
+ int newPointCnt = safe.addInt(fPointCnt, pCnt);
+ int newVerbCnt = safe.addInt(fVerbCnt, 1);
+ if (!safe) {
+ SK_ABORT("cannot grow path");
+ }
size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
this->makeSpace(space);
this->fVerbs[~fVerbCnt] = verb;
SkPoint* ret = fPoints + fPointCnt;
- fVerbCnt += 1;
- fPointCnt += pCnt;
+ fVerbCnt = newVerbCnt;
+ fPointCnt = newPointCnt;
fFreeSpace -= space;
fBoundsIsDirty = true; // this also invalidates fIsFinite
if (dirtyAfterEdit) {
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
index 91200fbb56..74089633ae 100644
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
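Review bot: `if (!safe)` in both deduce_pts_conics and growForVerb needs SkSafeMath to expose a boolean conversion; the only accessor visible on this page is `ok()` (SkMath.cpp calls `tmp.ok()`), and the SkSafeMath.h hunk adds no `operator bool`. If the header already has one, fine; otherwise `if (!safe.ok())` is the spelling that matches the rest of the patch. In deduce_pts_conics the loop also keeps running after a failed `addInt` (which returns `ptCount` unchanged), so the overflow check could `return false` inside the loop instead of after it; harmless, but cheaper on pathological verb arrays. growForVerb's `SK_ABORT("cannot grow path")` turns the former silent wrap of `fPointCnt`/`fVerbCnt` into a deliberate crash, which is the intended outcome; a one-line comment saying so would keep a future reader from "softening" it.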
@@ -28,6 +28,25 @@ public:
return result;
}
+ /**
+ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK will
+ * be set to false, and it is undefined what this returns.
+ */
+ int addInt(int a, int b) {
+ if (b < 0 && a < std::numeric_limits::min() - b) {
+ fOK = false;
+ return a;
+ } else if (b > 0 && a > std::numeric_limits::max() - b) {
+ fOK = false;
+ return a;
+ }
+ return a + b;
+ }
+
+ // These saturate to their results
+ static size_t Add(size_t x, size_t y);
+ static size_t Mul(size_t x, size_t y);
+
private:
uint32_t mul32(uint32_t x, uint32_t y) {
uint64_t bx = x;
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
index 286d9d140c..d2dfed9de1 100644
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
unsigned n = *src++;
if (n <= 127) { // repeat count (n + 1)
n += 1;
- if (dst >(endDst - n)) {
+ if (dst > (endDst - n) || src >= stop) {
return 0;
}
memset(dst, *src++, n);
} else { // same count (n - 127)
n -= 127;
- if (dst > (endDst - n)) {
+ if (dst > (endDst - n) || src > (stop - n)) {
return 0;
}
memcpy(dst, src, n);
@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
dst += n;
}
SkASSERT(src <= stop);
+ SkASSERT(dst <= endDst);
return SkToInt(dst - origDst);
}
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
index 2dc7677afc..773b13e0c1 100644
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
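Review bot: `addInt` uses `std::numeric_limits`, which requires `<limits>`, and this hunk adds no include; the SkPathRef.cpp hunk above simultaneously replaces a system include (its name is lost in this rendering) with `SkSafeMath.h`, so confirm the header itself, or SkTypes.h, provides `<limits>` rather than relying on whatever the old include brought in transitively. The overflow tests themselves are sound: for `b < 0`, `min - b` stays within [min + 1, 0] and cannot overflow, and symmetrically `max - b` stays within [0, max - 1] for `b > 0`. The `// These saturate to their results` comment would be clearer stating the value: `// On overflow these return SK_MaxSizeT (saturate) instead of wrapping.`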
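Review bot: The new bounds tests `dst > (endDst - n)` and `src > (stop - n)` first form the pointers `endDst - n` / `stop - n`, which point before the start of the buffer whenever `n` exceeds the bytes remaining; in C++ that pointer arithmetic is undefined even though nothing is dereferenced, and an optimizer may assume it cannot occur. Comparing lengths gives the same decision without forming an out-of-range pointer: `if (n > static_cast<size_t>(endDst - dst) || src >= stop) {` for the repeat case and `if (n > static_cast<size_t>(endDst - dst) || n > static_cast<size_t>(stop - src)) {` for the literal case (the added `src >= stop` test is already length-safe). The loop head that derives `stop`, `endDst` and `origDst` from `srcSize`/`dstSize` is outside the hunk.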
@@ -36,7 +36,7 @@ public:
@param srcSize Number of bytes of src to unpack
@param dst Buffer (allocated by caller) to expand the src[] into.
@param dstSize Number of bytes in the output buffer.
- @return the number of bytes written into dst.
+ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
*/
static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[], size_t dstSize);
diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
index 3096ae5eeb..050b5db164 100644
--- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
@@ -13,7 +13,7 @@
#include "GrGpu.h"
#include "GrResourceProvider.h"
#include "GrTypes.h"
-
+#include "SkSafeMath.h"
#include "SkTraceEvent.h"
#ifdef SK_DEBUG
@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
SkASSERT(startVertex);
size_t offset SK_INIT_TO_AVOID_WARNING;
- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
vertexSize, buffer, &offset);
@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
SkASSERT(startIndex);
size_t offset SK_INIT_TO_AVOID_WARNING;
- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
sizeof(uint16_t), buffer, &offset);
diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc b/src/3rdparty/chromium/url/url_canon_etc.cc
index 31e9fb5cfa..bbc46270a1 100644
--- a/src/3rdparty/chromium/url/url_canon_etc.cc
+++ b/src/3rdparty/chromium/url/url_canon_etc.cc
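Review bot: `SkSafeMath::Mul` saturates to `SK_MaxSizeT` on overflow (see the SkMath.cpp hunk), so the net effect of both GrBufferAllocPool hunks is to hand `INHERITED::makeSpace` a size of `SIZE_MAX` instead of a wrapped small value; that is only a fix if makeSpace rejects such a request before doing anything with it rather than, say, rounding it up to the alignment argument, which would wrap back to a small number. makeSpace's body is not on this page, so confirm it checks the size before aligning, and record the contract at the call sites: `// Mul saturates on overflow; makeSpace must fail for SK_MaxSizeT rather than align or allocate it.` The index hunk also converts `indexCount` (an `int`) to `size_t`, so a negative count would become a huge size; presumably asserted earlier in the function, but worth a glance.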
@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec, return true; } +// clang-format off +// Percent-escape all "C0 controls" (0x00-0x1F) +// https://infra.spec.whatwg.org/#c0-control along with the characters ' ' +// (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and '`' (0x60): +const bool kShouldEscapeCharInRef[0x80] = { +// Control characters (0x00-0x1F) + true, true, true, true, true, true, true, true, + true, true, true, true, true, true, true, true, + true, true, true, true, true, true, true, true, + true, true, true, true, true, true, true, true, +// ' ' ! " # $ % & ' + true, false, true, false, false, false, false, false, +// ( ) * + , - . / + false, false, false, false, false, false, false, false, +// 0 1 2 3 4 5 6 7 + false, false, false, false, false, false, false, false, +// 8 9 : ; < = > ? + false, false, false, false, true, false, true, false, +// @ A B C D E F G + false, false, false, false, false, false, false, false, +// H I J K L M N O + false, false, false, false, false, false, false, false, +// P Q R S T U V W + false, false, false, false, false, false, false, false, +// X Y Z [ \ ] ^ _ + false, false, false, false, false, false, false, false, +// ` a b c d e f g + true, false, false, false, false, false, false, false, +// h i j k l m n o + false, false, false, false, false, false, false, false, +// p q r s t u v w + false, false, false, false, false, false, false, false, +// x y z { | } ~ + false, false, false, false, false, false, false +}; +// clang-format on + template void DoCanonicalizeRef(const CHAR* spec, const Component& ref, 
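Review bot: `kShouldEscapeCharInRef` is declared with 0x80 entries but the initializer supplies 127 — the last row, `// x y z { | } ~`, has seven values — so entry 0x7F (DEL) is `false` only through aggregate zero-initialization, and the comment above the table never mentions DEL. Make it explicit so a later edit to a row cannot silently shift the table: extend the final row to eight values with its header reading `// x y z { | } ~ DEL`, or add `// 0x7F (DEL) is deliberately left unescaped.` above the closing brace. As I read the WHATWG C0-control percent-encode set it also covers code points above U+007E, so whether DEL should in fact be escaped is worth confirming against the spec version this code targets.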
@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec, if (spec[i] == 0) { // IE just strips NULLs, so we do too. continue; - } else if (static_cast(spec[i]) < 0x20) { - // Unline IE seems to, we escape control characters. This will probably - // make the reference fragment unusable on a web page, but people - // shouldn't be using control characters in their anchor names. - AppendEscapedChar(static_cast(spec[i]), output); - } else if (static_cast(spec[i]) < 0x80) { - // Normal ASCII characters are just appended. - output->push_back(static_cast(spec[i])); + } + + UCHAR current_char = static_cast(spec[i]); + if (current_char < 0x80) { + if (kShouldEscapeCharInRef[current_char]) + AppendEscapedChar(static_cast(spec[i]), output); + else + output->push_back(static_cast(spec[i])); } else { - // Non-ASCII characters are appended unescaped, but only when they are - // valid. Invalid Unicode characters are replaced with the "invalid - // character" as IE seems to (ReadUTFChar puts the unicode replacement - // character in the output on failure for us). - unsigned code_point; - ReadUTFChar(spec, &i, end, &code_point); - AppendUTF8Value(code_point, output); + AppendUTF8EscapedChar(spec, &i, end, output); } } diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h index 5eee300cc3..7026268b77 100644 --- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h +++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h @@ -248,6 +248,7 @@ void AstTraversalVisitor::VisitForStatement(ForStatement* stmt) { template void AstTraversalVisitor::VisitForInStatement(ForInStatement* stmt) { PROCESS_NODE(stmt); + RECURSE(Visit(stmt->each())); RECURSE(Visit(stmt->enumerable())); RECURSE(Visit(stmt->body())); } diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc index 716cc00b9a..bc89c77047 100644 --- a/src/3rdparty/chromium/v8/src/elements.cc 
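Review bot: After `current_char` is computed, both branches still re-cast `spec[i]` — in the `AppendEscapedChar(...)` call and in `output->push_back(...)` — even though `current_char < 0x80` is already established; passing `current_char` (cast to the parameter type) in both places reads more clearly and makes it visible that the table index and the emitted byte are the same value. The non-ASCII branch now goes through `AppendUTF8EscapedChar`, which presumably percent-encodes where the removed `AppendUTF8Value` path appended raw UTF-8; that is a visible change in canonical output and deserves a sentence in the commit message. `DoCanonicalizeRef` begins before the hunk.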
+++ b/src/3rdparty/chromium/v8/src/elements.cc @@ -518,6 +518,21 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate, return Just(-1); } +// The InternalElementsAccessor is a helper class to expose otherwise protected +// methods to its subclasses. Namely, we don't want to publicly expose methods +// that take an entry (instead of an index) as an argument. +class InternalElementsAccessor : public ElementsAccessor { + public: + explicit InternalElementsAccessor(const char* name) + : ElementsAccessor(name) {} + + virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder, + FixedArrayBase* backing_store, + uint32_t index) = 0; + + virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; +}; + // Base class for element handler implementations. Contains the // the common logic for objects with different ElementsKinds. // Subclasses must specialize method for which the element @@ -536,10 +551,10 @@ static Maybe IndexOfValueSlowPath(Isolate* isolate, // CRTP to guarantee aggressive compile time optimizations (i.e. inlining and // specialization of SomeElementsAccessor methods). template -class ElementsAccessorBase : public ElementsAccessor { +class ElementsAccessorBase : public InternalElementsAccessor { public: explicit ElementsAccessorBase(const char* name) - : ElementsAccessor(name) { } + : InternalElementsAccessor(name) {} typedef ElementsTraitsParam ElementsTraits; typedef typename ElementsTraitsParam::BackingStore BackingStore; 
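Review bot: `InternalElementsAccessor` is introduced so code holding only an `ElementsAccessor*` can reach the entry-taking methods, and the later `-1040` hunk does so by casting the result of `object->GetElementsAccessor()` to this type; that cast is sound only because every concrete accessor derives from `ElementsAccessorBase`, which the `-536` hunk rebases onto `InternalElementsAccessor`, and the class comment does not state that invariant. Add it, e.g. `// Invariant: every accessor returned by GetElementsAccessor() derives from ElementsAccessorBase and hence from this class; the cast in the values/entries slow path relies on it.` The class adds virtual methods without a visible destructor; presumably `ElementsAccessor` already declares a virtual one, which is outside the hunk.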
@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor { Isolate* isolate, Handle object, Handle values_or_entries, bool get_entries, int* nof_items, PropertyFilter filter) { - int count = 0; + DCHECK_EQ(*nof_items, 0); KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly, ALL_PROPERTIES); Subclass::CollectElementIndicesImpl( object, handle(object->elements(), isolate), &accumulator); Handle keys = accumulator.GetKeys(); - for (int i = 0; i < keys->length(); ++i) { + int count = 0; + int i = 0; + Handle original_map(object->map(), isolate); + + for (; i < keys->length(); ++i) { Handle key(keys->get(i), isolate); - Handle value; uint32_t index; if (!key->ToUint32(&index)) continue; + DCHECK_EQ(object->map(), *original_map); uint32_t entry = Subclass::GetEntryForIndexImpl( isolate, *object, object->elements(), index, filter); if (entry == kMaxUInt32) continue; PropertyDetails details = Subclass::GetDetailsImpl(*object, entry); + Handle value; if (details.kind() == kData) { value = Subclass::GetImpl(isolate, object->elements(), entry); } else { + // This might modify the elements and/or change the elements kind. LookupIterator it(isolate, object, index, LookupIterator::OWN); ASSIGN_RETURN_ON_EXCEPTION_VALUE( isolate, value, Object::GetProperty(&it), Nothing()); } - if (get_entries) { - value = MakeEntryPair(isolate, index, value); + if (get_entries) value = MakeEntryPair(isolate, index, value); + values_or_entries->set(count++, *value); + if (object->map() != *original_map) break; + } + + // Slow path caused by changes in elements kind during iteration. 
+ for (; i < keys->length(); i++) { + Handle key(keys->get(i), isolate); + uint32_t index; + if (!key->ToUint32(&index)) continue; + + if (filter & ONLY_ENUMERABLE) { + InternalElementsAccessor* accessor = + reinterpret_cast( + object->GetElementsAccessor()); + + uint32_t entry = accessor->GetEntryForIndex(isolate, *object, + object->elements(), index); + if (entry == kMaxUInt32) continue; + PropertyDetails details = accessor->GetDetails(*object, entry); + if (!details.IsEnumerable()) continue; } + + Handle value; + LookupIterator it(isolate, object, index, LookupIterator::OWN); + ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it), + Nothing()); + + if (get_entries) value = MakeEntryPair(isolate, index, value); values_or_entries->set(count++, *value); } @@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor return result; } } - + Handle original_map(receiver->map(), isolate); Handle dictionary( SeededNumberDictionary::cast(receiver->elements()), isolate); // Iterate through entire range, as accessing elements out of order is // observable for (uint32_t k = start_from; k < length; ++k) { + DCHECK_EQ(receiver->map(), *original_map); int entry = dictionary->FindEntry(isolate, k); if (entry == SeededNumberDictionary::kNotFound) { if (search_for_hole) return Just(true); 
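Review bot: The slow path converts `object->GetElementsAccessor()` to `InternalElementsAccessor*` with `reinterpret_cast`, but this is a base-to-derived conversion in a single-inheritance hierarchy (`ElementsAccessor` → `InternalElementsAccessor` per the `-518` hunk), so `static_cast<InternalElementsAccessor*>(object->GetElementsAccessor())` is the right named cast: the compiler verifies the relationship and the line fails to compile if the hierarchy changes, whereas `reinterpret_cast` would silently yield a wrong pointer. The fast loop is correctly guarded for release builds by `if (object->map() != *original_map) break;`, with `DCHECK_EQ(object->map(), *original_map)` only documenting the invariant in debug builds. The enclosing method's signature and the final `*nof_items` handling are outside the hunk.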
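Review bot: The `DCHECK_EQ(receiver->map(), *original_map)` added at the top of this loop is compiled out of release builds, so unlike the `-1040` hunk there is no runtime check that the `dictionary` handle taken before the loop is still the object's elements after an iteration; if anything in the loop body (which continues past the hunk) can run user code, release builds would keep operating on a stale backing store. The same applies to the matching additions in the `-1738`, `-3622` and `-3663` hunks of `DictionaryElementsAccessor` and `SloppyArgumentsElementsAccessor`. If the loop bodies are known not to re-enter JS, a comment saying so next to the `DCHECK_EQ`, e.g. `// FindEntry cannot run user code, so the map (and thus the elements) cannot change here; the DCHECK documents that.`, would make the debug-only choice deliberate rather than accidental.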
@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor uint32_t start_from, uint32_t length) { DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver)); + Handle original_map(receiver->map(), isolate); Handle dictionary( SeededNumberDictionary::cast(receiver->elements()), isolate); // Iterate through entire range, as accessing elements out of order is // observable. for (uint32_t k = start_from; k < length; ++k) { + DCHECK_EQ(receiver->map(), *original_map); int entry = dictionary->FindEntry(isolate, k); - if (entry == SeededNumberDictionary::kNotFound) { - continue; - } + if (entry == SeededNumberDictionary::kNotFound) continue; PropertyDetails details = GetDetailsImpl(*dictionary, entry); switch (details.kind()) { @@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor Handle value, uint32_t start_from, uint32_t length) { DCHECK(JSObject::PrototypeHasNoElements(isolate, *object)); - Handle original_map = handle(object->map(), isolate); + Handle original_map(object->map(), isolate); Handle elements( SloppyArgumentsElements::cast(object->elements()), isolate); bool search_for_hole = value->IsUndefined(isolate); for (uint32_t k = start_from; k < length; ++k) { + DCHECK_EQ(object->map(), *original_map); uint32_t entry = GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES); if (entry == kMaxUInt32) { @@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor Handle value, uint32_t start_from, uint32_t length) { DCHECK(JSObject::PrototypeHasNoElements(isolate, *object)); - Handle original_map = handle(object->map(), isolate); + Handle original_map(object->map(), isolate); Handle elements( SloppyArgumentsElements::cast(object->elements()), isolate); for (uint32_t k = start_from; k < length; ++k) { + DCHECK_EQ(object->map(), *original_map); uint32_t entry = GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES); if (entry == kMaxUInt32) { 
diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h index 9e64764bb0..350264daae 100644 --- a/src/3rdparty/chromium/v8/src/elements.h +++ b/src/3rdparty/chromium/v8/src/elements.h @@ -52,7 +52,6 @@ class ElementsAccessor { virtual Handle Get(Handle holder, uint32_t entry) = 0; - virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; virtual bool HasAccessors(JSObject* holder) = 0; virtual uint32_t NumberOfElements(JSObject* holder) = 0; @@ -63,8 +62,6 @@ class ElementsAccessor { // element that is non-deletable. virtual void SetLength(Handle holder, uint32_t new_length) = 0; - // Deletes an element in an object. - virtual void Delete(Handle holder, uint32_t entry) = 0; // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all // of elements from source after source_start to the destination array. @@ -122,11 +119,6 @@ class ElementsAccessor { virtual void Set(Handle holder, uint32_t entry, Object* value) = 0; - virtual void Reconfigure(Handle object, - Handle backing_store, uint32_t entry, - Handle value, - PropertyAttributes attributes) = 0; - virtual void Add(Handle object, uint32_t index, Handle value, PropertyAttributes attributes, uint32_t new_capacity) = 0; @@ -208,6 +200,15 @@ class ElementsAccessor { FixedArrayBase* backing_store, uint32_t index) = 0; + virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0; + virtual void Reconfigure(Handle object, + Handle backing_store, uint32_t entry, + Handle value, + PropertyAttributes attributes) = 0; + + // Deletes an element in an object. + virtual void Delete(Handle holder, uint32_t entry) = 0; + // NOTE: this method violates the handlified function signature convention: // raw pointer parameter |source_holder| in the function that allocates. // This is done intentionally to avoid ArrayConcat() builtin performance 
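Review bot: `GetDetails`, `Reconfigure` and `Delete` are moved to a later section of `ElementsAccessor` with no comment at their new position, and the access specifier governing that position is outside the hunk, so a reader of the header alone cannot tell that these entry-taking methods are now meant to be non-public and reachable only through `InternalElementsAccessor` (that rationale lives in the `elements.cc` hunk). A one-line comment at the insertion point, `// Entry-based accessors: not part of the public interface; see InternalElementsAccessor in elements.cc.`, would carry the intent into the header. Presumably the relocation changes only visibility, since the declarations keep `virtual` and `= 0`.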
diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js index 1579337fc1..7fc137f5c7 100644 --- a/src/3rdparty/chromium/v8/src/js/intl.js +++ b/src/3rdparty/chromium/v8/src/js/intl.js @@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) { dateMs = TO_NUMBER(dateValue); } - if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange); - - return %InternalDateFormat(formatter, new GlobalDate(dateMs)); + return %InternalDateFormat(formatter, dateMs); } DEFINE_METHOD( @@ -1706,9 +1704,7 @@ DEFINE_METHOD( dateMs = TO_NUMBER(dateValue); } - if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange); - - return %InternalDateFormatToParts(this, new GlobalDate(dateMs)); + return %InternalDateFormatToParts(this, dateMs); } ); diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc index 4bd6bebdc7..875fd719ef 100644 --- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc +++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc @@ -7,7 +7,7 @@ #endif // V8_INTL_SUPPORT #include "src/runtime/runtime-utils.h" - +#include #include #include "src/api-natives.h" 
@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) { DCHECK_EQ(2, args.length()); CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0); - CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1); + CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1); - Handle value; - ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date)); + double date_value = date->Number(); + // Check for +-Infinity and Nan + if (!std::isfinite(date_value)) { + THROW_NEW_ERROR_RETURN_FAILURE( + isolate, NewRangeError(MessageTemplate::kInvalidTimeValue)); + } icu::SimpleDateFormat* date_format = DateFormat::UnpackDateFormat(isolate, date_format_holder); CHECK_NOT_NULL(date_format); icu::UnicodeString result; - date_format->format(value->Number(), result); + date_format->format(date_value, result); RETURN_RESULT_OR_FAILURE( isolate, isolate->factory()->NewStringFromTwoByte(Vector( @@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) { DCHECK_EQ(2, args.length()); CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0); - CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1); + CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1); - Handle value; - ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date)); + double date_value = date->Number(); + if (!std::isfinite(date_value)) { + THROW_NEW_ERROR_RETURN_FAILURE( + isolate, NewRangeError(MessageTemplate::kInvalidTimeValue)); + } icu::SimpleDateFormat* date_format = DateFormat::UnpackDateFormat(isolate, date_format_holder); @@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) { icu::FieldPositionIterator fp_iter; icu::FieldPosition fp; UErrorCode status = U_ZERO_ERROR; - date_format->format(value->Number(), formatted, &fp_iter, status); + date_format->format(date_value, formatted, &fp_iter, status); if (U_FAILURE(status)) return isolate->heap()->undefined_value(); Handle result = factory->NewJSArray(0); -- 2.14.3
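Review bot: The finite check and `RangeError` throw are duplicated verbatim in `Runtime_InternalDateFormat` and `Runtime_InternalDateFormatToParts` (the `-349` hunk), and only the first copy carries an explanatory comment, which also misspells NaN (`// Check for +-Infinity and Nan`). Either give both copies the same corrected comment, `// Time values must be finite: reject +/-Infinity and NaN with a RangeError now that the JS-side check has been removed.`, or factor the pair into one small helper so the next runtime function that accepts a time value cannot omit the check. The header added by the bare `+#include` line in the `-7,7` hunk (its name was lost in this rendering) is presumably what supplies `std::isfinite`, so it is part of this fix rather than an incidental include edit.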