Page with a favicon and an icon

Submitted By: Ken Moffat Date: 2021-05-04 Initial Package Version: 20210401-git Upstream Status: Applied Origin: The 5.15 branch of qtwebengine as at 20210503 Description: Consolidated fixes, with various security issues including fixes for: CVE-2021-21233: Heap buffer overflow in ANGLE CVE-2021-21231: Insufficient data validation in V8 CVE-2021-21230: Type Confusion in V8 CVE-2021-21227: Insufficient data validation in V8 CVE-2021-21225: Out of bounds memory access in V8 CVE-2021-21224: Type Confusion in V8 CVE-2021-21223: Integer overflow in Mojo CVE-2021-21222: Heap buffer overflow in V8 CVE-2021-21221: Insufficient validation of untrusted input in Mojo CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64 CVE-2021-21219: Uninitialized Use in PDFium CVE-2021-21218: Uninitialized Use in PDFium CVE-2021-21217: Uninitialized Use in PDFium CVE-2021-21214: Use after free in Network API CVE-2021-21213: Use after free in WebMIDI CVE-2021-21209: Inappropriate implementation in storage CVE-2021-21207: Use after free in IndexedDB CVE-2021-21206: Use after free in Blink CVE-2021-21204: Use after free in Blink. CVE-2021-21203: Use after free in Blink CVE-2021-21202: Use after free in extensions. CVE-2021-21201: Use after free in permissions diff -Naur a/examples/webengine/quicknanobrowser/BrowserWindow.qml b/examples/webengine/quicknanobrowser/BrowserWindow.qml --- a/examples/webengine/quicknanobrowser/BrowserWindow.qml 2021-04-01 15:33:27.000000000 +0100 +++ b/examples/webengine/quicknanobrowser/BrowserWindow.qml 2021-04-30 21:32:18.571697411 +0100 @@ -624,6 +624,18 @@ tabs.currentIndex = tabs.count - 1; request.openIn(tab.item); } + + Timer { + id: hideTimer + interval: 0 + running: false + repeat: false + onTriggered: devToolsEnabled.checked = false + } + onWindowCloseRequested: function(request) { + // Delay hiding for keep the inspectedView set to receive the ACK message of close. + hideTimer.running = true; + } } MessageDialog { id: sslDialog diff -Naur a/examples/webenginewidgets/printme/printhandler.cpp b/examples/webenginewidgets/printme/printhandler.cpp --- a/examples/webenginewidgets/printme/printhandler.cpp 2021-04-01 15:33:27.000000000 +0100 +++ b/examples/webenginewidgets/printme/printhandler.cpp 2021-04-30 21:34:49.539660859 +0100 @@ -107,6 +107,7 @@ return; m_inPrintPreview = true; QPrinter printer; + printer.setResolution(300); QPrintPreviewDialog preview(&printer, m_page->view()); connect(&preview, &QPrintPreviewDialog::paintRequested, this, &PrintHandler::printDocument); diff -Naur a/GIT-VERSIONS b/GIT-VERSIONS --- a/GIT-VERSIONS 2021-04-03 00:30:45.000000000 +0100 +++ b/GIT-VERSIONS 2021-05-04 21:35:42.246620082 +0100 @@ -1,47 +1,31 @@ -This is the 5.15 branch of qtwebengine as at 2021-04-01 +This is the 5.15 branch of qtwebengine as at 2021-05-03 Specifically, the main qt code is at -commit e0b4b9436033e9bc376597ed90dd1fca9cdc90ff (HEAD -> 5.15, origin/5.15) -Author: Michael Brüning -Date: Thu Apr 1 13:32:58 2021 +0200 - - Update Chromium - - Submodule update src/3rdparty 8d49f9a2..d13920f2: - - > [Backport] Security bug 1185482 - > [Backport] Security bug 1161847 - > [Backport] Security bug 1161379 - > [Backport] CVE-2021-21198: Out of bounds read in IPC - > [Backport] CVE-2021-21195: Use after free in V8 - - Task-number: QTBUG-92080 - Change-Id: I638a0fa0285d46736cfbf5406874702bd3600580 - Reviewed-by: Jüri Valdmann +commit a7d3b4cb07dd41ae020bdfa2973096332b9d4396 (HEAD -> 5.15, origin/5.15) +Author: Allan Sandfeld Jensen +Date: Thu Apr 22 10:56:02 2021 +0200 + + Allow leaving OCSP off + + This form of OCSP is not good, so try to at least allow it to be + disabled, until we remove it. + + Fixes: QTBUG-91467 + Change-Id: Ied9e8c4960e6ea1503dea39ebbced2ad1af08d5d + Reviewed-by: Qt CI Bot + Reviewed-by: Peter Varga and the src/3rdparty code is from the 87-based branch at -commit d13920f28c2f3922e0cf793996ea33d02b81a0a4 (HEAD -> 87-based, origin/87-based) -Author: Scott Violet -Date: Tue Mar 23 18:47:22 2021 +0000 +commit 6c7b4ffb3fe19e7c6a2db60ce2d05c3b50c16ffc (HEAD -> 87-based, origin/87-based) +Author: Allan Sandfeld Jensen +Date: Tue Apr 27 15:52:43 2021 +0200 - [Backport] Security bug 1185482 - - Cherry-pick of patch originally reviewed on - https://chromium-review.googlesource.com/c/chromium/src/+/2779886: - x11/ozone: fix two edge cases - - WindowTreeHost::OnHostMovedInPixels() may trigger a nested message - loop (tab dragging), which when the stack unravels means this may - be deleted. This adds an early out if this happens. - - X11WholeScreenMoveLoop has a similar issue, in so far as notifying - the delegate may delete this. - - BUG=1185482 - TEST=WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels + FIXUP: Avoid crashing on new window in cross-origin isolated content - (cherry picked from commit 5e3a738b1204941aab9f15c0eb3d06e20fefd96e) + Wasn't adapted to 87-based. + Change-Id: I2e07bbcf902be226b76e01c44964293574569f16 + Reviewed-by: Michael Brüning diff -Naur a/src/3rdparty/chromium/chrome/common/BUILD.gn b/src/3rdparty/chromium/chrome/common/BUILD.gn --- a/src/3rdparty/chromium/chrome/common/BUILD.gn 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/chrome/common/BUILD.gn 2021-04-30 20:09:19.944733968 +0100 @@ -330,16 +330,19 @@ } if (is_mac) { - assert(enable_extensions) sources += [ - "extensions/image_writer/image_writer_util_mac.cc", - "extensions/image_writer/image_writer_util_mac.h", "mac/launchd.h", "mac/launchd.mm", "mac/service_management.h", "mac/service_management.mm", "multi_process_lock_mac.cc", ] + if (enable_extensions) { + sources += [ + "extensions/image_writer/image_writer_util_mac.cc", + "extensions/image_writer/image_writer_util_mac.h", + ] + } public_deps += [ ":app_mode_app_support" ] } diff -Naur a/src/3rdparty/chromium/components/permissions/permission_manager.cc b/src/3rdparty/chromium/components/permissions/permission_manager.cc --- a/src/3rdparty/chromium/components/permissions/permission_manager.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/components/permissions/permission_manager.cc 2021-04-30 20:11:17.392753946 +0100 @@ -536,14 +536,14 @@ origin->GetURL()); } -int PermissionManager::SubscribePermissionStatusChange( +PermissionManager::SubscriptionId PermissionManager::SubscribePermissionStatusChange( PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) { DCHECK_CURRENTLY_ON(content::BrowserThread::UI); if (is_shutting_down_) - return 0; + return SubscriptionId(); if (subscriptions_.IsEmpty()) PermissionsClient::Get() @@ -580,16 +580,20 @@ subscription->callback = base::BindRepeating(&SubscriptionCallbackWrapper, std::move(callback)); - return subscriptions_.Add(std::move(subscription)); + auto id = subscription_id_generator_.GenerateNextId(); + subscriptions_.AddWithID(std::move(subscription), id); + return id; } -void PermissionManager::UnsubscribePermissionStatusChange(int subscription_id) { +void PermissionManager::UnsubscribePermissionStatusChange( + SubscriptionId subscription_id) { DCHECK_CURRENTLY_ON(content::BrowserThread::UI); if (is_shutting_down_) return; - // Whether |subscription_id| is known will be checked by the Remove() call. - subscriptions_.Remove(subscription_id); + if (subscriptions_.Lookup(subscription_id)) { + subscriptions_.Remove(subscription_id); + } if (subscriptions_.IsEmpty()) { PermissionsClient::Get() diff -Naur a/src/3rdparty/chromium/components/permissions/permission_manager.h b/src/3rdparty/chromium/components/permissions/permission_manager.h --- a/src/3rdparty/chromium/components/permissions/permission_manager.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/components/permissions/permission_manager.h 2021-04-30 20:11:17.392753946 +0100 @@ -114,13 +114,13 @@ bool IsPermissionOverridableByDevTools( content::PermissionType permission, const base::Optional& origin) override; - int SubscribePermissionStatusChange( + SubscriptionId SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) override; - void UnsubscribePermissionStatusChange(int subscription_id) override; + void UnsubscribePermissionStatusChange(SubscriptionId subscription_id) override; // TODO(raymes): Rather than exposing this, use the denial reason from // GetPermissionStatus in callers to determine whether a permission is @@ -153,7 +153,8 @@ class PermissionResponseCallback; struct Subscription; - using SubscriptionsMap = base::IDMap>; + using SubscriptionsMap = + base::IDMap, SubscriptionId>; PermissionContextBase* GetPermissionContext(ContentSettingsType type); @@ -186,6 +187,7 @@ content::BrowserContext* browser_context_; PendingRequestsMap pending_requests_; SubscriptionsMap subscriptions_; + SubscriptionId::Generator subscription_id_generator_; PermissionContextMap permission_contexts_; using ContentSettingsTypeOverrides = diff -Naur a/src/3rdparty/chromium/content/browser/appcache/appcache_backfillers.cc b/src/3rdparty/chromium/content/browser/appcache/appcache_backfillers.cc --- a/src/3rdparty/chromium/content/browser/appcache/appcache_backfillers.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/appcache/appcache_backfillers.cc 2021-04-30 21:19:25.173851255 +0100 @@ -7,7 +7,7 @@ #include "content/browser/appcache/appcache_update_job.h" #include "net/http/http_request_headers.h" #include "sql/statement.h" -#include "storage/browser/quota/padding_key.h" +#include "storage/common/quota/padding_key.h" #include "url/gurl.h" namespace content { @@ -18,9 +18,7 @@ std::string manifest_url) { if (GURL(response_url).GetOrigin() == GURL(manifest_url).GetOrigin()) return 0; - return storage::ComputeResponsePadding( - response_url, storage::GetDefaultPaddingKey(), /*has_metadata=*/false, - /*loaded_with_credentials=*/false, net::HttpRequestHeaders::kGetMethod); + return storage::ComputeRandomResponsePadding(); } // Iterates over each Cache record; execute |callable| on each iteration. diff -Naur a/src/3rdparty/chromium/content/browser/appcache/appcache_database.cc b/src/3rdparty/chromium/content/browser/appcache/appcache_database.cc --- a/src/3rdparty/chromium/content/browser/appcache/appcache_database.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/appcache/appcache_database.cc 2021-04-30 21:19:25.173851255 +0100 @@ -19,7 +19,6 @@ #include "sql/meta_table.h" #include "sql/statement.h" #include "sql/transaction.h" -#include "storage/browser/quota/padding_key.h" #include "third_party/blink/public/common/features.h" namespace content { diff -Naur a/src/3rdparty/chromium/content/browser/appcache/appcache_update_job.cc b/src/3rdparty/chromium/content/browser/appcache/appcache_update_job.cc --- a/src/3rdparty/chromium/content/browser/appcache/appcache_update_job.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/appcache/appcache_update_job.cc 2021-04-30 21:19:25.173851255 +0100 @@ -26,7 +26,7 @@ #include "net/base/net_errors.h" #include "net/base/request_priority.h" #include "net/http/http_request_headers.h" -#include "storage/browser/quota/padding_key.h" +#include "storage/common/quota/padding_key.h" #include "third_party/blink/public/common/features.h" #include "third_party/blink/public/mojom/appcache/appcache.mojom.h" #include "third_party/blink/public/mojom/devtools/console_message.mojom.h" @@ -207,10 +207,7 @@ if (response_url.GetOrigin() == manifest_url.GetOrigin()) return 0; - return storage::ComputeResponsePadding( - response_url.spec(), storage::GetDefaultPaddingKey(), - /*has_metadata=*/false, /*loaded_with_credentials=*/false, - net::HttpRequestHeaders::kGetMethod); + return storage::ComputeRandomResponsePadding(); } } // namespace diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_histogram_utils.h b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_histogram_utils.h --- a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_histogram_utils.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_histogram_utils.h 2021-04-30 21:19:25.174852986 +0100 @@ -37,7 +37,8 @@ kCreateBackendDidCreateFailed = 22, kStorageGetAllMatchedEntriesBackendClosed = 23, kStorageHandleNull = 24, - kMaxValue = kStorageHandleNull, + kWriteSideDataDidWriteMetadataWrongBytes = 25, + kMaxValue = kWriteSideDataDidWriteMetadataWrongBytes, }; blink::mojom::CacheStorageError MakeErrorStorage(ErrorStorageType type); diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.cc b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.cc --- a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.cc 2021-04-30 21:19:46.382508156 +0100 @@ -11,8 +11,7 @@ CacheStorageIndex::CacheStorageIndex() : doomed_cache_metadata_("", CacheStorage::kSizeUnknown, - CacheStorage::kSizeUnknown, - "") { + CacheStorage::kSizeUnknown) { ClearDoomedCache(); } diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.h b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.h --- a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage_index.h 2021-04-30 21:19:46.382508156 +0100 @@ -21,11 +21,8 @@ class CONTENT_EXPORT CacheStorageIndex { public: struct CacheMetadata { - CacheMetadata(const std::string& name, - int64_t size, - int64_t padding, - const std::string& padding_key) - : name(name), size(size), padding(padding), padding_key(padding_key) {} + CacheMetadata(const std::string& name, int64_t size, int64_t padding) + : name(name), size(size), padding(padding) {} std::string name; // The size (in bytes) of the cache. Set to CacheStorage::kSizeUnknown if // size not known. @@ -35,9 +32,6 @@ // if padding not known. int64_t padding; - // The raw key used to calculate padding for some cache entries. - std::string padding_key; - // The algorithm version used to calculate this padding. int32_t padding_version; }; diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage.proto b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage.proto --- a/src/3rdparty/chromium/content/browser/cache_storage/cache_storage.proto 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/cache_storage.proto 2021-04-30 21:20:05.693885817 +0100 @@ -13,7 +13,7 @@ required string name = 1; optional string cache_dir = 2; optional int64 size = 3; - optional string padding_key = 4; + optional string padding_key = 4 [deprecated = true]; optional int64 padding = 5; optional int32 padding_version = 6; } @@ -49,13 +49,15 @@ optional int64 response_time = 6; repeated string cors_exposed_header_names = 7; repeated string url_list = 8; - optional bool loaded_with_credentials = 9; + optional bool loaded_with_credentials = 9 [deprecated = true]; // Mapped to net::HttpResponseInfo::ConnectionInfo via static casting. optional int32 connection_info = 10; optional string alpn_negotiated_protocol = 11; optional bool was_fetched_via_spdy = 12; optional string mime_type = 13; optional string request_method = 14; + optional int64 padding = 15; + optional int64 side_data_padding = 16; } message CacheMetadata { diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.cc b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.cc --- a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.cc 2021-04-30 21:20:05.693885817 +0100 @@ -53,8 +53,8 @@ #include "net/http/http_status_code.h" #include "services/network/public/mojom/fetch_api.mojom.h" #include "storage/browser/blob/blob_storage_context.h" -#include "storage/browser/quota/padding_key.h" #include "storage/browser/quota/quota_manager_proxy.h" +#include "storage/common/quota/padding_key.h" #include "third_party/blink/public/common/cache_storage/cache_storage_utils.h" #include "third_party/blink/public/common/fetch/fetch_api_request_headers_map.h" #include "third_party/blink/public/mojom/loader/referrer.mojom.h" @@ -79,7 +79,8 @@ // // 1: Uniform random 400K. // 2: Uniform random 14,431K. -const int32_t kCachePaddingAlgorithmVersion = 2; +// 3: FetchAPIResponse.padding and separate side data padding. +const int32_t kCachePaddingAlgorithmVersion = 3; // Maximum number of recursive QueryCacheOpenNextEntry() calls we permit // before forcing an asynchronous task. @@ -374,6 +375,14 @@ std::move(callback).Run(std::move(metadata)); } +bool ShouldPadResourceSize(const content::proto::CacheResponse* response) { + return storage::ShouldPadResponseType( + ProtoResponseTypeToFetchResponseType(response->response_type())); +} +bool ShouldPadResourceSize(const blink::mojom::FetchAPIResponse& response) { + return storage::ShouldPadResponseType(response.response_type); +} + blink::mojom::FetchAPIRequestPtr CreateRequest( const proto::CacheMetadata& metadata, const GURL& request_url) { @@ -394,6 +403,7 @@ } blink::mojom::FetchAPIResponsePtr CreateResponse( + const url::Origin& origin, const proto::CacheMetadata& metadata, const std::string& cache_name) { // We no longer support Responses with only a single URL entry. This field @@ -427,6 +437,15 @@ if (metadata.response().has_request_method()) request_method = metadata.response().request_method(); + auto response_time = + base::Time::FromInternalValue(metadata.response().response_time()); + int64_t padding = 0; + if (metadata.response().has_padding()) { + padding = metadata.response().padding(); + } else if (ShouldPadResourceSize(&metadata.response())) { + padding = storage::ComputeRandomResponsePadding(); + } + // Note that |has_range_requested| can be safely set to false since it only // affects HTTP 206 (Partial) responses, which are blocked from cache storage. // See https://fetch.spec.whatwg.org/#main-fetch for usage of @@ -435,10 +454,9 @@ url_list, metadata.response().status_code(), metadata.response().status_text(), ProtoResponseTypeToFetchResponseType(metadata.response().response_type()), - network::mojom::FetchResponseSource::kCacheStorage, headers, mime_type, - request_method, nullptr /* blob */, - blink::mojom::ServiceWorkerResponseError::kUnknown, - base::Time::FromInternalValue(metadata.response().response_time()), + padding, network::mojom::FetchResponseSource::kCacheStorage, headers, + mime_type, request_method, /*blob=*/nullptr, + blink::mojom::ServiceWorkerResponseError::kUnknown, response_time, cache_name, std::vector( metadata.response().cors_exposed_header_names().begin(), @@ -448,55 +466,28 @@ // Default proto value of 0 maps to CONNECTION_INFO_UNKNOWN. static_cast( metadata.response().connection_info()), - alpn_negotiated_protocol, metadata.response().loaded_with_credentials(), - metadata.response().was_fetched_via_spdy(), - /* has_range_requested */ false); -} - -// The size of opaque (non-cors) resource responses are padded in order -// to obfuscate their actual size. -bool ShouldPadResponseType(network::mojom::FetchResponseType response_type, - bool has_urls) { - switch (response_type) { - case network::mojom::FetchResponseType::kBasic: - case network::mojom::FetchResponseType::kCors: - case network::mojom::FetchResponseType::kDefault: - case network::mojom::FetchResponseType::kError: - return false; - case network::mojom::FetchResponseType::kOpaque: - case network::mojom::FetchResponseType::kOpaqueRedirect: - return has_urls; - } - NOTREACHED(); - return false; -} - -bool ShouldPadResourceSize(const content::proto::CacheResponse* response) { - return ShouldPadResponseType( - ProtoResponseTypeToFetchResponseType(response->response_type()), - response->url_list_size()); -} - -bool ShouldPadResourceSize(const blink::mojom::FetchAPIResponse& response) { - return ShouldPadResponseType(response.response_type, - !response.url_list.empty()); + alpn_negotiated_protocol, metadata.response().was_fetched_via_spdy(), + /*has_range_requested=*/false); } - -int64_t CalculateResponsePaddingInternal( +int64_t CalculateSideDataPadding( + const url::Origin& origin, const ::content::proto::CacheResponse* response, - const crypto::SymmetricKey* padding_key, int side_data_size) { DCHECK(ShouldPadResourceSize(response)); DCHECK_GE(side_data_size, 0); + + if (!side_data_size) + return 0; + // Fallback to random padding if this is for an older entry without + // a url list or request method. + if (response->url_list_size() == 0 || !response->has_request_method()) + return storage::ComputeRandomResponsePadding(); + const std::string& url = response->url_list(response->url_list_size() - 1); - bool loaded_with_credentials = response->has_loaded_with_credentials() && - response->loaded_with_credentials(); - const std::string& request_method = response->has_request_method() - ? response->request_method() - : net::HttpRequestHeaders::kGetMethod; - return storage::ComputeResponsePadding(url, padding_key, side_data_size > 0, - loaded_with_credentials, - request_method); + const base::Time response_time = + base::Time::FromInternalValue(response->response_time()); + return storage::ComputeStableResponsePadding( + origin, url, response_time, response->request_method(), side_data_size); } net::RequestPriority GetDiskCachePriority( @@ -508,12 +499,19 @@ } // namespace struct LegacyCacheStorageCache::QueryCacheResult { - explicit QueryCacheResult(base::Time entry_time) : entry_time(entry_time) {} + QueryCacheResult(base::Time entry_time, + int64_t padding, + int64_t side_data_padding) + : entry_time(entry_time), + padding(padding), + side_data_padding(side_data_padding) {} blink::mojom::FetchAPIRequestPtr request; blink::mojom::FetchAPIResponsePtr response; disk_cache::ScopedEntryPtr entry; base::Time entry_time; + int64_t padding = 0; + int64_t side_data_padding = 0; }; struct LegacyCacheStorageCache::QueryCacheContext { @@ -555,13 +553,12 @@ LegacyCacheStorage* cache_storage, scoped_refptr scheduler_task_runner, scoped_refptr quota_manager_proxy, - scoped_refptr blob_storage_context, - std::unique_ptr cache_padding_key) { + scoped_refptr blob_storage_context) { LegacyCacheStorageCache* cache = new LegacyCacheStorageCache( origin, owner, cache_name, base::FilePath(), cache_storage, std::move(scheduler_task_runner), std::move(quota_manager_proxy), - std::move(blob_storage_context), 0 /* cache_size */, - 0 /* cache_padding */, std::move(cache_padding_key)); + std::move(blob_storage_context), /*cache_size=*/0, + /*cache_padding=*/0); cache->SetObserver(cache_storage); cache->InitBackend(); return base::WrapUnique(cache); @@ -579,13 +576,11 @@ scoped_refptr quota_manager_proxy, scoped_refptr blob_storage_context, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key) { + int64_t cache_padding) { LegacyCacheStorageCache* cache = new LegacyCacheStorageCache( origin, owner, cache_name, path, cache_storage, std::move(scheduler_task_runner), std::move(quota_manager_proxy), - std::move(blob_storage_context), cache_size, cache_padding, - std::move(cache_padding_key)); + std::move(blob_storage_context), cache_size, cache_padding); cache->SetObserver(cache_storage); cache->InitBackend(); return base::WrapUnique(cache); @@ -1031,8 +1026,7 @@ scoped_refptr quota_manager_proxy, scoped_refptr blob_storage_context, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key) + int64_t cache_padding) : origin_(origin), owner_(owner), cache_name_(cache_name), @@ -1044,7 +1038,6 @@ scheduler_task_runner_)), cache_size_(cache_size), cache_padding_(cache_padding), - cache_padding_key_(std::move(cache_padding_key)), max_query_size_bytes_(kMaxQueryCacheResultBytes), cache_observer_(nullptr), cache_entry_handler_( @@ -1054,7 +1047,6 @@ memory_only_(path.empty()) { DCHECK(!origin_.opaque()); DCHECK(quota_manager_proxy_.get()); - DCHECK(cache_padding_key_.get()); if (cache_size_ != CacheStorage::kSizeUnknown && cache_padding_ != CacheStorage::kSizeUnknown) { @@ -1248,17 +1240,40 @@ return; } + // Check for older cache entries that need to be padded, but don't + // have any padding stored in the entry. Upgrade these entries + // as we encounter them. This method will be re-entered once the + // new paddings are written back to disk. + if (ShouldPadResourceSize(&metadata->response()) && + !metadata->response().has_padding()) { + QueryCacheUpgradePadding(std::move(query_cache_context), std::move(entry), + std::move(metadata)); + return; + } + // If the entry was created before we started adding entry times, then // default to using the Response object's time for sorting purposes. int64_t entry_time = metadata->has_entry_time() ? metadata->entry_time() : metadata->response().response_time(); - query_cache_context->matches->push_back( - QueryCacheResult(base::Time::FromInternalValue(entry_time))); + // Note, older entries that don't require padding may still not have + // a padding value since we don't pay the cost to upgrade these entries. + // Treat these as a zero padding. + int64_t padding = + metadata->response().has_padding() ? metadata->response().padding() : 0; + int64_t side_data_padding = metadata->response().has_side_data_padding() + ? metadata->response().side_data_padding() + : 0; + + DCHECK(!ShouldPadResourceSize(&metadata->response()) || + (padding + side_data_padding)); + + query_cache_context->matches->push_back(QueryCacheResult( + base::Time::FromInternalValue(entry_time), padding, side_data_padding)); QueryCacheResult* match = &query_cache_context->matches->back(); match->request = CreateRequest(*metadata, GURL(entry->GetKey())); - match->response = CreateResponse(*metadata, cache_name_); + match->response = CreateResponse(origin_, *metadata, cache_name_); if (!match->response) { entry->Doom(); @@ -1320,6 +1335,49 @@ QueryCacheOpenNextEntry(std::move(query_cache_context)); } +void LegacyCacheStorageCache::QueryCacheUpgradePadding( + std::unique_ptr query_cache_context, + disk_cache::ScopedEntryPtr entry, + std::unique_ptr metadata) { + DCHECK(ShouldPadResourceSize(&metadata->response())); + // This should only be called while initializing because the padding + // version change should trigger an immediate query of all resources + // to recompute padding. + DCHECK(initializing_); + auto* response = metadata->mutable_response(); + response->set_padding(storage::ComputeRandomResponsePadding()); + response->set_side_data_padding(CalculateSideDataPadding( + origin_, response, entry->GetDataSize(INDEX_SIDE_DATA))); + // Get a temporary copy of the entry and metadata pointers before moving them + // into base::BindOnce. + disk_cache::Entry* temp_entry_ptr = entry.get(); + auto* temp_metadata_ptr = metadata.get(); + WriteMetadata( + temp_entry_ptr, *temp_metadata_ptr, + base::BindOnce( + [](base::WeakPtr self, + std::unique_ptr query_cache_context, + disk_cache::ScopedEntryPtr entry, + std::unique_ptr metadata, int expected_bytes, + int rv) { + if (!self) + return; + if (expected_bytes != rv) { + entry->Doom(); + self->QueryCacheOpenNextEntry(std::move(query_cache_context)); + return; + } + // We must have a padding here in order to avoid infinite + // recursion. + DCHECK(metadata->response().has_padding()); + self->QueryCacheDidReadMetadata(std::move(query_cache_context), + std::move(entry), + std::move(metadata)); + }, + weak_ptr_factory_.GetWeakPtr(), std::move(query_cache_context), + std::move(entry), std::move(metadata))); +} + // static bool LegacyCacheStorageCache::QueryCacheResultCompare( const QueryCacheResult& lhs, @@ -1346,26 +1404,6 @@ } // static -int64_t LegacyCacheStorageCache::CalculateResponsePadding( - const blink::mojom::FetchAPIResponse& response, - const crypto::SymmetricKey* padding_key, - int side_data_size) { - DCHECK_GE(side_data_size, 0); - if (!ShouldPadResourceSize(response)) - return 0; - // Going forward we should always have a request method here since its - // impossible to create a no-cors Response via the constructor. We must - // handle a missing method, however, since we may get a Response loaded - // from an old cache_storage instance without the data. - std::string request_method = response.request_method.has_value() - ? response.request_method.value() - : net::HttpRequestHeaders::kGetMethod; - return storage::ComputeResponsePadding( - response.url_list.back().spec(), padding_key, side_data_size > 0, - response.loaded_with_credentials, request_method); -} - -// static int32_t LegacyCacheStorageCache::GetResponsePaddingVersion() { return kCachePaddingAlgorithmVersion; } @@ -1458,6 +1496,38 @@ std::move(out_responses)); } +void LegacyCacheStorageCache::WriteMetadata( + disk_cache::Entry* entry, + const proto::CacheMetadata& metadata, + WriteMetadataCallback callback) { + std::unique_ptr serialized = std::make_unique(); + if (!metadata.SerializeToString(serialized.get())) { + std::move(callback).Run(0, -1); + return; + } + + scoped_refptr buffer = + base::MakeRefCounted(std::move(serialized)); + + auto callback_with_expected_bytes = base::BindOnce( + [](WriteMetadataCallback callback, int expected_bytes, int rv) { + std::move(callback).Run(expected_bytes, rv); + }, + std::move(callback), buffer->size()); + + // Create a callback that is copyable, even though it can only be called once. + net::CompletionRepeatingCallback adapted_callback = + base::AdaptCallbackForRepeating(std::move(callback_with_expected_bytes)); + + DCHECK(scheduler_->IsRunningExclusiveOperation()); + int rv = + entry->WriteData(INDEX_HEADERS, /*offset=*/0, buffer.get(), + buffer->size(), adapted_callback, /*truncate=*/true); + + if (rv != net::ERR_IO_PENDING) + std::move(adapted_callback).Run(rv); +} + void LegacyCacheStorageCache::WriteSideDataDidGetQuota( ErrorCallback callback, const GURL& url, @@ -1576,19 +1646,13 @@ if (!headers || headers->response().response_time() != expected_response_time.ToInternalValue()) { WriteSideDataComplete(std::move(callback), std::move(entry), + /*padding=*/0, /*side_data_padding=*/0, CacheStorageError::kErrorNotFound); return; } // Get a temporary copy of the entry pointer before passing it in base::Bind. disk_cache::Entry* temp_entry_ptr = entry.get(); - std::unique_ptr response( - headers->release_response()); - - int side_data_size_before_write = 0; - if (ShouldPadResourceSize(response.get())) - side_data_size_before_write = entry->GetDataSize(INDEX_SIDE_DATA); - // Create a callback that is copyable, even though it can only be called once. // BindRepeating() cannot be used directly because |callback|, |entry| and // |response| are not copyable. @@ -1596,7 +1660,7 @@ base::AdaptCallbackForRepeating(base::BindOnce( &LegacyCacheStorageCache::WriteSideDataDidWrite, weak_ptr_factory_.GetWeakPtr(), std::move(callback), std::move(entry), - buf_len, std::move(response), side_data_size_before_write, trace_id)); + buf_len, std::move(headers), trace_id)); DCHECK(scheduler_->IsRunningExclusiveOperation()); int rv = temp_entry_ptr->WriteData( @@ -1611,8 +1675,7 @@ ErrorCallback callback, ScopedWritableEntry entry, int expected_bytes, - std::unique_ptr<::content::proto::CacheResponse> response, - int side_data_size_before_write, + std::unique_ptr<::content::proto::CacheMetadata> metadata, int64_t trace_id, int rv) { TRACE_EVENT_WITH_FLOW0("CacheStorage", @@ -1620,31 +1683,67 @@ TRACE_ID_GLOBAL(trace_id), TRACE_EVENT_FLAG_FLOW_IN); if (rv != expected_bytes) { WriteSideDataComplete(std::move(callback), std::move(entry), + /*padding=*/0, /*side_data_padding=*/0, CacheStorageError::kErrorStorage); return; } - if (ShouldPadResourceSize(response.get())) { - cache_padding_ -= CalculateResponsePaddingInternal( - response.get(), cache_padding_key_.get(), side_data_size_before_write); + auto* response = metadata->mutable_response(); - cache_padding_ += CalculateResponsePaddingInternal( - response.get(), cache_padding_key_.get(), rv); + if (ShouldPadResourceSize(response)) { + cache_padding_ -= response->side_data_padding(); + + response->set_side_data_padding( + CalculateSideDataPadding(origin_, response, rv)); + cache_padding_ += response->side_data_padding(); + + // Get a temporary copy of the entry pointer before passing it in + // base::Bind. + disk_cache::Entry* temp_entry_ptr = entry.get(); + + WriteMetadata( + temp_entry_ptr, *metadata, + base::BindOnce(&LegacyCacheStorageCache::WriteSideDataDidWriteMetadata, + weak_ptr_factory_.GetWeakPtr(), std::move(callback), + std::move(entry), response->padding(), + response->side_data_padding())); + return; } WriteSideDataComplete(std::move(callback), std::move(entry), + response->padding(), response->side_data_padding(), CacheStorageError::kSuccess); } +void LegacyCacheStorageCache::WriteSideDataDidWriteMetadata( + ErrorCallback callback, + ScopedWritableEntry entry, + int64_t padding, + int64_t side_data_padding, + int expected_bytes, + int rv) { + auto result = blink::mojom::CacheStorageError::kSuccess; + if (rv != expected_bytes) { + result = MakeErrorStorage( + ErrorStorageType::kWriteSideDataDidWriteMetadataWrongBytes); + } + WriteSideDataComplete(std::move(callback), std::move(entry), padding, + side_data_padding, result); +} + void LegacyCacheStorageCache::WriteSideDataComplete( ErrorCallback callback, ScopedWritableEntry entry, + int64_t padding, + int64_t side_data_padding, blink::mojom::CacheStorageError error) { if (error != CacheStorageError::kSuccess) { // If we found the entry, then we possibly wrote something and now we're // dooming the entry, causing a change in size, so update the size before // returning. if (error != CacheStorageError::kErrorNotFound) { + entry.reset(); + cache_padding_ -= (padding + side_data_padding); UpdateCacheSize(base::BindOnce(std::move(callback), error)); return; } @@ -1810,8 +1909,6 @@ put_context->response->response_type)); for (const auto& url : put_context->response->url_list) response_metadata->add_url_list(url.spec()); - response_metadata->set_loaded_with_credentials( - put_context->response->loaded_with_credentials); response_metadata->set_connection_info( put_context->response->connection_info); response_metadata->set_alpn_negotiated_protocol( @@ -1838,40 +1935,33 @@ for (const auto& header : put_context->response->cors_exposed_header_names) response_metadata->add_cors_exposed_header_names(header); - std::unique_ptr serialized(new std::string()); - if (!metadata.SerializeToString(serialized.get())) { - PutComplete( - std::move(put_context), - MakeErrorStorage(ErrorStorageType::kMetadataSerializationFailed)); - return; + DCHECK(!ShouldPadResourceSize(*put_context->response) || + put_context->response->padding); + response_metadata->set_padding(put_context->response->padding); + + int64_t side_data_padding = 0; + if (ShouldPadResourceSize(*put_context->response) && + put_context->side_data_blob) { + side_data_padding = CalculateSideDataPadding( + origin_, response_metadata, put_context->side_data_blob_size); } - - scoped_refptr buffer = - base::MakeRefCounted(std::move(serialized)); + response_metadata->set_side_data_padding(side_data_padding); // Get a temporary copy of the entry pointer before passing it in base::Bind. disk_cache::Entry* temp_entry_ptr = put_context->cache_entry.get(); - // Create a callback that is copyable, even though it can only be called once. - // BindRepeating() cannot be used directly because |put_context| is not - // copyable. - net::CompletionRepeatingCallback write_headers_callback = - base::AdaptCallbackForRepeating( - base::BindOnce(&LegacyCacheStorageCache::PutDidWriteHeaders, - weak_ptr_factory_.GetWeakPtr(), std::move(put_context), - buffer->size())); - - DCHECK(scheduler_->IsRunningExclusiveOperation()); - rv = temp_entry_ptr->WriteData(INDEX_HEADERS, 0 /* offset */, buffer.get(), - buffer->size(), write_headers_callback, - true /* truncate */); - - if (rv != net::ERR_IO_PENDING) - std::move(write_headers_callback).Run(rv); + WriteMetadata( + temp_entry_ptr, metadata, + base::BindOnce(&LegacyCacheStorageCache::PutDidWriteHeaders, + weak_ptr_factory_.GetWeakPtr(), std::move(put_context), + response_metadata->padding(), + response_metadata->side_data_padding())); } void LegacyCacheStorageCache::PutDidWriteHeaders( std::unique_ptr put_context, + int64_t padding, + int64_t side_data_padding, int expected_bytes, int rv) { TRACE_EVENT_WITH_FLOW0("CacheStorage", @@ -1887,11 +1977,9 @@ return; } - if (ShouldPadResourceSize(*put_context->response)) { - cache_padding_ += CalculateResponsePadding(*put_context->response, - cache_padding_key_.get(), - 0 /* side_data_size */); - } + DCHECK(!ShouldPadResourceSize(*put_context->response) || + (padding + side_data_padding)); + cache_padding_ += padding + side_data_padding; PutWriteBlobToCache(std::move(put_context), INDEX_RESPONSE_BODY); } @@ -2075,12 +2163,9 @@ int64_t cache_padding = 0; if (error == CacheStorageError::kSuccess) { for (const auto& result : *query_cache_results) { - if (ShouldPadResourceSize(*result.response)) { - int32_t side_data_size = - result.entry ? result.entry->GetDataSize(INDEX_SIDE_DATA) : 0; - cache_padding += CalculateResponsePadding( - *result.response, cache_padding_key_.get(), side_data_size); - } + DCHECK(!ShouldPadResourceSize(*result.response) || + (result.padding + result.side_data_padding)); + cache_padding += result.padding + result.side_data_padding; } } @@ -2281,9 +2366,9 @@ for (auto& result : *query_cache_results) { disk_cache::ScopedEntryPtr entry = std::move(result.entry); if (ShouldPadResourceSize(*result.response)) { - cache_padding_ -= - CalculateResponsePadding(*result.response, cache_padding_key_.get(), - entry->GetDataSize(INDEX_SIDE_DATA)); + DCHECK(!ShouldPadResourceSize(*result.response) || + (result.padding + result.side_data_padding)); + cache_padding_ -= (result.padding + result.side_data_padding); } entry->Doom(); } diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.h b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.h --- a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage_cache.h 2021-04-30 21:19:46.383509887 +0100 @@ -28,10 +28,6 @@ #include "third_party/blink/public/mojom/quota/quota_types.mojom.h" #include "url/origin.h" -namespace crypto { -class SymmetricKey; -} - namespace storage { class QuotaManagerProxy; } // namespace storage @@ -47,7 +43,6 @@ namespace proto { class CacheMetadata; -class CacheResponse; } // namespace proto namespace cache_storage_cache_unittest { @@ -69,8 +64,7 @@ LegacyCacheStorage* cache_storage, scoped_refptr scheduler_task_runner, scoped_refptr quota_manager_proxy, - scoped_refptr blob_storage_context, - std::unique_ptr cache_padding_key); + scoped_refptr blob_storage_context); static std::unique_ptr CreatePersistentCache( const url::Origin& origin, CacheStorageOwner owner, @@ -81,12 +75,7 @@ scoped_refptr quota_manager_proxy, scoped_refptr blob_storage_context, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key); - static int64_t CalculateResponsePadding( - const blink::mojom::FetchAPIResponse& response, - const crypto::SymmetricKey* padding_key, - int side_data_size); + int64_t cache_padding); static int32_t GetResponsePaddingVersion(); void Match(blink::mojom::FetchAPIRequestPtr request, @@ -147,11 +136,15 @@ // will exit early. Close should only be called once per CacheStorageCache. void Close(base::OnceClosure callback); - // The size of the cache's contents. + // The size of the cache's contents. The callback reports the padded + // size. If you want the unpadded size you may call the cache_size() + // getter method on the cache object when the callback is invoked; the + // getter will have an up-to-date value at that point. void Size(SizeCallback callback); // Gets the cache's size, closes the backend, and then runs |callback| with - // the cache's size. + // the cache's size. As per the comment for Size(), this also returns the + // padded size. void GetSizeThenClose(SizeCallback callback); void Put(blink::mojom::FetchAPIRequestPtr request, @@ -177,10 +170,6 @@ int64_t cache_padding() const { return cache_padding_; } - const crypto::SymmetricKey* cache_padding_key() const { - return cache_padding_key_.get(); - } - // Return the total cache size (actual size + padding). If either is unknown // then CacheStorage::kSizeUnknown is returned. int64_t PaddedCacheSize() const; @@ -252,8 +241,7 @@ scoped_refptr quota_manager_proxy, scoped_refptr blob_storage_context, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key); + int64_t cache_padding); // Runs |callback| with matching requests/response data. The data provided // in the QueryCacheResults depends on the |query_type|. If |query_type| is @@ -278,6 +266,10 @@ std::unique_ptr query_cache_context, disk_cache::ScopedEntryPtr entry, std::unique_ptr metadata); + void QueryCacheUpgradePadding( + std::unique_ptr query_cache_context, + disk_cache::ScopedEntryPtr entry, + std::unique_ptr metadata); static bool QueryCacheResultCompare(const QueryCacheResult& lhs, const QueryCacheResult& rhs); static size_t EstimatedResponseSizeWithoutBlob( @@ -306,6 +298,13 @@ blink::mojom::CacheStorageError error, std::unique_ptr query_cache_results); + // Utility method to write metadata headers to an entry. + using WriteMetadataCallback = + base::OnceCallback; + void WriteMetadata(disk_cache::Entry* entry, + const proto::CacheMetadata& metadata, + WriteMetadataCallback callback); + // WriteSideData callbacks void WriteSideDataDidGetQuota(ErrorCallback callback, const GURL& url, @@ -351,12 +350,19 @@ ErrorCallback callback, ScopedWritableEntry entry, int expected_bytes, - std::unique_ptr response, - int side_data_size_before_write, + std::unique_ptr metadata, int64_t trace_id, int rv); + void WriteSideDataDidWriteMetadata(ErrorCallback callback, + ScopedWritableEntry entry, + int64_t padding, + int64_t side_data_padding, + int expected_bytes, + int rv); void WriteSideDataComplete(ErrorCallback callback, ScopedWritableEntry entry, + int64_t padding, + int64_t side_data_padding, blink::mojom::CacheStorageError error); // Puts the request and response object in the cache. The response body (if @@ -375,6 +381,8 @@ void PutDidCreateEntry(std::unique_ptr put_context, disk_cache::EntryResult result); void PutDidWriteHeaders(std::unique_ptr put_context, + int64_t padding, + int64_t side_data_padding, int expected_bytes, int rv); void PutWriteBlobToCache(std::unique_ptr put_context, @@ -529,7 +537,6 @@ // The actual cache size (not including padding). int64_t cache_size_; int64_t cache_padding_ = 0; - std::unique_ptr cache_padding_key_; int64_t last_reported_size_ = 0; size_t max_query_size_bytes_; size_t handle_ref_count_ = 0; diff -Naur a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage.cc b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage.cc --- a/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/cache_storage/legacy/legacy_cache_storage.cc 2021-04-30 21:19:46.382508156 +0100 @@ -46,7 +46,6 @@ #include "net/base/directory_lister.h" #include "net/base/net_errors.h" #include "storage/browser/blob/blob_storage_context.h" -#include "storage/browser/quota/padding_key.h" #include "storage/browser/quota/quota_manager_proxy.h" #include "third_party/blink/public/mojom/quota/quota_types.mojom.h" @@ -117,8 +116,7 @@ virtual std::unique_ptr CreateCache( const std::string& cache_name, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key) = 0; + int64_t cache_padding) = 0; // Deletes any pre-existing cache of the same name and then loads it. virtual void PrepareNewCacheDestination(const std::string& cache_name, @@ -186,19 +184,16 @@ std::unique_ptr CreateCache( const std::string& cache_name, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key) override { + int64_t cache_padding) override { return LegacyCacheStorageCache::CreateMemoryCache( origin_, owner_, cache_name, cache_storage_, scheduler_task_runner_, - quota_manager_proxy_, blob_storage_context_, - storage::CopyDefaultPaddingKey()); + quota_manager_proxy_, blob_storage_context_); } void PrepareNewCacheDestination(const std::string& cache_name, CacheAndErrorCallback callback) override { std::unique_ptr cache = - CreateCache(cache_name, 0 /*cache_size*/, 0 /* cache_padding */, - storage::CopyDefaultPaddingKey()); + CreateCache(cache_name, /*cache_size=*/0, /*cache_padding=*/0); std::move(callback).Run(std::move(cache), CacheStorageError::kSuccess); } @@ -259,8 +254,7 @@ std::unique_ptr CreateCache( const std::string& cache_name, int64_t cache_size, - int64_t cache_padding, - std::unique_ptr cache_padding_key) override { + int64_t cache_padding) override { DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); DCHECK(base::Contains(cache_name_to_cache_dir_, cache_name)); @@ -269,7 +263,7 @@ return LegacyCacheStorageCache::CreatePersistentCache( origin_, owner_, cache_name, cache_storage_, cache_path, scheduler_task_runner_, quota_manager_proxy_, blob_storage_context_, - cache_size, cache_padding, std::move(cache_padding_key)); + cache_size, cache_padding); } void PrepareNewCacheDestination(const std::string& cache_name, @@ -324,8 +318,7 @@ cache_name_to_cache_dir_[cache_name] = cache_dir; std::move(callback).Run( CreateCache(cache_name, LegacyCacheStorage::kSizeUnknown, - LegacyCacheStorage::kSizeUnknown, - storage::CopyDefaultPaddingKey()), + LegacyCacheStorage::kSizeUnknown), CacheStorageError::kSuccess); } @@ -371,7 +364,6 @@ index_cache->clear_size(); else index_cache->set_size(cache_metadata.size); - index_cache->set_padding_key(cache_metadata.padding_key); index_cache->set_padding(cache_metadata.padding); index_cache->set_padding_version( LegacyCacheStorageCache::GetResponsePaddingVersion()); @@ -449,13 +441,8 @@ cache_padding = LegacyCacheStorage::kSizeUnknown; } - std::string cache_padding_key = - cache.has_padding_key() ? cache.padding_key() - : storage::SerializeDefaultPaddingKey(); - - index->Insert(CacheStorageIndex::CacheMetadata( - cache.name(), cache_size, cache_padding, - std::move(cache_padding_key))); + index->Insert(CacheStorageIndex::CacheMetadata(cache.name(), cache_size, + cache_padding)); cache_name_to_cache_dir_[cache.name()] = cache.cache_dir(); cache_dirs->insert(cache.cache_dir()); } @@ -1058,8 +1045,7 @@ cache_map_.insert(std::make_pair(cache_name, std::move(cache))); cache_index_->Insert(CacheStorageIndex::CacheMetadata( - cache_name, cache_ptr->cache_size(), cache_ptr->cache_padding(), - cache_ptr->cache_padding_key()->key())); + cache_name, cache_ptr->cache_size(), cache_ptr->cache_padding())); CacheStorageCacheHandle handle = cache_ptr->CreateHandle(); index_write_task_.Cancel(); @@ -1363,8 +1349,7 @@ DCHECK(metadata); std::unique_ptr new_cache = cache_loader_->CreateCache( - cache_name, metadata->size, metadata->padding, - storage::DeserializePaddingKey(metadata->padding_key)); + cache_name, metadata->size, metadata->padding); CacheStorageCache* cache_ptr = new_cache.get(); map_iter->second = std::move(new_cache); @@ -1380,9 +1365,11 @@ int64_t* accumulator, int64_t size) { auto* impl = LegacyCacheStorageCache::From(cache_handle); - if (doomed_caches_.find(impl) == doomed_caches_.end()) - cache_index_->SetCacheSize(impl->cache_name(), size); - *accumulator += size; + if (doomed_caches_.find(impl) == doomed_caches_.end()) { + cache_index_->SetCacheSize(impl->cache_name(), impl->cache_size()); + cache_index_->SetCachePadding(impl->cache_name(), impl->cache_padding()); + } + *accumulator += (impl->cache_size() + impl->cache_padding()); std::move(closure).Run(); } @@ -1435,8 +1422,9 @@ std::move(callback))); for (const auto& cache_metadata : cache_index_->ordered_cache_metadata()) { - if (cache_metadata.size != LegacyCacheStorage::kSizeUnknown) { - *accumulator_ptr += cache_metadata.size; + if (cache_metadata.size != LegacyCacheStorage::kSizeUnknown && + cache_metadata.padding != LegacyCacheStorage::kSizeUnknown) { + *accumulator_ptr += (cache_metadata.size + cache_metadata.padding); barrier_closure.Run(); continue; } diff -Naur a/src/3rdparty/chromium/content/browser/code_cache/generated_code_cache.cc b/src/3rdparty/chromium/content/browser/code_cache/generated_code_cache.cc --- a/src/3rdparty/chromium/content/browser/code_cache/generated_code_cache.