| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The previously implicit conversion from blink::FloatRect to gfx::RectF
is no longer available when building with newer XCode. Make those
explicit where needed.
Task-number: QTBUG-108207
Change-Id: Ib195f4e423480557d9ff86571254deafb05de8a2
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/443042
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/444719
| |
When creating DedicatedWorker object with MakeGarbageCollected
initialization done by new placement operator for V8StackTraceId
triggers unaligned access error.
See bug report for the stacktrace.
Do not setup debugger_id in initializer.
Fixes: QTBUG-105908
Task-number: QTBUG-105342
Change-Id: Idc2c9c5795e53168deb536b8f5a0d98339922cba
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
When trying to add event mouse handler on popup shown,
blink tries to create EmptyEventListener, unfortunately
MakeGarbageCollected object initialization with placement new
blows up and triggers accessing unaligned address error.
See bug report for the stacktrace.
Add user defined inlined constructor.
Fixes: QTBUG-105900
Task-number: QTBUG-105342
Change-Id: Ie1b2b38655f27ee98b40806fd6e40f6867b9a76f
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Qemu-arm throws unaligned memory access when trying to
allocate AsyncFindBuffer for cppgc::MakeGarbageCollected,
which uses new placement operator. The issue happens only
when gesture handling code path gets involved.
See bug report for the stacktrace.
Make user defined constructor inline.
Fixes: QTBUG-105817
Task-number: QTBUG-105342
Change-Id: Ib264d91c183f25c93af699a4af02750ebc1f43e8
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Fix weird race condition which ends in endless loop with
single-process, when gpu_channel_host is not ready in
WidgetBase::RequestNewLayerTreeFrameSink and calls
callback with nullptr, which ends in
LayerTreeView::DidFailToInitializeLayerTreeFrameSink
which again calls RequestNewLayerTreeFrameSink without giving
a chance to initialize channel and round repeats itself.
Give 10ms delay to cover the issue.
Task-number: QTBUG-105342
Change-Id: I575c6e9c2d95caa9afd6b0d6bb5e9e2374f264d0
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3803167:
Don't allow cookies with hidden cookie prefixes
Prevent the creation of any cookies that have an empty name field and
whose value impersonates a cookie name prefix.
This will also delete any previously stored cookies that meet the
conditions by causing them to fail their IsCanonical() check.
(cherry picked from commit f9580905b45edb8dfe7da6cd5f26421ab2b5c285)
Bug: 1345193
Change-Id: I7e1adef3391bb7caee183204bb609cd63bcdaea7
Commit-Queue: Steven Bingler <bingler@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1028000}
Owners-Override: Michael Ershov <miersh@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Steven Bingler <bingler@chromium.org>
Reviewed-by: Michael Ershov <miersh@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1685}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3751710:
Don't re-lock DisplayLocks during forced unlock
When a DisplayLock is unlocked via ForceUnlockIfNeeded, subsequent
updates to the DisplayLock can cause it to become locked again which is
problematic.
This patch prevents the DisplayLock from being locked again until the
next frame.
Fixed: 1338135
Change-Id: I07790658e25ea9fe2f4e8de154e3a58e7e08892b
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Reviewed-by: Vladimir Levin <vmpstr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1028405}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Task-number: QTBUG-104065
Change-Id: I1559d97040b600b2cb4189eb5fa7d0721673d68b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit b80db99e96a39c864b7ee0c66fb7e99744196c66)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3757922:
Speculative fix for IsValidCodePointInIndex() range crash
Bug: 1333970
Cq-Include-Trybots: luci.chromium.try:linux-blink-web-tests-force-accessibility-rel
Change-Id: I5a4c78e708357074fdec1f7a18fa928e39f9c51a
Auto-Submit: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1025405}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/268460:
Disallow invalid arguments in RestoreEncodingLayers.
Changing DCHECK into CHECK for good measure.
