chore: bump chromium to 120.0.6099.225 (28-x-y) (#40974)

* chore: bump chromium in DEPS to 120.0.6099.217 * chore: bump chromium in DEPS to 120.0.6099.224 * chore: update patches * chore: update patches * chore: bump chromium in DEPS to 120.0.6099.226 * chore: fixup patches after rebase * test: fixup assertNotWindows (#41045) * chore: fixup assertNotWindows * remove logging (cherry picked from commit 3dafb318a8) * chore: bump chromium in DEPS to 120.0.6099.225 * chore: cleanup global reject handler leaking into tests (#40689) (cherry picked from commit 3a510a26d0) --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org> Co-authored-by: Robo <hop2deep@gmail.com>
2026-04-10 03:01:51 -04:00 · 2024-01-22 16:39:25 -05:00
parent cdf99a215a
commit d60d4c6b2d
17 changed files with 38 additions and 468 deletions
--- a/2
+++ b/2
@@ -2,7 +2,7 @@ gclient_gn_args_from = 'src'

 vars = {
  'chromium_version':
-    '120.0.6099.216',
+    '120.0.6099.225',
  'node_version':
    'v18.18.2',
  'nan_version':
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -143,5 +143,4 @@ fix_font_flooding_in_dev_tools.patch
 feat_allow_code_cache_in_custom_schemes.patch
 enable_partition_alloc_ref_count_size.patch
 reland_mojom_ts_generator_handle_empty_module_path_identically_to.patch
-cherry-pick-c1cda70a433a.patch
 ensure_an_axcontext_before_painting.patch
--- a/patches/chromium/build_do_not_depend_on_packed_resource_integrity.patch
+++ b/patches/chromium/build_do_not_depend_on_packed_resource_integrity.patch
@@ -33,7 +33,7 @@ index 0594fc8f8122b5f66457c262890ea93be3a579d8..19f045d14c6072c1b0b8fb6a50bf4caf
           "//base",
           "//build:branding_buildflags",
 diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
-index 44d3b5e543101ce7ff5fed778fc430532e7ae9fb..48799f517e4b83f157c86e9b579cd98007fa47d7 100644
+index cd46c4c79d47637d3b1364a44f6b2fb54976a979..2ca8c638b78dfba0e2dc491163f028892c4d5376 100644
 --- a/chrome/browser/BUILD.gn
 +++ b/chrome/browser/BUILD.gn
@@ -4821,7 +4821,7 @@ static_library("browser") {
--- a/patches/chromium/can_create_window.patch
+++ b/patches/chromium/can_create_window.patch
@@ -21,10 +21,10 @@ index c1a712883d4b5af6d77d2174589f2f95625cb05e..390866ca02889c9c7dc58561f32d2e19
           &no_javascript_access);
 
 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index 63eafd910dad5686ca4114468e4563082821dd01..daeece42f6fe4e57ca3f88ff7b5d9d0a1c142b9f 100644
+index dba3fa7b487fe9fb7ff975df647ac30f2ffbd202..910ea0d1e11e1dc3deb660b322b67bf223735822 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -4487,6 +4487,12 @@ FrameTree* WebContentsImpl::CreateNewWindow(
+@@ -4492,6 +4492,12 @@ FrameTree* WebContentsImpl::CreateNewWindow(
 
   auto* new_contents_impl = new_contents.get();
 
@@ -37,7 +37,7 @@ index 63eafd910dad5686ca4114468e4563082821dd01..daeece42f6fe4e57ca3f88ff7b5d9d0a
   // If the new frame has a name, make sure any SiteInstances that can find
   // this named frame have proxies for it.  Must be called after
   // SetSessionStorageNamespace, since this calls CreateRenderView, which uses
-@@ -4528,12 +4534,6 @@ FrameTree* WebContentsImpl::CreateNewWindow(
+@@ -4533,12 +4539,6 @@ FrameTree* WebContentsImpl::CreateNewWindow(
     AddWebContentsDestructionObserver(new_contents_impl);
   }
 
--- a/patches/chromium/cherry-pick-c1cda70a433a.patch
+++ b/patches/chromium/cherry-pick-c1cda70a433a.patch
