Bump v13.6.1

Co-authored-by: Milan Burda <milan.burda@gmail.com>

ELECTRON_VERSION

@@ -1 +1 @@
-13.2.3
+13.6.1

chromium_src/BUILD.gn

@@ -66,8 +66,11 @@ static_library("chrome") {
       "//chrome/browser/extensions/global_shortcut_listener_win.cc",
       "//chrome/browser/extensions/global_shortcut_listener_win.h",
       "//chrome/browser/icon_loader_win.cc",
+      "//chrome/browser/ui/frame/window_frame_util.h",
+      "//chrome/browser/ui/view_ids.h",
       "//chrome/browser/win/chrome_process_finder.cc",
       "//chrome/browser/win/chrome_process_finder.h",
+      "//chrome/browser/win/titlebar_config.h",
       "//chrome/child/v8_crashpad_support_win.cc",
       "//chrome/child/v8_crashpad_support_win.h",
     ]
@@ -347,17 +350,13 @@ source_set("plugins") {
   sources += [
     "//chrome/renderer/pepper/chrome_renderer_pepper_host_factory.cc",
     "//chrome/renderer/pepper/chrome_renderer_pepper_host_factory.h",
+    "//chrome/renderer/pepper/pepper_flash_font_file_host.cc",
+    "//chrome/renderer/pepper/pepper_flash_font_file_host.h",
     "//chrome/renderer/pepper/pepper_shared_memory_message_filter.cc",
     "//chrome/renderer/pepper/pepper_shared_memory_message_filter.h",
   ]
   if (enable_pdf_viewer) {
-    sources += [
-      "//chrome/renderer/pepper/pepper_flash_font_file_host.cc",
-      "//chrome/renderer/pepper/pepper_flash_font_file_host.h",
-    ]
-    if (enable_pdf_viewer) {
-      deps += [ "//components/pdf/renderer" ]
-    }
+    deps += [ "//components/pdf/renderer" ]
   }
   deps += [
     "//components/strings",

docs/api/auto-updater.md

@@ -43,7 +43,7 @@ The installer generated with Squirrel will create a shortcut icon with an
 same ID for your app with `app.setAppUserModelId` API, otherwise Windows will
 not be able to pin your app properly in task bar.
 
-Unlike Squirrel.Mac, Windows can host updates on S3 or any other static file host.
+Like Squirrel.Mac, Windows can host updates on S3 or any other static file host.
 You can read the documents of [Squirrel.Windows][squirrel-windows] to get more details
 about how Squirrel.Windows works.
 

docs/api/browser-window.md

@@ -213,16 +213,13 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
     * `followWindow` - The backdrop should automatically appear active when the window is active, and inactive when it is not. This is the default.
     * `active` - The backdrop should always appear active.
     * `inactive` - The backdrop should always appear inactive.
-  * `titleBarStyle` String (optional) - The style of window title bar.
+  * `titleBarStyle` String (optional) _macOS_ _Windows_ - The style of window title bar.
     Default is `default`. Possible values are:
-    * `default` - Results in the standard gray opaque Mac title
-      bar.
-    * `hidden` - Results in a hidden title bar and a full size content window, yet
-      the title bar still has the standard window controls ("traffic lights") in
-      the top left.
-    * `hiddenInset` - Results in a hidden title bar with an alternative look
+    * `default` - Results in the standard title bar for macOS or Windows respectively.
+    * `hidden` - Results in a hidden title bar and a full size content window. On macOS, the window still has the standard window controls (“traffic lights”) in the top left. On Windows, when combined with `titleBarOverlay: true` it will activate the Window Controls Overlay (see `titleBarOverlay` for more information), otherwise no window controls will be shown.
+    * `hiddenInset` - Only on macOS, results in a hidden title bar with an alternative look
       where the traffic light buttons are slightly more inset from the window edge.
-    * `customButtonsOnHover` - Results in a hidden title bar and a full size
+    * `customButtonsOnHover` - Only on macOS, results in a hidden title bar and a full size
       content window, the traffic light buttons will display when being hovered
       over in the top left of the window.  **Note:** This option is currently
       experimental.
@@ -403,6 +400,7 @@ It creates a new `BrowserWindow` with native properties as set by the `options`.
       contain the layout of the document—without requiring scrolling. Enabling
       this will cause the `preferred-size-changed` event to be emitted on the
       `WebContents` when the preferred size changes. Default is `false`.
+  * `titleBarOverlay` [OverlayOptions](structures/overlay-options.md) | Boolean (optional) -  When using a frameless window in conjuction with `win.setWindowButtonVisibility(true)` on macOS or using a `titleBarStyle` so that the standard window controls ("traffic lights" on macOS) are visible, this property enables the Window Controls Overlay [JavaScript APIs][overlay-javascript-apis] and [CSS Environment Variables][overlay-css-env-vars]. Specifying `true` will result in an overlay with default system colors. Default is `false`.  On Windows, the [OverlayOptions](structures/overlay-options.md) can be used instead of a boolean to specify colors for the overlay.
 
 When setting minimum or maximum window size with `minWidth`/`maxWidth`/
 `minHeight`/`maxHeight`, it only constrains the users. It won't prevent you from
@@ -985,7 +983,7 @@ the player itself we would call this function with arguments of 16/9 and
 are within the content view--only that they exist. Sum any extra width and
 height areas you have within the overall content view.
 
-The aspect ratio is not respected when window is resized programmingly with
+The aspect ratio is not respected when window is resized programmatically with
 APIs like `win.setSize`.
 
 #### `win.setBackgroundColor(backgroundColor)`
@@ -1689,7 +1687,7 @@ current window into a top-level window.
 
 #### `win.getParentWindow()`
 
-Returns `BrowserWindow` - The parent window.
+Returns `BrowserWindow | null` - The parent window or `null` if there is no parent.
 
 #### `win.getChildWindows()`
 
@@ -1809,3 +1807,5 @@ removed in future Electron releases.
 [window-levels]: https://developer.apple.com/documentation/appkit/nswindow/level
 [chrome-content-scripts]: https://developer.chrome.com/extensions/content_scripts#execution-environment
 [event-emitter]: https://nodejs.org/api/events.html#events_class_eventemitter
+[overlay-javascript-apis]: https://github.com/WICG/window-controls-overlay/blob/main/explainer.md#javascript-apis
+[overlay-css-env-vars]: https://github.com/WICG/window-controls-overlay/blob/main/explainer.md#css-environment-variables

docs/api/frameless-window.md

@@ -18,17 +18,17 @@ const win = new BrowserWindow({ width: 800, height: 600, frame: false })
 win.show()
 ```
 
-### Alternatives on macOS
+### Alternatives
 
-There's an alternative way to specify a chromeless window.
+There's an alternative way to specify a chromeless window on macOS and Windows.
 Instead of setting `frame` to `false` which disables both the titlebar and window controls,
 you may want to have the title bar hidden and your content extend to the full window size,
-yet still preserve the window controls ("traffic lights") for standard window actions.
+yet still preserve the window controls ("traffic lights" on macOS) for standard window actions.
 You can do so by specifying the `titleBarStyle` option:
 
 #### `hidden`
 
-Results in a hidden title bar and a full size content window, yet the title bar still has the standard window controls (“traffic lights”) in the top left.
+Results in a hidden title bar and a full size content window. On macOS, the title bar still has the standard window controls (“traffic lights”) in the top left.
 
 ```javascript
 const { BrowserWindow } = require('electron')
@@ -36,6 +36,8 @@ const win = new BrowserWindow({ titleBarStyle: 'hidden' })
 win.show()
 ```
 
+### Alternatives on macOS
+
 #### `hiddenInset`
 
 Results in a hidden title bar with an alternative look where the traffic light buttons are slightly more inset from the window edge.
@@ -61,6 +63,35 @@ const win = new BrowserWindow({ titleBarStyle: 'customButtonsOnHover', frame: fa
 win.show()
 ```
 
+## Windows Control Overlay
+
+When using a frameless window in conjuction with `win.setWindowButtonVisibility(true)` on macOS, using one of the `titleBarStyle`s as described above so
+that the traffic lights are visible, or using `titleBarStyle: hidden` on Windows, you can access the Window Controls Overlay [JavaScript APIs][overlay-javascript-apis] and
+[CSS Environment Variables][overlay-css-env-vars] by setting the `titleBarOverlay` option to true. Specifying `true` will result in an overlay with default system colors.
+
+On Windows, you can also specify the color of the overlay and its symbols by setting `titleBarOverlay` to an object with the options `color` and `symbolColor`. If an option is not specified, the color will default to its system color for the window control buttons:
+
+```javascript
+const { BrowserWindow } = require('electron')
+const win = new BrowserWindow({
+  titleBarStyle: 'hidden',
+  titleBarOverlay: true
+})
+win.show()
+```
+
+```javascript
+const { BrowserWindow } = require('electron')
+const win = new BrowserWindow({
+  titleBarStyle: 'hidden',
+  titleBarOverlay: {
+    color: '#2f3241',
+    symbolColor: '#74b1be'
+  }
+})
+win.show()
+```
+
 ## Transparent window
 
 By setting the `transparent` option to `true`, you can also make the frameless
@@ -186,3 +217,5 @@ behave correctly on all platforms you should never use a custom context menu on
 draggable areas.
 
 [ignore-mouse-events]: browser-window.md#winsetignoremouseeventsignore-options
+[overlay-javascript-apis]: https://github.com/WICG/window-controls-overlay/blob/main/explainer.md#javascript-apis
+[overlay-css-env-vars]: https://github.com/WICG/window-controls-overlay/blob/main/explainer.md#css-environment-variables

docs/api/session.md

@@ -506,6 +506,7 @@ win.webContents.session.setCertificateVerifyProc((request, callback) => {
     * `permissionGranted` Boolean - Allow or deny the permission.
   * `details` Object - Some properties are only available on certain permission types.
     * `externalURL` String (optional) - The url of the `openExternal` request.
+    * `securityOrigin` String (optional) - The security origin of the `media` request.
     * `mediaTypes` String[] (optional) - The types of media access being requested, elements can be `video`
       or `audio`
     * `requestingUrl` String - The last URL the requesting frame loaded

docs/api/structures/overlay-options.md

@@ -0,0 +1,4 @@
+# OverlayOptions Object
+
+* `color` String (optional) _Windows_ - The CSS color of the Window Controls Overlay when enabled. Default is the system color.
+* `symbolColor` String (optional) _Windows_ - The CSS color of the symbols on the Window Controls Overlay when enabled. Default is the system color.

docs/api/web-contents.md

@@ -45,6 +45,26 @@ returns `null`.
 Returns `WebContents` | undefined - A WebContents instance with the given ID, or
 `undefined` if there is no WebContents associated with the given ID.
 
+### `webContents.fromDevToolsTargetId(targetId)`
+
+* `targetId` String - The Chrome DevTools Protocol [TargetID](https://chromedevtools.github.io/devtools-protocol/tot/Target/#type-TargetID) associated with the WebContents instance.
+
+Returns `WebContents` | undefined - A WebContents instance with the given TargetID, or
+`undefined` if there is no WebContents associated with the given TargetID.
+
+When communicating with the [Chrome DevTools Protocol](https://chromedevtools.github.io/devtools-protocol/),
+it can be useful to lookup a WebContents instance based on its assigned TargetID.
+
+```js
+async function lookupTargetId (browserWindow) {
+  const wc = browserWindow.webContents
+  await wc.debugger.attach('1.3')
+  const { targetInfo } = await wc.debugger.sendCommand('Target.getTargetInfo')
+  const { targetId } = targetInfo
+  const targetWebContents = await webContents.fromDevToolsTargetId(targetId)
+}
+```
+
 ## Class: WebContents
 
 > Render and control the contents of a BrowserWindow instance.

docs/api/webview-tag.md

@@ -151,12 +151,16 @@ browser plugins. Plugins are disabled by default.
 ### `preload`
 
 ```html
+<!-- from a file -->
 <webview src="https://www.github.com/" preload="./test.js"></webview>
+<!-- or if you want to load from an asar archive -->
+<webview src="https://www.github.com/" preload="./app.asar/test.js"></webview>
 ```
 
 A `String` that specifies a script that will be loaded before other scripts run in the guest
-page. The protocol of script's URL must be either `file:` or `asar:`, because it
-will be loaded by `require` in guest page under the hood.
+page. The protocol of script's URL must be `file:` (even when using `asar:` archives) because
+it will be loaded by Node's `require` under the hood, which treats `asar:` archives as virtual
+directories.
 
 When the guest page doesn't have node integration this script will still have
 access to all Node APIs, but global objects injected by Node will be deleted
@@ -1000,3 +1004,78 @@ Emitted when DevTools is focused / opened.
 
 [runtime-enabled-features]: https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/runtime_enabled_features.json5?l=70
 [chrome-webview]: https://developer.chrome.com/docs/extensions/reference/webviewTag/
+
+### Event: 'context-menu'
+
+Returns:
+
+* `params` Object
+  * `x` Integer - x coordinate.
+  * `y` Integer - y coordinate.
+  * `linkURL` String - URL of the link that encloses the node the context menu
+    was invoked on.
+  * `linkText` String - Text associated with the link. May be an empty
+    string if the contents of the link are an image.
+  * `pageURL` String - URL of the top level page that the context menu was
+    invoked on.
+  * `frameURL` String - URL of the subframe that the context menu was invoked
+    on.
+  * `srcURL` String - Source URL for the element that the context menu
+    was invoked on. Elements with source URLs are images, audio and video.
+  * `mediaType` String - Type of the node the context menu was invoked on. Can
+    be `none`, `image`, `audio`, `video`, `canvas`, `file` or `plugin`.
+  * `hasImageContents` Boolean - Whether the context menu was invoked on an image
+    which has non-empty contents.
+  * `isEditable` Boolean - Whether the context is editable.
+  * `selectionText` String - Text of the selection that the context menu was
+    invoked on.
+  * `titleText` String - Title text of the selection that the context menu was
+    invoked on.
+  * `altText` String - Alt text of the selection that the context menu was
+    invoked on.
+  * `suggestedFilename` String - Suggested filename to be used when saving file through 'Save
+    Link As' option of context menu.
+  * `selectionRect` [Rectangle](structures/rectangle.md) - Rect representing the coordinates in the document space of the selection.
+  * `selectionStartOffset` Number - Start position of the selection text.
+  * `referrerPolicy` [Referrer](structures/referrer.md) - The referrer policy of the frame on which the menu is invoked.
+  * `misspelledWord` String - The misspelled word under the cursor, if any.
+  * `dictionarySuggestions` String[] - An array of suggested words to show the
+    user to replace the `misspelledWord`.  Only available if there is a misspelled
+    word and spellchecker is enabled.
+  * `frameCharset` String - The character encoding of the frame on which the
+    menu was invoked.
+  * `inputFieldType` String - If the context menu was invoked on an input
+    field, the type of that field. Possible values are `none`, `plainText`,
+    `password`, `other`.
+  * `spellcheckEnabled` Boolean - If the context is editable, whether or not spellchecking is enabled.
+  * `menuSourceType` String - Input source that invoked the context menu.
+    Can be `none`, `mouse`, `keyboard`, `touch`, `touchMenu`, `longPress`, `longTap`, `touchHandle`, `stylus`, `adjustSelection`, or `adjustSelectionReset`.
+  * `mediaFlags` Object - The flags for the media element the context menu was
+    invoked on.
+    * `inError` Boolean - Whether the media element has crashed.
+    * `isPaused` Boolean - Whether the media element is paused.
+    * `isMuted` Boolean - Whether the media element is muted.
+    * `hasAudio` Boolean - Whether the media element has audio.
+    * `isLooping` Boolean - Whether the media element is looping.
+    * `isControlsVisible` Boolean - Whether the media element's controls are
+      visible.
+    * `canToggleControls` Boolean - Whether the media element's controls are
+      toggleable.
+    * `canPrint` Boolean - Whether the media element can be printed.
+    * `canSave` Boolean - Whether or not the media element can be downloaded.
+    * `canShowPictureInPicture` Boolean - Whether the media element can show picture-in-picture.
+    * `isShowingPictureInPicture` Boolean - Whether the media element is currently showing picture-in-picture.
+    * `canRotate` Boolean - Whether the media element can be rotated.
+    * `canLoop` Boolean - Whether the media element can be looped.
+  * `editFlags` Object - These flags indicate whether the renderer believes it
+    is able to perform the corresponding action.
+    * `canUndo` Boolean - Whether the renderer believes it can undo.
+    * `canRedo` Boolean - Whether the renderer believes it can redo.
+    * `canCut` Boolean - Whether the renderer believes it can cut.
+    * `canCopy` Boolean - Whether the renderer believes it can copy.
+    * `canPaste` Boolean - Whether the renderer believes it can paste.
+    * `canDelete` Boolean - Whether the renderer believes it can delete.
+    * `canSelectAll` Boolean - Whether the renderer believes it can select all.
+    * `canEditRichly` Boolean - Whether the renderer believes it can edit text richly.
+
+Emitted when there is a new context menu that needs to be handled.

docs/development/debugging-instructions-macos.md

@@ -26,7 +26,9 @@ you prefer a graphical interface.
 * **.lldbinit**: Create or edit `~/.lldbinit` to allow Chromium code to be properly source-mapped.
 
    ```text
-   command script import ~/electron/src/tools/lldb/lldbinit.py
+   # e.g: ['~/electron/src/tools/lldb']
+   script sys.path[:0] = ['<...path/to/electron/src/tools/lldb>']
+   script import lldbinit
    ```
 
 ## Attaching to and Debugging Electron

docs/tutorial/code-signing.md

@@ -88,14 +88,15 @@ without meaning any harm:
   <dict>
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
     <key>com.apple.security.cs.debugger</key>
     <true/>
   </dict>
 </plist>
 ```
 
+Note that up until Electron 12, the `com.apple.security.cs.allow-unsigned-executable-memory` entitlement was required
+as well. However, it should not be used anymore if it can be avoided.
+
 To see all of this in action, check out Electron Fiddle's source code,
 [especially its `electron-forge` configuration
 file](https://github.com/electron/fiddle/blob/master/forge.config.js).
@@ -165,14 +166,15 @@ without meaning any harm:
   <dict>
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
     <key>com.apple.security.cs.debugger</key>
     <true/>
   </dict>
 </plist>
 ```
 
+Up until Electron 12, the `com.apple.security.cs.allow-unsigned-executable-memory` entitlement was required
+as well. However, it should not be used anymore if it can be avoided.
+
 ## Mac App Store
 
 See the [Mac App Store Guide].

