chore: cherry-pick 2 changes from Release-1-M116 (#39648)
* chore: [22-x-y] cherry-pick 2 changes from Release-1-M116 * 1939f7b78eda from chromium * e4669a74888d from angle * chore: [22-x-y] cherry-pick missing changes from Release-1-M116 * chore: update patches --------- Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
1 parent
4938ca5
commit 33f9dce
Showing
5 changed files
with
497 additions
and
0 deletions.
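--- a/patches/chromium/don_t_keep_pointer_to_popped_stack_memory_for_has.patch
+++ b/patches/chromium/don_t_keep_pointer_to_popped_stack_memory_for_has.patch
@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rune Lillesveen <futhark@chromium.org>
+Date: Tue, 15 Aug 2023 15:04:39 +0000
+Subject: Don't keep pointer to popped stack memory for :has()
+
+The sibling_features pass into UpdateFeaturesFromCombinator may be
+initialized to last_compound_in_adjacent_chain_features if null. The
+outer while loop in
+AddFeaturesToInvalidationSetsForLogicalCombinationInHas() could then
+reference to the last_compound_in_adjacent_chain_features which is
+popped from the stack on every outer iteration. That caused an ASAN
+failure for reading stack memory that had been popped.
+
+Instead make sure each inner iteration restarts with the same
+sibling_features pointer, which seems to have been the intent here.
+
+(cherry picked from commit 5e213507a2f0d6e3c96904a710407b01493670bd)
+
+Bug: 1470477
+Change-Id: I260c93016f8ab0d165e4b29ca1aea810bede5b97
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4759326
+Commit-Queue: Rune Lillesveen <futhark@chromium.org>
+Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1181365}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4777251
+Cr-Commit-Position: refs/branch-heads/5845@{#1482}
+Cr-Branched-From: 5a5dff63a4a4c63b9b18589819bebb2566c85443-refs/heads/main@{#1160321}
+
+diff --git a/third_party/blink/renderer/core/css/rule_feature_set.cc b/third_party/blink/renderer/core/css/rule_feature_set.cc
+index ec7356285d7fa45b7d9c1701be484a121c2a0017..9cb6084b7fca4fc6ff2edd8defadf8fabf2899b5 100644
+--- a/third_party/blink/renderer/core/css/rule_feature_set.cc
++++ b/third_party/blink/renderer/core/css/rule_feature_set.cc
+@@ -1227,6 +1227,7 @@ void RuleFeatureSet::AddFeaturesToInvalidationSetsForLogicalCombinationInHas(
+descendant_features);
+
+const CSSSelector* compound_in_logical_combination = complex;
++ InvalidationSetFeatures* inner_sibling_features = sibling_features;
+InvalidationSetFeatures last_compound_in_adjacent_chain_features;
+while (compound_in_logical_combination) {
+AddFeaturesToInvalidationSetsForLogicalCombinationInHasContext context(
+@@ -1238,14 +1239,14 @@ void RuleFeatureSet::AddFeaturesToInvalidationSetsForLogicalCombinationInHas(
+last_in_compound =
+SkipAddingAndGetLastInCompoundForLogicalCombinationInHas(
+compound_in_logical_combination, compound_containing_has,
+- sibling_features, descendant_features, previous_combinator,
+- add_features_method);
++ inner_sibling_features, descendant_features,
++ previous_combinator, add_features_method);
+} else {
+last_in_compound =
+AddFeaturesAndGetLastInCompoundForLogicalCombinationInHas(
+compound_in_logical_combination, compound_containing_has,
+- sibling_features, descendant_features, previous_combinator,
+- add_features_method);
++ inner_sibling_features, descendant_features,
++ previous_combinator, add_features_method);
+}
+
+if (!last_in_compound)
+@@ -1259,7 +1260,7 @@ void RuleFeatureSet::AddFeaturesToInvalidationSetsForLogicalCombinationInHas(
+? CSSSelector::kIndirectAdjacent
+: previous_combinator,
+context.last_compound_in_adjacent_chain,
+- last_compound_in_adjacent_chain_features, sibling_features,
++ last_compound_in_adjacent_chain_features, inner_sibling_features,
+descendant_features);
+}
+
+diff --git a/third_party/blink/web_tests/external/wpt/css/selectors/has-sibling-chrome-crash.html b/third_party/blink/web_tests/external/wpt/css/selectors/has-sibling-chrome-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..0306e3e39272c321fc3539aa582b4e239ffe2fa1
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/selectors/has-sibling-chrome-crash.html
+@@ -0,0 +1,10 @@
++<!DOCTYPE html>
++<title>CSS Selectors Test: Chrome crash issue 1470477</title>
++<link rel="help" href="https://crbug.com/1470477">
++<style>
++ :has(> :where(label:first-child + [a="a"]:only-of-type,
++ [a="a"]:only-of-type + label:last-child)) label:last-child {
++ margin-inline: 1em;
++ }
++</style>
++<p>PASS if this tests does not crash</p>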
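Review bot: `inner_sibling_features` in the rule_feature_set.cc hunk carries a lifetime constraint that no comment states: per the patch description it may end up pointing at `last_compound_in_adjacent_chain_features`, so it is only valid while that local is alive. A one-line comment above the declaration, such as `// May be pointed at last_compound_in_adjacent_chain_features below; must not outlive it.`, would make it harder for a later refactor to move the pointer back out of this scope. The added web test only asserts that nothing crashes, and the original failure is described as an ASAN report, so a regression is probably caught reliably only in sanitizer builds. The enclosing function starts and ends outside the hunks shown.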
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: =?UTF-8?q?Samuel=20Gro=C3=9F?= <saelo@chromium.org> | ||
Date: Thu, 17 Aug 2023 09:10:19 +0000 | ||
Subject: Merged: Squashed multiple commits. | ||
MIME-Version: 1.0 | ||
Content-Type: text/plain; charset=UTF-8 | ||
Content-Transfer-Encoding: 8bit | ||
|
||
Merged: [runtime] Recreate enum cache on map update | ||
Revision: 1c623f9ff6e077be1c66f155485ea4005ddb6574 | ||
|
||
Merged: [runtime] Don't try to create empty enum cache. | ||
Revision: 5516e06237c9f0013121f47319e8c253c896d52d | ||
|
||
BUG=chromium:1470668,chromium:1472317 | ||
R=tebbi@chromium.org | ||
|
||
Change-Id: I31d5491aba663661ba68bb55631747a195ed084e | ||
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4788990 | ||
Commit-Queue: Samuel Groß <saelo@chromium.org> | ||
Reviewed-by: Tobias Tebbi <tebbi@chromium.org> | ||
Cr-Commit-Position: refs/branch-heads/11.6@{#32} | ||
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3} | ||
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340} | ||
|
||
diff --git a/src/objects/map-updater.cc b/src/objects/map-updater.cc | ||
index be6568aac4730d08601e883b80092bbd6ee8081a..2ebfc84d3e326abf2602a1af8309024a46cb9c9d 100644 | ||
--- a/src/objects/map-updater.cc | ||
+++ b/src/objects/map-updater.cc | ||
@@ -11,6 +11,7 @@ | ||
#include "src/execution/isolate.h" | ||
#include "src/handles/handles.h" | ||
#include "src/objects/field-type.h" | ||
+#include "src/objects/keys.h" | ||
#include "src/objects/objects-inl.h" | ||
#include "src/objects/objects.h" | ||
#include "src/objects/property-details.h" | ||
@@ -1035,6 +1036,13 @@ MapUpdater::State MapUpdater::ConstructNewMap() { | ||
// the new descriptors to maintain descriptors sharing invariant. | ||
split_map->ReplaceDescriptors(isolate_, *new_descriptors); | ||
|
||
+ // If the old descriptors had an enum cache, make sure the new ones do too. | ||
+ if (old_descriptors_->enum_cache().keys().length() > 0 && | ||
+ new_map->NumberOfEnumerableProperties() > 0) { | ||
+ FastKeyAccumulator::InitializeFastPropertyEnumCache( | ||
+ isolate_, new_map, new_map->NumberOfEnumerableProperties()); | ||
+ } | ||
+ | ||
if (has_integrity_level_transition_) { | ||
target_map_ = new_map; | ||
state_ = kAtIntegrityLevelSource; |
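Review bot: The guard added to `MapUpdater::ConstructNewMap()` evaluates `new_map->NumberOfEnumerableProperties()` twice, and its comment explains only the first half of the condition. Binding the count once, `const int enum_length = new_map->NumberOfEnumerableProperties();`, and using `enum_length` in both the test and the `InitializeFastPropertyEnumCache` call keeps the checked value and the initialized length visibly the same. The comment could also say why the second check exists; going by the squashed commit message ("Don't try to create empty enum cache"), something like `// Skip when the new map has no enumerable properties; an empty enum cache must not be created here.` would fit. No regression test for either referenced bug is visible in this patch, and the body of ConstructNewMap continues outside the hunk.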