Bug: chromium:1343889
Change-Id: I2cede85dc2d2a4238739f73afe25275047f4aa50
Reviewed-by: Ilya Nikolaevskiy <ilnik@webrtc.org>
Commit-Queue: Henrik Boström <hbos@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37511}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3770271:
Use WeakPtr in AccountReconcilor to avoid UAF
(cherry picked from commit f65ea3435ff2a10b4e1ce1f855863e8eaa127a04)
Bug: 1341907
Change-Id: I14e8d263e3a5f073d61677fedd53c67395382742
Commit-Queue: David Roger <droger@chromium.org>
Reviewed-by: David Roger <droger@chromium.org>
Commit-Queue: Monica Basta <msalama@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1022147}
Reviewed-by: Monica Basta <msalama@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#1011}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Internals
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3688608:
Sanitize default file name in windows select file dialog
On windows, '%' is a special character and can be used for environment
variables. So if the default file name is '%DATADIR%', it can actually
refer to another directory and thus causing weird behaviors.
And '%' cannot be escaped when used in the file dialog. Both "^%" and
"%%" don't work. This CL mitigates the issue by replacing '%' with '_'.
This only affects the default file name when showing the dialog. Power
users can still change the file name by adding '%' if needed.
BUG=1308422
Change-Id: Ibb275f5c3c2c9458c20d1e97ad527f7c95184eaa
Reviewed-by: Robert Liao <robliao@chromium.org>
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1014602}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3707218:
DOM Code conversion cleanups
Improvements to the DOM Code conversion APIs:
- All APIs now accept strings via StringPiece, and return them
as std::strings, since almost all callers store returned
values in std::strings anyway.
- Common contiguous DomCodes (e.g. US_A->US_Z) have their names
dynamically generated, rather than requiring a lookup through
the table.
Some incidental cleanups:
- Removed unused code-string to USB & native conversions.
- Tidied up comments to group conversions better.
(cherry picked from commit 31103fab10169feb448d4d0c18bc73ed946c6628)
Bug: 1321350
Change-Id: I67f2603c281fa11d1b4d8dce86f3455a1f7c75c2
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Commit-Queue: Michael Spang <spang@chromium.org>
Reviewed-by: Kevin Marshall <kmarshall@chromium.org>
Auto-Submit: Wez <wez@chromium.org>
Reviewed-by: Michael Spang <spang@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1013780}
Commit-Queue: Avi Drissman <avi@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Wez <wez@chromium.org>
Reviewed-by: Wez <wez@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#236}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3648376:
Handle notifications sent by gesture provider during destruction
This CL clears `GestureRecognizerImpl::consumer_gesture_provider_`
explicitly so that the notifications from gesture provider during
destruction are handled by `GestureRecognizerImpl` properly.
Bug: 1325256
Change-Id: Iba3b645fc2ad18331947e5556015567a1e8eb513
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1008393}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3758626:
M104: Better define "first result" in PDFiumEngine::AddFindResult().
Currently, changing the PDF layout confuses AddFindResult() and causes
it to fail a DCHECK(). Adjust AddFindResult() to avoid the failing
DCHECK().
This is a cherry-pick of https://crrev.com/1021389 without the test
changes.
Bug: 1339745
Change-Id: I25c2b6b436700f9aeca4924fef662ad2909f0a8c
Reviewed-by: K. Moon <kmoon@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/branch-heads/5112@{#820}
Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3693143:
[BackgroundFetch] Don't expose URL chain in case of CO redirect
Bug: 1278255
Change-Id: If853327b853e29792e5c8d1dfaeecf21d6fec004
Reviewed-by: Susanne Westphal <swestphal@google.com>
Commit-Queue: Rayan Kanso <rayankans@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1011409}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3712307:
[M96-LTS][Background fetch] passing update_first_party_url_on_redirect=false for fetch
M96 merge issues:
components/download/internal/common/download_utils.cc
Naming conflict for is_main_frame/is_outermost_main_frame
Background fetch doesn't work like regular download as it is not
considered a top frame navigation. This CL lets background fetch
pass update_first_party_url_on_redirect=false to DownloadURLParameters,
and handle it properly w.r.t samesite cookies.
