From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <d58330a607981f2e12c65c4b72ecbc36c5c52801.1521166869.git.Kevin@tigcc.ticalc.org>
|
|
From: Michal Klocek <michal.klocek@qt.io>
|
|
Date: Thu, 8 Mar 2018 11:26:33 +0100
|
|
Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg
|
|
fix)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
[Backport] CVE-2017-15429
|
|
|
|
Only open windows with js URLs if the entered window has access
|
|
|
|
It's not enough to check that the current window has access, if other
|
|
security checks failed and the entered window shouldn't have access to
|
|
the current window.
|
|
|
|
BUG=788453
|
|
R=haraken@chromium.org,mkwst@chromium.org
|
|
|
|
Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01
|
|
Reviewed-on: https://chromium-review.googlesource.com/792934
|
|
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
|
|
Reviewed-by: Mike West <mkwst@chromium.org>
|
|
Reviewed-by: Kentaro Hara <haraken@chromium.org>
|
|
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#519683}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6069
|
|
|
|
check for bad buffers in Unpack8
|
|
|
|
Bug:799918
|
|
Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
|
|
Reviewed-on: https://skia-review.googlesource.com/92841
|
|
Commit-Queue: Mike Reed <reed@google.com>
|
|
Reviewed-by: Florin Malita <fmalita@chromium.org>
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6071
|
|
|
|
detect too many points
|
|
|
|
Bug:777318
|
|
Change-Id: Idb52688b6ee4ae020004400da995620c1f548559
|
|
Reviewed-on: https://skia-review.googlesource.com/73821
|
|
Commit-Queue: Mike Reed <mike@reedtribe.org>
|
|
Reviewed-by: Herb Derby <herb@google.com>
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] Security Bug 770734
|
|
|
|
Fix a crash in TemplateURLParser.
|
|
|
|
It was caused by dereferencing an invalid URL during parsing.
|
|
|
|
Bug: 770734
|
|
Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a
|
|
Reviewed-on: https://chromium-review.googlesource.com/773902
|
|
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
|
|
Reviewed-by: Peter Kasting <pkasting@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#517751}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] Security Bug 774833
|
|
|
|
Intl.DateTimeFormat: throw RangeError for non-finite input
|
|
|
|
intl.js throws an exception when datetime-value to format is
|
|
Infinity or NaN, but there was a way to thwart the check.
|
|
|
|
Moreover, intl.js and runtime-intl.cc have unnecessary conversions
|
|
of 'Number->Date->Number'. I removed the unnecessary conversion
|
|
and made 'Number' be passed to %InternalDateFormat. With this
|
|
streamlining, the work-around mentioned above does not work
|
|
anymore.
|
|
|
|
Add a check in runtime_intl.cc for Infinity/NaN and throw a
|
|
RangeError.
|
|
|
|
Add invalid-time test for invalid datetime-values passed to
|
|
Intl.DateTimeFormat.format().
|
|
|
|
Bug: chromium:774833
|
|
Test: intl/date-format/invalid-time.js
|
|
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
|
|
Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee
|
|
Reviewed-on: https://chromium-review.googlesource.com/724860
|
|
Commit-Queue: Jungshik Shin <jshin@chromium.org>
|
|
Reviewed-by: Adam Klein <adamk@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#48765}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6073
|
|
|
|
Fix CopyTexImage behavior when cubemap workaround is involved.
|
|
|
|
The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params
|
|
in order to upload data to textures correctly.
|
|
|
|
BUG=804118
|
|
TEST=tests in the bug
|
|
R=piman@chromium.org
|
|
TBR=zmo@chromium.org
|
|
NOTRY=true
|
|
|
|
(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22)
|
|
|
|
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
|
|
Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
|
|
Reviewed-on: https://chromium-review.googlesource.com/892282
|
|
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
|
|
Reviewed-by: Antoine Labour <piman@chromium.org>
|
|
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
|
|
Cr-Original-Commit-Position: refs/heads/master@{#532749}
|
|
Reviewed-on: https://chromium-review.googlesource.com/895907
|
|
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
|
|
Cr-Commit-Position: refs/branch-heads/3325@{#208}
|
|
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6076
|
|
|
|
Percent-encode UTF8 characters in URL fragment identifiers.
|
|
|
|
This brings us into line with Firefox, Safari, and the spec.
|
|
|
|
Bug: 758523
|
|
Reviewed-on: https://chromium-review.googlesource.com/668363
|
|
Commit-Queue: Mike West <mkwst@chromium.org>
|
|
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
|
|
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#507481}
|
|
|
|
Encode ' ', '"', '<', '>', and '`' in URL fragments.
|
|
|
|
Implements the changes to fragment processing described in
|
|
https://github.com/whatwg/url/pull/347, which adds a new "fragment
|
|
percent-encode set" which contains the C0 control percent-encode set,
|
|
along with:
|
|
|
|
* 0x20 SPACE
|
|
* 0x22 (")
|
|
* 0x3C (<)
|
|
* 0x3E (>)
|
|
* 0x60 (`)
|
|
|
|
This brings our implementation into line with Firefox.
|
|
|
|
Bug: 758523
|
|
Reviewed-on: https://chromium-review.googlesource.com/719004
|
|
Commit-Queue: Mike West <mkwst@chromium.org>
|
|
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#523383}
|
|
|
|
Change-Id: I25de642017ccb69473626a327ad194b3431a11ed
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6079
|
|
|
|
Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data.
|
|
|
|
In linux and android, we are seeing an issue where texture data from one
|
|
tab overwrites the texture data of another tab. This is happening for apps
|
|
which are using webgl2 texture of type TEXTURE_2D_ARRAY/TEXTURE_3D.
|
|
Due to a bug in virtual context save/restore code for above texture formats,
|
|
the texture data is not properly restored while switching tabs. Hence
|
|
texture data from one tab overwrites other.
|
|
|
|
This CL has fix for that issue, an update for existing test expectations
|
|
and a new unit test for this bug.
|
|
|
|
Bug: 788448
|
|
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
|
|
Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28
|
|
Reviewed-on: https://chromium-review.googlesource.com/930327
|
|
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
|
|
Commit-Queue: vikas soni <vikassoni@chromium.org>
|
|
Cr-Original-Commit-Position: refs/heads/master@{#539111}(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd)
|
|
Reviewed-on: https://chromium-review.googlesource.com/939878
|
|
Cr-Commit-Position: refs/branch-heads/3325@{#610}
|
|
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6081
|
|
|
|
Fix XSS in supervised user interstitial
|
|
|
|
BUG=797525
|
|
|
|
Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93
|
|
Reviewed-on: https://chromium-review.googlesource.com/844075
|
|
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
|
|
Commit-Queue: Rob Wu <rob@robwu.nl>
|
|
Cr-Commit-Position: refs/heads/master@{#526158}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6082
|
|
|
|
Remove port 22 from the set of allowed FTP ports.
|
|
|
|
The collision with SSH ports caused some possible concerns with being
|
|
able to enumerate internal hosts. Analysis shows that Internet hosts
|
|
supporting FTP over port 22 are a small fraction, and likely not
|
|
accessed over the web.
|
|
|
|
Bug: 767354
|
|
Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0
|
|
Reviewed-on: https://chromium-review.googlesource.com/860753
|
|
Reviewed-by: Matt Menke <mmenke@chromium.org>
|
|
Commit-Queue: Christopher Thompson <cthomp@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#528461}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6064
|
|
|
|
[elements] Fix Object.entries/values with changing elements
|
|
|
|
Drive-by-cleanup:
|
|
- Add InternalElementsAccessor to expose protected instance methods
|
|
to ElementsAccessor subclasses.
|
|
- Make some more ElementsAccessor methods protected that take the
|
|
raw entry as parameter.
|
|
|
|
Bug: chromium:798644
|
|
Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c
|
|
Reviewed-on: https://chromium-review.googlesource.com/856816
|
|
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
|
|
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#50480}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6062
|
|
|
|
use safemath::mull for buffer sizes
|
|
|
|
Bug:780104
|
|
Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff
|
|
Reviewed-on: https://skia-review.googlesource.com/95760
|
|
Reviewed-by: Brian Salomon <bsalomon@google.com>
|
|
Commit-Queue: Mike Reed <reed@google.com>
|
|
(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d)
|
|
Reviewed-on: https://skia-review.googlesource.com/101780
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] CVE-2018-6060
|
|
|
|
Keep AudioHandlers alive until they can be safely deleted.
|
|
|
|
When an AudioNode is disposed, the handler is also disposed. But add
|
|
the handler to the orphan list so that the handler stays alive until
|
|
the context can safely delete it. If we don't do this, the handler
|
|
may get deleted while the audio thread is processing the handler (due
|
|
to, say, channel count changes and such).
|
|
|
|
For a realtime context, save the handler if the context is not closed.
|
|
(Nothing will clean up the handler if the context is closed.)
|
|
|
|
For an offline context, only need to do this when the context is
|
|
running because the context is guaranteed to be stopped if we're not
|
|
in the running state. Hence, there's no possibility of deleting the
|
|
handler while the graph is running.
|
|
|
|
Bug: 780919
|
|
Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87
|
|
Reviewed-on: https://chromium-review.googlesource.com/868841
|
|
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
|
|
Commit-Queue: Raymond Toy <rtoy@chromium.org>
|
|
Cr-Original-Commit-Position: refs/heads/master@{#530892}(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed)
|
|
Reviewed-on: https://chromium-review.googlesource.com/893626
|
|
Reviewed-by: Raymond Toy <rtoy@chromium.org>
|
|
Cr-Commit-Position: refs/branch-heads/3325@{#180}
|
|
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] Security Bug 798410
|
|
|
|
Crash fix for th with role gridcell in a table with nontraditional css
|
|
|
|
Do not assume we can use ToLayoutCell() in an object that can be created
|
|
for an ARIA cell and may not be associated with an actual table cell.
|
|
|
|
Bug: 798410
|
|
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
|
|
Reviewed-on: https://chromium-review.googlesource.com/906953
|
|
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
|
|
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
|
|
Cr-Original-Commit-Position: refs/heads/master@{#535462}(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
|
|
Reviewed-on: https://chromium-review.googlesource.com/916527
|
|
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
|
|
Cr-Commit-Position: refs/branch-heads/3325@{#447}
|
|
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
|
|
[Backport] Security Bug 789764
|
|
|
|
[parser] Fix func numbering inside for in.
|
|
|
|
BUG=chromium:789764
|
|
|
|
Change-Id: I6a466660159721683c4979af32019d740094151b
|
|
Reviewed-on: https://chromium-review.googlesource.com/803217
|
|
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
|
|
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
|
|
Commit-Queue: Marja Hölttä <marja@chromium.org>
|
|
Cr-Commit-Position: refs/heads/master@{#49795}
|
|
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
|
|
---
|
|
.../search_engines/template_url_parser.cc | 2 +-
|
|
.../supervised_user_block_interstitial.js | 8 +--
|
|
.../gpu/command_buffer/service/context_state.cc | 34 +++++++++-
|
|
.../gpu/command_buffer/service/texture_manager.cc | 6 +-
|
|
chromium/net/base/port_util.cc | 3 +-
|
|
.../bindings/core/v8/custom/V8WindowCustom.cpp | 9 +++
|
|
.../WebKit/Source/core/frame/LocalFrameView.cpp | 5 +-
|
|
.../Source/modules/accessibility/AXTableCell.cpp | 8 +++
|
|
.../WebKit/Source/modules/webaudio/AudioNode.cpp | 41 ++++++++++--
|
|
chromium/third_party/skia/include/core/SkTypes.h | 1 +
|
|
chromium/third_party/skia/src/core/SkMath.cpp | 16 +++++
|
|
chromium/third_party/skia/src/core/SkPathRef.cpp | 22 +++++--
|
|
chromium/third_party/skia/src/core/SkSafeMath.h | 19 ++++++
|
|
.../third_party/skia/src/effects/SkPackBits.cpp | 5 +-
|
|
chromium/third_party/skia/src/effects/SkPackBits.h | 2 +-
|
|
.../third_party/skia/src/gpu/GrBufferAllocPool.cpp | 6 +-
|
|
chromium/url/url_canon_etc.cc | 61 ++++++++++++-----
|
|
chromium/v8/src/ast/ast-traversal-visitor.h | 1 +
|
|
chromium/v8/src/elements.cc | 76 ++++++++++++++++++----
|
|
chromium/v8/src/elements.h | 17 ++---
|
|
chromium/v8/src/js/intl.js | 8 +--
|
|
chromium/v8/src/runtime/runtime-intl.cc | 25 ++++---
|
|
22 files changed, 293 insertions(+), 82 deletions(-)
|
|
|
|
diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
|
|
index 64b1385e05..476d879b5f 100644
|
|
--- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
|
|
+++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
|
|
@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
|
|
return;
|
|
|
|
GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
|
|
- if (url.is_empty())
|
|
+ if (!url.is_valid())
|
|
return;
|
|
|
|
// If there is a parameter filter, parse the existing URL and remove any
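Review bot: The new `!url.is_valid()` guard carries no comment saying why validity rather than emptiness is the bar, so a later reader could plausibly "simplify" it back to `is_empty()`. The commit message ties this change to a crash from dereferencing an invalid URL (bug 770734); a one-line comment above the check such as `// An invalid URL (which includes an empty one) must not be parsed further; see bug 770734.` would pin that down. ProcessURLParams begins outside the hunk.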
|
|
diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
|
|
index d6b9327584..bee21be919 100644
|
|
--- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
|
|
+++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
|
|
@@ -67,8 +67,8 @@ function initialize() {
|
|
$('custodian-avatar-img').style.content =
|
|
makeImageSet(avatarURL1x, avatarURL2x);
|
|
}
|
|
- $('custodian-name').innerHTML = custodianName;
|
|
- $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail');
|
|
+ $('custodian-name').textContent = custodianName;
|
|
+ $('custodian-email').textContent = loadTimeData.getString('custodianEmail');
|
|
var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
|
|
var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
|
|
var secondCustodianName = loadTimeData.getString('secondCustodianName');
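Review bot: Switching the custodian name and e-mail to `textContent` stops those strings from being parsed as markup, but the avatar URLs on the context lines just above still flow into `style.content` through `makeImageSet`, whose quoting is not visible here. If those URLs could contain quotes or a closing parenthesis they would be a CSS-injection sink of the same class, so it is worth confirming that `makeImageSet` or the C++ side that fills `loadTimeData` escapes them, or adding a short comment stating that the URLs are trusted. The second hunk in this file makes the same `innerHTML` → `textContent` change and needs nothing further. `initialize()` begins and ends outside the hunk.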
|
|
@@ -79,8 +79,8 @@ function initialize() {
|
|
$('second-custodian-avatar-img').style.content =
|
|
makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
|
|
}
|
|
- $('second-custodian-name').innerHTML = secondCustodianName;
|
|
- $('second-custodian-email').innerHTML = loadTimeData.getString(
|
|
+ $('second-custodian-name').textContent = secondCustodianName;
|
|
+ $('second-custodian-email').textContent = loadTimeData.getString(
|
|
'secondCustodianEmail');
|
|
}
|
|
}
|
|
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
|
|
index 3c71d38b25..1b1d647c36 100644
|
|
--- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
|
|
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
|
|
@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
|
|
? unit.bound_texture_2d->service_id() : 0;
|
|
}
|
|
|
|
+GLuint Get2dArrayServiceId(const TextureUnit& unit) {
|
|
+ return unit.bound_texture_2d_array.get()
|
|
+ ? unit.bound_texture_2d_array->service_id()
|
|
+ : 0;
|
|
+}
|
|
+
|
|
+GLuint Get3dServiceId(const TextureUnit& unit) {
|
|
+ return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
|
|
+}
|
|
+
|
|
GLuint GetCubeServiceId(const TextureUnit& unit) {
|
|
return unit.bound_texture_cube_map.get()
|
|
? unit.bound_texture_cube_map->service_id() : 0;
|
|
@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
|
|
DCHECK_LT(unit, texture_units.size());
|
|
const TextureUnit& texture_unit = texture_units[unit];
|
|
GLuint service_id_2d = Get2dServiceId(texture_unit);
|
|
+ GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
|
|
+ GLuint service_id_3d = Get3dServiceId(texture_unit);
|
|
GLuint service_id_cube = GetCubeServiceId(texture_unit);
|
|
GLuint service_id_oes = GetOesServiceId(texture_unit);
|
|
GLuint service_id_arb = GetArbServiceId(texture_unit);
|
|
@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
|
|
feature_info_->feature_flags().oes_egl_image_external ||
|
|
feature_info_->feature_flags().nv_egl_stream_consumer_external;
|
|
bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
|
|
+ // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
|
|
+ // So set it to FALSE by default.
|
|
+ bool bind_texture_2d_array = false;
|
|
+ bool bind_texture_3d = false;
|
|
+ // set the variables to true only if the application is ES3 or newer
|
|
+ if (feature_info_->IsES3Capable()) {
|
|
+ bind_texture_2d_array = true;
|
|
+ bind_texture_3d = true;
|
|
+ }
|
|
|
|
if (prev_state) {
|
|
const TextureUnit& prev_unit = prev_state->texture_units[unit];
|
|
bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
|
|
+ bind_texture_2d_array =
|
|
+ service_id_2d_array != Get2dArrayServiceId(prev_unit);
|
|
+ bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
|
|
bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
|
|
bind_texture_oes =
|
|
bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
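Review bot: In the `prev_state` branch, `bind_texture_2d_array` and `bind_texture_3d` are assigned from the service-id comparison alone, which discards the `IsES3Capable()` gate computed just above; the existing `bind_texture_oes` flag keeps its feature gate by AND-ing with it. On an ES2 context both ids are presumably 0, so this is likely harmless today, but for consistency and to keep `glBindTexture(GL_TEXTURE_2D_ARRAY, …)` off contexts that do not support it, write `bind_texture_2d_array = bind_texture_2d_array && service_id_2d_array != Get2dArrayServiceId(prev_unit);` and `bind_texture_3d = bind_texture_3d && service_id_3d != Get3dServiceId(prev_unit);`. The remainder of the `if (prev_state)` block and of RestoreTextureUnitBindings lies outside this hunk.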
|
|
@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
|
|
}
|
|
|
|
// Early-out if nothing has changed from the previous state.
|
|
- if (!bind_texture_2d && !bind_texture_cube
|
|
- && !bind_texture_oes && !bind_texture_arb) {
|
|
+ if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d &&
|
|
+ !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
|
|
return;
|
|
}
|
|
|
|
@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
|
|
if (bind_texture_arb) {
|
|
glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
|
|
}
|
|
+ if (bind_texture_2d_array) {
|
|
+ glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
|
|
+ }
|
|
+ if (bind_texture_3d) {
|
|
+ glBindTexture(GL_TEXTURE_3D, service_id_3d);
|
|
+ }
|
|
}
|
|
|
|
void ContextState::RestoreSamplerBinding(GLuint unit,
|
|
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
|
|
index f56e04f411..cac58af031 100644
|
|
--- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
|
|
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
|
|
@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
|
|
TextureRef* texture_ref,
|
|
const char* function_name,
|
|
const DoTexImageArguments& args) {
|
|
- // This workaround code does not work with an unpack buffer bound.
|
|
- ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
|
|
-
|
|
std::vector<GLenum> undefined_faces;
|
|
Texture* texture = texture_ref->texture();
|
|
if (texture_state->force_cube_complete ||
|
|
@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
|
|
DoTexImageArguments new_args = args;
|
|
std::unique_ptr<char[]> zero(new char[args.pixels_size]);
|
|
memset(zero.get(), 0, args.pixels_size);
|
|
+ // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
|
|
+ state->PushTextureDecompressionUnpackState();
|
|
for (GLenum face : undefined_faces) {
|
|
new_args.target = face;
|
|
new_args.pixels = zero.get();
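Review bot: The RAII `ScopedResetPixelUnpackBuffer` removed in the first hunk is replaced by a manual `PushTextureDecompressionUnpackState()` here and a matching `RestoreUnpackState()` in the next hunk, so the unpack state is restored only if control reaches the end of the loop. The visible loop body has no early return, but a push/restore pair is easy to unbalance in a later edit; if a scoped guard type exists for this pair (not visible in the patch) it would be the safer form, otherwise a comment at the push such as `// Must be paired with state->RestoreUnpackState() below; do not return early.` records the invariant. DoCubeMapWorkaround begins before this hunk and closes in the next one.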
|
|
@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
|
|
function_name, texture_ref, new_args);
|
|
texture->MarkLevelAsInternalWorkaround(face, args.level);
|
|
}
|
|
+ state->RestoreUnpackState();
|
|
}
|
|
|
|
void TextureManager::ValidateAndDoTexImage(
|
|
diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc
|
|
index 543d9db943..83c9821398 100644
|
|
--- a/src/3rdparty/chromium/net/base/port_util.cc
|
|
+++ b/src/3rdparty/chromium/net/base/port_util.cc
|
|
@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
|
|
// KURL::port())
|
|
};
|
|
|
|
-// FTP overrides the following restricted ports.
|
|
+// FTP overrides the following restricted port.
|
|
const int kAllowedFtpPorts[] = {
|
|
21, // ftp data
|
|
- 22, // ssh
|
|
};
|
|
|
|
base::LazyInstance<std::multiset<int>>::Leaky g_explicitly_allowed_ports =
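Review bot: The reworded comment does not say that 22 was dropped deliberately, so the next person handling an "FTP on port 22 no longer works" report may simply add it back; suggest `// FTP overrides the following restricted port. Port 22 was removed on purpose: it collides with SSH (bug 767354).` Separately, the pre-existing `// ftp data` on the 21 entry is misleading, since 21 is the FTP control channel and 20 is ftp-data; that line is context, not part of this change, but it is worth fixing while the array is being touched.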
|
|
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
|
|
index 90883c712f..9abef3a420 100644
|
|
--- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
|
|
@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
|
|
return;
|
|
}
|
|
|
|
+ // If the bindings implementation is 100% correct, the current realm and the
|
|
+ // entered realm should be same origin-domain. However, to be on the safe
|
|
+ // side and add some defense in depth, we'll check against the entered realm
|
|
+ // as well here.
|
|
+ if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
|
|
+ impl, exception_state)) {
|
|
+ return;
|
|
+ }
|
|
+
|
|
TOSTRING_VOID(V8StringResource<kTreatNullAndUndefinedAsNullString>,
|
|
url_string, info[0]);
|
|
AtomicString frame_name;
|
|
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
|
|
index 8ce1574d45..1c5b193eda 100644
|
|
--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
|
|
@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
|
|
!frame_->GetDocument()->IsSVGDocument())
|
|
return;
|
|
|
|
+ // Try the raw fragment for HTML documents, but skip it for `svgView()`:
|
|
String fragment_identifier = url.FragmentIdentifier();
|
|
- if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
|
|
+ if (!frame_->GetDocument()->IsSVGDocument() &&
|
|
+ ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
|
|
return;
|
|
+ }
|
|
|
|
// Try again after decoding the ref, based on the document's encoding.
|
|
if (frame_->GetDocument()->Encoding().IsValid()) {
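Review bot: The new comment says the raw fragment is skipped "for `svgView()`", but the condition skips it for every SVG document regardless of what the fragment contains; the comment should match the code, e.g. `// Try the raw fragment for HTML documents; SVG documents only use the decoded form below (their fragment may be an svgView() spec).` Presumably this pairs with the fragment percent-encoding change to url_canon_etc.cc listed in the same backport, so the decoded path is the one that now sees the original characters — worth stating, since otherwise the SVG special case reads as arbitrary. ProcessUrlFragment begins and ends outside the hunk.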
|
|
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
|
|
index bbe7147921..1b88d0bd4e 100644
|
|
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
|
|
@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
|
|
if (IsColumnHeaderCell())
|
|
return kColumnHeaderRole;
|
|
|
|
+ // This occurs in an edge case that mixes non-table CSS into a
|
|
+ // table, and <th role="gridcell">, see bug 798410.
|
|
+ // The odd CSS causes the <th> to not be a LayoutTableCell,
|
|
+ // and the ARIA role causes it to fall through to here, because
|
|
+ // it is not an ARIA/HTML column/row header.
|
|
+ if (!layout_object_ || !layout_object_->IsTableCell())
|
|
+ return kCellRole; // <th role="gridcell">.
|
|
+
|
|
// Check the previous cell and the next cell on the same row.
|
|
LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
|
|
AccessibilityRole header_role = kCellRole;
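Review bot: The guard protects the `ToLayoutTableCell(layout_object_)` call in ScanToDecideHeaderRole, but any sibling method in AXTableCell that also casts `layout_object_` after a role check would carry the same assumption; that is not visible here, so it is worth a grep of the class rather than a change to this hunk. Style-wise the trailing `// <th role="gridcell">.` repeats the block comment above it and could be dropped in favour of keeping the bug reference on the block comment alone. ScanToDecideHeaderRole continues past the hunk.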
|
|
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
|
|
index 64cc1d575f..b764fb6145 100644
|
|
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
|
|
@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
|
|
}
|
|
#endif
|
|
InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
|
|
+
|
|
+#if DEBUG_AUDIONODE_REFERENCES
|
|
+ fprintf(
|
|
+ stderr,
|
|
+ "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
|
|
+ Context(), this, GetNodeType(), connection_ref_count_,
|
|
+ node_count_[GetNodeType()],
|
|
+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
|
|
+#endif
|
|
}
|
|
|
|
AudioHandler::~AudioHandler() {
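Review bot: The added `fprintf` prints `InstanceCounters::CounterValue(...)` with `%u`; if that function returns `int` (as it does in upstream Blink), this is a signedness mismatch that `-Wformat` flags, and `%d` is the matching conversion. The same format string appears in the next hunk's destructor trace. Both are under `DEBUG_AUDIONODE_REFERENCES`, so release builds are unaffected, but a debug build with warnings-as-errors would not compile.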
|
|
@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
|
|
InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
|
|
#if DEBUG_AUDIONODE_REFERENCES
|
|
--node_count_[GetNodeType()];
|
|
- fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n",
|
|
- Context(), this, GetNodeType(), connection_ref_count_,
|
|
- node_count_[GetNodeType()]);
|
|
+ fprintf(
|
|
+ stderr,
|
|
+ "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
|
|
+ "%u\n",
|
|
+ Context(), this, GetNodeType(), connection_ref_count_,
|
|
+ node_count_[GetNodeType()],
|
|
+ InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
|
|
#endif
|
|
}
|
|
|
|
@@ -542,9 +555,25 @@ void AudioNode::Dispose() {
|
|
#endif
|
|
BaseAudioContext::AutoLocker locker(context());
|
|
Handler().Dispose();
|
|
- if (context()->ContextState() == BaseAudioContext::kRunning) {
|
|
- context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
|
|
- std::move(handler_));
|
|
+ if (context()->HasRealtimeConstraint()) {
|
|
+ // Add the handler to the orphan list if the context is not
|
|
+ // closed. (Nothing will clean up the orphan list if the context
|
|
+ // is closed.) These will get cleaned up in the post render task
|
|
+ // if audio thread is running or when the context is colleced (in
|
|
+ // the worst case).
|
|
+ if (context()->ContextState() != BaseAudioContext::kClosed) {
|
|
+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
|
|
+ std::move(handler_));
|
|
+ }
|
|
+ } else {
|
|
+ // For an offline context, only need to save the handler when the
|
|
+ // context is running. The change in the context state is
|
|
+ // synchronous with the main thread (even though the offline
|
|
+ // thread is not synchronized to the main thread).
|
|
+ if (context()->ContextState() == BaseAudioContext::kRunning) {
|
|
+ context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
|
|
+ std::move(handler_));
|
|
+ }
|
|
}
|
|
}
|
|
|
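Review bot: The new comment `// if audio thread is running or when the context is colleced` has a typo (`colleced` → `collected`), and the two branches end in an identical `AddRenderingOrphanHandler(std::move(handler_))` call that differs only in the state test, which invites the two copies to drift apart. Folding the decision into one predicate keeps the explanatory comments and a single call site: `const bool keep_handler = context()->HasRealtimeConstraint() ? context()->ContextState() != BaseAudioContext::kClosed : context()->ContextState() == BaseAudioContext::kRunning;` followed by `if (keep_handler) context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(std::move(handler_));`. AudioNode::Dispose begins before this hunk.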
|
diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
|
|
index 1dd672bea4..a3e295e285 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
|
|
+++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
|
|
@@ -235,6 +235,7 @@ template <typename D, typename S> D SkTo(S s) {
|
|
#define SK_MaxU32 0xFFFFFFFF
|
|
#define SK_MinU32 0
|
|
#define SK_NaN32 ((int) (1U << 31))
|
|
+#define SK_MaxSizeT SIZE_MAX
|
|
|
|
/** Returns true if the value can be represented with signed 16bits
|
|
*/
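Review bot: `SK_MaxSizeT` expands to `SIZE_MAX`, which comes from `<stdint.h>`/`<cstdint>`; whether SkTypes.h already includes one of those is not visible in this hunk, and the neighbouring defines only need integer literals, so the new macro is the first thing here that depends on it — worth confirming, since a failure would surface only in a translation unit that includes nothing else first. A short comment, `// saturation sentinel returned by SkSafeMath::Add/Mul`, would also tell readers what the value is for.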
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
|
|
index 6eff790c85..947c125b27 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
|
|
@@ -10,6 +10,8 @@
|
|
#include "SkFloatBits.h"
|
|
#include "SkFloatingPoint.h"
|
|
#include "SkScalar.h"
|
|
+#include "SkSafeMath.h"
|
|
+
|
|
|
|
#define sub_shift(zeros, x, n) \
|
|
zeros -= n; \
|
|
@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) {
|
|
}
|
|
return sinValue;
|
|
}
|
|
+
|
|
+///////////////////////////////////////////////////////////////////////////////////////////////////
|
|
+
|
|
+size_t SkSafeMath::Add(size_t x, size_t y) {
|
|
+ SkSafeMath tmp;
|
|
+ size_t sum = tmp.add(x, y);
|
|
+ return tmp.ok() ? sum : SK_MaxSizeT;
|
|
+}
|
|
+
|
|
+size_t SkSafeMath::Mul(size_t x, size_t y) {
|
|
+ SkSafeMath tmp;
|
|
+ size_t prod = tmp.mul(x, y);
|
|
+ return tmp.ok() ? prod : SK_MaxSizeT;
|
|
+}
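Review bot: `SkSafeMath::Add` and `Mul` return `SK_MaxSizeT` on overflow with no comment at the definition, and `Add(SIZE_MAX, 0)` legitimately returns the same value, so callers must treat `SK_MaxSizeT` as a failure sentinel rather than a usable size. A header comment such as `// Saturating: returns SK_MaxSizeT on overflow. Callers must treat that value as an error (no allocation of SIZE_MAX bytes can succeed), never as a size.` makes the contract explicit; the header's `// These saturate to their results` says what happens, not how a caller should react.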
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
|
|
index 094e6717e6..33008ead35 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
|
|
@@ -9,7 +9,7 @@
|
|
#include "SkOnce.h"
|
|
#include "SkPath.h"
|
|
#include "SkPathRef.h"
|
|
-#include <limits>
|
|
+#include "SkSafeMath.h"
|
|
|
|
//////////////////////////////////////////////////////////////////////////////
|
|
SkPathRef::Editor::Editor(sk_sp<SkPathRef>* pathRef,
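Review bot: `#include <limits>` is removed here, yet `SkSafeMath.h` (which replaces it) itself uses `std::numeric_limits<int>` in the new `addInt`, and anything else in SkPathRef.cpp that used `<limits>` now depends on SkSafeMath.h pulling it in; the header's include list is not visible in this patch, so confirm it includes `<limits>` directly rather than relying on a transitive include. If it does not, keeping `#include <limits>` alongside `#include "SkSafeMath.h"` is the safe form.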
|
|
@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
|
|
return false;
|
|
}
|
|
|
|
+ SkSafeMath safe;
|
|
int ptCount = 0;
|
|
int conicCount = 0;
|
|
for (int i = 0; i < vCount; ++i) {
|
|
switch (verbs[i]) {
|
|
case SkPath::kMove_Verb:
|
|
case SkPath::kLine_Verb:
|
|
- ptCount += 1;
|
|
+ ptCount = safe.addInt(ptCount, 1);
|
|
break;
|
|
case SkPath::kConic_Verb:
|
|
conicCount += 1;
|
|
// fall-through
|
|
case SkPath::kQuad_Verb:
|
|
- ptCount += 2;
|
|
+ ptCount = safe.addInt(ptCount, 2);
|
|
break;
|
|
case SkPath::kCubic_Verb:
|
|
- ptCount += 3;
|
|
+ ptCount = safe.addInt(ptCount, 3);
|
|
break;
|
|
case SkPath::kClose_Verb:
|
|
break;
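Review bot: `ptCount` now goes through `safe.addInt`, but `conicCount += 1` in the kConic_Verb case is left unchecked; it cannot overflow first, because every conic verb also adds 2 to `ptCount`, so `ptCount` trips the check (and the function returns false in the next hunk) before `conicCount` could. That reasoning is not written anywhere, so a comment on that line, `// bounded by ptCount/2; ptCount's overflow check covers it`, would stop the next reader from flagging it. deduce_pts_conics begins before this hunk and its overflow check lives in the following one.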
|
|
@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
|
|
return false;
|
|
}
|
|
}
|
|
+ if (!safe) {
|
|
+ return false;
|
|
+ }
|
|
*ptCountPtr = ptCount;
|
|
*conicCountPtr = conicCount;
|
|
return true;
|
|
@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) {
|
|
dirtyAfterEdit = false;
|
|
pCnt = 0;
|
|
}
|
|
+ SkSafeMath safe;
|
|
+ int newPointCnt = safe.addInt(fPointCnt, pCnt);
|
|
+ int newVerbCnt = safe.addInt(fVerbCnt, 1);
|
|
+ if (!safe) {
|
|
+ SK_ABORT("cannot grow path");
|
|
+ }
|
|
size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
|
|
this->makeSpace(space);
|
|
this->fVerbs[~fVerbCnt] = verb;
|
|
SkPoint* ret = fPoints + fPointCnt;
|
|
- fVerbCnt += 1;
|
|
- fPointCnt += pCnt;
|
|
+ fVerbCnt = newVerbCnt;
|
|
+ fPointCnt = newPointCnt;
|
|
fFreeSpace -= space;
|
|
fBoundsIsDirty = true; // this also invalidates fIsFinite
|
|
if (dirtyAfterEdit) {
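Review bot: The overflow path chosen at `if (!safe) SK_ABORT("cannot grow path")` turns an int overflow of fPointCnt or fVerbCnt into a deliberate process abort, and the hunk does not say why an abort is preferable to a failure return. Since growForVerb returns a raw SkPoint* with no error channel (see the signature in the hunk header), the abort is defensible: a wrapped count followed by out-of-bounds writes is traded for a crash. A comment such as `// growForVerb has no failure return; aborting is safer than letting the counts wrap.` would record that trade-off. The counts are checked before makeSpace, so no state is modified on the abort path; the rest of growForVerb is outside the hunk.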
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
|
|
index 91200fbb56..74089633ae 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
|
|
@@ -28,6 +28,25 @@ public:
|
|
return result;
|
|
}
|
|
|
|
+ /**
|
|
+ * Return a + b, unless this result is an overflow/underflow. In those cases, fOK will
|
|
+ * be set to false, and it is undefined what this returns.
|
|
+ */
|
|
+ int addInt(int a, int b) {
|
|
+ if (b < 0 && a < std::numeric_limits<int>::min() - b) {
|
|
+ fOK = false;
|
|
+ return a;
|
|
+ } else if (b > 0 && a > std::numeric_limits<int>::max() - b) {
|
|
+ fOK = false;
|
|
+ return a;
|
|
+ }
|
|
+ return a + b;
|
|
+ }
|
|
+
|
|
+ // These saturate to their results
|
|
+ static size_t Add(size_t x, size_t y);
|
|
+ static size_t Mul(size_t x, size_t y);
|
|
+
|
|
private:
|
|
uint32_t mul32(uint32_t x, uint32_t y) {
|
|
uint64_t bx = x;
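Review bot: addInt uses std::numeric_limits<int>, but no `#include <limits>` is visible in this hunk, and the SkPathRef.cpp hunk at the top of that file replaces its own `#include <limits>` with `#include "SkSafeMath.h"`; unless the header already includes <limits> above line 28, the build now depends on a transitive include. Please confirm the header's include list or add `#include <limits>` there. The comment `// These saturate to their results` also does not say what the saturated value is; `// Saturating variants: on overflow they return SK_MaxSizeT instead of clearing fOK.` describes what the definitions added next to SkScalarSinCos actually do.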
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
|
|
index 286d9d140c..d2dfed9de1 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
|
|
@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
|
|
unsigned n = *src++;
|
|
if (n <= 127) { // repeat count (n + 1)
|
|
n += 1;
|
|
- if (dst >(endDst - n)) {
|
|
+ if (dst > (endDst - n) || src >= stop) {
|
|
return 0;
|
|
}
|
|
memset(dst, *src++, n);
|
|
} else { // same count (n - 127)
|
|
n -= 127;
|
|
- if (dst > (endDst - n)) {
|
|
+ if (dst > (endDst - n) || src > (stop - n)) {
|
|
return 0;
|
|
}
|
|
memcpy(dst, src, n);
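Review bot: Both new guards still compute `endDst - n` and `stop - n` before comparing, which forms a pointer before the start of the buffer whenever fewer than n bytes remain — exactly the case the guard exists for — and pointer arithmetic outside the object is undefined even though it behaves on flat-address targets. Comparing the remaining length avoids it: `if (n > (size_t)(endDst - dst) || src >= stop) {` for the repeat branch and `if (n > (size_t)(endDst - dst) || n > (size_t)(stop - src)) {` for the literal branch. The enclosing loop and the derivation of stop and endDst from srcSize and dstSize are outside the hunk.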
|
|
@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
|
|
dst += n;
|
|
}
|
|
SkASSERT(src <= stop);
|
|
+ SkASSERT(dst <= endDst);
|
|
return SkToInt(dst - origDst);
|
|
}
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
|
|
index 2dc7677afc..773b13e0c1 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
|
|
@@ -36,7 +36,7 @@ public:
|
|
@param srcSize Number of bytes of src to unpack
|
|
@param dst Buffer (allocated by caller) to expand the src[] into.
|
|
@param dstSize Number of bytes in the output buffer.
|
|
- @return the number of bytes written into dst.
|
|
+ @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
|
|
*/
|
|
static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
|
|
size_t dstSize);
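Review bot: The new @return text leaves 0 ambiguous: Unpack8 presumably also returns 0 when srcSize is 0 and there is nothing to expand, so a caller cannot distinguish a malformed stream from an empty one by the return value alone. Suggest `@return the number of bytes written into dst, or 0 if src is malformed or dst is too small; an empty src also yields 0, so callers must check srcSize themselves.` The implementation is in SkPackBits.cpp, not in this hunk.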
|
|
diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
|
|
index 3096ae5eeb..050b5db164 100644
|
|
--- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
|
|
+++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
|
|
@@ -13,7 +13,7 @@
|
|
#include "GrGpu.h"
|
|
#include "GrResourceProvider.h"
|
|
#include "GrTypes.h"
|
|
-
|
|
+#include "SkSafeMath.h"
|
|
#include "SkTraceEvent.h"
|
|
|
|
#ifdef SK_DEBUG
|
|
@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
|
|
SkASSERT(startVertex);
|
|
|
|
size_t offset SK_INIT_TO_AVOID_WARNING;
|
|
- void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
|
|
+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
|
|
vertexSize,
|
|
buffer,
|
|
&offset);
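Review bot: The saturated product from SkSafeMath::Mul is passed straight to INHERITED::makeSpace, so an overflowing vertexSize * vertexCount now arrives as SK_MaxSizeT; this is only a fix if makeSpace rejects a request of that size rather than trying to reserve it, which is not visible here. A comment on the call, `// Mul saturates to SK_MaxSizeT on overflow; makeSpace must fail such a request.`, records the assumption, and the same applies to the index-buffer hunk below (`SkSafeMath::Mul(indexCount, sizeof(uint16_t))`). If vertexCount and indexCount are signed ints, a negative count converts to a huge size_t and also saturates, which is the desired outcome.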
|
|
@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
|
|
SkASSERT(startIndex);
|
|
|
|
size_t offset SK_INIT_TO_AVOID_WARNING;
|
|
- void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
|
|
+ void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
|
|
sizeof(uint16_t),
|
|
buffer,
|
|
&offset);
|
|
diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc b/src/3rdparty/chromium/url/url_canon_etc.cc
|
|
index 31e9fb5cfa..bbc46270a1 100644
|
|
--- a/src/3rdparty/chromium/url/url_canon_etc.cc
|
|
+++ b/src/3rdparty/chromium/url/url_canon_etc.cc
|
|
@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec,
|
|
return true;
|
|
}
|
|
|
|
+// clang-format off
|
|
+// Percent-escape all "C0 controls" (0x00-0x1F)
|
|
+// https://infra.spec.whatwg.org/#c0-control along with the characters ' '
|
|
+// (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and '`' (0x60):
|
|
+const bool kShouldEscapeCharInRef[0x80] = {
|
|
+// Control characters (0x00-0x1F)
|
|
+ true, true, true, true, true, true, true, true,
|
|
+ true, true, true, true, true, true, true, true,
|
|
+ true, true, true, true, true, true, true, true,
|
|
+ true, true, true, true, true, true, true, true,
|
|
+// ' ' ! " # $ % & '
|
|
+ true, false, true, false, false, false, false, false,
|
|
+// ( ) * + , - . /
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// 0 1 2 3 4 5 6 7
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// 8 9 : ; < = > ?
|
|
+ false, false, false, false, true, false, true, false,
|
|
+// @ A B C D E F G
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// H I J K L M N O
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// P Q R S T U V W
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// X Y Z [ \ ] ^ _
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// ` a b c d e f g
|
|
+ true, false, false, false, false, false, false, false,
|
|
+// h i j k l m n o
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// p q r s t u v w
|
|
+ false, false, false, false, false, false, false, false,
|
|
+// x y z { | } ~
|
|
+ false, false, false, false, false, false, false
|
|
+};
|
|
+// clang-format on
|
|
+
|
|
template<typename CHAR, typename UCHAR>
|
|
void DoCanonicalizeRef(const CHAR* spec,
|
|
const Component& ref,
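Review bot: The final row of kShouldEscapeCharInRef lists seven initializers (`x` through `~`, 0x78-0x7E), so index 0x7F (DEL) is value-initialized to false and is silently not escaped; whether that is intended cannot be told from the hunk, since the header comment names only C0 controls and five printable characters. If DEL is meant to stay unescaped, add it explicitly so the row has eight entries, e.g. extend the label to `//  x   y   z   {   |   }   ~   DEL` and the row to `false, false, false, false, false, false, false, false`; if it should be escaped, the last entry is `true`. Either way the array bound should not be doing the work.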
|
|
@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec,
|
|
if (spec[i] == 0) {
|
|
// IE just strips NULLs, so we do too.
|
|
continue;
|
|
- } else if (static_cast<UCHAR>(spec[i]) < 0x20) {
|
|
- // Unline IE seems to, we escape control characters. This will probably
|
|
- // make the reference fragment unusable on a web page, but people
|
|
- // shouldn't be using control characters in their anchor names.
|
|
- AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
|
|
- } else if (static_cast<UCHAR>(spec[i]) < 0x80) {
|
|
- // Normal ASCII characters are just appended.
|
|
- output->push_back(static_cast<char>(spec[i]));
|
|
+ }
|
|
+
|
|
+ UCHAR current_char = static_cast<UCHAR>(spec[i]);
|
|
+ if (current_char < 0x80) {
|
|
+ if (kShouldEscapeCharInRef[current_char])
|
|
+ AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
|
|
+ else
|
|
+ output->push_back(static_cast<char>(spec[i]));
|
|
} else {
|
|
- // Non-ASCII characters are appended unescaped, but only when they are
|
|
- // valid. Invalid Unicode characters are replaced with the "invalid
|
|
- // character" as IE seems to (ReadUTFChar puts the unicode replacement
|
|
- // character in the output on failure for us).
|
|
- unsigned code_point;
|
|
- ReadUTFChar(spec, &i, end, &code_point);
|
|
- AppendUTF8Value(code_point, output);
|
|
+ AppendUTF8EscapedChar(spec, &i, end, output);
|
|
}
|
|
}
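Review bot: The explanatory comments on the non-ASCII branch were dropped together with the ReadUTFChar/AppendUTF8Value pair, and nothing now says what AppendUTF8EscapedChar does with an invalid sequence, which the old comment documented (replacement character). Restoring a one-line note above the call, `// Non-ASCII is percent-encoded as UTF-8; invalid input is handled inside AppendUTF8EscapedChar.`, keeps that intent visible — I have not verified the helper's behavior from this hunk, so word it to match. DoCanonicalizeRef's loop header and the declaration of end are above the hunk.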
|
|
|
|
diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
|
|
index 5eee300cc3..7026268b77 100644
|
|
--- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
|
|
+++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
|
|
@@ -248,6 +248,7 @@ void AstTraversalVisitor<Subclass>::VisitForStatement(ForStatement* stmt) {
|
|
template <class Subclass>
|
|
void AstTraversalVisitor<Subclass>::VisitForInStatement(ForInStatement* stmt) {
|
|
PROCESS_NODE(stmt);
|
|
+ RECURSE(Visit(stmt->each()));
|
|
RECURSE(Visit(stmt->enumerable()));
|
|
RECURSE(Visit(stmt->body()));
|
|
}
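Review bot: VisitForInStatement now visits `stmt->each()`, which was the missing traversal; the sibling VisitForOfStatement is not in the hunk, and if it has the same target/iterable/body shape it should be checked for the same omission. A brief comment on the added line, `// The loop target is an expression too and must be traversed.`, would explain to a later reader why this line exists alongside enumerable() and body().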
|
|
diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc
|
|
index 716cc00b9a..bc89c77047 100644
|
|
--- a/src/3rdparty/chromium/v8/src/elements.cc
|
|
+++ b/src/3rdparty/chromium/v8/src/elements.cc
|
|
@@ -518,6 +518,21 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
|
|
return Just<int64_t>(-1);
|
|
}
|
|
|
|
+// The InternalElementsAccessor is a helper class to expose otherwise protected
|
|
+// methods to its subclasses. Namely, we don't want to publicly expose methods
|
|
+// that take an entry (instead of an index) as an argument.
|
|
+class InternalElementsAccessor : public ElementsAccessor {
|
|
+ public:
|
|
+ explicit InternalElementsAccessor(const char* name)
|
|
+ : ElementsAccessor(name) {}
|
|
+
|
|
+ virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder,
|
|
+ FixedArrayBase* backing_store,
|
|
+ uint32_t index) = 0;
|
|
+
|
|
+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
|
|
+};
|
|
+
|
|
// Base class for element handler implementations. Contains the
|
|
// the common logic for objects with different ElementsKinds.
|
|
// Subclasses must specialize method for which the element
|
|
@@ -536,10 +551,10 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
|
|
// CRTP to guarantee aggressive compile time optimizations (i.e. inlining and
|
|
// specialization of SomeElementsAccessor methods).
|
|
template <typename Subclass, typename ElementsTraitsParam>
|
|
-class ElementsAccessorBase : public ElementsAccessor {
|
|
+class ElementsAccessorBase : public InternalElementsAccessor {
|
|
public:
|
|
explicit ElementsAccessorBase(const char* name)
|
|
- : ElementsAccessor(name) { }
|
|
+ : InternalElementsAccessor(name) {}
|
|
|
|
typedef ElementsTraitsParam ElementsTraits;
|
|
typedef typename ElementsTraitsParam::BackingStore BackingStore;
|
|
@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor {
|
|
Isolate* isolate, Handle<JSObject> object,
|
|
Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
|
|
PropertyFilter filter) {
|
|
- int count = 0;
|
|
+ DCHECK_EQ(*nof_items, 0);
|
|
KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
|
|
ALL_PROPERTIES);
|
|
Subclass::CollectElementIndicesImpl(
|
|
object, handle(object->elements(), isolate), &accumulator);
|
|
Handle<FixedArray> keys = accumulator.GetKeys();
|
|
|
|
- for (int i = 0; i < keys->length(); ++i) {
|
|
+ int count = 0;
|
|
+ int i = 0;
|
|
+ Handle<Map> original_map(object->map(), isolate);
|
|
+
|
|
+ for (; i < keys->length(); ++i) {
|
|
Handle<Object> key(keys->get(i), isolate);
|
|
- Handle<Object> value;
|
|
uint32_t index;
|
|
if (!key->ToUint32(&index)) continue;
|
|
|
|
+ DCHECK_EQ(object->map(), *original_map);
|
|
uint32_t entry = Subclass::GetEntryForIndexImpl(
|
|
isolate, *object, object->elements(), index, filter);
|
|
if (entry == kMaxUInt32) continue;
|
|
|
|
PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
|
|
|
|
+ Handle<Object> value;
|
|
if (details.kind() == kData) {
|
|
value = Subclass::GetImpl(isolate, object->elements(), entry);
|
|
} else {
|
|
+ // This might modify the elements and/or change the elements kind.
|
|
LookupIterator it(isolate, object, index, LookupIterator::OWN);
|
|
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
|
|
isolate, value, Object::GetProperty(&it), Nothing<bool>());
|
|
}
|
|
- if (get_entries) {
|
|
- value = MakeEntryPair(isolate, index, value);
|
|
+ if (get_entries) value = MakeEntryPair(isolate, index, value);
|
|
+ values_or_entries->set(count++, *value);
|
|
+ if (object->map() != *original_map) break;
|
|
+ }
|
|
+
|
|
+ // Slow path caused by changes in elements kind during iteration.
|
|
+ for (; i < keys->length(); i++) {
|
|
+ Handle<Object> key(keys->get(i), isolate);
|
|
+ uint32_t index;
|
|
+ if (!key->ToUint32(&index)) continue;
|
|
+
|
|
+ if (filter & ONLY_ENUMERABLE) {
|
|
+ InternalElementsAccessor* accessor =
|
|
+ reinterpret_cast<InternalElementsAccessor*>(
|
|
+ object->GetElementsAccessor());
|
|
+
|
|
+ uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
|
|
+ object->elements(), index);
|
|
+ if (entry == kMaxUInt32) continue;
|
|
+ PropertyDetails details = accessor->GetDetails(*object, entry);
|
|
+ if (!details.IsEnumerable()) continue;
|
|
}
|
|
+
|
|
+ Handle<Object> value;
|
|
+ LookupIterator it(isolate, object, index, LookupIterator::OWN);
|
|
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
|
|
+ Nothing<bool>());
|
|
+
|
|
+ if (get_entries) value = MakeEntryPair(isolate, index, value);
|
|
values_or_entries->set(count++, *value);
|
|
}
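Review bot: The slow path obtains the accessor with `reinterpret_cast<InternalElementsAccessor*>(object->GetElementsAccessor())`; since InternalElementsAccessor derives from ElementsAccessor (the class added earlier in this file), this is an ordinary downcast and should be `static_cast<InternalElementsAccessor*>(object->GetElementsAccessor())`, which the compiler checks against the hierarchy, whereas reinterpret_cast would compile unchanged if the inheritance were ever altered. The cast is still unchecked at runtime, so it relies on every accessor returned by GetElementsAccessor deriving from InternalElementsAccessor; a comment stating that invariant next to the cast would help. The enclosing function's name and opening brace are above the hunk.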
|
|
|
|
@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor
|
|
return result;
|
|
}
|
|
}
|
|
-
|
|
+ Handle<Map> original_map(receiver->map(), isolate);
|
|
Handle<SeededNumberDictionary> dictionary(
|
|
SeededNumberDictionary::cast(receiver->elements()), isolate);
|
|
// Iterate through entire range, as accessing elements out of order is
|
|
// observable
|
|
for (uint32_t k = start_from; k < length; ++k) {
|
|
+ DCHECK_EQ(receiver->map(), *original_map);
|
|
int entry = dictionary->FindEntry(isolate, k);
|
|
if (entry == SeededNumberDictionary::kNotFound) {
|
|
if (search_for_hole) return Just(true);
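Review bot: `DCHECK_EQ(receiver->map(), *original_map)` inside the loop is debug-only, so in release builds nothing here detects the map changing while the cached `dictionary` handle is still used; the hunk does not show what the loop body does when an accessor runs, so I assume the bail-out to a slow path exists below. A comment above the loop, `// The body must fall back to the slow path before user code can change the map; the DCHECK documents that invariant.`, would make the reliance explicit. The same DCHECK-only pattern is added in the IndexOfValueImpl hunk below and in the two SloppyArgumentsElementsAccessor hunks, which otherwise only replace `handle(object->map(), isolate)` with the Handle constructor.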
|
|
@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor
|
|
uint32_t start_from, uint32_t length) {
|
|
DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
|
|
|
|
+ Handle<Map> original_map(receiver->map(), isolate);
|
|
Handle<SeededNumberDictionary> dictionary(
|
|
SeededNumberDictionary::cast(receiver->elements()), isolate);
|
|
// Iterate through entire range, as accessing elements out of order is
|
|
// observable.
|
|
for (uint32_t k = start_from; k < length; ++k) {
|
|
+ DCHECK_EQ(receiver->map(), *original_map);
|
|
int entry = dictionary->FindEntry(isolate, k);
|
|
- if (entry == SeededNumberDictionary::kNotFound) {
|
|
- continue;
|
|
- }
|
|
+ if (entry == SeededNumberDictionary::kNotFound) continue;
|
|
|
|
PropertyDetails details = GetDetailsImpl(*dictionary, entry);
|
|
switch (details.kind()) {
|
|
@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor
|
|
Handle<Object> value,
|
|
uint32_t start_from, uint32_t length) {
|
|
DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
|
|
- Handle<Map> original_map = handle(object->map(), isolate);
|
|
+ Handle<Map> original_map(object->map(), isolate);
|
|
Handle<SloppyArgumentsElements> elements(
|
|
SloppyArgumentsElements::cast(object->elements()), isolate);
|
|
bool search_for_hole = value->IsUndefined(isolate);
|
|
|
|
for (uint32_t k = start_from; k < length; ++k) {
|
|
+ DCHECK_EQ(object->map(), *original_map);
|
|
uint32_t entry =
|
|
GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
|
|
if (entry == kMaxUInt32) {
|
|
@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor
|
|
Handle<Object> value,
|
|
uint32_t start_from, uint32_t length) {
|
|
DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
|
|
- Handle<Map> original_map = handle(object->map(), isolate);
|
|
+ Handle<Map> original_map(object->map(), isolate);
|
|
Handle<SloppyArgumentsElements> elements(
|
|
SloppyArgumentsElements::cast(object->elements()), isolate);
|
|
|
|
for (uint32_t k = start_from; k < length; ++k) {
|
|
+ DCHECK_EQ(object->map(), *original_map);
|
|
uint32_t entry =
|
|
GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
|
|
if (entry == kMaxUInt32) {
|
|
diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h
|
|
index 9e64764bb0..350264daae 100644
|
|
--- a/src/3rdparty/chromium/v8/src/elements.h
|
|
+++ b/src/3rdparty/chromium/v8/src/elements.h
|
|
@@ -52,7 +52,6 @@ class ElementsAccessor {
|
|
|
|
virtual Handle<Object> Get(Handle<JSObject> holder, uint32_t entry) = 0;
|
|
|
|
- virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
|
|
virtual bool HasAccessors(JSObject* holder) = 0;
|
|
virtual uint32_t NumberOfElements(JSObject* holder) = 0;
|
|
|
|
@@ -63,8 +62,6 @@ class ElementsAccessor {
|
|
// element that is non-deletable.
|
|
virtual void SetLength(Handle<JSArray> holder, uint32_t new_length) = 0;
|
|
|
|
- // Deletes an element in an object.
|
|
- virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
|
|
|
|
// If kCopyToEnd is specified as the copy_size to CopyElements, it copies all
|
|
// of elements from source after source_start to the destination array.
|
|
@@ -122,11 +119,6 @@ class ElementsAccessor {
|
|
|
|
virtual void Set(Handle<JSObject> holder, uint32_t entry, Object* value) = 0;
|
|
|
|
- virtual void Reconfigure(Handle<JSObject> object,
|
|
- Handle<FixedArrayBase> backing_store, uint32_t entry,
|
|
- Handle<Object> value,
|
|
- PropertyAttributes attributes) = 0;
|
|
-
|
|
virtual void Add(Handle<JSObject> object, uint32_t index,
|
|
Handle<Object> value, PropertyAttributes attributes,
|
|
uint32_t new_capacity) = 0;
|
|
@@ -208,6 +200,15 @@ class ElementsAccessor {
|
|
FixedArrayBase* backing_store,
|
|
uint32_t index) = 0;
|
|
|
|
+ virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
|
|
+ virtual void Reconfigure(Handle<JSObject> object,
|
|
+ Handle<FixedArrayBase> backing_store, uint32_t entry,
|
|
+ Handle<Object> value,
|
|
+ PropertyAttributes attributes) = 0;
|
|
+
|
|
+ // Deletes an element in an object.
|
|
+ virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
|
|
+
|
|
// NOTE: this method violates the handlified function signature convention:
|
|
// raw pointer parameter |source_holder| in the function that allocates.
|
|
// This is done intentionally to avoid ArrayConcat() builtin performance
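Review bot: GetDetails, Reconfigure and Delete are moved from the top of the class to a later section, but the access specifier that section sits under is outside the hunk, so the hunk alone does not show that they become protected as the InternalElementsAccessor comment in elements.cc intends. Please confirm the surrounding `protected:` label; a short comment above the moved group, `// Entry-based accessors: only for ElementsAccessor implementations, see InternalElementsAccessor.`, would tie the two changes together for a later reader.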
|
|
diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js
|
|
index 1579337fc1..7fc137f5c7 100644
|
|
--- a/src/3rdparty/chromium/v8/src/js/intl.js
|
|
+++ b/src/3rdparty/chromium/v8/src/js/intl.js
|
|
@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) {
|
|
dateMs = TO_NUMBER(dateValue);
|
|
}
|
|
|
|
- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
|
|
-
|
|
- return %InternalDateFormat(formatter, new GlobalDate(dateMs));
|
|
+ return %InternalDateFormat(formatter, dateMs);
|
|
}
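Review bot: Dropping the `NUMBER_IS_FINITE` check and the `new GlobalDate(dateMs)` wrapper changes the observable error: the runtime now throws a RangeError built from kInvalidTimeValue instead of kDateRange (see the Runtime_InternalDateFormat hunk), so any caller or test matching the old message text will differ. The type stays RangeError, so this is likely acceptable, but it deserves a mention in the change description. The same applies to the formatToParts hunk below.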
|
|
|
|
DEFINE_METHOD(
|
|
@@ -1706,9 +1704,7 @@ DEFINE_METHOD(
|
|
dateMs = TO_NUMBER(dateValue);
|
|
}
|
|
|
|
- if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
|
|
-
|
|
- return %InternalDateFormatToParts(this, new GlobalDate(dateMs));
|
|
+ return %InternalDateFormatToParts(this, dateMs);
|
|
}
|
|
);
|
|
|
|
diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
|
|
index 4bd6bebdc7..875fd719ef 100644
|
|
--- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
|
|
+++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
|
|
@@ -7,7 +7,7 @@
|
|
#endif // V8_INTL_SUPPORT
|
|
|
|
#include "src/runtime/runtime-utils.h"
|
|
-
|
|
+#include <cmath>
|
|
#include <memory>
|
|
|
|
#include "src/api-natives.h"
|
|
@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) {
|
|
DCHECK_EQ(2, args.length());
|
|
|
|
CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
|
|
- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
|
|
+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
|
|
|
|
- Handle<Object> value;
|
|
- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
|
|
+ double date_value = date->Number();
|
|
+ // Check for +-Infinity and Nan
|
|
+ if (!std::isfinite(date_value)) {
|
|
+ THROW_NEW_ERROR_RETURN_FAILURE(
|
|
+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
|
|
+ }
|
|
|
|
icu::SimpleDateFormat* date_format =
|
|
DateFormat::UnpackDateFormat(isolate, date_format_holder);
|
|
CHECK_NOT_NULL(date_format);
|
|
|
|
icu::UnicodeString result;
|
|
- date_format->format(value->Number(), result);
|
|
+ date_format->format(date_value, result);
|
|
|
|
RETURN_RESULT_OR_FAILURE(
|
|
isolate, isolate->factory()->NewStringFromTwoByte(Vector<const uint16_t>(
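Review bot: The new guard rejects NaN and ±Infinity but accepts any other finite double, whereas the old path through `new GlobalDate(dateMs)` presumably time-clipped values with |t| > 8.64e15 to NaN before they reached ICU; a finite out-of-range value such as 1e300 is now handed to date_format->format() directly. If ICU does not handle such inputs gracefully, the check should also apply the ECMAScript TimeClip bound, e.g. `if (!std::isfinite(date_value) || std::fabs(date_value) > 8.64e15) {`. The comment `// Check for +-Infinity and Nan` should read `NaN`, and the same guard in the Runtime_InternalDateFormatToParts hunk below has no comment at all.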
|
|
@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
|
|
DCHECK_EQ(2, args.length());
|
|
|
|
CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
|
|
- CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
|
|
+ CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
|
|
|
|
- Handle<Object> value;
|
|
- ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
|
|
+ double date_value = date->Number();
|
|
+ if (!std::isfinite(date_value)) {
|
|
+ THROW_NEW_ERROR_RETURN_FAILURE(
|
|
+ isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
|
|
+ }
|
|
|
|
icu::SimpleDateFormat* date_format =
|
|
DateFormat::UnpackDateFormat(isolate, date_format_holder);
|
|
@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
|
|
icu::FieldPositionIterator fp_iter;
|
|
icu::FieldPosition fp;
|
|
UErrorCode status = U_ZERO_ERROR;
|
|
- date_format->format(value->Number(), formatted, &fp_iter, status);
|
|
+ date_format->format(date_value, formatted, &fp_iter, status);
|
|
if (U_FAILURE(status)) return isolate->heap()->undefined_value();
|
|
|
|
Handle<JSArray> result = factory->NewJSArray(0);
|
|
--
|
|
2.14.3
|
|
|