@@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mike Wasserman <msw@chromium.org>
-Date: Thu, 21 Dec 2023 22:33:05 +0000
-Subject: Speculative fix for UAF in
- content::WebContentsImpl::ExitFullscreenMode
-
-Bug: 1506535, 854815
-Change-Id: Iace64d63f8cea2dbfbc761ad233db42451ec101c
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5146875
-Commit-Queue: John Abd-El-Malek <jam@chromium.org>
-Auto-Submit: Mike Wasserman <msw@chromium.org>
-Reviewed-by: John Abd-El-Malek <jam@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1240353}
-
-diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index a92c42ea05d680d435f6f69d9882e85537c995ec..e49ccf4ffc115a78abceeddd7f452aeeb5c6a917 100644
--- a/content/browser/web_contents/web_contents_impl.cc
-+++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -3888,7 +3888,12 @@ void WebContentsImpl::ExitFullscreenMode(bool will_cause_resize) {
-   }
- 
-   if (delegate_) {
-+    // This may spin the message loop and destroy this object crbug.com/1506535
-+    base::WeakPtr<WebContentsImpl> weak_ptr = weak_factory_.GetWeakPtr();
-     delegate_->ExitFullscreenModeForTab(this);
-+    if (!weak_ptr) {
-+      return;
-+    }
- 
-     if (keyboard_lock_widget_) {
-       delegate_->CancelKeyboardLockRequest(this);
--- a/patches/chromium/chore_provide_iswebcontentscreationoverridden_with_full_params.patch
+++ b/patches/chromium/chore_provide_iswebcontentscreationoverridden_with_full_params.patch
@@ -218,10 +218,10 @@ index 46924048ef26310b25d8ce7dd370c086193cf7ea..28a2b8c99b2cf32bb283ef1474b536ab
   void AddNewContents(content::WebContents* source,
                       std::unique_ptr<content::WebContents> new_contents,
 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index 744f3757ab2e7bcf517ddae6f5023ac52822a06a..d36306fc177824701ddde81dbd399e77230b1c48 100644
+index dc413782fc0e7f33011e80a2357d6eba75a6903a..702fa31c9e95d83cbd856f6592050835cd27ccd2 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -4393,8 +4393,7 @@ FrameTree* WebContentsImpl::CreateNewWindow(
+@@ -4398,8 +4398,7 @@ FrameTree* WebContentsImpl::CreateNewWindow(
 
   if (delegate_ && delegate_->IsWebContentsCreationOverridden(
                        source_site_instance, params.window_container_type,
--- a/patches/chromium/fix_handle_no_top_level_aura_window_in_webcontentsimpl.patch
+++ b/patches/chromium/fix_handle_no_top_level_aura_window_in_webcontentsimpl.patch
@@ -14,10 +14,10 @@ can potentially be upstreamed but it's likely that the better fix for this
 is to update our OSR code which is several years outdated.

 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index e02f82ba9fb3b1359c19bd71c0bd94cd46a5ed5e..a92c42ea05d680d435f6f69d9882e85537c995ec 100644
+index 3ade9312a09494dece3935cc87c56bf464d28399..e49ccf4ffc115a78abceeddd7f452aeeb5c6a917 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -3996,7 +3996,7 @@ void WebContentsImpl::Restore() {
+@@ -4001,7 +4001,7 @@ void WebContentsImpl::Restore() {
 ui::WindowShowState WebContentsImpl::GetWindowShowState() {
 #if defined(USE_AURA)
   aura::Window* window = GetTopLevelNativeWindow();
--- a/patches/chromium/fix_on-screen-keyboard_hides_on_input_blur_in_webview.patch
+++ b/patches/chromium/fix_on-screen-keyboard_hides_on_input_blur_in_webview.patch
@@ -45,10 +45,10 @@ index 1dfd9c071a41482e0d35257b28522e5b37702f25..41a09e9470dfa5797c69d02fc9b4f5e6
   // RenderFrameMetadataProvider::Observer implementation.
