Version in base suite: 79.0.3945.130-1~deb10u1 Version in overlay suite: 80.0.3987.132-1~deb10u1 Base version: chromium_80.0.3987.132-1~deb10u1 Target version: chromium_80.0.3987.149-1~deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/chromium/chromium_80.0.3987.132-1~deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/chromium/chromium_80.0.3987.149-1~deb10u1.dsc DEPS | 8 build/util/LASTCHANGE | 2 build/util/LASTCHANGE.committime | 2 chrome/VERSION | 2 chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc | 2 chromeos/constants/chromeos_features.cc | 4 chromeos/profiles/airmont.afdo.newest.txt | 2 components/arc/mojom/net.mojom | 5 components/arc/net/arc_net_host_impl.cc | 74 ++++++-- components/arc/net/arc_net_host_impl.h | 8 content/browser/font_unique_name_lookup/font_unique_name_browsertest.cc | 12 - content/browser/frame_host/render_frame_host_impl.cc | 4 content/browser/renderer_host/dwrite_font_lookup_table_builder_win.cc | 69 ++++++- content/browser/renderer_host/dwrite_font_lookup_table_builder_win.h | 17 + debian/changelog | 18 ++ gpu/config/gpu_lists_version.h | 2 media/gpu/vaapi/vaapi_video_decode_accelerator.cc | 90 ++++++---- media/gpu/vaapi/vaapi_video_decode_accelerator.h | 23 +- media/gpu/vaapi/vaapi_video_decode_accelerator_unittest.cc | 14 - media/gpu/vaapi/vaapi_wrapper.h | 6 media/mojo/services/mojo_video_encode_accelerator_service.cc | 7 net/http/http_cache_transaction.cc | 3 third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc | 2 third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h | 5 third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc | 2 third_party/blink/renderer/modules/webaudio/biquad_filter_node.h | 4 third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc | 5 third_party/blink/renderer/modules/webaudio/deferred_task_handler.h | 4 third_party/blink/renderer/modules/webaudio/iir_filter_node.cc | 6 
third_party/blink/renderer/modules/webaudio/iir_filter_node.h | 4 third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc | 2 third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c | 5 third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c | 7 v8/include/v8-version.h | 2 v8/src/builtins/builtins-intl.cc | 73 +++----- 35 files changed, 336 insertions(+), 159 deletions(-) diff: /srv/release.debian.org/tmp/apUMyoN5mx/chromium-80.0.3987.132/third_party/perfetto/test/data: No such file or directory diff: /srv/release.debian.org/tmp/d2XEp6yKsj/chromium-80.0.3987.149/third_party/perfetto/test/data: No such file or directory diff -Nru chromium-80.0.3987.132/DEPS chromium-80.0.3987.149/DEPS --- chromium-80.0.3987.132/DEPS 2020-03-03 18:53:46.000000000 +0000 +++ chromium-80.0.3987.149/DEPS 2020-03-17 21:56:24.000000000 +0000 @@ -40,7 +40,7 @@ vars = { - "buildspec_platforms": "linux64, mac64, win, win64, android", + "buildspec_platforms": "linux64, mac64, win, win64, android, chromeos", # Variable that can be used to support multiple build scenarios, like having # Chromium specific targets in a client project's GN file or sync dependencies # conditionally etc. @@ -177,7 +177,7 @@ # Three lines of non-changing comments so that # the commit queue can handle CLs rolling V8 # and whatever else without interference from each other. - 'v8_revision': '2ad0a63d4a25377f3dc5eae52ef87505518867e8', + 'v8_revision': '9c25291e705136181ede345dabcf05fb054812af', # Three lines of non-changing comments so that # the commit queue can handle CLs rolling swarming_client # and whatever else without interference from each other. 
@@ -1476,7 +1476,7 @@ }, 'src/third_party/usrsctp/usrsctplib': - Var('chromium_git') + '/external/github.com/sctplab/usrsctp' + '@' + '7a8bc9a90ca96634aa56ee712856d97f27d903f8', + Var('chromium_git') + '/external/github.com/sctplab/usrsctp' + '@' + 'a68325e7d9ed844cc84ec134192d788586ea6cc1', # Display server protocol for Linux. 'src/third_party/wayland/src': { @@ -1573,7 +1573,7 @@ Var('chromium_git') + '/v8/v8.git' + '@' + Var('v8_revision'), 'src-internal': { - 'url': 'https://chrome-internal.googlesource.com/chrome/src-internal.git@f945199c3689ef52e7b1ca2a724115268f11b786', + 'url': 'https://chrome-internal.googlesource.com/chrome/src-internal.git@bc883829023812e219a69491c234d814a25a8a48', 'condition': 'checkout_src_internal', }, diff -Nru chromium-80.0.3987.132/build/util/LASTCHANGE chromium-80.0.3987.149/build/util/LASTCHANGE --- chromium-80.0.3987.132/build/util/LASTCHANGE 2020-03-03 19:02:00.000000000 +0000 +++ chromium-80.0.3987.149/build/util/LASTCHANGE 2020-03-17 22:12:26.000000000 +0000 @@ -1 +1 @@ -LASTCHANGE=fcea73228632975e052eb90fcf6cd1752d3b42b4-refs/branch-heads/3987@{#974} +LASTCHANGE=5f4eb224680e5d7dca88504586e9fd951840cac6-refs/branch-heads/3987_137@{#16} diff -Nru chromium-80.0.3987.132/build/util/LASTCHANGE.committime chromium-80.0.3987.149/build/util/LASTCHANGE.committime --- chromium-80.0.3987.132/build/util/LASTCHANGE.committime 2020-03-03 19:02:00.000000000 +0000 +++ chromium-80.0.3987.149/build/util/LASTCHANGE.committime 2020-03-17 22:12:26.000000000 +0000 @@ -1 +1 @@ -1582942554 \ No newline at end of file +1584384788 \ No newline at end of file diff -Nru chromium-80.0.3987.132/chrome/VERSION chromium-80.0.3987.149/chrome/VERSION --- chromium-80.0.3987.132/chrome/VERSION 2020-03-03 18:53:47.000000000 +0000 +++ chromium-80.0.3987.149/chrome/VERSION 2020-03-17 21:56:25.000000000 +0000 
@@ -1,4 +1,4 @@ MAJOR=80 MINOR=0 BUILD=3987 -PATCH=132 +PATCH=149 diff -Nru chromium-80.0.3987.132/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc chromium-80.0.3987.149/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc --- chromium-80.0.3987.132/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc 2020-03-03 18:53:51.000000000 +0000 +++ chromium-80.0.3987.149/chrome/browser/chromeos/ownership/owner_settings_service_chromeos.cc 2020-03-17 21:56:27.000000000 +0000 @@ -419,7 +419,7 @@ policy->set_timestamp( (base::Time::Now() - base::Time::UnixEpoch()).InMilliseconds()); policy->set_username(user_id); - if (policy_data->management_mode() == em::PolicyData::LOCAL_OWNER) + if (policy->management_mode() == em::PolicyData::LOCAL_OWNER) FixupLocalOwnerPolicy(user_id, settings); if (!settings->SerializeToString(policy->mutable_policy_value())) return std::unique_ptr(); diff -Nru chromium-80.0.3987.132/chromeos/constants/chromeos_features.cc chromium-80.0.3987.149/chromeos/constants/chromeos_features.cc --- chromium-80.0.3987.132/chromeos/constants/chromeos_features.cc 2020-03-03 18:53:53.000000000 +0000 +++ chromium-80.0.3987.149/chromeos/constants/chromeos_features.cc 2020-03-17 21:56:29.000000000 +0000 
@@ -200,8 +200,8 @@ base::FEATURE_ENABLED_BY_DEFAULT}; // Enables or disables Release Notes notifications on Chrome OS. -const base::Feature kReleaseNotesNotification{"ReleaseNotesNotification", - base::FEATURE_ENABLED_BY_DEFAULT}; +const base::Feature kReleaseNotesNotification{ + "ReleaseNotesNotification", base::FEATURE_DISABLED_BY_DEFAULT}; // Enables or disables long kill timeout for session manager daemon. When // enabled, session manager daemon waits for a longer time (e.g. 12s) for chrome diff -Nru chromium-80.0.3987.132/chromeos/profiles/airmont.afdo.newest.txt chromium-80.0.3987.149/chromeos/profiles/airmont.afdo.newest.txt --- chromium-80.0.3987.132/chromeos/profiles/airmont.afdo.newest.txt 2020-03-03 18:53:53.000000000 +0000 +++ chromium-80.0.3987.149/chromeos/profiles/airmont.afdo.newest.txt 2020-03-17 21:56:29.000000000 +0000 @@ -1 +1 @@ -chromeos-chrome-amd64-airmont-80-3987.89-1581937220-benchmark-80.0.3987.129-r1-redacted.afdo.xz \ No newline at end of file +chromeos-chrome-amd64-airmont-80-3987.89-1581937220-benchmark-80.0.3987.134-r1-redacted.afdo.xz \ No newline at end of file diff -Nru chromium-80.0.3987.132/components/arc/mojom/net.mojom chromium-80.0.3987.149/components/arc/mojom/net.mojom --- chromium-80.0.3987.132/components/arc/mojom/net.mojom 2020-03-03 18:53:53.000000000 +0000 +++ chromium-80.0.3987.149/components/arc/mojom/net.mojom 2020-03-17 21:56:29.000000000 +0000 @@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -// Next MinVersion: 12 +// Next MinVersion: 13 // This file defines the mojo interface between the ARC networking stack and // Chrome OS. There are three different groups of interactions: 
@@ -210,6 +210,9 @@ // True if this network is the host default network. [MinVersion=11] bool is_default_network; + + // The name of the shill service associated with this network connection. + [MinVersion=12] string? service_name; }; // Describes a Wifi network configuration that ARC has requested the host to diff -Nru chromium-80.0.3987.132/components/arc/net/arc_net_host_impl.cc chromium-80.0.3987.149/components/arc/net/arc_net_host_impl.cc --- chromium-80.0.3987.132/components/arc/net/arc_net_host_impl.cc 2020-03-03 18:53:53.000000000 +0000 +++ chromium-80.0.3987.149/components/arc/net/arc_net_host_impl.cc 2020-03-17 21:56:29.000000000 +0000 @@ -37,6 +37,10 @@ namespace { constexpr int kGetNetworksListLimit = 100; +// Delay in millisecond before asking for a network property update when no IP +// configuration can be retrieved for a network. +constexpr base::TimeDelta kNetworkPropertyUpdateDelay = + base::TimeDelta::FromMilliseconds(5000); chromeos::NetworkStateHandler* GetStateHandler() { return chromeos::NetworkHandler::Get()->network_state_handler(); @@ -173,6 +177,13 @@ return configuration; } +// Returns true if the IP configuration is valid enough for ARC. Empty IP +// config objects can be generated when IPv4 DHCP or IPv6 autoconf has not +// completed yet. +bool IsValidIPConfiguration(const arc::mojom::IPConfiguration& ip_config) { + return !ip_config.ip_address.empty() && !ip_config.gateway.empty(); +} + // Returns an IPConfiguration vector from the IPConfigs ONC property, which may // include multiple IP configurations (e.g. IPv4 and IPv6). std::vector IPConfigurationsFromONCIPConfigs( @@ -184,7 +195,7 @@ std::vector result; for (const auto& entry : ip_config_list->GetList()) { arc::mojom::IPConfigurationPtr config = TranslateONCIPConfig(&entry); - if (config) + if (config && IsValidIPConfiguration(*config)) result.push_back(std::move(config)); } return result; 
@@ -199,7 +210,7 @@ if (!ip_dict) return {}; arc::mojom::IPConfigurationPtr config = TranslateONCIPConfig(ip_dict); - if (!config) + if (!config || !IsValidIPConfiguration(*config)) return {}; std::vector result; result.push_back(std::move(config)); @@ -279,10 +290,6 @@ network->network_interface = device->interface(); - // IP configurations were already obtained through cached ONC properties. - if (network->ip_configs) - return; - std::vector ip_configs; for (const auto& kv : device->ip_configs()) { auto ip_config = arc::mojom::IPConfiguration::New(); @@ -312,10 +319,14 @@ ip_config->name_servers.push_back(dns); } } - ip_configs.push_back(std::move(ip_config)); + if (IsValidIPConfiguration(*ip_config)) + ip_configs.push_back(std::move(ip_config)); } - network->ip_configs = std::move(ip_configs); + // If the DeviceState had any IP configuration, always use them and ignore + // any other IP configuration previously obtained through NetworkState. + if (!ip_configs.empty()) + network->ip_configs = std::move(ip_configs); } arc::mojom::NetworkConfigurationPtr TranslateONCConfiguration( @@ -342,8 +353,7 @@ ip_configs = IPConfigurationsFromONCProperty( dict, onc::network_config::kSavedIPConfig); } - if (!ip_configs.empty()) - mojo->ip_configs = std::move(ip_configs); + mojo->ip_configs = std::move(ip_configs); mojo->guid = GetStringFromONCDictionary(dict, onc::network_config::kGUID, true /* required */); @@ -402,6 +412,7 @@ state, chromeos::network_util::TranslateNetworkStateToONC(state).get()); network->is_default_network = (network_path == GetStateHandler()->default_network_path()); + network->service_name = network_path; networks.push_back(std::move(network)); } return networks; 
@@ -863,15 +874,14 @@ void ArcNetHostImpl::DefaultNetworkChanged( const chromeos::NetworkState* network) { UpdateDefaultNetwork(); + UpdateActiveNetworks(); +} - // If the the default network switched between two networks, also send an - // ActiveNetworkChanged notification to let ARC observe the switch. +void ArcNetHostImpl::UpdateActiveNetworks() { chromeos::NetworkStateHandler::NetworkStateList network_states; GetStateHandler()->GetActiveNetworkListByType( chromeos::NetworkTypePattern::Default(), &network_states); - if (network_states.size() > 1) { - ActiveNetworksChanged(network_states); - } + ActiveNetworksChanged(network_states); } void ArcNetHostImpl::DeviceListChanged() { 
@@ -1100,15 +1110,49 @@ std::vector network_configurations = TranslateNetworkStates(arc_vpn_service_path_, active_networks); + + // A newly connected network may not immediately have any usable IP config + // object if IPv4 dhcp or IPv6 autoconf have not completed yet. Schedule + // with a few seconds delay a forced property update for that service to + // ensure the IP configuration is sent to ARC. Ensure that at most one such + // request is scheduled for a given service. + for (const auto& network : network_configurations) { + if (!network->ip_configs->empty()) + continue; + + if (!network->service_name) + continue; + + const std::string& path = network->service_name.value(); + if (pending_service_property_requests_.insert(path).second) { + LOG(WARNING) << "No IP configuration for " << path; + // TODO(hugobenichi): add exponential backoff for the case when IP + // configuration stays unavailable. + base::ThreadTaskRunnerHandle::Get()->PostDelayedTask( + FROM_HERE, + base::BindOnce(&ArcNetHostImpl::RequestUpdateForNetwork, + weak_factory_.GetWeakPtr(), path), + kNetworkPropertyUpdateDelay); + } + } + net_instance->ActiveNetworksChanged(std::move(network_configurations)); } +void ArcNetHostImpl::RequestUpdateForNetwork(const std::string& service_path) { + // TODO(hugobenichi): skip the request if the IP configuration for this + // service has been received since then and ARC has been notified about it. + pending_service_property_requests_.erase(service_path); + GetStateHandler()->RequestUpdateForNetwork(service_path); +} + void ArcNetHostImpl::NetworkListChanged() { // This is invoked any time the list of services is reordered or changed. // During the transition when a new service comes online, it will // temporarily be ranked below "inferior" services. This callback // informs us that shill's ordering has been updated. 
UpdateDefaultNetwork(); + UpdateActiveNetworks(); } void ArcNetHostImpl::OnShuttingDown() { diff -Nru chromium-80.0.3987.132/components/arc/net/arc_net_host_impl.h chromium-80.0.3987.149/components/arc/net/arc_net_host_impl.h --- chromium-80.0.3987.132/components/arc/net/arc_net_host_impl.h 2020-03-03 18:53:53.000000000 +0000 +++ chromium-80.0.3987.149/components/arc/net/arc_net_host_impl.h 2020-03-17 21:56:29.000000000 +0000 @@ -7,6 +7,7 @@ #include #include +#include #include #include @@ -107,6 +108,7 @@ private: const chromeos::NetworkState* GetDefaultNetworkFromChrome(); void UpdateDefaultNetwork(); + void UpdateActiveNetworks(); void DefaultNetworkSuccessCallback(const std::string& service_path, const base::DictionaryValue& dictionary); @@ -151,11 +153,17 @@ const std::string& error_name, std::unique_ptr error_data); + // Request properties of the Service corresponding to |service_path|. + void RequestUpdateForNetwork(const std::string& service_path); + ArcBridgeService* const arc_bridge_service_; // Owned by ArcServiceManager. // True if the chrome::NetworkStateHandler is currently being observed for // state changes. bool observing_network_state_ = false; + // Contains all service paths for which a property update request is + // currently scheduled. + std::set pending_service_property_requests_; std::string cached_service_path_; std::string cached_guid_; diff -Nru chromium-80.0.3987.132/content/browser/font_unique_name_lookup/font_unique_name_browsertest.cc chromium-80.0.3987.149/content/browser/font_unique_name_lookup/font_unique_name_browsertest.cc --- chromium-80.0.3987.132/content/browser/font_unique_name_lookup/font_unique_name_browsertest.cc 2020-03-03 18:53:54.000000000 +0000 +++ chromium-80.0.3987.149/content/browser/font_unique_name_lookup/font_unique_name_browsertest.cc 2020-03-17 21:56:30.000000000 +0000 
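Review bot: In the new loop in `ArcNetHostImpl::ActiveNetworksChanged` (hunk at -1100), `network->ip_configs->empty()` dereferences an optional field without first checking that it is set, while `service_name` two lines below is checked before `.value()`. It holds only because the -342 hunk now makes `TranslateONCConfiguration` assign `ip_configs` unconditionally; the -312 hunk, by contrast, assigns it only when the device had a valid configuration. I would make the guard self-contained with `if (network->ip_configs && !network->ip_configs->empty()) continue;`, so that a later change to the translation code cannot turn this into a dereference of an empty optional. The function body starts outside the hunk.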
@@ -117,20 +117,10 @@ } #if defined(OS_WIN) - // The Windows service for font unique name lookup needs a cache directory to - // persist the cached information. Configure a temporary one before running - // this test. - void SetUpInProcessBrowserTestFixture() override { - DevToolsProtocolTest::SetUpInProcessBrowserTestFixture(); - DWriteFontLookupTableBuilder* table_builder = - DWriteFontLookupTableBuilder::GetInstance(); - ASSERT_TRUE(cache_directory_.CreateUniqueTempDir()); - table_builder->SetCacheDirectoryForTesting(cache_directory_.GetPath()); - } - void PreRunTestOnMainThread() override { DWriteFontLookupTableBuilder* table_builder = DWriteFontLookupTableBuilder::GetInstance(); + table_builder->ResetStateForTesting(); table_builder->SchedulePrepareFontUniqueNameTableIfNeeded(); DevToolsProtocolTest::PreRunTestOnMainThread(); } diff -Nru chromium-80.0.3987.132/content/browser/frame_host/render_frame_host_impl.cc chromium-80.0.3987.149/content/browser/frame_host/render_frame_host_impl.cc --- chromium-80.0.3987.132/content/browser/frame_host/render_frame_host_impl.cc 2020-03-03 18:53:54.000000000 +0000 +++ chromium-80.0.3987.149/content/browser/frame_host/render_frame_host_impl.cc 2020-03-17 21:56:30.000000000 +0000 @@ -737,6 +737,8 @@ std::move(callback_).Run(nullptr); } + void ResetProxy() { proxy_ = nullptr; } + private: class ListenerProxy : public content::FileSelectListener { public: 
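Review bot: `ResetProxy()` (hunk at -737) is added to the public section with no comment saying who may call it, and its only visible caller is the `ListenerProxy` destructor in the -747 hunk, which uses it to clear the owner's raw `proxy_` pointer. I would document that contract at the declaration, for example `// Called from ~ListenerProxy so |proxy_| is never left pointing at a destroyed listener.` Both class bodies start and end outside these hunks, so whether every other reader of `proxy_` null-checks it cannot be confirmed from here and is worth checking.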
@@ -747,6 +749,8 @@ << "Should call either FileSelectListener::FileSelected() or " "FileSelectListener::FileSelectionCanceled()"; #endif + if (owner_) + owner_->ResetProxy(); } void ResetOwner() { owner_ = nullptr; } diff -Nru chromium-80.0.3987.132/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.cc chromium-80.0.3987.149/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.cc --- chromium-80.0.3987.132/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.cc 2020-03-03 18:53:54.000000000 +0000 +++ chromium-80.0.3987.149/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.cc 2020-03-17 21:56:30.000000000 +0000 
@@ -129,16 +129,30 @@ DWriteFontLookupTableBuilder::DWriteFontLookupTableBuilder() : font_indexing_timeout_(kFontIndexingTimeoutDefault) { + ResetCallbacksAccessTaskRunner(); InitializeCacheDirectoryFromProfile(); } +void DWriteFontLookupTableBuilder::ResetCallbacksAccessTaskRunner() { + callbacks_access_task_runner_ = base::CreateSequencedTaskRunner({ + base::ThreadPool(), +#if DCHECK_IS_ON() + // Needed for DCHECK in DuplicateMemoryRegion() which performs file + // operations to detect cache directory. + base::MayBlock(), +#endif + base::TaskPriority::USER_VISIBLE, + base::TaskShutdownBehavior::SKIP_ON_SHUTDOWN + }); + DETACH_FROM_SEQUENCE(callbacks_access_sequence_checker_); +} + void DWriteFontLookupTableBuilder::InitializeCacheDirectoryFromProfile() { - // In FontUniqueNameBrowserTest the DWriteFontLookupTableBuilder is - // instantiated to configure the cache directory for testing explicitly before - // GetContentClient() is available. Catch this case here. It is safe to not - // set the cache directory here, as an invalid cache directory would be - // detected by TableCacheFilePath and the LoadFromFile and PersistToFile - // methods. + // Unit tests that do not launch a full browser environment usually don't need + // testing of src:local()-style font matching. Check that an environment is + // present here and configcure the cache directory based on that. If none is + // configured, catch this in DuplicateMemoryRegion(), i.e. when a client + // tries to use this API. cache_directory_ = GetContentClient() && GetContentClient()->browser() ? GetContentClient()->browser()->GetFontLookupTableCacheDir() 
@@ -250,7 +264,8 @@ return font_indexing_timeout_; } -void DWriteFontLookupTableBuilder::PostCallbacks() { +void DWriteFontLookupTableBuilder::PostCallbacksImpl() { + DCHECK_CALLED_ON_VALID_SEQUENCE(callbacks_access_sequence_checker_); for (auto& pending_callback : pending_callbacks_) { pending_callback.task_runner->PostTask( FROM_HERE, base::BindOnce(std::move(pending_callback.mojo_callback), @@ -259,6 +274,13 @@ pending_callbacks_.clear(); } +void DWriteFontLookupTableBuilder::PostCallbacks() { + callbacks_access_task_runner_->PostTask( + FROM_HERE, + base::BindOnce(&DWriteFontLookupTableBuilder::PostCallbacksImpl, + base::Unretained(this))); +} + base::FilePath DWriteFontLookupTableBuilder::TableCacheFilePath() { if (!EnsureCacheDirectory(cache_directory_)) return base::FilePath(); 
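Review bot: The new `PostCallbacks()` (hunk at -259) binds `base::Unretained(this)` into a task posted to a thread-pool sequence, and `QueueShareMemoryRegionWhenReady()` in the -300 hunk does the same, with no comment on why the raw pointer is still valid when the task runs. The browser test obtains the builder through `GetInstance()`, so it is presumably a process-lifetime singleton; if so, say it at both bind sites, e.g. `// base::Unretained is safe: |this| is a singleton that outlives the task runner (confirm).` Separately, `ResetCallbacksAccessTaskRunner()` replaces the runner and detaches the sequence checker, so a task still queued on the old runner could touch `pending_callbacks_` off the new sequence. The header comment should state that it may only be called when no callbacks are pending.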
@@ -300,18 +322,38 @@ DWriteFontLookupTableBuilder::CallbackOnTaskRunner::~CallbackOnTaskRunner() = default; +void DWriteFontLookupTableBuilder::QueueShareMemoryRegionWhenReadyImpl( + scoped_refptr task_runner, + blink::mojom::DWriteFontProxy::GetUniqueNameLookupTableCallback callback) { + DCHECK_CALLED_ON_VALID_SEQUENCE(callbacks_access_sequence_checker_); + + // Don't queue but post response directly if the table is already ready for + // sharing with renderers to cover the condition in which the font table + // becomes ready briefly after a renderer asking for + // GetUniqueNameLookupTableIfAvailable(), receiving the information that it + // wasn't ready. (https://crbug.com/977283) + if (font_table_built_.IsSignaled()) { + task_runner->PostTask(FROM_HERE, base::BindOnce(std::move(callback), + DuplicateMemoryRegion())); + return; + } + + pending_callbacks_.push_back( + CallbackOnTaskRunner(std::move(task_runner), std::move(callback))); +} + void DWriteFontLookupTableBuilder::QueueShareMemoryRegionWhenReady( scoped_refptr task_runner, blink::mojom::DWriteFontProxy::GetUniqueNameLookupTableCallback callback) { TRACE_EVENT0("dwrite,fonts", "DWriteFontLookupTableBuilder::QueueShareMemoryRegionWhenReady"); DCHECK(!HasDWriteUniqueFontLookups()); - pending_callbacks_.emplace_back(std::move(task_runner), std::move(callback)); - // Cover for the condition in which the font table becomes ready briefly after - // a renderer asking for GetUniqueNameLookupTableIfAvailable(), receiving the - // information that it wasn't ready. - if (font_table_built_.IsSignaled()) - PostCallbacks(); + CHECK(callbacks_access_task_runner_); + callbacks_access_task_runner_->PostTask( + FROM_HERE, + base::BindOnce( + &DWriteFontLookupTableBuilder::QueueShareMemoryRegionWhenReadyImpl, + base::Unretained(this), std::move(task_runner), std::move(callback))); } bool DWriteFontLookupTableBuilder::FontUniqueNameTableReady() { 
@@ -730,6 +772,7 @@ font_indexing_timeout_ = kFontIndexingTimeoutDefault; font_table_memory_ = base::MappedReadOnlyRegion(); caching_enabled_ = true; + ResetCallbacksAccessTaskRunner(); font_table_built_.Reset(); } diff -Nru chromium-80.0.3987.132/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.h chromium-80.0.3987.149/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.h --- chromium-80.0.3987.132/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.h 2020-03-03 18:53:54.000000000 +0000 +++ chromium-80.0.3987.149/content/browser/renderer_host/dwrite_font_lookup_table_builder_win.h 2020-03-17 21:56:30.000000000 +0000 @@ -176,6 +176,21 @@ // constructed protobuf to disk. void FinalizeFontTable(); + // Internal implementation of adding a callback request to the list in order + // to sequentialise access to pending_callbacks_. + void QueueShareMemoryRegionWhenReadyImpl( + scoped_refptr task_runner, + blink::mojom::DWriteFontProxy::GetUniqueNameLookupTableCallback callback); + + // Internal implementation of posting the callbacks, running on the sequence + // that sequentialises access to pending_callbacks_. + void PostCallbacksImpl(); + + // Resets the internal task runner guarding access to pending_callbacks_, used + // in unit tests, as the TaskEnvironment used in tests tears down and resets + // the ThreadPool between tests, and the TaskRunner depends on it. + void ResetCallbacksAccessTaskRunner(); + void OnTimeout(); bool IsFontUniqueNameTableValid(); 
@@ -232,6 +247,8 @@ std::vector pending_callbacks_; std::map scanning_error_reasons_; + scoped_refptr callbacks_access_task_runner_; + SEQUENCE_CHECKER(callbacks_access_sequence_checker_); DISALLOW_COPY_AND_ASSIGN(DWriteFontLookupTableBuilder); }; diff -Nru chromium-80.0.3987.132/debian/changelog chromium-80.0.3987.149/debian/changelog --- chromium-80.0.3987.132/debian/changelog 2020-03-08 12:30:34.000000000 +0000 +++ chromium-80.0.3987.149/debian/changelog 2020-03-21 14:56:46.000000000 +0000 @@ -1,3 +1,21 @@ +chromium (80.0.3987.149-1~deb10u1) buster-security; urgency=medium + + * New upstream security release. + - CVE-2019-20503: Out of bounds read in usersctplib. Reported by Natalie + Silvanovich + - CVE-2020-6422: Use after free in WebGL. Reported by David Manouchehri + - CVE-2020-6424: Use after free in media. Reported by Sergei Glazunov + - CVE-2020-6425: Insufficient policy enforcement in extensions. Reported by + Sergei Glazunov + - CVE-2020-6426: Inappropriate implementation in V8. Reported by Avihay + Cohen + - CVE-2020-6427: Use after free in audio. Reported by Man Yue Mo + - CVE-2020-6428: Use after free in audio. Reported by Man Yue Mo + - CVE-2020-6429: Use after free in audio. Reported by Man Yue Mo + - CVE-2020-6449: Use after free in audio. Reported by Man Yue Mo + + -- Michael Gilbert Sat, 21 Mar 2020 14:56:46 +0000 + chromium (80.0.3987.132-1~deb10u1) buster-security; urgency=medium * New upstream security release. diff -Nru chromium-80.0.3987.132/gpu/config/gpu_lists_version.h chromium-80.0.3987.149/gpu/config/gpu_lists_version.h --- chromium-80.0.3987.132/gpu/config/gpu_lists_version.h 2020-03-03 19:02:00.000000000 +0000 +++ chromium-80.0.3987.149/gpu/config/gpu_lists_version.h 2020-03-17 22:12:26.000000000 +0000 
@@ -3,6 +3,6 @@ #ifndef GPU_CONFIG_GPU_LISTS_VERSION_H_ #define GPU_CONFIG_GPU_LISTS_VERSION_H_ -#define GPU_LISTS_VERSION "fcea73228632975e052eb90fcf6cd1752d3b42b4" +#define GPU_LISTS_VERSION "5f4eb224680e5d7dca88504586e9fd951840cac6" #endif // GPU_CONFIG_GPU_LISTS_VERSION_H_ diff -Nru chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator.cc chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator.cc --- chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator.cc 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator.cc 2020-03-17 21:56:31.000000000 +0000 @@ -115,6 +115,24 @@ DISALLOW_COPY_AND_ASSIGN(InputBuffer); }; +class VaapiVideoDecodeAccelerator::ScopedVASurfaceID { + public: + using ReleaseCB = base::OnceCallback; + + ScopedVASurfaceID(VASurfaceID va_surface_id, ReleaseCB release_cb) + : va_surface_id_(va_surface_id), release_cb_(std::move(release_cb)) {} + ~ScopedVASurfaceID() { std::move(release_cb_).Run(va_surface_id_); } + + ScopedVASurfaceID& operator=(const ScopedVASurfaceID&) = delete; + ScopedVASurfaceID(const ScopedVASurfaceID&) = delete; + + VASurfaceID va_surface_id() const { return va_surface_id_; } + + private: + const VASurfaceID va_surface_id_; + ReleaseCB release_cb_; +}; + void VaapiVideoDecodeAccelerator::NotifyError(Error error) { if (!task_runner_->BelongsToCurrentThread()) { DCHECK(decoder_thread_task_runner_->BelongsToCurrentThread()); 
@@ -157,8 +175,8 @@ bind_image_cb_(bind_image_cb), weak_this_factory_(this) { weak_this_ = weak_this_factory_.GetWeakPtr(); - va_surface_release_cb_ = BindToCurrentLoop(base::BindRepeating( - &VaapiVideoDecodeAccelerator::RecycleVASurfaceID, weak_this_)); + va_surface_recycle_cb_ = BindToCurrentLoop(base::BindRepeating( + &VaapiVideoDecodeAccelerator::RecycleVASurface, weak_this_)); base::trace_event::MemoryDumpManager::GetInstance()->RegisterDumpProvider( this, "media::VaapiVideoDecodeAccelerator", base::ThreadTaskRunnerHandle::Get()); @@ -566,12 +584,8 @@ // All surfaces released, destroy them and dismiss all PictureBuffers. awaiting_va_surfaces_recycle_ = false; - if (buffer_allocation_mode_ != BufferAllocationMode::kNone) { - vaapi_wrapper_->DestroyContextAndSurfaces(std::vector( - available_va_surfaces_.begin(), available_va_surfaces_.end())); - } else { - vaapi_wrapper_->DestroyContext(); - } + vaapi_wrapper_->DestroyContext(); + available_va_surfaces_.clear(); for (auto iter = pictures_.begin(); iter != pictures_.end(); ++iter) { @@ -683,7 +697,6 @@ picture->Allocate(vaapi_picture_factory_->GetBufferFormat()), "Failed to allocate memory for a VaapiPicture", PLATFORM_FAILURE, ); available_picture_buffers_.push_back(buffers[i].id()); - VASurfaceID va_surface_id = picture->va_surface_id(); if (va_surface_id != VA_INVALID_ID) va_surface_ids.push_back(va_surface_id); @@ -695,6 +708,8 @@ surfaces_available_.Signal(); } + base::RepeatingCallback va_surface_release_cb; + // If we aren't in BufferAllocationMode::kNone, we use |va_surface_ids| for // decode, otherwise ask |vaapi_wrapper_| to allocate them for us. if (buffer_allocation_mode_ == BufferAllocationMode::kNone) { 
@@ -703,6 +718,8 @@ vaapi_wrapper_->CreateContext(requested_pic_size_), "Failed creating VA Context", PLATFORM_FAILURE, ); DCHECK_EQ(va_surface_ids.size(), buffers.size()); + + va_surface_release_cb = base::DoNothing(); } else { const size_t requested_num_surfaces = IsBufferAllocationModeReducedOrSuperReduced() @@ -710,15 +727,22 @@ : pictures_.size(); CHECK_NE(requested_num_surfaces, 0u); va_surface_ids.clear(); + RETURN_AND_NOTIFY_ON_FAILURE( vaapi_wrapper_->CreateContextAndSurfaces( va_surface_format_, requested_pic_size_, VaapiWrapper::SurfaceUsageHint::kVideoDecoder, requested_num_surfaces, &va_surface_ids), "Failed creating VA Surfaces", PLATFORM_FAILURE, ); + + va_surface_release_cb = + base::BindRepeating(&VaapiWrapper::DestroySurface, vaapi_wrapper_); } - available_va_surfaces_.assign(va_surface_ids.begin(), va_surface_ids.end()); + for (const VASurfaceID va_surface_id : va_surface_ids) { + available_va_surfaces_.emplace_back(std::make_unique( + va_surface_id, va_surface_release_cb)); + } // Resume DecodeTask if it is still in decoding state. if (state_ == kDecoding) { @@ -976,14 +1000,13 @@ base::AutoUnlock auto_unlock(lock_); decoder_thread_.Stop(); } - if (vaapi_wrapper_) { - if (buffer_allocation_mode_ != BufferAllocationMode::kNone) { - vaapi_wrapper_->DestroyContextAndSurfaces(std::vector( - available_va_surfaces_.begin(), available_va_surfaces_.end())); - } else { - vaapi_wrapper_->DestroyContext(); - } - } + if (buffer_allocation_mode_ != BufferAllocationMode::kNone) + available_va_surfaces_.clear(); + + vaapi_wrapper_->DestroyContext(); + + if (vpp_vaapi_wrapper_) + vpp_vaapi_wrapper_->DestroyContext(); state_ = kUninitialized; } 
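Review bot: In the `Cleanup()` hunk at -976, `vaapi_wrapper_->DestroyContext()` is now called unconditionally, although the removed code wrapped every use in `if (vaapi_wrapper_)` and the new `vpp_vaapi_wrapper_` call directly below keeps its null check. The start of the function is outside the hunk, so an early return on `state_` may already rule out a null wrapper. If not, this is a null dereference on teardown after a failed initialisation. Either keep the guard, `if (vaapi_wrapper_) vaapi_wrapper_->DestroyContext();`, or add a DCHECK and a comment stating why the pointer cannot be null here. This path also clears `available_va_surfaces_` before destroying the context, while the -566 hunk destroys the context first, so a one-line comment on whether the order matters would help.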
@@ -1037,7 +1060,8 @@ DCHECK_NE(VA_INVALID_ID, va_surface_format_); DCHECK(!awaiting_va_surfaces_recycle_); if (buffer_allocation_mode_ != BufferAllocationMode::kNone) { - const VASurfaceID id = available_va_surfaces_.front(); + auto va_surface = std::move(available_va_surfaces_.front()); + const VASurfaceID id = va_surface->va_surface_id(); available_va_surfaces_.pop_front(); TRACE_COUNTER_ID2("media,gpu", "Vaapi VASurfaceIDs", this, "used", 
@@ -1047,36 +1071,44 @@ available_va_surfaces_.size(), "available", available_va_surfaces_.size()); - return new VASurface(id, requested_pic_size_, va_surface_format_, - base::BindOnce(va_surface_release_cb_)); + return new VASurface( + id, requested_pic_size_, va_surface_format_, + base::BindOnce(va_surface_recycle_cb_, std::move(va_surface))); } // Find the first |available_va_surfaces_| id such that the associated // |pictures_| entry is marked as |available_picture_buffers_|. In practice, // we will quickly find an available |va_surface_id|. - for (const VASurfaceID va_surface_id : available_va_surfaces_) { + for (auto it = available_va_surfaces_.begin(); + it != available_va_surfaces_.end(); ++it) { + const VASurfaceID va_surface_id = (*it)->va_surface_id(); for (const auto& id_and_picture : pictures_) { if (id_and_picture.second->va_surface_id() == va_surface_id && base::Contains(available_picture_buffers_, id_and_picture.first)) { // Remove |va_surface_id| from the list of availables, and use the id // to return a new VASurface. - base::Erase(available_va_surfaces_, va_surface_id); - return new VASurface(va_surface_id, requested_pic_size_, - va_surface_format_, - base::BindOnce(va_surface_release_cb_)); + auto va_surface = std::move(*it); + available_va_surfaces_.erase(it); + return new VASurface( + va_surface_id, requested_pic_size_, va_surface_format_, + base::BindOnce(va_surface_recycle_cb_, std::move(va_surface))); } } } return nullptr; } -void VaapiVideoDecodeAccelerator::RecycleVASurfaceID( - VASurfaceID va_surface_id) { +void VaapiVideoDecodeAccelerator::RecycleVASurface( + std::unique_ptr va_surface, + // We don't use |va_surface_id| but it must be here because this method is + // bound as VASurface::ReleaseCB. 
+ VASurfaceID /*va_surface_id*/) { DCHECK(task_runner_->BelongsToCurrentThread()); { base::AutoLock auto_lock(lock_); - available_va_surfaces_.push_back(va_surface_id); + available_va_surfaces_.push_back(std::move(va_surface)); + if (buffer_allocation_mode_ != BufferAllocationMode::kNone) { TRACE_COUNTER_ID2("media,gpu", "Vaapi VASurfaceIDs", this, "used", (IsBufferAllocationModeReducedOrSuperReduced() diff -Nru chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator.h chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator.h --- chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator.h 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator.h 2020-03-17 21:56:31.000000000 +0000 @@ -104,6 +104,8 @@ // An input buffer with id provided by the client and awaiting consumption. class InputBuffer; + // A self-cleaning VASurfaceID. + class ScopedVASurfaceID; // Notify the client that an error has occurred and decoding cannot continue. void NotifyError(Error error); @@ -173,10 +175,11 @@ // Try to OutputPicture() if we have both a ready surface and picture. void TryOutputPicture(); - // Called when a VASurface is no longer in use by the decoder or is not being - // synced/waiting to be synced to a picture. Returns it to the - // |available_va_surfaces_| - void RecycleVASurfaceID(VASurfaceID va_surface_id); + // Called when a VASurface is no longer in use by |decoder_| nor |client_|. + // Returns it to |available_va_surfaces_|. |va_surface_id| is not used but it + // must be here to bind this method as VASurface::ReleaseCB. + void RecycleVASurface(std::unique_ptr va_surface, + VASurfaceID va_surface_id); // Request a new set of |num_pics| PictureBuffers to be allocated by // |client_|. Up to |num_reference_frames| out of |num_pics_| might be needed 
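Review bot: Ownership of the scoped surface now travels inside `base::BindOnce(va_surface_recycle_cb_, std::move(va_surface))` in both return paths of the -1047 hunk, and nothing says what happens when that callback is destroyed without running. The header in this diff calls the type self-cleaning, so a dropped callback presumably releases the surface through the release callback it was built with, possibly after the context is gone. A comment would make that explicit, e.g. `// If the recycle callback never runs, |va_surface| dies with it and releases its VASurfaceID.` The comment sitting between the two parameters of RecycleVASurface would also read better above the signature. Both function bodies continue outside the hunk.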
@@ -264,9 +267,10 @@ // OutputPicture() (|client_| returns them via ReusePictureBuffer()). std::list available_picture_buffers_ GUARDED_BY(lock_); - // VASurfaceIDs no longer in use that can be passed back to |decoder_| for - // reuse, once it requests them. - std::list available_va_surfaces_ GUARDED_BY(lock_); + // VASurfaces available and that can be passed to |decoder_| for its use upon + // CreateSurface() request (and then returned via RecycleVASurface()). + std::list> available_va_surfaces_ + GUARDED_BY(lock_); // Signalled when output surfaces are queued into |available_va_surfaces_|. base::ConditionVariable surfaces_available_; // VASurfaceIDs format, filled in when created. @@ -291,8 +295,9 @@ // decoder thread to the ChildThread should use |weak_this_|. base::WeakPtr weak_this_; - // Callback used when creating VASurface objects. Only used on |task_runner_|. - base::RepeatingCallback va_surface_release_cb_; + // Callback used to recycle VASurfaces. Only used on |task_runner_|. + base::RepeatingCallback, VASurfaceID)> + va_surface_recycle_cb_; // To expose client callbacks from VideoDecodeAccelerator. Used only on // |task_runner_|. diff -Nru chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator_unittest.cc chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator_unittest.cc --- chromium-80.0.3987.132/media/gpu/vaapi/vaapi_video_decode_accelerator_unittest.cc 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/media/gpu/vaapi/vaapi_video_decode_accelerator_unittest.cc 2020-03-17 21:56:31.000000000 +0000 @@ -76,7 +76,8 @@ size_t, std::vector*)); MOCK_METHOD1(CreateContext, bool(const gfx::Size&)); - MOCK_METHOD1(DestroyContextAndSurfaces, void(std::vector)); + MOCK_METHOD0(DestroyContext, void()); + MOCK_METHOD1(DestroySurface, void(VASurfaceID)); private: ~MockVaapiWrapper() override = default; 
@@ -239,12 +240,7 @@ .WillOnce(Return(kNumReferenceFrames)); EXPECT_CALL(*mock_decoder_, GetVisibleRect()) .WillOnce(Return(gfx::Rect(picture_size))); - if (vda_.buffer_allocation_mode_ != - VaapiVideoDecodeAccelerator::BufferAllocationMode::kNone) { - EXPECT_CALL(*mock_vaapi_wrapper_, DestroyContextAndSurfaces(_)); - } else { - // TODO(crbug.com/971891): Make virtual and expect DestroyContext(). - } + EXPECT_CALL(*mock_vaapi_wrapper_, DestroyContext()); if (expect_dismiss_picture_buffers) { EXPECT_CALL(*this, DismissPictureBuffer(_)) @@ -309,6 +305,10 @@ va_surface_ids->resize(kNumReferenceFrames); })), Return(true))); + EXPECT_CALL(*mock_vaapi_wrapper_, DestroySurface(_)) + .Times(kNumReferenceFrames); + EXPECT_CALL(*mock_decoder_, GetVisibleRect()) + .WillRepeatedly(Return(gfx::Rect(picture_size))); EXPECT_CALL(*mock_vaapi_picture_factory_, MockCreateVaapiPicture(_, picture_size)) .Times(num_pictures); diff -Nru chromium-80.0.3987.132/media/gpu/vaapi/vaapi_wrapper.h chromium-80.0.3987.149/media/gpu/vaapi/vaapi_wrapper.h --- chromium-80.0.3987.132/media/gpu/vaapi/vaapi_wrapper.h 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/media/gpu/vaapi/vaapi_wrapper.h 2020-03-17 21:56:31.000000000 +0000 @@ -228,7 +228,7 @@ const base::Optional& visible_size = base::nullopt); // Releases the |va_surfaces| and destroys |va_context_id_|. - virtual void DestroyContextAndSurfaces(std::vector va_surfaces); + void DestroyContextAndSurfaces(std::vector va_surfaces); // Creates a VA Context of |size| and sets |va_context_id_|. In the case of a // VPP VaapiWrapper, |size| is ignored and 0x0 is used to create the context. @@ -237,7 +237,7 @@ virtual bool CreateContext(const gfx::Size& size); // Destroys the context identified by |va_context_id_|. - void DestroyContext(); + virtual void DestroyContext(); // Requests a VA surface of size |size| and |va_rt_format|. Returns a // self-cleaning ScopedVASurface or nullptr if creation failed. If 
@@ -389,7 +389,7 @@ // vaDestroySurfaces() a vector or a single VASurfaceID. void DestroySurfaces(std::vector va_surfaces); - void DestroySurface(VASurfaceID va_surface_id); + virtual void DestroySurface(VASurfaceID va_surface_id); protected: VaapiWrapper(CodecMode mode); diff -Nru chromium-80.0.3987.132/media/mojo/services/mojo_video_encode_accelerator_service.cc chromium-80.0.3987.149/media/mojo/services/mojo_video_encode_accelerator_service.cc --- chromium-80.0.3987.132/media/mojo/services/mojo_video_encode_accelerator_service.cc 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/media/mojo/services/mojo_video_encode_accelerator_service.cc 2020-03-17 21:56:31.000000000 +0000 @@ -49,11 +49,16 @@ InitializeCallback success_callback) { DVLOG(1) << __func__ << " " << config.AsHumanReadableString(); DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); - DCHECK(!encoder_); DCHECK(config.input_format == PIXEL_FORMAT_I420 || config.input_format == PIXEL_FORMAT_NV12) << "Only I420 or NV12 format supported"; + if (encoder_) { + DLOG(ERROR) << __func__ << " VEA is already initialized"; + std::move(success_callback).Run(false); + return; + } + if (!client) { DLOG(ERROR) << __func__ << "null |client|"; std::move(success_callback).Run(false); diff -Nru chromium-80.0.3987.132/net/http/http_cache_transaction.cc chromium-80.0.3987.149/net/http/http_cache_transaction.cc --- chromium-80.0.3987.132/net/http/http_cache_transaction.cc 2020-03-03 18:53:55.000000000 +0000 +++ chromium-80.0.3987.149/net/http/http_cache_transaction.cc 2020-03-17 21:56:31.000000000 +0000 
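Review bot: The input-format check in the mojo_video_encode_accelerator_service.cc hunk is still `DCHECK(config.input_format == ...)`, so it is compiled out of release builds even though the `encoder_` check next to it became a runtime check. `config` reaches this service over mojo, presumably from a less-privileged process, so an unsupported pixel format should fail the call the same way a repeated Initialize now does. Whether the encoder created further down validates the format again is not visible in the hunk. The function body continues outside the hunk.

```cpp
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

if (config.input_format != PIXEL_FORMAT_I420 &&
    config.input_format != PIXEL_FORMAT_NV12) {
  DLOG(ERROR) << __func__ << " only I420 or NV12 input is supported";
  std::move(success_callback).Run(false);
  return;
}
// … unchanged: the |encoder_| and |client| checks …
```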
@@ -1432,7 +1432,8 @@ cache_pending_ = false; done_headers_create_new_entry_ = false; - // Speculative fix for rare crash. crbug.com/959194 + // It is unclear exactly how this state is reached with an ERR_CACHE_RACE, but + // this check appears to fix a rare crash. See crbug.com/959194. if (result == ERR_CACHE_RACE) { TransitionToState(STATE_HEADERS_PHASE_CANNOT_PROCEED); return OK; diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc 2020-03-03 18:53:14.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.cc 2020-03-17 21:55:54.000000000 +0000 @@ -250,7 +250,7 @@ PostCrossThreadTask( *task_runner_, FROM_HERE, CrossThreadBindOnce(&AudioScheduledSourceHandler::NotifyEnded, - WrapRefCounted(this))); + AsWeakPtr())); } void AudioScheduledSourceHandler::NotifyEnded() { diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/audio_scheduled_source_node.h 2020-03-17 21:56:33.000000000 +0000 @@ -30,6 +30,7 @@ #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_AUDIO_SCHEDULED_SOURCE_NODE_H_ #include +#include "base/memory/weak_ptr.h" #include "third_party/blink/renderer/bindings/core/v8/active_script_wrappable.h" #include "third_party/blink/renderer/modules/webaudio/audio_node.h" 
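Review bot: `AsWeakPtr()` in the audio_scheduled_source_node.cc hunk hands a base::WeakPtr to a task posted to another thread, and a base::WeakPtr is only safe when it is dereferenced and invalidated on the same sequence. The change stops the posted task from extending the handler's lifetime, but it is sound only if the handler is always destroyed on the thread behind `task_runner_`, which this hunk does not show. A comment at the call site would record the assumption, e.g. `// WeakPtr is checked on |task_runner_|'s thread; the handler must be destroyed there too.` The same applies to the matching changes in biquad_filter_node.cc and iir_filter_node.cc. The enclosing function starts outside the hunk.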
@@ -38,7 +39,9 @@ class BaseAudioContext; class AudioBus; -class AudioScheduledSourceHandler : public AudioHandler { +class AudioScheduledSourceHandler + : public AudioHandler, + public base::SupportsWeakPtr { public: // These are the possible states an AudioScheduledSourceNode can be in: // diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/biquad_filter_node.cc 2020-03-17 21:56:33.000000000 +0000 @@ -88,7 +88,7 @@ PostCrossThreadTask( *task_runner_, FROM_HERE, CrossThreadBindOnce(&BiquadFilterHandler::NotifyBadState, - WrapRefCounted(this))); + AsWeakPtr())); } } } diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/biquad_filter_node.h 2020-03-17 21:56:33.000000000 +0000 @@ -26,6 +26,7 @@ #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_ #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_BIQUAD_FILTER_NODE_H_ +#include "base/memory/weak_ptr.h" #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h" #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h" #include "third_party/blink/renderer/modules/webaudio/audio_basic_processor_handler.h" 
@@ -38,7 +39,8 @@ class AudioParam; class BiquadFilterOptions; -class BiquadFilterHandler : public AudioBasicProcessorHandler { +class BiquadFilterHandler : public AudioBasicProcessorHandler, + public base::SupportsWeakPtr { public: static scoped_refptr Create(AudioNode&, float sample_rate, diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc 2020-03-17 21:56:33.000000000 +0000 @@ -77,9 +77,9 @@ // connection. wtf_size_t size = finished_source_handlers_.size(); if (size > 0) { - for (auto* finished : finished_source_handlers_) { - active_source_handlers_.erase(finished); + for (auto finished : finished_source_handlers_) { finished->BreakConnectionWithLock(); + active_source_handlers_.erase(finished); } finished_source_handlers_.clear(); } @@ -356,6 +356,7 @@ deletable_orphan_handlers_.clear(); automatic_pull_handlers_.clear(); rendering_automatic_pull_handlers_.clear(); + finished_source_handlers_.clear(); active_source_handlers_.clear(); } diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h 2020-03-03 18:53:14.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/deferred_task_handler.h 2020-03-17 21:56:33.000000000 +0000 @@ -188,7 +188,7 @@ return &active_source_handlers_; } - Vector* GetFinishedSourceHandlers() { + Vector>* GetFinishedSourceHandlers() { return &finished_source_handlers_; } 
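Review bot: `for (auto finished : finished_source_handlers_)` in the -77 hunk copies each element. The header change in this diff turns those elements from raw pointers into what appear to be ref-counted pointers (the template arguments were lost in extraction), so every iteration now pays a reference-count increment and decrement on the audio thread. Binding by reference avoids that: `for (const auto& finished : finished_source_handlers_) {`. The vector keeps its own reference until `clear()`, so the element stays alive across `BreakConnectionWithLock()` and the `erase` either way.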
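Review bot: The `finished_source_handlers_.clear();` added in the -356 hunk touches a member whose header comment says it must be accessed only from the audio thread, and the hunk does not name the function this line sits in. If that function runs on another thread during teardown, the header comment should say so and name the lock or shutdown condition that makes it safe, e.g. `// Audio thread only, except for the final clear during teardown.`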
@@ -257,7 +257,7 @@ // connection and elements here are removed from |active_source_handlers_|. // // This must be accessed only from the audio thread. - Vector finished_source_handlers_; + Vector> finished_source_handlers_; scoped_refptr task_runner_; diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/iir_filter_node.cc 2020-03-17 21:56:33.000000000 +0000 @@ -104,9 +104,9 @@ if (HasNonFiniteOutput()) { did_warn_bad_filter_state_ = true; - PostCrossThreadTask(*task_runner_, FROM_HERE, - CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState, - WrapRefCounted(this))); + PostCrossThreadTask( + *task_runner_, FROM_HERE, + CrossThreadBindOnce(&IIRFilterHandler::NotifyBadState, AsWeakPtr())); } } } diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/iir_filter_node.h chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/iir_filter_node.h --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webaudio/iir_filter_node.h 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webaudio/iir_filter_node.h 2020-03-17 21:56:33.000000000 +0000 @@ -5,6 +5,7 @@ #ifndef THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_ #define THIRD_PARTY_BLINK_RENDERER_MODULES_WEBAUDIO_IIR_FILTER_NODE_H_ +#include "base/memory/weak_ptr.h" #include "base/single_thread_task_runner.h" #include "third_party/blink/renderer/core/typed_arrays/array_buffer_view_helpers.h" #include "third_party/blink/renderer/core/typed_arrays/dom_typed_array.h" 
@@ -18,7 +19,8 @@ class ExceptionState; class IIRFilterOptions; -class IIRFilterHandler : public AudioBasicProcessorHandler { +class IIRFilterHandler : public AudioBasicProcessorHandler, + public base::SupportsWeakPtr { public: static scoped_refptr Create( AudioNode&, diff -Nru chromium-80.0.3987.132/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc chromium-80.0.3987.149/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc --- chromium-80.0.3987.132/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc 2020-03-03 18:53:56.000000000 +0000 +++ chromium-80.0.3987.149/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc 2020-03-17 21:56:33.000000000 +0000 @@ -7542,7 +7542,7 @@ void WebGLRenderingContextBase::PrintWarningToConsole(const String& message) { blink::ExecutionContext* context = Host()->GetTopExecutionContext(); - if (context) { + if (context && !context->IsContextDestroyed()) { context->AddConsoleMessage( ConsoleMessage::Create(mojom::ConsoleMessageSource::kRendering, mojom::ConsoleMessageLevel::kWarning, message)); diff -Nru chromium-80.0.3987.132/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c chromium-80.0.3987.149/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c --- chromium-80.0.3987.132/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c 2020-03-03 18:55:29.000000000 +0000 +++ chromium-80.0.3987.149/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c 2020-03-17 22:05:53.000000000 +0000 @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include -__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 334532 2018-06-02 16:28:10Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include 
@@ -1455,7 +1455,8 @@ ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); - if ((plen == 0) || (offset + plen > length)) + if ((plen < sizeof(struct sctp_paramhdr)) || + (offset + plen > length)) break; if (ptype == SCTP_RANDOM) { diff -Nru chromium-80.0.3987.132/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c chromium-80.0.3987.149/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c --- chromium-80.0.3987.132/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c 2020-03-03 18:55:29.000000000 +0000 +++ chromium-80.0.3987.149/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c 2020-03-17 22:05:53.000000000 +0000 @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include -__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 334532 2018-06-02 16:28:10Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include @@ -7246,7 +7246,7 @@ if (offset + plen > limit) { break; } - if (plen == 0) { + if (plen < sizeof(struct sctp_paramhdr)) { break; } #ifdef INET @@ -7462,6 +7462,9 @@ if (plen > sizeof(lstore)) { return (-23); } + if (plen < sizeof(struct sctp_asconf_addrv4_param)) { + return (-101); + } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)&lstore, plen); diff -Nru chromium-80.0.3987.132/v8/include/v8-version.h chromium-80.0.3987.149/v8/include/v8-version.h --- chromium-80.0.3987.132/v8/include/v8-version.h 2020-03-03 18:55:34.000000000 +0000 +++ chromium-80.0.3987.149/v8/include/v8-version.h 2020-03-17 22:05:58.000000000 +0000 
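Review bot: The lower bound added in the sctp_pcb.c -7462 hunk, `plen < sizeof(struct sctp_asconf_addrv4_param)`, has no comment saying why the IPv4 variant is the floor, and its return value `-101` does not follow on from the `-23` of the check just above it. A one-line comment would show that this rejects a parameter too short to hold any address before `sctp_get_next_param()` copies it into `lstore`: `/* shorter than the smallest (IPv4) address parameter: malformed */`. If the negative codes are meant to be unique per failure site, that convention is worth stating once near the function header, which is outside this hunk.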
@@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 8 #define V8_MINOR_VERSION 0 #define V8_BUILD_NUMBER 426 -#define V8_PATCH_LEVEL 26 +#define V8_PATCH_LEVEL 27 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff -Nru chromium-80.0.3987.132/v8/src/builtins/builtins-intl.cc chromium-80.0.3987.149/v8/src/builtins/builtins-intl.cc --- chromium-80.0.3987.132/v8/src/builtins/builtins-intl.cc 2020-03-03 18:55:34.000000000 +0000 +++ chromium-80.0.3987.149/v8/src/builtins/builtins-intl.cc 2020-03-17 22:05:58.000000000 +0000 @@ -265,13 +265,11 @@ // [[Construct]] Handle target = args.target(); - Handle locales = args.atOrUndefined(isolate, 1); Handle options = args.atOrUndefined(isolate, 2); // 2. Let format be ? OrdinaryCreateFromConstructor(newTarget, // "%Prototype%", ...). - Handle map; ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, map, JSFunction::GetDerivedMap(isolate, target, new_target)); 
@@ -281,45 +279,42 @@ ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, format, T::New(isolate, map, locales, options, method)); // 4. Let this be the this value. - Handle receiver = args.receiver(); - - // 5. If NewTarget is undefined and ? InstanceofOperator(this, %%) - // is true, then - // - // Look up the intrinsic value that has been stored on the context. - // Call the instanceof function - Handle is_instance_of_obj; - ASSIGN_RETURN_FAILURE_ON_EXCEPTION( - isolate, is_instance_of_obj, - Object::InstanceOf(isolate, receiver, constructor)); - - // Get the boolean value of the result - bool is_instance_of = is_instance_of_obj->BooleanValue(isolate); + if (args.new_target()->IsUndefined(isolate)) { + Handle receiver = args.receiver(); - if (args.new_target()->IsUndefined(isolate) && is_instance_of) { - if (!receiver->IsJSReceiver()) { - THROW_NEW_ERROR_RETURN_FAILURE( - isolate, - NewTypeError(MessageTemplate::kIncompatibleMethodReceiver, - isolate->factory()->NewStringFromAsciiChecked(method), - receiver)); + // 5. If NewTarget is undefined and ? InstanceofOperator(this, %%) + // is true, then Look up the intrinsic value that has been stored on + // the context. + Handle is_instance_of_obj; + ASSIGN_RETURN_FAILURE_ON_EXCEPTION( + isolate, is_instance_of_obj, + Object::InstanceOf(isolate, receiver, constructor)); + + if (is_instance_of_obj->BooleanValue(isolate)) { + if (!receiver->IsJSReceiver()) { + THROW_NEW_ERROR_RETURN_FAILURE( + isolate, + NewTypeError(MessageTemplate::kIncompatibleMethodReceiver, + isolate->factory()->NewStringFromAsciiChecked(method), + receiver)); + } + Handle rec = Handle::cast(receiver); + // a. Perform ? DefinePropertyOrThrow(this, + // %Intl%.[[FallbackSymbol]], PropertyDescriptor{ [[Value]]: format, + // [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: false }). 
+ PropertyDescriptor desc; + desc.set_value(format); + desc.set_writable(false); + desc.set_enumerable(false); + desc.set_configurable(false); + Maybe success = JSReceiver::DefineOwnProperty( + isolate, rec, isolate->factory()->intl_fallback_symbol(), &desc, + Just(kThrowOnError)); + MAYBE_RETURN(success, ReadOnlyRoots(isolate).exception()); + CHECK(success.FromJust()); + // b. b. Return this. + return *receiver; } - Handle rec = Handle::cast(receiver); - // a. Perform ? DefinePropertyOrThrow(this, - // %Intl%.[[FallbackSymbol]], PropertyDescriptor{ [[Value]]: format, - // [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: false }). - PropertyDescriptor desc; - desc.set_value(format); - desc.set_writable(false); - desc.set_enumerable(false); - desc.set_configurable(false); - Maybe success = JSReceiver::DefineOwnProperty( - isolate, rec, isolate->factory()->intl_fallback_symbol(), &desc, - Just(kThrowOnError)); - MAYBE_RETURN(success, ReadOnlyRoots(isolate).exception()); - CHECK(success.FromJust()); - // b. b. Return this. - return *receiver; } // 6. Return format. return *format;
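Review bot: The rewritten step-5 comment in the builtins-intl.cc -281 hunk runs the spec text into an implementation remark ("is true, then Look up the intrinsic value that has been stored on the context"), and the moved line `// b. b. Return this.` keeps its doubled label. Ending the spec sentence at "is true, then", starting the remark on its own comment line and writing `// b. Return this.` would keep the numbered steps readable. The restructuring presumably exists so that the instanceof lookup, which can call into script, runs only when NewTarget is undefined. If so, a short why-comment above the outer `if` would stop a later cleanup from merging the two conditions again, e.g. `// Only evaluate InstanceOf when NewTarget is undefined.`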