From d58330a607981f2e12c65c4b72ecbc36c5c52801 Mon Sep 17 00:00:00 2001
Message-Id: <d58330a607981f2e12c65c4b72ecbc36c5c52801.1521166869.git.Kevin@tigcc.ticalc.org>
From: Michal Klocek <michal.klocek@qt.io>
Date: Thu, 8 Mar 2018 11:26:33 +0100
Subject: [PATCH] Backport security fixes from QtWebEngine 5.9.5 (minus FFmpeg
 fix)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[Backport] CVE-2017-15429

Only open windows with js URLs if the entered window has access

It's not enough to check that the current window has access, if other
security checks failed and the entered window shouldn't have access to
the current window.

BUG=788453
R=haraken@chromium.org,mkwst@chromium.org

Change-Id: Iea10c52f20bdc49f00eba067cab69dab06f79f01
Reviewed-on: https://chromium-review.googlesource.com/792934
Commit-Queue: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#519683}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6069

check for bad buffers in Unpack8

Bug:799918
Change-Id: I0502a487d67ce757bf818823cf0ad46b7703294c
Reviewed-on: https://skia-review.googlesource.com/92841
Commit-Queue: Mike Reed <reed@google.com>
Reviewed-by: Florin Malita <fmalita@chromium.org>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6071

detect too many points

Bug:777318
Change-Id: Idb52688b6ee4ae020004400da995620c1f548559
Reviewed-on: https://skia-review.googlesource.com/73821
Commit-Queue: Mike Reed <mike@reedtribe.org>
Reviewed-by: Herb Derby <herb@google.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] Security Bug 770734

Fix a crash in TemplateURLParser.

It was caused by dereferencing an invalid URL during parsing.

Bug: 770734
Change-Id: I4fedd3f310aaf7e1e1d2384aa64939d46b8b2a5a
Reviewed-on: https://chromium-review.googlesource.com/773902
Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517751}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] Security Bug 774833

Intl.DateTimeFormat: throw RangeError for non-finite input

intl.js throws an exception when the datetime-value to format is
Infinity or NaN, but there was a way to thwart the check.

Moreover, intl.js and runtime-intl.cc have unnecessary conversions
of 'Number->Date->Number'. I removed the unnecessary conversion
and made 'Number' be passed to %InternalDateFormat.  With this
streamlining, the work-around mentioned above does not work
anymore.

Add a check in runtime_intl.cc for Infinity/NaN and throw a
RangeError.

Add invalid-time test for invalid datetime-values passed to
Intl.DateTimeFormat.format().

Bug: chromium:774833
Test: intl/date-format/invalid-time.js
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Idc575e532a86ee110dc4bb945ae023d6516650ee
Reviewed-on: https://chromium-review.googlesource.com/724860
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48765}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6073

Fix CopyTexImage behavior when cubemap workaround is involved.

The bug is, we need to reset PIXEL_UNPACK_BUFFER as well as UNPACK params
in order to upload data to textures correctly.

BUG=804118
TEST=tests in the bug
R=piman@chromium.org
TBR=zmo@chromium.org
NOTRY=true

(cherry picked from commit a89aa4642cefb79e312c95ca3c66bbaff5263a22)

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I743f03cdc98b2c6993449ca615b246eb42ef4dfa
Reviewed-on: https://chromium-review.googlesource.com/892282
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#532749}
Reviewed-on: https://chromium-review.googlesource.com/895907
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#208}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6076

Percent-encode UTF8 characters in URL fragment identifiers.

This brings us into line with Firefox, Safari, and the spec.

Bug: 758523
Reviewed-on: https://chromium-review.googlesource.com/668363
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507481}

Encode ' ', '"', '<', '>', and '`' in URL fragments.

Implements the changes to fragment processing described in
https://github.com/whatwg/url/pull/347, which adds a new "fragment
percent-encode set" which contains the C0 control percent-encode set,
along with:

* 0x20 SPACE
* 0x22 (")
* 0x3C (<)
* 0x3E (>)
* 0x60 (`)

This brings our implementation into line with Firefox.

Bug: 758523
Reviewed-on: https://chromium-review.googlesource.com/719004
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523383}

Change-Id: I25de642017ccb69473626a327ad194b3431a11ed
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6079

Fix tabs sharing TEXTURE_2D_ARRAY/TEXTURE_3D data.

In Linux and Android, we are seeing an issue where texture data from one
tab overwrites the texture data of another tab. This is happening for apps
which are using webgl2 textures of type TEXTURE_2D_ARRAY/TEXTURE_3D.
Due to a bug in the virtual context save/restore code for the above texture
formats, the texture data is not properly restored while switching tabs.
Hence texture data from one tab overwrites the other's.

This CL has a fix for that issue, an update for existing test expectations
and a new unit test for this bug.

Bug: 788448
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Ie933984cdd2d1381f42eb4638f730c8245207a28
Reviewed-on: https://chromium-review.googlesource.com/930327
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Commit-Queue: vikas soni <vikassoni@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#539111}
(cherry picked from commit d128139d53e9268e87921e82d89b3f2053cb83fd)
Reviewed-on: https://chromium-review.googlesource.com/939878
Cr-Commit-Position: refs/branch-heads/3325@{#610}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6081

Fix XSS in supervised user interstitial

BUG=797525

Change-Id: Ib5cfa732b0f4de8645031c0166e4d67633a65c93
Reviewed-on: https://chromium-review.googlesource.com/844075
Reviewed-by: Bernhard Bauer <bauerb@chromium.org>
Commit-Queue: Rob Wu <rob@robwu.nl>
Cr-Commit-Position: refs/heads/master@{#526158}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6082

Remove port 22 from the set of allowed FTP ports.

The collision with SSH ports caused some possible concerns with being
able to enumerate internal hosts. Analysis shows that Internet hosts
supporting FTP over port 22 are a small fraction, and likely not
accessed over the web.

Bug: 767354
Change-Id: I8958b4cc818b34127fd739d2dea58f498fb073c0
Reviewed-on: https://chromium-review.googlesource.com/860753
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Christopher Thompson <cthomp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528461}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6064

[elements] Fix Object.entries/values with changing elements

Drive-by-cleanup:
- Add InternalElementsAccessor to expose protected instance methods
to ElementsAccessor subclasses.
- Make some more ElementsAccessor methods protected that take the
raw entry as parameter.

Bug: chromium:798644
Change-Id: Iffd00f1953461e8dd22c123e62298410fb6e049c
Reviewed-on: https://chromium-review.googlesource.com/856816
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50480}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6062

use safemath::mull for buffer sizes

Bug:780104
Change-Id: Ic683abd9c7d15ebb01b6e5d40dbeb6e76f102eff
Reviewed-on: https://skia-review.googlesource.com/95760
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Mike Reed <reed@google.com>
(cherry picked from commit fe266c2bce2b8ac4ef953f16c8e1a7801da9c57d)
Reviewed-on: https://skia-review.googlesource.com/101780
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] CVE-2018-6060

Keep AudioHandlers alive until they can be safely deleted.

When an AudioNode is disposed, the handler is also disposed.  But add
the handler to the orphan list so that the handler stays alive until
the context can safely delete it.  If we don't do this, the handler
may get deleted while the audio thread is processing the handler (due
to, say, channel count changes and such).

For a realtime context, save the handler if the context is not closed.
(Nothing will clean up the handler if the context is closed.)

For an offline context, we only need to do this when the context is
running, because the context is guaranteed to be stopped if we're not
in the running state.  Hence, there's no possibility of deleting the
handler while the graph is running.

Bug: 780919
Change-Id: Id8ba47f48504c5681121facebfc5acb85b05de87
Reviewed-on: https://chromium-review.googlesource.com/868841
Reviewed-by: Hongchan Choi <hongchan@chromium.org>
Commit-Queue: Raymond Toy <rtoy@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#530892}
(cherry picked from commit ebcf9595bf908b515ffcd31374b071697a69faed)
Reviewed-on: https://chromium-review.googlesource.com/893626
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#180}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] Security Bug 798410

Crash fix for th with role gridcell in a table with nontraditional css

Do not assume we can use ToLayoutCell() in an object that can be created
for an ARIA cell and may not be associated with an actual table cell.

Bug: 798410
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
Reviewed-on: https://chromium-review.googlesource.com/906953
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#535462}
(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
Reviewed-on: https://chromium-review.googlesource.com/916527
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#447}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

[Backport] Security Bug 789764

[parser] Fix func numbering inside for in.

BUG=chromium:789764

Change-Id: I6a466660159721683c4979af32019d740094151b
Reviewed-on: https://chromium-review.googlesource.com/803217
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49795}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 .../search_engines/template_url_parser.cc          |  2 +-
 .../supervised_user_block_interstitial.js          |  8 +--
 .../gpu/command_buffer/service/context_state.cc    | 34 +++++++++-
 .../gpu/command_buffer/service/texture_manager.cc  |  6 +-
 chromium/net/base/port_util.cc                     |  3 +-
 .../bindings/core/v8/custom/V8WindowCustom.cpp     |  9 +++
 .../WebKit/Source/core/frame/LocalFrameView.cpp    |  5 +-
 .../Source/modules/accessibility/AXTableCell.cpp   |  8 +++
 .../WebKit/Source/modules/webaudio/AudioNode.cpp   | 41 ++++++++++--
 chromium/third_party/skia/include/core/SkTypes.h   |  1 +
 chromium/third_party/skia/src/core/SkMath.cpp      | 16 +++++
 chromium/third_party/skia/src/core/SkPathRef.cpp   | 22 +++++--
 chromium/third_party/skia/src/core/SkSafeMath.h    | 19 ++++++
 .../third_party/skia/src/effects/SkPackBits.cpp    |  5 +-
 chromium/third_party/skia/src/effects/SkPackBits.h |  2 +-
 .../third_party/skia/src/gpu/GrBufferAllocPool.cpp |  6 +-
 chromium/url/url_canon_etc.cc                      | 61 ++++++++++++-----
 chromium/v8/src/ast/ast-traversal-visitor.h        |  1 +
 chromium/v8/src/elements.cc                        | 76 ++++++++++++++++++----
 chromium/v8/src/elements.h                         | 17 ++---
 chromium/v8/src/js/intl.js                         |  8 +--
 chromium/v8/src/runtime/runtime-intl.cc            | 25 ++++---
 22 files changed, 293 insertions(+), 82 deletions(-)

diff --git a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
index 64b1385e05..476d879b5f 100644
--- a/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
+++ b/src/3rdparty/chromium/components/search_engines/template_url_parser.cc
@@ -438,7 +438,7 @@ void TemplateURLParsingContext::ProcessURLParams() {
     return;
 
   GURL url(is_suggest_url_ ? data_.suggestions_url : data_.url());
-  if (url.is_empty())
+  if (!url.is_valid())
     return;
 
   // If there is a parameter filter, parse the existing URL and remove any
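Review bot: switching from `url.is_empty()` to `!url.is_valid()` also keeps the old behaviour for the empty case, since an empty GURL is invalid, so nothing is lost; a one-line comment that an unparseable `suggestions_url`/`url()` is deliberately skipped here rather than reported would help the next reader, because the early return now silently drops parameter processing for malformed template URLs.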
diff --git a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
index d6b9327584..bee21be919 100644
--- a/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
+++ b/src/3rdparty/chromium/components/supervised_user_error_page/resources/supervised_user_block_interstitial.js
@@ -67,8 +67,8 @@ function initialize() {
       $('custodian-avatar-img').style.content =
           makeImageSet(avatarURL1x, avatarURL2x);
     }
-    $('custodian-name').innerHTML = custodianName;
-    $('custodian-email').innerHTML = loadTimeData.getString('custodianEmail');
+    $('custodian-name').textContent = custodianName;
+    $('custodian-email').textContent = loadTimeData.getString('custodianEmail');
     var secondAvatarURL1x = loadTimeData.getString('secondAvatarURL1x');
     var secondAvatarURL2x = loadTimeData.getString('secondAvatarURL2x');
     var secondCustodianName = loadTimeData.getString('secondCustodianName');
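Review bot: `textContent` is the right sink here; `custodianName` and the custodian e-mail are strings, and `innerHTML` would have parsed any markup they contained. Since the identical pattern recurs for the second custodian in the next hunk, a tiny helper such as `setText(id, s)` would make it harder for a future field to regress to `innerHTML`.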
@@ -79,8 +79,8 @@ function initialize() {
         $('second-custodian-avatar-img').style.content =
             makeImageSet(secondAvatarURL1x, secondAvatarURL2x);
       }
-      $('second-custodian-name').innerHTML = secondCustodianName;
-      $('second-custodian-email').innerHTML = loadTimeData.getString(
+      $('second-custodian-name').textContent = secondCustodianName;
+      $('second-custodian-email').textContent = loadTimeData.getString(
           'secondCustodianEmail');
     }
   }
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
index 3c71d38b25..1b1d647c36 100644
--- a/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/context_state.cc
@@ -29,6 +29,16 @@ GLuint Get2dServiceId(const TextureUnit& unit) {
       ? unit.bound_texture_2d->service_id() : 0;
 }
 
+GLuint Get2dArrayServiceId(const TextureUnit& unit) {
+  return unit.bound_texture_2d_array.get()
+             ? unit.bound_texture_2d_array->service_id()
+             : 0;
+}
+
+GLuint Get3dServiceId(const TextureUnit& unit) {
+  return unit.bound_texture_3d.get() ? unit.bound_texture_3d->service_id() : 0;
+}
+
 GLuint GetCubeServiceId(const TextureUnit& unit) {
   return unit.bound_texture_cube_map.get()
       ? unit.bound_texture_cube_map->service_id() : 0;
@@ -239,6 +249,8 @@ void ContextState::RestoreTextureUnitBindings(
   DCHECK_LT(unit, texture_units.size());
   const TextureUnit& texture_unit = texture_units[unit];
   GLuint service_id_2d = Get2dServiceId(texture_unit);
+  GLuint service_id_2d_array = Get2dArrayServiceId(texture_unit);
+  GLuint service_id_3d = Get3dServiceId(texture_unit);
   GLuint service_id_cube = GetCubeServiceId(texture_unit);
   GLuint service_id_oes = GetOesServiceId(texture_unit);
   GLuint service_id_arb = GetArbServiceId(texture_unit);
@@ -249,10 +261,22 @@ void ContextState::RestoreTextureUnitBindings(
       feature_info_->feature_flags().oes_egl_image_external ||
       feature_info_->feature_flags().nv_egl_stream_consumer_external;
   bool bind_texture_arb = feature_info_->feature_flags().arb_texture_rectangle;
+  // TEXTURE_2D_ARRAY and TEXTURE_3D are only applicable from ES3 version.
+  // So set it to FALSE by default.
+  bool bind_texture_2d_array = false;
+  bool bind_texture_3d = false;
+  // set the variables to true only if the application is ES3 or newer
+  if (feature_info_->IsES3Capable()) {
+    bind_texture_2d_array = true;
+    bind_texture_3d = true;
+  }
 
   if (prev_state) {
     const TextureUnit& prev_unit = prev_state->texture_units[unit];
     bind_texture_2d = service_id_2d != Get2dServiceId(prev_unit);
+    bind_texture_2d_array =
+        service_id_2d_array != Get2dArrayServiceId(prev_unit);
+    bind_texture_3d = service_id_3d != Get3dServiceId(prev_unit);
     bind_texture_cube = service_id_cube != GetCubeServiceId(prev_unit);
     bind_texture_oes =
         bind_texture_oes && service_id_oes != GetOesServiceId(prev_unit);
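Review bot: in the `prev_state` branch `bind_texture_2d_array` and `bind_texture_3d` are overwritten by the plain service-id comparison, which drops the `IsES3Capable()` gate set just above, whereas `bind_texture_oes` keeps its gate with `bind_texture_oes && ...`. Use the same form, `bind_texture_2d_array = bind_texture_2d_array && service_id_2d_array != Get2dArrayServiceId(prev_unit);` (and likewise for 3D), so a non-ES3 context can never reach `glBindTexture(GL_TEXTURE_2D_ARRAY, ...)` even if a stale binding shows up in `prev_unit`.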
@@ -261,8 +285,8 @@ void ContextState::RestoreTextureUnitBindings(
   }
 
   // Early-out if nothing has changed from the previous state.
-  if (!bind_texture_2d && !bind_texture_cube
-      && !bind_texture_oes && !bind_texture_arb) {
+  if (!bind_texture_2d && !bind_texture_2d_array && !bind_texture_3d &&
+      !bind_texture_cube && !bind_texture_oes && !bind_texture_arb) {
     return;
   }
 
@@ -279,6 +303,12 @@ void ContextState::RestoreTextureUnitBindings(
   if (bind_texture_arb) {
     glBindTexture(GL_TEXTURE_RECTANGLE_ARB, service_id_arb);
   }
+  if (bind_texture_2d_array) {
+    glBindTexture(GL_TEXTURE_2D_ARRAY, service_id_2d_array);
+  }
+  if (bind_texture_3d) {
+    glBindTexture(GL_TEXTURE_3D, service_id_3d);
+  }
 }
 
 void ContextState::RestoreSamplerBinding(GLuint unit,
diff --git a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
index f56e04f411..cac58af031 100644
--- a/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
+++ b/src/3rdparty/chromium/gpu/command_buffer/service/texture_manager.cc
@@ -2634,9 +2634,6 @@ void TextureManager::DoCubeMapWorkaround(
     TextureRef* texture_ref,
     const char* function_name,
     const DoTexImageArguments& args) {
-  // This workaround code does not work with an unpack buffer bound.
-  ScopedResetPixelUnpackBuffer scoped_reset_pbo(state);
-
   std::vector<GLenum> undefined_faces;
   Texture* texture = texture_ref->texture();
   if (texture_state->force_cube_complete ||
@@ -2668,6 +2665,8 @@ void TextureManager::DoCubeMapWorkaround(
   DoTexImageArguments new_args = args;
   std::unique_ptr<char[]> zero(new char[args.pixels_size]);
   memset(zero.get(), 0, args.pixels_size);
+  // Need to clear PIXEL_UNPACK_BUFFER and UNPACK params for data uploading.
+  state->PushTextureDecompressionUnpackState();
   for (GLenum face : undefined_faces) {
     new_args.target = face;
     new_args.pixels = zero.get();
@@ -2675,6 +2674,7 @@ void TextureManager::DoCubeMapWorkaround(
                function_name, texture_ref, new_args);
     texture->MarkLevelAsInternalWorkaround(face, args.level);
   }
+  state->RestoreUnpackState();
 }
 
 void TextureManager::ValidateAndDoTexImage(
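Review bot: the removed `ScopedResetPixelUnpackBuffer` was RAII, while its replacement is a manual `PushTextureDecompressionUnpackState()` / `RestoreUnpackState()` pair split across two hunks; nothing between them returns early today, but any future early return inside the `undefined_faces` loop would leave the unpack state pushed. A scoped wrapper around the two calls, or at least a comment at the push site naming the matching restore, would make the pairing explicit.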
diff --git a/src/3rdparty/chromium/net/base/port_util.cc b/src/3rdparty/chromium/net/base/port_util.cc
index 543d9db943..83c9821398 100644
--- a/src/3rdparty/chromium/net/base/port_util.cc
+++ b/src/3rdparty/chromium/net/base/port_util.cc
@@ -90,10 +90,9 @@ const int kRestrictedPorts[] = {
              // KURL::port())
 };
 
-// FTP overrides the following restricted ports.
+// FTP overrides the following restricted port.
 const int kAllowedFtpPorts[] = {
     21,  // ftp data
-    22,  // ssh
 };
 
 base::LazyInstance<std::multiset<int>>::Leaky g_explicitly_allowed_ports =
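Review bot: with 22 gone from `kAllowedFtpPorts` it stays blocked for FTP through `kRestrictedPorts`, which is the intent; it would be worth saying in the comment that a deployment that genuinely needs ftp://host:22 should re-enable it through `g_explicitly_allowed_ports` (declared right below), since that override is the supported path rather than re-adding the entry here.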
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
index 90883c712f..9abef3a420 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
@@ -262,6 +262,15 @@ void V8Window::openMethodCustom(
     return;
   }
 
+  // If the bindings implementation is 100% correct, the current realm and the
+  // entered realm should be same origin-domain. However, to be on the safe
+  // side and add some defense in depth, we'll check against the entered realm
+  // as well here.
+  if (!BindingSecurity::ShouldAllowAccessTo(EnteredDOMWindow(info.GetIsolate()),
+                                            impl, exception_state)) {
+    return;
+  }
+
   TOSTRING_VOID(V8StringResource<kTreatNullAndUndefinedAsNullString>,
                 url_string, info[0]);
   AtomicString frame_name;
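Review bot: this check rejects every `open()` call whose entered realm lacks access to `impl`, not only those with javascript: URLs as the commit title says; the message should state that the check is general. Placing it ahead of `TOSTRING_VOID` on `info[0]` is the right order: a denied caller never has its URL argument stringified, so no script-controlled `toString` runs after the access decision.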
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
index 8ce1574d45..1c5b193eda 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
@@ -1862,9 +1862,12 @@ void LocalFrameView::ProcessUrlFragment(const KURL& url,
       !frame_->GetDocument()->IsSVGDocument())
     return;
 
+  // Try the raw fragment for HTML documents, but skip it for `svgView()`:
   String fragment_identifier = url.FragmentIdentifier();
-  if (ProcessUrlFragmentHelper(fragment_identifier, behavior))
+  if (!frame_->GetDocument()->IsSVGDocument() &&
+      ProcessUrlFragmentHelper(fragment_identifier, behavior)) {
     return;
+  }
 
   // Try again after decoding the ref, based on the document's encoding.
   if (frame_->GetDocument()->Encoding().IsValid()) {
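Review bot: `IsSVGDocument()` is now evaluated twice in a row (the early return at the top of the hunk and the new guard); hoisting `bool is_svg = frame_->GetDocument()->IsSVGDocument();` would make the two-step intent (raw fragment for HTML only, decoded fragment for both) easier to follow. Also, the backticks around `svgView()` in the new comment are markdown rather than this file's comment style.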
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
index bbe7147921..1b88d0bd4e 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
@@ -156,6 +156,14 @@ AccessibilityRole AXTableCell::ScanToDecideHeaderRole() {
   if (IsColumnHeaderCell())
     return kColumnHeaderRole;
 
+  // This occurs in an edge case that mixes non-table CSS into a
+  // table, and <th role="gridcell">, see bug 798410.
+  // The odd CSS causes the <th> to not be a LayoutTableCell,
+  // and the ARIA role causes it to fall through to here, because
+  // it is not an ARIA/HTML column/row header.
+  if (!layout_object_ || !layout_object_->IsTableCell())
+    return kCellRole;  // <th role="gridcell">.
+
   // Check the previous cell and the next cell on the same row.
   LayoutTableCell* layout_cell = ToLayoutTableCell(layout_object_);
   AccessibilityRole header_role = kCellRole;
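Review bot: the new guard is the first place in this function that tolerates a null `layout_object_`; please confirm that `IsColumnHeaderCell()`, called unconditionally above it, also handles the null or non-table-cell case, otherwise the crash moves rather than disappears. Returning `kCellRole` for `<th role="gridcell">` matches the ARIA role the author gave, so the fallback value looks right.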
diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
index 64cc1d575f..b764fb6145 100644
--- a/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/modules/webaudio/AudioNode.cpp
@@ -64,6 +64,15 @@ AudioHandler::AudioHandler(NodeType node_type,
   }
 #endif
   InstanceCounters::IncrementCounter(InstanceCounters::kAudioHandlerCounter);
+
+#if DEBUG_AUDIONODE_REFERENCES
+  fprintf(
+      stderr,
+      "[%16p]: %16p: %2d: AudioHandler::AudioHandler() %d [%d] total: %u\n",
+      Context(), this, GetNodeType(), connection_ref_count_,
+      node_count_[GetNodeType()],
+      InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
+#endif
 }
 
 AudioHandler::~AudioHandler() {
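Review bot: the new `fprintf` passes `InstanceCounters::CounterValue(...)` to `%u`; if `CounterValue` returns a signed `int` this is a format/argument mismatch that `-Wformat` flags. Debug-only code, but match the specifier to the return type (or cast) so the build stays warning-clean with `DEBUG_AUDIONODE_REFERENCES` on.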
@@ -73,9 +82,13 @@ AudioHandler::~AudioHandler() {
   InstanceCounters::DecrementCounter(InstanceCounters::kAudioHandlerCounter);
 #if DEBUG_AUDIONODE_REFERENCES
   --node_count_[GetNodeType()];
-  fprintf(stderr, "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d]\n",
-          Context(), this, GetNodeType(), connection_ref_count_,
-          node_count_[GetNodeType()]);
+  fprintf(
+      stderr,
+      "[%16p]: %16p: %2d: AudioHandler::~AudioHandler() %d [%d] remaining: "
+       "%u\n",
+      Context(), this, GetNodeType(), connection_ref_count_,
+      node_count_[GetNodeType()],
+      InstanceCounters::CounterValue(InstanceCounters::kAudioHandlerCounter));
 #endif
 }
 
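Review bot: the continuation literal `"%u\n"` is indented one column deeper than the string it continues; align it with the preceding literal, as in the constructor's message in the previous hunk.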
@@ -542,9 +555,25 @@ void AudioNode::Dispose() {
 #endif
   BaseAudioContext::AutoLocker locker(context());
   Handler().Dispose();
-  if (context()->ContextState() == BaseAudioContext::kRunning) {
-    context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
-        std::move(handler_));
+  if (context()->HasRealtimeConstraint()) {
+    // Add the handler to the orphan list if the context is not
+    // closed. (Nothing will clean up the orphan list if the context
+    // is closed.)  These will get cleaned up in the post render task
+    // if audio thread is running or when the context is colleced (in
+    // the worst case).
+    if (context()->ContextState() != BaseAudioContext::kClosed) {
+      context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+          std::move(handler_));
+    }
+  } else {
+    // For an offline context, only need to save the handler when the
+    // context is running.  The change in the context state is
+    // synchronous with the main thread (even though the offline
+    // thread is not synchronized to the main thread).
+    if (context()->ContextState() == BaseAudioContext::kRunning) {
+      context()->GetDeferredTaskHandler().AddRenderingOrphanHandler(
+          std::move(handler_));
+    }
   }
 }
 
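Review bot: typo in the new comment, `colleced` should be `collected`. The logic matches the commit message: a realtime context's handler is parked on the orphan list in every state except `kClosed`, and an offline context's only while `kRunning`, with the comment already explaining why the offline case cannot race.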
diff --git a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
index 1dd672bea4..a3e295e285 100644
--- a/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
+++ b/src/3rdparty/chromium/third_party/skia/include/core/SkTypes.h
@@ -235,6 +235,7 @@ template <typename D, typename S> D SkTo(S s) {
 #define SK_MaxU32   0xFFFFFFFF
 #define SK_MinU32   0
 #define SK_NaN32    ((int) (1U << 31))
+#define SK_MaxSizeT SIZE_MAX
 
 /** Returns true if the value can be represented with signed 16bits
  */
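Review bot: `SK_MaxSizeT` expands to `SIZE_MAX`, which comes from `<stdint.h>`/`<cstdint>`; make sure SkTypes.h includes one of them directly rather than relying on a transitive include, so the macro works in every translation unit that uses it, including SkMath.cpp below.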
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
index 6eff790c85..947c125b27 100644
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkMath.cpp
@@ -10,6 +10,8 @@
 #include "SkFloatBits.h"
 #include "SkFloatingPoint.h"
 #include "SkScalar.h"
+#include "SkSafeMath.h"
+
 
 #define sub_shift(zeros, x, n)  \
     zeros -= n;                 \
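Review bot: the new include leaves two consecutive blank lines before `#define sub_shift`; drop one.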
@@ -84,3 +86,17 @@ float SkScalarSinCos(float radians, float* cosValue) {
     }
     return sinValue;
 }
+
+///////////////////////////////////////////////////////////////////////////////////////////////////
+
+size_t SkSafeMath::Add(size_t x, size_t y) {
+    SkSafeMath tmp;
+    size_t sum = tmp.add(x, y);
+    return tmp.ok() ? sum : SK_MaxSizeT;
+}
+
+size_t SkSafeMath::Mul(size_t x, size_t y) {
+    SkSafeMath tmp;
+    size_t prod = tmp.mul(x, y);
+    return tmp.ok() ? prod : SK_MaxSizeT;
+}
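Review bot: `Add`/`Mul` saturate to `SK_MaxSizeT` instead of reporting failure, so a caller that feeds the result straight into an allocation gets an allocation that fails rather than an undersized buffer, which is the safe direction. Callers that compute an offset rather than a size still have to compare against `SK_MaxSizeT` explicitly; a sentence on that in the header comment would help.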
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
index 094e6717e6..33008ead35 100644
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkPathRef.cpp
@@ -9,7 +9,7 @@
 #include "SkOnce.h"
 #include "SkPath.h"
 #include "SkPathRef.h"
-#include <limits>
+#include "SkSafeMath.h"
 
 //////////////////////////////////////////////////////////////////////////////
 SkPathRef::Editor::Editor(sk_sp<SkPathRef>* pathRef,
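Review bot: `<limits>` is dropped in favour of `SkSafeMath.h`; that only works if nothing else in SkPathRef.cpp uses `std::numeric_limits` and if SkSafeMath.h itself includes `<limits>` (its new `addInt` depends on it). Please verify both rather than relying on transitive includes.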
@@ -195,22 +195,23 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
         return false;
     }
 
+    SkSafeMath safe;
     int ptCount = 0;
     int conicCount = 0;
     for (int i = 0; i < vCount; ++i) {
         switch (verbs[i]) {
             case SkPath::kMove_Verb:
             case SkPath::kLine_Verb:
-                ptCount += 1;
+                ptCount = safe.addInt(ptCount, 1);
                 break;
             case SkPath::kConic_Verb:
                 conicCount += 1;
                 // fall-through
             case SkPath::kQuad_Verb:
-                ptCount += 2;
+                ptCount = safe.addInt(ptCount, 2);
                 break;
             case SkPath::kCubic_Verb:
-                ptCount += 3;
+                ptCount = safe.addInt(ptCount, 3);
                 break;
             case SkPath::kClose_Verb:
                 break;
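Review bot: `conicCount += 1` is left unchecked while `ptCount` is wrapped in `safe.addInt`; that is fine because every conic verb also adds 2 to `ptCount`, so `ptCount` overflows first and the `!safe` check after the loop catches it. A comment saying so would stop the next reader from "fixing" it.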
@@ -218,6 +219,9 @@ static bool deduce_pts_conics(const uint8_t verbs[], int vCount, int* ptCountPtr
                 return false;
         }
     }
+    if (!safe) {
+        return false;
+    }
     *ptCountPtr = ptCount;
     *conicCountPtr = conicCount;
     return true;
@@ -554,12 +558,18 @@ SkPoint* SkPathRef::growForVerb(int /* SkPath::Verb*/ verb, SkScalar weight) {
             dirtyAfterEdit = false;
             pCnt = 0;
     }
+    SkSafeMath safe;
+    int newPointCnt = safe.addInt(fPointCnt, pCnt);
+    int newVerbCnt  = safe.addInt(fVerbCnt, 1);
+    if (!safe) {
+        SK_ABORT("cannot grow path");
+    }
     size_t space = sizeof(uint8_t) + pCnt * sizeof (SkPoint);
     this->makeSpace(space);
     this->fVerbs[~fVerbCnt] = verb;
     SkPoint* ret = fPoints + fPointCnt;
-    fVerbCnt += 1;
-    fPointCnt += pCnt;
+    fVerbCnt = newVerbCnt;
+    fPointCnt = newPointCnt;
     fFreeSpace -= space;
     fBoundsIsDirty = true;  // this also invalidates fIsFinite
     if (dirtyAfterEdit) {
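Review bot: the overflow check now precedes `makeSpace`, so `fPointCnt`/`fVerbCnt` can no longer wrap to a small value and later index past the allocation; `SK_ABORT` is a deliberate fail-closed crash, which is the right trade for untrusted path data. `space` itself is not routed through `SkSafeMath`, which is acceptable only because `pCnt` is a small constant chosen by the switch above; a comment saying so would help.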
diff --git a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
index 91200fbb56..74089633ae 100644
--- a/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
+++ b/src/3rdparty/chromium/third_party/skia/src/core/SkSafeMath.h
@@ -28,6 +28,25 @@ public:
         return result;
     }
 
+    /**
+     *  Return a + b, unless this result is an overflow/underflow. In those cases, fOK will
+     *  be set to false, and it is undefined what this returns.
+     */
+    int addInt(int a, int b) {
+        if (b < 0 && a < std::numeric_limits<int>::min() - b) {
+            fOK = false;
+            return a;
+        } else if (b > 0 && a > std::numeric_limits<int>::max() - b) {
+            fOK = false;
+            return a;
+        }
+        return a + b;
+    }
+
+    // These saturate to their results
+    static size_t Add(size_t x, size_t y);
+    static size_t Mul(size_t x, size_t y);
+
 private:
     uint32_t mul32(uint32_t x, uint32_t y) {
         uint64_t bx = x;
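Review bot: `std::numeric_limits` requires `<limits>` and the hunk does not show it being included; add it explicitly rather than relying on a transitive include. `Add` and `Mul` are only declared here, and their definitions are not in this patch, yet GrBufferAllocPool.cpp now calls `SkSafeMath::Mul`, so confirm the corresponding .cpp is part of the backport or the link will fail. The comment "These saturate to their results" should say what they saturate to (SIZE_MAX on overflow), since callers must treat that value as a failure.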
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
index 286d9d140c..d2dfed9de1 100644
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.cpp
@@ -88,13 +88,13 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
         unsigned n = *src++;
         if (n <= 127) {   // repeat count (n + 1)
             n += 1;
-            if (dst >(endDst - n)) {
+            if (dst > (endDst - n) || src >= stop) {
                 return 0;
             }
             memset(dst, *src++, n);
         } else {    // same count (n - 127)
             n -= 127;
-            if (dst > (endDst - n)) {
+            if (dst > (endDst - n) || src > (stop - n)) {
                 return 0;
             }
             memcpy(dst, src, n);
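Review bot: `src > (stop - n)` (like the pre-existing `dst > (endDst - n)`) forms a pointer before the buffer start whenever fewer than n bytes remain, which is undefined behaviour in C++ even though it compares correctly on a flat address space; the overflow-free spelling is `static_cast<size_t>(stop - src) < n` and `static_cast<size_t>(endDst - dst) < n`. The repeat branch's new `src >= stop` check is correct as written: it guarantees the single byte consumed by `*src++`.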
@@ -103,5 +103,6 @@ int SkPackBits::Unpack8(const uint8_t* SK_RESTRICT src, size_t srcSize,
         dst += n;
     }
     SkASSERT(src <= stop);
+    SkASSERT(dst <= endDst);
     return SkToInt(dst - origDst);
 }
diff --git a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
index 2dc7677afc..773b13e0c1 100644
--- a/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
+++ b/src/3rdparty/chromium/third_party/skia/src/effects/SkPackBits.h
@@ -36,7 +36,7 @@ public:
         @param srcSize  Number of bytes of src to unpack
         @param dst      Buffer (allocated by caller) to expand the src[] into.
         @param dstSize  Number of bytes in the output buffer.
-        @return the number of bytes written into dst.
+        @return the number of bytes written into dst, or 0 if srcSize or dstSize are too small.
     */
     static int Unpack8(const uint8_t src[], size_t srcSize, uint8_t dst[],
                        size_t dstSize);
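Review bot: documenting 0 as the error return makes it indistinguishable from a legitimately empty result (srcSize == 0 also yields 0), so callers cannot tell truncated input from "nothing to do"; either note that explicitly in the @return text or use a distinct sentinel such as -1, since the return type is already `int`.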
diff --git a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
index 3096ae5eeb..050b5db164 100644
--- a/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/gpu/GrBufferAllocPool.cpp
@@ -13,7 +13,7 @@
 #include "GrGpu.h"
 #include "GrResourceProvider.h"
 #include "GrTypes.h"
-
+#include "SkSafeMath.h"
 #include "SkTraceEvent.h"
 
 #ifdef SK_DEBUG
@@ -393,7 +393,7 @@ void* GrVertexBufferAllocPool::makeSpace(size_t vertexSize,
     SkASSERT(startVertex);
 
     size_t offset SK_INIT_TO_AVOID_WARNING;
-    void* ptr = INHERITED::makeSpace(vertexSize * vertexCount,
+    void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(vertexSize, vertexCount),
                                      vertexSize,
                                      buffer,
                                      &offset);
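Review bot: `SkSafeMath::Mul` saturates on overflow rather than failing, so this guard only helps if `INHERITED::makeSpace` rejects a SIZE_MAX-sized request instead of aligning or rounding it (which would wrap again); confirm that path returns null for oversized requests, and that the caller checks the null `ptr`.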
@@ -447,7 +447,7 @@ void* GrIndexBufferAllocPool::makeSpace(int indexCount,
     SkASSERT(startIndex);
 
     size_t offset SK_INIT_TO_AVOID_WARNING;
-    void* ptr = INHERITED::makeSpace(indexCount * sizeof(uint16_t),
+    void* ptr = INHERITED::makeSpace(SkSafeMath::Mul(indexCount, sizeof(uint16_t)),
                                      sizeof(uint16_t),
                                      buffer,
                                      &offset);
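Review bot: `indexCount` is an `int`; a negative value converts to a huge `size_t` before `SkSafeMath::Mul` saturates it, so the request only fails if the pool rejects SIZE_MAX. Add `SkASSERT(indexCount > 0)` beside `SkASSERT(startIndex)` so a bad count is caught at the boundary in debug builds rather than relying on the allocation failing.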
diff --git a/src/3rdparty/chromium/url/url_canon_etc.cc b/src/3rdparty/chromium/url/url_canon_etc.cc
index 31e9fb5cfa..bbc46270a1 100644
--- a/src/3rdparty/chromium/url/url_canon_etc.cc
+++ b/src/3rdparty/chromium/url/url_canon_etc.cc
@@ -233,6 +233,43 @@ bool DoPort(const CHAR* spec,
   return true;
 }
 
+// clang-format off
+//   Percent-escape all "C0 controls" (0x00-0x1F)
+//   https://infra.spec.whatwg.org/#c0-control along with the characters ' '
+//   (0x20), '"' (0x22), '<' (0x3C), '>' (0x3E), and '`' (0x60):
+const bool kShouldEscapeCharInRef[0x80] = {
+//  Control characters (0x00-0x1F)
+    true,  true,  true,  true,  true,  true,  true,  true,
+    true,  true,  true,  true,  true,  true,  true,  true,
+    true,  true,  true,  true,  true,  true,  true,  true,
+    true,  true,  true,  true,  true,  true,  true,  true,
+//  ' '    !      "      #      $      %      &      '
+    true,  false, true,  false, false, false, false, false,
+//  (      )      *      +      ,      -      .      /
+    false, false, false, false, false, false, false, false,
+//  0      1      2      3      4      5      6      7
+    false, false, false, false, false, false, false, false,
+//  8      9      :      ;      <      =      >      ?
+    false, false, false, false, true,  false, true,  false,
+//  @      A      B      C      D      E      F      G
+    false, false, false, false, false, false, false, false,
+//  H      I      J      K      L      M      N      O
+    false, false, false, false, false, false, false, false,
+//  P      Q      R      S      T      U      V      W
+    false, false, false, false, false, false, false, false,
+//  X      Y      Z      [      \      ]      ^      _
+    false, false, false, false, false, false, false, false,
+//  `      a      b      c      d      e      f      g
+    true,  false, false, false, false, false, false, false,
+//  h      i      j      k      l      m      n      o
+    false, false, false, false, false, false, false, false,
+//  p      q      r      s      t      u      v      w
+    false, false, false, false, false, false, false, false,
+//  x      y      z      {      |      }      ~
+    false, false, false, false, false, false, false
+};
+// clang-format on
+
 template<typename CHAR, typename UCHAR>
 void DoCanonicalizeRef(const CHAR* spec,
                        const Component& ref,
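Review bot: the table has 127 explicit initializers for a 128-element array (4 control rows of 8, then 11 rows of 8 and a final row of 7), so 0x7F (DEL) is silently value-initialized to false. Per the WHATWG URL fragment percent-encode set, which builds on the C0 control percent-encode set (C0 controls plus all code points above U+007E), DEL should be escaped; add an explicit `DEL` column with `true`, or with `false` plus a comment if the divergence is intentional, so the initializer count matches the declared size.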
@@ -255,22 +292,16 @@ void DoCanonicalizeRef(const CHAR* spec,
     if (spec[i] == 0) {
       // IE just strips NULLs, so we do too.
       continue;
-    } else if (static_cast<UCHAR>(spec[i]) < 0x20) {
-      // Unline IE seems to, we escape control characters. This will probably
-      // make the reference fragment unusable on a web page, but people
-      // shouldn't be using control characters in their anchor names.
-      AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
-    } else if (static_cast<UCHAR>(spec[i]) < 0x80) {
-      // Normal ASCII characters are just appended.
-      output->push_back(static_cast<char>(spec[i]));
+    }
+
+    UCHAR current_char = static_cast<UCHAR>(spec[i]);
+    if (current_char < 0x80) {
+      if (kShouldEscapeCharInRef[current_char])
+        AppendEscapedChar(static_cast<unsigned char>(spec[i]), output);
+      else
+        output->push_back(static_cast<char>(spec[i]));
     } else {
-      // Non-ASCII characters are appended unescaped, but only when they are
-      // valid. Invalid Unicode characters are replaced with the "invalid
-      // character" as IE seems to (ReadUTFChar puts the unicode replacement
-      // character in the output on failure for us).
-      unsigned code_point;
-      ReadUTFChar(spec, &i, end, &code_point);
-      AppendUTF8Value(code_point, output);
+      AppendUTF8EscapedChar(spec, &i, end, output);
     }
   }
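Review bot: entry 0x00 of kShouldEscapeCharInRef is `true`, but the `if (spec[i] == 0) continue;` above strips NULs before the table is consulted, so that entry is dead; either drop the early `continue` so NUL is escaped as the table's C0 rule states, or comment in the table that 0x00 is stripped earlier. The behavioural change worth calling out in the backport message is the else branch: non-ASCII in the fragment now goes through `AppendUTF8EscapedChar` (percent-escaped) instead of `AppendUTF8Value` (raw UTF-8 appended).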
 
diff --git a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
index 5eee300cc3..7026268b77 100644
--- a/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
+++ b/src/3rdparty/chromium/v8/src/ast/ast-traversal-visitor.h
@@ -248,6 +248,7 @@ void AstTraversalVisitor<Subclass>::VisitForStatement(ForStatement* stmt) {
 template <class Subclass>
 void AstTraversalVisitor<Subclass>::VisitForInStatement(ForInStatement* stmt) {
   PROCESS_NODE(stmt);
+  RECURSE(Visit(stmt->each()));
   RECURSE(Visit(stmt->enumerable()));
   RECURSE(Visit(stmt->body()));
 }
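Review bot: `each()` is now visited for ForInStatement, but ForOfStatement has the same each()/body shape in this visitor; confirm VisitForOfStatement traverses its `each()` (or the equivalent assignment node) too, otherwise the same class of missed-node traversal remains one function down.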
diff --git a/src/3rdparty/chromium/v8/src/elements.cc b/src/3rdparty/chromium/v8/src/elements.cc
index 716cc00b9a..bc89c77047 100644
--- a/src/3rdparty/chromium/v8/src/elements.cc
+++ b/src/3rdparty/chromium/v8/src/elements.cc
@@ -518,6 +518,21 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
   return Just<int64_t>(-1);
 }
 
+// The InternalElementsAccessor is a helper class to expose otherwise protected
+// methods to its subclasses. Namely, we don't want to publicly expose methods
+// that take an entry (instead of an index) as an argument.
+class InternalElementsAccessor : public ElementsAccessor {
+ public:
+  explicit InternalElementsAccessor(const char* name)
+      : ElementsAccessor(name) {}
+
+  virtual uint32_t GetEntryForIndex(Isolate* isolate, JSObject* holder,
+                                    FixedArrayBase* backing_store,
+                                    uint32_t index) = 0;
+
+  virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
+};
+
 // Base class for element handler implementations. Contains the
 // the common logic for objects with different ElementsKinds.
 // Subclasses must specialize method for which the element
@@ -536,10 +551,10 @@ static Maybe<int64_t> IndexOfValueSlowPath(Isolate* isolate,
 // CRTP to guarantee aggressive compile time optimizations (i.e.  inlining and
 // specialization of SomeElementsAccessor methods).
 template <typename Subclass, typename ElementsTraitsParam>
-class ElementsAccessorBase : public ElementsAccessor {
+class ElementsAccessorBase : public InternalElementsAccessor {
  public:
   explicit ElementsAccessorBase(const char* name)
-      : ElementsAccessor(name) { }
+      : InternalElementsAccessor(name) {}
 
   typedef ElementsTraitsParam ElementsTraits;
   typedef typename ElementsTraitsParam::BackingStore BackingStore;
@@ -1040,35 +1055,67 @@ class ElementsAccessorBase : public ElementsAccessor {
       Isolate* isolate, Handle<JSObject> object,
       Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
       PropertyFilter filter) {
-    int count = 0;
+    DCHECK_EQ(*nof_items, 0);
     KeyAccumulator accumulator(isolate, KeyCollectionMode::kOwnOnly,
                                ALL_PROPERTIES);
     Subclass::CollectElementIndicesImpl(
         object, handle(object->elements(), isolate), &accumulator);
     Handle<FixedArray> keys = accumulator.GetKeys();
 
-    for (int i = 0; i < keys->length(); ++i) {
+    int count = 0;
+    int i = 0;
+    Handle<Map> original_map(object->map(), isolate);
+
+    for (; i < keys->length(); ++i) {
       Handle<Object> key(keys->get(i), isolate);
-      Handle<Object> value;
       uint32_t index;
       if (!key->ToUint32(&index)) continue;
 
+      DCHECK_EQ(object->map(), *original_map);
       uint32_t entry = Subclass::GetEntryForIndexImpl(
           isolate, *object, object->elements(), index, filter);
       if (entry == kMaxUInt32) continue;
 
       PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);
 
+      Handle<Object> value;
       if (details.kind() == kData) {
         value = Subclass::GetImpl(isolate, object->elements(), entry);
       } else {
+        // This might modify the elements and/or change the elements kind.
         LookupIterator it(isolate, object, index, LookupIterator::OWN);
         ASSIGN_RETURN_ON_EXCEPTION_VALUE(
             isolate, value, Object::GetProperty(&it), Nothing<bool>());
       }
-      if (get_entries) {
-        value = MakeEntryPair(isolate, index, value);
+      if (get_entries) value = MakeEntryPair(isolate, index, value);
+      values_or_entries->set(count++, *value);
+      if (object->map() != *original_map) break;
+    }
+
+    // Slow path caused by changes in elements kind during iteration.
+    for (; i < keys->length(); i++) {
+      Handle<Object> key(keys->get(i), isolate);
+      uint32_t index;
+      if (!key->ToUint32(&index)) continue;
+
+      if (filter & ONLY_ENUMERABLE) {
+        InternalElementsAccessor* accessor =
+            reinterpret_cast<InternalElementsAccessor*>(
+                object->GetElementsAccessor());
+
+        uint32_t entry = accessor->GetEntryForIndex(isolate, *object,
+                                                    object->elements(), index);
+        if (entry == kMaxUInt32) continue;
+        PropertyDetails details = accessor->GetDetails(*object, entry);
+        if (!details.IsEnumerable()) continue;
       }
+
+      Handle<Object> value;
+      LookupIterator it(isolate, object, index, LookupIterator::OWN);
+      ASSIGN_RETURN_ON_EXCEPTION_VALUE(isolate, value, Object::GetProperty(&it),
+                                       Nothing<bool>());
+
+      if (get_entries) value = MakeEntryPair(isolate, index, value);
       values_or_entries->set(count++, *value);
     }
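Review bot: after the fast loop's `break` (taken right after `values_or_entries->set(count++, *value)`), `i` still indexes the key just emitted, so the slow path's `for (; i < keys->length(); i++)` looks that key up and stores it a second time, re-running its getter as well; advance past it before leaving the fast loop (`++i; break;`) or start the slow loop at the following key. Separately, the `reinterpret_cast<InternalElementsAccessor*>` on the result of `GetElementsAccessor()` should be a `static_cast`: InternalElementsAccessor is now a declared base of every accessor, so the downcast is well-formed and a `static_cast` fails to compile if that hierarchy changes, whereas the reinterpret_cast would silently keep working by accident.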
 
@@ -1668,12 +1715,13 @@ class DictionaryElementsAccessor
         return result;
       }
     }
-
+    Handle<Map> original_map(receiver->map(), isolate);
     Handle<SeededNumberDictionary> dictionary(
         SeededNumberDictionary::cast(receiver->elements()), isolate);
     // Iterate through entire range, as accessing elements out of order is
     // observable
     for (uint32_t k = start_from; k < length; ++k) {
+      DCHECK_EQ(receiver->map(), *original_map);
       int entry = dictionary->FindEntry(isolate, k);
       if (entry == SeededNumberDictionary::kNotFound) {
         if (search_for_hole) return Just(true);
@@ -1738,15 +1786,15 @@ class DictionaryElementsAccessor
                                          uint32_t start_from, uint32_t length) {
     DCHECK(JSObject::PrototypeHasNoElements(isolate, *receiver));
 
+    Handle<Map> original_map(receiver->map(), isolate);
     Handle<SeededNumberDictionary> dictionary(
         SeededNumberDictionary::cast(receiver->elements()), isolate);
     // Iterate through entire range, as accessing elements out of order is
     // observable.
     for (uint32_t k = start_from; k < length; ++k) {
+      DCHECK_EQ(receiver->map(), *original_map);
       int entry = dictionary->FindEntry(isolate, k);
-      if (entry == SeededNumberDictionary::kNotFound) {
-        continue;
-      }
+      if (entry == SeededNumberDictionary::kNotFound) continue;
 
       PropertyDetails details = GetDetailsImpl(*dictionary, entry);
       switch (details.kind()) {
@@ -3622,12 +3670,13 @@ class SloppyArgumentsElementsAccessor
                                        Handle<Object> value,
                                        uint32_t start_from, uint32_t length) {
     DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
-    Handle<Map> original_map = handle(object->map(), isolate);
+    Handle<Map> original_map(object->map(), isolate);
     Handle<SloppyArgumentsElements> elements(
         SloppyArgumentsElements::cast(object->elements()), isolate);
     bool search_for_hole = value->IsUndefined(isolate);
 
     for (uint32_t k = start_from; k < length; ++k) {
+      DCHECK_EQ(object->map(), *original_map);
       uint32_t entry =
           GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
       if (entry == kMaxUInt32) {
@@ -3663,11 +3712,12 @@ class SloppyArgumentsElementsAccessor
                                          Handle<Object> value,
                                          uint32_t start_from, uint32_t length) {
     DCHECK(JSObject::PrototypeHasNoElements(isolate, *object));
-    Handle<Map> original_map = handle(object->map(), isolate);
+    Handle<Map> original_map(object->map(), isolate);
     Handle<SloppyArgumentsElements> elements(
         SloppyArgumentsElements::cast(object->elements()), isolate);
 
     for (uint32_t k = start_from; k < length; ++k) {
+      DCHECK_EQ(object->map(), *original_map);
       uint32_t entry =
           GetEntryForIndexImpl(isolate, *object, *elements, k, ALL_PROPERTIES);
       if (entry == kMaxUInt32) {
diff --git a/src/3rdparty/chromium/v8/src/elements.h b/src/3rdparty/chromium/v8/src/elements.h
index 9e64764bb0..350264daae 100644
--- a/src/3rdparty/chromium/v8/src/elements.h
+++ b/src/3rdparty/chromium/v8/src/elements.h
@@ -52,7 +52,6 @@ class ElementsAccessor {
 
   virtual Handle<Object> Get(Handle<JSObject> holder, uint32_t entry) = 0;
 
-  virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
   virtual bool HasAccessors(JSObject* holder) = 0;
   virtual uint32_t NumberOfElements(JSObject* holder) = 0;
 
@@ -63,8 +62,6 @@ class ElementsAccessor {
   // element that is non-deletable.
   virtual void SetLength(Handle<JSArray> holder, uint32_t new_length) = 0;
 
-  // Deletes an element in an object.
-  virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
 
   // If kCopyToEnd is specified as the copy_size to CopyElements, it copies all
   // of elements from source after source_start to the destination array.
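Review bot: removing the `Delete` declaration leaves two consecutive blank lines between `SetLength` and the `kCopyToEnd` comment; drop one of them.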
@@ -122,11 +119,6 @@ class ElementsAccessor {
 
   virtual void Set(Handle<JSObject> holder, uint32_t entry, Object* value) = 0;
 
-  virtual void Reconfigure(Handle<JSObject> object,
-                           Handle<FixedArrayBase> backing_store, uint32_t entry,
-                           Handle<Object> value,
-                           PropertyAttributes attributes) = 0;
-
   virtual void Add(Handle<JSObject> object, uint32_t index,
                    Handle<Object> value, PropertyAttributes attributes,
                    uint32_t new_capacity) = 0;
@@ -208,6 +200,15 @@ class ElementsAccessor {
                                     FixedArrayBase* backing_store,
                                     uint32_t index) = 0;
 
+  virtual PropertyDetails GetDetails(JSObject* holder, uint32_t entry) = 0;
+  virtual void Reconfigure(Handle<JSObject> object,
+                           Handle<FixedArrayBase> backing_store, uint32_t entry,
+                           Handle<Object> value,
+                           PropertyAttributes attributes) = 0;
+
+  // Deletes an element in an object.
+  virtual void Delete(Handle<JSObject> holder, uint32_t entry) = 0;
+
   // NOTE: this method violates the handlified function signature convention:
   // raw pointer parameter |source_holder| in the function that allocates.
   // This is done intentionally to avoid ArrayConcat() builtin performance
diff --git a/src/3rdparty/chromium/v8/src/js/intl.js b/src/3rdparty/chromium/v8/src/js/intl.js
index 1579337fc1..7fc137f5c7 100644
--- a/src/3rdparty/chromium/v8/src/js/intl.js
+++ b/src/3rdparty/chromium/v8/src/js/intl.js
@@ -1682,9 +1682,7 @@ function formatDate(formatter, dateValue) {
     dateMs = TO_NUMBER(dateValue);
   }
 
-  if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
-
-  return %InternalDateFormat(formatter, new GlobalDate(dateMs));
+  return %InternalDateFormat(formatter, dateMs);
 }
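Review bot: the removed `new GlobalDate(dateMs)` applied the Date time-clip (fractional milliseconds truncated, |t| above 8.64e15 turned into NaN); now the raw number reaches `%InternalDateFormat`, which only rejects non-finite values, so a finite out-of-range time value such as 1e20 is passed straight to ICU. Confirm the runtime side clips or rejects it, or that ICU's `format` tolerates it, so the JS-side change does not widen the accepted input.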
 
 DEFINE_METHOD(
@@ -1706,9 +1704,7 @@ DEFINE_METHOD(
       dateMs = TO_NUMBER(dateValue);
     }
 
-    if (!NUMBER_IS_FINITE(dateMs)) throw %make_range_error(kDateRange);
-
-    return %InternalDateFormatToParts(this, new GlobalDate(dateMs));
+    return %InternalDateFormatToParts(this, dateMs);
   }
 );
 
diff --git a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
index 4bd6bebdc7..875fd719ef 100644
--- a/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
+++ b/src/3rdparty/chromium/v8/src/runtime/runtime-intl.cc
@@ -7,7 +7,7 @@
 #endif  // V8_INTL_SUPPORT
 
 #include "src/runtime/runtime-utils.h"
-
+#include <cmath>
 #include <memory>
 
 #include "src/api-natives.h"
@@ -247,17 +247,21 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormat) {
   DCHECK_EQ(2, args.length());
 
   CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
-  CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
+  CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
 
-  Handle<Object> value;
-  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
+  double date_value = date->Number();
+  // Check for +-Infinity and Nan
+  if (!std::isfinite(date_value)) {
+    THROW_NEW_ERROR_RETURN_FAILURE(
+        isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
+  }
 
   icu::SimpleDateFormat* date_format =
       DateFormat::UnpackDateFormat(isolate, date_format_holder);
   CHECK_NOT_NULL(date_format);
 
   icu::UnicodeString result;
-  date_format->format(value->Number(), result);
+  date_format->format(date_value, result);
 
   RETURN_RESULT_OR_FAILURE(
       isolate, isolate->factory()->NewStringFromTwoByte(Vector<const uint16_t>(
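Review bot: the error moves from the JS `kDateRange` RangeError to `kInvalidTimeValue` here, which changes the observable message text; check the affected test expectations. Nit: "Nan" in the comment should be "NaN", and the `ToParts` hunk below lacks the same comment. `CONVERT_NUMBER_ARG_HANDLE_CHECKED` plus `date->Number()` is the right replacement for the old `Object::ToNumber` round-trip, since the JS side already applied `TO_NUMBER`.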
@@ -349,10 +353,13 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
   DCHECK_EQ(2, args.length());
 
   CONVERT_ARG_HANDLE_CHECKED(JSObject, date_format_holder, 0);
-  CONVERT_ARG_HANDLE_CHECKED(JSDate, date, 1);
+  CONVERT_NUMBER_ARG_HANDLE_CHECKED(date, 1);
 
-  Handle<Object> value;
-  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, value, Object::ToNumber(date));
+  double date_value = date->Number();
+  if (!std::isfinite(date_value)) {
+    THROW_NEW_ERROR_RETURN_FAILURE(
+        isolate, NewRangeError(MessageTemplate::kInvalidTimeValue));
+  }
 
   icu::SimpleDateFormat* date_format =
       DateFormat::UnpackDateFormat(isolate, date_format_holder);
@@ -362,7 +369,7 @@ RUNTIME_FUNCTION(Runtime_InternalDateFormatToParts) {
   icu::FieldPositionIterator fp_iter;
   icu::FieldPosition fp;
   UErrorCode status = U_ZERO_ERROR;
-  date_format->format(value->Number(), formatted, &fp_iter, status);
+  date_format->format(date_value, formatted, &fp_iter, status);
   if (U_FAILURE(status)) return isolate->heap()->undefined_value();
 
   Handle<JSArray> result = factory->NewJSArray(0);
-- 
2.14.3