docs/tutorial/process-model.md

@@ -148,7 +148,9 @@ A preload script can be attached to the main process in the `BrowserWindow` cons
 const { BrowserWindow } = require('electron')
 //...
 const win = new BrowserWindow({
-  preload: 'path/to/preload.js'
+  webPreferences: {
+    preload: 'path/to/preload.js'
+  }
 })
 //...
 ```

electron_strings.grdp

@@ -1,5 +1,19 @@
 <?xml version="1.0" encoding="utf-8"?>
 <grit-part>
+  <!-- Windows Caption Buttons -->
+  <message name="IDS_APP_ACCNAME_CLOSE" desc="The accessible name for the Close button.">
+    Close
+  </message>
+  <message name="IDS_APP_ACCNAME_MINIMIZE" desc="The accessible name for the Minimize button.">
+    Minimize
+  </message>
+  <message name="IDS_APP_ACCNAME_MAXIMIZE" desc="The accessible name for the Maximize button.">
+    Maximize
+  </message>
+  <message name="IDS_APP_ACCNAME_RESTORE" desc="The accessible name for the Restore button.">
+    Restore
+  </message>
+
   <!-- Printing Service -->
   <message name="IDS_UTILITY_PROCESS_PRINTING_SERVICE_NAME" desc="The name of the utility process used for printing conversions.">
     Printing Service

filenames.auto.gni

@@ -101,6 +101,7 @@ auto_filenames = {
     "docs/api/structures/new-window-web-contents-event.md",
     "docs/api/structures/notification-action.md",
     "docs/api/structures/notification-response.md",
+    "docs/api/structures/overlay-options.md",
     "docs/api/structures/point.md",
     "docs/api/structures/post-body.md",
     "docs/api/structures/printer-info.md",

filenames.gni

@@ -90,6 +90,10 @@ filenames = {
     "shell/browser/ui/views/electron_views_delegate_win.cc",
     "shell/browser/ui/views/win_frame_view.cc",
     "shell/browser/ui/views/win_frame_view.h",
+    "shell/browser/ui/views/win_caption_button.cc",
+    "shell/browser/ui/views/win_caption_button.h",
+    "shell/browser/ui/views/win_caption_button_container.cc",
+    "shell/browser/ui/views/win_caption_button_container.h",
     "shell/browser/ui/win/dialog_thread.cc",
     "shell/browser/ui/win/dialog_thread.h",
     "shell/browser/ui/win/electron_desktop_native_widget_aura.cc",

lib/browser/api/web-contents.ts

@@ -541,6 +541,9 @@ WebContents.prototype._init = function () {
       ipcMainInternal.emit(channel, event, ...args);
     } else {
       addReplyToEvent(event);
+      if (this.listenerCount('ipc-message-sync') === 0 && ipcMain.listenerCount(channel) === 0) {
+        console.warn(`WebContents #${this.id} called ipcRenderer.sendSync() with '${channel}' channel without listeners.`);
+      }
       this.emit('ipc-message-sync', event, channel, ...args);
       ipcMain.emit(channel, event, ...args);
     }
@@ -723,6 +726,10 @@ export function fromId (id: string) {
   return binding.fromId(id);
 }
 
+export function fromDevToolsTargetId (targetId: string) {
+  return binding.fromDevToolsTargetId(targetId);
+}
+
 export function getFocusedWebContents () {
   let focused = null;
   for (const contents of binding.getAllWebContents()) {

lib/browser/rpc-server.ts

@@ -1,6 +1,6 @@
 import { app } from 'electron/main';
 import type { WebContents } from 'electron/main';
-import { clipboard, nativeImage } from 'electron/common';
+import { clipboard } from 'electron/common';
 import * as fs from 'fs';
 import { ipcMainInternal } from '@electron/internal/browser/ipc-main-internal';
 import * as ipcMainUtils from '@electron/internal/browser/ipc-main-internal-utils';
@@ -37,6 +37,10 @@ ipcMainInternal.handle(IPC_MESSAGES.BROWSER_GET_LAST_WEB_PREFERENCES, function (
   return event.sender.getLastWebPreferences();
 });
 
+ipcMainInternal.handle(IPC_MESSAGES.BROWSER_GET_PROCESS_MEMORY_INFO, function (event) {
+  return event.sender._getProcessMemoryInfo();
+});
+
 // Methods not listed in this set are called directly in the renderer process.
 const allowedClipboardMethods = (() => {
   switch (process.platform) {
@@ -119,7 +123,3 @@ ipcMainInternal.on(IPC_MESSAGES.NAVIGATION_CONTROLLER_LENGTH, function (event) {
 ipcMainInternal.on(IPC_MESSAGES.BROWSER_PRELOAD_ERROR, function (event, preloadPath: string, error: Error) {
   event.sender.emit('preload-error', event, preloadPath, error);
 });
-
-ipcMainInternal.handle(IPC_MESSAGES.NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH, async (_, path: string, size: Electron.Size) => {
-  return typeUtils.serialize(await nativeImage.createThumbnailFromPath(path, size));
-});

lib/common/ipc-messages.ts

@@ -4,6 +4,7 @@ export const enum IPC_MESSAGES {
   BROWSER_PRELOAD_ERROR = 'BROWSER_PRELOAD_ERROR',
   BROWSER_SANDBOX_LOAD = 'BROWSER_SANDBOX_LOAD',
   BROWSER_WINDOW_CLOSE = 'BROWSER_WINDOW_CLOSE',
+  BROWSER_GET_PROCESS_MEMORY_INFO = 'BROWSER_GET_PROCESS_MEMORY_INFO',
 
   GUEST_INSTANCE_VISIBILITY_CHANGE = 'GUEST_INSTANCE_VISIBILITY_CHANGE',
 
@@ -39,5 +40,4 @@ export const enum IPC_MESSAGES {
   INSPECTOR_SELECT_FILE = 'INSPECTOR_SELECT_FILE',
 
   DESKTOP_CAPTURER_GET_SOURCES = 'DESKTOP_CAPTURER_GET_SOURCES',
-  NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH = 'NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH',
 }

lib/renderer/api/native-image.ts

@@ -1,11 +1,3 @@
-import { ipcRendererInternal } from '@electron/internal/renderer/ipc-renderer-internal';
-import { deserialize } from '@electron/internal/common/type-utils';
-import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
-
 const { nativeImage } = process._linkedBinding('electron_common_native_image');
 
-nativeImage.createThumbnailFromPath = async (path: string, size: Electron.Size) => {
-  return deserialize(await ipcRendererInternal.invoke(IPC_MESSAGES.NATIVE_IMAGE_CREATE_THUMBNAIL_FROM_PATH, path, size));
-};
-
 export default nativeImage;

lib/renderer/init.ts

@@ -1,5 +1,6 @@
 import * as path from 'path';
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
+import type * as ipcRendererInternalModule from '@electron/internal/renderer/ipc-renderer-internal';
 
 const Module = require('module');
 
@@ -43,7 +44,7 @@ const v8Util = process._linkedBinding('electron_common_v8_util');
 const contextId = v8Util.getHiddenValue<string>(global, 'contextId');
 Object.defineProperty(process, 'contextId', { enumerable: true, value: contextId });
 
-const { ipcRendererInternal } = require('@electron/internal/renderer/ipc-renderer-internal');
+const { ipcRendererInternal } = require('@electron/internal/renderer/ipc-renderer-internal') as typeof ipcRendererInternalModule;
 const ipcRenderer = require('@electron/internal/renderer/api/ipc-renderer').default;
 
 v8Util.setHiddenValue(global, 'ipcNative', {
@@ -57,6 +58,10 @@ v8Util.setHiddenValue(global, 'ipcNative', {
   }
 });
 
+process.getProcessMemoryInfo = () => {
+  return ipcRendererInternal.invoke<Electron.ProcessMemoryInfo>(IPC_MESSAGES.BROWSER_GET_PROCESS_MEMORY_INFO);
+};
+
 // Use electron module after everything is ready.
 const { webFrameInit } = require('@electron/internal/renderer/web-frame-init');
 webFrameInit();

lib/renderer/security-warnings.ts

@@ -104,10 +104,14 @@ const warnAboutInsecureResources = function () {
     return;
   }
 
+  const isLocal = (url: URL): boolean =>
+    ['localhost', '127.0.0.1', '[::1]', ''].includes(url.hostname);
+  const isInsecure = (url: URL): boolean =>
+    ['http:', 'ftp:'].includes(url.protocol) && !isLocal(url);
+
   const resources = window.performance
     .getEntriesByType('resource')
-    .filter(({ name }) => /^(http|ftp):/gi.test(name || ''))
-    .filter(({ name }) => new URL(name).hostname !== 'localhost')
+    .filter(({ name }) => isInsecure(new URL(name)))
     .map(({ name }) => `- ${name}`)
     .join('\n');
 

lib/sandboxed_renderer/init.ts

@@ -2,6 +2,7 @@
 /* global binding */
 import * as events from 'events';
 import { IPC_MESSAGES } from '@electron/internal/common/ipc-messages';
+import type * as ipcRendererInternalModule from '@electron/internal/renderer/ipc-renderer-internal';
 
 const { EventEmitter } = events;
 
@@ -20,7 +21,7 @@ for (const prop of Object.keys(EventEmitter.prototype) as (keyof typeof process)
 }
 Object.setPrototypeOf(process, EventEmitter.prototype);
 
-const { ipcRendererInternal } = require('@electron/internal/renderer/ipc-renderer-internal');
+const { ipcRendererInternal } = require('@electron/internal/renderer/ipc-renderer-internal') as typeof ipcRendererInternalModule;
 const ipcRendererUtils = require('@electron/internal/renderer/ipc-renderer-internal-utils');
 
 const { preloadScripts, process: processProps } = ipcRendererUtils.invokeSync(IPC_MESSAGES.BROWSER_SANDBOX_LOAD);
@@ -80,6 +81,10 @@ Object.assign(preloadProcess, processProps);
 Object.assign(process, binding.process);
 Object.assign(process, processProps);
 
+process.getProcessMemoryInfo = preloadProcess.getProcessMemoryInfo = () => {
+  return ipcRendererInternal.invoke<Electron.ProcessMemoryInfo>(IPC_MESSAGES.BROWSER_GET_PROCESS_MEMORY_INFO);
+};
+
 Object.defineProperty(preloadProcess, 'noDeprecation', {
   get () {
     return process.noDeprecation;

package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron",
-  "version": "13.2.3",
+  "version": "13.6.1",
   "repository": "https://github.com/electron/electron",
   "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS",
   "devDependencies": {

patches/angle/.patches

@@ -1,2 +1,5 @@
 cherry-pick-d8cb996.patch
 cherry-pick-1fb846c.patch
+cherry-pick-72473550f6ff.patch
+webgl_make_unsuccessful_links_fail_subsequent_draw_calls.patch
+fix_integer_overflow_in_blocklayoutencoder.patch

patches/angle/cherry-pick-72473550f6ff.patch

@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jamie Madill <jmadill@chromium.org>
+Date: Wed, 1 Sep 2021 12:17:26 -0400
+Subject: D3D11: Fix overflow in GenerateInitialTextureData.
+
+Our use of unchecked math was causing OOB accesses with very large
+textures. Unfortunately it's not easy to make a passing test that
+reproduces this OOB access.
+
+Bug: chromium:1241036
+Change-Id: Icd2749f5b3116bb51390ce769fef22c49a11f307
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3136733
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Jamie Madill <jmadill@chromium.org>
+(cherry picked from commit 794b13ce9f874d472729ebd69897bc7ab9340a4b)
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3149277
+Reviewed-by: Jamie Madill <jmadill@chromium.org>
+
+diff --git a/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp b/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp
+index 3915a89de6fd161fa72519d4b9b6e82db68c6c66..6d721bd6e72d21454a868965993d930fe138b58c 100644
+--- a/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp
++++ b/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp
+@@ -2181,28 +2181,35 @@ angle::Result GenerateInitialTextureData(
+     const d3d11::DXGIFormatSize &dxgiFormatInfo =
+         d3d11::GetDXGIFormatSizeInfo(d3dFormatInfo.texFormat);
+ 
+-    unsigned int rowPitch     = dxgiFormatInfo.pixelBytes * width;
+-    unsigned int depthPitch   = rowPitch * height;
+-    unsigned int maxImageSize = depthPitch * depth;
++    using CheckedSize        = angle::CheckedNumeric<size_t>;
++    CheckedSize rowPitch     = CheckedSize(dxgiFormatInfo.pixelBytes) * CheckedSize(width);
++    CheckedSize depthPitch   = rowPitch * CheckedSize(height);
++    CheckedSize maxImageSize = depthPitch * CheckedSize(depth);
++
++    Context11 *context11 = GetImplAs<Context11>(context);
++    ANGLE_CHECK_GL_ALLOC(context11, maxImageSize.IsValid());
+ 
+     angle::MemoryBuffer *scratchBuffer = nullptr;
+-    ANGLE_CHECK_GL_ALLOC(GetImplAs<Context11>(context),
+-                         context->getScratchBuffer(maxImageSize, &scratchBuffer));
++    ANGLE_CHECK_GL_ALLOC(context11,
++                         context->getScratchBuffer(maxImageSize.ValueOrDie(), &scratchBuffer));
+ 
+-    d3dFormatInfo.dataInitializerFunction(width, height, depth, scratchBuffer->data(), rowPitch,
+-                                          depthPitch);
++    d3dFormatInfo.dataInitializerFunction(width, height, depth, scratchBuffer->data(),
++                                          rowPitch.ValueOrDie(), depthPitch.ValueOrDie());
+ 
+     for (unsigned int i = 0; i < mipLevels; i++)
+     {
+         unsigned int mipWidth  = std::max(width >> i, 1U);
+         unsigned int mipHeight = std::max(height >> i, 1U);
+ 
+-        unsigned int mipRowPitch   = dxgiFormatInfo.pixelBytes * mipWidth;
+-        unsigned int mipDepthPitch = mipRowPitch * mipHeight;
++        using CheckedUINT         = angle::CheckedNumeric<UINT>;
++        CheckedUINT mipRowPitch   = CheckedUINT(dxgiFormatInfo.pixelBytes) * CheckedUINT(mipWidth);
++        CheckedUINT mipDepthPitch = mipRowPitch * CheckedUINT(mipHeight);
++
++        ANGLE_CHECK_GL_ALLOC(context11, mipRowPitch.IsValid() && mipDepthPitch.IsValid());
+ 
+         outSubresourceData->at(i).pSysMem          = scratchBuffer->data();
+-        outSubresourceData->at(i).SysMemPitch      = mipRowPitch;
+-        outSubresourceData->at(i).SysMemSlicePitch = mipDepthPitch;
++        outSubresourceData->at(i).SysMemPitch      = mipRowPitch.ValueOrDie();
++        outSubresourceData->at(i).SysMemSlicePitch = mipDepthPitch.ValueOrDie();
+     }
+ 
+     return angle::Result::Continue;

patches/angle/fix_integer_overflow_in_blocklayoutencoder.patch

@@ -0,0 +1,112 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alexis Hetu <sugoi@google.com>
+Date: Wed, 15 Sep 2021 13:40:28 -0400
+Subject: Fix integer overflow in BlockLayoutEncoder
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BlockLayoutEncoder::mCurrentOffset's computation had the
+possibility of causing integer overflows in multiple places,
+so this CL adds CheckedNumeric variables in a number of
+these occurrences in order to prevent integer overflows and
+causing issues.
+
+The issue in this case was an integer overflow causing the
+code in ValidateTypeSizeLimitations.cpp to use an invalid
+result from "layoutEncoder.getCurrentOffset()", which ended
+up compiling a shader which would later cause an OOM error.
+
+Bug: chromium:1248665
+Change-Id: I688d669f21c6dc2957e43bdf91f8f8f08180a6f7
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3163356
+Reviewed-by: Jamie Madill <jmadill@chromium.org>
+Reviewed-by: Kenneth Russell <kbr@chromium.org>
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Alexis Hétu <sugoi@chromium.org>
+(cherry picked from commit 158ef351fc8b827c201e056a8ddba50fd4235671)
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3194392
+
+diff --git a/src/compiler/translator/blocklayout.cpp b/src/compiler/translator/blocklayout.cpp
+index 0539923bc75f5b88228dcb387c8aba4c701edc1b..1e6b143a1e1ee9a127b71685febd36416a8840f6 100644
+--- a/src/compiler/translator/blocklayout.cpp
++++ b/src/compiler/translator/blocklayout.cpp
+@@ -199,6 +199,13 @@ BlockMemberInfo BlockLayoutEncoder::encodeType(GLenum type,
+     return memberInfo;
+ }
+ 
++size_t BlockLayoutEncoder::getCurrentOffset() const
++{
++    angle::base::CheckedNumeric<size_t> checkedOffset(mCurrentOffset);
++    checkedOffset *= kBytesPerComponent;
++    return checkedOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
++}
++
+ size_t BlockLayoutEncoder::getShaderVariableSize(const ShaderVariable &structVar, bool isRowMajor)
+ {
+     size_t currentOffset = mCurrentOffset;
+@@ -226,7 +233,13 @@ size_t BlockLayoutEncoder::GetBlockRegisterElement(const BlockMemberInfo &info)
+ 
+ void BlockLayoutEncoder::align(size_t baseAlignment)
+ {
+-    mCurrentOffset = rx::roundUp<size_t>(mCurrentOffset, baseAlignment);
++    angle::base::CheckedNumeric<size_t> checkedOffset(mCurrentOffset);
++    checkedOffset += baseAlignment;
++    checkedOffset -= 1;
++    angle::base::CheckedNumeric<size_t> checkedAlignmentOffset = checkedOffset;
++    checkedAlignmentOffset %= baseAlignment;
++    checkedOffset -= checkedAlignmentOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
++    mCurrentOffset = checkedOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
+ }
+ 
+ // StubBlockEncoder implementation.
+@@ -289,7 +302,7 @@ void Std140BlockEncoder::getBlockLayoutInfo(GLenum type,
+         baseAlignment              = ComponentAlignment(numComponents);
+     }
+ 
+-    mCurrentOffset = rx::roundUp(mCurrentOffset, baseAlignment);
++    align(baseAlignment);
+ 
+     *matrixStrideOut = matrixStride;
+     *arrayStrideOut  = arrayStride;
+@@ -303,16 +316,23 @@ void Std140BlockEncoder::advanceOffset(GLenum type,
+ {
+     if (!arraySizes.empty())
+     {
+-        mCurrentOffset += arrayStride * gl::ArraySizeProduct(arraySizes);
++        angle::base::CheckedNumeric<size_t> checkedOffset(arrayStride);
++        checkedOffset *= gl::ArraySizeProduct(arraySizes);
++        checkedOffset += mCurrentOffset;
++        mCurrentOffset = checkedOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
+     }
+     else if (gl::IsMatrixType(type))
+     {
+-        const int numRegisters = gl::MatrixRegisterCount(type, isRowMajorMatrix);
+-        mCurrentOffset += matrixStride * numRegisters;
++        angle::base::CheckedNumeric<size_t> checkedOffset(matrixStride);
++        checkedOffset *= gl::MatrixRegisterCount(type, isRowMajorMatrix);
++        checkedOffset += mCurrentOffset;
++        mCurrentOffset = checkedOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
+     }
+     else
+     {
+-        mCurrentOffset += gl::VariableComponentCount(type);
++        angle::base::CheckedNumeric<size_t> checkedOffset(mCurrentOffset);
++        checkedOffset += gl::VariableComponentCount(type);
++        mCurrentOffset = checkedOffset.ValueOrDefault(std::numeric_limits<size_t>::max());
+     }
+ }
+ 
+diff --git a/src/compiler/translator/blocklayout.h b/src/compiler/translator/blocklayout.h
+index 726d76fa178f77a978ff2c82ec20fb8f1ad03f0b..ff90a2487830b365697ce41d660a689857b75319 100644
+--- a/src/compiler/translator/blocklayout.h
++++ b/src/compiler/translator/blocklayout.h
+@@ -80,7 +80,7 @@ class BlockLayoutEncoder
+                                const std::vector<unsigned int> &arraySizes,
+                                bool isRowMajorMatrix);
+ 
+-    size_t getCurrentOffset() const { return mCurrentOffset * kBytesPerComponent; }
++    size_t getCurrentOffset() const;
+     size_t getShaderVariableSize(const ShaderVariable &structVar, bool isRowMajor);
+ 
+     // Called when entering/exiting a structure variable.

patches/angle/webgl_make_unsuccessful_links_fail_subsequent_draw_calls.patch

@@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jamie Madill <jmadill@chromium.org>
+Date: Fri, 3 Sep 2021 09:34:10 -0400
+Subject: WebGL: Make unsuccessful links fail subsequent draw calls.
+
+This protects against incomplete state updates during a failed
+link call that can interfere with draw calls.
+
+Bug: angleproject:6358
+Bug: chromium:1241123
+Change-Id: Ie892654c3a58c69d6e35ba3c41758ab6269d8193
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3140496
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Yuly Novikov <ynovikov@chromium.org>
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/3152556
+Reviewed-by: Jamie Madill <jmadill@chromium.org>
+
+diff --git a/src/libANGLE/validationES.cpp b/src/libANGLE/validationES.cpp
+index 412b9aa0f1d75c40ce02522589c53e943d049228..7826233f206b2ae7b926cd2564c887c726b79930 100644
+--- a/src/libANGLE/validationES.cpp
++++ b/src/libANGLE/validationES.cpp
+@@ -3958,6 +3958,12 @@ const char *ValidateDrawStates(const Context *context)
+             {
+                 return kVertexBufferBoundForTransformFeedback;
+             }
++
++            // Validate that we are rendering with a linked program.
++            if (!program->isLinked())
++            {
++                return kProgramNotLinked;
++            }
+         }
+     }
+ 

patches/chromium/.patches

@@ -125,3 +125,40 @@ cherry-pick-ac9dc1235e28.patch
 cherry-pick-4ce2abc17078.patch
 cherry-pick-e2123a8e0943.patch
 cherry-pick-1227933.patch
+cherry-pick-1230767.patch
+cherry-pick-1231134.patch
+cherry-pick-1233564.patch
+cherry-pick-1234009.patch
+fix_media_key_usage_with_globalshortcuts.patch
+attach_to_correct_frame_in.patch
+merge_m92_speculative_fix_for_crash_in.patch
+cherry-pick-d727013bb543.patch
+pa_make_getusablesize_handle_nullptr_gracefully.patch
+dpwas_window_control_overlay_api_values_account_for_page_zoom_factor.patch
+reland_make_clientview_a_child_of_the_nonclientframeview.patch
+content-visibility_force_range_base_extent_when_computing_visual.patch
+cherry-pick-6215793f008f.patch
+cherry-pick-6048fcd52f42.patch
+contentindex_add_origin_checks_to_mojo_methods.patch
+m93_indexeddb_add_browser-side_checks_for_committing_transactions.patch
+m93_indexeddb_don_t_reportbadmessage_for_commit_calls.patch
+cherry-pick-8623d711677d.patch
+cherry-pick-ddc4cf156505.patch
+skip_webgl_conformance_programs_program-test_html_on_all_platforms.patch
+linux_sandbox_update_syscall_numbers_for_all_platforms.patch
+linux_sandbox_return_enosys_for_clone3.patch
+content-visibility_add_a_clipper_fix_for_content-visibility.patch
+kill_a_renderer_if_it_provides_an_unexpected_frameownerelementtype.patch
+m90-lts_backgroundfetch_check_whether_the_sw_id_is_valid_for.patch
+cherry-pick-096afc1c5428.patch
+cherry-pick-4e528a5a8d83.patch
+cherry-pick-3a5bafa35def.patch
+cherry-pick-b2c4e4dc21e5.patch
+check_direction_of_rtcencodedframes.patch
+cherry-pick-6a8a2098f9fa.patch
+speculative_fix_for_eye_dropper_getcolor_crash.patch
+mas_gate_private_enterprise_APIs
+cherry-pick-c69dddfe1cde.patch
+cherry-pick-8af66de55aad.patch
+move_networkstateobserver_from_document_to_window.patch
+cherry-pick-0894af410c4e.patch

patches/chromium/attach_to_correct_frame_in.patch

@@ -0,0 +1,353 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin McNee <mcnee@chromium.org>
+Date: Fri, 4 Jun 2021 22:52:55 +0000
+Subject: Attach to correct frame in
+ WebContentsImplBrowserTest.AttachNestedInnerWebContents
+
+This test attempts to attach an inner contents at the outer contents'
+main frame which is incorrect. This appears to have been done for
+testing convenience rather than being part of the repro case based on
+the comments on the CL that introduced it [1]. Indeed, the inner
+contents don't render with the test as is.
+
+We adjust the test, enforce the assumption of a subframe in
+|AttachInnerWebContents|, and remove a bail-out from a
+WebContentsObserver that was confused by this.
+
+Furthermore, in the corrected version of the test, we experience a bad
+cast on Mac and Android, but not Aura, as replacing the platform
+WebContentsView does not necessarily destroy the platform
+RenderWidgetHostView which is later assumed to be a
+RenderWidgetHostViewChildFrame. We now perform that destruction if
+needed.
+
+[1] https://chromium-review.googlesource.com/c/chromium/src/+/1498458/6#message-c6af19c82b27d707044a5c1cbbecf48f491bc1bd
+
+Bug: 1133361, 1208438, 1216595
+Change-Id: I4de002ab25726f1c05044c764156b69a15bdde41
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2895924
+Commit-Queue: Kevin McNee <mcnee@chromium.org>
+Reviewed-by: Chris Hamilton <chrisha@chromium.org>
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Reviewed-by: W. James MacLean <wjmaclean@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#889495}
+
+diff --git a/components/performance_manager/performance_manager_tab_helper.cc b/components/performance_manager/performance_manager_tab_helper.cc