BUG=1268580
Change-Id: I3a1cc33be8578d5d8c796dbbb21fa35a47bdda36
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1016316}
(cherry picked from commit bf1e93c6af21dad12088b615feda07a90a85c158)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3708646:
WebGPU: Mark the context lost on GPU context lost
M102 merge issues:
- dawn_control_client_holder.h/cc:
GetWGPUInstance() not present in M102
Fixes a bug where completely destructing the context instead of
marking it lost when receiving a context lost notification freed
memory still accessible by the page.
Fixed: 1336014
Change-Id: I662e531102af91362b4f62700bfbee507fc44d1f
Commit-Queue: Austin Eng <enga@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1017003}
(cherry picked from commit 6c7f327b7a15aabd3fc5d57e9c05b95d02f1cd36)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
It used an inline variable, which requires C++17 to be used, which
Chromium does not do in the 94 branch yet.
Change-Id: If41f078c06e31a42a147ee42f2c115023c6264db
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2:
* src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
Fixes #1140.
Change-Id: I41ea64c6e68e7c5697463ef205aaa6283ca57773
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/d014387ad4a5dd04d8e7f99587c7dacb70261924:
* src/base/ftobjs.c (ft_open_face_internal): Thinko.
Change-Id: I87abda1c902d1917bd9fbf7b156911a09ebe1b2b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally submitted at
https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5:
* src/base/ftobjs.c (ft_open_face_internal): Properly guard `face_index`.
We must ensure that the cast to `FT_Int` doesn't change the sign.
Fixes #1139.
Change-Id: Ic63e379d5c65bd56d5ca07b80a7015d9f5bc0051
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally submitted on
https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db:
Avoid invalid face index.
Fixes #1138.
* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
Check `face_index` before decrementing.
Change-Id: I1744d27542fc2dd17dada37fa0ade09a0b818b65
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726349:
Fix incorrect text itemization for \r codepoint
M96 merge issues:
render_text_unittest.cc
Tests Clusterfuzz_Issue_1298286/1299054 aren't present
in M96 and caused a merge conflict.
The "\r" codepoint should be split to be rendered in a single
harfbuzz run (same as "\n").
We do recognize these sequences as newline:
\r
\n
\r\n
Previously, the itemization will leave the "\r" with the previous
run. This is leading to incorrect multiline lines splitting.
(cherry picked from commit eee0c5ca752ad50df9986c551cb98226ce078893)
Bug: 1287804
Change-Id: Idfc00a3cf147eb53258d5da9ea105e2d6dc25f05
Commit-Queue: Etienne Bergeron <etienneb@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1014955}
Reviewed-by: Etienne Bergeron <etienneb@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1662}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3765222:
Fix dawn write handle data update OOB check
(cherry picked from commit 0ba6ae3d447de7bc599a191f6792a4e6676f10a3)
Bug: chromium:1340654
Change-Id: I9d87cb868eccc380f707ab6c3c6bdc26c386fbfc
Commit-Queue: Shrek Shao <shrekshao@google.com>
Cr-Original-Commit-Position: refs/heads/main@{#1021911}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1660}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3752921:
Mitigate bad cast in OffscreenCanvas::GetFontSelector
This change will cause the browser to crash if the execution context
is not a Window or WorkerGlobalScope. This is a temporary solution
to handle the case where the execution context is an
AudioWorkletGlobalScope. The longer term solution, which will be
implemented in a follow-up CL, is to block OffscreenCanvas objects from
being transferred to AudioWorklets, as required by the postMessage spec.
BUG=1334864
(cherry picked from commit 028c11e59fd41bc22eff06dbec10fe9b0e82bd04)
Change-Id: Ief5e37eca6dff14098b12cdbe6fc362c3dd87d1d
Auto-Submit: Justin Novosad <junov@chromium.org>
Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
Commit-Queue: Juanmi Huertas <juanmihd@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1017357}
Commit-Queue: Srinivas Sista <srinivassista@chromium.org>
Cr-Commit-Position: refs/branch-heads/5005@{#1254}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3755103:
Merged: [compiler] fix FrameState revisit bug in escape analysis
(cherry picked from commit 17da9e70833014e0a2646db5c11588f0aee02de7)
Bug: chromium:1340335, chromium:1315901
Change-Id: I81cdc6bc3d6c7441ebc333d33801329c05fbd5d4
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/branch-heads/10.2@{#25}
Cr-Branched-From: 374091f382e88095694c1283cbdc2acddc1b1417-refs/heads/10.2.154@{#1}
Cr-Branched-From: f0c353f6315eeb2212ba52478983a3b3af07b5b1-refs/heads/main@{#79976}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3766745:
[M96-LTS] Keep refptr to ServiceWorkerVersion in MaybeTimeoutRequest
The callback in ServiceWorkerVersion::MaybeTimeoutRequest may reduce the
reference to the version object, which can be the last reference to it.
