Bump v12.1.0

* chore: cherry-pick fix for 1234770 from v8 (#30586)

* chore: cherry-pick fix for 1234770 from v8

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

* Update .patches

* chore: update patches

Co-authored-by: Cheng Zhao <zcbenz@gmail.com>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

.circleci/config.yml

@@ -79,7 +79,7 @@ executors:
 # Build machines configs.
 docker-image: &docker-image
   docker:
-    - image: electron.azurecr.io/build:4cec2c5ab66765caa724e37bae2bffb9b29722a5
+    - image: electron.azurecr.io/build:d818f06a9b1540c7fd38f75ad5a2c493dd6843b6
 
 machine-linux-medium: &machine-linux-medium
   <<: *docker-image

ELECTRON_VERSION

@@ -1 +1 @@
-12.0.16
+12.1.0

build/npm-run.py

@@ -21,6 +21,6 @@ except subprocess.CalledProcessError as e:
         + "' failed with code '"
         + str(e.returncode)
         + "':\n"
-        + e.output
+        + e.output.decode('utf8')
     )
     sys.exit(e.returncode)

chromium_src/BUILD.gn

@@ -139,6 +139,8 @@ static_library("chrome") {
 
   if (enable_color_chooser) {
     sources += [
+      "//chrome/browser/devtools/devtools_eye_dropper.cc",
+      "//chrome/browser/devtools/devtools_eye_dropper.h",
       "//chrome/browser/platform_util.cc",
       "//chrome/browser/platform_util.h",
       "//chrome/browser/ui/browser_dialogs.h",

docs/api/webview-tag.md

@@ -842,6 +842,19 @@ this purpose.
 
 Calling `event.preventDefault()` does __NOT__ have any effect.
 
+### Event: 'did-start-navigation'
+
+Returns:
+
+* `url` String
+* `isInPlace` Boolean
+* `isMainFrame` Boolean
+* `frameProcessId` Integer
+* `frameRoutingId` Integer
+
+Emitted when any frame (including main) starts navigating. `isInPlace` will be
+`true` for in-page navigations.
+
 ### Event: 'did-navigate'
 
 Returns:
@@ -854,6 +867,23 @@ This event is not emitted for in-page navigations, such as clicking anchor links
 or updating the `window.location.hash`. Use `did-navigate-in-page` event for
 this purpose.
 
+### Event: 'did-frame-navigate'
+
+Returns:
+
+* `url` String
+* `httpResponseCode` Integer - -1 for non HTTP navigations
+* `httpStatusText` String - empty for non HTTP navigations,
+* `isMainFrame` Boolean
+* `frameProcessId` Integer
+* `frameRoutingId` Integer
+
+Emitted when any frame navigation is done.
+
+This event is not emitted for in-page navigations, such as clicking anchor links
+or updating the `window.location.hash`. Use `did-navigate-in-page` event for
+this purpose.
+
 ### Event: 'did-navigate-in-page'
 
 Returns:

lib/browser/rpc-server.ts

@@ -1,6 +1,6 @@
 import { app } from 'electron/main';
 import type { WebContents } from 'electron/main';
-import { clipboard, nativeImage } from 'electron/common';
+import { clipboard } from 'electron/common';
 import * as fs from 'fs';
 import { ipcMainInternal } from '@electron/internal/browser/ipc-main-internal';
 import * as ipcMainUtils from '@electron/internal/browser/ipc-main-internal-utils';
@@ -113,7 +113,3 @@ ipcMainUtils.handleSync(IPC_MESSAGES.BROWSER_SANDBOX_LOAD, async function (event
 ipcMainInternal.on(IPC_MESSAGES.BROWSER_PRELOAD_ERROR, function (event, preloadPath: string, error: Error) {
   event.sender.emit('preload-error', event, preloadPath, error);
 });
-
-ipcMainInternal.handle(IPC_MESSAGES.NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH, async (_, path: string, size: Electron.Size) => {
-  return typeUtils.serialize(await nativeImage.createThumbnailFromPath(path, size));
-});

lib/common/ipc-messages.ts

@@ -39,5 +39,4 @@ export const enum IPC_MESSAGES {
   INSPECTOR_SELECT_FILE = 'INSPECTOR_SELECT_FILE',
 
   DESKTOP_CAPTURER_GET_SOURCES = 'DESKTOP_CAPTURER_GET_SOURCES',
-  NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH = 'NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH',
 }

lib/renderer/api/native-image.ts

@@ -1,11 +1,3 @@
-import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal';
-import { deserialize } from '@electron/internal/common/type-utils';
-import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
-
 const { nativeImage } = process._linkedBinding('electron_common_native_image');
 
-nativeImage.createThumbnailFromPath = async (path: string, size: Electron.Size) => {
-  return deserialize(await ipcRendererInternal.invoke(IPC_MESSAGES.NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH, path, size));
-};
-
 export default nativeImage;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron",
-  "version": "12.0.16",
+  "version": "12.1.0",
   "repository": "https://github.com/electron/electron",
   "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS",
   "devDependencies": {

patches/angle/.patches

@@ -1,2 +1,4 @@
 d3d11_skip_blits_if_there_is_no_intersection_of_dest_areas.patch
 cherry-pick-3d4f87ab5b9b.patch
+cherry-pick-d8cb996.patch
+cherry-pick-1fb846c.patch

patches/angle/cherry-pick-1fb846c.patch

@@ -0,0 +1,90 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexey Knyazev <lexa.knyazev@gmail.com>
+Date: Tue, 3 Aug 2021 01:57:49 +0400
+Subject: Validate texStorage dimensions with compressed formats
+
+Bug: angleproject:6230
+Change-Id: I501ec1e6974bdc7e6731dcb88045edb0aa22b888
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3067329
+Commit-Queue: Alexey Knyazev <lexa.knyazev@gmail.com>
+Reviewed-by: Kenneth Russell <kbr@chromium.org>
+Reviewed-by: Jamie Madill <jmadill@chromium.org>
+
+diff --git a/src/libANGLE/validationES3.cpp b/src/libANGLE/validationES3.cpp
+index 1d93a066580818c7616fa66252e6465f6137aceb..3935c52a894c5584eef66bea34a8684176909358 100644
+--- a/src/libANGLE/validationES3.cpp
++++ b/src/libANGLE/validationES3.cpp
+@@ -1339,17 +1339,26 @@ bool ValidateES3TexStorageParametersBase(const Context *context,
+         return false;
+     }
+ 
+-    if (formatInfo.compressed && target == TextureType::Rectangle)
++    if (formatInfo.compressed)
+     {
+-        context->validationError(GL_INVALID_ENUM, kRectangleTextureCompressed);
+-        return false;
+-    }
++        if (target == TextureType::Rectangle)
++        {
++            context->validationError(GL_INVALID_ENUM, kRectangleTextureCompressed);
++            return false;
++        }
+ 
+-    if (formatInfo.compressed && target == TextureType::_3D)
+-    {
+-        if (!ValidateES3CompressedFormatForTexture3D(context, formatInfo.internalFormat))
++        if (target == TextureType::_3D)
+         {
+-            // Error already generated.
++            if (!ValidateES3CompressedFormatForTexture3D(context, formatInfo.internalFormat))
++            {
++                // Error already generated.
++                return false;
++            }
++        }
++
++        if (!ValidCompressedImageSize(context, formatInfo.internalFormat, 0, width, height, depth))
++        {
++            context->validationError(GL_INVALID_OPERATION, kInvalidCompressedImageSize);
+             return false;
+         }
+     }
+diff --git a/src/tests/gl_tests/SRGBTextureTest.cpp b/src/tests/gl_tests/SRGBTextureTest.cpp
+index 68fd9f7165ff237ed3c86a42be0b2a24dd9819c7..6c65740cb406e1c598dc41ff0e8998230a926883 100644
+--- a/src/tests/gl_tests/SRGBTextureTest.cpp
++++ b/src/tests/gl_tests/SRGBTextureTest.cpp
+@@ -340,7 +340,7 @@ TEST_P(SRGBTextureTestES3, SRGBOverrideFormats)
+     {
+         GLTexture tex;
+         glBindTexture(GL_TEXTURE_2D, tex.get());
+-        glTexStorage2D(GL_TEXTURE_2D, 1, format, 1, 1);
++        glTexStorage2D(GL_TEXTURE_2D, 1, format, 4, 4);
+         GLenum error = glGetError();
+         if (error == GL_INVALID_ENUM)
+         {
+diff --git a/src/tests/gl_tests/WebGLCompatibilityTest.cpp b/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+index 89eb4d639a3853636524ad112a24f15d46fa1119..b9380bb10ad434acfc858c08db8a629db0bfaecf 100644
+--- a/src/tests/gl_tests/WebGLCompatibilityTest.cpp
++++ b/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+@@ -5023,6 +5023,21 @@ void WebGLCompatibilityTest::testCompressedTexLevelDimension(GLenum format,
+     {
+         EXPECT_GL_ERROR(expectedError) << explanation;
+     }
++
++    if (level == 0 && width > 0 && getClientMajorVersion() >= 3)
++    {
++        GLTexture sourceTextureStorage;
++        glBindTexture(GL_TEXTURE_2D, sourceTextureStorage);
++        glTexStorage2D(GL_TEXTURE_2D, 1, format, width, height);
++        if (expectedError == 0)
++        {
++            EXPECT_GL_NO_ERROR() << explanation << " (texStorage)";
++        }
++        else
++        {
++            EXPECT_GL_ERROR(expectedError) << explanation << " (texStorage)";
++        }
++    }
+ }
+ 
+ void WebGLCompatibilityTest::testCompressedTexImage(GLenum format)