+index 7b2672713e705060ea3d2100492f29d6aa4ad35b..7463423c065e0b74b65b41c2bcf80e9b2025d574 100644
+--- a/components/performance_manager/performance_manager_tab_helper.cc
++++ b/components/performance_manager/performance_manager_tab_helper.cc
+@@ -394,16 +394,7 @@ void PerformanceManagerTabHelper::InnerWebContentsAttached(
+     // severed.
+   }
+   DCHECK_NE(PageNode::OpenedType::kInvalid, opened_type);
+-  if (!frame) {
+-    DCHECK(!render_frame_host->IsRenderFrameCreated());
+-    DCHECK(!inner_web_contents->IsPortal());
+-    // TODO(crbug.com/1133361):
+-    // WebContentsImplBrowserTest.AttachNestedInnerWebContents calls
+-    // WebContents::AttachInnerWebContents without creating RenderFrame.
+-    // Removing this conditional once either the test is fixed or this function
+-    // is adjusted to handle the case without the render frame.
+-    return;
+-  }
++  DCHECK(frame);
+ 
+   PerformanceManagerImpl::CallOnGraphImpl(
+       FROM_HERE, base::BindOnce(&PageNodeImpl::SetOpenerFrameNodeAndOpenedType,
+diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
+index 4af3384ebbd000926a1f7606511fd6b94dc8aabe..29571b8ab59518fe93e35c1cc7f113e65ed39420 100644
+--- a/content/browser/renderer_host/render_frame_host_impl.cc
++++ b/content/browser/renderer_host/render_frame_host_impl.cc
+@@ -5714,11 +5714,10 @@ void RenderFrameHostImpl::AdoptPortal(const blink::PortalToken& portal_token,
+ 
+   // |frame_sink_id| should be set to the associated frame. See
+   // https://crbug.com/966119 for details.
+-  viz::FrameSinkId frame_sink_id =
+-      static_cast<RenderWidgetHostViewBase*>(proxy_host->frame_tree_node()
+-                                                 ->render_manager()
+-                                                 ->GetRenderWidgetHostView())
+-          ->GetFrameSinkId();
++  viz::FrameSinkId frame_sink_id = proxy_host->frame_tree_node()
++                                       ->render_manager()
++                                       ->GetRenderWidgetHostView()
++                                       ->GetFrameSinkId();
+   proxy_host->GetAssociatedRemoteFrame()->SetFrameSinkId(frame_sink_id);
+ 
+   std::move(callback).Run(
+diff --git a/content/browser/renderer_host/render_frame_host_manager.cc b/content/browser/renderer_host/render_frame_host_manager.cc
+index 74f9fe3a0a0de20d48bc8b2d397109381ea66481..ce524db677e36ca60f3f9be5493d974975eb82c5 100644
+--- a/content/browser/renderer_host/render_frame_host_manager.cc
++++ b/content/browser/renderer_host/render_frame_host_manager.cc
+@@ -43,6 +43,8 @@
+ #include "content/browser/renderer_host/render_view_host_factory.h"
+ #include "content/browser/renderer_host/render_view_host_impl.h"
+ #include "content/browser/renderer_host/render_widget_host_impl.h"
++#include "content/browser/renderer_host/render_widget_host_view_base.h"
++#include "content/browser/renderer_host/render_widget_host_view_child_frame.h"
+ #include "content/browser/site_instance_impl.h"
+ #include "content/browser/webui/web_ui_controller_factory_registry.h"
+ #include "content/common/content_navigation_policy.h"
+@@ -282,9 +284,11 @@ void RenderFrameHostManager::InitChild(
+       /*renderer_initiated_creation=*/false));
+ }
+ 
+-RenderWidgetHostView* RenderFrameHostManager::GetRenderWidgetHostView() const {
++RenderWidgetHostViewBase* RenderFrameHostManager::GetRenderWidgetHostView()
++    const {
+   if (render_frame_host_)
+-    return render_frame_host_->GetView();
++    return static_cast<RenderWidgetHostViewBase*>(
++        render_frame_host_->GetView());
+   return nullptr;
+ }
+ 
+@@ -2793,8 +2797,9 @@ void RenderFrameHostManager::SwapOuterDelegateFrame(
+ }
+ 
+ void RenderFrameHostManager::SetRWHViewForInnerContents(
+-    RenderWidgetHostView* child_rwhv) {
++    RenderWidgetHostViewChildFrame* child_rwhv) {
+   DCHECK(IsMainFrameForInnerDelegate());
++  DCHECK(GetProxyToOuterDelegate());
+   GetProxyToOuterDelegate()->SetChildRWHView(child_rwhv, nullptr);
+ }
+ 
+@@ -3400,8 +3405,11 @@ void RenderFrameHostManager::CommitPending(
+   // Note: We do this after unloading the old RFH because that may create
+   // the proxy we're looking for.
+   RenderFrameProxyHost* proxy_to_parent = GetProxyToParent();
+-  if (proxy_to_parent)
+-    proxy_to_parent->SetChildRWHView(new_view, old_size ? &*old_size : nullptr);
++  if (proxy_to_parent) {
++    proxy_to_parent->SetChildRWHView(
++        static_cast<RenderWidgetHostViewChildFrame*>(new_view),
++        old_size ? &*old_size : nullptr);
++  }
+ 
+   if (render_frame_host_->is_local_root()) {
+     // RenderFrames are created with a hidden RenderWidgetHost. When navigation
+diff --git a/content/browser/renderer_host/render_frame_host_manager.h b/content/browser/renderer_host/render_frame_host_manager.h
+index f4ff686226002e926190829a192993cb92ed0a3e..6ca00c16ac6031bb0357cf8a43e6b77e63455807 100644
+--- a/content/browser/renderer_host/render_frame_host_manager.h
++++ b/content/browser/renderer_host/render_frame_host_manager.h
+@@ -44,7 +44,8 @@ class RenderFrameHostManagerTest;
+ class RenderFrameProxyHost;
+ class RenderViewHost;
+ class RenderViewHostImpl;
+-class RenderWidgetHostView;
++class RenderWidgetHostViewBase;
++class RenderWidgetHostViewChildFrame;
+ class TestWebContents;
+ 
+ using PageBroadcastMethodCallback =
+@@ -196,7 +197,7 @@ class CONTENT_EXPORT RenderFrameHostManager
+ 
+   // Returns the view associated with the current RenderViewHost, or null if
+   // there is no current one.
+-  RenderWidgetHostView* GetRenderWidgetHostView() const;
++  RenderWidgetHostViewBase* GetRenderWidgetHostView() const;
+ 
+   // Returns whether this manager is a main frame and belongs to a FrameTreeNode
+   // that belongs to an inner WebContents.
+@@ -453,7 +454,7 @@ class CONTENT_EXPORT RenderFrameHostManager
+ 
+   // Sets the child RenderWidgetHostView for this frame, which must be part of
+   // an inner WebContents.
+-  void SetRWHViewForInnerContents(RenderWidgetHostView* child_rwhv);
++  void SetRWHViewForInnerContents(RenderWidgetHostViewChildFrame* child_rwhv);
+ 
+   // Returns the number of RenderFrameProxyHosts for this frame.
+   size_t GetProxyCount();
+diff --git a/content/browser/renderer_host/render_frame_proxy_host.cc b/content/browser/renderer_host/render_frame_proxy_host.cc
+index 54fa3b7a788de7f80a096badeac11a2b6f9b9771..343ea5e1821f55cdea16ae93a055302016d2198f 100644
+--- a/content/browser/renderer_host/render_frame_proxy_host.cc
++++ b/content/browser/renderer_host/render_frame_proxy_host.cc
+@@ -214,10 +214,9 @@ RenderFrameProxyHost::~RenderFrameProxyHost() {
+ }
+ 
+ void RenderFrameProxyHost::SetChildRWHView(
+-    RenderWidgetHostView* view,
++    RenderWidgetHostViewChildFrame* view,
+     const gfx::Size* initial_frame_size) {
+-  cross_process_frame_connector_->SetView(
+-      static_cast<RenderWidgetHostViewChildFrame*>(view));
++  cross_process_frame_connector_->SetView(view);
+   if (initial_frame_size)
+     cross_process_frame_connector_->SetLocalFrameSize(*initial_frame_size);
+ }
+@@ -226,13 +225,6 @@ RenderViewHostImpl* RenderFrameProxyHost::GetRenderViewHost() {
+   return render_view_host_.get();
+ }
+ 
+-RenderWidgetHostView* RenderFrameProxyHost::GetRenderWidgetHostView() {
+-  return frame_tree_node_->parent()
+-      ->frame_tree_node()
+-      ->render_manager()
+-      ->GetRenderWidgetHostView();
+-}
+-
+ bool RenderFrameProxyHost::Send(IPC::Message* msg) {
+   return GetAgentSchedulingGroup().Send(msg);
+ }
+diff --git a/content/browser/renderer_host/render_frame_proxy_host.h b/content/browser/renderer_host/render_frame_proxy_host.h
+index cd6c90f3b7f77de0df9de1228628cde8c4333b98..e414a1665d43cc773850b23b6fcd568f9baa494a 100644
+--- a/content/browser/renderer_host/render_frame_proxy_host.h
++++ b/content/browser/renderer_host/render_frame_proxy_host.h
+@@ -36,7 +36,7 @@ class CrossProcessFrameConnector;
+ class FrameTreeNode;
+ class RenderProcessHost;
+ class RenderViewHostImpl;
+-class RenderWidgetHostView;
++class RenderWidgetHostViewChildFrame;
+ 
+ // When a page's frames are rendered by multiple processes, each renderer has a
+ // full copy of the frame tree. It has full RenderFrames for the frames it is
+@@ -121,11 +121,10 @@ class CONTENT_EXPORT RenderFrameProxyHost
+   // the child frame will wait until the CrossProcessFrameConnector
+   // receives its size from the parent via FrameHostMsg_UpdateResizeParams
+   // before it begins parsing the content.
+-  void SetChildRWHView(RenderWidgetHostView* view,
++  void SetChildRWHView(RenderWidgetHostViewChildFrame* view,
+                        const gfx::Size* initial_frame_size);
+ 
+   RenderViewHostImpl* GetRenderViewHost();
+-  RenderWidgetHostView* GetRenderWidgetHostView();
+ 
+   // IPC::Sender
+   bool Send(IPC::Message* msg) override;
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index 14eadcb063b2b9d4734db3d6160f320ab26ffe04..ca51a8a45570fafc0dfe2b400cbb7172a9be632d 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
++++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -2164,6 +2164,7 @@ void WebContentsImpl::AttachInnerWebContents(
+   auto* render_frame_host_impl =
+       static_cast<RenderFrameHostImpl*>(render_frame_host);
+   DCHECK_EQ(&frame_tree_, render_frame_host_impl->frame_tree());
++  DCHECK(render_frame_host_impl->GetParent());
+ 
+   // Mark |render_frame_host_impl| as outer delegate frame.
+   render_frame_host_impl->SetIsOuterDelegateFrame(true);
+@@ -2184,6 +2185,16 @@ void WebContentsImpl::AttachInnerWebContents(
+       GetContentClient()->browser()->GetWebContentsViewDelegate(
+           inner_web_contents_impl),
+       &inner_web_contents_impl->render_view_host_delegate_view_);
++  // On platforms where destroying the WebContents' view does not also destroy
++  // the platform RenderWidgetHostView, we need to destroy it if it exists.
++  // TODO(mcnee): Should all platforms' WebContentsView destroy the platform
++  // RWHV?
++  if (RenderWidgetHostViewBase* prev_rwhv =
++          inner_render_manager->GetRenderWidgetHostView()) {
++    if (!prev_rwhv->IsRenderWidgetHostViewChildFrame()) {
++      prev_rwhv->Destroy();
++    }
++  }
+ 
+   // When the WebContents being initialized has an opener, the  browser side
+   // Render{View,Frame}Host must be initialized and the RenderWidgetHostView
+@@ -2330,8 +2341,11 @@ void WebContentsImpl::ReattachToOuterWebContentsFrame() {
+   auto* render_manager = GetRenderManager();
+   auto* parent_frame =
+       node_.OuterContentsFrameTreeNode()->current_frame_host()->GetParent();
++  auto* child_rwhv = render_manager->GetRenderWidgetHostView();
++  DCHECK(child_rwhv);
++  DCHECK(child_rwhv->IsRenderWidgetHostViewChildFrame());
+   render_manager->SetRWHViewForInnerContents(
+-      render_manager->GetRenderWidgetHostView());
++      static_cast<RenderWidgetHostViewChildFrame*>(child_rwhv));
+ 
+   RecursivelyRegisterFrameSinkIds();
+ 
+diff --git a/content/browser/web_contents/web_contents_impl_browsertest.cc b/content/browser/web_contents/web_contents_impl_browsertest.cc
+index cd32d333d2810fde1fc25c80b2bc443b04568c8d..2e75cbf168dbfa48d9f094ed84398197fd0487aa 100644
+--- a/content/browser/web_contents/web_contents_impl_browsertest.cc
++++ b/content/browser/web_contents/web_contents_impl_browsertest.cc
+@@ -3550,44 +3550,70 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, SetVisibilityBeforeLoad) {
+ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,
+                        AttachNestedInnerWebContents) {
+   ASSERT_TRUE(embedded_test_server()->Start());
+-  GURL main_url(embedded_test_server()->GetURL(
++  const GURL url_a(embedded_test_server()->GetURL(
+       "a.com", "/cross_site_iframe_factory.html?a(a)"));
+-  EXPECT_TRUE(NavigateToURL(shell(), main_url));
+-
++  const GURL url_b(embedded_test_server()->GetURL(
++      "b.com", "/cross_site_iframe_factory.html?b(b)"));
++  ASSERT_TRUE(NavigateToURL(shell(), url_a));
+   auto* root_web_contents =
+       static_cast<WebContentsImpl*>(shell()->web_contents());
+-  FrameTreeNode* root = root_web_contents->GetFrameTree()->root();
+-  ASSERT_EQ(1u, root->child_count());
+-  FrameTreeNode* child_to_replace = root->child_at(0);
+-  auto* child_to_replace_rfh = child_to_replace->current_frame_host();
+ 
++  // Create a child WebContents but don't attach it to the root contents yet.
+   WebContents::CreateParams inner_params(
+       root_web_contents->GetBrowserContext());
+-
+   std::unique_ptr<WebContents> child_contents_ptr =
+       WebContents::Create(inner_params);
+-  auto* child_rfh =
+-      static_cast<RenderFrameHostImpl*>(child_contents_ptr->GetMainFrame());
++  WebContents* child_contents = child_contents_ptr.get();
++  // Navigate the child to a page with a subframe, at which we will attach the
++  // grandchild.
++  ASSERT_TRUE(NavigateToURL(child_contents, url_b));
+ 
++  // Create and attach grandchild to child.
+   std::unique_ptr<WebContents> grandchild_contents_ptr =
+       WebContents::Create(inner_params);
+-
+-  // Attach grandchild to child.
+-  child_contents_ptr->AttachInnerWebContents(
+-      std::move(grandchild_contents_ptr), child_rfh, false /* is_full_page */);
++  WebContents* grandchild_contents = grandchild_contents_ptr.get();
++  RenderFrameHost* child_contents_subframe =
++      ChildFrameAt(child_contents->GetMainFrame(), 0);
++  ASSERT_TRUE(child_contents_subframe);
++  child_contents->AttachInnerWebContents(std::move(grandchild_contents_ptr),
++                                         child_contents_subframe,
++                                         false /* is_full_page */);
+ 
+   // At this point the child hasn't been attached to the root.
+-  EXPECT_EQ(1U, root_web_contents->GetInputEventRouter()
+-                    ->RegisteredViewCountForTesting());
++  {
++    auto* root_view = static_cast<RenderWidgetHostViewBase*>(
++        root_web_contents->GetRenderWidgetHostView());
++    ASSERT_TRUE(root_view);
++    auto* root_event_router = root_web_contents->GetInputEventRouter();
++    EXPECT_EQ(1U, root_event_router->RegisteredViewCountForTesting());
++    EXPECT_TRUE(root_event_router->IsViewInMap(root_view));
++  }
+ 
+   // Attach child+grandchild subtree to root.
++  RenderFrameHost* root_contents_subframe =
++      ChildFrameAt(root_web_contents->GetMainFrame(), 0);
++  ASSERT_TRUE(root_contents_subframe);
+   root_web_contents->AttachInnerWebContents(std::move(child_contents_ptr),
+-                                            child_to_replace_rfh,
++                                            root_contents_subframe,
+                                             false /* is_full_page */);
+ 
+   // Verify views registered for both child and grandchild.
+-  EXPECT_EQ(3U, root_web_contents->GetInputEventRouter()
+-                    ->RegisteredViewCountForTesting());
++  {
++    auto* root_view = static_cast<RenderWidgetHostViewBase*>(
++        root_web_contents->GetRenderWidgetHostView());
++    auto* child_view = static_cast<RenderWidgetHostViewBase*>(
++        child_contents->GetRenderWidgetHostView());
++    auto* grandchild_view = static_cast<RenderWidgetHostViewBase*>(
++        grandchild_contents->GetRenderWidgetHostView());
++    ASSERT_TRUE(root_view);
++    ASSERT_TRUE(child_view);
++    ASSERT_TRUE(grandchild_view);
++    auto* root_event_router = root_web_contents->GetInputEventRouter();
++    EXPECT_EQ(3U, root_event_router->RegisteredViewCountForTesting());
++    EXPECT_TRUE(root_event_router->IsViewInMap(root_view));
++    EXPECT_TRUE(root_event_router->IsViewInMap(child_view));
++    EXPECT_TRUE(root_event_router->IsViewInMap(grandchild_view));
++  }
+ }
+ 
+ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,

patches/chromium/check_direction_of_rtcencodedframes.patch

@@ -0,0 +1,174 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Herre <toprice@chromium.org>
+Date: Fri, 1 Oct 2021 19:18:45 +0000
+Subject: Check direction of RTCEncodedFrames
+
+Add a check to RTCEncodedVideoUnderlyingSink of the direction of the
+underlying webrtc frame, to make sure a web app doesn't take a received
+encoded frame and pass it into a sender insertable stream, which is as
+yet unsupported in WebRTC.
+
+Bug: 1247260
+Change-Id: I9ed5bd8b2bd5e5ee461f3b553f8a91f6cc2e9ed7
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3190473
+Commit-Queue: Tony Herre <toprice@chromium.org>
+Reviewed-by: Harald Alvestrand <hta@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#927323}
+
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.cc b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.cc
+index c390ab72418194cb10c3b0bc5a83b95de8dd19f6..775b837fee46836fd292b17ac8d80e4c83bd08a8 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.cc
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.cc
+@@ -14,8 +14,10 @@ namespace blink {
+ 
+ RTCEncodedVideoUnderlyingSink::RTCEncodedVideoUnderlyingSink(
+     ScriptState* script_state,
+-    TransformerCallback transformer_callback)
+-    : transformer_callback_(std::move(transformer_callback)) {
++    TransformerCallback transformer_callback,
++    webrtc::TransformableFrameInterface::Direction expected_direction)
++    : transformer_callback_(std::move(transformer_callback)),
++      expected_direction_(expected_direction) {
+   DCHECK(transformer_callback_);
+ }
+ 
+@@ -53,6 +55,12 @@ ScriptPromise RTCEncodedVideoUnderlyingSink::write(
+     return ScriptPromise();
+   }
+ 
++  if (webrtc_frame->GetDirection() != expected_direction_) {
++    exception_state.ThrowDOMException(DOMExceptionCode::kOperationError,
++                                      "Invalid frame");
++    return ScriptPromise();
++  }
++
+   RTCEncodedVideoStreamTransformer* transformer = transformer_callback_.Run();
+   if (!transformer) {
+     exception_state.ThrowDOMException(DOMExceptionCode::kInvalidStateError,
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.h b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.h
+index dd1cad227eb7947dd0bf2ec7ba217956cb7a8787..8591fcc6eb1c78d0e107e4f097d3133d111ab959 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.h
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink.h
+@@ -7,6 +7,7 @@
+ 
+ #include "third_party/blink/renderer/core/streams/underlying_sink_base.h"
+ #include "third_party/blink/renderer/modules/modules_export.h"
++#include "third_party/webrtc/api/frame_transformer_interface.h"
+ 
+ namespace blink {
+ 
+@@ -18,7 +19,9 @@ class MODULES_EXPORT RTCEncodedVideoUnderlyingSink final
+  public:
+   using TransformerCallback =
+       base::RepeatingCallback<RTCEncodedVideoStreamTransformer*()>;
+-  RTCEncodedVideoUnderlyingSink(ScriptState*, TransformerCallback);
++  RTCEncodedVideoUnderlyingSink(ScriptState*,
++                                TransformerCallback,
++                                webrtc::TransformableFrameInterface::Direction);
+ 
+   // UnderlyingSinkBase
+   ScriptPromise start(ScriptState*,
+@@ -37,6 +40,7 @@ class MODULES_EXPORT RTCEncodedVideoUnderlyingSink final
+ 
+  private:
+   TransformerCallback transformer_callback_;
++  webrtc::TransformableFrameInterface::Direction expected_direction_;
+ };
+ 
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink_test.cc b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink_test.cc
+index 3f6d24941ad7a9e5c16f11bcdcffa91b2027c0db..9837fb0be84633c88fcf451cec8c276ca6e7c17c 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink_test.cc
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_sink_test.cc
+@@ -75,11 +75,15 @@ class RTCEncodedVideoUnderlyingSinkTest : public testing::Test {
+     EXPECT_FALSE(transformer_.HasTransformedFrameSinkCallback(kSSRC));
+   }
+ 
+-  RTCEncodedVideoUnderlyingSink* CreateSink(ScriptState* script_state) {
++  RTCEncodedVideoUnderlyingSink* CreateSink(
++      ScriptState* script_state,
++      webrtc::TransformableFrameInterface::Direction expected_direction =
++          webrtc::TransformableFrameInterface::Direction::kSender) {
+     return MakeGarbageCollected<RTCEncodedVideoUnderlyingSink>(
+         script_state,
+         WTF::BindRepeating(&RTCEncodedVideoUnderlyingSinkTest::GetTransformer,
+-                           WTF::Unretained(this)));
++                           WTF::Unretained(this)),
++        expected_direction);
+   }
+ 
+   RTCEncodedVideoUnderlyingSink* CreateNullCallbackSink(
+@@ -87,15 +91,21 @@ class RTCEncodedVideoUnderlyingSinkTest : public testing::Test {
+     return MakeGarbageCollected<RTCEncodedVideoUnderlyingSink>(
+         script_state,
+         WTF::BindRepeating(
+-            []() -> RTCEncodedVideoStreamTransformer* { return nullptr; }));
++            []() -> RTCEncodedVideoStreamTransformer* { return nullptr; }),
++        webrtc::TransformableFrameInterface::Direction::kSender);
+   }
+ 
+   RTCEncodedVideoStreamTransformer* GetTransformer() { return &transformer_; }
+ 
+-  ScriptValue CreateEncodedVideoFrameChunk(ScriptState* script_state) {
++  ScriptValue CreateEncodedVideoFrameChunk(
++      ScriptState* script_state,
++      webrtc::TransformableFrameInterface::Direction direction =
++          webrtc::TransformableFrameInterface::Direction::kSender) {
+     auto mock_frame =
+         std::make_unique<NiceMock<webrtc::MockTransformableVideoFrame>>();
++
+     ON_CALL(*mock_frame.get(), GetSsrc).WillByDefault(Return(kSSRC));
++    ON_CALL(*mock_frame.get(), GetDirection).WillByDefault(Return(direction));
+     RTCEncodedVideoFrame* frame =
+         MakeGarbageCollected<RTCEncodedVideoFrame>(std::move(mock_frame));
+     return ScriptValue(script_state->GetIsolate(),
+@@ -176,4 +186,21 @@ TEST_F(RTCEncodedVideoUnderlyingSinkTest, WriteToNullCallbackSinkFails) {
+                              DOMExceptionCode::kInvalidStateError));
+ }
+ 
++TEST_F(RTCEncodedVideoUnderlyingSinkTest, WriteInvalidDirectionFails) {
++  V8TestingScope v8_scope;
++  ScriptState* script_state = v8_scope.GetScriptState();
++  auto* sink = CreateSink(
++      script_state, webrtc::TransformableFrameInterface::Direction::kSender);
++
++  // Write an encoded chunk with direction set to Receiver should fail as it
++  // doesn't match the expected direction of our sink.
++  DummyExceptionStateForTesting dummy_exception_state;
++  sink->write(script_state,
++              CreateEncodedVideoFrameChunk(
++                  script_state,
++                  webrtc::TransformableFrameInterface::Direction::kReceiver),
++              nullptr, dummy_exception_state);
++  EXPECT_TRUE(dummy_exception_state.HadException());
++}
++
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_rtp_receiver.cc b/third_party/blink/renderer/modules/peerconnection/rtc_rtp_receiver.cc
+index e654738739e18adc1937922dbb59f7f9214e651e..58cf45c9023510b4615cbebcaa3b3812481a54c3 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_rtp_receiver.cc
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_rtp_receiver.cc
+@@ -506,7 +506,8 @@ void RTCRtpReceiver::InitializeEncodedVideoStreams(ScriptState* script_state) {
+                                       ->GetEncodedVideoStreamTransformer()
+                                 : nullptr;
+               },
+-              WrapWeakPersistent(this)));
++              WrapWeakPersistent(this)),
++          webrtc::TransformableFrameInterface::Direction::kReceiver);