   void OnRenderFrameMetadataChangedBeforeActivation(
 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index 9d5e099d981f3cd9dde4a07c071a63e6459bd311..e02f82ba9fb3b1359c19bd71c0bd94cd46a5ed5e 100644
+index 5f7f36a4b77fda73dc77cde23a8671c89a1f2b78..3ade9312a09494dece3935cc87c56bf464d28399 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -8649,7 +8649,7 @@ void WebContentsImpl::OnFocusedElementChangedInFrame(
+@@ -8654,7 +8654,7 @@ void WebContentsImpl::OnFocusedElementChangedInFrame(
                         "WebContentsImpl::OnFocusedElementChangedInFrame",
                         "render_frame_host", frame);
   RenderWidgetHostViewBase* root_view =
--- a/patches/chromium/refactor_expose_cursor_changes_to_the_webcontentsobserver.patch
+++ b/patches/chromium/refactor_expose_cursor_changes_to_the_webcontentsobserver.patch
@@ -44,10 +44,10 @@ index 895f5126806b557c853f163fe69459ea929f11a4..b4ead2f5f2f813c23cd5eddae3d38052
 
 void RenderWidgetHostImpl::ShowContextMenuAtPoint(
 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index daeece42f6fe4e57ca3f88ff7b5d9d0a1c142b9f..744f3757ab2e7bcf517ddae6f5023ac52822a06a 100644
+index 910ea0d1e11e1dc3deb660b322b67bf223735822..dc413782fc0e7f33011e80a2357d6eba75a6903a 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
-@@ -5110,6 +5110,11 @@ TextInputManager* WebContentsImpl::GetTextInputManager() {
+@@ -5115,6 +5115,11 @@ TextInputManager* WebContentsImpl::GetTextInputManager() {
   return text_input_manager_.get();
 }
 
--- a/patches/chromium/web_contents.patch
+++ b/patches/chromium/web_contents.patch
@@ -9,7 +9,7 @@ is needed for OSR.
 Originally landed in https://github.com/electron/libchromiumcontent/pull/226.

 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index d36306fc177824701ddde81dbd399e77230b1c48..75f4e92f5cf99e044c4584d5dad7251fe3e9a547 100644
+index 702fa31c9e95d83cbd856f6592050835cd27ccd2..e77956577ca4749e96bfc0908d3094bb21094631 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
@@ -3448,6 +3448,13 @@ void WebContentsImpl::Init(const WebContents::CreateParams& params,
--- a/patches/chromium/webview_fullscreen.patch
+++ b/patches/chromium/webview_fullscreen.patch
@@ -37,7 +37,7 @@ index 390866ca02889c9c7dc58561f32d2e195fc700a8..f1510ce378fe9aef9d58a943c0ab3173
   if (had_fullscreen_token && !GetView()->HasFocus())
     GetView()->Focus();
 diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
-index 75f4e92f5cf99e044c4584d5dad7251fe3e9a547..9d5e099d981f3cd9dde4a07c071a63e6459bd311 100644
+index e77956577ca4749e96bfc0908d3094bb21094631..5f7f36a4b77fda73dc77cde23a8671c89a1f2b78 100644
 --- a/content/browser/web_contents/web_contents_impl.cc
 +++ b/content/browser/web_contents/web_contents_impl.cc
@@ -3702,21 +3702,25 @@ KeyboardEventProcessingResult WebContentsImpl::PreHandleKeyboardEvent(
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@@ -2,6 +2,3 @@ build_gn.patch
 do_not_export_private_v8_symbols_on_windows.patch
 fix_build_deprecated_attribute_for_older_msvc_versions.patch
 chore_allow_customizing_microtask_policy_per_context.patch
-cherry-pick-389ea9be7d68.patch
-cherry-pick-46cb67e3b296.patch
-cherry-pick-78dd4b31847a.patch
--- a/patches/v8/cherry-pick-389ea9be7d68.patch
+++ b/patches/v8/cherry-pick-389ea9be7d68.patch
@@ -1,335 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Toon Verwaest <verwaest@chromium.org>
-Date: Thu, 11 Jan 2024 10:47:17 +0100
-Subject: Drop fast last-property deletion
-
-This interacts badly with other optimizations and isn't particularly
-common.