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/code_cache/generated_code_cache.cc 2021-04-30 21:20:24.046606537 +0100 @@ -384,9 +384,18 @@ // [stream1] // [stream0 (checksum key entry)] // [stream1 (checksum key entry)] data + + // Make a copy of the data before hashing. A compromised renderer could + // change shared memory before we can compute the hash and write the data. + // TODO(1135729) Eliminate this copy when the shared memory can't be written + // by the sender. + mojo_base::BigBuffer copy({data.data(), data.size()}); + if (copy.size() != data.size()) + return; + data = mojo_base::BigBuffer(); // Release the old buffer. uint8_t result[crypto::kSHA256Length]; crypto::SHA256HashString( - base::StringPiece(reinterpret_cast(data.data()), data.size()), + base::StringPiece(reinterpret_cast(copy.data()), copy.size()), result, base::size(result)); std::string checksum_key = base::HexEncode(result, base::size(result)); small_buffer = base::MakeRefCounted( @@ -401,7 +410,7 @@ // Issue another write operation for the code, with the checksum as the key // and nothing in the header. auto small_buffer2 = base::MakeRefCounted(0); - auto large_buffer2 = base::MakeRefCounted(std::move(data)); + auto large_buffer2 = base::MakeRefCounted(std::move(copy)); auto op2 = std::make_unique(Operation::kWriteWithSHAKey, checksum_key, small_buffer2, large_buffer2); diff -Naur a/src/3rdparty/chromium/content/browser/devtools/protocol/page_handler.cc b/src/3rdparty/chromium/content/browser/devtools/protocol/page_handler.cc --- a/src/3rdparty/chromium/content/browser/devtools/protocol/page_handler.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/devtools/protocol/page_handler.cc 2021-04-30 20:11:47.273405467 +0100 @@ -501,8 +501,12 @@ params.referrer = Referrer(GURL(referrer.fromMaybe("")), policy); params.transition_type = type; params.frame_tree_node_id = frame_tree_node->frame_tree_node_id(); + // Handler may be destroyed while navigating if the session + // gets disconnected as a result of access checks. + base::WeakPtr weak_self = weak_factory_.GetWeakPtr(); frame_tree_node->navigator().GetController()->LoadURLWithParams(params); - + if (!weak_self) + return; base::UnguessableToken frame_token = frame_tree_node->devtools_frame_token(); auto navigate_callback = navigate_callbacks_.find(frame_token); if (navigate_callback != navigate_callbacks_.end()) { diff -Naur a/src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc --- a/src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc 2021-04-30 20:11:47.273405467 +0100 @@ -474,8 +474,11 @@ if (!ShouldAllowSession(session)) restricted_sessions.push_back(session); } - if (!restricted_sessions.empty()) + scoped_refptr protect; + if (!restricted_sessions.empty()) { + protect = this; ForceDetachRestrictedSessions(restricted_sessions); + } UpdateFrameAlive(); } diff -Naur a/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.cc b/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.cc --- a/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.cc 2021-04-30 20:11:17.392753946 +0100 @@ -133,7 +133,8 @@ int render_frame_id = -1; int render_process_id = -1; base::RepeatingCallback callback; - int delegate_subscription_id; + // This is default-initialized to an invalid ID. + PermissionControllerDelegate::SubscriptionId delegate_subscription_id; }; PermissionControllerImpl::~PermissionControllerImpl() { @@ -389,7 +390,8 @@ subscription->callback.Run(status); } -int PermissionControllerImpl::SubscribePermissionStatusChange( +PermissionControllerImpl::SubscriptionId +PermissionControllerImpl::SubscribePermissionStatusChange( PermissionType permission, RenderFrameHost* render_frame_host, const GURL& requesting_origin, @@ -423,22 +425,22 @@ base::BindRepeating( &PermissionControllerImpl::OnDelegatePermissionStatusChange, base::Unretained(this), subscription.get())); - } else { - subscription->delegate_subscription_id = kNoPendingOperation; } - return subscriptions_.Add(std::move(subscription)); + + auto id = subscription_id_generator_.GenerateNextId(); + subscriptions_.AddWithID(std::move(subscription), id); + return id; } void PermissionControllerImpl::UnsubscribePermissionStatusChange( - int subscription_id) { + SubscriptionId subscription_id) { Subscription* subscription = subscriptions_.Lookup(subscription_id); if (!subscription) return; PermissionControllerDelegate* delegate = browser_context_->GetPermissionControllerDelegate(); - if (delegate && - subscription->delegate_subscription_id != kNoPendingOperation) { - delegate->UnsubscribePermissionStatusChange( + if (delegate) { + delegate->UnsubscribePermissionStatusChange( subscription->delegate_subscription_id); } subscriptions_.Remove(subscription_id); diff -Naur a/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.h b/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.h --- a/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/permissions/permission_controller_impl.h 2021-04-30 20:11:17.392753946 +0100 @@ -72,18 +72,19 @@ const GURL& requesting_origin, const GURL& embedding_origin); - int SubscribePermissionStatusChange( + SubscriptionId SubscribePermissionStatusChange( PermissionType permission, RenderFrameHost* render_frame_host, const GURL& requesting_origin, const base::RepeatingCallback& callback); - void UnsubscribePermissionStatusChange(int subscription_id); + void UnsubscribePermissionStatusChange(SubscriptionId subscription_id); private: struct Subscription; - using SubscriptionsMap = base::IDMap>; + using SubscriptionsMap = + base::IDMap, SubscriptionId>; using SubscriptionsStatusMap = base::flat_map; @@ -98,7 +99,13 @@ const base::Optional& origin); DevToolsPermissionOverrides devtools_permission_overrides_; + + // Note that SubscriptionId is distinct from + // PermissionControllerDelegate::SubscriptionId, and the concrete ID values + // may be different as well. SubscriptionsMap subscriptions_; + SubscriptionId::Generator subscription_id_generator_; + BrowserContext* browser_context_; DISALLOW_COPY_AND_ASSIGN(PermissionControllerImpl); diff -Naur a/src/3rdparty/chromium/content/browser/permissions/permission_service_context.cc b/src/3rdparty/chromium/content/browser/permissions/permission_service_context.cc --- a/src/3rdparty/chromium/content/browser/permissions/permission_service_context.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/permissions/permission_service_context.cc 2021-04-30 20:11:17.393755677 +0100 @@ -32,7 +32,7 @@ PermissionSubscription& operator=(const PermissionSubscription&) = delete; ~PermissionSubscription() { - DCHECK_NE(id_, 0); + DCHECK(id_); BrowserContext* browser_context = context_->GetBrowserContext(); if (browser_context) { PermissionControllerImpl::FromBrowserContext(browser_context) @@ -41,7 +41,7 @@ } void OnConnectionError() { - DCHECK_NE(id_, 0); + DCHECK(id_); context_->ObserverHadConnectionError(id_); } @@ -49,12 +49,12 @@ observer_->OnPermissionStatusChange(status); } - void set_id(int id) { id_ = id; } + void set_id(PermissionController::SubscriptionId id) { id_ = id; } private: PermissionServiceContext* const context_; mojo::Remote observer_; - int id_ = 0; + PermissionController::SubscriptionId id_; }; PermissionServiceContext::PermissionServiceContext( @@ -108,7 +108,7 @@ } GURL requesting_origin(origin.Serialize()); - int subscription_id = + auto subscription_id = PermissionControllerImpl::FromBrowserContext(browser_context) ->SubscribePermissionStatusChange( permission_type, render_frame_host_, requesting_origin, @@ -119,7 +119,8 @@ subscriptions_[subscription_id] = std::move(subscription); } -void PermissionServiceContext::ObserverHadConnectionError(int subscription_id) { +void PermissionServiceContext::ObserverHadConnectionError( + PermissionController::SubscriptionId subscription_id) { size_t erased = subscriptions_.erase(subscription_id); DCHECK_EQ(1u, erased); } diff -Naur a/src/3rdparty/chromium/content/browser/permissions/permission_service_context.h b/src/3rdparty/chromium/content/browser/permissions/permission_service_context.h --- a/src/3rdparty/chromium/content/browser/permissions/permission_service_context.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/permissions/permission_service_context.h 2021-04-30 20:11:17.393755677 +0100 @@ -9,6 +9,7 @@ #include #include "content/common/content_export.h" +#include "content/public/browser/permission_controller.h" #include "content/public/browser/permission_type.h" #include "content/public/browser/web_contents_observer.h" #include "mojo/public/cpp/bindings/pending_receiver.h" @@ -52,7 +53,8 @@ mojo::PendingRemote observer); // Called when the connection to a PermissionObserver has an error. - void ObserverHadConnectionError(int subscription_id); + void ObserverHadConnectionError( + PermissionController::SubscriptionId subscription_id); // May return nullptr during teardown, or when showing an interstitial. BrowserContext* GetBrowserContext() const; @@ -78,7 +80,8 @@ RenderFrameHost* const render_frame_host_; RenderProcessHost* const render_process_host_; mojo::UniqueReceiverSet services_; - std::unordered_map> + std::unordered_map> subscriptions_; }; diff -Naur a/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.cc b/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.cc --- a/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.cc 2021-04-30 20:11:17.393755677 +0100 @@ -668,9 +668,9 @@ std::string tab_capture_device_id; - int audio_subscription_id = PermissionControllerImpl::kNoPendingOperation; + PermissionController::SubscriptionId audio_subscription_id; - int video_subscription_id = PermissionControllerImpl::kNoPendingOperation; + PermissionController::SubscriptionId video_subscription_id; private: std::vector state_; @@ -2686,8 +2686,8 @@ if (!controller) return; - int audio_subscription_id = PermissionControllerImpl::kNoPendingOperation; - int video_subscription_id = PermissionControllerImpl::kNoPendingOperation; + PermissionController::SubscriptionId audio_subscription_id; + PermissionController::SubscriptionId video_subscription_id; if (is_audio_request) { // It is safe to bind base::Unretained(this) because MediaStreamManager is @@ -2729,8 +2729,8 @@ const std::string& label, int requesting_process_id, int requesting_frame_id, - int audio_subscription_id, - int video_subscription_id) { + PermissionController::SubscriptionId audio_subscription_id, + PermissionController::SubscriptionId video_subscription_id) { DCHECK_CURRENTLY_ON(BrowserThread::IO); DeviceRequest* const request = FindRequest(label); @@ -2757,8 +2757,8 @@ void MediaStreamManager::UnsubscribeFromPermissionControllerOnUIThread( int requesting_process_id, int requesting_frame_id, - int audio_subscription_id, - int video_subscription_id) { + PermissionController::SubscriptionId audio_subscription_id, + PermissionController::SubscriptionId video_subscription_id) { DCHECK_CURRENTLY_ON(BrowserThread::UI); PermissionControllerImpl* controller = diff -Naur a/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.h b/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.h --- a/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/renderer_host/media/media_stream_manager.h 2021-04-30 20:11:17.393755677 +0100 @@ -50,6 +50,7 @@ #include "content/public/browser/desktop_media_id.h" #include "content/public/browser/media_request_state.h" #include "content/public/browser/media_stream_request.h" +#include "content/public/browser/permission_controller.h" #include "media/base/video_facing.h" #include "third_party/blink/public/common/mediastream/media_devices.h" #include "third_party/blink/public/common/mediastream/media_stream_controls.h" @@ -557,19 +558,20 @@ // Store the subscription ids on a DeviceRequest in order to allow // unsubscribing when the request is deleted. - void SetPermissionSubscriptionIDs(const std::string& label, - int requesting_process_id, - int requesting_frame_id, - int audio_subscription_id, - int video_subscription_id); + void SetPermissionSubscriptionIDs( + const std::string& label, + int requesting_process_id, + int requesting_frame_id, + PermissionController::SubscriptionId audio_subscription_id, + PermissionController::SubscriptionId video_subscription_id); // Unsubscribe from following permission updates for the two specified // subscription IDs. Called when a request is deleted. static void UnsubscribeFromPermissionControllerOnUIThread( int requesting_process_id, int requesting_frame_id, - int audio_subscription_id, - int video_subscription_id); + PermissionController::SubscriptionId audio_subscription_id, + PermissionController::SubscriptionId video_subscription_id); // Callback that the PermissionController calls when a permission is updated. void PermissionChangedCallback(int requesting_process_id, diff -Naur a/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_manager.cc b/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_manager.cc --- a/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_manager.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/renderer_host/render_frame_host_manager.cc 2021-04-30 21:26:51.989166339 +0100 @@ -159,10 +159,13 @@ const GURL& url, bool is_coop_coep_cross_origin_isolated, bool is_speculative) { + SiteInstanceImpl* site_instance_impl = + static_cast(site_instance); // We do not want cross-origin-isolated have any impact on SiteInstances until // we get an actual COOP value in a redirect or a final response. if (is_speculative) - return true; + return site_instance_impl->IsCoopCoepCrossOriginIsolated() == + is_coop_coep_cross_origin_isolated; // Note: The about blank case is to accommodate web tests that use COOP. They // expect an about:blank page to stay in process, and hang otherwise. In @@ -172,9 +175,6 @@ if (url.IsAboutBlank()) return true; - SiteInstanceImpl* site_instance_impl = - static_cast(site_instance); - if (is_main_frame) { if (site_instance_impl->IsCoopCoepCrossOriginIsolated() != is_coop_coep_cross_origin_isolated) { diff -Naur a/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.cc b/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.cc --- a/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.cc 2021-04-30 21:23:41.798402297 +0100 @@ -345,7 +345,7 @@ // Remove this view from the owner_map. for (auto entry : owner_map_) { - if (entry.second == view) { + if (entry.second.get() == view) { owner_map_.erase(entry.first); // There will only be one instance of a particular view in the map. break; @@ -368,7 +368,7 @@ // replace it with nullptr so that we maintain the 1:1 correspondence between // map entries and the touch sequences that underly them. for (auto it : touchscreen_gesture_target_map_) { - if (it.second == view) + if (it.second.get() == view) it.second = nullptr; } @@ -417,8 +417,10 @@ void RenderWidgetHostInputEventRouter::ClearAllObserverRegistrations() { // Since we're shutting down, it's safe to call RenderWidgetHostViewBase:: // RemoveObserver() directly here. - for (auto entry : owner_map_) - entry.second->RemoveObserver(this); + for (auto entry : owner_map_) { + if (entry.second) + entry.second->RemoveObserver(this); + } owner_map_.clear(); viz::HostFrameSinkManager* manager = GetHostFrameSinkManager(); if (manager) @@ -840,7 +842,7 @@ touch_event.unique_touch_event_id) == touchscreen_gesture_target_map_.end()); touchscreen_gesture_target_map_[touch_event.unique_touch_event_id] = - touch_target_; + touch_target_->GetWeakPtr(); } else if (touch_event.GetType() == blink::WebInputEvent::Type::kTouchStart) { active_touches_ += CountChangedTouchPoints(touch_event); } @@ -1352,7 +1354,7 @@ // We want to be notified if the owner is destroyed so we can remove it from // our map. owner->AddObserver(this); - owner_map_.insert(std::make_pair(id, owner)); + owner_map_.insert(std::make_pair(id, owner->GetWeakPtr())); } void RenderWidgetHostInputEventRouter::RemoveFrameSinkIdOwner( @@ -1364,7 +1366,8 @@ // stale values if the view destructs and isn't an observer anymore. // Note: the view the iterator points at will be deleted in the following // call, and shouldn't be used after this point. - OnRenderWidgetHostViewBaseDestroyed(it_to_remove->second); + if (it_to_remove->second) + OnRenderWidgetHostViewBaseDestroyed(it_to_remove->second.get()); } } @@ -1415,7 +1418,7 @@ bool RenderWidgetHostInputEventRouter::IsViewInMap( const RenderWidgetHostViewBase* view) const { DCHECK(!is_registered(view->GetFrameSinkId()) || - owner_map_.find(view->GetFrameSinkId())->second == view); + owner_map_.find(view->GetFrameSinkId())->second.get() == view); return is_registered(view->GetFrameSinkId()); } @@ -1522,6 +1525,10 @@ base::Optional fallback_target_location; + // Adding crash logs to track the reason of stale pointer value of |target|. + LogTouchscreenGestureTargetCrashKeys( + "RWHIER::DispatchTouchscreenGestureEvent target set from caller"); + if (gesture_event.unique_touch_event_id == 0) { // On Android it is possible for touchscreen gesture events to arrive that // are not associated with touch events, because non-synthetic events can be @@ -1550,9 +1557,19 @@ // don't worry about the fact we're ignoring |result.should_query_view|, as // this is the best we can do until we fix https://crbug.com/595422. target = result.view; + + // Adding crash logs to track the reason of stale pointer value of |target|. + LogTouchscreenGestureTargetCrashKeys( + "RWHIER::DispatchTouchscreenGestureEvent target from " + "FindViewAtLocation"); fallback_target_location = transformed_point; } else if (is_gesture_start) { - target = gesture_target_it->second; + target = gesture_target_it->second.get(); + + // Adding crash logs to track the reason of stale pointer value of |target|. + LogTouchscreenGestureTargetCrashKeys( + "RWHIER::DispatchTouchscreenGestureEvent target from " + "touchscreen_gesture_target_map_"); touchscreen_gesture_target_map_.erase(gesture_target_it); // Abort any scroll bubbling in progress to avoid double entry. @@ -1738,7 +1755,7 @@ // If the point hit a Surface whose namspace is no longer in the map, then // it likely means the RenderWidgetHostView has been destroyed but its // parent frame has not sent a new compositor frame since that happened. - return iter == owner_map_.end() ? nullptr : iter->second; + return iter == owner_map_.end() ? nullptr : iter->second.get(); } bool RenderWidgetHostInputEventRouter::ShouldContinueHitTesting( @@ -1758,8 +1775,10 @@ std::vector RenderWidgetHostInputEventRouter::GetRenderWidgetHostViewsForTests() const { std::vector hosts; - for (auto entry : owner_map_) - hosts.push_back(entry.second); + for (auto entry : owner_map_) { + DCHECK(entry.second); + hosts.push_back(entry.second.get()); + } return hosts; } @@ -1928,8 +1947,10 @@ last_device_scale_factor_ = last_mouse_move_root_view_->current_device_scale_factor(); if (auto* cursor_manager = last_mouse_move_root_view_->GetCursorManager()) { - for (auto it : owner_map_) - cursor_manager->UpdateCursor(it.second, cursor); + for (auto it : owner_map_) { + if (it.second) + cursor_manager->UpdateCursor(it.second.get(), cursor); + } } } @@ -1949,7 +1970,7 @@ const std::vector& hit_test_data) { for (auto& region : hit_test_data) { auto iter = owner_map_.find(region.frame_sink_id); - if (iter != owner_map_.end()) + if (iter != owner_map_.end() && iter->second) iter->second->NotifyHitTestRegionUpdated(region); } } @@ -1981,4 +2002,11 @@ event_targeter_->SetIsAutoScrollInProgress(is_autoscroll_in_progress); } +void RenderWidgetHostInputEventRouter::LogTouchscreenGestureTargetCrashKeys( + const std::string& log_message) { + static auto* target_crash_key = base::debug::AllocateCrashKeyString( + "target_crash_key", base::debug::CrashKeySize::Size256); + base::debug::SetCrashKeyString(target_crash_key, log_message); +} + } // namespace content diff -Naur a/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.h b/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.h --- a/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/browser/renderer_host/render_widget_host_input_event_router.h 2021-04-30 21:23:18.134498927 +0100 @@ -195,10 +195,11 @@ FRIEND_TEST_ALL_PREFIXES(BrowserSideFlingBrowserTest, InertialGSUBubblingStopsWhenParentCannotScroll); - using FrameSinkIdOwnerMap = std::unordered_map; - using TargetMap = std::map; + using FrameSinkIdOwnerMap = + std::unordered_map, + viz::FrameSinkIdHash>; + using TargetMap = std::map>; void ClearAllObserverRegistrations(); RenderWidgetTargetResult FindViewAtLocation( @@ -332,6 +333,9 @@ void SetTouchscreenGestureTarget(RenderWidgetHostViewBase* target, bool moved_recently = false); + // TODO(crbug.com/1155297): Remove when bug investigation is complete. + void LogTouchscreenGestureTargetCrashKeys(const std::string& log_message); + FrameSinkIdOwnerMap owner_map_; TargetMap touchscreen_gesture_target_map_; RenderWidgetHostViewBase* touch_target_ = nullptr; diff -Naur a/src/3rdparty/chromium/content/common/background_fetch/background_fetch_types.cc b/src/3rdparty/chromium/content/common/background_fetch/background_fetch_types.cc --- a/src/3rdparty/chromium/content/common/background_fetch/background_fetch_types.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/common/background_fetch/background_fetch_types.cc 2021-04-30 21:20:05.693885817 +0100 @@ -31,16 +31,16 @@ return nullptr; return blink::mojom::FetchAPIResponse::New( response->url_list, response->status_code, response->status_text, - response->response_type, response->response_source, response->headers, - response->mime_type, response->request_method, + response->response_type, response->padding, response->response_source, + response->headers, response->mime_type, response->request_method, CloneSerializedBlob(response->blob), response->error, response->response_time, response->cache_storage_cache_name, response->cors_exposed_header_names, CloneSerializedBlob(response->side_data_blob), CloneSerializedBlob(response->side_data_blob_for_cache_put), mojo::Clone(response->parsed_headers), response->connection_info, - response->alpn_negotiated_protocol, response->loaded_with_credentials, - response->was_fetched_via_spdy, response->has_range_requested); + response->alpn_negotiated_protocol, response->was_fetched_via_spdy, + response->has_range_requested); } // static diff -Naur a/src/3rdparty/chromium/content/common/service_worker/service_worker_loader_helpers.cc b/src/3rdparty/chromium/content/common/service_worker/service_worker_loader_helpers.cc --- a/src/3rdparty/chromium/content/common/service_worker/service_worker_loader_helpers.