+   // The high water mark for the stream is set to 1 so that the stream seems
+   // ready to write, but without queuing frames.
+   WritableStream* writable_stream =
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender.cc b/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender.cc
+index 20c6325e5e7eb4e47a6324033704430ed53ea3c3..44ed2f520c88b5aa694383c749da57d6681cef9a 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender.cc
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_rtp_sender.cc
+@@ -902,7 +902,8 @@ void RTCRtpSender::InitializeEncodedVideoStreams(ScriptState* script_state) {
+                                     ->GetEncodedVideoStreamTransformer()
+                               : nullptr;
+               },
+-              WrapWeakPersistent(this)));
++              WrapWeakPersistent(this)),
++          webrtc::TransformableFrameInterface::Direction::kSender);
+   // The high water mark for the stream is set to 1 so that the stream is
+   // ready to write, but without queuing frames.
+   WritableStream* writable_stream =

patches/chromium/cherry-pick-0894af410c4e.patch

@@ -0,0 +1,385 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Min Qin <qinmin@chromium.org>
+Date: Tue, 31 Aug 2021 23:03:03 +0000
+Subject: Quarantine save package items that's downloaded from network
+
+Currently quarantine is not performed for save page downloads. This CL
+fixes the issue.
+
+BUG=1243020, 811161
+
+Change-Id: I85d03cc324b0b90a45bd8b3429e4e9eec1aaf857
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3126709
+Reviewed-by: Xing Liu <xingliu@chromium.org>
+Commit-Queue: Min Qin <qinmin@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#917013}
+
+diff --git a/chrome/browser/download/save_page_browsertest.cc b/chrome/browser/download/save_page_browsertest.cc
+index b5e3997002f14208e84c0bab2f3fdee17a4962ef..ef21c3d4fc4c425666af4f6fbb6213fa8f79b002 100644
+--- a/chrome/browser/download/save_page_browsertest.cc
++++ b/chrome/browser/download/save_page_browsertest.cc
+@@ -49,6 +49,7 @@
+ #include "components/prefs/pref_member.h"
+ #include "components/prefs/pref_service.h"
+ #include "components/security_state/core/security_state.h"
++#include "components/services/quarantine/test_support.h"
+ #include "content/public/browser/download_manager.h"
+ #include "content/public/browser/notification_service.h"
+ #include "content/public/browser/notification_types.h"
+@@ -433,6 +434,10 @@ IN_PROC_BROWSER_TEST_F(SavePageBrowserTest, SaveFileURL) {
+   EXPECT_TRUE(base::PathExists(full_file_name));
+   EXPECT_FALSE(base::PathExists(dir));
+   EXPECT_TRUE(base::ContentsEqual(GetTestDirFile("text.txt"), full_file_name));
++#if defined(OS_WIN)
++  // Local file URL will not be quarantined.
++  EXPECT_FALSE(quarantine::IsFileQuarantined(full_file_name, GURL(), GURL()));
++#endif
+ }
+ 
+ IN_PROC_BROWSER_TEST_F(SavePageBrowserTest,
+@@ -936,6 +941,25 @@ IN_PROC_BROWSER_TEST_F(SavePageBrowserTest, SaveUnauthorizedResource) {
+   EXPECT_FALSE(base::PathExists(dir.AppendASCII("should-not-save.jpg")));
+ }
+ 
++#if defined(OS_WIN)
++// Save a file and confirm that the file is correctly quarantined.
++IN_PROC_BROWSER_TEST_F(SavePageBrowserTest, SaveURLQuarantine) {
++  GURL url = embedded_test_server()->GetURL("/save_page/text.txt");
++  ui_test_utils::NavigateToURL(browser(), url);
++
++  base::FilePath full_file_name, dir;
++  SaveCurrentTab(url, content::SAVE_PAGE_TYPE_AS_ONLY_HTML, "test", 1, &dir,
++                 &full_file_name);
++  ASSERT_FALSE(HasFailure());
++
++  base::ScopedAllowBlockingForTesting allow_blocking;
++  EXPECT_TRUE(base::PathExists(full_file_name));
++  EXPECT_FALSE(base::PathExists(dir));
++  EXPECT_TRUE(base::ContentsEqual(GetTestDirFile("text.txt"), full_file_name));
++  EXPECT_TRUE(quarantine::IsFileQuarantined(full_file_name, url, GURL()));
++}
++#endif
++
+ // Test suite that allows testing --site-per-process against cross-site frames.
+ // See http://dev.chromium.org/developers/design-documents/site-isolation.
+ class SavePageSitePerProcessBrowserTest : public SavePageBrowserTest {
+diff --git a/content/browser/download/download_manager_impl.h b/content/browser/download/download_manager_impl.h
+index 69fcf9abbe975ea35a2869f3601958e88aeb5951..0deb3b7c7781a37b47a5a04169ecd2e0ceaed4c8 100644
+--- a/content/browser/download/download_manager_impl.h
++++ b/content/browser/download/download_manager_impl.h
+@@ -170,6 +170,11 @@ class CONTENT_EXPORT DownloadManagerImpl
+       int frame_tree_node_id,
+       bool from_download_cross_origin_redirect);
+ 
++  // DownloadItemImplDelegate overrides.
++  download::QuarantineConnectionCallback GetQuarantineConnectionCallback()
++      override;
++  std::string GetApplicationClientIdForFileScanning() const override;
++
+  private:
+   using DownloadSet = std::set<download::DownloadItem*>;
+   using DownloadGuidMap =
+@@ -237,7 +242,6 @@ class CONTENT_EXPORT DownloadManagerImpl
+   bool ShouldOpenDownload(download::DownloadItemImpl* item,
+                           ShouldOpenDownloadCallback callback) override;
+   void CheckForFileRemoval(download::DownloadItemImpl* download_item) override;
+-  std::string GetApplicationClientIdForFileScanning() const override;
+   void ResumeInterruptedDownload(
+       std::unique_ptr<download::DownloadUrlParameters> params,
+       const GURL& site_url) override;
+@@ -249,8 +253,6 @@ class CONTENT_EXPORT DownloadManagerImpl
+   void ReportBytesWasted(download::DownloadItemImpl* download) override;
+   void BindWakeLockProvider(
+       mojo::PendingReceiver<device::mojom::WakeLockProvider> receiver) override;
+-  download::QuarantineConnectionCallback GetQuarantineConnectionCallback()
+-      override;
+   std::unique_ptr<download::DownloadItemRenameHandler>
+   GetRenameHandlerForDownload(
+       download::DownloadItemImpl* download_item) override;
+diff --git a/content/browser/download/save_file.cc b/content/browser/download/save_file.cc
+index 72331e60fca942820b39580cee5a1890340401ae..110f66250e9608426b26333203e93045f17e9f99 100644
+--- a/content/browser/download/save_file.cc
++++ b/content/browser/download/save_file.cc
+@@ -63,10 +63,15 @@ void SaveFile::Finish() {
+   file_.Finish();
+ }
+ 
+-void SaveFile::AnnotateWithSourceInformation() {
+-  // TODO(gbillock): If this method is called, it should set the
+-  // file_.SetClientGuid() method first.
+-  NOTREACHED();
++void SaveFile::AnnotateWithSourceInformation(
++    const std::string& client_guid,
++    const GURL& source_url,
++    const GURL& referrer_url,
++    mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine,
++    download::BaseFile::OnAnnotationDoneCallback on_annotation_done_callback) {
++  file_.AnnotateWithSourceInformation(client_guid, source_url, referrer_url,
++                                      std::move(remote_quarantine),
++                                      std::move(on_annotation_done_callback));
+ }
+ 
+ base::FilePath SaveFile::FullPath() const {
+diff --git a/content/browser/download/save_file.h b/content/browser/download/save_file.h
+index 688574b07f9374e75a25caaaa13bdb405aea7b0d..1893a0031f4c6642c6c806577da2246e55e49091 100644
+--- a/content/browser/download/save_file.h
++++ b/content/browser/download/save_file.h
+@@ -34,7 +34,12 @@ class SaveFile {
+   void Detach();
+   void Cancel();
+   void Finish();
+-  void AnnotateWithSourceInformation();
++  void AnnotateWithSourceInformation(
++      const std::string& client_guid,
++      const GURL& source_url,
++      const GURL& referrer_url,
++      mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine,
++      download::BaseFile::OnAnnotationDoneCallback on_annotation_done_callback);
+   base::FilePath FullPath() const;
+   bool InProgress() const;
+   int64_t BytesSoFar() const;
+diff --git a/content/browser/download/save_file_manager.cc b/content/browser/download/save_file_manager.cc
+index 91786d976f7f637d659468d0700a6c858284dd66..2489b47cf864af0ff184f9250208832c31496698 100644
+--- a/content/browser/download/save_file_manager.cc
++++ b/content/browser/download/save_file_manager.cc
+@@ -50,6 +50,7 @@ static SaveFileManager* g_save_file_manager = nullptr;
+ class SaveFileManager::SimpleURLLoaderHelper
+     : public network::SimpleURLLoaderStreamConsumer {
+  public:
++  using URLLoaderCompleteCallback = base::OnceCallback<void(bool success)>;
+   static std::unique_ptr<SimpleURLLoaderHelper> CreateAndStartDownload(
+       std::unique_ptr<network::ResourceRequest> resource_request,
+       SaveItemId save_item_id,
+@@ -58,11 +59,12 @@ class SaveFileManager::SimpleURLLoaderHelper
+       int render_frame_routing_id,
+       const net::NetworkTrafficAnnotationTag& annotation_tag,
+       network::mojom::URLLoaderFactory* url_loader_factory,
+-      SaveFileManager* save_file_manager) {
++      SaveFileManager* save_file_manager,
++      URLLoaderCompleteCallback on_complete_cb) {
+     return std::unique_ptr<SimpleURLLoaderHelper>(new SimpleURLLoaderHelper(
+         std::move(resource_request), save_item_id, save_package_id,
+         render_process_id, render_frame_routing_id, annotation_tag,
+-        url_loader_factory, save_file_manager));
++        url_loader_factory, save_file_manager, std::move(on_complete_cb)));
+   }
+ 
+   ~SimpleURLLoaderHelper() override = default;
+@@ -76,10 +78,12 @@ class SaveFileManager::SimpleURLLoaderHelper
+       int render_frame_routing_id,
+       const net::NetworkTrafficAnnotationTag& annotation_tag,
+       network::mojom::URLLoaderFactory* url_loader_factory,
+-      SaveFileManager* save_file_manager)
++      SaveFileManager* save_file_manager,
++      URLLoaderCompleteCallback on_complete_cb)
+       : save_file_manager_(save_file_manager),
+         save_item_id_(save_item_id),
+-        save_package_id_(save_package_id) {
++        save_package_id_(save_package_id),
++        on_complete_cb_(std::move(on_complete_cb)) {
+     GURL url = resource_request->url;
+     url_loader_ = network::SimpleURLLoader::Create(std::move(resource_request),
+                                                    annotation_tag);
+@@ -124,9 +128,7 @@ class SaveFileManager::SimpleURLLoaderHelper
+ 
+   void OnComplete(bool success) override {
+     download::GetDownloadTaskRunner()->PostTask(
+-        FROM_HERE,
+-        base::BindOnce(&SaveFileManager::SaveFinished, save_file_manager_,
+-                       save_item_id_, save_package_id_, success));
++        FROM_HERE, base::BindOnce(std::move(on_complete_cb_), success));
+   }
+ 
+   void OnRetry(base::OnceClosure start_retry) override {
+@@ -138,6 +140,7 @@ class SaveFileManager::SimpleURLLoaderHelper
+   SaveItemId save_item_id_;
+   SavePackageId save_package_id_;
+   std::unique_ptr<network::SimpleURLLoader> url_loader_;
++  URLLoaderCompleteCallback on_complete_cb_;
+ 
+   DISALLOW_COPY_AND_ASSIGN(SimpleURLLoaderHelper);
+ };
+@@ -188,17 +191,20 @@ SavePackage* SaveFileManager::LookupPackage(SaveItemId save_item_id) {
+ }
+ 
+ // Call from SavePackage for starting a saving job
+-void SaveFileManager::SaveURL(SaveItemId save_item_id,
+-                              const GURL& url,
+-                              const Referrer& referrer,
+-                              int render_process_host_id,
+-                              int render_view_routing_id,
+-                              int render_frame_routing_id,
+-                              SaveFileCreateInfo::SaveFileSource save_source,
+-                              const base::FilePath& file_full_path,
+-                              BrowserContext* context,
+-                              StoragePartition* storage_partition,
+-                              SavePackage* save_package) {
++void SaveFileManager::SaveURL(
++    SaveItemId save_item_id,
++    const GURL& url,
++    const Referrer& referrer,
++    int render_process_host_id,
++    int render_view_routing_id,
++    int render_frame_routing_id,
++    SaveFileCreateInfo::SaveFileSource save_source,
++    const base::FilePath& file_full_path,
++    BrowserContext* context,
++    StoragePartition* storage_partition,
++    SavePackage* save_package,
++    const std::string& client_guid,
++    mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine) {
+   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+ 
+   // Insert started saving job to tracking list.
+@@ -285,11 +291,18 @@ void SaveFileManager::SaveURL(SaveItemId save_item_id,
+       factory = storage_partition->GetURLLoaderFactoryForBrowserProcess().get();
+     }
+ 
++    base::OnceCallback<void(bool /*success*/)> save_finished_cb =
++        base::BindOnce(&SaveFileManager::OnURLLoaderComplete, this,
++                       save_item_id, save_package->id(),
++                       context->IsOffTheRecord() ? GURL() : url,
++                       context->IsOffTheRecord() ? GURL() : referrer.url,
++                       client_guid, std::move(remote_quarantine));
++
+     url_loader_helpers_[save_item_id] =
+         SimpleURLLoaderHelper::CreateAndStartDownload(
+             std::move(request), save_item_id, save_package->id(),
+             render_process_host_id, render_frame_routing_id, traffic_annotation,
+-            factory, this);
++            factory, this, std::move(save_finished_cb));
+   } else {
+     // We manually start the save job.
+     auto info = std::make_unique<SaveFileCreateInfo>(
+@@ -344,6 +357,36 @@ void SaveFileManager::SendCancelRequest(SaveItemId save_item_id) {
+       base::BindOnce(&SaveFileManager::CancelSave, this, save_item_id));
+ }
+ 
++void SaveFileManager::OnURLLoaderComplete(
++    SaveItemId save_item_id,
++    SavePackageId save_package_id,
++    const GURL& url,
++    const GURL& referrer_url,
++    const std::string& client_guid,
++    mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine,
++    bool is_success) {
++  DCHECK(download::GetDownloadTaskRunner()->RunsTasksInCurrentSequence());
++  SaveFile* save_file = LookupSaveFile(save_item_id);
++  if (!is_success || !save_file) {
++    SaveFinished(save_item_id, save_package_id, is_success);
++    return;
++  }
++
++  save_file->AnnotateWithSourceInformation(
++      client_guid, url, referrer_url, std::move(remote_quarantine),
++      base::BindOnce(&SaveFileManager::OnQuarantineComplete, this, save_item_id,
++                     save_package_id));
++}
++
++void SaveFileManager::OnQuarantineComplete(
++    SaveItemId save_item_id,
++    SavePackageId save_package_id,
++    download::DownloadInterruptReason result) {
++  DCHECK(download::GetDownloadTaskRunner()->RunsTasksInCurrentSequence());
++  SaveFinished(save_item_id, save_package_id,
++               result == download::DOWNLOAD_INTERRUPT_REASON_NONE);
++}
++
+ // Notifications sent from the IO thread and run on the file thread:
+ 
+ // The IO thread created |info|, but the file thread (this method) uses it
+diff --git a/content/browser/download/save_file_manager.h b/content/browser/download/save_file_manager.h
+index 51eb63a9b189be388e4dff48e04644956e968345..0d4290b273ba4f150bc9a49418e54b709a601581 100644
+--- a/content/browser/download/save_file_manager.h
++++ b/content/browser/download/save_file_manager.h
+@@ -61,6 +61,8 @@
+ 
+ #include "base/macros.h"
+ #include "base/memory/ref_counted.h"
++#include "components/download/public/common/download_interrupt_reasons.h"
++#include "components/services/quarantine/quarantine.h"
+ #include "content/browser/download/save_types.h"
+ #include "content/common/content_export.h"
+ 
+@@ -90,17 +92,20 @@ class CONTENT_EXPORT SaveFileManager
+ 
+   // Saves the specified URL |url|. |save_package| must not be deleted before
+   // the call to RemoveSaveFile. Should be called on the UI thread,
+-  void SaveURL(SaveItemId save_item_id,
+-               const GURL& url,
+-               const Referrer& referrer,
+-               int render_process_host_id,
+-               int render_view_routing_id,
+-               int render_frame_routing_id,
+-               SaveFileCreateInfo::SaveFileSource save_source,
+-               const base::FilePath& file_full_path,
+-               BrowserContext* context,
+-               StoragePartition* storage_partition,
+-               SavePackage* save_package);
++  void SaveURL(
++      SaveItemId save_item_id,
++      const GURL& url,
++      const Referrer& referrer,
++      int render_process_host_id,
++      int render_view_routing_id,
++      int render_frame_routing_id,
++      SaveFileCreateInfo::SaveFileSource save_source,
++      const base::FilePath& file_full_path,
++      BrowserContext* context,
++      StoragePartition* storage_partition,
++      SavePackage* save_package,
++      const std::string& client_guid,
++      mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine);
+ 
+   // Notifications sent from the IO thread and run on the file thread:
+   void StartSave(std::unique_ptr<SaveFileCreateInfo> info);
+@@ -159,6 +164,21 @@ class CONTENT_EXPORT SaveFileManager
+   // Help function for sending notification of canceling specific request.
+   void SendCancelRequest(SaveItemId save_item_id);
+ 
++  // Called on the file thread when the URLLoader completes saving a SaveItem.
++  void OnURLLoaderComplete(
++      SaveItemId save_item_id,
++      SavePackageId save_package_id,
++      const GURL& url,
++      const GURL& referrer_url,
++      const std::string& client_guid,
++      mojo::PendingRemote<quarantine::mojom::Quarantine> remote_quarantine,
++      bool is_success);
++
++  // Called on the file thread when file quarantine finishes on a SaveItem.
++  void OnQuarantineComplete(SaveItemId save_item_id,
++                            SavePackageId save_package_id,
++                            download::DownloadInterruptReason result);
++
+   // Notifications sent from the file thread and run on the UI thread.
+ 
+   // Lookup the SaveManager for this WebContents' saving browser context and
+diff --git a/content/browser/download/save_package.cc b/content/browser/download/save_package.cc
+index 4ceea290dcc9b886fb2c65be4ff684854a0f131f..c4653492c8332201f1f6eeb2ce7dbd7fb20c7cc3 100644
+--- a/content/browser/download/save_package.cc
++++ b/content/browser/download/save_package.cc
+@@ -843,6 +843,12 @@ void SavePackage::SaveNextFile(bool process_all_remaining_items) {
+     RenderFrameHostImpl* requester_frame =
+         requester_frame_tree_node->current_frame_host();
+ 
++    mojo::PendingRemote<quarantine::mojom::Quarantine> quarantine;
++    auto quarantine_callback =
++        download_manager_->GetQuarantineConnectionCallback();
++    if (quarantine_callback)
++      quarantine_callback.Run(quarantine.InitWithNewPipeAndPassReceiver());
++
+     file_manager_->SaveURL(
+         save_item_ptr->id(), save_item_ptr->url(), save_item_ptr->referrer(),
+         requester_frame->GetProcess()->GetID(),
+@@ -854,8 +860,8 @@ void SavePackage::SaveNextFile(bool process_all_remaining_items) {
+             ->GetRenderViewHost()
+             ->GetProcess()
+             ->GetStoragePartition(),
+-        this);
+-
++        this, download_manager_->GetApplicationClientIdForFileScanning(),
++        std::move(quarantine));
+   } while (process_all_remaining_items && !waiting_item_queue_.empty());
+ }
+ 

patches/chromium/cherry-pick-096afc1c5428.patch

@@ -0,0 +1,106 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rayan Kanso <rayankans@google.com>
+Date: Tue, 7 Sep 2021 20:14:30 +0000
+Subject: Use less-specific error codes for CORS-failing fetches
+
+(cherry picked from commit 26be5702dab1d98e4d4b076a73d4688d20c043be)
+
+Bug: 1245053
+Change-Id: If0343157a3ba41a6c946b5f7401a9d114f834779
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3135676
+Commit-Queue: Rayan Kanso <rayankans@chromium.org>
+Reviewed-by: Richard Knoll <knollr@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#918109}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3143786
+Commit-Queue: Richard Knoll <knollr@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#833}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/content/browser/background_fetch/background_fetch_job_controller.cc b/content/browser/background_fetch/background_fetch_job_controller.cc
+index f424cadba0f42ce007c85a50b2bdb37a3a3a3499..0d08d1f744edd432c9615be811a60daff3b3c541 100644
+--- a/content/browser/background_fetch/background_fetch_job_controller.cc
++++ b/content/browser/background_fetch/background_fetch_job_controller.cc
+@@ -173,6 +173,8 @@ void BackgroundFetchJobController::DidStartRequest(
+   // TODO(crbug.com/884672): Stop the fetch if the cross origin filter fails.
+   BackgroundFetchCrossOriginFilter filter(registration_id_.origin(), *request);
+   request->set_can_populate_body(filter.CanPopulateBody());
++  if (!request->can_populate_body())
++    has_failed_cors_request_ = true;
+ }
+ 
+ void BackgroundFetchJobController::DidUpdateRequest(const std::string& guid,
+@@ -253,7 +255,14 @@ uint64_t BackgroundFetchJobController::GetInProgressUploadedBytes() {
+ 
+ void BackgroundFetchJobController::AbortFromDelegate(
+     BackgroundFetchFailureReason failure_reason) {
+-  failure_reason_ = failure_reason;
++  if (failure_reason == BackgroundFetchFailureReason::DOWNLOAD_TOTAL_EXCEEDED &&
++      has_failed_cors_request_) {
++    // Don't expose that the download total has been exceeded. Use a less
++    // specific error.
++    failure_reason_ = BackgroundFetchFailureReason::FETCH_ERROR;
++  } else {
++    failure_reason_ = failure_reason;
++  }
+ 
+   Finish(failure_reason_, base::DoNothing());
+ }
+diff --git a/content/browser/background_fetch/background_fetch_job_controller.h b/content/browser/background_fetch/background_fetch_job_controller.h
+index e635c86c1eb4237e2b107e3d6fae0242e99dcb4c..66a1c94e9dd79663fbc301c1c91918ef4ac67036 100644
+--- a/content/browser/background_fetch/background_fetch_job_controller.h
++++ b/content/browser/background_fetch/background_fetch_job_controller.h
+@@ -210,6 +210,10 @@ class CONTENT_EXPORT BackgroundFetchJobController
+   blink::mojom::BackgroundFetchFailureReason failure_reason_ =
+       blink::mojom::BackgroundFetchFailureReason::NONE;
+ 
++  // Whether one of the requests handled by the controller failed
++  // the CORS checks and should not have its response exposed.
++  bool has_failed_cors_request_ = false;
++
+   // Custom callback that runs after the controller is finished.
+   FinishedCallback finished_callback_;
+ 
+diff --git a/content/browser/background_fetch/background_fetch_job_controller_unittest.cc b/content/browser/background_fetch/background_fetch_job_controller_unittest.cc
+index ad9a31367250f90e5579525f42b8b1bde2eefbb1..eb0e8fc337061181d7764eb03bc420df12528c1a 100644
+--- a/content/browser/background_fetch/background_fetch_job_controller_unittest.cc
++++ b/content/browser/background_fetch/background_fetch_job_controller_unittest.cc
+@@ -433,6 +433,39 @@ TEST_F(BackgroundFetchJobControllerTest, Abort) {
+             GetCompletionStatus(registration_id));
+ }
+ 
++TEST_F(BackgroundFetchJobControllerTest, AbortDownloadExceededCrossOrigin) {
++  BackgroundFetchRegistrationId registration_id;
++
++  auto requests = CreateRegistrationForRequests(
++      &registration_id, {{GURL("https://example2.com/funny_cat.png"), "GET"}},
++      /* auto_complete_requests= */ true);
++
++  EXPECT_EQ(JobCompletionStatus::kRunning,