-
-Bug: chromium:1517354
-Change-Id: I7adb51a8fc0ec47eaeb911ca2a4cbc517088e416
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5185340
-Commit-Queue: Leszek Swirski <leszeks@chromium.org>
-Reviewed-by: Leszek Swirski <leszeks@chromium.org>
-Auto-Submit: Toon Verwaest <verwaest@chromium.org>
-Commit-Queue: Toon Verwaest <verwaest@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#91782}
-
-diff --git a/src/runtime/runtime-object.cc b/src/runtime/runtime-object.cc
-index 94af9625f372c09b6cf10aead05f71832c274a6b..87b20def865db3cd1f50e35c70f8aedf226bdede 100644
--- a/src/runtime/runtime-object.cc
-+++ b/src/runtime/runtime-object.cc
-@@ -71,186 +71,10 @@ MaybeHandle<Object> Runtime::HasProperty(Isolate* isolate,
-   return ReadOnlyRoots(isolate).boolean_value_handle(maybe.FromJust());
- }
- 
-namespace {
-
-// This function sets the sentinel value in a deleted field. Thes sentinel has
-// to look like a proper standalone object because the slack tracking may
-// complete at any time. For this reason we use the filler map word.
-// If V8_MAP_PACKING is enabled, then the filler map word is a packed filler
-// map. Otherwise, the filler map word is the same as the filler map.
-inline void ClearField(Isolate* isolate, Tagged<JSObject> object,
-                       FieldIndex index) {
-  if (index.is_inobject()) {
-    MapWord filler_map_word =
-        ReadOnlyRoots(isolate).one_pointer_filler_map_word();
-#ifndef V8_MAP_PACKING
-    DCHECK_EQ(filler_map_word.ToMap(),
-              ReadOnlyRoots(isolate).one_pointer_filler_map());
-#endif
-    int offset = index.offset();
-    TaggedField<MapWord>::Release_Store(object, offset, filler_map_word);
-  } else {
-    object->property_array()->set(
-        index.outobject_array_index(),
-        ReadOnlyRoots(isolate).one_pointer_filler_map());
-  }
-}
-
-void GeneralizeAllTransitionsToFieldAsMutable(Isolate* isolate, Handle<Map> map,
-                                              Handle<Name> name) {
-  InternalIndex descriptor(map->NumberOfOwnDescriptors());
-
-  Handle<Map> target_maps[kPropertyAttributesCombinationsCount];
-  int target_maps_count = 0;
-
-  // Collect all outgoing field transitions.
-  {
-    DisallowGarbageCollection no_gc;
-    TransitionsAccessor transitions(isolate, *map);
-    transitions.ForEachTransitionTo(
-        *name,
-        [&](Tagged<Map> target) {
-          DCHECK_EQ(descriptor, target->LastAdded());
-          DCHECK_EQ(*name, target->GetLastDescriptorName(isolate));
-          PropertyDetails details = target->GetLastDescriptorDetails(isolate);
-          // Currently, we track constness only for fields.
-          if (details.kind() == PropertyKind::kData &&
-              details.constness() == PropertyConstness::kConst) {
-            target_maps[target_maps_count++] = handle(target, isolate);
-          }
-          DCHECK_IMPLIES(details.kind() == PropertyKind::kAccessor,
-                         details.constness() == PropertyConstness::kConst);
-        },
-        &no_gc);
-    CHECK_LE(target_maps_count, kPropertyAttributesCombinationsCount);
-  }
-
-  for (int i = 0; i < target_maps_count; i++) {
-    Handle<Map> target = target_maps[i];
-    PropertyDetails details =
-        target->instance_descriptors(isolate)->GetDetails(descriptor);
-    Handle<FieldType> field_type(
-        target->instance_descriptors(isolate)->GetFieldType(descriptor),
-        isolate);
-    MapUpdater::GeneralizeField(isolate, target, descriptor,
-                                PropertyConstness::kMutable,
-                                details.representation(), field_type);
-    DCHECK_EQ(PropertyConstness::kMutable, target->instance_descriptors(isolate)
-                                               ->GetDetails(descriptor)
-                                               .constness());
-  }
-}
-
-bool DeleteObjectPropertyFast(Isolate* isolate, Handle<JSReceiver> receiver,
-                              Handle<Object> raw_key) {
-  // This implements a special case for fast property deletion: when the
-  // last property in an object is deleted, then instead of normalizing
-  // the properties, we can undo the last map transition, with a few
-  // prerequisites:
-  // (1) The receiver must be a regular object and the key a unique name.