In that case, the object can be destroyed and the `inflight_requests_`
field access after the callback become invalid.
This CL keeps this to avoid the object destruction.
(cherry picked from commit 5926fa916d9ad53c77e31ee757e1979275d7466c)
Bug: 1339844
Change-Id: I6564627bad0527dea007ca73261c5636dab56755
Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1023475}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1663}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3726008:
Use weak ptr for webview JavaScriptDialogHelper callback
M96 merge issues:
javascript_dialog_helper.h:
Conflicting types for web_view_guest_
This can be called asynchronously, potentially after the associated
WebViewGuest is destroyed.
(cherry picked from commit 1c09b9292dba7dfdc28b9bd09c61e3a0faf7b302)
Bug: 1336266
Change-Id: I8a4ec5ab124a9d5ca2ad45b1915666c8b7c98f79
Auto-Submit: Kevin McNee <mcnee@chromium.org>
Commit-Queue: James Maclean <wjmaclean@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1015960}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1665}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3687713:
Fix to invalidate cache when binding Transform Feedback.
Bug: chromium:1330379
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I091116286ac511c50f9abcffa4d3cf350be920b4
Commit-Queue: Jamie Madill <jmadill@chromium.org>
(cherry picked from commit d96cee6685099f6bcc392a4d20d28c8ec484673a)
(cherry picked from commit 9768648fffc94a434a7d400a2542ce3706224417)
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Auto-Submit: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/267628:
Ignore RID that appears without an a=simulcast entry
RID is defined for multiple usages in RFC 8851, but we only support
usage with a=simulcast as specified in RFC 8853.
Bug: chromium:1341043
Change-Id: Ie72074c5b394bdc41865938a86ec9c7629e1f5e0
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37417}
(cherry picked from commit 1c5808145e8b151800b0320b8a7316a09b706488)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/267281:
Do not allow simulcast to be turned off using SDP munging
This is an error that puts the PC into an inconsistent state, so
causing a crash is the right thing to do.
Bug: chromium:1341043
Change-Id: Ie1eb89400ad87f0c83634b7073236b07e92ec7ab
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37391}
(cherry picked from commit 3fe8b0d9a980642ee5ebb1f9e429378b063c1f07)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3726007:
make CanCover() transitive
In addition to checking that a node is owned, CanCover() also needs to
check if there are any side-effects in between the current node and
the merged node. When merging inputs of inputs, this check was done
with the wrong side-effect level of the in-between node.
We partially fixed this before with `CanCoverTransitively`.
This CL addresses the issue by always comparing to the side-effect
level of the node from which we started, making `CanCoverTransitively`
superfluous.
(cherry picked from commit 6048f754931e0971cab58fb0de785482d175175b)
Bug: chromium:1336869
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I78479b32461ede81138f8b5d48d60058cfb5fa0a
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#81217}
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Owners-Override: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/9.6@{#70}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3689639:
Add Stop method to BatchingMediaLog
Now that ~MediaLog is posted for a later destruction due to garbage
collector ownership of CodecLogger, it's possible for the
SendQueuedMediaEvents call from ~BatchingMediaLog to reference
InspectorMediaEventHandler::inspector_context_ after it has been freed.
This fix forces BatchingMediaLog to shut down its logging capabilities
when the destruction call is caused by the garbage collector deletion
phase
R=liberato
Bug: 1333333
Change-Id: I0bdca72a71177c4c5a6a9dc692aad3de4c25f4e2
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Reviewed-by: Eugene Zemtsov <eugene@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1011247}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3691325:
Post media log destruction to avoid destruction
SendQueuedMediaEvents is able to tickle oilpan just enough to cause
the owning BatchingMediaLog to be destroyed in the middle of executing,
causing a UAF.