++            GetCompletionStatus(registration_id));
++
++  std::unique_ptr<BackgroundFetchJobController> controller =
++      CreateJobController(registration_id, requests.size());
++
++  controller->StartRequest(requests[0], base::DoNothing());
++
++  controller->DidStartRequest(
++      requests[0]->download_guid(),
++      std::make_unique<BackgroundFetchResponse>(
++          std::vector<GURL>{GURL("https://example2.com/funny_cat.png")},
++          nullptr));
++  EXPECT_FALSE(requests[0]->can_populate_body());
++
++  controller->AbortFromDelegate(
++      blink::mojom::BackgroundFetchFailureReason::DOWNLOAD_TOTAL_EXCEEDED);
++
++  base::RunLoop().RunUntilIdle();
++
++  EXPECT_EQ(JobCompletionStatus::kAborted,
++            GetCompletionStatus(registration_id));
++  EXPECT_EQ(finished_requests_[registration_id],
++            blink::mojom::BackgroundFetchFailureReason::FETCH_ERROR);
++}
++
+ TEST_F(BackgroundFetchJobControllerTest, Progress) {
+   BackgroundFetchRegistrationId registration_id;
+ 

patches/chromium/cherry-pick-1230767.patch

@@ -0,0 +1,115 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Harald Alvestrand <hta@chromium.org>
+Date: Tue, 10 Aug 2021 10:49:27 +0000
+Subject: Protect candidate better from garbage collection during negotiation.
+
+Includes a test that was reliably observed to produce an UAF on Linux
+when compiled with ASAN before the fix.
+
+Bug: chromium:1230767
+Change-Id: I02dd29332a6d00790dcace41b6584b96413ef6f4
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057049
+Reviewed-by: Florent Castelli <orphis@chromium.org>
+Commit-Queue: Harald Alvestrand <hta@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#910244}
+
+diff --git a/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc b/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc
+index 9265e14be8f86d2f1a2d888a789c121ddb514e88..84a8825ec87bcd9f1c0d7c502034bfbc3bfcafd1 100644
+--- a/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc
++++ b/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc
+@@ -1629,7 +1629,8 @@ void RTCPeerConnectionHandler::AddICECandidate(
+        handler_weak_ptr = weak_factory_.GetWeakPtr(),
+        tracker_weak_ptr =
+            WrapCrossThreadWeakPersistent(peer_connection_tracker_.Get()),
+-       candidate, persistent_request = WrapCrossThreadPersistent(request),
++       persistent_candidate = WrapCrossThreadPersistent(candidate),
++       persistent_request = WrapCrossThreadPersistent(request),
+        callback_on_task_runner =
+            std::move(callback_on_task_runner)](webrtc::RTCError result) {
+         // Grab a snapshot of all the session descriptions. AddIceCandidate may
+@@ -1657,7 +1658,7 @@ void RTCPeerConnectionHandler::AddICECandidate(
+                 std::move(current_local_description),
+                 std::move(pending_remote_description),
+                 std::move(current_remote_description),
+-                WrapCrossThreadPersistent(candidate), std::move(result),
++                std::move(persistent_candidate), std::move(result),
+                 std::move(persistent_request)));
+       });
+ }
+diff --git a/third_party/blink/web_tests/fast/peerconnection/poc-123067.html b/third_party/blink/web_tests/fast/peerconnection/poc-123067.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..ff169f1d1e1333b9ccfcae7eaa833ec645779218
+--- /dev/null
++++ b/third_party/blink/web_tests/fast/peerconnection/poc-123067.html
+@@ -0,0 +1,71 @@
++<!DOCTYPE html>
++<html>
++
++  <head>
++    <script src="../../resources/testharness.js"></script>
++    <script src="../../resources/testharnessreport.js"></script>
++    <script src="../../resources/gc.js"></script>
++  </head>
++  <body>
++  <script>
++    'use strict';
++  promise_test(async t => {
++    const var_caller_1 = new RTCPeerConnection();
++    const var_callee_1 = new RTCPeerConnection();
++    var_caller_1.addTransceiver('audio');
++    const var_prom_1 = new Promise(resolve => {
++      var_caller_1.onicecandidate = e => resolve(e.candidate);
++    });
++    await var_caller_1.setLocalDescription(await var_caller_1.createOffer());
++    await var_callee_1.setRemoteDescription(var_caller_1.localDescription);
++    const candidate = await var_prom_1;
++    var arrProm = [];
++    gc();
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.setLocalDescription().then(() => {
++    })
++    var_callee_1.addIceCandidate(candidate).then(() => {
++    })
++    await Promise.all(arrProm);
++  }, 'Running this script does not cause an UAF');
++  </script>
++</head>
++
++<body></body>
++
++</html>

patches/chromium/cherry-pick-1231134.patch

@@ -0,0 +1,163 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Lei Zhang <thestig@chromium.org>
+Date: Tue, 10 Aug 2021 21:38:36 +0000
+Subject: Do more class validity checks in PrintViewManagerBase.
+
+PrintViewManagerBase runs a nested loop. In some situations,
+PrintViewManagerBase and related classes like PrintViewManager and
+PrintPreviewHandler can get deleted while the nested loop is running.
+When this happens, the nested loop exists to a PrintViewManagerBase
+that is no longer valid.
+
+Use base::WeakPtrs liberally to check for this condition and exit
+safely.
+
+(cherry picked from commit a2cb1fb333d2faacb2fe1380f8d2621b5ee6af7e)
+
+Bug: 1231134
+Change-Id: I21ec131574331ce973d22594c11e70088147e149
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057880
+Reviewed-by: Alan Screen <awscreen@chromium.org>
+Commit-Queue: Lei Zhang <thestig@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#906269}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3086110
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/4515@{#2024}
+Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
+
+diff --git a/chrome/browser/printing/print_view_manager.cc b/chrome/browser/printing/print_view_manager.cc
+index 26271f6689f1f887b82333d281f26012d2752d63..e73d0972b1b6d6db1fbb3825791e5b90146c2c5e 100644
+--- a/chrome/browser/printing/print_view_manager.cc
++++ b/chrome/browser/printing/print_view_manager.cc
+@@ -89,7 +89,11 @@ bool PrintViewManager::PrintForSystemDialogNow(
+   DCHECK(!on_print_dialog_shown_callback_);
+   on_print_dialog_shown_callback_ = std::move(dialog_shown_callback);
+   is_switching_to_system_dialog_ = true;
++
++  auto weak_this = weak_factory_.GetWeakPtr();
+   DisconnectFromCurrentPrintJob();
++  if (!weak_this)
++    return false;
+ 
+   // Don't print / print preview crashed tabs.
+   if (IsCrashed())
+diff --git a/chrome/browser/printing/print_view_manager.h b/chrome/browser/printing/print_view_manager.h
+index 8b2f150a1e6a042898cba14c971e1f80d04116ca..b5cba8a2dfb9021527e4cc5569635770e85949b3 100644
+--- a/chrome/browser/printing/print_view_manager.h
++++ b/chrome/browser/printing/print_view_manager.h
+@@ -128,6 +128,11 @@ class PrintViewManager : public PrintViewManagerBase,
+ 
+   WEB_CONTENTS_USER_DATA_KEY_DECL();
+ 
++  // Keep this last so that all weak pointers will be invalidated at the
++  // beginning of destruction. Note that PrintViewManagerBase has its own
++  // base::WeakPtrFactory as well, but PrintViewManager should use this one.
++  base::WeakPtrFactory<PrintViewManager> weak_factory_{this};
++
+   DISALLOW_COPY_AND_ASSIGN(PrintViewManager);
+ };
+ 
+diff --git a/chrome/browser/printing/print_view_manager_base.cc b/chrome/browser/printing/print_view_manager_base.cc
+index 3b6e1d2609af952fa825688833387518cafdb352..3ddd927654e0134c28a7f73c6ec30b0c1ffe5c49 100644
+--- a/chrome/browser/printing/print_view_manager_base.cc
++++ b/chrome/browser/printing/print_view_manager_base.cc
+@@ -370,7 +370,10 @@ bool PrintViewManagerBase::PrintNow(content::RenderFrameHost* rfh,
+                                     bool silent,
+                                     base::Value settings,
+                                     CompletionCallback callback)  {
++  auto weak_this = weak_ptr_factory_.GetWeakPtr();
+   DisconnectFromCurrentPrintJob();
++  if (!weak_this)
++    return false;
+ 
+   // Don't print / print preview crashed tabs.
+   if (IsCrashed())
+@@ -850,6 +853,8 @@ bool PrintViewManagerBase::RenderAllMissingPagesNow() {
+   // or in DidPrintDocument(). The check is done in
+   // ShouldQuitFromInnerMessageLoop().
+   // BLOCKS until all the pages are received. (Need to enable recursive task)
++  // WARNING: Do not do any work after RunInnerMessageLoop() returns, as `this`
++  // may have gone away.
+   if (!RunInnerMessageLoop()) {
+     // This function is always called from DisconnectFromCurrentPrintJob() so we
+     // know that the job will be stopped/canceled in any case.
+@@ -876,8 +881,11 @@ bool PrintViewManagerBase::CreateNewPrintJob(
+   DCHECK(query);
+ 
+   if (callback_.is_null()) {
++    auto weak_this = weak_ptr_factory_.GetWeakPtr();
+     // Disconnect the current |print_job_| only when calling window.print()
+     DisconnectFromCurrentPrintJob();
++    if (!weak_this)
++      return false;
+   }
+ 
+   // We can't print if there is no renderer.
+@@ -906,7 +914,10 @@ bool PrintViewManagerBase::CreateNewPrintJob(
+ void PrintViewManagerBase::DisconnectFromCurrentPrintJob() {
+   // Make sure all the necessary rendered page are done. Don't bother with the
+   // return value.
++  auto weak_this = weak_ptr_factory_.GetWeakPtr();
+   bool result = RenderAllMissingPagesNow();
++  if (!weak_this)
++    return;
+ 
+   // Verify that assertion.
+   if (print_job_ && print_job_->document() &&
+@@ -988,7 +999,10 @@ bool PrintViewManagerBase::RunInnerMessageLoop() {
+ 
+   quit_inner_loop_ = run_loop.QuitClosure();
+ 
++  auto weak_this = weak_ptr_factory_.GetWeakPtr();
+   run_loop.Run();
++  if (!weak_this)
++    return false;
+ 
+   // If the inner-loop quit closure is still set then we timed out.
+   bool success = !quit_inner_loop_;
+diff --git a/chrome/browser/printing/print_view_manager_base.h b/chrome/browser/printing/print_view_manager_base.h
+index ccb9808bdb334a78ed7b64dd3030caff52055ad6..b2ad5c1010b233e038cad9e2b5e39f3c0027d63e 100644
+--- a/chrome/browser/printing/print_view_manager_base.h
++++ b/chrome/browser/printing/print_view_manager_base.h
+@@ -122,6 +122,8 @@ class PrintViewManagerBase : public content::NotificationObserver,
+ 
+   // Makes sure the current print_job_ has all its data before continuing, and
+   // disconnect from it.
++  // WARNING: `this` may not be alive after DisconnectFromCurrentPrintJob()
++  // returns.
+   void DisconnectFromCurrentPrintJob();
+ 
+   // Manages the low-level talk to the printer.
+@@ -168,6 +170,7 @@ class PrintViewManagerBase : public content::NotificationObserver,
+   // Requests the RenderView to render all the missing pages for the print job.
+   // No-op if no print job is pending. Returns true if at least one page has
+   // been requested to the renderer.
++  // WARNING: `this` may not be alive after RenderAllMissingPagesNow() returns.
+   bool RenderAllMissingPagesNow();
+ 
+   // Checks that synchronization is correct with |print_job_| based on |cookie|.
+@@ -201,6 +204,7 @@ class PrintViewManagerBase : public content::NotificationObserver,
+   // while the blocking inner message loop is running. This is useful in cases
+   // where the RenderView is about to be destroyed while a printing job isn't
+   // finished.
++  // WARNING: `this` may not be alive after RunInnerMessageLoop() returns.
+   bool RunInnerMessageLoop();
+ 
+   // In the case of Scripted Printing, where the renderer is controlling the
+diff --git a/chrome/browser/ui/webui/print_preview/print_preview_handler.cc b/chrome/browser/ui/webui/print_preview/print_preview_handler.cc
+index 82a2ac9bc0e5d32438a6ec6bd500cae7da8739fe..fe8a580e2fc5dbb74a57bf8488888a9696ce0007 100644
+--- a/chrome/browser/ui/webui/print_preview/print_preview_handler.cc
++++ b/chrome/browser/ui/webui/print_preview/print_preview_handler.cc
+@@ -726,9 +726,12 @@ void PrintPreviewHandler::HandleShowSystemDialog(
+   if (!initiator)
+     return;
+ 
++  auto weak_this = weak_factory_.GetWeakPtr();
+   auto* print_view_manager = PrintViewManager::FromWebContents(initiator);
+   print_view_manager->PrintForSystemDialogNow(base::BindOnce(
+       &PrintPreviewHandler::ClosePreviewDialog, weak_factory_.GetWeakPtr()));
++  if (!weak_this)
++    return;
+ 
+   // Cancel the pending preview request if exists.
+   print_preview_ui()->OnCancelPendingPreviewRequest();

patches/chromium/cherry-pick-1233564.patch

@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hongchan Choi <hongchan@chromium.org>
+Date: Mon, 9 Aug 2021 18:43:22 +0000
+Subject: Protect HRTF database loader thread from access by different threads
+
+This patch add a new mutex locker around the HRTF database loader
+thread to ensure the safe exclusive access of the loader thread
+and the HRTF database.
+
+(cherry picked from commit 6811e850ee10847da16c4d5fdc0f845494586b65)
+
+Bug: 1233564
+Change-Id: Ie12b99ffe520d3747e34af387a37637a10aab38a
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3068260
+Auto-Submit: Hongchan Choi <hongchan@chromium.org>
+Commit-Queue: Kentaro Hara <haraken@chromium.org>
+Reviewed-by: Kentaro Hara <haraken@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#908269}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3082114
+Reviewed-by: Chris Mumford <cmumford@google.com>
+Commit-Queue: Hongchan Choi <hongchan@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#601}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/third_party/blink/renderer/platform/audio/hrtf_database_loader.cc b/third_party/blink/renderer/platform/audio/hrtf_database_loader.cc
+index 034ded03d11fa42f0d0f62c6a91f6e20ee5f93e1..01cb98a1116fe1eb6a13ff6345b6bdf4e136badc 100644
+--- a/third_party/blink/renderer/platform/audio/hrtf_database_loader.cc
++++ b/third_party/blink/renderer/platform/audio/hrtf_database_loader.cc
+@@ -86,6 +86,8 @@ void HRTFDatabaseLoader::LoadTask() {
+ void HRTFDatabaseLoader::LoadAsynchronously() {
+   DCHECK(IsMainThread());
+ 
++  MutexLocker locker(lock_);
++
+   // m_hrtfDatabase and m_thread should both be unset because this should be a
+   // new HRTFDatabaseLoader object that was just created by
+   // createAndLoadAsynchronouslyIfNecessary and because we haven't started
+@@ -122,6 +124,10 @@ void HRTFDatabaseLoader::CleanupTask(base::WaitableEvent* sync) {
+ }
+ 
+ void HRTFDatabaseLoader::WaitForLoaderThreadCompletion() {
++  // We can lock this because this is called from either the main thread or
++  // the offline audio rendering thread.
++  MutexLocker locker(lock_);
++
+   if (!thread_)
+     return;
+ 
+diff --git a/third_party/blink/renderer/platform/audio/hrtf_database_loader.h b/third_party/blink/renderer/platform/audio/hrtf_database_loader.h
+index 3ce476fa68e066d6faf40011e94203f0fb778e71..a94997b4f7e06f96018187967faa524d4acfd5f6 100644
+--- a/third_party/blink/renderer/platform/audio/hrtf_database_loader.h
++++ b/third_party/blink/renderer/platform/audio/hrtf_database_loader.h
+@@ -64,8 +64,8 @@ class PLATFORM_EXPORT HRTFDatabaseLoader final
+   // must be called from the audio thread.
+   bool IsLoaded() { return Database(); }
+ 
+-  // waitForLoaderThreadCompletion() may be called more than once and is
+-  // thread-safe.
++  // May be called from both main and audio thread, and also can be called more
++  // than once.
+   void WaitForLoaderThreadCompletion();
+ 
+   // Returns the database or nullptr if the database doesn't yet exist.  Must
+@@ -87,11 +87,10 @@ class PLATFORM_EXPORT HRTFDatabaseLoader final
+   void LoadTask();
+   void CleanupTask(base::WaitableEvent*);
+ 
+-  // Holding a m_lock is required when accessing m_hrtfDatabase since we access
+-  // it from multiple threads.
++  // |lock_| MUST be held when accessing |hrtf_database_| or |thread_| because
++  // it can be accessed by multiple threads (e.g multiple AudioContexts).
+   Mutex lock_;
+   std::unique_ptr<HRTFDatabase> hrtf_database_;
+-
+   std::unique_ptr<Thread> thread_;
+ 
+   float database_sample_rate_;

patches/chromium/cherry-pick-1234009.patch

@@ -0,0 +1,138 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sam McNally <sammc@chromium.org>
+Date: Tue, 10 Aug 2021 02:14:43 +0000
+Subject: Defer looking up the WebContents for the directory confirmation
+ dialog.
+
+Look up the WebContents to use for the sensitive directory confirmation
+dialog immediately before it's used instead of before performing some
+blocking file access to determine whether it's necessary.
+
+(cherry picked from commit 18236a0db8341302120c60781ae3129e94fbaf1c)
+
+Bug: 1234009
+Change-Id: I5e00c7fa199b3da522e1fdb73242891d7f5f7423
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3063743
+Reviewed-by: Alex Danilo <adanilo@chromium.org>
+Reviewed-by: Ben Wells <benwells@chromium.org>
+Commit-Queue: Sam McNally <sammc@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#907467}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3083204
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/4577@{#648}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/extensions/browser/api/file_system/file_system_api.cc b/extensions/browser/api/file_system/file_system_api.cc
+index e9023c877b7b35c0067642f05bc540858cbd7706..110f768c12d94fcfae0ac509fd0ce61c0e6049b8 100644
+--- a/extensions/browser/api/file_system/file_system_api.cc
++++ b/extensions/browser/api/file_system/file_system_api.cc
+@@ -197,6 +197,9 @@ void PassFileInfoToUIThread(FileInfoOptCallback callback,
+ content::WebContents* GetWebContentsForRenderFrameHost(
+     content::BrowserContext* browser_context,
+     content::RenderFrameHost* render_frame_host) {
++  if (!render_frame_host)
++    return nullptr;
++
+   content::WebContents* web_contents =
+       content::WebContents::FromRenderFrameHost(render_frame_host);
+   // Check if there is an app window associated with the web contents; if not,
+@@ -508,15 +511,6 @@ void FileSystemChooseEntryFunction::FilesSelected(
+   }
+ 
+   if (is_directory_) {
+-    // Get the WebContents for the app window to be the parent window of the
+-    // confirmation dialog if necessary.
+-    content::WebContents* const web_contents = GetWebContentsForRenderFrameHost(
+-        browser_context(), render_frame_host());
+-    if (!web_contents) {
+-      Respond(Error(kInvalidCallingPage));
+-      return;
+-    }
+-
+     DCHECK_EQ(paths.size(), 1u);
+     bool non_native_path = false;
+ #if BUILDFLAG(IS_CHROMEOS_ASH)
+@@ -530,7 +524,7 @@ void FileSystemChooseEntryFunction::FilesSelected(
+         FROM_HERE, {base::MayBlock(), base::TaskPriority::BEST_EFFORT},
+         base::BindOnce(
+             &FileSystemChooseEntryFunction::ConfirmDirectoryAccessAsync, this,
+-            non_native_path, paths, web_contents));
++            non_native_path, paths));
+     return;
+   }
+ 
+@@ -543,8 +537,7 @@ void FileSystemChooseEntryFunction::FileSelectionCanceled() {
+ 
+ void FileSystemChooseEntryFunction::ConfirmDirectoryAccessAsync(
+     bool non_native_path,
+-    const std::vector<base::FilePath>& paths,
+-    content::WebContents* web_contents) {
++    const std::vector<base::FilePath>& paths) {
+   const base::FilePath check_path =
+       non_native_path ? paths[0] : base::MakeAbsoluteFilePath(paths[0]);
+   if (check_path.empty()) {
+@@ -576,7 +569,7 @@ void FileSystemChooseEntryFunction::ConfirmDirectoryAccessAsync(
+         FROM_HERE,
+         base::BindOnce(
+             &FileSystemChooseEntryFunction::ConfirmSensitiveDirectoryAccess,
+-            this, paths, web_contents));
++            this, paths));
+     return;
+   }
+ 
+@@ -587,8 +580,7 @@ void FileSystemChooseEntryFunction::ConfirmDirectoryAccessAsync(
+ }
+ 
+ void FileSystemChooseEntryFunction::ConfirmSensitiveDirectoryAccess(
+-    const std::vector<base::FilePath>& paths,
+-    content::WebContents* web_contents) {
++    const std::vector<base::FilePath>& paths) {
+   if (ExtensionsBrowserClient::Get()->IsShuttingDown()) {
+     FileSelectionCanceled();
+     return;
+@@ -601,6 +593,13 @@ void FileSystemChooseEntryFunction::ConfirmSensitiveDirectoryAccess(
+     return;
+   }
+ 
++  content::WebContents* const web_contents =
++      GetWebContentsForRenderFrameHost(browser_context(), render_frame_host());
++  if (!web_contents) {
++    Respond(Error(kInvalidCallingPage));
++    return;
++  }
++
+   delegate->ConfirmSensitiveDirectoryAccess(
+       app_file_handler_util::HasFileSystemWritePermission(extension_.get()),
+       base::UTF8ToUTF16(extension_->name()), web_contents,
+diff --git a/extensions/browser/api/file_system/file_system_api.h b/extensions/browser/api/file_system/file_system_api.h
+index ae1588ce8536e4cee5474c3d4db370e95018c52e..0895a174a0dd1ba031fa358fe6451a1ebf198594 100644
+--- a/extensions/browser/api/file_system/file_system_api.h
++++ b/extensions/browser/api/file_system/file_system_api.h
+@@ -19,10 +19,6 @@
+ #include "extensions/common/api/file_system.h"
+ #include "ui/shell_dialogs/select_file_dialog.h"
+ 
+-namespace content {
+-class WebContents;
+-}  // namespace content
+-
+ namespace extensions {
+ class ExtensionPrefs;
+ 
+@@ -168,13 +164,12 @@ class FileSystemChooseEntryFunction : public FileSystemEntryFunction {
+   // directory. If so, calls ConfirmSensitiveDirectoryAccess. Otherwise, calls
+   // OnDirectoryAccessConfirmed.
+   void ConfirmDirectoryAccessAsync(bool non_native_path,
+-                                   const std::vector<base::FilePath>& paths,
+-                                   content::WebContents* web_contents);
++                                   const std::vector<base::FilePath>& paths);
+ 
+   // Shows a dialog to confirm whether the user wants to open the directory.
+   // Calls OnDirectoryAccessConfirmed or FileSelectionCanceled.
+-  void ConfirmSensitiveDirectoryAccess(const std::vector<base::FilePath>& paths,
+-                                       content::WebContents* web_contents);
++  void ConfirmSensitiveDirectoryAccess(
++      const std::vector<base::FilePath>& paths);
+ 
+   void OnDirectoryAccessConfirmed(const std::vector<base::FilePath>& paths);
+ 

patches/chromium/cherry-pick-3a5bafa35def.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alex Gough <ajgo@chromium.org>
+Date: Fri, 1 Oct 2021 23:30:09 +0000
+Subject: Tell clang not to devirtualize TargetServices
+
+Before this change in official builds a child process's delayed
+integrity level was not being set correctly. With this change
+renderers run at Untrusted IL as intended.
+
+(cherry picked from commit 19d2be5d47e0edc406ef7d93096f54009e47937f)
+
+Tests: https://bugs.chromium.org/p/chromium/issues/detail?id=1254631#c13
+Bug: 1254631
+Change-Id: I52c149cca3de5218033ed0f37d9f76782b9a6302
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3198382
+Reviewed-by: Will Harris <wfh@chromium.org>
+Commit-Queue: Will Harris <wfh@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#926934}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3200146
+Commit-Queue: Alex Gough <ajgo@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#1285}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/sandbox/win/src/sandbox.h b/sandbox/win/src/sandbox.h
+index 9dfebfcc1721a2c2c34397666976e67b78812d7b..d4ab27f084aeb1b9db54eacf227250cf2364c4e2 100644
+--- a/sandbox/win/src/sandbox.h
++++ b/sandbox/win/src/sandbox.h
+@@ -140,7 +140,7 @@ class BrokerServices {
+ //   }
+ //