patches/angle/cherry-pick-d8cb996.patch

@@ -0,0 +1,300 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kenneth Russell <kbr@chromium.org>
+Date: Wed, 4 Aug 2021 18:15:51 -0700
+Subject: In WebGL, constrain base level of compressed textures.
+
+Enforce that if a mipmap level > 0 is specified for a compressed
+texture, that it implies that the size of the base level of the
+texture is a multiple of the format's block size.
+
+Makes the test changes in
+https://github.com/KhronosGroup/WebGL/pull/3304 largely pass. There
+are some needed follow-on fixes to that PR, and this CL changes a
+sub-test result in the existing S3TC and S3TC-sRGB tests which will
+need to be suppressed Chromium-side first.
+
+Bug: angleproject:6245
+Change-Id: I7723d7882091b78a353d8d273e80b819dd384021
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3072568
+Commit-Queue: Kenneth Russell <kbr@chromium.org>
+Reviewed-by: Jamie Madill <jmadill@chromium.org>
+Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
+
+diff --git a/src/libANGLE/validationES.cpp b/src/libANGLE/validationES.cpp
+index 74acb9e0c4d87c08478dd334a1b38124fab9f94f..4ed0ea4f47c89090d06f706199d32bb0f5b745b9 100644
+--- a/src/libANGLE/validationES.cpp
++++ b/src/libANGLE/validationES.cpp
+@@ -985,6 +985,15 @@ bool ValidCompressedDimension(GLsizei size, GLuint blockSize, GLint level)
+     return (level > 0) || (size % blockSize == 0);
+ }
+ 
++bool ValidCompressedBaseLevelForWebGL(GLsizei size, GLuint blockSize, GLint level)
++{
++    // Avoid C++ undefined behavior.
++    constexpr int maxValidShifts = 31;
++    if (level > maxValidShifts)
++        return false;
++    return ((size << level) % blockSize) == 0;
++}
++
+ bool ValidCompressedImageSize(const Context *context,
+                               GLenum internalFormat,
+                               GLint level,
+@@ -1005,11 +1014,27 @@ bool ValidCompressedImageSize(const Context *context,
+ 
+     if (CompressedTextureFormatRequiresExactSize(internalFormat))
+     {
+-        if (!ValidCompressedDimension(width, formatInfo.compressedBlockWidth, level) ||
+-            !ValidCompressedDimension(height, formatInfo.compressedBlockHeight, level) ||
+-            !ValidCompressedDimension(depth, formatInfo.compressedBlockDepth, level))
++        // In WebGL compatibility mode, enforce that the base level implied
++        // by the compressed texture's mip level would conform to the block
++        // size. This is more strict than the non-WebGL check.
++        if (context->getExtensions().webglCompatibility)
+         {
+-            return false;
++            if (!ValidCompressedBaseLevelForWebGL(width, formatInfo.compressedBlockWidth, level) ||
++                !ValidCompressedBaseLevelForWebGL(height, formatInfo.compressedBlockHeight,
++                                                  level) ||
++                !ValidCompressedBaseLevelForWebGL(depth, formatInfo.compressedBlockDepth, level))
++            {
++                return false;
++            }
++        }
++        else
++        {
++            if (!ValidCompressedDimension(width, formatInfo.compressedBlockWidth, level) ||
++                !ValidCompressedDimension(height, formatInfo.compressedBlockHeight, level) ||
++                !ValidCompressedDimension(depth, formatInfo.compressedBlockDepth, level))
++            {
++                return false;
++            }
+         }
+     }
+ 
+diff --git a/src/tests/gl_tests/WebGLCompatibilityTest.cpp b/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+index bfa8f3066fa418c87477dd553e66a34b79974455..89eb4d639a3853636524ad112a24f15d46fa1119 100644
+--- a/src/tests/gl_tests/WebGLCompatibilityTest.cpp
++++ b/src/tests/gl_tests/WebGLCompatibilityTest.cpp
+@@ -296,6 +296,16 @@ void main()
+                                                    GLsizei blockSize,
+                                                    const std::string &extName,
+                                                    bool subImageAllowed);
++
++    GLint expectedByteLength(GLenum format, GLsizei width, GLsizei height);
++    void testCompressedTexLevelDimension(GLenum format,
++                                         GLint level,
++                                         GLsizei width,
++                                         GLsizei height,
++                                         GLsizei expectedByteLength,
++                                         GLenum expectedError,
++                                         const char *explanation);
++    void testCompressedTexImage(GLenum format);
+ };
+ 
+ class WebGL2CompatibilityTest : public WebGLCompatibilityTest
+@@ -3056,6 +3066,84 @@ TEST_P(WebGLCompatibilityTest, CompressedTextureS3TC)
+     ASSERT_GL_ERROR(GL_INVALID_OPERATION);
+ }
+ 
++// Test WebGL-specific constraints on sizes of S3TC textures' mipmap levels.
++TEST_P(WebGLCompatibilityTest, CompressedTexImageS3TC)
++{
++    const char *extensions[] = {
++        "GL_EXT_texture_compression_dxt1",
++        "GL_ANGLE_texture_compression_dxt3",
++        "GL_ANGLE_texture_compression_dxt5",
++    };
++
++    for (const char *extension : extensions)
++    {
++        if (IsGLExtensionRequestable(extension))
++        {
++            glRequestExtensionANGLE(extension);
++        }
++
++        ANGLE_SKIP_TEST_IF(!IsGLExtensionEnabled(extension));
++    }
++
++    // Ported from WebGL conformance suite:
++    // sdk/tests/conformance/extensions/s3tc-and-srgb.html
++    constexpr GLenum formats[] = {
++        GL_COMPRESSED_RGB_S3TC_DXT1_EXT,
++        GL_COMPRESSED_RGBA_S3TC_DXT1_EXT,
++        GL_COMPRESSED_RGBA_S3TC_DXT3_EXT,
++        GL_COMPRESSED_RGBA_S3TC_DXT5_EXT,
++    };
++
++    for (GLenum format : formats)
++    {
++        testCompressedTexImage(format);
++    }
++}
++
++// Test WebGL-specific constraints on sizes of RGTC textures' mipmap levels.
++TEST_P(WebGLCompatibilityTest, CompressedTexImageRGTC)
++{
++    if (IsGLExtensionRequestable("GL_EXT_texture_compression_rgtc"))
++    {
++        glRequestExtensionANGLE("GL_EXT_texture_compression_rgtc");
++    }
++
++    ANGLE_SKIP_TEST_IF(!IsGLExtensionEnabled("GL_EXT_texture_compression_rgtc"));
++
++    // Ported from WebGL conformance suite:
++    // sdk/tests/conformance/extensions/ext-texture-compression-rgtc.html
++    constexpr GLenum formats[] = {GL_COMPRESSED_RED_RGTC1_EXT, GL_COMPRESSED_SIGNED_RED_RGTC1_EXT,