-  Handle<Map> receiver_map(receiver->map(), isolate);
-  if (IsSpecialReceiverMap(*receiver_map)) return false;
-  DCHECK(IsJSObjectMap(*receiver_map));
-
-  if (!IsUniqueName(*raw_key)) return false;
-  Handle<Name> key = Handle<Name>::cast(raw_key);
-  // (2) The property to be deleted must be the last property.
-  int nof = receiver_map->NumberOfOwnDescriptors();
-  if (nof == 0) return false;
-  InternalIndex descriptor(nof - 1);
-  Handle<DescriptorArray> descriptors(
-      receiver_map->instance_descriptors(isolate), isolate);
-  if (descriptors->GetKey(descriptor) != *key) return false;
-  // (3) The property to be deleted must be deletable.
-  PropertyDetails details = descriptors->GetDetails(descriptor);
-  if (!details.IsConfigurable()) return false;
-  // (4) The map must have a back pointer.
-  Handle<Object> backpointer(receiver_map->GetBackPointer(), isolate);
-  if (!IsMap(*backpointer)) return false;
-  Handle<Map> parent_map = Handle<Map>::cast(backpointer);
-  // (5) The last transition must have been caused by adding a property
-  // (and not any kind of special transition).
-  if (parent_map->NumberOfOwnDescriptors() != nof - 1) return false;
-
-  // Preconditions successful. No more bailouts after this point.
-
-  // Zap the property to avoid keeping objects alive. Zapping is not necessary
-  // for properties stored in the descriptor array.
-  if (details.location() == PropertyLocation::kField) {
-    DisallowGarbageCollection no_gc;
-
-    // Invalidate slots manually later in case we delete an in-object tagged
-    // property. In this case we might later store an untagged value in the
-    // recorded slot.
-    isolate->heap()->NotifyObjectLayoutChange(
-        *receiver, no_gc, InvalidateRecordedSlots::kNo,
-        InvalidateExternalPointerSlots::kNo);
-    FieldIndex index =
-        FieldIndex::ForPropertyIndex(*receiver_map, details.field_index());
-    // Special case deleting the last out-of object property.
-    if (!index.is_inobject() && index.outobject_array_index() == 0) {
-      DCHECK(!parent_map->HasOutOfObjectProperties());
-      // Clear out the properties backing store.
-      receiver->SetProperties(ReadOnlyRoots(isolate).empty_fixed_array());
-    } else {
-      ClearField(isolate, JSObject::cast(*receiver), index);
-      if (index.is_inobject()) {
-        // We need to clear the recorded slot in this case because in-object
-        // slack tracking might not be finished. This ensures that we don't
-        // have recorded slots in free space.
-        isolate->heap()->ClearRecordedSlot(*receiver,
-                                           receiver->RawField(index.offset()));
-      }
-    }
-  }
-  // If the {receiver_map} was marked stable before, then there could be
-  // optimized code that depends on the assumption that no object that
-  // reached this {receiver_map} transitions away from it without triggering
-  // the "deoptimize dependent code" mechanism.
-  receiver_map->NotifyLeafMapLayoutChange(isolate);
-  // Finally, perform the map rollback.
-  receiver->set_map(*parent_map, kReleaseStore);
-#if VERIFY_HEAP
-  if (v8_flags.verify_heap) {
-    receiver->HeapObjectVerify(isolate);
-    receiver->property_array()->PropertyArrayVerify(isolate);
-  }
-#endif
-
-  // If the {descriptor} was "const" so far, we need to update the
-  // {receiver_map} here, otherwise we could get the constants wrong, i.e.
-  //
-  //   o.x = 1;
-  //   [change o.x's attributes or reconfigure property kind]
-  //   delete o.x;
-  //   o.x = 2;
-  //
-  // could trick V8 into thinking that `o.x` is still 1 even after the second
-  // assignment.
-
-  // Step 1: Migrate object to an up-to-date shape.
-  if (parent_map->is_deprecated()) {
-    JSObject::MigrateInstance(isolate, Handle<JSObject>::cast(receiver));
-    parent_map = handle(receiver->map(), isolate);
-  }
-
-  // Step 2: Mark outgoing transitions from the up-to-date version of the
-  // parent_map to same property name of any kind or attributes as mutable.