+ // For more information see the BrokerServices API documentation.
+-class TargetServices {
++class [[clang::lto_visibility_public]] TargetServices {
+  public:
+   // Initializes the target. Must call this function before any other.
+   // returns ALL_OK if successful. All other return values imply failure.

patches/chromium/cherry-pick-4e528a5a8d83.patch

@@ -0,0 +1,62 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Austin Sullivan <asully@chromium.org>
+Date: Wed, 15 Sep 2021 23:57:27 +0000
+Subject: FSA: Fix race condition in manager
+
+(cherry picked from commit 951339b41022b08a67ad94ba5960b05c84bf4cf2)
+
+Bug: 1248030
+Change-Id: I1ea819d1d6ac63ec8f400a45c893da49596235ef
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3154425
+Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
+Auto-Submit: Austin Sullivan <asully@chromium.org>
+Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#920376}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3160301
+Commit-Queue: Austin Sullivan <asully@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#1077}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/content/browser/file_system_access/file_system_access_manager_impl.cc b/content/browser/file_system_access/file_system_access_manager_impl.cc
+index e58be73ae495dbc3c04802caf8fd163bcafaf992..a47eceba374b2c589fe8a0d007e4e1c803baab32 100644
+--- a/content/browser/file_system_access/file_system_access_manager_impl.cc
++++ b/content/browser/file_system_access/file_system_access_manager_impl.cc
+@@ -448,6 +448,11 @@ void FileSystemAccessManagerImpl::ResolveDefaultDirectory(
+                   std::move(callback))));
+ }
+ 
++void FileSystemAccessManagerImpl::Shutdown() {
++  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
++  permission_context_ = nullptr;
++}
++
+ void FileSystemAccessManagerImpl::SetDefaultPathAndShowPicker(
+     const BindingContext& context,
+     blink::mojom::FilePickerOptionsPtr options,
+diff --git a/content/browser/file_system_access/file_system_access_manager_impl.h b/content/browser/file_system_access/file_system_access_manager_impl.h
+index 4c9303aa11349f8de5181ca1dcd92f20f2b74a99..e06a3d347f2af5f62ade1fc70e8ad49ca878628f 100644
+--- a/content/browser/file_system_access/file_system_access_manager_impl.h
++++ b/content/browser/file_system_access/file_system_access_manager_impl.h
+@@ -257,6 +257,8 @@ class CONTENT_EXPORT FileSystemAccessManagerImpl
+       PathType path_type,
+       const base::FilePath& path);
+ 
++  void Shutdown();
++
+  private:
+   friend class FileSystemAccessFileHandleImpl;
+ 
+diff --git a/content/browser/storage_partition_impl.cc b/content/browser/storage_partition_impl.cc
+index 7ffcbd0ac22164d5e268f28e0e434a08e3eb120b..f851627cf33ac4bc2aa56eb3d7b21170eb5c0d16 100644
+--- a/content/browser/storage_partition_impl.cc
++++ b/content/browser/storage_partition_impl.cc
+@@ -1078,6 +1078,9 @@ StoragePartitionImpl::~StoragePartitionImpl() {
+                                   GetDatabaseTracker()));
+   }
+ 
++  if (GetFileSystemAccessManager())
++    GetFileSystemAccessManager()->Shutdown();
++
+   if (GetFileSystemContext())
+     GetFileSystemContext()->Shutdown();
+ 

patches/chromium/cherry-pick-6048fcd52f42.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Koji Ishii <kojii@chromium.org>
+Date: Thu, 9 Sep 2021 23:25:48 +0000
+Subject: Merge 4577: Apply list item quirks only when the nested list is
+ block-level
+
+This patch changes to apply quirks for a list-item occupying
+the whole line only if the nested list is block-level.
+
+When applying this quirks, list markers are handled like a
+regular child. r883403 crrev.com/c/2885398 changed to handle
+list markers at |NGBlockLayoutAlgorithm| to support NG block
+fragmentation. These two when combined causes the list marker
+not laid out if the nested list is not block-level.
+
+This may change some visual behaviors, but I think this is ok:
+a) This quirks is not in the quirks spec[1] and not
+   implemented in Gecko.
+b) The previous CL had a visual difference in this case in M92
+   but no reports so far.
+
+[1]: https://quirks.spec.whatwg.org/
+
+(cherry picked from commit 6f5d97da873f0e193a732fb7281d3484258aef6d)
+
+Bug: 1246932, 1206409
+Change-Id: Ia58a1b788313d3d9f221fd010cdd1a906551ab8b
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3145018
+Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
+Commit-Queue: Koji Ishii <kojii@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#919158}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3151681
+Auto-Submit: Koji Ishii <kojii@chromium.org>
+Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1225}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/third_party/blink/renderer/core/layout/ng/list/layout_ng_outside_list_marker.cc b/third_party/blink/renderer/core/layout/ng/list/layout_ng_outside_list_marker.cc
+index 15a3c0a3018301e40d336c8893e987b491da66d3..9b7c0e075cb5a89108c22824c5522de26eb904da 100644
+--- a/third_party/blink/renderer/core/layout/ng/list/layout_ng_outside_list_marker.cc
++++ b/third_party/blink/renderer/core/layout/ng/list/layout_ng_outside_list_marker.cc
+@@ -26,8 +26,11 @@ bool LayoutNGOutsideListMarker::NeedsOccupyWholeLine() const {
+   if (!GetDocument().InQuirksMode())
+     return false;
+ 
++  // Apply the quirks when the next sibling is a block-level `<ul>` or `<ol>`.
+   LayoutObject* next_sibling = NextSibling();
+-  if (next_sibling && next_sibling->GetNode() &&
++  if (next_sibling && !next_sibling->IsInline() &&
++      !next_sibling->IsFloatingOrOutOfFlowPositioned() &&
++      next_sibling->GetNode() &&
+       (IsA<HTMLUListElement>(*next_sibling->GetNode()) ||
+        IsA<HTMLOListElement>(*next_sibling->GetNode())))
+     return true;
+diff --git a/third_party/blink/web_tests/external/wpt/quirks/crashtests/list-item-whole-line-quirks-crash.html b/third_party/blink/web_tests/external/wpt/quirks/crashtests/list-item-whole-line-quirks-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..b91b09db0e37727e2d3a3e13ca2c7cae25b8d761
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/quirks/crashtests/list-item-whole-line-quirks-crash.html
+@@ -0,0 +1,5 @@
++<!-- quirks -->
++<div>a<ul><li><ul style='float: left'></ul></li></ul></div>
++<div>a<ul><li><ul style='position: absolute'></ul></li></ul></div>
++<div>a<ul><li><ul style='display: inline'></ul></li></ul></div>
++<div>a<ul><li><ul style='display: inline-block'></ul></li></ul></div>

patches/chromium/cherry-pick-6215793f008f.patch

@@ -0,0 +1,121 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Scott Violet <sky@chromium.org>
+Date: Wed, 8 Sep 2021 18:45:42 +0000
+Subject: compositor: fix bug in sending damage regions
+
+Specifically if a layer is added when sending damaged regions the
+iterator would be invalidated. This converts to iterating over the
+size.
+
+BUG=1242257
+TEST=CompositorTestWithMessageLoop.AddLayerDuringUpdateVisualState
+
+(cherry picked from commit 7c0b0577c3ac1060945b7d05ad69f0dec33479b4)
+
+Change-Id: I09f2bd34afce5d3c9402ef470f14923bbc76b8ae
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140178
+Reviewed-by: Ian Vollick <vollick@chromium.org>
+Commit-Queue: Scott Violet <sky@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#917886}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3149110
+Commit-Queue: enne <enne@chromium.org>
+Auto-Submit: Scott Violet <sky@chromium.org>
+Reviewed-by: enne <enne@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1206}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/ui/compositor/compositor.cc b/ui/compositor/compositor.cc
+index 34f84bbdc2c21e3f8b8085edaf3fcad86c584672..350efae9200e1646449902e201c985b09ad47e0d 100644
+--- a/ui/compositor/compositor.cc
++++ b/ui/compositor/compositor.cc
+@@ -653,8 +653,10 @@ void Compositor::BeginMainFrameNotExpectedUntil(base::TimeTicks time) {}
+ 
+ static void SendDamagedRectsRecursive(ui::Layer* layer) {
+   layer->SendDamagedRects();
+-  for (auto* child : layer->children())
+-    SendDamagedRectsRecursive(child);
++  // Iterate using the size for the case of mutation during sending damaged
++  // regions. https://crbug.com/1242257.
++  for (size_t i = 0; i < layer->children().size(); ++i)
++    SendDamagedRectsRecursive(layer->children()[i]);
+ }
+ 
+ void Compositor::UpdateLayerTreeHost() {
+diff --git a/ui/compositor/compositor_unittest.cc b/ui/compositor/compositor_unittest.cc
+index 7eaa8bbe4ab34e455c2afc67511c867a1d6d7e39..389b8630b4db323458aae65b61ef0b7d91a9797c 100644
+--- a/ui/compositor/compositor_unittest.cc
++++ b/ui/compositor/compositor_unittest.cc
+@@ -12,12 +12,14 @@
+ #include "base/test/test_mock_time_task_runner.h"
+ #include "base/threading/thread_task_runner_handle.h"
+ #include "base/time/time.h"
++#include "build/build_config.h"
+ #include "cc/metrics/frame_sequence_tracker.h"
+ #include "components/viz/common/surfaces/parent_local_surface_id_allocator.h"
+ #include "testing/gmock/include/gmock/gmock.h"
+ #include "testing/gtest/include/gtest/gtest.h"
+ #include "ui/compositor/compositor.h"
+ #include "ui/compositor/layer.h"
++#include "ui/compositor/layer_delegate.h"
+ #include "ui/compositor/test/draw_waiter_for_test.h"
+ #include "ui/compositor/test/in_process_context_factory.h"
+ #include "ui/compositor/test/test_context_factories.h"
+@@ -356,4 +358,58 @@ TEST_F(CompositorTestWithMessageLoop, MAYBE_CreateAndReleaseOutputSurface) {
+   compositor()->SetRootLayer(nullptr);
+ }
+ 
++class LayerDelegateThatAddsDuringUpdateVisualState : public LayerDelegate {
++ public:
++  explicit LayerDelegateThatAddsDuringUpdateVisualState(Layer* parent)
++      : parent_(parent) {}
++
++  bool update_visual_state_called() const {
++    return update_visual_state_called_;
++  }
++
++  // LayerDelegate:
++  void UpdateVisualState() override {
++    added_layers_.push_back(std::make_unique<Layer>(ui::LAYER_SOLID_COLOR));
++    parent_->Add(added_layers_.back().get());
++    update_visual_state_called_ = true;
++  }
++  void OnPaintLayer(const PaintContext& context) override {}
++  void OnDeviceScaleFactorChanged(float old_device_scale_factor,
++                                  float new_device_scale_factor) override {}
++
++ private:
++  Layer* parent_;
++  std::vector<std::unique_ptr<Layer>> added_layers_;
++  bool update_visual_state_called_ = false;
++};
++
++TEST_F(CompositorTestWithMessageLoop, AddLayerDuringUpdateVisualState) {
++  std::unique_ptr<Layer> root_layer =
++      std::make_unique<Layer>(ui::LAYER_SOLID_COLOR);
++  std::unique_ptr<Layer> child_layer =
++      std::make_unique<Layer>(ui::LAYER_TEXTURED);
++  std::unique_ptr<Layer> child_layer2 =
++      std::make_unique<Layer>(ui::LAYER_SOLID_COLOR);
++  LayerDelegateThatAddsDuringUpdateVisualState child_layer_delegate(
++      root_layer.get());
++  child_layer->set_delegate(&child_layer_delegate);
++  root_layer->Add(child_layer.get());
++  root_layer->Add(child_layer2.get());
++
++  viz::ParentLocalSurfaceIdAllocator allocator;
++  allocator.GenerateId();
++  root_layer->SetBounds(gfx::Rect(10, 10));
++  compositor()->SetRootLayer(root_layer.get());
++  compositor()->SetScaleAndSize(1.0f, gfx::Size(10, 10),
++                                allocator.GetCurrentLocalSurfaceId());
++  ASSERT_TRUE(compositor()->IsVisible());
++  compositor()->ScheduleDraw();
++  DrawWaiterForTest::WaitForCompositingEnded(compositor());
++  EXPECT_TRUE(child_layer_delegate.update_visual_state_called());
++  compositor()->SetRootLayer(nullptr);
++  child_layer2.reset();
++  child_layer.reset();
++  root_layer.reset();
++}
++
+ }  // namespace ui

patches/chromium/cherry-pick-6a8a2098f9fa.patch

@@ -0,0 +1,230 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Erik Chen <erikchen@chromium.org>
+Date: Wed, 29 Sep 2021 21:16:47 +0000
+Subject: Prevents non-browser processes from requesting memory dumps.
+
+This CL makes several changes:
+
+(1) Causes the browser to reset non-browser
+mojo::PendingReceiver<Coordinator>. This means that non-browser
+processes will never be able to use the Coordinator interface.
+
+(2) Add CHECKs to existing code to prevent non-browser processes from
+attempting to use the Coordinator interface.
+
+A code audit shows that all Coordinator usages should already only be
+from the browser process.
+
+Note that (2) is important since attempting to use an unbound interface
+will trigger a nullptr dereference, which is undefined behavior.
+
+(cherry picked from commit d9cc471e122e9a2391a68fa7cd72ea50587d8d97)
+
+Bug: 1251787
+Change-Id: Ifbe9610cc0e373edaaa60fad46b447e8bdb3ec04
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3174305
+Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
+Reviewed-by: ssid <ssid@chromium.org>
+Auto-Submit: Erik Chen <erikchen@chromium.org>
+Commit-Queue: Erik Chen <erikchen@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#923693}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3194811
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: Krishna Govind <govind@chromium.org>
+Commit-Queue: Krishna Govind <govind@chromium.org>
+Owners-Override: Krishna Govind <govind@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#1253}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/content/browser/browser_child_process_host_impl.cc b/content/browser/browser_child_process_host_impl.cc
+index 562eb4c2e1341b9aeb77ce3cfaf6740fa4876a61..8d155fa573c5b67f282d43b6fc8bfc0b98cbfeb1 100644
+--- a/content/browser/browser_child_process_host_impl.cc
++++ b/content/browser/browser_child_process_host_impl.cc
+@@ -704,6 +704,9 @@ void BrowserChildProcessHostImpl::RegisterCoordinatorClient(
+     mojo::PendingReceiver<memory_instrumentation::mojom::Coordinator> receiver,
+     mojo::PendingRemote<memory_instrumentation::mojom::ClientProcess>
+         client_process) {
++  // Intentionally disallow non-browser processes from getting a Coordinator.
++  receiver.reset();
++
+   // The child process may have already terminated by the time this message is
+   // dispatched. We do nothing in that case.
+   if (!IsProcessLaunched())
+diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
+index c2341d7e2b4149c5a83676b237f4c21ba5e9798a..be4a24917f9c5f8cf6c7c68761b3a9873d9b35aa 100644
+--- a/content/browser/renderer_host/render_process_host_impl.cc
++++ b/content/browser/renderer_host/render_process_host_impl.cc
+@@ -2632,6 +2632,9 @@ void RenderProcessHostImpl::RegisterCoordinatorClient(
+     mojo::PendingReceiver<memory_instrumentation::mojom::Coordinator> receiver,
+     mojo::PendingRemote<memory_instrumentation::mojom::ClientProcess>
+         client_process) {
++  // Intentionally disallow non-browser processes from getting a Coordinator.
++  receiver.reset();
++
+   if (!GetProcess().IsValid()) {
+     // If the process dies before we get this message. we have no valid PID
+     // and there's nothing to register.
+diff --git a/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc b/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc
+index 77cd931b5fe94dc11440c1f67c17d653db11bbb1..c16affe3949505d6144d4c4db6ece453005d6fea 100644
+--- a/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc
++++ b/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc
+@@ -105,7 +105,8 @@ void CoordinatorImpl::RegisterClientProcess(
+     const base::Optional<std::string>& service_name) {
+   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+   mojo::Remote<mojom::ClientProcess> process(std::move(client_process));
+-  coordinator_receivers_.Add(this, std::move(receiver), process_id);
++  if (receiver.is_valid())
++    coordinator_receivers_.Add(this, std::move(receiver), process_id);
+   process.set_disconnect_handler(
+       base::BindOnce(&CoordinatorImpl::UnregisterClientProcess,
+                      base::Unretained(this), process_id));
+diff --git a/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.cc b/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.cc
+index ca0e8d8441a53fce370b375930b149a0b8dd6974..ae9ef93eafe0196c7a16743211f04eebe2c87d34 100644
+--- a/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.cc
++++ b/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.cc
+@@ -24,6 +24,11 @@ void ClientProcessImpl::CreateInstance(
+     mojo::PendingReceiver<mojom::ClientProcess> receiver,
+     mojo::PendingRemote<mojom::Coordinator> coordinator,
+     bool is_browser_process) {
++  // Intentionally disallow non-browser processes from ever holding a
++  // Coordinator.
++  if (!is_browser_process)
++    coordinator.reset();
++
+   static ClientProcessImpl* instance = nullptr;
+   if (!instance) {
+     instance = new ClientProcessImpl(
+@@ -39,10 +44,12 @@ ClientProcessImpl::ClientProcessImpl(
+     mojo::PendingRemote<mojom::Coordinator> coordinator,
+     bool is_browser_process,
+     bool initialize_memory_instrumentation)
+-    : receiver_(this, std::move(receiver)) {
++    : receiver_(this, std::move(receiver)),
++      is_browser_process_(is_browser_process) {
+   if (initialize_memory_instrumentation) {
+     // Initialize the public-facing MemoryInstrumentation helper.
+-    MemoryInstrumentation::CreateInstance(std::move(coordinator));
++    MemoryInstrumentation::CreateInstance(std::move(coordinator),
++                                          is_browser_process);
+   } else {
+     coordinator_.Bind(std::move(coordinator));
+   }
+@@ -109,6 +116,8 @@ void ClientProcessImpl::OnChromeMemoryDumpDone(
+ void ClientProcessImpl::RequestGlobalMemoryDump_NoCallback(
+     base::trace_event::MemoryDumpType dump_type,
+     base::trace_event::MemoryDumpLevelOfDetail level_of_detail) {
++  CHECK(is_browser_process_);
++
+   if (!task_runner_->RunsTasksInCurrentSequence()) {
+     task_runner_->PostTask(
+         FROM_HERE,
+diff --git a/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.h b/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.h
+index 6dd8c55823de34ccef4244036b4d4c8cda92f74a..8c2c20c449a2e3bf8c7465ccbc2fba6fd1cb402b 100644
+--- a/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.h
++++ b/services/resource_coordinator/public/cpp/memory_instrumentation/client_process_impl.h
+@@ -96,6 +96,9 @@ class COMPONENT_EXPORT(RESOURCE_COORDINATOR_PUBLIC_MEMORY_INSTRUMENTATION)
+   mojo::Remote<mojom::Coordinator> coordinator_;
+   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
+ 
++  // Only browser process is allowed to request memory dumps.
++  const bool is_browser_process_;
++
+   // TODO(crbug.com/728199): The observer is only used to setup and tear down
+   // MemoryDumpManager in each process. Setting up MemoryDumpManager should
+   // be moved away from TracingObserver.
+diff --git a/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.cc b/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.cc
+index c81d5f83bf9e1ad5e7a77d7c187fa33bd02812d5..ec90ab9211ede586d441f40e3e2bc2c820658fb1 100644
+--- a/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.cc
++++ b/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.cc
+@@ -21,10 +21,11 @@ void WrapGlobalMemoryDump(
+ 
+ // static
+ void MemoryInstrumentation::CreateInstance(
+-    mojo::PendingRemote<memory_instrumentation::mojom::Coordinator>
+-        coordinator) {
++    mojo::PendingRemote<memory_instrumentation::mojom::Coordinator> coordinator,
++    bool is_browser_process) {
+   DCHECK(!g_instance);
+-  g_instance = new MemoryInstrumentation(std::move(coordinator));
++  g_instance =
++      new MemoryInstrumentation(std::move(coordinator), is_browser_process);
+ }
+ 
+ // static
+@@ -33,8 +34,10 @@ MemoryInstrumentation* MemoryInstrumentation::GetInstance() {
+ }
+ 
+ MemoryInstrumentation::MemoryInstrumentation(
+-    mojo::PendingRemote<memory_instrumentation::mojom::Coordinator> coordinator)
+-    : coordinator_(std::move(coordinator)) {}
++    mojo::PendingRemote<memory_instrumentation::mojom::Coordinator> coordinator,
++    bool is_browser_process)
++    : coordinator_(std::move(coordinator)),
++      is_browser_process_(is_browser_process) {}
+ 
+ MemoryInstrumentation::~MemoryInstrumentation() {
+   g_instance = nullptr;
+@@ -43,6 +46,7 @@ MemoryInstrumentation::~MemoryInstrumentation() {
+ void MemoryInstrumentation::RequestGlobalDump(
+     const std::vector<std::string>& allocator_dump_names,
+     RequestGlobalDumpCallback callback) {
++  CHECK(is_browser_process_);
+   coordinator_->RequestGlobalMemoryDump(
+       MemoryDumpType::SUMMARY_ONLY, MemoryDumpLevelOfDetail::BACKGROUND,
+       MemoryDumpDeterminism::NONE, allocator_dump_names,
+@@ -52,6 +56,7 @@ void MemoryInstrumentation::RequestGlobalDump(
+ void MemoryInstrumentation::RequestPrivateMemoryFootprint(
+     base::ProcessId pid,
+     RequestGlobalDumpCallback callback) {
++  CHECK(is_browser_process_);
+   coordinator_->RequestPrivateMemoryFootprint(
+       pid, base::BindOnce(&WrapGlobalMemoryDump, std::move(callback)));
+ }
+@@ -60,6 +65,7 @@ void MemoryInstrumentation::RequestGlobalDumpForPid(
+     base::ProcessId pid,
+     const std::vector<std::string>& allocator_dump_names,
+     RequestGlobalDumpCallback callback) {
++  CHECK(is_browser_process_);
+   coordinator_->RequestGlobalMemoryDumpForPid(
+       pid, allocator_dump_names,
+       base::BindOnce(&WrapGlobalMemoryDump, std::move(callback)));
+@@ -70,6 +76,7 @@ void MemoryInstrumentation::RequestGlobalDumpAndAppendToTrace(
+     MemoryDumpLevelOfDetail level_of_detail,
+     MemoryDumpDeterminism determinism,
+     RequestGlobalMemoryDumpAndAppendToTraceCallback callback) {
++  CHECK(is_browser_process_);
+   coordinator_->RequestGlobalMemoryDumpAndAppendToTrace(
+       dump_type, level_of_detail, determinism, std::move(callback));
+ }
+diff --git a/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.h b/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.h
+index 3264917890cc30179c4477657158fd359a9d1e01..72157b5345fb003452f67045e2b2c984e748958a 100644
+--- a/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.h
++++ b/services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.h
+@@ -34,7 +34,8 @@ class COMPONENT_EXPORT(RESOURCE_COORDINATOR_PUBLIC_MEMORY_INSTRUMENTATION)
+ 
+   static void CreateInstance(
+       mojo::PendingRemote<memory_instrumentation::mojom::Coordinator>
+-          coordinator);
++          coordinator,
++      bool is_browser_process);
+   static MemoryInstrumentation* GetInstance();
+ 
+   // Retrieves a Coordinator interface to communicate with the service. This is
+@@ -100,12 +101,16 @@ class COMPONENT_EXPORT(RESOURCE_COORDINATOR_PUBLIC_MEMORY_INSTRUMENTATION)
+  private:
+   explicit MemoryInstrumentation(
+       mojo::PendingRemote<memory_instrumentation::mojom::Coordinator>
+-          coordinator);
++          coordinator,
++      bool is_browser_process);
+   ~MemoryInstrumentation();
+ 
+   const mojo::SharedRemote<memory_instrumentation::mojom::Coordinator>
+       coordinator_;
+ 
++  // Only browser process is allowed to request memory dumps.
++  const bool is_browser_process_;
++
+   DISALLOW_COPY_AND_ASSIGN(MemoryInstrumentation);
+ };
+ 

patches/chromium/cherry-pick-8623d711677d.patch

@@ -0,0 +1,274 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ian Kilpatrick <ikilpatrick@chromium.org>
+Date: Thu, 9 Sep 2021 23:20:48 +0000
+Subject: Remove limit from LayoutInline::SplitInlines.
+
+After 200 elements the code "gave up" causing the layout tree to be
