chore: cherry-pick 3 changes from Release-5-M120 #41015
Merged
electron/security#451 - 46cb67e3b296 from v8
[codegen] Install BytecodeArray last in SharedFunctionInfo

Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
then it should also have FeedbackMetadata. However, this may not
hold with concurrent compilation when the SharedFunctionInfo is
re-compiled after being flushed. Here the BytecodeArray was installed
on the SFI before the FeedbackMetadata and a concurrent thread could
observe the BytecodeArray but not the FeedbackMetadata.
Drive-by: Reset the age field before setting the BytecodeArray as
well. This ensures that the concurrent marker will not observe the
old age for the new BytecodeArray.
Bug: chromium:1507412
Change-Id: I8855ed7ecc50c4a47d2c89043d62ac053858bc75
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5125960
Reviewed-by: Leszek Swirski leszeks@chromium.org
Commit-Queue: Dominik Inführ dinfuehr@chromium.org
Cr-Commit-Position: refs/heads/main@{#91568}
electron/security#452 - c1cda70a433a from chromium
Speculative fix for UAF in content::WebContentsImpl::ExitFullscreenMode

Bug: 1506535, 854815
Change-Id: Iace64d63f8cea2dbfbc761ad233db42451ec101c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5146875
Commit-Queue: John Abd-El-Malek jam@chromium.org
Auto-Submit: Mike Wasserman msw@chromium.org
Reviewed-by: John Abd-El-Malek jam@chromium.org
Cr-Commit-Position: refs/heads/main@{#1240353}
electron/security#450 - 78dd4b31847a from v8
[maglev] Fix allocation folding in derived constructors

Bug: v8:7700
Change-Id: Ia33724d39d1397c7d47c36d14071abce6ed4b0fc
Fixed: chromium:1515930
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5173470
Commit-Queue: Patrick Thier pthier@chromium.org
Reviewed-by: Patrick Thier pthier@chromium.org
Commit-Queue: Leszek Swirski leszeks@chromium.org
Auto-Submit: Leszek Swirski leszeks@chromium.org
Cr-Commit-Position: refs/heads/main@{#91709}
Notes: