chore: cherry-pick 3 changes from 0-M132 (#45219)

chore: [33-x-y] cherry-pick 2 changes from 0-M132 * 3c2d220ad025 from v8 * 35f86d6a0a03 from chromium * c17fe9bc158c from skia
2026-04-10 03:01:51 -04:00 · 2025-01-16 21:19:42 +00:00
parent ebe380a2fc
commit be88dbd361
7 changed files with 1506 additions and 1 deletions
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -138,3 +138,4 @@ wayland_support_outgoing_dnd_sessions_with_no_offered_mime_types.patch
 support_bstr_pkey_appusermodel_id_in_windows_shortcuts.patch
 cherry-pick-3dc17c461b12.patch
 cherry-pick-f3300abe2fcd.patch
+cherry-pick-35f86d6a0a03.patch
--- a/patches/chromium/cherry-pick-35f86d6a0a03.patch
+++ b/patches/chromium/cherry-pick-35f86d6a0a03.patch
--- a/patches/config.json
+++ b/patches/config.json
@@ -11,5 +11,6 @@
  { "patch_dir": "src/electron/patches/Mantle", "repo": "src/third_party/squirrel.mac/vendor/Mantle" },
  { "patch_dir": "src/electron/patches/ReactiveObjC", "repo": "src/third_party/squirrel.mac/vendor/ReactiveObjC" },
  { "patch_dir": "src/electron/patches/webrtc", "repo": "src/third_party/webrtc" },
-  { "patch_dir": "src/electron/patches/reclient-configs", "repo": "src/third_party/engflow-reclient-configs" }
+  { "patch_dir": "src/electron/patches/reclient-configs", "repo": "src/third_party/engflow-reclient-configs" },
+  { "patch_dir": "src/electron/patches/skia", "repo": "src/third_party/skia" }
 ]
--- a/patches/skia/.patches
+++ b/patches/skia/.patches
@@ -0,0 +1 @@
+ganesh_avoid_overflow_when_combining_aahairlineops.patch
--- a/patches/skia/ganesh_avoid_overflow_when_combining_aahairlineops.patch
+++ b/patches/skia/ganesh_avoid_overflow_when_combining_aahairlineops.patch
@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: James Godfrey-Kittle <jamesgk@google.com>
+Date: Tue, 17 Dec 2024 12:14:17 -0500
+Subject: [ganesh] Avoid overflow when combining AAHairlineOps
+
+Bug: b/382786791
+Change-Id: I955d943015cce76f75221df9fab0897a6f22fe4b
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/930577
+Reviewed-by: Michael Ludwig <michaelludwig@google.com>
+Commit-Queue: James Godfrey-Kittle <jamesgk@google.com>
+(cherry picked from commit 8b030e47588af50f56ef380d81a17667baeb582b)
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/935337
+Reviewed-by: James Godfrey-Kittle <jamesgk@google.com>
+Auto-Submit: Michael Ludwig <michaelludwig@google.com>
+Commit-Queue: Michael Ludwig <michaelludwig@google.com>
+
+diff --git a/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp b/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
+index 352790443969808d7147d57061a712de0224a867..2c04f3109806e2fd057efef31263b52dd6fe2035 100644
+--- a/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
+++ b/src/gpu/ganesh/ops/AAHairLinePathRenderer.cpp
+@@ -27,6 +27,7 @@
+ #include "include/private/base/SkPoint_impl.h"
+ #include "include/private/base/SkTArray.h"
+ #include "include/private/gpu/ganesh/GrTypesPriv.h"
+#include "src/base/SkSafeMath.h"
+ #include "src/core/SkGeometry.h"
+ #include "src/core/SkMatrixPriv.h"
+ #include "src/core/SkPointPriv.h"
+@@ -1219,16 +1220,28 @@ void AAHairlineOp::onPrepareDraws(GrMeshDrawTarget* target) {
+ 
+     int instanceCount = fPaths.size();
+     bool convertConicsToQuads = !target->caps().shaderCaps()->fFloatIs32Bits;
+-    for (int i = 0; i < instanceCount; i++) {
+    SkSafeMath safeMath;
+    for (int i = 0; i < instanceCount && safeMath.ok(); i++) {
+         const PathData& args = fPaths[i];
+-        quadCount += gather_lines_and_quads(args.fPath, args.fViewMatrix, args.fDevClipBounds,
+-                                            args.fCapLength, convertConicsToQuads, &lines, &quads,
+-                                            &conics, &qSubdivs, &cWeights);
+        quadCount = safeMath.addInt(quadCount,
+                                    gather_lines_and_quads(args.fPath,
+                                                           args.fViewMatrix,
+                                                           args.fDevClipBounds,
+                                                           args.fCapLength,
+                                                           convertConicsToQuads,
+                                                           &lines,
+                                                           &quads,
+                                                           &conics,
+                                                           &qSubdivs,
+                                                           &cWeights));
+     }
+ 
+     int lineCount = lines.size() / 2;
+     int conicCount = conics.size() / 3;
+-    int quadAndConicCount = conicCount + quadCount;