+"strange".
+
+This caused a To<LayoutInline> to fail in the OOF code. Relaxing this
+To<> to a DynamicTo<> caused additional CHECKs / DCHECKs all over the
+place (not just in NG but in Legacy as well).
+
+This patch removes the limit at which we "give up". This may cause
+additional render hangs.
+
+However we currently have a project "block-in-inline" which will (for
+most cases) stop inline-splitting for occuring (except in legacy
+fallback).
+
+(cherry picked from commit bbd315efb49a4ae257509dd0f0d85c6b5906e0e4)
+
+(cherry picked from commit d760d2ae1d51c0b4fda87a0a3af4e7ed30d2ff4c)
+
+Bug: 1245786
+Change-Id: I5f1c4d6a4b81a8345974de40c0c50a27a839b7b4
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140144
+Reviewed-by: Koji Ishii <kojii@chromium.org>
+Commit-Queue: Ian Kilpatrick <ikilpatrick@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#917771}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3149698
+Cr-Original-Commit-Position: refs/branch-heads/4606@{#876}
+Cr-Original-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3152301
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/4577@{#1224}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/third_party/blink/renderer/core/layout/layout_inline.cc b/third_party/blink/renderer/core/layout/layout_inline.cc
+index e59adae1204e5ecb6e399f4fe0ca8a3642701717..d3fa773216bc507208fc6bde3e216e1b8bacf390 100644
+--- a/third_party/blink/renderer/core/layout/layout_inline.cc
++++ b/third_party/blink/renderer/core/layout/layout_inline.cc
+@@ -574,15 +574,13 @@ void LayoutInline::SplitInlines(LayoutBlockFlow* from_block,
+   // nest to a much greater depth (see bugzilla bug 13430) but for now we have a
+   // limit. This *will* result in incorrect rendering, but the alternative is to
+   // hang forever.
+-  const unsigned kCMaxSplitDepth = 200;
+   Vector<LayoutInline*> inlines_to_clone;
+   LayoutInline* top_most_inline = this;
+   for (LayoutObject* o = this; o != from_block; o = o->Parent()) {
+     if (o->IsLayoutNGInsideListMarker())
+       continue;
+     top_most_inline = To<LayoutInline>(o);
+-    if (inlines_to_clone.size() < kCMaxSplitDepth)
+-      inlines_to_clone.push_back(top_most_inline);
++    inlines_to_clone.push_back(top_most_inline);
+     // Keep walking up the chain to ensure |topMostInline| is a child of
+     // |fromBlock|, to avoid assertion failure when |fromBlock|'s children are
+     // moved to |toBlock| below.
+diff --git a/third_party/blink/web_tests/external/wpt/css/css-inline/inline-crash.html b/third_party/blink/web_tests/external/wpt/css/css-inline/inline-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..65008f74ce6e0b4397a5b333099c692382d64353
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/css-inline/inline-crash.html
+@@ -0,0 +1,210 @@
++<!DOCTYPE html>
++<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1245786">
++<style>
++  nav{ position: absolute; }
++  body > * { position: relative; }
++</style>
++<body>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<span>
++<div>
++<nav>

patches/chromium/cherry-pick-8af66de55aad.patch

@@ -0,0 +1,126 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Antonio Sartori <antoniosartori@chromium.org>
+Date: Tue, 24 Aug 2021 15:01:17 +0000
+Subject: Limit length of 'csp' attribute
+
+Most servers limit the length of request headers anywhere. 4Kb seems
+like a reasonable limit, which some popular http servers have by
+default, and which we already enforce for Referer
+(https://crrev.com/c/1595872).
+
+I would have liked the constant 4096 to be shared between //content
+and blink. This would have required putting it somewhere like in
+//services/network or in //third_party/blink/common, creating a new
+file for it. I thought it would be easier to avoid that for this
+change.
+
+It would be safer to not load the iframe document, or to impose some
+very strict CSP like "default-src 'none'", instead than just ignoring
+the 'csp' attribute if that's too long. However, ignoring is what we
+already do if the attribute contains illegal characters or does not
+match the CSP grammary or is not subsumed by the parent iframe's csp
+attribute. For this change, I believe it's better to stay consistent
+with that, and later change the CSPEE code to block loading in all
+those cases.
+
+Bug: 1233067
+Change-Id: Ie9cd3db82287a76892cca76a0bf0d4a1613a3055
+Fixed: 1233067
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3057048
+Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
+Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
+Reviewed-by: Mike West <mkwst@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#914730}
+
+diff --git a/content/browser/content_security_policy_browsertest.cc b/content/browser/content_security_policy_browsertest.cc
+index 1d0631955600449d142697ce68c474f1957eae75..f95fe16e3c3f8c8b6c603f7cd19dcdb915deacfa 100644
+--- a/content/browser/content_security_policy_browsertest.cc
++++ b/content/browser/content_security_policy_browsertest.cc
+@@ -225,4 +225,21 @@ IN_PROC_BROWSER_TEST_F(ContentSecurityPolicyBrowserTest, FileURLs) {
+   }
+ }
+ 
++// Test that a 'csp' attribute longer than 4096 bytes is ignored.
++IN_PROC_BROWSER_TEST_F(ContentSecurityPolicyBrowserTest, CSPAttributeTooLong) {
++  std::string long_csp_attribute = "script-src 'none' ";
++  long_csp_attribute.resize(4097, 'a');
++  std::string page = "data:text/html,<body><iframe csp=\"" +
++                     long_csp_attribute + "\"></iframe></body>";
++
++  GURL url(page);
++  WebContentsConsoleObserver console_observer(web_contents());
++  console_observer.SetPattern("'csp' attribute too long*");
++  EXPECT_TRUE(NavigateToURL(shell(), url));
++  console_observer.Wait();
++
++  EXPECT_EQ(current_frame_host()->child_count(), 1u);
++  EXPECT_FALSE(current_frame_host()->child_at(0)->csp_attribute());
++}
++
+ }  // namespace content
+diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
+index 39717e91a88f04d42b489b2217c67f65ee797b4c..db01f3ea0423d780763ba82e50725bb0a12e5018 100644
+--- a/content/browser/renderer_host/render_frame_host_impl.cc
++++ b/content/browser/renderer_host/render_frame_host_impl.cc
+@@ -837,9 +837,11 @@ enum class VerifyDidCommitParamsDifference {
+ };
+ 
+ bool ValidateCSPAttribute(const std::string& value) {
++  static const size_t kMaxLengthCSPAttribute = 4096;
+   if (!base::IsStringASCII(value))
+     return false;
+-  if (value.find('\n') != std::string::npos ||
++  if (value.length() > kMaxLengthCSPAttribute ||
++      value.find('\n') != std::string::npos ||
+       value.find('\r') != std::string::npos) {
+     return false;
+   }
+diff --git a/third_party/blink/renderer/core/html/html_iframe_element.cc b/third_party/blink/renderer/core/html/html_iframe_element.cc
+index 589580b9795f3908c4f5d978bd4366c98e52847a..40b8af83cdb2dc61b78628c223c0d95f7ec43d5b 100644
+--- a/third_party/blink/renderer/core/html/html_iframe_element.cc
++++ b/third_party/blink/renderer/core/html/html_iframe_element.cc
+@@ -207,16 +207,27 @@ void HTMLIFrameElement::ParseAttribute(
+       UpdateContainerPolicy();
+     }
+   } else if (name == html_names::kCspAttr) {
++    static const size_t kMaxLengthCSPAttribute = 4096;
+     if (value && (value.Contains('\n') || value.Contains('\r') ||
+                   !MatchesTheSerializedCSPGrammar(value.GetString()))) {
++      // TODO(antoniosartori): It would be safer to block loading iframes with
++      // invalid 'csp' attribute.
+       required_csp_ = g_null_atom;
+       GetDocument().AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
+           mojom::blink::ConsoleMessageSource::kOther,
+           mojom::blink::ConsoleMessageLevel::kError,
+           "'csp' attribute is invalid: " + value));
+-      return;
+-    }
+-    if (required_csp_ != value) {
++    } else if (value && value.length() > kMaxLengthCSPAttribute) {
++      // TODO(antoniosartori): It would be safer to block loading iframes with
++      // invalid 'csp' attribute.
++      required_csp_ = g_null_atom;
++      GetDocument().AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
++          mojom::blink::ConsoleMessageSource::kOther,
++          mojom::blink::ConsoleMessageLevel::kError,
++          String::Format("'csp' attribute too long. The max length for the "
++                         "'csp' attribute is %zu bytes.",
++                         kMaxLengthCSPAttribute)));
++    } else if (required_csp_ != value) {
+       required_csp_ = value;
+       CSPAttributeChanged();
+       UseCounter::Count(GetDocument(), WebFeature::kIFrameCSPAttribute);
+diff --git a/third_party/blink/web_tests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html b/third_party/blink/web_tests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
+index a9ad787408786e594ccb554d2bd9186a9e8e7c1e..e0a31db8e28fb1a9d2884c7677597072d4badba2 100644
+--- a/third_party/blink/web_tests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
++++ b/third_party/blink/web_tests/external/wpt/content-security-policy/embedded-enforcement/required_csp-header.html
+@@ -59,6 +59,9 @@
+       { "name": "Wrong and dangerous value of `csp` should not trigger sending Sec-Required-CSP Header - report-to present",
+         "csp": "script-src 'unsafe-inline'; report-to resources/dummy-report.php",
+         "expected": null },
++      { "name": "Sec-Required-CSP is not sent if `csp` attribute is longer than 4096 bytes",
++        "csp": "style-src " + Array.from(Array(2044).keys()).map(i => 'a').join(' '),
++        "expected":  null },
+     ];
+ 
+     tests.forEach(test => {

patches/chromium/cherry-pick-b2c4e4dc21e5.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Reilly Grant <reillyg@chromium.org>
+Date: Mon, 4 Oct 2021 23:02:19 +0000
+Subject: mojo: CHECK when array has too many elements to serialize
+
+This change turns an early return into a CHECK because the surrounding
+code expects memory allocation to succeed.
+
+(cherry picked from commit 588cb74f661269a5b2b69f52619c0f7a09867d6f)
+
+Bug: 1236318
+Change-Id: Ib11e0564fb0fa653cb50c82e1973c76ec0c9c725
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3139712
+Commit-Queue: Reilly Grant <reillyg@chromium.org>
+Commit-Queue: Ken Rockot <rockot@google.com>
+Auto-Submit: Reilly Grant <reillyg@chromium.org>
+Reviewed-by: Ken Rockot <rockot@google.com>
+Cr-Original-Commit-Position: refs/heads/main@{#917908}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3203131
+Cr-Commit-Position: refs/branch-heads/4606@{#1301}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/mojo/public/cpp/bindings/lib/message_fragment.h b/mojo/public/cpp/bindings/lib/message_fragment.h
+index 226c3644689fd10bfc47b4bd86f4d2cca58adbf1..b380da4131b538e185cc2e326bbe2f38c1810953 100644
+--- a/mojo/public/cpp/bindings/lib/message_fragment.h
++++ b/mojo/public/cpp/bindings/lib/message_fragment.h
+@@ -149,8 +149,7 @@ class MessageFragment<Array_Data<T>> {
+     static_assert(
+         std::numeric_limits<uint32_t>::max() > Traits::kMaxNumElements,
+         "Max num elements castable to 32bit");
+-    if (num_elements > Traits::kMaxNumElements)
+-      return;
++    CHECK_LE(num_elements, Traits::kMaxNumElements);
+ 
+     const uint32_t num_bytes =
+         Traits::GetStorageSize(static_cast<uint32_t>(num_elements));

patches/chromium/cherry-pick-c69dddfe1cde.patch

@@ -0,0 +1,122 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hongchan Choi <hongchan@chromium.org>
+Date: Mon, 11 Oct 2021 23:53:51 +0000
+Subject: Use zero when the starting value of exponential ramp is zero
+
+The calculation of an exponential curve is done by the specification:
+https://webaudio.github.io/web-audio-api/#dom-audioparam-exponentialramptovalueattime
+
+However, it missed a case where V0 (value1) is zero where it causes
+a NaN.
+
+(cherry picked from commit 4e2dcd84dc33f29b032b52e053726ab49e4d0b4d)
+
+Bug: 1253746,1240610
+Test: third_party/blink/web_tests/webaudio/AudioParam/exponential-ramp-crash-1253746.html
+Change-Id: Ib4a95f9298b4300705eda6a2eea64169de7cb002
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3205982
+Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
+Reviewed-by: Chrome Cunningham <chcunningham@chromium.org>
+Commit-Queue: Hongchan Choi <hongchan@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#928673}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3218139
+Reviewed-by: Hongchan Choi <hongchan@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4638@{#766}
+Cr-Branched-From: 159257cab5585bc8421abf347984bb32fdfe9eb9-refs/heads/main@{#920003}
+
+diff --git a/third_party/blink/renderer/modules/webaudio/audio_param_timeline.cc b/third_party/blink/renderer/modules/webaudio/audio_param_timeline.cc
+index cf863b343bce3d9c1707be784e01114b594c24f7..f6a0dc5e5cf097f684c0443137b720865601d19c 100644
+--- a/third_party/blink/renderer/modules/webaudio/audio_param_timeline.cc
++++ b/third_party/blink/renderer/modules/webaudio/audio_param_timeline.cc
+@@ -37,6 +37,7 @@
+ #include "third_party/blink/renderer/platform/bindings/exception_messages.h"
+ #include "third_party/blink/renderer/platform/bindings/exception_state.h"
+ #include "third_party/blink/renderer/platform/wtf/math_extras.h"
++#include "third_party/blink/renderer/platform/wtf/std_lib_extras.h"
+ #include "third_party/fdlibm/ieee754.h"
+ 
+ #if defined(ARCH_CPU_X86_FAMILY)
+@@ -133,7 +134,12 @@ float AudioParamTimeline::ExponentialRampAtTime(double t,
+                                                 double time1,
+                                                 float value2,
+                                                 double time2) {
+-  return value1 * fdlibm::pow(value2 / value1, (t - time1) / (time2 - time1));
++  DCHECK(!std::isnan(value1) && std::isfinite(value1));
++  DCHECK(!std::isnan(value2) && std::isfinite(value2));
++
++  return (value1 == 0.0f || std::signbit(value1) != std::signbit(value2))
++      ? value1
++      : value1 * fdlibm::pow(value2 / value1, (t - time1) / (time2 - time1));
+ }
+ 
+ // Compute the value of a set target event at time t with the given event
+@@ -998,6 +1004,8 @@ float AudioParamTimeline::ValuesForFrameRangeImpl(
+     std::tie(value2, time2, next_event_type) =
+         HandleCancelValues(event, next_event, value2, time2);
+ 
++    DCHECK(!std::isnan(value1));
++    DCHECK(!std::isnan(value2));
+     DCHECK_GE(time2, time1);
+ 
+     // |fillToEndFrame| is the exclusive upper bound of the last frame to be
+@@ -1057,7 +1065,6 @@ float AudioParamTimeline::ValuesForFrameRangeImpl(
+           value = event->Value();
+           write_index =
+               FillWithDefault(values, value, fill_to_frame, write_index);
+-
+           break;
+         }
+ 
+@@ -1400,6 +1407,7 @@ AudioParamTimeline::HandleCancelValues(const ParamEvent* current_event,
+               value2 = ExponentialRampAtTime(next_event->Time(), value1, time1,
+                                              saved_event->Value(),
+                                              saved_event->Time());
++              DCHECK(!std::isnan(value1));
+               break;
+             case ParamEvent::kSetValueCurve:
+             case ParamEvent::kSetValueCurveEnd:
+diff --git a/third_party/blink/web_tests/webaudio/AudioParam/exponential-ramp-crash-1253746.html b/third_party/blink/web_tests/webaudio/AudioParam/exponential-ramp-crash-1253746.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..85397c5cc6757ae1464a0cd6733283b6b60abeee
+--- /dev/null
++++ b/third_party/blink/web_tests/webaudio/AudioParam/exponential-ramp-crash-1253746.html
+@@ -0,0 +1,39 @@
++<!DOCTYPE html>
++<html>
++<head>
++  <title>
++    Test if a corner case crashes the exponential ramp.
++  </title>
++  <script src="../../resources/testharness.js"></script>
++  <script src="../../resources/testharnessreport.js"></script>
++</head>
++<body>
++  <script>
++    const t = async_test('exponential-ramp-crash');
++
++    const onload = () => {
++      const context = new OfflineAudioContext(2, 441000, 44100);
++      const source = new ConstantSourceNode(context);
++      const delay_node = context.createDelay(30);
++      delay_node.connect(context.destination);
++      // The time overlap between 4.1s and 4s caused a crash in M95:
++      // https://crbug.com/1253746
++      delay_node.delayTime.exponentialRampToValueAtTime(2, 4.1);
++      delay_node.delayTime.cancelAndHoldAtTime(4);
++      context.oncomplete = t.step_func_done(() => {
++        // The |delay_node.delayTime| value should be zero because it does not
++        // have the previous anchor value. Based on the specification, if the
++        // beginning of an expoential ramp is zero, the resulting value falls
++        // into zero. In this case, there was no value point before the
++        // exponential ramp, and having no value point is treated as a
++        // default value, which is zero for |delayTime|.
++        assert_equals(delay_node.delayTime.value, 0);
++        assert_equals(context.state, 'closed');
++      });
++      context.startRendering();
++    };
++
++    window.addEventListener('load', t.step_func(onload));
++  </script>
++</body>
++</html>

patches/chromium/cherry-pick-d727013bb543.patch

@@ -0,0 +1,85 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Henrik=20Bostr=C3=B6m?= <hbos@chromium.org>
+Date: Thu, 8 Jul 2021 12:16:10 +0000
+Subject: Fix UAF in VideoCaptureDeviceAVFoundation's dealloc.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Despite dealloc performing stopCapture prior to clearing variables like
+_sampleBufferTransformer, it appears possible for callbacks that are
+already running concurrently to be using these variables, resulting in
+rare use-after-free races. By grabbing the _lock, we avoid this issue.
+
+We also have to introduce a new lock, _destructionLock, to ensure |this|
+is not destroyed while -captureOutput is still running.
+
+Bug: chromium:1227228
+Change-Id: I8c2c4d9834ee995d3f4154fae13e262398e6f2e2
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3013796
+Reviewed-by: Evan Shrubsole <eshr@google.com>
+Reviewed-by: Ilya Nikolaevskiy <ilnik@chromium.org>
+Commit-Queue: Henrik Boström <hbos@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#899503}
+
+diff --git a/media/capture/video/mac/video_capture_device_avfoundation_mac.h b/media/capture/video/mac/video_capture_device_avfoundation_mac.h
+index 2e2b3f65bac58a29bfbae080baa2657c92791984..416984c16de161aa35f7783ceea4706427103980 100644
+--- a/media/capture/video/mac/video_capture_device_avfoundation_mac.h
++++ b/media/capture/video/mac/video_capture_device_avfoundation_mac.h
+@@ -95,6 +95,8 @@ CAPTURE_EXPORT
+   // Protects concurrent setting and using |frameReceiver_|. Note that the
+   // GUARDED_BY decoration below does not have any effect.
+   base::Lock _lock;
++  // Used to avoid UAF in -captureOutput.
++  base::Lock _destructionLock;
+   media::VideoCaptureDeviceAVFoundationFrameReceiver* _frameReceiver
+       GUARDED_BY(_lock);  // weak.
+   bool _capturedFirstFrame GUARDED_BY(_lock);
+diff --git a/media/capture/video/mac/video_capture_device_avfoundation_mac.mm b/media/capture/video/mac/video_capture_device_avfoundation_mac.mm
+index 1cc1bdbcec259cd6d2da14b2c120d895d3e3c7fe..93749e8e4d444cbf76f8e8a36c13ea6d71c6d9ba 100644
+--- a/media/capture/video/mac/video_capture_device_avfoundation_mac.mm
++++ b/media/capture/video/mac/video_capture_device_avfoundation_mac.mm
+@@ -187,12 +187,26 @@ - (id)initWithFrameReceiver:
+ }
+ 
+ - (void)dealloc {
+-  [self stopStillImageOutput];
+-  [self stopCapture];
+-  _sampleBufferTransformer.reset();
+-  _weakPtrFactoryForTakePhoto = nullptr;
+-  _mainThreadTaskRunner = nullptr;
+-  _sampleQueue.reset();
++  {
++    // To avoid races with concurrent callbacks, grab the lock before stopping
++    // capture and clearing all the variables.
++    base::AutoLock lock(_lock);
++    [self stopStillImageOutput];
++    [self stopCapture];
++    _frameReceiver = nullptr;
++    _sampleBufferTransformer.reset();
++    _weakPtrFactoryForTakePhoto = nullptr;
++    _mainThreadTaskRunner = nullptr;
++    _sampleQueue.reset();
++  }
++  {
++    // Ensures -captureOutput has finished before we continue the destruction
++    // steps. If -captureOutput grabbed the destruction lock before us this
++    // prevents UAF. If -captureOutput grabbed the destruction lock after us
++    // it will exit early because |_frameReceiver| is already null at this
++    // point.
++    base::AutoLock destructionLock(_destructionLock);
++  }
+   [super dealloc];
+ }
+ 
+@@ -889,7 +903,9 @@ - (void)captureOutput:(AVCaptureOutput*)captureOutput
+   VLOG(3) << __func__;
+ 
+   // Concurrent calls into |_frameReceiver| are not supported, so take |_lock|
+-  // before any of the subsequent paths.
++  // before any of the subsequent paths. The |_destructionLock| must be grabbed
++  // first to avoid races with -dealloc.
++  base::AutoLock destructionLock(_destructionLock);
+   base::AutoLock lock(_lock);
+   _capturedFrameSinceLastStallCheck = YES;
+   if (!_frameReceiver)

patches/chromium/cherry-pick-ddc4cf156505.patch

@@ -0,0 +1,336 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jiewei Qian <qjw@chromium.org>
+Date: Fri, 3 Sep 2021 04:38:53 +0000
+Subject: webui: make WebUIAllowlist and WebUIAllowlistProvider thread-safe
+
+This CL adds synchronization lock to WebUIAllowlist, and expose it as
+scoped_refptr, so it provides thread-safety when used in
+WebUIAllowlistProvider (per requirements of HostContentSettingsMap).
+
+(cherry picked from commit 56489e04b7c39e7b6d2b3fb33549d2657dad23a9)
+
+(cherry picked from commit 58eda7adb82e7fcc8001482334bfa6f9482aee78)
+
+Fixed: 1238178
+Change-Id: I4d8112f7792a7113b412af2eb67cbcef0bdcec1d
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3102499
+Commit-Queue: Jiewei Qian  <qjw@chromium.org>
+Reviewed-by: Christian Dullweber <dullweber@chromium.org>
+Reviewed-by: calamity <calamity@chromium.org>
+Reviewed-by: Victor Costan <pwnall@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#914567}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115817
+Auto-Submit: Jiewei Qian  <qjw@chromium.org>
+Commit-Queue: calamity <calamity@chromium.org>
+Cr-Original-Commit-Position: refs/branch-heads/4606@{#340}
+Cr-Original-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3141052
+Cr-Commit-Position: refs/branch-heads/4577@{#1170}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/ui/webui/webui_allowlist.cc b/ui/webui/webui_allowlist.cc
+index 525848a9d2f9baccc95b59581ad2aa53494c449e..cd231550094e410d26a5267427bcb578af451530 100644
+--- a/ui/webui/webui_allowlist.cc
++++ b/ui/webui/webui_allowlist.cc
+@@ -6,7 +6,11 @@
+ 
+ #include <memory>
+ 
++#include "base/memory/scoped_refptr.h"
++#include "base/sequence_checker.h"
++#include "base/supports_user_data.h"
+ #include "content/public/browser/browser_context.h"
++#include "content/public/browser/browser_thread.h"
+ #include "content/public/common/url_constants.h"
+ #include "ui/webui/webui_allowlist_provider.h"
+ #include "url/gurl.h"
+@@ -19,15 +23,27 @@ class AllowlistRuleIterator : public content_settings::RuleIterator {
+   using MapType = std::map<url::Origin, ContentSetting>;
+ 
+  public:
+-  explicit AllowlistRuleIterator(const MapType& map)
+-      : it_(map.cbegin()), end_(map.cend()) {}