++                                  GL_COMPRESSED_RED_GREEN_RGTC2_EXT,
++                                  GL_COMPRESSED_SIGNED_RED_GREEN_RGTC2_EXT};
++
++    for (GLenum format : formats)
++    {
++        testCompressedTexImage(format);
++    }
++}
++
++// Test WebGL-specific constraints on sizes of BPTC textures' mipmap levels.
++TEST_P(WebGLCompatibilityTest, CompressedTexImageBPTC)
++{
++    if (IsGLExtensionRequestable("GL_EXT_texture_compression_bptc"))
++    {
++        glRequestExtensionANGLE("GL_EXT_texture_compression_bptc");
++    }
++
++    ANGLE_SKIP_TEST_IF(!IsGLExtensionEnabled("GL_EXT_texture_compression_bptc"));
++
++    // Ported from WebGL conformance suite:
++    // sdk/tests/conformance/extensions/ext-texture-compression-bptc.html
++    constexpr GLenum formats[] = {
++        GL_COMPRESSED_RGBA_BPTC_UNORM_EXT, GL_COMPRESSED_SRGB_ALPHA_BPTC_UNORM_EXT,
++        GL_COMPRESSED_RGB_BPTC_SIGNED_FLOAT_EXT, GL_COMPRESSED_RGB_BPTC_UNSIGNED_FLOAT_EXT};
++
++    for (GLenum format : formats)
++    {
++        testCompressedTexImage(format);
++    }
++}
++
+ TEST_P(WebGLCompatibilityTest, L32FTextures)
+ {
+     constexpr float textureData[]   = {15.1f, 0.0f, 0.0f, 0.0f};
+@@ -4887,6 +4975,119 @@ void WebGLCompatibilityTest::validateCompressedTexImageExtensionFormat(GLenum fo
+     }
+ }
+ 
++GLint WebGLCompatibilityTest::expectedByteLength(GLenum format, GLsizei width, GLsizei height)
++{
++    switch (format)
++    {
++        case GL_COMPRESSED_RGB_S3TC_DXT1_EXT:
++        case GL_COMPRESSED_RGBA_S3TC_DXT1_EXT:
++        case GL_COMPRESSED_RED_RGTC1_EXT:
++        case GL_COMPRESSED_SIGNED_RED_RGTC1_EXT:
++            return ((width + 3) / 4) * ((height + 3) / 4) * 8;
++        case GL_COMPRESSED_RGBA_S3TC_DXT3_EXT:
++        case GL_COMPRESSED_RGBA_S3TC_DXT5_EXT:
++        case GL_COMPRESSED_RED_GREEN_RGTC2_EXT:
++        case GL_COMPRESSED_SIGNED_RED_GREEN_RGTC2_EXT:
++        case GL_COMPRESSED_RGBA_BPTC_UNORM_EXT:
++        case GL_COMPRESSED_SRGB_ALPHA_BPTC_UNORM_EXT:
++        case GL_COMPRESSED_RGB_BPTC_SIGNED_FLOAT_EXT:
++        case GL_COMPRESSED_RGB_BPTC_UNSIGNED_FLOAT_EXT:
++            return ((width + 3) / 4) * ((height + 3) / 4) * 16;
++    }
++
++    UNREACHABLE();
++    return 0;
++}
++
++void WebGLCompatibilityTest::testCompressedTexLevelDimension(GLenum format,
++                                                             GLint level,
++                                                             GLsizei width,
++                                                             GLsizei height,
++                                                             GLsizei expectedByteLength,
++                                                             GLenum expectedError,
++                                                             const char *explanation)
++{
++    std::vector<uint8_t> tempVector(expectedByteLength, 0);
++
++    EXPECT_GL_NO_ERROR();
++
++    GLTexture sourceTexture;
++    glBindTexture(GL_TEXTURE_2D, sourceTexture);
++    glCompressedTexImage2D(GL_TEXTURE_2D, level, format, width, height, 0, expectedByteLength,
++                           tempVector.data());
++    if (expectedError == 0)
++    {
++        EXPECT_GL_NO_ERROR() << explanation;
++    }
++    else
++    {
++        EXPECT_GL_ERROR(expectedError) << explanation;
++    }
++}
++
++void WebGLCompatibilityTest::testCompressedTexImage(GLenum format)
++{
++    struct TestCase
++    {
++        GLint level;
++        GLsizei width;
++        GLsizei height;
++        GLenum expectedError;
++        const char *explanation;
++    };
++
++    constexpr TestCase testCases[] = {
++        {0, 4, 3, GL_INVALID_OPERATION, "level is 0, height is not a multiple of 4"},
++        {0, 3, 4, GL_INVALID_OPERATION, "level is 0, width is not a multiple of 4"},
++        {0, 2, 2, GL_INVALID_OPERATION, "level is 0, width is not a multiple of 4"},
++        {0, 4, 4, GL_NO_ERROR, "is valid"},
++        {1, 1, 1, GL_INVALID_OPERATION, "implied base mip 2x2 is invalid"},
++        {1, 1, 2, GL_INVALID_OPERATION, "implied base mip 2x4 is invalid"},
++        {1, 2, 1, GL_INVALID_OPERATION, "implied base mip 4x2 is invalid"},
++        {1, 2, 2, GL_NO_ERROR, "implied base mip 4x4 is valid"},
++    };
++
++    constexpr TestCase webgl2TestCases[] = {
++        {0, 0, 0, GL_NO_ERROR, "0: 0x0 is valid"},
++        {0, 1, 1, GL_INVALID_OPERATION, "0: 1x1 is invalid"},
++        {0, 2, 2, GL_INVALID_OPERATION, "0: 2x2 is invalid"},
++        {0, 3, 3, GL_INVALID_OPERATION, "0: 3x3 is invalid"},
++        {0, 10, 10, GL_INVALID_OPERATION, "0: 10x10 is invalid"},
++        {0, 11, 11, GL_INVALID_OPERATION, "0: 11x11 is invalid"},
++        {0, 11, 12, GL_INVALID_OPERATION, "0: 11x12 is invalid"},
++        {0, 12, 11, GL_INVALID_OPERATION, "0: 12x11 is invalid"},
++        {0, 12, 12, GL_NO_ERROR, "0: 12x12 is valid"},
++        {1, 0, 0, GL_NO_ERROR, "1: 0x0 is valid"},
++        {1, 3, 3, GL_INVALID_OPERATION, "1: 3x3 is invalid"},
++        {1, 5, 5, GL_INVALID_OPERATION, "1: 5x5 is invalid"},
++        {1, 5, 6, GL_INVALID_OPERATION, "1: 5x6 is invalid"},
++        {1, 6, 5, GL_INVALID_OPERATION, "1: 6x5 is invalid"},
++        {1, 6, 6, GL_NO_ERROR, "1: 6x6 is valid"},
++        {2, 0, 0, GL_NO_ERROR, "2: 0x0 is valid"},
++        {2, 3, 3, GL_NO_ERROR, "2: 3x3 is valid"},
++        {3, 1, 3, GL_NO_ERROR, "3: 1x3 is valid"},
++        {3, 1, 1, GL_NO_ERROR, "3: 1x1 is valid"},
++        {2, 1, 3, GL_NO_ERROR, "implied base mip 4x12 is valid"},
++    };
++
++    for (const TestCase &test : testCases)
++    {
++        testCompressedTexLevelDimension(format, test.level, test.width, test.height,
++                                        expectedByteLength(format, test.width, test.height),
++                                        test.expectedError, test.explanation);
++    }
++
++    if (getClientMajorVersion() >= 3)
++    {
++        for (const TestCase &test : webgl2TestCases)
++        {
++            testCompressedTexLevelDimension(format, test.level, test.width, test.height,
++                                            expectedByteLength(format, test.width, test.height),
++                                            test.expectedError, test.explanation);
++        }
++    }
++}
++
+ // Test enabling GL_EXT_texture_compression_dxt1 for GL_COMPRESSED_RGB_S3TC_DXT1_EXT
+ TEST_P(WebGLCompatibilityTest, EnableCompressedTextureExtensionDXT1RGB)
+ {