(cherry picked from commit 57e905d0943695fb96a1a1a251382d15a9b2fee1)
Bug: 1317714
Change-Id: Iac2f32aee70eee183be279b372beb2ff39e6c5a0
Reviewed-by: Frank Liberato <liberato@chromium.org>
Auto-Submit: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Reviewed-by: Thomas Guilbert <tguilbert@chromium.org>
Commit-Queue: Ted (Chromium) Meyer <tmathmeyer@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1009670}
Reviewed-by: Dan Sanders <sandersd@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dan Sanders <sandersd@chromium.org>
Cr-Commit-Position: refs/branch-heads/5005@{#1126}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3599349:
Only allow capturing screenshots from surface for chrome extensions.
Bug: 1116450
Change-Id: Ia4e081dbd44e0d3e2f85248b9e4ec9306e3ceb72
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Auto-Submit: Danil Somsikov <dsv@chromium.org>
Commit-Queue: Danil Somsikov <dsv@chromium.org>
Cr-Commit-Position: refs/heads/main@{#995663}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3638698:
FSA: Sanitize .url files
Bug: 1307930
Change-Id: I7ed3cca5942a5334ba761d269bdd8961fa9d13fe
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Auto-Submit: Austin Sullivan <asully@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1002495}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/3676863:
Set unregister_token to undefined when unregistering
(cherry picked from commit dd3289d7945dac855d1287cf4ea248883e908d54)
Bug: chromium:1321078
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Change-Id: I426327ffc3d7eebdb562c01a87039a93dfb79a88
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#80349}
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/9.6@{#68}
Cr-Branched-From: 0b7bda016178bf438f09b3c93da572ae3663a1f7-refs/heads/9.6.180@{#1}
Cr-Branched-From: 41a5a247d9430b953e38631e88d17790306f7a4c-refs/heads/main@{#77244}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3703779:
[M102] Ensure raw_ptr<T> and T* are treated identically in //base callback.
There are safety checks associated with raw pointers (e.g. ensuring
receiver pointers are not raw pointers). Make sure these checks are
applied whether the input type is T* or raw_ptr<T>.
- Implement base::IsPointer<T> and base::RemovePointer<T>, which are
similar to std::is_pointer<T> and std::remove_pointer<T>, except they
also consider raw_ptr<T> a raw pointer type.
- Fix failures from the strengthened asserts: WebAppInstallFinalizer
does not need a callback at all, while the privacy sandbox dialog
tests can safely use base::Unretained().
- Add test cases to cover this in the //base callback nocompile test
suite.
- Fix the existing nocompile tests, which did not escape `||` and
inadvertently matched any error text.
(cherry picked from commit 00c072a2c7f24921af3bbf8441abb34ecb0551a6)
Bug: 1335458
Change-Id: I470e3d5bc35ed52bf125136db738a868ef90b7e7
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1013266}
Cr-Commit-Position: refs/branch-heads/5005@{#1173}
Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
This is a followup to https://crrev.com/c/3023887, which made operator==
constant time by using BoringSSL helpers. The same CL also aimed to make
operator!= constant time, but accidentally delegated to base::Token's
operator== which is not constant time.
Patch reviewed on: https://chromium-review.googlesource.com/c/chromium/src/+/3269926
Bug: 1004921
Task-number: QTBUG-104477
Change-Id: Ieda8fb6a736ced143831d9bcde75cddaaff50243
Reviewed-by: Marc Mutz <marc.mutz@qt.io>
| |
Use union to wrap array as with neon intrinsics this gets
miscompiled and ends up triggering alignment trap on arm32.
Note the same code without neon support works just fine.
Pick-to: 98-based 102-based
Fixes: QTBUG-104477
Fixes: QTBUG-103149
Change-Id: I9dd183c16874021e62135c5dcfa6865ab9783fcf
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| |
Bundled zlib when cross compiling with neon support
assumes armv8 and requires built-in intrinsics for the
ARMv8-A CRC32. However qt supports armv7 with neon support,
which will end up in false armv8 outcome architecture for
final library and will end up in unusable binaries for
armv7 platform.