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/common/service_worker/service_worker_loader_helpers.cc 2021-04-30 21:19:25.174852986 +0100 @@ -97,6 +97,7 @@ out_head->was_fallback_required_by_service_worker = false; out_head->url_list_via_service_worker = response.url_list; out_head->response_type = response.response_type; + out_head->padding = response.padding; if (response.mime_type.has_value()) { std::string charset; bool had_charset = false; diff -Naur a/src/3rdparty/chromium/content/public/browser/permission_controller_delegate.h b/src/3rdparty/chromium/content/public/browser/permission_controller_delegate.h --- a/src/3rdparty/chromium/content/public/browser/permission_controller_delegate.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/public/browser/permission_controller_delegate.h 2021-04-30 20:11:17.393755677 +0100 @@ -5,6 +5,7 @@ #ifndef CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ #define CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ +#include "base/util/type_safety/id_type.h" #include "content/common/content_export.h" #include "content/public/browser/devtools_permission_overrides.h" #include "third_party/blink/public/mojom/permissions/permission_status.mojom.h" @@ -18,6 +19,10 @@ class CONTENT_EXPORT PermissionControllerDelegate { public: using PermissionOverrides = DevToolsPermissionOverrides::PermissionOverrides; + + // Identifier for an active subscription. + using SubscriptionId = util::IdType64; + virtual ~PermissionControllerDelegate() = default; // Requests a permission on behalf of a frame identified by @@ -80,21 +85,21 @@ // Runs the given |callback| whenever the |permission| associated with the // given RenderFrameHost changes. A nullptr should be passed if the request - // is from a worker. Returns the subscription_id to be used to unsubscribe. - // Can be kNoPendingOperation if the subscribe was not successful. - virtual int SubscribePermissionStatusChange( + // is from a worker. Returns the ID to be used to unsubscribe, which can be + // `is_null()` if the subscribe was not successful. + virtual SubscriptionId SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) = 0; - // Unregisters from permission status change notifications. - // The |subscription_id| must match the value returned by the - // SubscribePermissionStatusChange call. Unsubscribing - // an already unsubscribed |subscription_id| or providing the - // |subscription_id| kNoPendingOperation is a no-op. - virtual void UnsubscribePermissionStatusChange(int subscription_id) = 0; + // Unregisters from permission status change notifications. The + // |subscription_id| must match the value returned by the + // SubscribePermissionStatusChange call. Unsubscribing an already + // unsubscribed |subscription_id| or an `is_null()` ID is a no-op. + virtual void UnsubscribePermissionStatusChange( + SubscriptionId subscription_id) = 0; // Manually overrides default permission settings of delegate, if overrides // are tracked by the delegate. This method should only be called by the @@ -116,4 +121,17 @@ } // namespace content +namespace std { + +template <> +struct hash { + std::size_t operator()( + const content::PermissionControllerDelegate::SubscriptionId& v) const { + content::PermissionControllerDelegate::SubscriptionId::Hasher hasher; + return hasher(v); + } +}; + +} // namespace std + #endif // CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_DELEGATE_H_ diff -Naur a/src/3rdparty/chromium/content/public/browser/permission_controller.h b/src/3rdparty/chromium/content/public/browser/permission_controller.h --- a/src/3rdparty/chromium/content/public/browser/permission_controller.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/public/browser/permission_controller.h 2021-04-30 20:11:17.393755677 +0100 @@ -6,6 +6,7 @@ #define CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_H_ #include "base/supports_user_data.h" +#include "base/util/type_safety/id_type.h" #include "content/common/content_export.h" #include "content/public/browser/permission_type.h" #include "third_party/blink/public/mojom/permissions/permission_status.mojom.h" @@ -20,8 +21,13 @@ class CONTENT_EXPORT PermissionController : public base::SupportsUserData::Data { public: - // Constant retured when registering and subscribing if - // cancelling/unsubscribing at a later stage would have no effect. + // Identifier for an active subscription. This is intentionally a distinct + // type from PermissionControllerDelegate::SubscriptionId as the concrete + // identifier values may be different. + using SubscriptionId = util::IdType64; + + // Constant returned when requesting a permission if cancelling at a later + // stage would have no effect. static const int kNoPendingOperation = -1; ~PermissionController() override {} @@ -48,4 +54,17 @@ } // namespace content +namespace std { + +template <> +struct hash { + std::size_t operator()( + const content::PermissionController::SubscriptionId& v) const { + content::PermissionController::SubscriptionId::Hasher hasher; + return hasher(v); + } +}; + +} // namespace std + #endif // CONTENT_PUBLIC_BROWSER_PERMISSION_CONTROLLER_H_ diff -Naur a/src/3rdparty/chromium/content/renderer/loader/web_url_loader_impl.cc b/src/3rdparty/chromium/content/renderer/loader/web_url_loader_impl.cc --- a/src/3rdparty/chromium/content/renderer/loader/web_url_loader_impl.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/renderer/loader/web_url_loader_impl.cc 2021-04-30 21:19:25.174852986 +0100 @@ -929,6 +929,7 @@ response->SetWasFallbackRequiredByServiceWorker( head.was_fallback_required_by_service_worker); response->SetType(head.response_type); + response->SetPadding(head.padding); response->SetUrlListViaServiceWorker(head.url_list_via_service_worker); response->SetCacheStorageCacheName( head.service_worker_response_source == diff -Naur a/src/3rdparty/chromium/content/renderer/render_frame_impl.cc b/src/3rdparty/chromium/content/renderer/render_frame_impl.cc --- a/src/3rdparty/chromium/content/renderer/render_frame_impl.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/content/renderer/render_frame_impl.cc 2021-04-30 20:10:44.929638395 +0100 @@ -3222,6 +3222,10 @@ return; } + if (commit_params->origin_to_commit) { + commit_params->origin_to_commit->SetFullURL(GetOriginalRequestURL(frame_->GetDocumentLoader())); + } + SetOldPageLifecycleStateFromNewPageCommitIfNeeded( commit_params->old_page_info.get()); diff -Naur a/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.cc b/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.cc --- a/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.cc 2021-04-30 20:11:17.393755677 +0100 @@ -83,20 +83,21 @@ permission, url::Origin::Create(requesting_origin)); } -int WebEnginePermissionDelegate::SubscribePermissionStatusChange( +WebEnginePermissionDelegate::SubscriptionId +WebEnginePermissionDelegate::SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) { // TODO(crbug.com/1063094): Implement permission status subscription. It's // used in blink to emit PermissionStatus.onchange notifications. - NOTIMPLEMENTED() << ": " << static_cast(permission); - return content::PermissionController::kNoPendingOperation; + NOTIMPLEMENTED_LOG_ONCE() << ": " << static_cast(permission); + return SubscriptionId(); } void WebEnginePermissionDelegate::UnsubscribePermissionStatusChange( - int subscription_id) { + SubscriptionId subscription_id) { // TODO(crbug.com/1063094): Implement permission status subscription. It's // used in blink to emit PermissionStatus.onchange notifications. - NOTREACHED(); + NOTIMPLEMENTED_LOG_ONCE(); } diff -Naur a/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.h b/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.h --- a/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/fuchsia/engine/browser/web_engine_permission_delegate.h 2021-04-30 20:11:17.393755677 +0100 @@ -45,13 +45,14 @@ content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin) override; - int SubscribePermissionStatusChange( + SubscriptionId SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) override; - void UnsubscribePermissionStatusChange(int subscription_id) override; + void UnsubscribePermissionStatusChange( + SubscriptionId subscription_id) override; }; #endif // FUCHSIA_ENGINE_BROWSER_WEB_ENGINE_PERMISSION_DELEGATE_H_ diff -Naur a/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.cc b/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.cc --- a/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.cc 2021-04-30 20:11:17.393755677 +0100 @@ -71,15 +71,16 @@ return blink::mojom::PermissionStatus::ASK; } -int HeadlessPermissionManager::SubscribePermissionStatusChange( +HeadlessPermissionManager::SubscriptionId +HeadlessPermissionManager::SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) { - return content::PermissionController::kNoPendingOperation; + return SubscriptionId(); } void HeadlessPermissionManager::UnsubscribePermissionStatusChange( - int subscription_id) {} + SubscriptionId subscription_id) {} } // namespace headless diff -Naur a/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.h b/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.h --- a/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/headless/lib/browser/headless_permission_manager.h 2021-04-30 20:11:17.393755677 +0100 @@ -46,13 +46,14 @@ content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin) override; - int SubscribePermissionStatusChange( + SubscriptionId SubscribePermissionStatusChange( content::PermissionType permission, content::RenderFrameHost* render_frame_host, const GURL& requesting_origin, base::RepeatingCallback callback) override; - void UnsubscribePermissionStatusChange(int subscription_id) override; + void UnsubscribePermissionStatusChange( + SubscriptionId subscription_id) override; private: content::BrowserContext* browser_context_; diff -Naur a/src/3rdparty/chromium/mojo/core/node_channel.cc b/src/3rdparty/chromium/mojo/core/node_channel.cc --- a/src/3rdparty/chromium/mojo/core/node_channel.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/mojo/core/node_channel.cc 2021-04-30 21:20:48.517902571 +0100 @@ -191,13 +191,16 @@ } // static -void NodeChannel::GetEventMessageData(Channel::Message* message, +bool NodeChannel::GetEventMessageData(Channel::Message& message, void** data, size_t* num_data_bytes) { - // NOTE: OnChannelMessage guarantees that we never accept a Channel::Message - // with a payload of fewer than |sizeof(Header)| bytes. - *data = reinterpret_cast(message->mutable_payload()) + 1; - *num_data_bytes = message->payload_size() - sizeof(Header); + // NOTE: Callers must guarantee that the payload in `message` must be at least + // large enough to hold a Header. + if (message.payload_size() < sizeof(Header)) + return false; + *data = reinterpret_cast(message.mutable_payload()) + 1; + *num_data_bytes = message.payload_size() - sizeof(Header); + return true; } void NodeChannel::Start() { diff -Naur a/src/3rdparty/chromium/mojo/core/node_channel.h b/src/3rdparty/chromium/mojo/core/node_channel.h --- a/src/3rdparty/chromium/mojo/core/node_channel.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/mojo/core/node_channel.h 2021-04-30 21:20:48.517902571 +0100 @@ -90,7 +90,9 @@ void** payload, size_t num_handles); - static void GetEventMessageData(Channel::Message* message, + // Retrieves address and size of an Event message's underlying message data. + // Returns `false` if the message is not a valid Event message. + static bool GetEventMessageData(Channel::Message& message, void** data, size_t* num_data_bytes); diff -Naur a/src/3rdparty/chromium/mojo/core/node_controller.cc b/src/3rdparty/chromium/mojo/core/node_controller.cc --- a/src/3rdparty/chromium/mojo/core/node_controller.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/mojo/core/node_controller.cc 2021-04-30 21:20:48.517902571 +0100 @@ -76,7 +76,9 @@ Channel::MessagePtr channel_message) { void* data; size_t size; - NodeChannel::GetEventMessageData(channel_message.get(), &data, &size); + bool valid = NodeChannel::GetEventMessageData(*channel_message, &data, &size); + if (!valid) + return nullptr; auto event = ports::Event::Deserialize(data, size); if (!event) return nullptr; @@ -943,7 +945,11 @@ void NodeController::OnAcceptBrokerClient(const ports::NodeName& from_node, const ports::NodeName& broker_name, PlatformHandle broker_channel) { - DCHECK(!GetConfiguration().is_broker_process); + if (GetConfiguration().is_broker_process) { + // The broker should never receive this message from anyone. + DropPeer(from_node, nullptr); + return; + } // This node should already have an inviter in bootstrap mode. ports::NodeName inviter_name; @@ -954,8 +960,13 @@ inviter = bootstrap_inviter_channel_; bootstrap_inviter_channel_ = nullptr; } - DCHECK(inviter_name == from_node); - DCHECK(inviter); + + if (inviter_name != from_node || !inviter || + broker_name == ports::kInvalidNodeName) { + // We are not expecting this message. Assume the source is hostile. + DropPeer(from_node, nullptr); + return; + } base::queue pending_broker_clients; std::unordered_map @@ -966,22 +977,22 @@ std::swap(pending_broker_clients, pending_broker_clients_); std::swap(pending_relay_messages, pending_relay_messages_); } - DCHECK(broker_name != ports::kInvalidNodeName); // It's now possible to add both the broker and the inviter as peers. // Note that the broker and inviter may be the same node. scoped_refptr broker; if (broker_name == inviter_name) { - DCHECK(!broker_channel.is_valid()); broker = inviter; - } else { - DCHECK(broker_channel.is_valid()); + } else if (broker_channel.is_valid()) { broker = NodeChannel::Create( this, ConnectionParams(PlatformChannelEndpoint(std::move(broker_channel))), Channel::HandlePolicy::kAcceptHandles, io_task_runner_, ProcessErrorCallback()); AddPeer(broker_name, broker, true /* start_channel */); + } else { + DropPeer(from_node, nullptr); + return; } AddPeer(inviter_name, inviter, false /* start_channel */); diff -Naur a/src/3rdparty/chromium/mojo/core/user_message_impl.cc b/src/3rdparty/chromium/mojo/core/user_message_impl.cc --- a/src/3rdparty/chromium/mojo/core/user_message_impl.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/mojo/core/user_message_impl.cc 2021-04-30 21:20:48.517902571 +0100 @@ -417,7 +417,14 @@ if (channel_message) { void* data; size_t size; - NodeChannel::GetEventMessageData(channel_message.get(), &data, &size); + // The `channel_message` must either be produced locally or must have + // already been validated by the caller, as is done for example by + // NodeController::DeserializeEventMessage before + // NodeController::OnBroadcast re-serializes each copy of the message it + // received. + bool result = + NodeChannel::GetEventMessageData(*channel_message, &data, &size); + DCHECK(result); message_event->Serialize(data); } diff -Naur a/src/3rdparty/chromium/mojo/public/cpp/bindings/receiver_set.h b/src/3rdparty/chromium/mojo/public/cpp/bindings/receiver_set.h --- a/src/3rdparty/chromium/mojo/public/cpp/bindings/receiver_set.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/mojo/public/cpp/bindings/receiver_set.h 2021-04-30 21:14:32.023171502 +0100 @@ -24,7 +24,7 @@ namespace mojo { -using ReceiverId = size_t; +using ReceiverId = uint64_t; template struct ReceiverSetTraits; @@ -361,11 +361,11 @@ Context context, scoped_refptr task_runner) { ReceiverId id = next_receiver_id_++; - DCHECK_GE(next_receiver_id_, 0u); auto entry = std::make_unique(std::move(impl), std::move(receiver), this, id, std::move(context), std::move(task_runner)); - receivers_.insert(std::make_pair(id, std::move(entry))); + auto result = receivers_.insert(std::make_pair(id, std::move(entry))); + CHECK(result.second) << "ReceiverId overflow with collision"; return id; } diff -Naur a/src/3rdparty/chromium/net/cookies/site_for_cookies.cc b/src/3rdparty/chromium/net/cookies/site_for_cookies.cc --- a/src/3rdparty/chromium/net/cookies/site_for_cookies.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/net/cookies/site_for_cookies.cc 2021-04-30 20:10:44.929638395 +0100 @@ -37,6 +37,7 @@ bool SiteForCookies::FromWire(const std::string& scheme, const std::string& registrable_domain, bool schemefully_same, + GURL first_party_url, SiteForCookies* out) { // Make sure scheme meets precondition of methods like // GURL::SchemeIsCryptographic. @@ -45,6 +46,8 @@ // registrable_domain_ should also be canonicalized. SiteForCookies candidate(scheme, registrable_domain); + candidate.first_party_url_ = first_party_url; + if (registrable_domain != candidate.registrable_domain_) return false; @@ -60,7 +63,12 @@ if (origin.opaque()) return SiteForCookies(); - return SiteForCookies(origin.scheme(), origin.host()); + SiteForCookies site_for_cookies = SiteForCookies(origin.scheme(), origin.host()); + if (!origin.GetFullURL().is_empty()) + site_for_cookies.first_party_url_ = origin.GetFullURL(); + else + site_for_cookies.first_party_url_ = origin.GetURL(); + return site_for_cookies; } // static @@ -191,4 +199,11 @@ return registrable_domain_ == other_registrable_domain; } +GURL SiteForCookies::first_party_url() const { + if (first_party_url_.is_empty()) + return RepresentativeUrl(); + + return first_party_url_; +} + } // namespace net diff -Naur a/src/3rdparty/chromium/net/cookies/site_for_cookies.h b/src/3rdparty/chromium/net/cookies/site_for_cookies.h --- a/src/3rdparty/chromium/net/cookies/site_for_cookies.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/net/cookies/site_for_cookies.h 2021-04-30 20:10:44.929638395 +0100 @@ -52,6 +52,7 @@ static bool FromWire(const std::string& scheme, const std::string& registrable_domain, bool schemefully_same, + GURL first_party_url, SiteForCookies* out); // If the origin is opaque, returns SiteForCookies that matches nothing. @@ -112,6 +113,8 @@ const std::string& registrable_domain() const { return registrable_domain_; } + GURL first_party_url() const; + // Used for serialization/deserialization. This value is irrelevant if // IsNull() is true. bool schemefully_same() const { return schemefully_same_; } @@ -162,6 +165,8 @@ // irrelevant (For tests this value can also be modified by // SetSchemefullySameForTesting()). bool schemefully_same_; + + GURL first_party_url_; }; } // namespace net diff -Naur a/src/3rdparty/chromium/pdf/pdfium/pdfium_engine.cc b/src/3rdparty/chromium/pdf/pdfium/pdfium_engine.cc --- a/src/3rdparty/chromium/pdf/pdfium/pdfium_engine.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/pdf/pdfium/pdfium_engine.cc 2021-04-30 21:15:54.646977959 +0100 @@ -1019,8 +1019,7 @@ FPDF_ANNOTATION last_focused_annot = nullptr; FPDF_BOOL ret = FORM_GetFocusedAnnot(form(), &last_focused_page_, &last_focused_annot); - DCHECK(ret); - if (PageIndexInBounds(last_focused_page_) && last_focused_annot) { + if (ret && PageIndexInBounds(last_focused_page_) && last_focused_annot) { last_focused_annot_index_ = FPDFPage_GetAnnotIndex( pages_[last_focused_page_]->GetPage(), last_focused_annot); } else { @@ -1041,8 +1040,8 @@ break; } case FocusElementType::kPage: { - int page_index; - FPDF_ANNOTATION focused_annot; + int page_index = -1; + FPDF_ANNOTATION focused_annot = nullptr; FPDF_BOOL ret = FORM_GetFocusedAnnot(form(), &page_index, &focused_annot); DCHECK(ret); @@ -3492,7 +3491,8 @@ const gfx::Point& device_point, double* page_x, double* page_y) { - *page_x = *page_y = 0; + *page_x = 0; + *page_y = 0; float device_x = device_point.x(); float device_y = device_point.y(); int temp_x = static_cast((device_x + position_.x()) / current_zoom_ - diff -Naur a/src/3rdparty/chromium/pdf/pdfium/pdfium_page.cc b/src/3rdparty/chromium/pdf/pdfium/pdfium_page.cc --- a/src/3rdparty/chromium/pdf/pdfium/pdfium_page.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/pdf/pdfium/pdfium_page.cc 2021-04-30 21:15:33.190893400 +0100 @@ -766,14 +766,15 @@ LinkTarget* target) { if (!available_) return NONSELECTABLE_AREA; + gfx::Point device_point = point - rect_.OffsetFromOrigin(); double new_x; double new_y; - FPDF_BOOL ret = - FPDF_DeviceToPage(GetPage(), 0, 0, rect_.width(), rect_.height(), - ToPDFiumRotation(orientation), device_point.x(), - device_point.y(), &new_x, &new_y); - DCHECK(ret); + if (!FPDF_DeviceToPage(GetPage(), 0, 0, rect_.width(), rect_.height(), + ToPDFiumRotation(orientation), device_point.x(), + device_point.y(), &new_x, &new_y)) { + return NONSELECTABLE_AREA; + } // hit detection tolerance, in points. constexpr double kTolerance = 20.0; @@ -1012,7 +1013,8 @@ double top; double right; double bottom; - FPDFLink_GetRect(links.get(), i, j, &left, &top, &right, &bottom); + if (!FPDFLink_GetRect(links.get(), i, j, &left, &top, &right, &bottom)) + continue; gfx::Rect rect = PageToScreen(gfx::Point(), 1.0, left, top, right, bottom, PageOrientation::kOriginal); if (rect.IsEmpty()) @@ -1095,9 +1097,9 @@ float top; float right; float bottom; - FPDF_BOOL ret = - FPDFPageObj_GetBounds(page_object, &left, &bottom, &right, &top); - DCHECK(ret); + if (!FPDFPageObj_GetBounds(page_object, &left, &bottom, &right, &top)) + continue; + Image image; image.bounding_rect = PageToScreen(gfx::Point(), 1.0, left, top, right, bottom, PageOrientation::kOriginal); diff -Naur a/src/3rdparty/chromium/services/network/public/cpp/net_ipc_param_traits.cc b/src/3rdparty/chromium/services/network/public/cpp/net_ipc_param_traits.cc --- a/src/3rdparty/chromium/services/network/public/cpp/net_ipc_param_traits.