patches/chromium/.patches

@@ -144,3 +144,6 @@ cherry-pick-3feda0244490.patch
 cherry-pick-cd98d7c0dae9.patch
 replace_first_of_two_waitableevents_in_creditcardaccessmanager.patch
 cherry-pick-ac9dc1235e28.patch
+cherry-pick-4ce2abc17078.patch
+cherry-pick-e2123a8e0943.patch
+cherry-pick-1227933.patch

patches/chromium/cherry-pick-1227933.patch

@@ -0,0 +1,215 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Koji Ishii <kojii@chromium.org>
+Date: Mon, 26 Jul 2021 07:09:18 +0000
+Subject: Fix nested inline box fragmentation
+
+This patch fixes when nested inline boxes are fragmented in a
+line due to bidi reordering.
+
+Before this change, the fragmented boxes are appended to the
+end of |box_data_list_|. Then when |NGInlineLayoutStateStack::
+CreateBoxFragments| creates inline boxes in the ascending
+order of |box_data_list_|, it failed to add the fragmented
+boxes into their parent inline boxes.
+
+This is critical for out-of-flow positioned objects whose
+containing block is an inline box, because they expect to be
+propagated through all ancestor inline boxes.
+
+|UpdateBoxDataFragmentRange| is a little tricky by appending
+to a vector it is iterating. Changing it to insert to the
+correct position makes the function even trickier. This patch
+changes it to add fragmented boxes to a separate vector, and
+let later process |UpdateFragmentedBoxDataEdges| to merge the
+vector to |box_data_list_|.
+
+(cherry picked from commit 9c8a39c14a9c80556468593cddf436f5047a16ce)
+
+Bug: 1227933, 1229999
+Change-Id: I7edcd209e1fdac06bab01b16d660383e7e9c37bd
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3038308
+Commit-Queue: Koji Ishii <kojii@chromium.org>
+Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#903356}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3053212
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Auto-Submit: Koji Ishii <kojii@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#145}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.cc b/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.cc
+index b257014513cb881d4531694b86c05fd21edb6732..9a3f6f3af7839ebed24f7d8a32b7f95fba66cd9a 100644
+--- a/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.cc
++++ b/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.cc
+@@ -4,6 +4,7 @@
+ 
+ #include "third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.h"
+ 
++#include "base/containers/adapters.h"
+ #include "third_party/blink/renderer/core/layout/geometry/logical_offset.h"
+ #include "third_party/blink/renderer/core/layout/geometry/logical_size.h"
+ #include "third_party/blink/renderer/core/layout/ng/inline/ng_inline_item_result.h"
+@@ -387,13 +388,14 @@ void NGInlineLayoutStateStack::UpdateAfterReorder(
+     box_data.fragment_start = box_data.fragment_end = 0;
+ 
+   // Scan children and update start/end from their box_data_index.
+-  unsigned box_count = box_data_list_.size();
++  Vector<BoxData> fragmented_boxes;
+   for (unsigned index = 0; index < line_box->size();)
+-    index = UpdateBoxDataFragmentRange(line_box, index);
++    index = UpdateBoxDataFragmentRange(line_box, index, &fragmented_boxes);
+ 
+-  // If any inline fragmentation due to BiDi reorder, adjust box edges.
+-  if (box_count != box_data_list_.size())
+-    UpdateFragmentedBoxDataEdges();
++  // If any inline fragmentation occurred due to BiDi reorder, append them and
++  // adjust box edges.
++  if (UNLIKELY(!fragmented_boxes.IsEmpty()))
++    UpdateFragmentedBoxDataEdges(&fragmented_boxes);
+ 
+ #if DCHECK_IS_ON()
+   // Check all BoxData have ranges.
+@@ -410,7 +412,8 @@ void NGInlineLayoutStateStack::UpdateAfterReorder(
+ 
+ unsigned NGInlineLayoutStateStack::UpdateBoxDataFragmentRange(
+     NGLogicalLineItems* line_box,
+-    unsigned index) {
++    unsigned index,
++    Vector<BoxData>* fragmented_boxes) {
+   // Find the first line box item that should create a box fragment.
+   for (; index < line_box->size(); index++) {
+     NGLogicalLineItem* start = &(*line_box)[index];
+@@ -438,7 +441,7 @@ unsigned NGInlineLayoutStateStack::UpdateBoxDataFragmentRange(
+       // It also changes other BoxData, but not the one we're dealing with here
+       // because the update is limited only when its |box_data_index| is lower.
+       while (end->box_data_index && end->box_data_index < box_data_index) {
+-        UpdateBoxDataFragmentRange(line_box, index);
++        UpdateBoxDataFragmentRange(line_box, index, fragmented_boxes);
+       }
+ 
+       if (box_data_index != end->box_data_index)
+@@ -453,14 +456,9 @@ unsigned NGInlineLayoutStateStack::UpdateBoxDataFragmentRange(
+     } else {
+       // This box is fragmented by BiDi reordering. Add a new BoxData for the
+       // fragmented range.
+-      box_data_list_[box_data_index - 1].fragmented_box_data_index =
+-          box_data_list_.size();
+-      // Do not use `emplace_back()` here because adding to |box_data_list_| may
+-      // reallocate the buffer, but the `BoxData` ctor must run before the
+-      // reallocation. Create a new instance and |push_back()| instead.
+-      BoxData fragmented_box_data(box_data_list_[box_data_index - 1],
+-                                  start_index, index);
+-      box_data_list_.push_back(fragmented_box_data);
++      BoxData& fragmented_box = fragmented_boxes->emplace_back(
++          box_data_list_[box_data_index - 1], start_index, index);
++      fragmented_box.fragmented_box_data_index = box_data_index;
+     }
+     // If this box has parent boxes, we need to process it again.
+     if (box_data_list_[box_data_index - 1].parent_box_data_index)
+@@ -470,7 +468,43 @@ unsigned NGInlineLayoutStateStack::UpdateBoxDataFragmentRange(
+   return index;
+ }
+ 
+-void NGInlineLayoutStateStack::UpdateFragmentedBoxDataEdges() {
++void NGInlineLayoutStateStack::UpdateFragmentedBoxDataEdges(
++    Vector<BoxData>* fragmented_boxes) {
++  DCHECK(!fragmented_boxes->IsEmpty());
++  // Append in the descending order of |fragmented_box_data_index| because the
++  // indices will change as boxes are inserted into |box_data_list_|.
++  std::sort(fragmented_boxes->begin(), fragmented_boxes->end(),
++            [](const BoxData& a, const BoxData& b) {
++              if (a.fragmented_box_data_index != b.fragmented_box_data_index) {
++                return a.fragmented_box_data_index <
++                       b.fragmented_box_data_index;
++              }
++              DCHECK_NE(a.fragment_start, b.fragment_start);
++              return a.fragment_start < b.fragment_start;
++            });
++  for (BoxData& fragmented_box : base::Reversed(*fragmented_boxes)) {
++    // Insert the fragmented box to right after the box it was fragmented from.
++    // The order in the |box_data_list_| is critical when propagating child
++    // fragment data such as OOF to ancestors.
++    const unsigned insert_at = fragmented_box.fragmented_box_data_index;
++    DCHECK_GT(insert_at, 0u);
++    fragmented_box.fragmented_box_data_index = 0;
++    box_data_list_.insert(insert_at, fragmented_box);
++
++    // Adjust box data indices by the insertion.
++    for (BoxData& box_data : box_data_list_) {
++      if (box_data.fragmented_box_data_index >= insert_at)
++        ++box_data.fragmented_box_data_index;
++    }
++
++    // Set the index of the last fragment to the original box. This is needed to
++    // update fragment edges.
++    const unsigned fragmented_from = insert_at - 1;
++    if (!box_data_list_[fragmented_from].fragmented_box_data_index)
++      box_data_list_[fragmented_from].fragmented_box_data_index = insert_at;
++  }
++
++  // Move the line-right edge to the last fragment.
+   for (BoxData& box_data : box_data_list_) {
+     if (box_data.fragmented_box_data_index)
+       box_data.UpdateFragmentEdges(box_data_list_);
+diff --git a/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.h b/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.h
+index 82ecfef8fe4d404d5713f0f67d83b38ecfbfca4c..9d079266efd7f2ccc43cef40d8d89e4fc6edda9e 100644
+--- a/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.h
++++ b/third_party/blink/renderer/core/layout/ng/inline/ng_inline_box_state.h
+@@ -156,17 +156,6 @@ class CORE_EXPORT NGInlineLayoutStateStack {
+   // reordering.
+   void UpdateAfterReorder(NGLogicalLineItems*);
+ 
+-  // Update start/end of the first BoxData found at |index|.
+-  //
+-  // If inline fragmentation is found, a new BoxData is added.
+-  //
+-  // Returns the index to process next. It should be given to the next call to
+-  // this function.
+-  unsigned UpdateBoxDataFragmentRange(NGLogicalLineItems*, unsigned index);
+-
+-  // Update edges of inline fragmented boxes.
+-  void UpdateFragmentedBoxDataEdges();
+-
+   // Compute inline positions of fragments and boxes.
+   LayoutUnit ComputeInlinePositions(NGLogicalLineItems*, LayoutUnit position);
+ 
+@@ -259,6 +248,19 @@ class CORE_EXPORT NGInlineLayoutStateStack {
+     scoped_refptr<const NGLayoutResult> CreateBoxFragment(NGLogicalLineItems*);
+   };
+ 
++  // Update start/end of the first BoxData found at |index|.
++  //
++  // If inline fragmentation is found, a new BoxData is added.
++  //
++  // Returns the index to process next. It should be given to the next call to
++  // this function.
++  unsigned UpdateBoxDataFragmentRange(NGLogicalLineItems*,
++                                      unsigned index,
++                                      Vector<BoxData>* fragmented_boxes);
++
++  // Update edges of inline fragmented boxes.
++  void UpdateFragmentedBoxDataEdges(Vector<BoxData>* fragmented_boxes);
++
+   Vector<NGInlineBoxState, 4> stack_;
+   Vector<BoxData, 4> box_data_list_;
+ 
+diff --git a/third_party/blink/web_tests/external/wpt/css/CSS2/text/crashtests/bidi-inline-fragment-oof-crash.html b/third_party/blink/web_tests/external/wpt/css/CSS2/text/crashtests/bidi-inline-fragment-oof-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..b701d2b5688ace54aa99530c12fa8143f1e6a508
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/CSS2/text/crashtests/bidi-inline-fragment-oof-crash.html
+@@ -0,0 +1,13 @@
++<!DOCTYPE html>
++<link rel="author" href="mailto:mstensho@chromium.org">
++<link rel="help" href="https://crbug.com/1229999">
++<div style="direction:rtl; width:500px">
++  <span style="border:solid">
++    <span style="position:relative">
++      <div style="display:inline-block; width:1000%; height:10px"></div>
++      <span dir="ltr">
++        <div style="position:absolute"></div>
++      </span>
++    </span>
++  </span>
++</div>