Disable neon optimization for crc32, we should use
system zlib anyway which is fixed in other patches.
Task-number: QTBUG-103149
Change-Id: Ibfb5caa67cfea53b4c6a1bc1ed4948816c05ca38
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
(cherry picked from commit 88398c89a7b34606120ff919f873cb59ce3bcf2f)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
| |
Allow redirects from local schemes to local schemes, and clean up
the general logic. We still allow almost anything from custom url
schemes.
Fixes: QTBUG-99207
Change-Id: I7d1b7edc91f82064edbf6c1a41682d5874b42d12
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
(cherry picked from commit 3a4c9ba6936ec8b11a97ea0b3c684b3002f01a12)
| |
Change-Id: Ib9ce0b7750ca2a033b04d46b1d77b525a3a03b83
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3683869:
Ignore eglBind/ReleaseTexImage calls for lost contexts.
eglBindTexImage and eglReleaseTexImage no-op when no context is
current. Extend this to lost contexts to match the behaviour of making
a GL call on a lost context.
This avoids potential unexpected bad accesses in the backends.
Bug: chromium:1316578
Change-Id: I7b309c297e0c803019720733dee2950abb4c4b5f
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Alexis Hétu <sugoi@google.com>
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/3651153:
D3D: Fix race condition with parallel shader compile.
Bug: chromium:1317673
Change-Id: I0fb7c9a66248852e41e8700e80c295393ef941e8
Reviewed-by: Jie A Chen <jie.a.chen@intel.com>
Reviewed-by: Lingfeng Yang <lfy@google.com>
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3669596:
PaintOpReader: Harden PaintImage deserialization
This fix prevents the deserialization of PaintImage pixel data from
reading data out of bounds when the block of serialized pixel data isn't
large enough to cover the expected amount of data, given the size and
format of the image.
Bug: 1325298
Change-Id: Icbeb405d2031d7d8ce4537836d7996ce7885f6d1
Commit-Queue: Justin Novosad <junov@chromium.org>
Reviewed-by: Jonathan Ross <jonross@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1007804}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3584284:
UIDevTools: fix bounds check for websocket connections
Bug: 1313600
Change-Id: Ic97da6e5cf5595d530a100bc8bbbee12467cef05
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Leonard Grey <lgrey@chromium.org>
Cr-Commit-Position: refs/heads/main@{#991786}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3532010:
Fix COOP-based opener removal on FrameTreeNodes.
When a page A opens a page B, B can access A via window.opener. If
either of these pages navigate causing a BrowsingInstance swap, the
links need to be severed. Currently it only works well if B navigates.
If A navigates, we do not find the frames that were opened by it and
remove their openers on the browser side. This is now done in the
RenderFrameHostManager.
We also clarify how this information is carried to the renderer, which
was quite obscure and maybe even involuntary. Explains that the
RenderView suppression will trigger an opener clear.
BUG=1305394
Change-Id: I4bb2a9733c523dac78ffb270877ba07aba6984a4
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Arthur Hemery <ahemery@chromium.org>
Cr-Commit-Position: refs/heads/main@{#985876}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| |
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3669247:
Handle late ACKed touch events more properly
This CL adds an extra function named
`OnGestureProviderAuraWillBeDestroyed()` to `GestureProviderAuraClient`
so that `GestureProviderAuraClient` can respond to destruction of
a `GestureProviderAura` instance.
See the comment 27 under this issue for more details.
(cherry picked from commit d2fdb99a2b5d87c75fef69968d4d477cbd66ebd9)
Bug: 1292264
Change-Id: I53502e896d3a36f9610ca48c11b07422e5b4ce03
Commit-Queue: Andrew Xu <andrewxu@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#984964}
Reviewed-by: Simon Hangl <simonha@google.com>
Owners-Override: Simon Hangl <simonha@google.com>
Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
Cr-Commit-Position: refs/branch-heads/4664@{#1641}
Cr-Branched-From: 24dc4ee75e01a29d390d43c9c264372a169273a7-refs/heads/main@{#929512}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>