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/services/network/public/cpp/net_ipc_param_traits.cc 2021-04-30 20:10:44.929638395 +0100 @@ -572,20 +572,23 @@ WriteParam(m, p.scheme()); WriteParam(m, p.registrable_domain()); WriteParam(m, p.schemefully_same()); + WriteParam(m, p.first_party_url().spec()); } bool ParamTraits::Read(const base::Pickle* m, base::PickleIterator* iter, param_type* r) { - std::string scheme, registrable_domain; + std::string scheme, registrable_domain, first_party_url; bool schemefully_same; if (!ReadParam(m, iter, &scheme) || !ReadParam(m, iter, ®istrable_domain) || - !ReadParam(m, iter, &schemefully_same)) + !ReadParam(m, iter, &schemefully_same) || + !ReadParam(m, iter, &first_party_url)) return false; return net::SiteForCookies::FromWire(scheme, registrable_domain, - schemefully_same, r); + schemefully_same, + GURL(first_party_url), r); } void ParamTraits::Log(const param_type& p, diff -Naur a/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.cc b/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.cc --- a/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.cc 2021-04-30 20:10:44.929638395 +0100 @@ -11,7 +11,7 @@ bool StructTraits:: Read(network::mojom::SiteForCookiesDataView data, net::SiteForCookies* out) { - std::string scheme, registrable_domain; + std::string scheme, registrable_domain, first_party_url; if (!data.ReadScheme(&scheme)) { return false; } @@ -19,8 +19,13 @@ return false; } + if (!data.ReadFirstPartyUrl(&first_party_url)) { + return false; + } + bool result = net::SiteForCookies::FromWire(scheme, registrable_domain, - data.schemefully_same(), out); + data.schemefully_same(), + GURL(first_party_url), out); if (!result) { network::debug::SetDeserializationCrashKeyString("site_for_cookie"); } diff -Naur a/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.h b/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.h --- a/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/services/network/public/cpp/site_for_cookies_mojom_traits.h 2021-04-30 20:10:44.929638395 +0100 @@ -29,6 +29,11 @@ return input.schemefully_same(); } + static std::string first_party_url( + const net::SiteForCookies& input) { + return input.first_party_url().spec(); + } + static bool Read(network::mojom::SiteForCookiesDataView data, net::SiteForCookies* out); }; diff -Naur a/src/3rdparty/chromium/services/network/public/mojom/site_for_cookies.mojom b/src/3rdparty/chromium/services/network/public/mojom/site_for_cookies.mojom --- a/src/3rdparty/chromium/services/network/public/mojom/site_for_cookies.mojom 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/services/network/public/mojom/site_for_cookies.mojom 2021-04-30 20:10:44.929638395 +0100 @@ -11,4 +11,5 @@ string scheme; string registrable_domain; bool schemefully_same; + string first_party_url; }; diff -Naur a/src/3rdparty/chromium/services/network/public/mojom/url_response_head.mojom b/src/3rdparty/chromium/services/network/public/mojom/url_response_head.mojom --- a/src/3rdparty/chromium/services/network/public/mojom/url_response_head.mojom 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/services/network/public/mojom/url_response_head.mojom 2021-04-30 21:19:25.175854718 +0100 @@ -134,6 +134,12 @@ // https://fetch.spec.whatwg.org/#concept-response-type FetchResponseType response_type = FetchResponseType.kDefault; + // Pre-computed padding. This should only be non-zero when |response_type| + // is set to kOpaque. Note, this is not set by network service, but will be + // populated if the response was provided by a service worker FetchEvent + // handler. + int64 padding = 0; + // The cache name of the CacheStorage from where the response is served via // the ServiceWorker. Empty if the response isn't from the CacheStorage. string cache_storage_cache_name; diff -Naur a/src/3rdparty/chromium/storage/browser/BUILD.gn b/src/3rdparty/chromium/storage/browser/BUILD.gn --- a/src/3rdparty/chromium/storage/browser/BUILD.gn 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/storage/browser/BUILD.gn 2021-04-30 21:19:25.175854718 +0100 @@ -183,8 +183,6 @@ "file_system/watcher_manager.h", "quota/client_usage_tracker.cc", "quota/client_usage_tracker.h", - "quota/padding_key.cc", - "quota/padding_key.h", "quota/quota_callbacks.h", "quota/quota_client.h", "quota/quota_client_type.cc", diff -Naur a/src/3rdparty/chromium/storage/browser/quota/padding_key.cc b/src/3rdparty/chromium/storage/browser/quota/padding_key.cc --- a/src/3rdparty/chromium/storage/browser/quota/padding_key.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/storage/browser/quota/padding_key.cc 1970-01-01 01:00:00.000000000 +0100 @@ -1,87 +0,0 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "storage/browser/quota/padding_key.h" - -#include -#include - -#include "base/no_destructor.h" -#include "crypto/hmac.h" -#include "net/http/http_request_headers.h" - -using crypto::SymmetricKey; - -namespace storage { - -namespace { - -const SymmetricKey::Algorithm kPaddingKeyAlgorithm = SymmetricKey::AES; - -// The range of the padding added to response sizes for opaque resources. -// Increment the CacheStorage padding version if changed. -constexpr uint64_t kPaddingRange = 14431 * 1024; - -std::unique_ptr* GetPaddingKeyInternal() { - static base::NoDestructor> s_padding_key([] { - return SymmetricKey::GenerateRandomKey(kPaddingKeyAlgorithm, 128); - }()); - return s_padding_key.get(); -} - -} // namespace - -const SymmetricKey* GetDefaultPaddingKey() { - return GetPaddingKeyInternal()->get(); -} - -std::unique_ptr CopyDefaultPaddingKey() { - return SymmetricKey::Import(kPaddingKeyAlgorithm, - (*GetPaddingKeyInternal())->key()); -} - -std::unique_ptr DeserializePaddingKey( - const std::string& raw_key) { - return SymmetricKey::Import(kPaddingKeyAlgorithm, raw_key); -} - -std::string SerializeDefaultPaddingKey() { - return (*GetPaddingKeyInternal())->key(); -} - -void ResetPaddingKeyForTesting() { - *GetPaddingKeyInternal() = - SymmetricKey::GenerateRandomKey(kPaddingKeyAlgorithm, 128); -} - -int64_t ComputeResponsePadding(const std::string& response_url, - const crypto::SymmetricKey* padding_key, - bool has_metadata, - bool loaded_with_credentials, - const std::string& request_method) { - DCHECK(!response_url.empty()); - - crypto::HMAC hmac(crypto::HMAC::SHA256); - CHECK(hmac.Init(padding_key)); - - std::string key = response_url; - if (has_metadata) - key += "METADATA"; - if (loaded_with_credentials) - key += "CREDENTIALED"; - - // It should only be possible to have a CORS safelisted method here since - // the spec does not permit other methods for no-cors requests. - DCHECK(request_method == net::HttpRequestHeaders::kGetMethod || - request_method == net::HttpRequestHeaders::kHeadMethod || - request_method == net::HttpRequestHeaders::kPostMethod); - key += request_method; - - uint64_t digest_start; - CHECK(hmac.Sign(key, reinterpret_cast(&digest_start), - sizeof(digest_start))); - return digest_start % kPaddingRange; -} - -} // namespace storage diff -Naur a/src/3rdparty/chromium/storage/browser/quota/padding_key.h b/src/3rdparty/chromium/storage/browser/quota/padding_key.h --- a/src/3rdparty/chromium/storage/browser/quota/padding_key.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/storage/browser/quota/padding_key.h 1970-01-01 01:00:00.000000000 +0100 @@ -1,70 +0,0 @@ -// Copyright 2019 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef STORAGE_BROWSER_QUOTA_PADDING_KEY_H_ -#define STORAGE_BROWSER_QUOTA_PADDING_KEY_H_ - -#include -#include - -#include "base/component_export.h" -#include "crypto/symmetric_key.h" -#include "url/gurl.h" - -namespace storage { - -COMPONENT_EXPORT(STORAGE_BROWSER) -const crypto::SymmetricKey* GetDefaultPaddingKey(); - -// Returns a copy of the default key used to calculate padding sizes. -// -// The default padding key is a singleton object whose value is randomly -// generated the first time it is requested on every browser startup. In -// CacheStorage, when a cache does not have a padding key, it is assigned the -// current default key. -COMPONENT_EXPORT(STORAGE_BROWSER) -std::unique_ptr CopyDefaultPaddingKey(); - -// Builds a key whose value is the given string. -// -// May return null if deserializing fails (e.g. if the raw key is the wrong -// size). -COMPONENT_EXPORT(STORAGE_BROWSER) -std::unique_ptr DeserializePaddingKey( - const std::string& raw_key); - -// Gets the raw value of the default padding key. -// -// Each cache stores the raw value of the key that should be used when -// calculating its padding size. -COMPONENT_EXPORT(STORAGE_BROWSER) -std::string SerializeDefaultPaddingKey(); - -// Resets the default key to a random value. -// -// Simulating a key change across a browser restart lets us test that padding -// calculations are using the appropriate key. -COMPONENT_EXPORT(STORAGE_BROWSER) -void ResetPaddingKeyForTesting(); - -// Computes the padding size for a resource. -// -// For AppCache, which does not support storing metadata for a resource, -// |has_metadata| will always be false. -// -// For CacheStorage, the padding size of an entry depends on whether it contains -// metadata (a.k.a. "side data") and if the response was loaded with -// credentials. If metadata is added to the entry, the entry must be assigned a -// new padding size. Otherwise, the growth in the entry's size would leak the -// exact size of the added metadata. -COMPONENT_EXPORT(STORAGE_BROWSER) -int64_t ComputeResponsePadding(const std::string& response_url, - const crypto::SymmetricKey* padding_key, - bool has_metadata, - bool loaded_with_credentials, - const std::string& request_method); - -} // namespace storage - -#endif // STORAGE_BROWSER_QUOTA_PADDING_KEY_H_ diff -Naur a/src/3rdparty/chromium/storage/common/BUILD.gn b/src/3rdparty/chromium/storage/common/BUILD.gn --- a/src/3rdparty/chromium/storage/common/BUILD.gn 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/storage/common/BUILD.gn 2021-04-30 21:19:25.175854718 +0100 @@ -17,6 +17,8 @@ "file_system/file_system_types.h", "file_system/file_system_util.cc", "file_system/file_system_util.h", + "quota/padding_key.cc", + "quota/padding_key.h", ] # TODO(jschuh): crbug.com/167187 fix size_t to int truncations. diff -Naur a/src/3rdparty/chromium/storage/common/quota/padding_key.cc b/src/3rdparty/chromium/storage/common/quota/padding_key.cc --- a/src/3rdparty/chromium/storage/common/quota/padding_key.cc 1970-01-01 01:00:00.000000000 +0100 +++ b/src/3rdparty/chromium/storage/common/quota/padding_key.cc 2021-04-30 21:19:46.383509887 +0100 @@ -0,0 +1,146 @@ +// Copyright 2019 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "storage/common/quota/padding_key.h" + +#include +#include +#include +#include "base/no_destructor.h" +#include "base/strings/stringprintf.h" +#include "base/time/time.h" +#include "crypto/hmac.h" +#include "crypto/random.h" +#include "crypto/symmetric_key.h" +#include "net/base/registry_controlled_domains/registry_controlled_domain.h" +#include "net/base/url_util.h" +#include "net/http/http_request_headers.h" +#include "services/network/public/mojom/url_response_head.mojom-shared.h" +#include "url/gurl.h" +#include "url/origin.h" +#include "url/url_canon.h" +#include "url/url_constants.h" +#include "url/url_util.h" + +using crypto::SymmetricKey; + +namespace storage { + +namespace { + +const SymmetricKey::Algorithm kPaddingKeyAlgorithm = SymmetricKey::AES; + +// The range of the padding added to response sizes for opaque resources. +// Increment the CacheStorage padding version if changed. +constexpr uint64_t kPaddingRange = 14431 * 1024; + +std::unique_ptr* GetPaddingKeyInternal() { + static base::NoDestructor> s_padding_key([] { + return SymmetricKey::GenerateRandomKey(kPaddingKeyAlgorithm, 128); + }()); + return s_padding_key.get(); +} + +static bool IsStandardSchemeWithNetworkHost(base::StringPiece scheme) { + // file scheme is special. Windows file share origins can have network hosts. + if (scheme == url::kFileScheme) + return true; + + url::SchemeType scheme_type; + if (!url::GetStandardSchemeType( + scheme.data(), url::Component(0, scheme.length()), &scheme_type)) { + return false; + } + return scheme_type == url::SCHEME_WITH_HOST_PORT_AND_USER_INFORMATION || + scheme_type == url::SCHEME_WITH_HOST_AND_PORT; +} + + +static url::Origin SchemefuleSiteReplacement( + const url::Origin& origin) { + // 1. If origin is an opaque origin, then return origin. + if (origin.opaque()) + return origin; + + std::string registerable_domain; + + // Non-normative step. + // We only lookup the registerable domain for schemes with network hosts, this + // is non-normative. Other schemes for non-opaque origins do not + // meaningfully have a registerable domain for their host, so they are + // skipped. + if (IsStandardSchemeWithNetworkHost(origin.scheme())) { + registerable_domain = GetDomainAndRegistry( + origin, net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); + } + + // If origin's host's registrable domain is null, then return (origin's + // scheme, origin's host). + // + // `GetDomainAndRegistry()` returns an empty string for IP literals and + // effective TLDs. + // + // Note that `registerable_domain` could still end up empty, since the + // `origin` might have a scheme that permits empty hostnames, such as "file". + bool used_registerable_domain = !registerable_domain.empty(); + if (!used_registerable_domain) + registerable_domain = origin.host(); + + int port = url::DefaultPortForScheme(origin.scheme().c_str(), + origin.scheme().length()); + + // Provide a default port of 0 for non-standard schemes. + if (port == url::PORT_UNSPECIFIED) + port = 0; + + return url::Origin::CreateFromNormalizedTuple(origin.scheme(), + registerable_domain, port); +} + +} // namespace + +bool ShouldPadResponseType(network::mojom::FetchResponseType type) { + return type == network::mojom::FetchResponseType::kOpaque || + type == network::mojom::FetchResponseType::kOpaqueRedirect; +} + +int64_t ComputeRandomResponsePadding() { + uint64_t raw_random = 0; + crypto::RandBytes(&raw_random, sizeof(uint64_t)); + return raw_random % kPaddingRange; +} + +int64_t ComputeStableResponsePadding(const url::Origin& origin, + const std::string& response_url, + const base::Time& response_time, + const std::string& request_method, + int64_t side_data_size) { + DCHECK(!response_url.empty()); + + url::Origin site = SchemefuleSiteReplacement(origin); + + DCHECK_GT(response_time, base::Time::UnixEpoch()); + int64_t microseconds = + (response_time - base::Time::UnixEpoch()).InMicroseconds(); + + // It should only be possible to have a CORS safelisted method here since + // the spec does not permit other methods for no-cors requests. + DCHECK(request_method == net::HttpRequestHeaders::kGetMethod || + request_method == net::HttpRequestHeaders::kHeadMethod || + request_method == net::HttpRequestHeaders::kPostMethod); + + std::string key = base::StringPrintf( + "%s-%" PRId64 "-%s-%s-%" PRId64, response_url.c_str(), microseconds, + site.Serialize().c_str(), request_method.c_str(), side_data_size); + + crypto::HMAC hmac(crypto::HMAC::SHA256); + CHECK(hmac.Init(GetPaddingKeyInternal()->get())); + + uint64_t digest_start = 0; + CHECK(hmac.Sign(key, reinterpret_cast(&digest_start), + sizeof(digest_start))); + return digest_start % kPaddingRange; +} + +} // namespace storage diff -Naur a/src/3rdparty/chromium/storage/common/quota/padding_key.h b/src/3rdparty/chromium/storage/common/quota/padding_key.h --- a/src/3rdparty/chromium/storage/common/quota/padding_key.h 1970-01-01 01:00:00.000000000 +0100 +++ b/src/3rdparty/chromium/storage/common/quota/padding_key.h 2021-04-30 21:19:46.383509887 +0100 @@ -0,0 +1,51 @@ +// Copyright 2019 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef STORAGE_COMMON_QUOTA_PADDING_KEY_H_ +#define STORAGE_COMMON_QUOTA_PADDING_KEY_H_ + +#include +#include + +#include "base/component_export.h" +#include "services/network/public/mojom/url_response_head.mojom-shared.h" +#include "url/gurl.h" + +namespace base { +class Time; +} // namespace base + +namespace url { +class Origin; +} // namespace url + +namespace storage { + +// Utility method to determine if a given type of response should be padded. +COMPONENT_EXPORT(STORAGE_COMMON) +bool ShouldPadResponseType(network::mojom::FetchResponseType type); + +// Compute a purely random padding size for a resource. A random padding is +// preferred except in cases where a site could rapidly trigger a large number +// of padded values for the same resource; e.g. from http cache. +COMPONENT_EXPORT(STORAGE_COMMON) +int64_t ComputeRandomResponsePadding(); + +// Compute a stable padding value for a resource. This should be used for +// cases where a site could trigger a large number of padding values to be +// generated for the same resource; e.g. http cache. The |origin| is the +// origin of the context that loaded the resource. Note, its important that the +// |response_time| be the time stored in the cache and not just the current +// time. The |side_data_size| should only be passed if padding is being +// computed for a side data blob. +COMPONENT_EXPORT(STORAGE_COMMON) +int64_t ComputeStableResponsePadding(const url::Origin& origin, + const std::string& response_url, + const base::Time& response_time, + const std::string& request_method, + int64_t side_data_size = 0); + +} // namespace storage + +#endif // STORAGE_COMMON_QUOTA_PADDING_KEY_H_ diff -Naur a/src/3rdparty/chromium/third_party/angle/src/libANGLE/angletypes.h b/src/3rdparty/chromium/third_party/angle/src/libANGLE/angletypes.h --- a/src/3rdparty/chromium/third_party/angle/src/libANGLE/angletypes.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/angle/src/libANGLE/angletypes.h 2021-04-30 21:25:18.485535817 +0100 @@ -74,7 +74,7 @@ bool operator==(const Rectangle &a, const Rectangle &b); bool operator!=(const Rectangle &a, const Rectangle &b); -bool ClipRectangle(const Rectangle &source, const Rectangle &clip, Rectangle *intersection); +ANGLE_NO_DISCARD bool ClipRectangle(const Rectangle &source, const Rectangle &clip, Rectangle *intersection); struct Offset { diff -Naur a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp --- a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/d3d/d3d11/Blit11.cpp 2021-04-30 21:25:18.485535817 +0100 @@ -141,7 +141,10 @@ uint8_t *destData) { gl::Rectangle clippedDestArea(destArea.x, destArea.y, destArea.width, destArea.height); - gl::ClipRectangle(clippedDestArea, clipRect, &clippedDestArea); + if (!gl::ClipRectangle(clippedDestArea, clipRect, &clippedDestArea)) + { + return; + } // Determine if entire rows can be copied at once instead of each individual pixel. There // must be no out of bounds lookups, whole rows copies, and no scale. diff -Naur a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp --- a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/FramebufferGL.cpp 2021-04-30 21:25:18.486537548 +0100 @@ -1117,7 +1117,10 @@ // If pixels lying outside the read framebuffer, adjust src region // and dst region to appropriate in-bounds regions respectively. gl::Rectangle realSourceRegion; - ClipRectangle(bounds.sourceRegion, bounds.sourceBounds, &realSourceRegion); + if (!ClipRectangle(bounds.sourceRegion, bounds.sourceBounds, &realSourceRegion)) + { + return angle::Result::Stop; + } GLuint xOffset = realSourceRegion.x - bounds.sourceRegion.x; GLuint yOffset = realSourceRegion.y - bounds.sourceRegion.y; diff -Naur a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm --- a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/metal/ContextMtl.mm 2021-04-30 21:25:18.486537548 +0100 @@ -1362,7 +1362,10 @@ // Clip the render area to the viewport. gl::Rectangle viewportClippedRenderArea; - gl::ClipRectangle(renderArea, glState.getViewport(), &viewportClippedRenderArea); + if (!gl::ClipRectangle(renderArea, glState.getViewport(), &viewportClippedRenderArea)) + { + viewportClippedRenderArea = gl::Rectangle(); + } gl::Rectangle scissoredArea = ClipRectToScissor(getState(), viewportClippedRenderArea, false); if (framebufferMtl->flipY()) diff -Naur a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp --- a/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/ContextVk.cpp 2021-04-30 21:25:18.486537548 +0100 @@ -2824,8 +2824,11 @@ // Clip the render area to the viewport. gl::Rectangle viewportClippedRenderArea; - gl::ClipRectangle(renderArea, getCorrectedViewport(glState.getViewport()), - &viewportClippedRenderArea); + if (!gl::ClipRectangle(renderArea, getCorrectedViewport(glState.getViewport()), + &viewportClippedRenderArea)) + { + viewportClippedRenderArea = gl::Rectangle(); + } gl::Rectangle scissoredArea = ClipRectToScissor(getState(), viewportClippedRenderArea, false); gl::Rectangle rotatedScissoredArea; diff -Naur a/src/3rdparty/chromium/third_party/blink/public/mojom/fetch/fetch_api_response.mojom b/src/3rdparty/chromium/third_party/blink/public/mojom/fetch/fetch_api_response.mojom --- a/src/3rdparty/chromium/third_party/blink/public/mojom/fetch/fetch_api_response.mojom 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/public/mojom/fetch/fetch_api_response.mojom 2021-04-30 21:20:05.693885817 +0100 @@ -36,6 +36,10 @@ network.mojom.FetchResponseType response_type = network.mojom.FetchResponseType.kDefault; + // Pre-computed padding for this response. This should only be non-zero + // for when |response_type| is kOpaque. + int64 padding = 0; + // The source of this response, e.g. network, CacheStorage. network.mojom.FetchResponseSource response_source = network.mojom.FetchResponseSource.kUnspecified; @@ -89,19 +93,6 @@ // ALPN negotiated protocol of the socket which fetched this resource. string alpn_negotiated_protocol = "unknown"; - // True if the response was loaded with a Request where the credentials mode - // would potentially send cookies to the server: - // - // https://fetch.spec.whatwg.org/#requestcredentials - // - // For example, if RequestCredentials is 'include' this field will be true. - // If RequestCredentials is 'same-origin', but the Response was loaded - // cross-origin then this field will be false. - // - // This field may be true even if there were no cookies actually available - // to send. - bool loaded_with_credentials = false; - // True if the response was originally loaded via a request fetched over a // SPDY channel. bool was_fetched_via_spdy = false; diff -Naur a/src/3rdparty/chromium/third_party/blink/public/platform/web_url_response.h b/src/3rdparty/chromium/third_party/blink/public/platform/web_url_response.h --- a/src/3rdparty/chromium/third_party/blink/public/platform/web_url_response.