patches/chromium/cherry-pick-4ce2abc17078.patch

@@ -0,0 +1,135 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robert Flack <flackr@chromium.org>
+Date: Fri, 30 Jul 2021 18:51:38 +0000
+Subject: Forbid script execution for entire lifecycle update
+
+We should not execute script during the lifecycle update except in cases where we we know it is safe to do so, either because we will rerun the lifecycle steps if anything is invalidated (resize observers, intersection observers) or because the script does not have access to invalidate the DOM (e.g. paint worklets).
+
+(cherry picked from commit a73237da91de8aa49aaa5d9479bae51cf387f090)
+
+Bug: 1196853
+Change-Id: Id1fdbbb25107cfdc6c234123f845406c28d32914
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2815619
+Reviewed-by: Stefan Zager <szager@chromium.org>
+Commit-Queue: Robert Flack <flackr@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#901110}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3058973
+Auto-Submit: Robert Flack <flackr@chromium.org>
+Commit-Queue: Stefan Zager <szager@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4472@{#1588}
+Cr-Branched-From: 3d60439cfb36485e76a1c5bb7f513d3721b20da1-refs/heads/master@{#870763}
+
+diff --git a/third_party/blink/renderer/core/exported/web_plugin_container_impl.cc b/third_party/blink/renderer/core/exported/web_plugin_container_impl.cc
+index d3512edd4cad7b7dafbb1c3a6da5cd45ea367e79..69f8e8a598a4aefef652e603f1590c702e288b59 100644
+--- a/third_party/blink/renderer/core/exported/web_plugin_container_impl.cc
++++ b/third_party/blink/renderer/core/exported/web_plugin_container_impl.cc
+@@ -96,6 +96,7 @@
+ #include "third_party/blink/renderer/core/script/classic_script.h"
+ #include "third_party/blink/renderer/core/scroll/scroll_animator_base.h"
+ #include "third_party/blink/renderer/core/scroll/scrollbar_theme.h"
++#include "third_party/blink/renderer/platform/bindings/script_forbidden_scope.h"
+ #include "third_party/blink/renderer/platform/exported/wrapped_resource_response.h"
+ #include "third_party/blink/renderer/platform/geometry/layout_rect.h"
+ #include "third_party/blink/renderer/platform/graphics/graphics_context.h"
+@@ -804,6 +805,8 @@ void WebPluginContainerImpl::Dispose() {
+   }
+ 
+   if (web_plugin_) {
++    // Plugins may execute script on being detached during the lifecycle update.
++    ScriptForbiddenScope::AllowUserAgentScript allow_script;
+     CHECK(web_plugin_->Container() == this);
+     web_plugin_->Destroy();
+     web_plugin_ = nullptr;
+diff --git a/third_party/blink/renderer/core/frame/local_frame_view.cc b/third_party/blink/renderer/core/frame/local_frame_view.cc
+index dd320dd900b7f556c9216c7faedc2ad35588b0d7..a9e724432440c05d1b3bb9863acb4345e07f77b4 100644
+--- a/third_party/blink/renderer/core/frame/local_frame_view.cc
++++ b/third_party/blink/renderer/core/frame/local_frame_view.cc
+@@ -2484,6 +2484,7 @@ bool LocalFrameView::UpdateLifecyclePhases(
+ 
+ void LocalFrameView::UpdateLifecyclePhasesInternal(
+     DocumentLifecycle::LifecycleState target_state) {
++  ScriptForbiddenScope forbid_script;
+   // RunScrollTimelineSteps must not run more than once.
+   bool should_run_scroll_timeline_steps = true;
+ 
+@@ -2564,6 +2565,10 @@ void LocalFrameView::UpdateLifecyclePhasesInternal(
+         continue;
+     }
+ 
++    // At this point in time, script is allowed to run as we will repeat the
++    // lifecycle update if anything is invalidated.
++    ScriptForbiddenScope::AllowUserAgentScript allow_script;
++
+     // ResizeObserver and post-layout IntersectionObserver observation
+     // deliveries may dirty style and layout. RunResizeObserverSteps will return
+     // true if any observer ran that may have dirtied style or layout;
+@@ -2816,6 +2821,7 @@ bool LocalFrameView::AnyFrameIsPrintingOrPaintingPreview() {
+ }
+ 
+ void LocalFrameView::RunPaintLifecyclePhase(PaintBenchmarkMode benchmark_mode) {
++  DCHECK(ScriptForbiddenScope::IsScriptForbidden());
+   TRACE_EVENT0("blink,benchmark", "LocalFrameView::RunPaintLifecyclePhase");
+   // While printing or capturing a paint preview of a document, the paint walk
+   // is done into a special canvas. There is no point doing a normal paint step
+@@ -2850,17 +2856,11 @@ void LocalFrameView::RunPaintLifecyclePhase(PaintBenchmarkMode benchmark_mode) {
+           for (PaintLayerScrollableArea* area : *animating_scrollable_areas)
+             area->UpdateCompositorScrollAnimations();
+         }
+-        {
+-          // Updating animations can notify ready promises which could mutate
+-          // the DOM. We should delay these until we have finished the lifecycle
+-          // update. https://crbug.com/1196781
+-          ScriptForbiddenScope forbid_script;
+-          frame_view.GetLayoutView()
+-              ->GetDocument()
+-              .GetDocumentAnimations()
+-              .UpdateAnimations(DocumentLifecycle::kPaintClean,
+-                                paint_artifact_compositor_.get());
+-        }
++        frame_view.GetLayoutView()
++          ->GetDocument()
++          .GetDocumentAnimations()
++          .UpdateAnimations(DocumentLifecycle::kPaintClean,
++                            paint_artifact_compositor_.get());
+         Document& document = frame_view.GetLayoutView()->GetDocument();
+         total_animations_count +=
+             document.GetDocumentAnimations().GetAnimationsCount();
+@@ -4454,6 +4454,7 @@ void LocalFrameView::RenderThrottlingStatusChanged() {
+     // so painting the tree should just clear the previous painted output.
+     DCHECK(!IsUpdatingLifecycle());
+     AllowThrottlingScope allow_throtting(*this);
++    ScriptForbiddenScope forbid_script;
+     RunPaintLifecyclePhase();
+   }
+ 
+@@ -4989,6 +4990,7 @@ void LocalFrameView::RunPaintBenchmark(int repeat_count,
+       // quantization when the time is very small.
+       base::LapTimer timer(kWarmupRuns, kTimeLimit, kTimeCheckInterval);
+       do {
++        ScriptForbiddenScope forbid_script;
+         RunPaintLifecyclePhase(mode);
+         timer.NextLap();
+       } while (!timer.HasTimeLimitExpired());
+diff --git a/third_party/blink/renderer/modules/csspaint/paint_worklet.cc b/third_party/blink/renderer/modules/csspaint/paint_worklet.cc
+index e6e0c5b909c4d073963bcbb074bfb091a6ccb83b..618e08fbb5157c06348feee5f0120bd28ed0bc44 100644
+--- a/third_party/blink/renderer/modules/csspaint/paint_worklet.cc
++++ b/third_party/blink/renderer/modules/csspaint/paint_worklet.cc
+@@ -17,6 +17,7 @@
+ #include "third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope.h"
+ #include "third_party/blink/renderer/modules/csspaint/paint_worklet_id_generator.h"
+ #include "third_party/blink/renderer/modules/csspaint/paint_worklet_messaging_proxy.h"
++#include "third_party/blink/renderer/platform/bindings/script_forbidden_scope.h"
+ #include "third_party/blink/renderer/platform/graphics/paint_generated_image.h"
+ 
+ namespace blink {
+@@ -126,6 +127,10 @@ scoped_refptr<Image> PaintWorklet::Paint(const String& name,
+           layout_object.GetDocument(), layout_object.StyleRef(),
+           paint_definition->NativeInvalidationProperties(),
+           paint_definition->CustomInvalidationProperties());
++  // The PaintWorkletGlobalScope is sufficiently isolated that it is safe to
++  // run during the lifecycle update without concern for it causing
++  // invalidations to the lifecycle.
++  ScriptForbiddenScope::AllowUserAgentScript allow_script;
+   sk_sp<PaintRecord> paint_record = paint_definition->Paint(
+       container_size, zoom, style_map, data, device_scale_factor);
+   if (!paint_record)

patches/chromium/cherry-pick-e2123a8e0943.patch

@@ -0,0 +1,64 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tal Pressman <talp@chromium.org>
+Date: Wed, 21 Jul 2021 09:11:13 +0000
+Subject: Manually post task to bind FileUtilitiesHost.
+
+The FileUtilitiesHost binder is posted to a separate sequence, and the
+ServiceWorkerHost may be destroyed by the time the it runs, causing a
+UAF.
+This CL changes it so that, when we try to bind a new receiver, the
+host's worker_process_id() is obtained first (on the service worker's
+core thread) and then a task is posted to do the actual binding on a
+USER_VISIBLE task runner.
+
+Credit: This issue was first reported (with analysis) by
+soulchen8650@gmail.com.
+
+Bug: 1229298
+Change-Id: I6d5c05a830ba30f6cb98bf2df70a3df3333f3dd9
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3041006
+Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
+Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
+Commit-Queue: Tal Pressman <talp@google.com>
+Cr-Commit-Position: refs/heads/master@{#903832}
+
+diff --git a/content/browser/browser_interface_binders.cc b/content/browser/browser_interface_binders.cc
+index a45f9d3db09dbc4827c41c254b2b532968930e96..b6f69c1813fc9c66cc6a20205c02cb6e5d810fc5 100644
+--- a/content/browser/browser_interface_binders.cc
++++ b/content/browser/browser_interface_binders.cc
+@@ -367,10 +367,22 @@ void BindTextSuggestionHostForFrame(
+ }
+ #endif
+ 
++// Get the service worker's worker process ID and post a task to bind the
++// receiver on a USER_VISIBLE task runner.
++// This is necessary because:
++// - Binding the host itself and checking the ID on the task's thread may cause
++//   a UAF if the host has been deleted in the meantime.
++// - The process ID is not yet populated at the time `PopulateInterfaceBinders`
++//   is called.
+ void BindFileUtilitiesHost(
+-    const ServiceWorkerHost* host,
++    ServiceWorkerHost* host,
+     mojo::PendingReceiver<blink::mojom::FileUtilitiesHost> receiver) {
+-  FileUtilitiesHostImpl::Create(host->worker_process_id(), std::move(receiver));
++  auto task_runner = base::ThreadPool::CreateSequencedTaskRunner(
++      {base::MayBlock(), base::TaskPriority::USER_VISIBLE});
++  task_runner->PostTask(
++      FROM_HERE,
++      base::BindOnce(&FileUtilitiesHostImpl::Create, host->worker_process_id(),
++                     std::move(receiver)));
+ }
+ 
+ template <typename WorkerHost, typename Interface>
+@@ -1122,9 +1134,7 @@ void PopulateServiceWorkerBinders(ServiceWorkerHost* host,
+ 
+   // static binders
+   map->Add<blink::mojom::FileUtilitiesHost>(
+-      base::BindRepeating(&BindFileUtilitiesHost, host),
+-      base::ThreadPool::CreateSequencedTaskRunner(
+-          {base::MayBlock(), base::TaskPriority::USER_VISIBLE}));
++      base::BindRepeating(&BindFileUtilitiesHost, host));
+   map->Add<shape_detection::mojom::BarcodeDetectionProvider>(
+       base::BindRepeating(&BindBarcodeDetectionProvider));
+   map->Add<shape_detection::mojom::FaceDetectionProvider>(