-  // Also migrate object to the up-to-date map to make the object shapes
-  // converge sooner.
-  GeneralizeAllTransitionsToFieldAsMutable(isolate, parent_map, key);
-
-  return true;
-}
-
-}  // namespace
-
- Maybe<bool> Runtime::DeleteObjectProperty(Isolate* isolate,
-                                           Handle<JSReceiver> receiver,
-                                           Handle<Object> key,
-                                           LanguageMode language_mode) {
-  if (DeleteObjectPropertyFast(isolate, receiver, key)) return Just(true);
-
-   bool success = false;
-   PropertyKey lookup_key(isolate, key, &success);
-   if (!success) return Nothing<bool>();
-diff --git a/test/cctest/test-field-type-tracking.cc b/test/cctest/test-field-type-tracking.cc
-index 41500ea14a571d3a081c79ed10f0d37430df852c..65193aa2308764cdf64c1c75d5a8ada4e6315c30 100644
--- a/test/cctest/test-field-type-tracking.cc
-+++ b/test/cctest/test-field-type-tracking.cc
-@@ -3030,122 +3030,6 @@ TEST(RepresentationPredicatesAreInSync) {
-   }
- }
- 
-TEST(DeletePropertyGeneralizesConstness) {
-  CcTest::InitializeVM();
-  v8::HandleScope scope(CcTest::isolate());
-  Isolate* isolate = CcTest::i_isolate();
-  Handle<FieldType> any_type = FieldType::Any(isolate);
-
-  // Create a map with some properties.
-  Handle<Map> initial_map = Map::Create(isolate, kPropCount + 3);
-  Handle<Map> map = initial_map;
-  for (int i = 0; i < kPropCount; i++) {
-    Handle<String> name = CcTest::MakeName("prop", i);
-    map = Map::CopyWithField(isolate, map, name, any_type, NONE,
-                             PropertyConstness::kConst, Representation::Smi(),
-                             INSERT_TRANSITION)
-              .ToHandleChecked();
-  }
-  Handle<Map> parent_map = map;
-  CHECK(!map->is_deprecated());
-
-  Handle<String> name_x = CcTest::MakeString("x");
-  Handle<String> name_y = CcTest::MakeString("y");
-
-  map = Map::CopyWithField(isolate, parent_map, name_x, any_type, NONE,
-                           PropertyConstness::kConst, Representation::Smi(),
-                           INSERT_TRANSITION)
-            .ToHandleChecked();
-
-  // Create an object, initialize its properties and add a couple of clones.
-  Handle<JSObject> object1 = isolate->factory()->NewJSObjectFromMap(map);
-  for (int i = 0; i < kPropCount; i++) {
-    FieldIndex index = FieldIndex::ForDescriptor(*map, InternalIndex(i));
-    object1->FastPropertyAtPut(index, Smi::FromInt(i));
-  }
-  Handle<JSObject> object2 = isolate->factory()->CopyJSObject(object1);
-
-  CHECK(!map->is_deprecated());
-  CHECK(!parent_map->is_deprecated());
-
-  // Transition to Double must deprecate m1.
-  CHECK(!Representation::Smi().CanBeInPlaceChangedTo(Representation::Double()));
-
-  // Reconfigure one of the first properties to make the whole transition tree
-  // deprecated (including |parent_map| and |map|).
-  Handle<Map> new_map =
-      ReconfigureProperty(isolate, map, InternalIndex(0), PropertyKind::kData,
-                          NONE, Representation::Double(), any_type);
-  CHECK(map->is_deprecated());
-  CHECK(parent_map->is_deprecated());
-  CHECK(!new_map->is_deprecated());
-  // The "x" property is still kConst.
-  CHECK_EQ(new_map->GetLastDescriptorDetails(isolate).constness(),
-           PropertyConstness::kConst);
-
-  Handle<Map> new_parent_map = Map::Update(isolate, parent_map);
-  CHECK(!new_parent_map->is_deprecated());
-
-  // |new_parent_map| must have exactly one outgoing transition to |new_map|.