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/public/platform/web_url_response.h 2021-04-30 21:19:25.175854718 +0100 @@ -264,6 +264,12 @@ BLINK_PLATFORM_EXPORT void SetType(network::mojom::FetchResponseType); BLINK_PLATFORM_EXPORT network::mojom::FetchResponseType GetType() const; + // Pre-computed padding. This should only be non-zero if the type is + // kOpaque. In addition, it is only set for responses provided by a + // service worker FetchEvent handler. + BLINK_PLATFORM_EXPORT void SetPadding(int64_t); + BLINK_PLATFORM_EXPORT int64_t GetPadding() const; + // The URL list of the Response object the ServiceWorker passed to // respondWith(). See // network::ResourceResponseInfo::url_list_via_service_worker for details. diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/animation/css_interpolation_types_map.cc 2021-04-30 21:13:28.150774858 +0100 @@ -83,28 +83,22 @@ DEFINE_STATIC_LOCAL(ApplicableTypesMap, all_applicable_types_map, ()); DEFINE_STATIC_LOCAL(ApplicableTypesMap, composited_applicable_types_map, ()); - ApplicableTypesMap& applicable_types_map = - allow_all_animations_ ? all_applicable_types_map - : composited_applicable_types_map; - - auto entry = applicable_types_map.find(property); - bool found_entry = entry != applicable_types_map.end(); - // Custom property interpolation types may change over time so don't trust the - // applicableTypesMap without checking the registry. + // applicable_types_map without checking the registry. Also since the static + // map is shared between documents, the registered type may be different in + // the different documents. if (registry_ && property.IsCSSCustomProperty()) { - const auto* registration = GetRegistration(registry_, property); - if (registration) { - if (found_entry) { - applicable_types_map.erase(entry); - } + if (const auto* registration = GetRegistration(registry_, property)) return registration->GetInterpolationTypes(); - } } - if (found_entry) { + ApplicableTypesMap& applicable_types_map = + allow_all_animations_ ? all_applicable_types_map + : composited_applicable_types_map; + + auto entry = applicable_types_map.find(property); + if (entry != applicable_types_map.end()) return *entry->value; - } std::unique_ptr applicable_types = std::make_unique(); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/BUILD.gn b/src/3rdparty/chromium/third_party/blink/renderer/core/BUILD.gn --- a/src/3rdparty/chromium/third_party/blink/renderer/core/BUILD.gn 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/BUILD.gn 2021-04-30 21:19:25.175854718 +0100 @@ -199,6 +199,7 @@ ] deps = [ "//components/paint_preview/common", + "//storage/common", "//third_party/blink/public/common", "//third_party/blink/renderer/platform", "//third_party/blink/renderer/platform/wtf", diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/DEPS b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/DEPS --- a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/DEPS 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/DEPS 2021-04-30 21:19:25.175854718 +0100 @@ -9,6 +9,7 @@ "+net/http/http_response_info.h", "+services/network/public/cpp", "+services/network/public/mojom", + "+storage/common/quota/padding_key.h", "+url/gurl.h", ] diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_manager.cc 2021-04-30 21:19:25.175854718 +0100 @@ -423,16 +423,21 @@ FetchResponseData* response_data = FetchResponseData::CreateWithBuffer( BodyStreamBuffer::Create(script_state, place_holder_body_, signal_)); - response_data->InitFromResourceResponse( - url_list_, fetch_request_data_->Method(), - fetch_request_data_->Credentials(), tainting, response); - - FetchResponseData* tainted_response = nullptr; - DCHECK(!(network_utils::IsRedirectResponseCode(response_http_status_code_) && HasNonEmptyLocationHeader(response_data->HeaderList()) && fetch_request_data_->Redirect() != RedirectMode::kManual)); + auto response_type = response.GetType(); + if (network_utils::IsRedirectResponseCode(response_http_status_code_) && + fetch_request_data_->Redirect() == RedirectMode::kManual) + response_type = network::mojom::FetchResponseType::kOpaqueRedirect; + + response_data->InitFromResourceResponse( + execution_context_, response_type, url_list_, + fetch_request_data_->Method(), fetch_request_data_->Credentials(), + tainting, response); + + FetchResponseData* tainted_response = nullptr; if (network_utils::IsRedirectResponseCode(response_http_status_code_) && fetch_request_data_->Redirect() == RedirectMode::kManual) { tainted_response = response_data->CreateOpaqueRedirectFilteredResponse(); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.cc 2021-04-30 21:20:05.693885817 +0100 @@ -4,6 +4,7 @@ #include "third_party/blink/renderer/core/fetch/fetch_response_data.h" +#include "storage/common/quota/padding_key.h" #include "third_party/blink/public/mojom/fetch/fetch_api_response.mojom-blink.h" #include "third_party/blink/renderer/core/fetch/fetch_header_list.h" #include "third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h" @@ -188,6 +189,7 @@ ExceptionState& exception_state) { FetchResponseData* new_response = Create(); new_response->type_ = type_; + new_response->padding_ = padding_; new_response->response_source_ = response_source_; if (termination_reason_) { new_response->termination_reason_ = std::make_unique(); @@ -204,7 +206,6 @@ new_response->cors_exposed_header_names_ = cors_exposed_header_names_; new_response->connection_info_ = connection_info_; new_response->alpn_negotiated_protocol_ = alpn_negotiated_protocol_; - new_response->loaded_with_credentials_ = loaded_with_credentials_; new_response->was_fetched_via_spdy_ = was_fetched_via_spdy_; new_response->has_range_requested_ = has_range_requested_; @@ -269,6 +270,7 @@ response->status_code = status_; response->status_text = status_message_; response->response_type = type_; + response->padding = padding_; response->response_source = response_source_; response->mime_type = mime_type_; response->request_method = request_method_; @@ -278,7 +280,6 @@ HeaderSetToVector(cors_exposed_header_names_); response->connection_info = connection_info_; response->alpn_negotiated_protocol = alpn_negotiated_protocol_; - response->loaded_with_credentials = loaded_with_credentials_; response->was_fetched_via_spdy = was_fetched_via_spdy_; response->has_range_requested = has_range_requested_; for (const auto& header : HeaderList()->List()) @@ -289,6 +290,8 @@ } void FetchResponseData::InitFromResourceResponse( + ExecutionContext* context, + network::mojom::FetchResponseType response_type, const Vector& request_url_list, const AtomicString& request_method, network::mojom::CredentialsMode request_credentials, @@ -339,14 +342,23 @@ SetWasFetchedViaSpdy(response.WasFetchedViaSPDY()); - // TODO(wanderview): Remove |tainting| and use |response.GetType()| - // instead once the OOR-CORS disabled path is removed. - SetLoadedWithCredentials( - request_credentials == network::mojom::CredentialsMode::kInclude || - (request_credentials == network::mojom::CredentialsMode::kSameOrigin && - tainting == FetchRequestData::kBasicTainting)); - SetHasRangeRequested(response.HasRangeRequested()); + + // Use the explicit padding in the response provided by a service worker + // or compute a new padding if necessary. + if (response.GetPadding()) { + SetPadding(response.GetPadding()); + } else { + if (storage::ShouldPadResponseType(response_type)) { + int64_t padding = response.WasCached() + ? storage::ComputeStableResponsePadding( + context->GetSecurityOrigin()->ToUrlOrigin(), + Url()->GetString().Utf8(), ResponseTime(), + request_method.Utf8()) + : storage::ComputeRandomResponsePadding(); + SetPadding(padding); + } + } } FetchResponseData::FetchResponseData(Type type, @@ -354,6 +366,7 @@ uint16_t status, AtomicString status_message) : type_(type), + padding_(0), response_source_(source), status_(status), status_message_(status_message), @@ -361,7 +374,6 @@ response_time_(base::Time::Now()), connection_info_(net::HttpResponseInfo::CONNECTION_INFO_UNKNOWN), alpn_negotiated_protocol_("unknown"), - loaded_with_credentials_(false), was_fetched_via_spdy_(false), has_range_requested_(false) {} diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.h b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.h --- a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/fetch_response_data.h 2021-04-30 21:20:05.693885817 +0100 @@ -85,6 +85,8 @@ } bool HasRangeRequested() const { return has_range_requested_; } + int64_t GetPadding() const { return padding_; } + void SetPadding(int64_t padding) { padding_ = padding; } void SetResponseSource(network::mojom::FetchResponseSource response_source) { response_source_ = response_source; } @@ -116,9 +118,6 @@ void SetAlpnNegotiatedProtocol(AtomicString alpn_negotiated_protocol) { alpn_negotiated_protocol_ = alpn_negotiated_protocol; } - void SetLoadedWithCredentials(bool loaded_with_credentials) { - loaded_with_credentials_ = loaded_with_credentials; - } void SetWasFetchedViaSpdy(bool was_fetched_via_spdy) { was_fetched_via_spdy_ = was_fetched_via_spdy; } @@ -138,6 +137,8 @@ // Initialize non-body data from the given |response|. void InitFromResourceResponse( + ExecutionContext* context, + network::mojom::FetchResponseType response_type, const Vector& request_url_list, const AtomicString& request_method, network::mojom::CredentialsMode request_credentials, @@ -148,6 +149,7 @@ private: network::mojom::FetchResponseType type_; + int64_t padding_; network::mojom::FetchResponseSource response_source_; std::unique_ptr termination_reason_; Vector url_list_; @@ -163,7 +165,6 @@ HTTPHeaderSet cors_exposed_header_names_; net::HttpResponseInfo::ConnectionInfo connection_info_; AtomicString alpn_negotiated_protocol_; - bool loaded_with_credentials_; bool was_fetched_via_spdy_; bool has_range_requested_; diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/response.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/response.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/response.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/fetch/response.cc 2021-04-30 21:20:05.694887549 +0100 @@ -374,6 +374,7 @@ else response = FetchResponseData::CreateNetworkErrorResponse(); + response->SetPadding(fetch_api_response.padding); response->SetResponseSource(fetch_api_response.response_source); response->SetURLList(fetch_api_response.url_list); response->SetStatus(fetch_api_response.status_code); @@ -386,8 +387,6 @@ response->SetConnectionInfo(fetch_api_response.connection_info); response->SetAlpnNegotiatedProtocol( WTF::AtomicString(fetch_api_response.alpn_negotiated_protocol)); - response->SetLoadedWithCredentials( - fetch_api_response.loaded_with_credentials); response->SetWasFetchedViaSpdy(fetch_api_response.was_fetched_via_spdy); response->SetHasRangeRequested(fetch_api_response.has_range_requested); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/frame/local_frame_view.cc 2021-04-30 20:09:39.234077417 +0100 @@ -2766,11 +2766,14 @@ for (PaintLayerScrollableArea* area : *animating_scrollable_areas) area->UpdateCompositorScrollAnimations(); } - frame_view.GetLayoutView() - ->GetDocument() - .GetDocumentAnimations() - .UpdateAnimations(DocumentLifecycle::kPaintClean, - paint_artifact_compositor_.get()); + { + ScriptForbiddenScope forbid_script; + frame_view.GetLayoutView() + ->GetDocument() + .GetDocumentAnimations() + .UpdateAnimations(DocumentLifecycle::kPaintClean, + paint_artifact_compositor_.get()); + } }); // Initialize animation properties in the newly created paint property diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/src/3rdparty/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc 2021-04-30 21:16:34.639100084 +0100 @@ -122,12 +122,6 @@ ResourceLoaderOptions options(&modulator_->GetScriptState()->World()); - // If destination is "worker" or "sharedworker" and the - // top-level module fetch flag is set, then set request's mode to - // "same-origin". - // Cross-origin workers are not supported due to security checks in - // AbstractWorker::ResolveURL, so no action needs to be taken here. - // Set up the module script request given request and // options. // @@ -178,6 +172,26 @@ fetch_client_settings_object.GetSecurityOrigin(), options_.CredentialsMode()); + // If destination is "worker" or "sharedworker" and the + // top-level module fetch flag is set, then set request's mode to + // "same-origin". + // + // `kServiceWorker` is included here for consistency, while it isn't mentioned + // in the spec. This doesn't affect the behavior, because we already forbid + // redirects and cross-origin response URLs in other places. + if ((module_request.Destination() == + network::mojom::RequestDestination::kWorker || + module_request.Destination() == + network::mojom::RequestDestination::kSharedWorker || + module_request.Destination() == + network::mojom::RequestDestination::kServiceWorker) && + level == ModuleGraphLevel::kTopLevelModuleFetch) { + // This should be done after SetCrossOriginAccessControl() that sets the + // mode to kCors. + fetch_params.MutableResourceRequest().SetMode( + network::mojom::RequestMode::kSameOrigin); + } + // ... referrer is referrer, ... fetch_params.MutableResourceRequest().SetReferrerString( module_request.ReferrerString()); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/core/scroll/scroll_animator_mac.mm b/src/3rdparty/chromium/third_party/blink/renderer/core/scroll/scroll_animator_mac.mm --- a/src/3rdparty/chromium/third_party/blink/renderer/core/scroll/scroll_animator_mac.mm 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/core/scroll/scroll_animator_mac.mm 2021-04-30 21:13:46.598660068 +0100 @@ -327,6 +327,11 @@ double fraction = delta / duration_; fraction = clampTo(fraction, 0.0, 1.0); double progress = timing_function_->Evaluate(fraction); + // In some scenarios, animation_ gets released during the call to + // setCurrentProgress. Because BlinkScrollbarPartAnimationTimer is a + // member variable of BlinkScrollbarPartAnimation animation_ the timer + // gets freed at the same time with animation_. In that case, it will + // not be safe to call any other code after animation_ setCurrentProgress. [animation_ setCurrentProgress:progress]; } @@ -401,6 +406,10 @@ - (void)setCurrentProgress:(NSAnimationProgress)progress { DCHECK(_scrollbar); + // In some scenarios, BlinkScrollbarPartAnimation is released in the middle + // of this method by _scrollbarPainter. This is why we have to retain the self + // pointer when we run this method. + [self retain]; CGFloat currentValue; if (_startValue > _endValue) @@ -427,7 +436,13 @@ break; } - _scrollbar->SetNeedsPaintInvalidation(invalidParts); + // Before BlinkScrollbarPartAnimation is released by _scrollbarPainter, + // invalidate is called and _scrollbar is set to nullptr. Check to see + // if _scrollbar is non-null before calling SetNeedsPaintInvalidation. + if (_scrollbar) + _scrollbar->SetNeedsPaintInvalidation(invalidParts); + + [self release]; } - (void)invalidate { diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/modules/service_worker/fetch_event.cc b/src/3rdparty/chromium/third_party/blink/renderer/modules/service_worker/fetch_event.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/modules/service_worker/fetch_event.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/modules/service_worker/fetch_event.cc 2021-04-30 21:19:25.176856449 +0100 @@ -158,13 +158,19 @@ Vector url_list(1); url_list[0] = preload_response_->CurrentRequestUrl(); + auto response_type = + network_utils::IsRedirectResponseCode(preload_response_->HttpStatusCode()) + ? network::mojom::FetchResponseType::kOpaqueRedirect + : network::mojom::FetchResponseType::kBasic; + response_data->InitFromResourceResponse( - url_list, http_names::kGET, network::mojom::CredentialsMode::kInclude, + ExecutionContext::From(script_state), response_type, url_list, + http_names::kGET, network::mojom::CredentialsMode::kInclude, FetchRequestData::kBasicTainting, preload_response_->ToResourceResponse()); FetchResponseData* tainted_response = - network_utils::IsRedirectResponseCode(preload_response_->HttpStatusCode()) + response_type == network::mojom::FetchResponseType::kOpaqueRedirect ? response_data->CreateOpaqueRedirectFilteredResponse() : response_data->CreateBasicFilteredResponse(); preload_response_property_->Resolve( diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc b/src/3rdparty/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/modules/webmidi/midi_dispatcher.cc 2021-04-30 21:14:54.318706961 +0100 @@ -101,8 +101,13 @@ void MIDIDispatcher::SessionStarted(midi::mojom::blink::Result result) { TRACE_EVENT0("midi", "MIDIDispatcher::OnSessionStarted"); + // We always have a valid instance in `client_` in the production code, but + // just in case to be robust for mojo injections and code changes in the + // future. Other methods protect accesses to `client_` by `initialized_` flag + // that is set below. + SECURITY_CHECK(client_); + DCHECK(!initialized_); - DCHECK(client_); initialized_ = true; if (result == midi::mojom::blink::Result::OK) { diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/exported/web_url_response.cc b/src/3rdparty/chromium/third_party/blink/renderer/platform/exported/web_url_response.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/exported/web_url_response.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/exported/web_url_response.cc 2021-04-30 21:19:25.176856449 +0100 @@ -374,6 +374,13 @@ return resource_response_->GetType(); } +void WebURLResponse::SetPadding(int64_t padding) { + resource_response_->SetPadding(padding); +} +int64_t WebURLResponse::GetPadding() const { + return resource_response_->GetPadding(); +} + void WebURLResponse::SetUrlListViaServiceWorker( const WebVector& url_list_via_service_worker) { Vector url_list(url_list_via_service_worker.size()); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/loader/fetch/resource_response.h b/src/3rdparty/chromium/third_party/blink/renderer/platform/loader/fetch/resource_response.h --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/loader/fetch/resource_response.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/loader/fetch/resource_response.h 2021-04-30 21:19:25.176856449 +0100 @@ -358,6 +358,9 @@ // https://html.spec.whatwg.org/C/#cors-cross-origin bool IsCorsCrossOrigin() const; + int64_t GetPadding() const { return padding_; } + void SetPadding(int64_t padding) { padding_ = padding; } + // See network::ResourceResponseInfo::url_list_via_service_worker. const Vector& UrlListViaServiceWorker() const { return url_list_via_service_worker_; @@ -597,6 +600,11 @@ network::mojom::FetchResponseType response_type_ = network::mojom::FetchResponseType::kDefault; + // Pre-computed padding. This should only be non-zero if |response_type| is + // set to kOpaque. In addition, it is only set if the response was provided + // by a service worker FetchEvent handler. + int64_t padding_ = 0; + // HTTP version used in the response, if known. HTTPVersion http_version_ = kHTTPVersionUnknown; diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier.cc b/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier.cc 2021-04-30 21:15:14.791091301 +0100 @@ -395,8 +395,14 @@ // If any observers were removed during the iteration they will have // 0 values, clean them up. - for (wtf_size_t i = 0; i < list->zeroed_observers.size(); ++i) - list->observers.EraseAt(list->zeroed_observers[i]); + std::sort(list->zeroed_observers.begin(), list->zeroed_observers.end()); + int removed = 0; + for (wtf_size_t i = 0; i < list->zeroed_observers.size(); ++i) { + int index_to_remove = list->zeroed_observers[i] - removed; + DCHECK_EQ(nullptr, list->observers[index_to_remove]); + list->observers.EraseAt(index_to_remove); + removed += 1; + } list->zeroed_observers.clear(); diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier_test.cc b/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier_test.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier_test.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/network/network_state_notifier_test.cc 2021-04-30 21:15:14.791091301 +0100 @@ -528,6 +528,53 @@ kUnknownThroughputMbps, SaveData::kOff)); } +// It should be safe to remove multiple observers in one iteration. +TEST_F(NetworkStateNotifierTest, RemoveMultipleObserversWhileNotifying) { + StateObserver observer1, observer2, observer3; + std::unique_ptr handle1 = + notifier_.AddConnectionObserver(&observer1, GetTaskRunner()); + std::unique_ptr handle2 = + notifier_.AddConnectionObserver(&observer2, GetTaskRunner()); + std::unique_ptr handle3 = + notifier_.AddConnectionObserver(&observer3, GetTaskRunner()); + observer1.RemoveObserverOnNotification(std::move(handle1)); + observer3.RemoveObserverOnNotification(std::move(handle3)); + + // Running the first time should delete observers 1 and 3. + SetConnection(kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, + kUnknownRtt, kUnknownThroughputMbps, SaveData::kOff); + EXPECT_TRUE(VerifyObservations( + observer1, kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); + EXPECT_TRUE(VerifyObservations( + observer2, kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); + EXPECT_TRUE(VerifyObservations( + observer3, kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); + + // Run again and only observer 2 should have been updated. + SetConnection(kWebConnectionTypeEthernet, kEthernetMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, + kUnknownRtt, kUnknownThroughputMbps, SaveData::kOff); + EXPECT_TRUE(VerifyObservations( + observer1, kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); + EXPECT_TRUE(VerifyObservations( + observer2, kWebConnectionTypeEthernet, kEthernetMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); + EXPECT_TRUE(VerifyObservations( + observer3, kWebConnectionTypeBluetooth, kBluetoothMaxBandwidthMbps, + WebEffectiveConnectionType::kTypeUnknown, kUnknownRtt, kUnknownRtt, + kUnknownThroughputMbps, SaveData::kOff)); +} + TEST_F(NetworkStateNotifierTest, MultipleContextsAddObserver) { StateObserver observer1, observer2; std::unique_ptr handle1 = diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc b/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc 2021-04-30 20:10:44.929638395 +0100 @@ -143,7 +143,8 @@ domain_(host_), port_(IsDefaultPortForProtocol(url.Port(), protocol_) ? kInvalidPort : url.Port()), - effective_port_(port_ ? port_ : DefaultPortForProtocol(protocol_)) { + effective_port_(port_ ? port_ : DefaultPortForProtocol(protocol_)), + full_url_(url.Copy()) { DCHECK(!ShouldTreatAsOpaqueOrigin(url)); // NOTE(juvaldma)(Chromium 67.0.3396.47) @@ -193,7 +194,8 @@ agent_cluster_id_(other->agent_cluster_id_), precursor_origin_(other->precursor_origin_ ? other->precursor_origin_->IsolatedCopy() - : nullptr) {} + : nullptr), + full_url_(other->full_url_.Copy()) {} SecurityOrigin::SecurityOrigin(const SecurityOrigin* other, ConstructSameThreadCopy) @@ -212,7 +214,8 @@ other->is_opaque_origin_potentially_trustworthy_), cross_agent_cluster_access_(other->cross_agent_cluster_access_), agent_cluster_id_(other->agent_cluster_id_), - precursor_origin_(other->precursor_origin_) {} + precursor_origin_(other->precursor_origin_), + full_url_(other->full_url_.Copy()) {} scoped_refptr SecurityOrigin::CreateWithReferenceOrigin( const KURL& url, @@ -281,6 +284,7 @@ url::Origin::Nonce(*nonce_if_opaque), tuple_origin.get())); } CHECK(tuple_origin); + tuple_origin->full_url_ = KURL(origin.GetFullURL()); return tuple_origin; } @@ -297,6 +301,7 @@ } url::Origin result = url::Origin::CreateFromNormalizedTuple( std::move(scheme), std::move(host), port); + result.SetFullURL(full_url_); CHECK(!result.opaque()); return result; } diff -Naur a/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.h b/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.h --- a/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/renderer/platform/weborigin/security_origin.h 2021-04-30 20:10:44.929638395 +0100 @@ -35,6 +35,7 @@ #include "base/gtest_prod_util.h" #include "base/macros.h" #include "third_party/blink/renderer/platform/platform_export.h" +#include "third_party/blink/renderer/platform/weborigin/kurl.h" #include "third_party/blink/renderer/platform/wtf/allocator/allocator.h" #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h" #include "third_party/blink/renderer/platform/wtf/thread_safe_ref_counted.h" @@ -424,6 +425,8 @@ // origin is derived. const scoped_refptr precursor_origin_; + KURL full_url_; + DISALLOW_COPY_AND_ASSIGN(SecurityOrigin); }; diff -Naur a/src/3rdparty/chromium/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py