Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: cherry-pick 2 changes from Release-1-M117 #40080

Merged
merged 2 commits into from Oct 6, 2023
Merged

chore: cherry-pick 2 changes from Release-1-M117 #40080

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2e225cf
chore: [22-x-y] cherry-pick 2 changes from Release-1-M117
ppontes Oct 3, 2023
3bd39a2
chore: update patches
patchup[bot] Oct 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions patches/chromium/.patches
View file
Open in desktop
Expand Up @@ -172,3 +172,4 @@ cherry-pick-c60a1ab717c7.patch
networkcontext_don_t_access_url_loader_factories_during_destruction.patch
don_t_keep_pointer_to_popped_stack_memory_for_has.patch
cherry-pick-35c06406a658.patch
cherry-pick-b11e7d07a6f4.patch
40 changes: 40 additions & 0 deletions patches/chromium/cherry-pick-b11e7d07a6f4.patch
View file
Open in desktop
@@ -0,0 +1,40 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Wed, 13 Sep 2023 23:32:40 +0000
Subject: M117: Check for object destruction in PdfViewWebPlugin::UpdateFocus()

PdfViewWebPlugin::UpdateFocus() can potentially triggers its own
destruction. Add a check for this and bail out.

(cherry picked from commit cacf485a202b342526374d444375b80a044add76)

Bug: 1480184
Change-Id: I5e7760ed541a2bffb9dd1ebeb522f10650049033
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4852346
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Code-Coverage: findit-for-me@appspot.gserviceaccount.com <findit-for-me@appspot.gserviceaccount.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1194210}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4863395
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/5938@{#1286}
Cr-Branched-From: 2b50cb4bcc2318034581a816714d9535dc38966d-refs/heads/main@{#1181205}

diff --git a/pdf/pdf_view_web_plugin.cc b/pdf/pdf_view_web_plugin.cc
index cdedca1425dd5be31b2d0b5220d0e050d0b0fb59..b14777df757c8c9b3e5474e7f0f73fe316bfee58 100644
--- a/pdf/pdf_view_web_plugin.cc
+++ b/pdf/pdf_view_web_plugin.cc
@@ -519,7 +519,13 @@ void PdfViewWebPlugin::UpdateFocus(bool focused,
if (has_focus_ != focused) {
engine_->UpdateFocus(focused);
client_->UpdateTextInputState();
+
+ // Make sure `this` is still alive after the UpdateSelectionBounds() call.
+ auto weak_this = weak_factory_.GetWeakPtr();
client_->UpdateSelectionBounds();
+ if (!weak_this) {
+ return;
+ }
}
has_focus_ = focused;

1 change: 1 addition & 0 deletions patches/v8/.patches
View file
Open in desktop
Expand Up @@ -31,3 +31,4 @@ merged_compiler_check_for_read-only_property_on.patch
shared-struct_fix_for-in_enumeration.patch
merged_squashed_multiple_commits.patch
cherry-pick-038530c94a06.patch
cherry-pick-b0ad701a609a.patch
56 changes: 56 additions & 0 deletions patches/v8/cherry-pick-b0ad701a609a.patch
View file
Open in desktop
@@ -0,0 +1,56 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo <syg@chromium.org>
Date: Wed, 6 Sep 2023 17:36:38 -0700
Subject: Merged: [builtins] Clear FixedArray slot in Promise builtins

(cherry picked from commit f1884222ad56734e56d80f9707e0e8279af9049e)

Bug: chromium:1479104
Change-Id: Iddc16d8add4dc6bf6f55f537da44770bea6f4bc3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4862980
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.6@{#36}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}

diff --git a/src/builtins/promise-any.tq b/src/builtins/promise-any.tq
index 45bafac0e6b09143b69b21a7292f9ed6b9c46239..d531d57a375ba33bf11ccf698da5918f1e25f38c 100644
--- a/src/builtins/promise-any.tq
+++ b/src/builtins/promise-any.tq
@@ -106,9 +106,10 @@ PromiseAnyRejectElementClosure(
const index = identityHash - 1;

// 6. Let errors be F.[[Errors]].
- let errors = *ContextSlot(
+ let errorsRef:&FixedArray = ContextSlot(
context,
PromiseAnyRejectElementContextSlots::kPromiseAnyRejectElementErrorsSlot);
+ let errors = *errorsRef;

// 7. Let promiseCapability be F.[[Capability]].

@@ -134,10 +135,7 @@ PromiseAnyRejectElementClosure(
IntPtrMax(SmiUntag(remainingElementsCount) - 1, index + 1);
if (newCapacity > errors.length_intptr) deferred {
errors = ExtractFixedArray(errors, 0, errors.length_intptr, newCapacity);
- *ContextSlot(
- context,
- PromiseAnyRejectElementContextSlots::
- kPromiseAnyRejectElementErrorsSlot) = errors;
+ *errorsRef = errors;
}
errors.objects[index] = value;

@@ -155,6 +153,10 @@ PromiseAnyRejectElementClosure(

// b. Set error.[[AggregateErrors]] to errors.
const error = ConstructAggregateError(errors);
+
+ // After this point, errors escapes to user code. Clear the slot.
+ *errorsRef = kEmptyFixedArray;
+
// c. Return ? Call(promiseCapability.[[Reject]], undefined, « error »).
const capability = *ContextSlot(
context,