-  {
-    TransitionsAccessor ta(isolate, *new_parent_map);
-    CHECK_EQ(ta.NumberOfTransitions(), 1);
-    CHECK_EQ(ta.GetTarget(0), *new_map);
-  }
-
-  // Deletion of the property from |object1| must migrate it to |new_parent_map|
-  // which is an up-to-date version of the |parent_map|. The |new_map|'s "x"
-  // property should be marked as mutable.
-  CHECK_EQ(object1->map(isolate), *map);
-  CHECK(Runtime::DeleteObjectProperty(isolate, object1, name_x,
-                                      LanguageMode::kSloppy)
-            .ToChecked());
-  CHECK_EQ(object1->map(isolate), *new_parent_map);
-  CHECK_EQ(new_map->GetLastDescriptorDetails(isolate).constness(),
-           PropertyConstness::kMutable);
-
-  // Now add transitions to "x" and "y" properties from |new_parent_map|.
-  std::vector<Handle<Map>> transitions;
-  Handle<Object> value = handle(Smi::FromInt(0), isolate);
-  for (int i = 0; i < kPropertyAttributesCombinationsCount; i++) {
-    auto attributes = PropertyAttributesFromInt(i);
-
-    Handle<Map> tmp;
-    // Add some transitions to "x" and "y".
-    tmp = Map::TransitionToDataProperty(isolate, new_parent_map, name_x, value,
-                                        attributes, PropertyConstness::kConst,
-                                        StoreOrigin::kNamed);
-    CHECK(!tmp->map(isolate)->is_dictionary_map());
-    transitions.push_back(tmp);
-
-    tmp = Map::TransitionToDataProperty(isolate, new_parent_map, name_y, value,
-                                        attributes, PropertyConstness::kConst,
-                                        StoreOrigin::kNamed);
-    CHECK(!tmp->map(isolate)->is_dictionary_map());
-    transitions.push_back(tmp);
-  }
-
-  // Deletion of the property from |object2| must migrate it to |new_parent_map|
-  // which is an up-to-date version of the |parent_map|.
-  // All outgoing transitions from |new_map| that add "x" must be marked as
-  // mutable, transitions to other properties must remain const.
-  CHECK_EQ(object2->map(isolate), *map);
-  CHECK(Runtime::DeleteObjectProperty(isolate, object2, name_x,
-                                      LanguageMode::kSloppy)
-            .ToChecked());
-  CHECK_EQ(object2->map(isolate), *new_parent_map);
-  for (Handle<Map> m : transitions) {
-    if (m->GetLastDescriptorName(isolate) == *name_x) {
-      CHECK_EQ(m->GetLastDescriptorDetails(isolate).constness(),
-               PropertyConstness::kMutable);
-
-    } else {
-      CHECK_EQ(m->GetLastDescriptorDetails(isolate).constness(),
-               PropertyConstness::kConst);
-    }
-  }
-}
-
- #define CHECK_SAME(object, rep, expected)                    \
-   CHECK_EQ(Object::FitsRepresentation(*object, rep, true),   \
-            Object::FitsRepresentation(*object, rep, false)); \
--- a/patches/v8/cherry-pick-46cb67e3b296.patch
+++ b/patches/v8/cherry-pick-46cb67e3b296.patch
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dominik=20Inf=C3=BChr?= <dinfuehr@chromium.org>
-Date: Mon, 18 Dec 2023 09:15:00 +0100
-Subject: Install BytecodeArray last in SharedFunctionInfo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
-then it should also have FeedbackMetadata. However, this may not
-hold with concurrent compilation when the SharedFunctionInfo is
-re-compiled after being flushed. Here the BytecodeArray was installed
-on the SFI before the FeedbackMetadata and a concurrent thread could
-observe the BytecodeArray but not the FeedbackMetadata.
-
-Drive-by: Reset the age field before setting the BytecodeArray as
-well. This ensures that the concurrent marker will not observe the
-old age for the new BytecodeArray.