b/src/3rdparty/chromium/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py --- a/src/3rdparty/chromium/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py 2021-04-30 21:19:25.176856449 +0100 @@ -1172,6 +1172,15 @@ 'allowed': ['net::RequestPriority'], }, { + 'paths': + ['third_party/blink/renderer/core/fetch/fetch_response_data.cc'], + 'allowed': [ + 'storage::ComputeRandomResponsePadding', + 'storage::ComputeStableResponsePadding', + 'storage::ShouldPadResponseType' + ], + }, + { 'paths': ['third_party/blink/renderer/core/frame/local_frame_view.cc'], 'allowed': ['cc::frame_viewer_instrumentation::IsTracingLayerTreeSnapshots'], diff -Naur a/src/3rdparty/chromium/third_party/skia/src/core/SkScalerContext.cpp b/src/3rdparty/chromium/third_party/skia/src/core/SkScalerContext.cpp --- a/src/3rdparty/chromium/third_party/skia/src/core/SkScalerContext.cpp 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/skia/src/core/SkScalerContext.cpp 2021-04-30 21:17:25.854620657 +0100 @@ -541,41 +541,39 @@ } void SkScalerContext::getImage(const SkGlyph& origGlyph) { - const SkGlyph* glyph = &origGlyph; + const SkGlyph* unfilteredGlyph = &origGlyph; SkGlyph tmpGlyph{origGlyph.getPackedID()}; // in case we need to call generateImage on a mask-format that is different // (i.e. larger) than what our caller allocated by looking at origGlyph. SkAutoMalloc tmpGlyphImageStorage; - if (fMaskFilter) { // restore the prefilter bounds - + if (fMaskFilter) { // need the original bounds, sans our maskfilter sk_sp mf = std::move(fMaskFilter); this->getMetrics(&tmpGlyph); fMaskFilter = std::move(mf); - // we need the prefilter bounds to be <= filter bounds - SkASSERT(tmpGlyph.fWidth <= origGlyph.fWidth); - SkASSERT(tmpGlyph.fHeight <= origGlyph.fHeight); - - if (tmpGlyph.fMaskFormat == origGlyph.fMaskFormat) { + // Use the origGlyph storage for the temporary unfiltered mask if it will fit. + if (tmpGlyph.fMaskFormat == origGlyph.fMaskFormat && + tmpGlyph.imageSize() <= origGlyph.imageSize()) + { tmpGlyph.fImage = origGlyph.fImage; } else { tmpGlyphImageStorage.reset(tmpGlyph.imageSize()); tmpGlyph.fImage = tmpGlyphImageStorage.get(); } - glyph = &tmpGlyph; + unfilteredGlyph = &tmpGlyph; } if (!fGenerateImageFromPath) { - generateImage(*glyph); + generateImage(*unfilteredGlyph); } else { SkPath devPath; - SkMask mask = glyph->mask(); + SkMask mask = unfilteredGlyph->mask(); - if (!this->internalGetPath(glyph->getPackedID(), &devPath)) { - generateImage(*glyph); + if (!this->internalGetPath(unfilteredGlyph->getPackedID(), &devPath)) { + generateImage(*unfilteredGlyph); } else { SkASSERT(SkMask::kARGB32_Format != origGlyph.fMaskFormat); SkASSERT(SkMask::kARGB32_Format != mask.fFormat); @@ -587,39 +585,98 @@ } if (fMaskFilter) { - // the src glyph image shouldn't be 3D - SkASSERT(SkMask::k3D_Format != glyph->fMaskFormat); + // k3D_Format should not be mask filtered. + SkASSERT(SkMask::k3D_Format != unfilteredGlyph->fMaskFormat); + + SkMask filteredMask; + SkMask srcMask; + SkMatrix m; + fRec.getMatrixFrom2x2(&m); + + if (as_MFB(fMaskFilter)->filterMask(&filteredMask, unfilteredGlyph->mask(), m, nullptr)) { + // Filter succeeded; filteredMask.fImage was allocated. + srcMask = filteredMask; + } else if (unfilteredGlyph->fImage == tmpGlyphImageStorage.get()) { + // Filter did nothing; unfiltered mask is independent of origGlyph.fImage. + srcMask = unfilteredGlyph->mask(); + } else if (origGlyph.iRect() == unfilteredGlyph->iRect()) { + // Filter did nothing; the unfiltered mask is in origGlyph.fImage and matches. + return; + } else { + // Filter did nothing; the unfiltered mask is in origGlyph.fImage and conflicts. + srcMask = unfilteredGlyph->mask(); + size_t imageSize = unfilteredGlyph->imageSize(); + tmpGlyphImageStorage.reset(imageSize); + srcMask.fImage = static_cast(tmpGlyphImageStorage.get()); + memcpy(srcMask.fImage, unfilteredGlyph->fImage, imageSize); + } + + SkASSERT_RELEASE(srcMask.fFormat == origGlyph.fMaskFormat); + SkMask dstMask = origGlyph.mask(); + SkIRect origBounds = dstMask.fBounds; + + // Find the intersection of src and dst while updating the fImages. + if (srcMask.fBounds.fTop < dstMask.fBounds.fTop) { + int32_t topDiff = dstMask.fBounds.fTop - srcMask.fBounds.fTop; + srcMask.fImage += srcMask.fRowBytes * topDiff; + srcMask.fBounds.fTop = dstMask.fBounds.fTop; + } + if (dstMask.fBounds.fTop < srcMask.fBounds.fTop) { + int32_t topDiff = srcMask.fBounds.fTop - dstMask.fBounds.fTop; + dstMask.fImage += dstMask.fRowBytes * topDiff; + dstMask.fBounds.fTop = srcMask.fBounds.fTop; + } + + if (srcMask.fBounds.fLeft < dstMask.fBounds.fLeft) { + int32_t leftDiff = dstMask.fBounds.fLeft - srcMask.fBounds.fLeft; + srcMask.fImage += leftDiff; + srcMask.fBounds.fLeft = dstMask.fBounds.fLeft; + } + if (dstMask.fBounds.fLeft < srcMask.fBounds.fLeft) { + int32_t leftDiff = srcMask.fBounds.fLeft - dstMask.fBounds.fLeft; + dstMask.fImage += leftDiff; + dstMask.fBounds.fLeft = srcMask.fBounds.fLeft; + } + + if (srcMask.fBounds.fBottom < dstMask.fBounds.fBottom) { + dstMask.fBounds.fBottom = srcMask.fBounds.fBottom; + } + if (dstMask.fBounds.fBottom < srcMask.fBounds.fBottom) { + srcMask.fBounds.fBottom = dstMask.fBounds.fBottom; + } + + if (srcMask.fBounds.fRight < dstMask.fBounds.fRight) { + dstMask.fBounds.fRight = srcMask.fBounds.fRight; + } + if (dstMask.fBounds.fRight < srcMask.fBounds.fRight) { + srcMask.fBounds.fRight = dstMask.fBounds.fRight; + } + + SkASSERT(srcMask.fBounds == dstMask.fBounds); + int width = srcMask.fBounds.width(); + int height = srcMask.fBounds.height(); + int dstRB = dstMask.fRowBytes; + int srcRB = srcMask.fRowBytes; + + const uint8_t* src = srcMask.fImage; + uint8_t* dst = dstMask.fImage; + + if (SkMask::k3D_Format == filteredMask.fFormat) { + // we have to copy 3 times as much + height *= 3; + } + + // If not filling the full original glyph, clear it out first. + if (dstMask.fBounds != origBounds) { + sk_bzero(origGlyph.fImage, origGlyph.fHeight * origGlyph.rowBytes()); + } - SkMask srcM = glyph->mask(), - dstM; - SkMatrix matrix; - - fRec.getMatrixFrom2x2(&matrix); - - if (as_MFB(fMaskFilter)->filterMask(&dstM, srcM, matrix, nullptr)) { - int width = std::min(origGlyph.fWidth, dstM.fBounds.width()); - int height = std::min(origGlyph.fHeight, dstM.fBounds.height()); - int dstRB = origGlyph.rowBytes(); - int srcRB = dstM.fRowBytes; - - const uint8_t* src = (const uint8_t*)dstM.fImage; - uint8_t* dst = (uint8_t*)origGlyph.fImage; - - if (SkMask::k3D_Format == dstM.fFormat) { - // we have to copy 3 times as much - height *= 3; - } - - // clean out our glyph, since it may be larger than dstM - //sk_bzero(dst, height * dstRB); - - while (--height >= 0) { - memcpy(dst, src, width); - src += srcRB; - dst += dstRB; - } - SkMask::FreeImage(dstM.fImage); + while (--height >= 0) { + memcpy(dst, src, width); + src += srcRB; + dst += dstRB; } + SkMask::FreeImage(filteredMask.fImage); } } diff -Naur a/src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c b/src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c --- a/src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c 2021-04-30 21:16:15.249587377 +0100 @@ -50422,6 +50422,7 @@ p->page.pExtra = &p[1]; p->isBulkLocal = 0; p->isAnchor = 0; + p->pLruPrev = 0; /* Initializing this saves a valgrind error */ } (*pCache->pnPurgeable)++; return p; @@ -72324,7 +72325,9 @@ } pgno = get4byte(pRight); while( 1 ){ - rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + if( rc==SQLITE_OK ){ + rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + } if( rc ){ memset(apOld, 0, (i+1)*sizeof(MemPage*)); goto balance_cleanup; @@ -72363,12 +72366,10 @@ if( pBt->btsFlags & BTS_FAST_SECURE ){ int iOff; + /* If the following if() condition is not true, the db is corrupted. + ** The call to dropCell() below will detect this. */ iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData); - if( (iOff+szNew[i])>(int)pBt->usableSize ){ - rc = SQLITE_CORRUPT_BKPT; - memset(apOld, 0, (i+1)*sizeof(MemPage*)); - goto balance_cleanup; - }else{ + if( (iOff+szNew[i])<=(int)pBt->usableSize ){ memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]); apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData]; } @@ -231234,7 +231235,7 @@ #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */ /************** End of stmt.c ************************************************/ -#if __LINE__!=231237 +#if __LINE__!=231238 #undef SQLITE_SOURCE_ID #define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt2" #endif diff -Naur a/src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c b/src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c --- a/src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c 2021-04-30 21:16:15.268620272 +0100 @@ -50435,6 +50435,7 @@ p->page.pExtra = &p[1]; p->isBulkLocal = 0; p->isAnchor = 0; + p->pLruPrev = 0; /* Initializing this saves a valgrind error */ } (*pCache->pnPurgeable)++; return p; @@ -72337,7 +72338,9 @@ } pgno = get4byte(pRight); while( 1 ){ - rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + if( rc==SQLITE_OK ){ + rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + } if( rc ){ memset(apOld, 0, (i+1)*sizeof(MemPage*)); goto balance_cleanup; @@ -72376,12 +72379,10 @@ if( pBt->btsFlags & BTS_FAST_SECURE ){ int iOff; + /* If the following if() condition is not true, the db is corrupted. + ** The call to dropCell() below will detect this. */ iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData); - if( (iOff+szNew[i])>(int)pBt->usableSize ){ - rc = SQLITE_CORRUPT_BKPT; - memset(apOld, 0, (i+1)*sizeof(MemPage*)); - goto balance_cleanup; - }else{ + if( (iOff+szNew[i])<=(int)pBt->usableSize ){ memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]); apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData]; } @@ -231747,7 +231748,7 @@ #endif /* !defined(SQLITE_CORE) || defined(SQLITE_ENABLE_STMTVTAB) */ /************** End of stmt.c ************************************************/ -#if __LINE__!=231750 +#if __LINE__!=231751 #undef SQLITE_SOURCE_ID #define SQLITE_SOURCE_ID "2020-12-01 16:14:00 b7738010bc8ef02ba84820368e557306390a33c38adaa5c7703154bae3edalt2" #endif diff -Naur a/src/3rdparty/chromium/third_party/sqlite/src/src/btree.c b/src/3rdparty/chromium/third_party/sqlite/src/src/btree.c --- a/src/3rdparty/chromium/third_party/sqlite/src/src/btree.c 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/sqlite/src/src/btree.c 2021-04-30 21:16:15.270623735 +0100 @@ -7618,7 +7618,9 @@ } pgno = get4byte(pRight); while( 1 ){ - rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + if( rc==SQLITE_OK ){ + rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0); + } if( rc ){ memset(apOld, 0, (i+1)*sizeof(MemPage*)); goto balance_cleanup; @@ -7657,12 +7659,10 @@ if( pBt->btsFlags & BTS_FAST_SECURE ){ int iOff; + /* If the following if() condition is not true, the db is corrupted. + ** The call to dropCell() below will detect this. */ iOff = SQLITE_PTR_TO_INT(apDiv[i]) - SQLITE_PTR_TO_INT(pParent->aData); - if( (iOff+szNew[i])>(int)pBt->usableSize ){ - rc = SQLITE_CORRUPT_BKPT; - memset(apOld, 0, (i+1)*sizeof(MemPage*)); - goto balance_cleanup; - }else{ + if( (iOff+szNew[i])<=(int)pBt->usableSize ){ memcpy(&aOvflSpace[iOff], apDiv[i], szNew[i]); apDiv[i] = &aOvflSpace[apDiv[i]-pParent->aData]; } diff -Naur a/src/3rdparty/chromium/third_party/sqlite/src/src/pcache1.c b/src/3rdparty/chromium/third_party/sqlite/src/src/pcache1.c --- a/src/3rdparty/chromium/third_party/sqlite/src/src/pcache1.c 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/sqlite/src/src/pcache1.c 2021-04-30 21:16:15.270623735 +0100 @@ -461,6 +461,7 @@ p->page.pExtra = &p[1]; p->isBulkLocal = 0; p->isAnchor = 0; + p->pLruPrev = 0; /* Initializing this saves a valgrind error */ } (*pCache->pnPurgeable)++; return p; diff -Naur a/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.cc b/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.cc --- a/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.cc 2021-04-30 21:18:03.541758869 +0100 @@ -20,6 +20,7 @@ // Successful return value from usrsctp callbacks. Is not actually used by // usrsctp, but all example programs for usrsctp use 1 as their return value. constexpr int kSctpSuccessReturn = 1; +constexpr int kSctpErrorReturn = 0; } // namespace @@ -27,6 +28,7 @@ #include #include +#include #include #include @@ -79,59 +81,22 @@ PPID_TEXT_LAST = 51 }; -// Maps SCTP transport ID to SctpTransport object, necessary in send threshold -// callback and outgoing packet callback. -// TODO(crbug.com/1076703): Remove once the underlying problem is fixed or -// workaround is provided in usrsctp. -class SctpTransportMap { - public: - SctpTransportMap() = default; - - // Assigns a new unused ID to the following transport. - uintptr_t Register(cricket::SctpTransport* transport) { - webrtc::MutexLock lock(&lock_); - // usrsctp_connect fails with a value of 0... - if (next_id_ == 0) { - ++next_id_; - } - // In case we've wrapped around and need to find an empty spot from a - // removed transport. Assumes we'll never be full. - while (map_.find(next_id_) != map_.end()) { - ++next_id_; - if (next_id_ == 0) { - ++next_id_; - } - }; - map_[next_id_] = transport; - return next_id_++; - } - - // Returns true if found. - bool Deregister(uintptr_t id) { - webrtc::MutexLock lock(&lock_); - return map_.erase(id) > 0; - } - - cricket::SctpTransport* Retrieve(uintptr_t id) const { - webrtc::MutexLock lock(&lock_); - auto it = map_.find(id); - if (it == map_.end()) { - return nullptr; - } - return it->second; - } +// Should only be modified by UsrSctpWrapper. +ABSL_CONST_INIT cricket::SctpTransportMap* g_transport_map_ = nullptr; +// Helper that will call C's free automatically. +// TODO(b/181900299): Figure out why unique_ptr with a custom deleter is causing +// issues in a certain build environment. +class AutoFreedPointer { + public: + explicit AutoFreedPointer(void* ptr) : ptr_(ptr) {} + AutoFreedPointer(AutoFreedPointer&& o) : ptr_(o.ptr_) { o.ptr_ = nullptr; } + ~AutoFreedPointer() { free(ptr_); } + void* get() const { return ptr_; } private: - mutable webrtc::Mutex lock_; - - uintptr_t next_id_ RTC_GUARDED_BY(lock_) = 0; - std::unordered_map map_ - RTC_GUARDED_BY(lock_); + void* ptr_; }; -// Should only be modified by UsrSctpWrapper. -ABSL_CONST_INIT SctpTransportMap* g_transport_map_ = nullptr; - // Helper for logging SCTP messages. #if defined(__GNUC__) __attribute__((__format__(__printf__, 1, 2))) @@ -256,6 +221,71 @@ namespace cricket { +// Maps SCTP transport ID to SctpTransport object, necessary in send threshold +// callback and outgoing packet callback. It also provides a facility to +// safely post a task to an SctpTransport's network thread from another thread. +class SctpTransportMap { + public: + SctpTransportMap() = default; + + // Assigns a new unused ID to the following transport. + uintptr_t Register(cricket::SctpTransport* transport) { + webrtc::MutexLock lock(&lock_); + // usrsctp_connect fails with a value of 0... + if (next_id_ == 0) { + ++next_id_; + } + // In case we've wrapped around and need to find an empty spot from a + // removed transport. Assumes we'll never be full. + while (map_.find(next_id_) != map_.end()) { + ++next_id_; + if (next_id_ == 0) { + ++next_id_; + } + }; + map_[next_id_] = transport; + return next_id_++; + } + + // Returns true if found. + bool Deregister(uintptr_t id) { + webrtc::MutexLock lock(&lock_); + return map_.erase(id) > 0; + } + + // Posts |action| to the network thread of the transport identified by |id| + // and returns true if found, all while holding a lock to protect against the + // transport being simultaneously deleted/deregistered, or returns false if + // not found. + template + bool PostToTransportThread(uintptr_t id, F action) const { + webrtc::MutexLock lock(&lock_); + SctpTransport* transport = RetrieveWhileHoldingLock(id); + if (!transport) { + return false; + } + transport->invoker_.AsyncInvoke( + RTC_FROM_HERE, transport->network_thread_, + [transport, action{std::move(action)}]() { action(transport); }); + return true; + } + + private: + SctpTransport* RetrieveWhileHoldingLock(uintptr_t id) const + RTC_EXCLUSIVE_LOCKS_REQUIRED(lock_) { + auto it = map_.find(id); + if (it == map_.end()) { + return nullptr; + } + return it->second; + } + + mutable webrtc::Mutex lock_; + + uintptr_t next_id_ RTC_GUARDED_BY(lock_) = 0; + std::unordered_map map_ RTC_GUARDED_BY(lock_); +}; + // Handles global init/deinit, and mapping from usrsctp callbacks to // SctpTransport calls. class SctpTransport::UsrSctpWrapper { @@ -357,14 +387,6 @@ << "OnSctpOutboundPacket called after usrsctp uninitialized?"; return EINVAL; } - SctpTransport* transport = - g_transport_map_->Retrieve(reinterpret_cast(addr)); - if (!transport) { - RTC_LOG(LS_ERROR) - << "OnSctpOutboundPacket: Failed to get transport for socket ID " - << addr; - return EINVAL; - } RTC_LOG(LS_VERBOSE) << "global OnSctpOutboundPacket():" "addr: " << addr << "; length: " << length @@ -372,13 +394,23 @@ << "; set_df: " << rtc::ToHex(set_df); VerboseLogPacket(data, length, SCTP_DUMP_OUTBOUND); + // Note: We have to copy the data; the caller will delete it. rtc::CopyOnWriteBuffer buf(reinterpret_cast(data), length); - // TODO(deadbeef): Why do we need an AsyncInvoke here? We're already on the - // right thread and don't need to unwind the stack. - transport->invoker_.AsyncInvoke( - RTC_FROM_HERE, transport->network_thread_, - rtc::Bind(&SctpTransport::OnPacketFromSctpToNetwork, transport, buf)); + + // PostsToTransportThread protects against the transport being + // simultaneously deregistered/deleted, since this callback may come from + // the SCTP timer thread and thus race with the network thread. + bool found = g_transport_map_->PostToTransportThread( + reinterpret_cast(addr), [buf](SctpTransport* transport) { + transport->OnPacketFromSctpToNetwork(buf); + }); + if (!found) { + RTC_LOG(LS_ERROR) + << "OnSctpOutboundPacket: Failed to get transport for socket ID " + << addr << "; possibly was already destroyed."; + return EINVAL; + } return 0; } @@ -393,28 +425,45 @@ struct sctp_rcvinfo rcv, int flags, void* ulp_info) { - SctpTransport* transport = GetTransportFromSocket(sock); - if (!transport) { + AutoFreedPointer owned_data(data); + absl::optional id = GetTransportIdFromSocket(sock); + if (!id) { RTC_LOG(LS_ERROR) - << "OnSctpInboundPacket: Failed to get transport for socket " << sock - << "; possibly was already destroyed."; - free(data); - return 0; + << "OnSctpInboundPacket: Failed to get transport ID from socket " + << sock; + return kSctpErrorReturn; } - // Sanity check that both methods of getting the SctpTransport pointer - // yield the same result. - RTC_CHECK_EQ(transport, static_cast(ulp_info)); - int result = - transport->OnDataOrNotificationFromSctp(data, length, rcv, flags); - free(data); - return result; + + if (!g_transport_map_) { + RTC_LOG(LS_ERROR) + << "OnSctpInboundPacket called after usrsctp uninitialized?"; + return kSctpErrorReturn; + } + // PostsToTransportThread protects against the transport being + // simultaneously deregistered/deleted, since this callback may come from + // the SCTP timer thread and thus race with the network thread. + bool found = g_transport_map_->PostToTransportThread( + *id, [owned_data{std::move(owned_data)}, length, rcv, + flags](SctpTransport* transport) { + transport->OnDataOrNotificationFromSctp(owned_data.get(), length, rcv, + flags); + }); + if (!found) { + RTC_LOG(LS_ERROR) + << "OnSctpInboundPacket: Failed to get transport for socket ID " + << *id << "; possibly was already destroyed."; + return kSctpErrorReturn; + } + return kSctpSuccessReturn; } - static SctpTransport* GetTransportFromSocket(struct socket* sock) { + static absl::optional GetTransportIdFromSocket( + struct socket* sock) { + absl::optional ret; struct sockaddr* addrs = nullptr; int naddrs = usrsctp_getladdrs(sock, 0, &addrs); if (naddrs <= 0 || addrs[0].sa_family != AF_CONN) { - return nullptr; + return ret; } // usrsctp_getladdrs() returns the addresses bound to this socket, which // contains the SctpTransport id as sconn_addr. Read the id, @@ -423,17 +472,10 @@ // id of the transport that created them, so [0] is as good as any other. struct sockaddr_conn* sconn = reinterpret_cast(&addrs[0]); - if (!g_transport_map_) { - RTC_LOG(LS_ERROR) - << "GetTransportFromSocket called after usrsctp uninitialized?"; - usrsctp_freeladdrs(addrs); - return nullptr; - } - SctpTransport* transport = g_transport_map_->Retrieve( - reinterpret_cast(sconn->sconn_addr)); + ret = reinterpret_cast(sconn->sconn_addr); usrsctp_freeladdrs(addrs); - return transport; + return ret; } // TODO(crbug.com/webrtc/11899): This is a legacy callback signature, remove @@ -442,14 +484,26 @@ // Fired on our I/O thread. SctpTransport::OnPacketReceived() gets // a packet containing acknowledgments, which goes into usrsctp_conninput, // and then back here. - SctpTransport* transport = GetTransportFromSocket(sock); - if (!transport) { + absl::optional id = GetTransportIdFromSocket(sock); + if (!id) { + RTC_LOG(LS_ERROR) + << "SendThresholdCallback: Failed to get transport ID from socket " + << sock; + return 0; + } + if (!g_transport_map_) { RTC_LOG(LS_ERROR) - << "SendThresholdCallback: Failed to get transport for socket " - << sock << "; possibly was already destroyed."; + << "SendThresholdCallback called after usrsctp uninitialized?"; return 0; } - transport->OnSendThresholdCallback(); + bool found = g_transport_map_->PostToTransportThread( + *id, + [](SctpTransport* transport) { transport->OnSendThresholdCallback(); }); + if (!found) { + RTC_LOG(LS_ERROR) + << "SendThresholdCallback: Failed to get transport for socket ID " + << *id << "; possibly was already destroyed."; + } return 0; } @@ -459,17 +513,26 @@ // Fired on our I/O thread. SctpTransport::OnPacketReceived() gets // a packet containing acknowledgments, which goes into usrsctp_conninput, // and then back here. - SctpTransport* transport = GetTransportFromSocket(sock); - if (!transport) { + absl::optional id = GetTransportIdFromSocket(sock); + if (!id) { RTC_LOG(LS_ERROR) - << "SendThresholdCallback: Failed to get transport for socket " - << sock << "; possibly was already destroyed."; + << "SendThresholdCallback: Failed to get transport ID from socket " + << sock; return 0; } - // Sanity check that both methods of getting the SctpTransport pointer - // yield the same result. - RTC_CHECK_EQ(transport, static_cast(ulp_info)); - transport->OnSendThresholdCallback(); + if (!g_transport_map_) { + RTC_LOG(LS_ERROR) + << "SendThresholdCallback called after usrsctp uninitialized?"; + return 0; + } + bool found = g_transport_map_->PostToTransportThread( + *id, + [](SctpTransport* transport) { transport->OnSendThresholdCallback(); }); + if (!found) { + RTC_LOG(LS_ERROR) + << "SendThresholdCallback: Failed to get transport for socket ID " + << *id << "; possibly was already destroyed."; + } return 0; } }; @@ -1120,24 +1183,25 @@ rtc::PacketOptions(), PF_NORMAL); } -int SctpTransport::InjectDataOrNotificationFromSctpForTesting( +void