patches/sqlite/.patches

@@ -1 +1,2 @@
 utf-8_q_when_20constructing_20the_20synthensized_20select_20sta.patch
+sqlite_fix_an_undefined-integer-overflow_problem_in_fts3_c.patch

patches/sqlite/sqlite_fix_an_undefined-integer-overflow_problem_in_fts3_c.patch

@@ -0,0 +1,157 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darwin Huang <huangdarwin@chromium.org>
+Date: Wed, 19 May 2021 14:13:15 -0700
+Subject: sqlite: Fix an undefined-integer-overflow problem in fts3.c.
+
+Original change: https://sqlite.org/src/info/a0bf931bd712037e
+
+Bug: 1204066
+Change-Id: I34704f1cfe36672d10065f4103c91fb4f35d3895
+
+diff --git a/amalgamation/sqlite3.c b/amalgamation/sqlite3.c
+index d19e25f98d37686a7fd1bfefe4bd044575abf5d4..175c55f86fa02cbe443b53f656519879f9192765 100644
+--- a/amalgamation/sqlite3.c
++++ b/amalgamation/sqlite3.c
+@@ -169123,7 +169123,7 @@ static int fts3ScanInteriorNode(
+   char *zBuffer = 0;              /* Buffer to load terms into */
+   i64 nAlloc = 0;                 /* Size of allocated buffer */
+   int isFirstTerm = 1;            /* True when processing first term on page */
+-  sqlite3_int64 iChild;           /* Block id of child node to descend to */
++  u64 iChild;                     /* Block id of child node to descend to */
+   int nBuffer = 0;                /* Total term size */
+ 
+   /* Skip over the 'height' varint that occurs at the start of every
+@@ -169139,8 +169139,8 @@ static int fts3ScanInteriorNode(
+   ** table, then there are always 20 bytes of zeroed padding following the
+   ** nNode bytes of content (see sqlite3Fts3ReadBlock() for details).
+   */
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
+   if( zCsr>zEnd ){
+     return FTS_CORRUPT_VTAB;
+   }
+@@ -169193,20 +169193,20 @@ static int fts3ScanInteriorNode(
+     */
+     cmp = memcmp(zTerm, zBuffer, (nBuffer>nTerm ? nTerm : nBuffer));
+     if( piFirst && (cmp<0 || (cmp==0 && nBuffer>nTerm)) ){
+-      *piFirst = iChild;
++      *piFirst = (i64)iChild;
+       piFirst = 0;
+     }
+ 
+     if( piLast && cmp<0 ){
+-      *piLast = iChild;
++      *piLast = (i64)iChild;
+       piLast = 0;
+     }
+ 
+     iChild++;
+   };
+ 
+-  if( piFirst ) *piFirst = iChild;
+-  if( piLast ) *piLast = iChild;
++  if( piFirst ) *piFirst = (i64)iChild;
++  if( piLast ) *piLast = (i64)iChild;
+ 
+  finish_scan:
+   sqlite3_free(zBuffer);
+diff --git a/amalgamation_dev/sqlite3.c b/amalgamation_dev/sqlite3.c
+index f4c985513fb7cac3930fe9706ddfc5c440dd3e85..c3ec02ed9124d59ee008548491b2b30e996472ef 100644
+--- a/amalgamation_dev/sqlite3.c
++++ b/amalgamation_dev/sqlite3.c
+@@ -169636,7 +169636,7 @@ static int fts3ScanInteriorNode(
+   char *zBuffer = 0;              /* Buffer to load terms into */
+   i64 nAlloc = 0;                 /* Size of allocated buffer */
+   int isFirstTerm = 1;            /* True when processing first term on page */
+-  sqlite3_int64 iChild;           /* Block id of child node to descend to */
++  u64 iChild;                     /* Block id of child node to descend to */
+   int nBuffer = 0;                /* Total term size */
+ 
+   /* Skip over the 'height' varint that occurs at the start of every
+@@ -169652,8 +169652,8 @@ static int fts3ScanInteriorNode(
+   ** table, then there are always 20 bytes of zeroed padding following the
+   ** nNode bytes of content (see sqlite3Fts3ReadBlock() for details).
+   */
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
+   if( zCsr>zEnd ){
+     return FTS_CORRUPT_VTAB;
+   }
+@@ -169706,20 +169706,20 @@ static int fts3ScanInteriorNode(
+     */
+     cmp = memcmp(zTerm, zBuffer, (nBuffer>nTerm ? nTerm : nBuffer));
+     if( piFirst && (cmp<0 || (cmp==0 && nBuffer>nTerm)) ){
+-      *piFirst = iChild;
++      *piFirst = (i64)iChild;
+       piFirst = 0;
+     }
+ 
+     if( piLast && cmp<0 ){
+-      *piLast = iChild;
++      *piLast = (i64)iChild;
+       piLast = 0;
+     }
+ 
+     iChild++;
+   };
+ 
+-  if( piFirst ) *piFirst = iChild;
+-  if( piLast ) *piLast = iChild;
++  if( piFirst ) *piFirst = (i64)iChild;
++  if( piLast ) *piLast = (i64)iChild;
+ 
+  finish_scan:
+   sqlite3_free(zBuffer);
+diff --git a/ext/fts3/fts3.c b/ext/fts3/fts3.c
+index 79dc5c88ceacb823d16889bd36250597361d6186..62b31373c3c3e9b61b3e1daae8d87d9393779b61 100644
+--- a/ext/fts3/fts3.c
++++ b/ext/fts3/fts3.c
+@@ -1897,7 +1897,7 @@ static int fts3ScanInteriorNode(
+   char *zBuffer = 0;              /* Buffer to load terms into */
+   i64 nAlloc = 0;                 /* Size of allocated buffer */
+   int isFirstTerm = 1;            /* True when processing first term on page */
+-  sqlite3_int64 iChild;           /* Block id of child node to descend to */
++  u64 iChild;                     /* Block id of child node to descend to */
+   int nBuffer = 0;                /* Total term size */
+ 
+   /* Skip over the 'height' varint that occurs at the start of every 
+@@ -1913,8 +1913,8 @@ static int fts3ScanInteriorNode(
+   ** table, then there are always 20 bytes of zeroed padding following the
+   ** nNode bytes of content (see sqlite3Fts3ReadBlock() for details).
+   */
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
+-  zCsr += sqlite3Fts3GetVarint(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
++  zCsr += sqlite3Fts3GetVarintU(zCsr, &iChild);
+   if( zCsr>zEnd ){
+     return FTS_CORRUPT_VTAB;
+   }
+@@ -1967,20 +1967,20 @@ static int fts3ScanInteriorNode(
+     */
+     cmp = memcmp(zTerm, zBuffer, (nBuffer>nTerm ? nTerm : nBuffer));
+     if( piFirst && (cmp<0 || (cmp==0 && nBuffer>nTerm)) ){
+-      *piFirst = iChild;
++      *piFirst = (i64)iChild;
+       piFirst = 0;
+     }
+ 
+     if( piLast && cmp<0 ){
+-      *piLast = iChild;
++      *piLast = (i64)iChild;
+       piLast = 0;
+     }
+ 
+     iChild++;
+   };
+ 
+-  if( piFirst ) *piFirst = iChild;
+-  if( piLast ) *piLast = iChild;
++  if( piFirst ) *piFirst = (i64)iChild;
++  if( piLast ) *piLast = (i64)iChild;
+ 
+  finish_scan:
+   sqlite3_free(zBuffer);

patches/v8/.patches

@@ -26,3 +26,5 @@ cherry-pick-b9ad6a864c79.patch
 cherry-pick-50de6a8ddad9.patch
 cherry-pick-e76178b896f2.patch
 merged_compiler_fix_a_bug_in.patch
+cherry-pick-1234770.patch
+cherry-pick-1234764.patch

patches/v8/cherry-pick-1234764.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <neis@chromium.org>
+Date: Tue, 10 Aug 2021 09:29:33 +0200
+Subject: Merged: [compiler] Harden
+ JSCallReducer::ReduceArrayIteratorPrototypeNext
+
+Revision: 65b20a0e65e1078f5dd230a5203e231bec790ab4
+
+BUG=chromium:1234764
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+R=vahl@chromium.org
+
+Change-Id: I45faf253695011092de144c8e29bafac5337adec
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3084363
+Reviewed-by: Lutz Vahl <vahl@chromium.org>
+Commit-Queue: Georg Neis <neis@chromium.org>
+Cr-Commit-Position: refs/branch-heads/9.2@{#53}
+Cr-Branched-From: 51238348f95a1f5e0acc321efac7942d18a687a2-refs/heads/9.2.230@{#1}
+Cr-Branched-From: 587a04f02ab0487d194b55a7137dc2045e071597-refs/heads/master@{#74656}
+
+diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
+index 2c7b6788953092ffb3cf6fa75501dcbb02dce581..56f0ca99e252e715c9792222f95397950a451149 100644
+--- a/src/compiler/js-call-reducer.cc
++++ b/src/compiler/js-call-reducer.cc
+@@ -5854,11 +5854,12 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
+   Node* etrue = effect;
+   Node* if_true = graph()->NewNode(common()->IfTrue(), branch);
+   {
+-    // We know that the {index} is range of the {length} now.
++    // This extra check exists to refine the type of {index} but also to break
++    // an exploitation technique that abuses typer mismatches.
+     index = etrue = graph()->NewNode(
+-        common()->TypeGuard(
+-            Type::Range(0.0, length_access.type.Max() - 1.0, graph()->zone())),
+-        index, etrue, if_true);
++        simplified()->CheckBounds(p.feedback(),
++                                  CheckBoundsFlag::kAbortOnOutOfBounds),
++        index, length, etrue, if_true);
+ 
+     done_true = jsgraph()->FalseConstant();
+     if (iteration_kind == IterationKind::kKeys) {