+    int quadAndConicCount = safeMath.addInt(conicCount, quadCount);
+    if (!safeMath.ok()) {
+        return;
+    }
+ 
+     static constexpr int kMaxLines = SK_MaxS32 / kLineSegNumVertices;
+     static constexpr int kMaxQuadsAndConics = SK_MaxS32 / kQuadNumVertices;
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -3,3 +3,4 @@ deps_add_v8_object_setinternalfieldfornodecore.patch
 fix_disable_scope_reuse_associated_dchecks.patch
 fix_compiler_failure_on_older_clang.patch
 cherry-pick-0d3c44362eea.patch
+cherry-pick-3c2d220ad025.patch
--- a/patches/v8/cherry-pick-3c2d220ad025.patch
+++ b/patches/v8/cherry-pick-3c2d220ad025.patch
@@ -0,0 +1,107 @@
+From 3c2d220ad025e2c532ea17289d8d29350f0b722a Mon Sep 17 00:00:00 2001
+From: Shu-yu Guo <syg@chromium.org>
+Date: Mon, 18 Nov 2024 16:02:28 -0800
+Subject: [PATCH] Merged: [interpreter] Fix hole elision scope for switch jump tables
+
+(cherry picked from commit 5c3b50c26c50e68dbedf8ff991249e75e46ef06e)
+
+Change-Id: Id6bf2b62598b85a05c6cc7bd06b6cce673d7342a
+Bug: 374627491
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6042925
+Commit-Queue: Shu-yu Guo <syg@chromium.org>
+Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
+Auto-Submit: Shu-yu Guo <syg@chromium.org>
+Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
+Cr-Commit-Position: refs/branch-heads/13.2@{#18}
+Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
+Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
+---
+
+diff --git a/src/interpreter/bytecode-generator.cc b/src/interpreter/bytecode-generator.cc
+index a99cc34..5f1e6b3 100644
+--- a/src/interpreter/bytecode-generator.cc
+++ b/src/interpreter/bytecode-generator.cc
+@@ -2526,6 +2526,9 @@
+   // Are we still using any if-else bytecodes to evaluate the switch?
+   bool use_jumps = n_comp_cases != 0;
+ 
+  // Does the comparison for non-jump table jumps need an elision scope?
+  bool jump_comparison_needs_hole_check_elision_scope = false;
+
+   SwitchBuilder switch_builder(builder(), block_coverage_builder_, stmt,
+                                n_comp_cases, jump_table);
+   ControlScopeForBreakable scope(this, stmt, &switch_builder);
+@@ -2583,6 +2586,10 @@
+                                          info.covered_cases);
+ 
+     if (use_jumps) {
+      // When using a jump table, the first jump comparison is conditionally
+      // executed if the discriminant wasn't matched by anything in the jump
+      // table, and so needs its own elision scope.
+      jump_comparison_needs_hole_check_elision_scope = true;
+       builder()->LoadAccumulatorWithRegister(r1);
+     }
+   }
+@@ -2603,16 +2610,14 @@
+       // The comparisons linearly dominate, so no need to open a new elision
+       // scope for each one.
+       std::optional<HoleCheckElisionScope> elider;
+-      bool first_jump_emitted = false;
+       for (int i = 0; i < clauses->length(); ++i) {
+         CaseClause* clause = clauses->at(i);
+         if (clause->is_default()) {
+           info.default_case = i;
+         } else if (!info.CaseExists(clause->label())) {
+-          // The first non-default label is
+-          // unconditionally executed, so we only need to emplace it before
+-          // visiting the second non-default label.
+-          if (first_jump_emitted) elider.emplace(this);
+          if (jump_comparison_needs_hole_check_elision_scope && !elider) {
+            elider.emplace(this);
+          }
+ 
+           // Perform label comparison as if via '===' with tag.
+           VisitForAccumulatorValue(clause->label());
+@@ -2623,7 +2628,9 @@
+ #endif
+           switch_builder.JumpToCaseIfTrue(ToBooleanMode::kAlreadyBoolean,
+                                           case_compare_ctr++);
+-          first_jump_emitted = true;
+          // The second and subsequent non-default comparisons are always
+          // conditionally executed, and need an elision scope.
+          jump_comparison_needs_hole_check_elision_scope = true;
+         }
+       }
+     }
+diff --git a/test/mjsunit/regress/regress-374627491.js b/test/mjsunit/regress/regress-374627491.js
+new file mode 100644
+index 0000000..ebb7e1d
+--- /dev/null
+++ b/test/mjsunit/regress/regress-374627491.js
+@@ -0,0 +1,26 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class B { }
+class C extends B {
+  constructor() {
+    let x = 0;
+    switch (0) {
+      case 0:
+      case 1:
+      case 2:
+      case 3:
+      case 4:
+      case 5:
+      case 6:
+      case 7:
+      case 8:
+      case 9:
+        x += this;
+        break;
+      case this:
+    }
+  }
+}
+assertThrows(() => { new C(); }, ReferenceError);
				`@@ -0,0 +1 @@`
				`ganesh_avoid_overflow_when_combining_aahairlineops.patch`