SctpTransport::InjectDataOrNotificationFromSctpForTesting( void* data, size_t length, struct sctp_rcvinfo rcv, int flags) { - return OnDataOrNotificationFromSctp(data, length, rcv, flags); + OnDataOrNotificationFromSctp(data, length, rcv, flags); } -int SctpTransport::OnDataOrNotificationFromSctp(void* data, - size_t length, - struct sctp_rcvinfo rcv, - int flags) { +void SctpTransport::OnDataOrNotificationFromSctp(void* data, + size_t length, + struct sctp_rcvinfo rcv, + int flags) { + RTC_DCHECK_RUN_ON(network_thread_); // If data is NULL, the SCTP association has been closed. if (!data) { RTC_LOG(LS_INFO) << debug_name_ << "->OnDataOrNotificationFromSctp(...): " "No data; association closed."; - return kSctpSuccessReturn; + return; } // Handle notifications early. @@ -1150,13 +1214,10 @@ << "->OnDataOrNotificationFromSctp(...): SCTP notification" << " length=" << length; - // Copy and dispatch asynchronously rtc::CopyOnWriteBuffer notification(reinterpret_cast(data), length); - invoker_.AsyncInvoke( - RTC_FROM_HERE, network_thread_, - rtc::Bind(&SctpTransport::OnNotificationFromSctp, this, notification)); - return kSctpSuccessReturn; + OnNotificationFromSctp(notification); + return; } // Log data chunk @@ -1174,7 +1235,7 @@ // Unexpected PPID, dropping RTC_LOG(LS_ERROR) << "Received an unknown PPID " << ppid << " on an SCTP packet. Dropping."; - return kSctpSuccessReturn; + return; } // Expect only continuation messages belonging to the same SID. The SCTP @@ -1210,7 +1271,7 @@ if (partial_incoming_message_.size() < kSctpSendBufferSize) { // We still have space in the buffer. Continue buffering chunks until // the message is complete before handing it out. - return kSctpSuccessReturn; + return; } else { // The sender is exceeding the maximum message size that we announced. // Spit out a warning but still hand out the partial message. Note that @@ -1224,17 +1285,11 @@ } } - // Dispatch the complete message. - // The ownership of the packet transfers to |invoker_|. Using - // CopyOnWriteBuffer is the most convenient way to do this. - invoker_.AsyncInvoke( - RTC_FROM_HERE, network_thread_, - rtc::Bind(&SctpTransport::OnDataFromSctpToTransport, this, params, - partial_incoming_message_)); + // Dispatch the complete message and reset the message buffer. - // Reset the message buffer + // Dispatch the complete message and reset the message buffer. + OnDataFromSctpToTransport(params, partial_incoming_message_); partial_incoming_message_.Clear(); - return kSctpSuccessReturn; } void SctpTransport::OnDataFromSctpToTransport( diff -Naur a/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.h b/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.h --- a/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/third_party/webrtc/media/sctp/sctp_transport.h 2021-04-30 21:18:03.542760600 +0100 @@ -96,10 +96,10 @@ void set_debug_name_for_testing(const char* debug_name) override { debug_name_ = debug_name; } - int InjectDataOrNotificationFromSctpForTesting(void* data, - size_t length, - struct sctp_rcvinfo rcv, - int flags); + void InjectDataOrNotificationFromSctpForTesting(void* data, + size_t length, + struct sctp_rcvinfo rcv, + int flags); // Exposed to allow Post call from c-callbacks. // TODO(deadbeef): Remove this or at least make it return a const pointer. @@ -180,12 +180,12 @@ // Called using |invoker_| to send packet on the network. void OnPacketFromSctpToNetwork(const rtc::CopyOnWriteBuffer& buffer); - // Called on the SCTP thread. + // Called on the network thread. // Flags are standard socket API flags (RFC 6458). - int OnDataOrNotificationFromSctp(void* data, - size_t length, - struct sctp_rcvinfo rcv, - int flags); + void OnDataOrNotificationFromSctp(void* data, + size_t length, + struct sctp_rcvinfo rcv, + int flags); // Called using |invoker_| to decide what to do with the data. void OnDataFromSctpToTransport(const ReceiveDataParams& params, const rtc::CopyOnWriteBuffer& buffer); @@ -281,6 +281,8 @@ // various callbacks. uintptr_t id_ = 0; + friend class SctpTransportMap; + RTC_DISALLOW_COPY_AND_ASSIGN(SctpTransport); }; @@ -299,6 +301,8 @@ rtc::Thread* network_thread_; }; +class SctpTransportMap; + } // namespace cricket #endif // MEDIA_SCTP_SCTP_TRANSPORT_H_ diff -Naur a/src/3rdparty/chromium/tools/metrics/histograms/enums.xml b/src/3rdparty/chromium/tools/metrics/histograms/enums.xml --- a/src/3rdparty/chromium/tools/metrics/histograms/enums.xml 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/tools/metrics/histograms/enums.xml 2021-04-30 21:19:25.182866837 +0100 @@ -8777,6 +8777,8 @@ + + diff -Naur a/src/3rdparty/chromium/ui/views/win/hwnd_message_handler.cc b/src/3rdparty/chromium/ui/views/win/hwnd_message_handler.cc --- a/src/3rdparty/chromium/ui/views/win/hwnd_message_handler.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/ui/views/win/hwnd_message_handler.cc 2021-04-30 21:22:19.598325383 +0100 @@ -1661,7 +1661,13 @@ const gfx::Size& screen_size) { TRACE_EVENT0("ui", "HWNDMessageHandler::OnDisplayChange"); + base::WeakPtr ref(msg_handler_weak_factory_.GetWeakPtr()); delegate_->HandleDisplayChange(); + + // HandleDisplayChange() may result in |this| being deleted. + if (!ref) + return; + // Force a WM_NCCALCSIZE to occur to ensure that we handle auto hide // taskbars correctly. SendFrameChanged(); diff -Naur a/src/3rdparty/chromium/url/origin.cc b/src/3rdparty/chromium/url/origin.cc --- a/src/3rdparty/chromium/url/origin.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/url/origin.cc 2021-04-30 20:10:44.929638395 +0100 @@ -54,7 +54,10 @@ if (!tuple.IsValid()) return Origin(); - return Origin(std::move(tuple)); + + Origin origin = Origin(std::move(tuple)); + origin.full_url_ = url; + return origin; } Origin Origin::Resolve(const GURL& url, const Origin& base_origin) { @@ -152,6 +155,17 @@ return tuple_.GetURL(); } +GURL Origin::GetFullURL() const { + if (opaque()) + return GURL(); + + return full_url_; +} + +void Origin::SetFullURL(const GURL &url) { + full_url_ = url; +} + base::Optional Origin::GetNonceForSerialization() const { // TODO(nasko): Consider not making a copy here, but return a reference to diff -Naur a/src/3rdparty/chromium/url/origin.h b/src/3rdparty/chromium/url/origin.h --- a/src/3rdparty/chromium/url/origin.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/url/origin.h 2021-04-30 20:10:44.930640127 +0100 @@ -20,6 +20,7 @@ #include "base/unguessable_token.h" #include "build/build_config.h" #include "ipc/ipc_param_traits.h" +#include "url/gurl.h" #include "url/scheme_host_port.h" #include "url/third_party/mozilla/url_parse.h" #include "url/url_canon.h" @@ -260,6 +261,9 @@ // URL (e.g. with a path component). GURL GetURL() const; + GURL GetFullURL() const; + void SetFullURL(const GURL &url); + // Same as GURL::DomainIs. If |this| origin is opaque, then returns false. bool DomainIs(base::StringPiece canonical_domain) const; @@ -414,6 +418,8 @@ // nonce is preserved when an opaque origin is copied or moved. An Origin // is considered opaque if and only if |nonce_| holds a value. base::Optional nonce_; + + GURL full_url_; }; // Pretty-printers for logging. These expose the internal state of the nonce. diff -Naur a/src/3rdparty/chromium/v8/AUTHORS b/src/3rdparty/chromium/v8/AUTHORS --- a/src/3rdparty/chromium/v8/AUTHORS 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/AUTHORS 2021-04-30 21:21:55.406512413 +0100 @@ -69,6 +69,7 @@ Ben Noordhuis Benjamin Tan Bert Belder +Brendon Tiszka Burcu Dogan Caitlin Potter Craig Schlenter diff -Naur a/src/3rdparty/chromium/v8/src/builtins/builtins-array.cc b/src/3rdparty/chromium/v8/src/builtins/builtins-array.cc --- a/src/3rdparty/chromium/v8/src/builtins/builtins-array.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/builtins/builtins-array.cc 2021-04-30 21:21:55.406512413 +0100 @@ -649,11 +649,14 @@ index_offset_(0u), bit_field_(FastElementsField::encode(fast_elements) | ExceedsLimitField::encode(false) | - IsFixedArrayField::encode(storage->IsFixedArray()) | + IsFixedArrayField::encode(storage->IsFixedArray(isolate)) | HasSimpleElementsField::encode( - storage->IsFixedArray() || - !storage->map().IsCustomElementsReceiverMap())) { - DCHECK(!(this->fast_elements() && !is_fixed_array())); + storage->IsFixedArray(isolate) || + // Don't take fast path for storages that might have + // side effects when storing to them. + (!storage->map(isolate).IsCustomElementsReceiverMap() && + !storage->IsJSTypedArray(isolate)))) { + DCHECK_IMPLIES(this->fast_elements(), is_fixed_array()); } ~ArrayConcatVisitor() { clear_storage(); } @@ -1063,8 +1066,8 @@ return IterateElementsSlow(isolate, receiver, length, visitor); } - if (!HasOnlySimpleElements(isolate, *receiver) || - !visitor->has_simple_elements()) { + if (!visitor->has_simple_elements() || + !HasOnlySimpleElements(isolate, *receiver)) { return IterateElementsSlow(isolate, receiver, length, visitor); } Handle array = Handle::cast(receiver); @@ -1080,6 +1083,9 @@ case HOLEY_SEALED_ELEMENTS: case HOLEY_NONEXTENSIBLE_ELEMENTS: case HOLEY_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Run through the elements FixedArray and use HasElement and GetElement // to check the prototype for missing elements. Handle elements(FixedArray::cast(array->elements()), isolate); @@ -1106,6 +1112,9 @@ } case HOLEY_DOUBLE_ELEMENTS: case PACKED_DOUBLE_ELEMENTS: { + // Disallow execution so the cached elements won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + // Empty array is FixedArray but not FixedDoubleArray. if (length == 0) break; // Run through the elements FixedArray and use HasElement and GetElement @@ -1142,6 +1151,9 @@ } case DICTIONARY_ELEMENTS: { + // Disallow execution so the cached dictionary won't change mid execution. + DisallowJavascriptExecution no_js(isolate); + Handle dict(array->element_dictionary(), isolate); std::vector indices; indices.reserve(dict->Capacity() / 2); diff -Naur a/src/3rdparty/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc b/src/3rdparty/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc --- a/src/3rdparty/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/compiler/backend/x64/instruction-selector-x64.cc 2021-04-30 20:09:58.530432989 +0100 @@ -1279,7 +1279,9 @@ opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq; break; case MachineRepresentation::kWord32: - opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl; + // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit + // integer, so here we must sign-extend the loaded value in any case. + opcode = kX64Movsxlq; break; default: UNREACHABLE(); diff -Naur a/src/3rdparty/chromium/v8/src/compiler/js-call-reducer.cc b/src/3rdparty/chromium/v8/src/compiler/js-call-reducer.cc --- a/src/3rdparty/chromium/v8/src/compiler/js-call-reducer.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/compiler/js-call-reducer.cc 2021-04-30 21:26:06.294177911 +0100 @@ -5251,24 +5251,31 @@ } // Compute the new {length}. - length = graph()->NewNode(simplified()->NumberSubtract(), length, - jsgraph()->OneConstant()); + Node* new_length = graph()->NewNode(simplified()->NumberSubtract(), + length, jsgraph()->OneConstant()); + + // This extra check exists solely to break an exploitation technique + // that abuses typer mismatches. + new_length = efalse = graph()->NewNode( + simplified()->CheckBounds(p.feedback(), + CheckBoundsFlag::kAbortOnOutOfBounds), + new_length, length, efalse, if_false); // Store the new {length} to the {receiver}. efalse = graph()->NewNode( simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)), - receiver, length, efalse, if_false); + receiver, new_length, efalse, if_false); // Load the last entry from the {elements}. vfalse = efalse = graph()->NewNode( simplified()->LoadElement(AccessBuilder::ForFixedArrayElement(kind)), - elements, length, efalse, if_false); + elements, new_length, efalse, if_false); // Store a hole to the element we just removed from the {receiver}. efalse = graph()->NewNode( simplified()->StoreElement( AccessBuilder::ForFixedArrayElement(GetHoleyElementsKind(kind))), - elements, length, jsgraph()->TheHoleConstant(), efalse, if_false); + elements, new_length, jsgraph()->TheHoleConstant(), efalse, if_false); } control = graph()->NewNode(common()->Merge(2), if_true, if_false); @@ -5444,19 +5451,27 @@ } // Compute the new {length}. - length = graph()->NewNode(simplified()->NumberSubtract(), length, - jsgraph()->OneConstant()); + Node* new_length = graph()->NewNode(simplified()->NumberSubtract(), + length, jsgraph()->OneConstant()); + + // This extra check exists solely to break an exploitation technique + // that abuses typer mismatches. + new_length = etrue1 = graph()->NewNode( + simplified()->CheckBounds(p.feedback(), + CheckBoundsFlag::kAbortOnOutOfBounds), + new_length, length, etrue1, if_true1); // Store the new {length} to the {receiver}. etrue1 = graph()->NewNode( simplified()->StoreField(AccessBuilder::ForJSArrayLength(kind)), - receiver, length, etrue1, if_true1); + receiver, new_length, etrue1, if_true1); // Store a hole to the element we just removed from the {receiver}. etrue1 = graph()->NewNode( simplified()->StoreElement(AccessBuilder::ForFixedArrayElement( GetHoleyElementsKind(kind))), - elements, length, jsgraph()->TheHoleConstant(), etrue1, if_true1); + elements, new_length, jsgraph()->TheHoleConstant(), etrue1, + if_true1); } Node* if_false1 = graph()->NewNode(common()->IfFalse(), branch1); diff -Naur a/src/3rdparty/chromium/v8/src/compiler/representation-change.cc b/src/3rdparty/chromium/v8/src/compiler/representation-change.cc --- a/src/3rdparty/chromium/v8/src/compiler/representation-change.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/compiler/representation-change.cc 2021-04-30 21:26:31.349488557 +0100 @@ -211,7 +211,10 @@ return GetFloat32RepresentationFor(node, output_rep, output_type, use_info.truncation()); case MachineRepresentation::kFloat64: - DCHECK_NE(TypeCheckKind::kBigInt, use_info.type_check()); + DCHECK(use_info.type_check() == TypeCheckKind::kNone || + use_info.type_check() == TypeCheckKind::kNumber || + use_info.type_check() == TypeCheckKind::kNumberOrBoolean || + use_info.type_check() == TypeCheckKind::kNumberOrOddball); return GetFloat64RepresentationFor(node, output_rep, output_type, use_node, use_info); case MachineRepresentation::kBit: @@ -727,15 +730,22 @@ } } else if (IsAnyTagged(output_rep)) { if (output_type.Is(Type::Undefined())) { - if (use_info.type_check() == TypeCheckKind::kNumberOrBoolean) { + if (use_info.type_check() == TypeCheckKind::kNumberOrOddball || + (use_info.type_check() == TypeCheckKind::kNone && + use_info.truncation().TruncatesOddballAndBigIntToNumber())) { + return jsgraph()->Float64Constant( + std::numeric_limits::quiet_NaN()); + } else { + DCHECK(use_info.type_check() == TypeCheckKind::kNone || + use_info.type_check() == TypeCheckKind::kNumber || + use_info.type_check() == TypeCheckKind::kNumberOrBoolean); Node* unreachable = InsertUnconditionalDeopt( - use_node, DeoptimizeReason::kNotANumberOrBoolean); + use_node, use_info.type_check() == TypeCheckKind::kNumber + ? DeoptimizeReason::kNotANumber + : DeoptimizeReason::kNotANumberOrBoolean); return jsgraph()->graph()->NewNode( jsgraph()->common()->DeadValue(MachineRepresentation::kFloat64), unreachable); - } else { - return jsgraph()->Float64Constant( - std::numeric_limits::quiet_NaN()); } } else if (output_rep == MachineRepresentation::kTaggedSigned) { node = InsertChangeTaggedSignedToInt32(node); @@ -747,12 +757,13 @@ output_type.Is(Type::NumberOrHole())) { // JavaScript 'null' is an Oddball that results in +0 when truncated to // Number. In a context like -0 == null, which must evaluate to false, - // this truncation must not happen. For this reason we restrict this case - // to when either the user explicitly requested a float (and thus wants - // +0 if null is the input) or we know from the types that the input can - // only be Number | Hole. The latter is necessary to handle the operator - // CheckFloat64Hole. We did not put in the type (Number | Oddball \ Null) - // to discover more bugs related to this conversion via crashes. + // this truncation must not happen. For this reason we restrict this + // case to when either the user explicitly requested a float (and thus + // wants +0 if null is the input) or we know from the types that the + // input can only be Number | Hole. The latter is necessary to handle + // the operator CheckFloat64Hole. We did not put in the type (Number | + // Oddball \ Null) to discover more bugs related to this conversion via + // crashes. op = simplified()->TruncateTaggedToFloat64(); } else if (use_info.type_check() == TypeCheckKind::kNumber || (use_info.type_check() == TypeCheckKind::kNumberOrOddball && @@ -949,10 +960,10 @@ return node; } else if (output_rep == MachineRepresentation::kWord64) { if (output_type.Is(Type::Signed32()) || - output_type.Is(Type::Unsigned32())) { - op = machine()->TruncateInt64ToInt32(); - } else if (output_type.Is(cache_->kSafeInteger) && - use_info.truncation().IsUsedAsWord32()) { + (output_type.Is(Type::Unsigned32()) && + use_info.type_check() == TypeCheckKind::kNone) || + (output_type.Is(cache_->kSafeInteger) && + use_info.truncation().IsUsedAsWord32())) { op = machine()->TruncateInt64ToInt32(); } else if (use_info.type_check() == TypeCheckKind::kSignedSmall || use_info.type_check() == TypeCheckKind::kSigned32 || diff -Naur a/src/3rdparty/chromium/v8/src/compiler/simplified-lowering.cc b/src/3rdparty/chromium/v8/src/compiler/simplified-lowering.cc --- a/src/3rdparty/chromium/v8/src/compiler/simplified-lowering.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/compiler/simplified-lowering.cc 2021-04-30 21:24:53.213851142 +0100 @@ -1453,10 +1453,15 @@ Type right_feedback_type = TypeOf(node->InputAt(1)); // Using Signed32 as restriction type amounts to promising there won't be - // signed overflow. This is incompatible with relying on a Word32 - // truncation in order to skip the overflow check. + // signed overflow. This is incompatible with relying on a Word32 truncation + // in order to skip the overflow check. Similarly, we must not drop -0 from + // the result type unless we deopt for -0 inputs. Type const restriction = - truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); + truncation.IsUsedAsWord32() + ? Type::Any() + : (truncation.identify_zeros() == kIdentifyZeros) + ? Type::Signed32OrMinusZero() + : Type::Signed32(); // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not diff -Naur a/src/3rdparty/chromium/v8/src/compiler/type-cache.h b/src/3rdparty/chromium/v8/src/compiler/type-cache.h --- a/src/3rdparty/chromium/v8/src/compiler/type-cache.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/compiler/type-cache.h 2021-04-30 21:25:41.333030031 +0100 @@ -80,7 +80,7 @@ Type::Union(kPositiveIntegerOrMinusZero, Type::NaN(), zone()); Type const kAdditiveSafeInteger = - CreateRange(-4503599627370496.0, 4503599627370496.0); + CreateRange(-4503599627370495.0, 4503599627370495.0); Type const kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger); Type const kAdditiveSafeIntegerOrMinusZero = Type::Union(kAdditiveSafeInteger, Type::MinusZero(), zone()); diff -Naur a/src/3rdparty/chromium/v8/src/deoptimizer/deoptimize-reason.h b/src/3rdparty/chromium/v8/src/deoptimizer/deoptimize-reason.h --- a/src/3rdparty/chromium/v8/src/deoptimizer/deoptimize-reason.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/deoptimizer/deoptimize-reason.h 2021-04-30 21:26:31.349488557 +0100 @@ -43,6 +43,7 @@ V(NotAJavaScriptObject, "not a JavaScript object") \ V(NotAJavaScriptObjectOrNullOrUndefined, \ "not a JavaScript object, Null or Undefined") \ + V(NotANumber, "not a Number") \ V(NotANumberOrBoolean, "not a Number or Boolean") \ V(NotANumberOrOddball, "not a Number or Oddball") \ V(NotAnArrayIndex, "not an array index") \ diff -Naur a/src/3rdparty/chromium/v8/src/heap/memory-chunk-layout.cc b/src/3rdparty/chromium/v8/src/heap/memory-chunk-layout.cc --- a/src/3rdparty/chromium/v8/src/heap/memory-chunk-layout.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/heap/memory-chunk-layout.cc 2021-04-30 21:16:58.934091394 +0100 @@ -42,7 +42,7 @@ } intptr_t MemoryChunkLayout::ObjectStartOffsetInDataPage() { - return RoundUp(MemoryChunk::kHeaderSize + Bitmap::kSize, kTaggedSize); + return RoundUp(MemoryChunk::kHeaderSize + Bitmap::kSize, kDoubleSize); } size_t MemoryChunkLayout::ObjectStartOffsetInMemoryChunk( diff -Naur a/src/3rdparty/chromium/v8/src/objects/fixed-array-inl.h b/src/3rdparty/chromium/v8/src/objects/fixed-array-inl.h --- a/src/3rdparty/chromium/v8/src/objects/fixed-array-inl.h 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/objects/fixed-array-inl.h 2021-04-30 21:21:35.277721939 +0100 @@ -336,7 +336,7 @@ double FixedDoubleArray::get_scalar(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); - DCHECK(index >= 0 && index < this->length()); + DCHECK_LT(static_cast(index), static_cast(length())); DCHECK(!is_the_hole(index)); return ReadField(kHeaderSize + index * kDoubleSize); } @@ -344,7 +344,7 @@ uint64_t FixedDoubleArray::get_representation(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); - DCHECK(index >= 0 && index < this->length()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; // Bug(v8:8875): Doubles may be unaligned. return base::ReadUnalignedValue(field_address(offset)); @@ -362,6 +362,7 @@ void FixedDoubleArray::set(int index, double value) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; if (std::isnan(value)) { WriteField(offset, std::numeric_limits::quiet_NaN()); @@ -378,6 +379,7 @@ void FixedDoubleArray::set_the_hole(int index) { DCHECK(map() != GetReadOnlyRoots().fixed_cow_array_map() && map() != GetReadOnlyRoots().fixed_array_map()); + DCHECK_LT(static_cast(index), static_cast(length())); int offset = kHeaderSize + index * kDoubleSize; base::WriteUnalignedValue(field_address(offset), kHoleNanInt64); } diff -Naur a/src/3rdparty/chromium/v8/src/objects/js-list-format.cc b/src/3rdparty/chromium/v8/src/objects/js-list-format.cc --- a/src/3rdparty/chromium/v8/src/objects/js-list-format.cc 2021-04-01 12:19:23.000000000 +0100 +++ b/src/3rdparty/chromium/v8/src/objects/js-list-format.cc 2021-04-30 21:24:17.541187323 +0100 @@ -28,6 +28,35 @@ namespace v8 { namespace internal { +#if U_ICU_VERSION_MAJOR_NUM >= 67 +namespace { + +UListFormatterWidth GetIcuWidth(JSListFormat::Style style) { + switch (style) { + case JSListFormat::Style::LONG: + return ULISTFMT_WIDTH_WIDE; + case JSListFormat::Style::SHORT: + return ULISTFMT_WIDTH_SHORT; + case JSListFormat::Style::NARROW: + return ULISTFMT_WIDTH_NARROW; + } + UNREACHABLE(); +} + +UListFormatterType GetIcuType(JSListFormat::Type type) { + switch (type) { + case JSListFormat::Type::CONJUNCTION: + return ULISTFMT_TYPE_AND; + case JSListFormat::Type::DISJUNCTION: + return ULISTFMT_TYPE_OR; + case JSListFormat::Type::UNIT: + return ULISTFMT_TYPE_UNITS; + } + UNREACHABLE(); +} + +} // namespace +#else namespace { const char* kStandard = "standard"; const char* kOr = "or"; @@ -74,7 +103,7 @@ } } // namespace - +#endif MaybeHandle JSListFormat::New(Isolate* isolate, Handle map, Handle