patches/v8/cherry-pick-1234770.patch

@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <neis@chromium.org>
+Date: Mon, 9 Aug 2021 09:57:12 +0200
+Subject: Merged: [compiler] Fix a bug in MachineOperatorReducer's
+ BitfieldCheck
+
+Revision: 574ca6b71c6160d38b5fcf4b8e133bc7f6ba2387
+
+BUG=chromium:1234770
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+R=nicohartmann@chromium.org
+
+Change-Id: I15af5a94e89b54c2a540442c3544ed459b832e0a
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080564
+Reviewed-by: Lutz Vahl <vahl@chromium.org>
+Commit-Queue: Georg Neis <neis@chromium.org>
+Cr-Commit-Position: refs/branch-heads/9.3@{#21}
+Cr-Branched-From: 7744dce208a555494e4a33e24fadc71ea20b3895-refs/heads/9.3.345@{#1}
+Cr-Branched-From: 4b6b4cabf3b6a20cdfda72b369df49f3311c4344-refs/heads/master@{#75728}
+
+diff --git a/src/compiler/machine-operator-reducer.cc b/src/compiler/machine-operator-reducer.cc
+index 918caaf8fd446750d9d4c38350b3af2f25c9a91f..facfadc3ca99f9d2a554f17b577a3833a9974470 100644
+--- a/src/compiler/machine-operator-reducer.cc
++++ b/src/compiler/machine-operator-reducer.cc
+@@ -1706,11 +1706,21 @@ Reduction MachineOperatorReducer::ReduceWordNAnd(Node* node) {
+ namespace {
+ 
+ // Represents an operation of the form `(source & mask) == masked_value`.
++// where each bit set in masked_value also has to be set in mask.
+ struct BitfieldCheck {
+-  Node* source;
+-  uint32_t mask;
+-  uint32_t masked_value;
+-  bool truncate_from_64_bit;
++  Node* const source;
++  uint32_t const mask;
++  uint32_t const masked_value;
++  bool const truncate_from_64_bit;
++
++  BitfieldCheck(Node* source, uint32_t mask, uint32_t masked_value,
++                bool truncate_from_64_bit)
++      : source(source),
++        mask(mask),
++        masked_value(masked_value),
++        truncate_from_64_bit(truncate_from_64_bit) {
++    CHECK_EQ(masked_value & ~mask, 0);
++  }
+ 
+   static base::Optional<BitfieldCheck> Detect(Node* node) {
+     // There are two patterns to check for here:
+@@ -1725,14 +1735,16 @@ struct BitfieldCheck {
+       if (eq.left().IsWord32And()) {
+         Uint32BinopMatcher mand(eq.left().node());
+         if (mand.right().HasResolvedValue() && eq.right().HasResolvedValue()) {
+-          BitfieldCheck result{mand.left().node(), mand.right().ResolvedValue(),
+-                               eq.right().ResolvedValue(), false};
++          uint32_t mask = mand.right().ResolvedValue();
++          uint32_t masked_value = eq.right().ResolvedValue();
++          if ((masked_value & ~mask) != 0) return {};
+           if (mand.left().IsTruncateInt64ToInt32()) {
+-            result.truncate_from_64_bit = true;
+-            result.source =
+-                NodeProperties::GetValueInput(mand.left().node(), 0);
++            return BitfieldCheck(
++                NodeProperties::GetValueInput(mand.left().node(), 0), mask,
++                masked_value, true);
++          } else {
++            return BitfieldCheck(mand.left().node(), mask, masked_value, false);
+           }
+-          return result;
+         }
+       }
+     } else {

script/node-disabled-tests.json

@@ -14,6 +14,8 @@
   "parallel/test-child-process-fork-exec-path",
   "parallel/test-cli-node-print-help",
   "parallel/test-code-cache",
+  "parallel/test-cluster-bind-privileged-port",
+  "parallel/test-cluster-shared-handle-bind-privileged-port",
   "parallel/test-crypto",
   "parallel/test-crypto-aes-wrap",
   "parallel/test-crypto-authenticated",

script/release/release-artifact-cleanup.js

@@ -26,6 +26,7 @@ function getLastBumpCommit (tag) {
 async function revertBumpCommit (tag) {
   const branch = await getCurrentBranch();
   const commitToRevert = getLastBumpCommit(tag).hash;
+  await GitProcess.exec(['pull', '--rebase']);
   await GitProcess.exec(['revert', commitToRevert], ELECTRON_DIR);
   const pushDetails = await GitProcess.exec(['push', 'origin', `HEAD:${branch}`, '--follow-tags'], ELECTRON_DIR);
   if (pushDetails.exitCode === 0) {

shell/browser/api/electron_api_menu.cc

@@ -236,7 +236,7 @@ base::string16 Menu::GetToolTipAt(int index) const {
   return model_->GetToolTipAt(index);
 }
 
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
 base::string16 Menu::GetAcceleratorTextAtForTesting(int index) const {
   ui::Accelerator accelerator;
   model_->GetAcceleratorAtWithParams(index, true, &accelerator);
@@ -297,7 +297,7 @@ v8::Local<v8::ObjectTemplate> Menu::FillObjectTemplate(
       .SetMethod("isVisibleAt", &Menu::IsVisibleAt)
       .SetMethod("popupAt", &Menu::PopupAt)
       .SetMethod("closePopupAt", &Menu::ClosePopupAt)
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
       .SetMethod("getAcceleratorTextAt", &Menu::GetAcceleratorTextAtForTesting)
 #endif
       .Build();

shell/browser/api/electron_api_menu.h

@@ -78,7 +78,7 @@ class Menu : public gin::Wrappable<Menu>,
                        int positioning_item,
                        base::OnceClosure callback) = 0;
   virtual void ClosePopupAt(int32_t window_id) = 0;
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
   virtual base::string16 GetAcceleratorTextAtForTesting(int index) const;
 #endif
 

shell/browser/api/electron_api_menu_mac.h

@@ -35,7 +35,7 @@ class MenuMac : public Menu {
                  int positioning_item,
                  base::OnceClosure callback);
   void ClosePopupAt(int32_t window_id) override;
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
   base::string16 GetAcceleratorTextAtForTesting(int index) const override;
 #endif
 

shell/browser/api/electron_api_menu_mac.mm

@@ -127,7 +127,7 @@ void MenuMac::ClosePopupAt(int32_t window_id) {
                                                    std::move(close_popup));
 }
 
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
 base::string16 MenuMac::GetAcceleratorTextAtForTesting(int index) const {
   // A least effort to get the real shortcut text of NSMenuItem, the code does
   // not need to be perfect since it is test only.

shell/browser/api/electron_api_web_contents.cc

@@ -1230,31 +1230,29 @@ void WebContents::OnEnterFullscreenModeForTab(
     content::RenderFrameHost* requesting_frame,
     const blink::mojom::FullscreenOptions& options,
     bool allowed) {
-  if (!allowed)
-    return;
-  if (!owner_window_)
+  if (!allowed || !owner_window_)
     return;
+
   auto* source = content::WebContents::FromRenderFrameHost(requesting_frame);
   if (IsFullscreenForTabOrPending(source)) {
     DCHECK_EQ(fullscreen_frame_, source->GetFocusedFrame());
     return;
   }
+
   SetHtmlApiFullscreen(true);
-  owner_window_->NotifyWindowEnterHtmlFullScreen();
 
   if (native_fullscreen_) {
     // Explicitly trigger a view resize, as the size is not actually changing if
     // the browser is fullscreened, too.
     source->GetRenderViewHost()->GetWidget()->SynchronizeVisualProperties();
   }
-  Emit("enter-html-full-screen");
 }
 
 void WebContents::ExitFullscreenModeForTab(content::WebContents* source) {
   if (!owner_window_)
     return;
+
   SetHtmlApiFullscreen(false);
-  owner_window_->NotifyWindowLeaveHtmlFullScreen();
 
   if (native_fullscreen_) {
     // Explicitly trigger a view resize, as the size is not actually changing if
@@ -1262,7 +1260,6 @@ void WebContents::ExitFullscreenModeForTab(content::WebContents* source) {
     // `chrome/browser/ui/exclusive_access/fullscreen_controller.cc`.
     source->GetRenderViewHost()->GetWidget()->SynchronizeVisualProperties();
   }
-  Emit("leave-html-full-screen");
 }
 
 void WebContents::RendererUnresponsive(
@@ -3467,6 +3464,30 @@ void WebContents::DevToolsSearchInPath(int request_id,
                           file_system_path));
 }
 