-
-Bug: chromium:1507412
-Change-Id: I8855ed7ecc50c4a47d2c89043d62ac053858bc75
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5125960
-Reviewed-by: Leszek Swirski <leszeks@chromium.org>
-Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#91568}
-
-diff --git a/src/codegen/compiler.cc b/src/codegen/compiler.cc
-index 03860399e8b393cf315a507dbf5653381fc86d40..ff7360c10148657848440446e8d86bc4fcd51298 100644
--- a/src/codegen/compiler.cc
-+++ b/src/codegen/compiler.cc
-@@ -724,12 +724,12 @@ void InstallUnoptimizedCode(UnoptimizedCompilationInfo* compilation_info,
-     }
- #endif  // V8_ENABLE_WEBASSEMBLY
- 
-    shared_info->set_bytecode_array(*compilation_info->bytecode_array());
-    shared_info->set_age(0);
-
-     Handle<FeedbackMetadata> feedback_metadata = FeedbackMetadata::New(
-         isolate, compilation_info->feedback_vector_spec());
-     shared_info->set_feedback_metadata(*feedback_metadata, kReleaseStore);
-+
-+    shared_info->set_age(0);
-+    shared_info->set_bytecode_array(*compilation_info->bytecode_array());
-   } else {
- #if V8_ENABLE_WEBASSEMBLY
-     DCHECK(compilation_info->has_asm_wasm_data());
--- a/patches/v8/cherry-pick-78dd4b31847a.patch
+++ b/patches/v8/cherry-pick-78dd4b31847a.patch
@@ -1,27 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Leszek Swirski <leszeks@chromium.org>
-Date: Mon, 8 Jan 2024 11:13:58 +0100
-Subject: Fix allocation folding in derived constructors
-
-Bug: v8:7700
-Change-Id: Ia33724d39d1397c7d47c36d14071abce6ed4b0fc
-Fixed: chromium:1515930
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5173470
-Commit-Queue: Patrick Thier <pthier@chromium.org>
-Reviewed-by: Patrick Thier <pthier@chromium.org>
-Commit-Queue: Leszek Swirski <leszeks@chromium.org>
-Auto-Submit: Leszek Swirski <leszeks@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#91709}
-
-diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
-index 2b660f5a8681a854b799d54761c425b04d1d0444..31c114481dee5bd171700acf321c79d941c6df98 100644
--- a/src/maglev/maglev-graph-builder.cc
-+++ b/src/maglev/maglev-graph-builder.cc
-@@ -5210,6 +5210,7 @@ bool MaglevGraphBuilder::TryBuildFindNonDefaultConstructorOrConstruct(
-           object = BuildAllocateFastObject(
-               FastObject(new_target_function->AsJSFunction(), zone(), broker()),
-               AllocationType::kYoung);
-+          ClearCurrentRawAllocation();
-         } else {
-           object = BuildCallBuiltin<Builtin::kFastNewObject>(
-               {GetConstant(current_function), new_target});
--- a/spec/lib/window-helpers.ts
+++ b/spec/lib/window-helpers.ts
@@ -29,13 +29,19 @@ export const closeWindow = async (
  await ensureWindowIsClosed(window);

  if (assertNotWindows) {
-    const windows = BrowserWindow.getAllWindows();
-    try {
-      expect(windows).to.have.lengthOf(0);
-    } finally {
-      for (const win of windows) {
-        await ensureWindowIsClosed(win);
-      }
+    let windows = BrowserWindow.getAllWindows();
+    if (windows.length > 0) {
+      setTimeout(async () => {
+        // Wait until next tick to assert that all windows have been closed.
+        windows = BrowserWindow.getAllWindows();
+        try {
+          expect(windows).to.have.lengthOf(0);
+        } finally {
+          for (const win of windows) {
+            await ensureWindowIsClosed(win);
+          }
+        }
+      });
    }
  }
 };
--- a/spec/node-spec.ts
+++ b/spec/node-spec.ts
@@ -928,16 +928,23 @@ describe('node feature', () => {
  });

  it('performs microtask checkpoint correctly', (done) => {
+    let timer : NodeJS.Timeout;
+    const listener = () => {
+      done(new Error('catch block is delayed to next tick'));
+    };
+
    const f3 = async () => {
      return new Promise((resolve, reject) => {
+        timer = setTimeout(listener);
        reject(new Error('oops'));
      });
    };

-    process.once('unhandledRejection', () => done('catch block is delayed to next tick'));
-
    setTimeout(() => {
-      f3().catch(() => done());
+      f3().catch(() => {
+        clearTimeout(timer);
+        done();
+      });
    });
  });
 });