+void WebContents::DevToolsSetEyeDropperActive(bool active) {
+  auto* web_contents = GetWebContents();
+  if (!web_contents)
+    return;
+
+  if (active) {
+    eye_dropper_ = std::make_unique<DevToolsEyeDropper>(
+        web_contents, base::BindRepeating(&WebContents::ColorPickedInEyeDropper,
+                                          base::Unretained(this)));
+  } else {
+    eye_dropper_.reset();
+  }
+}
+
+void WebContents::ColorPickedInEyeDropper(int r, int g, int b, int a) {
+  base::DictionaryValue color;
+  color.SetInteger("r", r);
+  color.SetInteger("g", g);
+  color.SetInteger("b", b);
+  color.SetInteger("a", a);
+  inspectable_web_contents_->CallClientFunction(
+      "DevToolsAPI.eyeDropperPickedColor", &color, nullptr, nullptr);
+}
+
 #if defined(TOOLKIT_VIEWS) && !defined(OS_MAC)
 gfx::ImageSkia WebContents::GetDevToolsWindowIcon() {
   if (!owner_window())
@@ -3561,7 +3582,7 @@ void WebContents::SetHtmlApiFullscreen(bool enter_fullscreen) {
 }
 
 void WebContents::UpdateHtmlApiFullscreen(bool fullscreen) {
-  if (fullscreen == html_fullscreen_)
+  if (fullscreen == is_html_fullscreen())
     return;
 
   html_fullscreen_ = fullscreen;
@@ -3572,11 +3593,19 @@ void WebContents::UpdateHtmlApiFullscreen(bool fullscreen) {
       ->GetWidget()
       ->SynchronizeVisualProperties();
 
-  // The embedder WebContents is spearated from the frame tree of webview, so
+  // The embedder WebContents is separated from the frame tree of webview, so
   // we must manually sync their fullscreen states.
   if (embedder_)
     embedder_->SetHtmlApiFullscreen(fullscreen);
 
+  if (fullscreen) {
+    Emit("enter-html-full-screen");
+    owner_window_->NotifyWindowEnterHtmlFullScreen();
+  } else {
+    Emit("leave-html-full-screen");
+    owner_window_->NotifyWindowLeaveHtmlFullScreen();
+  }
+
   // Make sure all child webviews quit html fullscreen.
   if (!fullscreen && !IsGuest()) {
     auto* manager = WebViewManager::GetWebViewManager(web_contents());

shell/browser/api/electron_api_web_contents.h

@@ -14,6 +14,7 @@
 #include "base/memory/weak_ptr.h"
 #include "base/observer_list.h"
 #include "base/observer_list_types.h"
+#include "chrome/browser/devtools/devtools_eye_dropper.h"
 #include "chrome/browser/devtools/devtools_file_system_indexer.h"
 #include "content/common/cursors/webcursor.h"
 #include "content/common/frame.mojom.h"
@@ -665,6 +666,7 @@ class WebContents : public gin::Wrappable<WebContents>,
   void DevToolsSearchInPath(int request_id,
                             const std::string& file_system_path,
                             const std::string& query) override;
+  void DevToolsSetEyeDropperActive(bool active) override;
 
   // InspectableWebContentsViewDelegate:
 #if defined(TOOLKIT_VIEWS) && !defined(OS_MAC)
@@ -678,6 +680,8 @@ class WebContents : public gin::Wrappable<WebContents>,
   // Destroy the managed InspectableWebContents object.
   void ResetManagedWebContents(bool async);
 
+  void ColorPickedInEyeDropper(int r, int g, int b, int a);
+
   // DevTools index event callbacks.
   void OnDevToolsIndexingWorkCalculated(int request_id,
                                         const std::string& file_system_path,
@@ -749,6 +753,8 @@ class WebContents : public gin::Wrappable<WebContents>,
 
   scoped_refptr<DevToolsFileSystemIndexer> devtools_file_system_indexer_;
 
+  std::unique_ptr<DevToolsEyeDropper> eye_dropper_;
+
   ElectronBrowserContext* browser_context_;
 
   // The stored InspectableWebContents object.

shell/browser/resources/win/electron.rc

@@ -50,8 +50,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 12,0,16,0
- PRODUCTVERSION 12,0,16,0
+ FILEVERSION 12,1,0,0
+ PRODUCTVERSION 12,1,0,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -68,12 +68,12 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "GitHub, Inc."
             VALUE "FileDescription", "Electron"
-            VALUE "FileVersion", "12.0.16"
+            VALUE "FileVersion", "12.1.0"
             VALUE "InternalName", "electron.exe"
             VALUE "LegalCopyright", "Copyright (C) 2015 GitHub, Inc. All rights reserved."
             VALUE "OriginalFilename", "electron.exe"
             VALUE "ProductName", "Electron"
-            VALUE "ProductVersion", "12.0.16"
+            VALUE "ProductVersion", "12.1.0"
             VALUE "SquirrelAwareVersion", "1"
         END
     END

shell/browser/ui/inspectable_web_contents.cc

@@ -787,7 +787,10 @@ void InspectableWebContents::SearchInPath(int request_id,
 void InspectableWebContents::SetWhitelistedShortcuts(
     const std::string& message) {}
 
-void InspectableWebContents::SetEyeDropperActive(bool active) {}
+void InspectableWebContents::SetEyeDropperActive(bool active) {
+  if (delegate_)
+    delegate_->DevToolsSetEyeDropperActive(active);
+}
 void InspectableWebContents::ShowCertificateViewer(
     const std::string& cert_chain) {}
 

shell/browser/ui/inspectable_web_contents_delegate.h

@@ -35,6 +35,7 @@ class InspectableWebContentsDelegate {
   virtual void DevToolsSearchInPath(int request_id,
                                     const std::string& file_system_path,
                                     const std::string& query) {}
+  virtual void DevToolsSetEyeDropperActive(bool active) {}
 };
 
 }  // namespace electron

shell/common/api/electron_api_native_image_win.cc

@@ -12,6 +12,7 @@
 #include <string>
 #include <vector>
 
+#include "base/win/scoped_com_initializer.h"
 #include "shell/common/gin_converters/image_converter.h"
 #include "shell/common/gin_helper/promise.h"
 #include "shell/common/skia_util.h"
@@ -26,6 +27,8 @@ v8::Local<v8::Promise> NativeImage::CreateThumbnailFromPath(
     v8::Isolate* isolate,
     const base::FilePath& path,
     const gfx::Size& size) {
+  base::win::ScopedCOMInitializer scoped_com_initializer;
+
   gin_helper::Promise<gfx::Image> promise(isolate);
   v8::Local<v8::Promise> handle = promise.GetHandle();
   HRESULT hr;

shell/common/api/electron_api_v8_util.cc

@@ -107,7 +107,7 @@ bool IsSameOrigin(const GURL& l, const GURL& r) {
   return url::Origin::Create(l).IsSameOriginWith(url::Origin::Create(r));
 }
 
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
 std::vector<v8::Global<v8::Value>> weakly_tracked_values;
 
 void WeaklyTrackValue(v8::Isolate* isolate, v8::Local<v8::Value> value) {
@@ -157,7 +157,7 @@ void Initialize(v8::Local<v8::Object> exports,
   dict.SetMethod("requestGarbageCollectionForTesting",
                  &RequestGarbageCollectionForTesting);
   dict.SetMethod("isSameOrigin", &IsSameOrigin);
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
   dict.SetMethod("triggerFatalErrorForTesting", &TriggerFatalErrorForTesting);
   dict.SetMethod("getWeaklyTrackedValues", &GetWeaklyTrackedValues);
   dict.SetMethod("clearWeaklyTrackedValues", &ClearWeaklyTrackedValues);

shell/renderer/api/electron_api_context_bridge.cc

@@ -678,7 +678,7 @@ void Initialize(v8::Local<v8::Object> exports,
                  &electron::api::OverrideGlobalPropertyFromIsolatedWorld);
   dict.SetMethod("_isCalledFromMainWorld",
                  &electron::api::IsCalledFromMainWorld);
-#ifdef DCHECK_IS_ON
+#if DCHECK_IS_ON()
   dict.Set("_isDebug", true);
 #endif
 }

spec-main/webview-spec.ts

@@ -458,6 +458,34 @@ describe('<webview> tag', function () {
       await delay(0);
       expect(w.isFullScreen()).to.be.false();
     });
+
+    it('pressing ESC should emit the leave-html-full-screen event', async () => {
+      const w = new BrowserWindow({
+        show: false,
+        webPreferences: {
+          webviewTag: true,
+          nodeIntegration: true,
+          contextIsolation: false
+        }
+      });
+
+      const didAttachWebview = emittedOnce(w.webContents, 'did-attach-webview');
+      w.loadFile(path.join(fixtures, 'pages', 'webview-did-attach-event.html'));
+
+      const [, webContents] = await didAttachWebview;
+
+      const enterFSWindow = emittedOnce(w, 'enter-html-full-screen');
+      const enterFSWebview = emittedOnce(webContents, 'enter-html-full-screen');
+      await webContents.executeJavaScript('document.getElementById("div").requestFullscreen()', true);
+      await enterFSWindow;
+      await enterFSWebview;
+
+      const leaveFSWindow = emittedOnce(w, 'leave-html-full-screen');
+      const leaveFSWebview = emittedOnce(webContents, 'leave-html-full-screen');
+      webContents.sendInputEvent({ type: 'keyDown', keyCode: 'Escape' });
+      await leaveFSWindow;
+      await leaveFSWebview;
+    });
   });
 
   describe('nativeWindowOpen option', () => {

spec/fixtures/pages/a.html

@@ -3,6 +3,7 @@
 <link rel="icon" type="image/png" href="http://test.com/favicon.png"/>
 <meta http-equiv="content-security-policy" content="script-src 'self' 'unsafe-inline'" />
 <body>
+<div id="div">Hello World</div>
 <script type="text/javascript" charset="utf-8">
   console.log('a');
   document.title = "test"