++  // Hold a reference to `allowlist` to keep it alive during iteration.
++  explicit AllowlistRuleIterator(scoped_refptr<const WebUIAllowlist> allowlist,
++                                 const MapType& map,
++                                 std::unique_ptr<base::AutoLock> auto_lock)
++      : auto_lock_(std::move(auto_lock)),
++        allowlist_(std::move(allowlist)),
++        it_(map.cbegin()),
++        end_(map.cend()) {}
+   AllowlistRuleIterator(const AllowlistRuleIterator&) = delete;
+   void operator=(const AllowlistRuleIterator&) = delete;
+-  ~AllowlistRuleIterator() override = default;
++  ~AllowlistRuleIterator() override {
++    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
++  }
+ 
+-  bool HasNext() const override { return it_ != end_; }
++  bool HasNext() const override {
++    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
++    return it_ != end_;
++  }
+ 
+   content_settings::Rule Next() override {
++    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+     const auto& origin = it_->first;
+     const auto& setting = it_->second;
+     it_++;
+@@ -38,8 +54,18 @@ class AllowlistRuleIterator : public content_settings::RuleIterator {
+   }
+ 
+  private:
+-  MapType::const_iterator it_;
+-  const MapType::const_iterator end_;
++  const std::unique_ptr<base::AutoLock> auto_lock_;
++  const scoped_refptr<const WebUIAllowlist> allowlist_;
++
++  SEQUENCE_CHECKER(sequence_checker_);
++  MapType::const_iterator it_ GUARDED_BY_CONTEXT(sequence_checker_);
++  MapType::const_iterator end_ GUARDED_BY_CONTEXT(sequence_checker_);
++};
++
++struct WebUIAllowlistHolder : base::SupportsUserData::Data {
++  explicit WebUIAllowlistHolder(scoped_refptr<WebUIAllowlist> list)
++      : allow_list(std::move(list)) {}
++  const scoped_refptr<WebUIAllowlist> allow_list;
+ };
+ 
+ }  // namespace
+@@ -48,11 +74,14 @@ class AllowlistRuleIterator : public content_settings::RuleIterator {
+ WebUIAllowlist* WebUIAllowlist::GetOrCreate(
+     content::BrowserContext* browser_context) {
+   if (!browser_context->GetUserData(kWebUIAllowlistKeyName)) {
+-    browser_context->SetUserData(kWebUIAllowlistKeyName,
+-                                 std::make_unique<WebUIAllowlist>());
++    auto list = base::MakeRefCounted<WebUIAllowlist>();
++    browser_context->SetUserData(
++        kWebUIAllowlistKeyName,
++        std::make_unique<WebUIAllowlistHolder>(std::move(list)));
+   }
+-  return static_cast<WebUIAllowlist*>(
+-      browser_context->GetUserData(kWebUIAllowlistKeyName));
++  return static_cast<WebUIAllowlistHolder*>(
++             browser_context->GetUserData(kWebUIAllowlistKeyName))
++      ->allow_list.get();
+ }
+ 
+ WebUIAllowlist::WebUIAllowlist() = default;
+@@ -62,6 +91,9 @@ WebUIAllowlist::~WebUIAllowlist() = default;
+ void WebUIAllowlist::RegisterAutoGrantedPermission(const url::Origin& origin,
+                                                    ContentSettingsType type,
+                                                    ContentSetting setting) {
++  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
++  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
++
+   // It doesn't make sense to grant a default content setting.
+   DCHECK_NE(CONTENT_SETTING_DEFAULT, setting);
+ 
+@@ -70,13 +102,16 @@ void WebUIAllowlist::RegisterAutoGrantedPermission(const url::Origin& origin,
+   DCHECK(origin.scheme() == content::kChromeUIScheme ||
+          origin.scheme() == content::kChromeUIUntrustedScheme ||
+          origin.scheme() == content::kChromeDevToolsScheme);
++  {
++    base::AutoLock auto_lock(lock_);
+ 
+-  // If the same permission is already registered, do nothing. We don't want to
+-  // notify the provider of ContentSettingChange when it is unnecessary.
+-  if (permissions_[type][origin] == setting)
+-    return;
++    // If the same permission is already registered, do nothing. We don't want
++    // to notify the provider of ContentSettingChange when it is unnecessary.
++    if (permissions_[type][origin] == setting)
++      return;
+ 
+-  permissions_[type][origin] = setting;
++    permissions_[type][origin] = setting;
++  }
+ 
+   // Notify the provider. |provider_| can be nullptr if
+   // HostContentSettingsRegistry is shutting down i.e. when Chrome shuts down.
+@@ -92,25 +127,36 @@ void WebUIAllowlist::RegisterAutoGrantedPermission(const url::Origin& origin,
+ void WebUIAllowlist::RegisterAutoGrantedPermissions(
+     const url::Origin& origin,
+     std::initializer_list<ContentSettingsType> types) {
++  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
++  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
++
+   for (const ContentSettingsType& type : types)
+     RegisterAutoGrantedPermission(origin, type);
+ }
+ 
+ void WebUIAllowlist::SetWebUIAllowlistProvider(
+     WebUIAllowlistProvider* provider) {
++  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
++  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
++
+   provider_ = provider;
+ }
+ 
+ void WebUIAllowlist::ResetWebUIAllowlistProvider() {
++  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
++  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
++
+   provider_ = nullptr;
+ }
+ 
+ std::unique_ptr<content_settings::RuleIterator> WebUIAllowlist::GetRuleIterator(
+     ContentSettingsType content_type) const {
+-  const auto& type_to_origin_rules = permissions_.find(content_type);
+-  if (type_to_origin_rules != permissions_.cend()) {
+-    return std::make_unique<AllowlistRuleIterator>(
+-        type_to_origin_rules->second);
++  auto auto_lock_ = std::make_unique<base::AutoLock>(lock_);
++
++  auto permissions_it = permissions_.find(content_type);
++  if (permissions_it != permissions_.end()) {
++    return std::make_unique<AllowlistRuleIterator>(this, permissions_it->second,
++                                                   std::move(auto_lock_));
+   }
+ 
+   return nullptr;
+diff --git a/ui/webui/webui_allowlist.h b/ui/webui/webui_allowlist.h
+index b1623b89f5ed12416e71d5f1505d57b74073f764..9c6ab47b16a4fcc6478e6ad4672ce5c95166156f 100644
+--- a/ui/webui/webui_allowlist.h
++++ b/ui/webui/webui_allowlist.h
+@@ -8,7 +8,9 @@
+ #include <initializer_list>
+ #include <map>
+ 
+-#include "base/supports_user_data.h"
++#include "base/memory/ref_counted.h"
++#include "base/thread_annotations.h"
++#include "base/threading/thread_checker.h"
+ #include "components/content_settings/core/browser/content_settings_rule.h"
+ #include "components/content_settings/core/common/content_settings.h"
+ #include "components/content_settings/core/common/content_settings_types.h"
+@@ -23,14 +25,13 @@ class WebUIAllowlistProvider;
+ // list of origins and permissions to be auto-granted to WebUIs. This class is
+ // created before HostContentSettingsMap is registered and has the same lifetime
+ // as the profile it's attached to. It outlives WebUIAllowlistProvider.
+-class WebUIAllowlist : public base::SupportsUserData::Data {
++class WebUIAllowlist : public base::RefCountedThreadSafe<WebUIAllowlist> {
+  public:
+   static WebUIAllowlist* GetOrCreate(content::BrowserContext* browser_context);
+ 
+   WebUIAllowlist();
+   WebUIAllowlist(const WebUIAllowlist&) = delete;
+   void operator=(const WebUIAllowlist&) = delete;
+-  ~WebUIAllowlist() override;
+ 
+   // Register auto-granted |type| permission for |origin|.
+   //
+@@ -53,16 +54,29 @@ class WebUIAllowlist : public base::SupportsUserData::Data {
+       const url::Origin& origin,
+       std::initializer_list<ContentSettingsType> types);
+ 
++  // Returns a content_settings::RuleIterator, this method is thread-safe.
++  //
++  // This method acquires `lock_` and transfers it to the returned iterator.
++  // NO_THREAD_SAFETY_ANALYSIS because the analyzer doesn't recognize acquiring
++  // the lock in a unique_ptr.
+   std::unique_ptr<content_settings::RuleIterator> GetRuleIterator(
+-      ContentSettingsType content_type) const;
++      ContentSettingsType content_type) const NO_THREAD_SAFETY_ANALYSIS;
+ 
+   void SetWebUIAllowlistProvider(WebUIAllowlistProvider* provider);
+   void ResetWebUIAllowlistProvider();
+ 
+  private:
++  friend class base::RefCountedThreadSafe<WebUIAllowlist>;
++  ~WebUIAllowlist();
++
++  THREAD_CHECKER(thread_checker_);
++
++  mutable base::Lock lock_;
+   std::map<ContentSettingsType, std::map<url::Origin, ContentSetting>>
+-      permissions_;
+-  WebUIAllowlistProvider* provider_ = nullptr;
++      permissions_ GUARDED_BY(lock_);
++
++  WebUIAllowlistProvider* provider_ GUARDED_BY_CONTEXT(thread_checker_) =
++      nullptr;
+ };
+ 
+ #endif  // UI_WEBUI_WEBUI_ALLOWLIST_H_
+diff --git a/ui/webui/webui_allowlist_provider.cc b/ui/webui/webui_allowlist_provider.cc
+index 779e8022fce378d2a64c78e6e20c36202e9261ac..055a3cf3934ed43373a4a3fdd4166bd3c096e922 100644
+--- a/ui/webui/webui_allowlist_provider.cc
++++ b/ui/webui/webui_allowlist_provider.cc
+@@ -7,8 +7,9 @@
+ #include "components/content_settings/core/common/content_settings_pattern.h"
+ #include "ui/webui/webui_allowlist.h"
+ 
+-WebUIAllowlistProvider::WebUIAllowlistProvider(WebUIAllowlist* allowlist)
+-    : allowlist_(allowlist) {
++WebUIAllowlistProvider::WebUIAllowlistProvider(
++    scoped_refptr<WebUIAllowlist> allowlist)
++    : allowlist_(std::move(allowlist)) {
+   DCHECK(allowlist_);
+   allowlist_->SetWebUIAllowlistProvider(this);
+ }
+@@ -16,12 +17,8 @@ WebUIAllowlistProvider::WebUIAllowlistProvider(WebUIAllowlist* allowlist)
+ WebUIAllowlistProvider::~WebUIAllowlistProvider() = default;
+ 
+ std::unique_ptr<content_settings::RuleIterator>
+-WebUIAllowlistProvider::GetRuleIterator(
+-    ContentSettingsType content_type,
+-    bool incognito) const {
+-  if (!allowlist_)
+-    return nullptr;
+-
++WebUIAllowlistProvider::GetRuleIterator(ContentSettingsType content_type,
++                                        bool incognito) const {
+   return allowlist_->GetRuleIterator(content_type);
+ }
+ 
+@@ -48,7 +45,8 @@ void WebUIAllowlistProvider::ClearAllContentSettingsRules(
+ }
+ 
+ void WebUIAllowlistProvider::ShutdownOnUIThread() {
++  DCHECK(CalledOnValidThread());
++
+   RemoveAllObservers();
+   allowlist_->ResetWebUIAllowlistProvider();
+-  allowlist_ = nullptr;
+ }
+diff --git a/ui/webui/webui_allowlist_provider.h b/ui/webui/webui_allowlist_provider.h
+index 9f7f9776fd6e8212d3dbd196698b036f24f75f2e..c18f64e6f2051091f40504c2ba47feb62103aee3 100644
+--- a/ui/webui/webui_allowlist_provider.h
++++ b/ui/webui/webui_allowlist_provider.h
+@@ -5,6 +5,8 @@
+ #ifndef UI_WEBUI_WEBUI_ALLOWLIST_PROVIDER_H_
+ #define UI_WEBUI_WEBUI_ALLOWLIST_PROVIDER_H_
+ 
++#include "base/synchronization/lock.h"
++#include "base/thread_annotations.h"
+ #include "components/content_settings/core/browser/content_settings_observable_provider.h"
+ #include "components/content_settings/core/common/content_settings.h"
+ #include "ui/webui/webui_allowlist.h"
+@@ -15,8 +17,7 @@ class ContentSettingsPattern;
+ // permissions from the underlying WebUIAllowlist.
+ class WebUIAllowlistProvider : public content_settings::ObservableProvider {
+  public:
+-  // Note, |allowlist| must outlive this instance.
+-  explicit WebUIAllowlistProvider(WebUIAllowlist* allowlist);
++  explicit WebUIAllowlistProvider(scoped_refptr<WebUIAllowlist> allowlist);
+   WebUIAllowlistProvider(const WebUIAllowlistProvider&) = delete;
+   void operator=(const WebUIAllowlistProvider&) = delete;
+   ~WebUIAllowlistProvider() override;
+@@ -27,6 +28,7 @@ class WebUIAllowlistProvider : public content_settings::ObservableProvider {
+       ContentSettingsType content_type);
+ 
+   // content_settings::ObservableProvider:
++  // The following methods are thread-safe.
+   std::unique_ptr<content_settings::RuleIterator> GetRuleIterator(
+       ContentSettingsType content_type,
+       bool incognito) const override;
+@@ -40,7 +42,7 @@ class WebUIAllowlistProvider : public content_settings::ObservableProvider {
+   void ClearAllContentSettingsRules(ContentSettingsType content_type) override;
+ 
+  private:
+-  WebUIAllowlist* allowlist_;
++  const scoped_refptr<WebUIAllowlist> allowlist_;
+ };
+ 
+ #endif  // UI_WEBUI_WEBUI_ALLOWLIST_PROVIDER_H_

patches/chromium/content-visibility_add_a_clipper_fix_for_content-visibility.patch

@@ -0,0 +1,292 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Levin <vmpstr@chromium.org>
+Date: Tue, 14 Sep 2021 00:06:00 +0000
+Subject: content-visibility: Add a clipper fix for content-visibility.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a few checks in the svg painting code which may access
+a content-visibility locked element via an svg reference.
+
+R=​fs@opera.com,jarhar@chromium.org
+
+(cherry picked from commit e0d8a4f20bf98bbda2dc58199fca5caf0add1b00)
+
+Bug: 1247196
+Change-Id: I4dcb4ef298fb8d51aa0ec1a3b3bc130cfb560791
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3149811
+Reviewed-by: Fredrik Söderquist <fs@opera.com>
+Reviewed-by: Joey Arhar <jarhar@chromium.org>
+Commit-Queue: vmpstr <vmpstr@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#920209}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3158958
+Commit-Queue: Joey Arhar <jarhar@chromium.org>
+Commit-Queue: Mason Freed <masonf@chromium.org>
+Auto-Submit: Joey Arhar <jarhar@chromium.org>
+Reviewed-by: Mason Freed <masonf@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#1011}
+Cr-Branched-From: 35b0d5a9dc8362adfd44e2614f0d5b7402ef63d0-refs/heads/master@{#911515}
+
+diff --git a/third_party/blink/renderer/core/layout/svg/layout_svg_container_test.cc b/third_party/blink/renderer/core/layout/svg/layout_svg_container_test.cc
+index 57e3540f9dc9419261ed7be84bd951df75380009..a625a03d0cc3e120e26f104d564db10ef78601e4 100644
+--- a/third_party/blink/renderer/core/layout/svg/layout_svg_container_test.cc
++++ b/third_party/blink/renderer/core/layout/svg/layout_svg_container_test.cc
+@@ -117,4 +117,34 @@ TEST_F(LayoutSVGContainerTest,
+   EXPECT_TRUE(use->SlowFirstChild()->TransformAffectsVectorEffect());
+ }
+ 
++TEST_F(LayoutSVGContainerTest, PatternWithContentVisibility) {
++  SetBodyInnerHTML(R"HTML(
++    <svg viewBox="0 0 230 100" xmlns="http://www.w3.org/2000/svg">
++      <defs>
++        <pattern id="pattern" viewBox="0,0,10,10" width="10%" height="10%">
++          <polygon id="polygon" points="0,0 2,5 0,10 5,8 10,10 8,5 10,0 5,2"/>
++        </pattern>
++      </defs>
++
++      <circle id="circle" cx="50"  cy="50" r="50" fill="url(#pattern)"/>
++    </svg>
++  )HTML");
++
++  auto* pattern = GetDocument().getElementById("pattern");
++  auto* polygon = GetDocument().getElementById("polygon");
++
++  pattern->setAttribute("style", "contain: strict; content-visibility: hidden");
++
++  UpdateAllLifecyclePhasesForTest();
++
++  polygon->setAttribute("points", "0,0 2,5 0,10");
++
++  // This shouldn't cause a DCHECK, even though the pattern needs layout because
++  // it's under a content-visibility: hidden subtree.
++  UpdateAllLifecyclePhasesForTest();
++
++  EXPECT_TRUE(pattern->GetLayoutObject()->NeedsLayout());
++  EXPECT_FALSE(pattern->GetLayoutObject()->SelfNeedsLayout());
++}
++
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.cc b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.cc
+index dd4b65c4363b6ea8a55d1330520632f3b9500b03..64701599f77a61ae72eba564b2c243310b1a732e 100644
+--- a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.cc
++++ b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.cc
+@@ -22,6 +22,7 @@
+ 
+ #include "third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.h"
+ 
++#include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h"
+ #include "third_party/blink/renderer/core/dom/element_traversal.h"
+ #include "third_party/blink/renderer/core/layout/hit_test_result.h"
+ #include "third_party/blink/renderer/core/layout/layout_box_model_object.h"
+@@ -54,6 +55,8 @@ ClipStrategy DetermineClipStrategy(const SVGGraphicsElement& element) {
+   const LayoutObject* layout_object = element.GetLayoutObject();
+   if (!layout_object)
+     return ClipStrategy::kNone;
++  if (DisplayLockUtilities::LockedAncestorPreventingLayout(*layout_object))
++    return ClipStrategy::kNone;
+   const ComputedStyle& style = layout_object->StyleRef();
+   if (style.Display() == EDisplay::kNone ||
+       style.Visibility() != EVisibility::kVisible)
+@@ -74,8 +77,12 @@ ClipStrategy DetermineClipStrategy(const SVGElement& element) {
+   // (https://drafts.fxtf.org/css-masking/#ClipPathElement)
+   if (auto* svg_use_element = DynamicTo<SVGUseElement>(element)) {
+     const LayoutObject* use_layout_object = element.GetLayoutObject();
+-    if (!use_layout_object ||
+-        use_layout_object->StyleRef().Display() == EDisplay::kNone)
++    if (!use_layout_object)
++      return ClipStrategy::kNone;
++    if (DisplayLockUtilities::LockedAncestorPreventingLayout(
++            *use_layout_object))
++      return ClipStrategy::kNone;
++    if (use_layout_object->StyleRef().Display() == EDisplay::kNone)
+       return ClipStrategy::kNone;
+     const SVGGraphicsElement* shape_element =
+         svg_use_element->VisibleTargetGraphicsElementForClipping();
+@@ -270,7 +277,7 @@ bool LayoutSVGResourceClipper::HitTestClipContent(
+ FloatRect LayoutSVGResourceClipper::ResourceBoundingBox(
+     const FloatRect& reference_box) {
+   NOT_DESTROYED();
+-  DCHECK(!NeedsLayout());
++  DCHECK(!SelfNeedsLayout());
+ 
+   if (local_clip_bounds_.IsEmpty())
+     CalculateLocalClipBounds();
+diff --git a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.cc b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.cc
+index f8f04a77ec0160e42c1ddc4a8987dca530e7d995..8d7fb110b55610c92db40e879e0df509ffff1329 100644
+--- a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.cc
++++ b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.cc
+@@ -19,6 +19,7 @@
+ 
+ #include "third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.h"
+ 
++#include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h"
+ #include "third_party/blink/renderer/core/dom/element_traversal.h"
+ #include "third_party/blink/renderer/core/layout/svg/svg_layout_support.h"
+ #include "third_party/blink/renderer/core/paint/svg_object_painter.h"
+@@ -64,7 +65,9 @@ sk_sp<const PaintRecord> LayoutSVGResourceMasker::CreatePaintRecord(
+   for (const SVGElement& child_element :
+        Traversal<SVGElement>::ChildrenOf(*GetElement())) {
+     const LayoutObject* layout_object = child_element.GetLayoutObject();
+-    if (!layout_object ||
++    if (!layout_object)
++      continue;
++    if (DisplayLockUtilities::LockedAncestorPreventingLayout(*layout_object) ||
+         layout_object->StyleRef().Display() == EDisplay::kNone)
+       continue;
+     SVGObjectPainter(*layout_object).PaintResourceSubtree(builder.Context());
+@@ -90,7 +93,7 @@ FloatRect LayoutSVGResourceMasker::ResourceBoundingBox(
+     const FloatRect& reference_box,
+     float reference_box_zoom) {
+   NOT_DESTROYED();
+-  DCHECK(!NeedsLayout());
++  DCHECK(!SelfNeedsLayout());
+   auto* mask_element = To<SVGMaskElement>(GetElement());
+   DCHECK(mask_element);
+ 
+diff --git a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_pattern.cc b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_pattern.cc
+index 1edd62a9f1089b8fa7889223319fbf859ef146bf..1750cff677a1aa910234b273a9640d34925f6912 100644
+--- a/third_party/blink/renderer/core/layout/svg/layout_svg_resource_pattern.cc
++++ b/third_party/blink/renderer/core/layout/svg/layout_svg_resource_pattern.cc
+@@ -24,6 +24,7 @@
+ #include <memory>
+ 
+ #include "base/memory/ptr_util.h"
++#include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h"
+ #include "third_party/blink/renderer/core/layout/svg/svg_layout_support.h"
+ #include "third_party/blink/renderer/core/layout/svg/svg_resources.h"
+ #include "third_party/blink/renderer/core/paint/svg_object_painter.h"
+@@ -204,8 +205,20 @@ sk_sp<PaintRecord> LayoutSVGResourcePattern::AsPaintRecord(
+     content_transform = tile_transform;
+ 
+   FloatRect bounds(FloatPoint(), size);
++  PaintRecorder paint_recorder;
++  cc::PaintCanvas* canvas = paint_recorder.beginRecording(bounds);
++
++  auto* pattern_content_element = Attributes().PatternContentElement();
++  DCHECK(pattern_content_element);
++  // If the element or some of its ancestor prevents us from doing paint, we can
++  // early out. Note that any locked ancestor would prevent paint.
++  if (DisplayLockUtilities::NearestLockedInclusiveAncestor(
++          *pattern_content_element)) {
++    return paint_recorder.finishRecordingAsPicture();
++  }
++
+   const auto* pattern_layout_object = To<LayoutSVGResourceContainer>(
+-      Attributes().PatternContentElement()->GetLayoutObject());
++      pattern_content_element->GetLayoutObject());
+   DCHECK(pattern_layout_object);
+   DCHECK(!pattern_layout_object->NeedsLayout());
+ 
+@@ -215,8 +228,6 @@ sk_sp<PaintRecord> LayoutSVGResourcePattern::AsPaintRecord(
+   for (LayoutObject* child = pattern_layout_object->FirstChild(); child;
+        child = child->NextSibling())
+     SVGObjectPainter(*child).PaintResourceSubtree(builder.Context());
+-  PaintRecorder paint_recorder;
+-  cc::PaintCanvas* canvas = paint_recorder.beginRecording(bounds);
+   canvas->save();
+   canvas->concat(AffineTransformToSkMatrix(tile_transform));
+   builder.EndRecording(*canvas);
+diff --git a/third_party/blink/renderer/core/paint/clip_path_clipper.cc b/third_party/blink/renderer/core/paint/clip_path_clipper.cc
+index aeba6f798ef7e4d0a277f3ce3b3342fe220c0855..0aaba25ca2f91bbb13a88e9ee5f4bd7744ac9939 100644
+--- a/third_party/blink/renderer/core/paint/clip_path_clipper.cc
++++ b/third_party/blink/renderer/core/paint/clip_path_clipper.cc
+@@ -4,6 +4,7 @@
+ 
+ #include "third_party/blink/renderer/core/paint/clip_path_clipper.h"
+ 
++#include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h"
+ #include "third_party/blink/renderer/core/layout/layout_box.h"
+ #include "third_party/blink/renderer/core/layout/layout_inline.h"
+ #include "third_party/blink/renderer/core/layout/svg/layout_svg_resource_clipper.h"
+@@ -40,10 +41,14 @@ LayoutSVGResourceClipper* ResolveElementReference(
+     return nullptr;
+   LayoutSVGResourceClipper* resource_clipper =
+       GetSVGResourceAsType(*client, reference_clip_path_operation);
+-  if (resource_clipper) {
+-    SECURITY_DCHECK(!resource_clipper->NeedsLayout());
+-    resource_clipper->ClearInvalidationMask();
+-  }
++  if (!resource_clipper)
++    return nullptr;
++
++  resource_clipper->ClearInvalidationMask();
++  if (DisplayLockUtilities::LockedAncestorPreventingLayout(*resource_clipper))
++    return nullptr;
++
++  SECURITY_DCHECK(!resource_clipper->SelfNeedsLayout());
+   return resource_clipper;
+ }
+ 
+diff --git a/third_party/blink/renderer/core/paint/svg_mask_painter.cc b/third_party/blink/renderer/core/paint/svg_mask_painter.cc
+index 72f23f43e38b19a6ba4a70637921f808dc5c29f1..893109d449b2b815a6cc6e01beabdb4cb66a39fe 100644
+--- a/third_party/blink/renderer/core/paint/svg_mask_painter.cc
++++ b/third_party/blink/renderer/core/paint/svg_mask_painter.cc
+@@ -4,6 +4,7 @@
+ 
+ #include "third_party/blink/renderer/core/paint/svg_mask_painter.h"
+ 
++#include "third_party/blink/renderer/core/display_lock/display_lock_utilities.h"
+ #include "third_party/blink/renderer/core/layout/svg/layout_svg_resource_masker.h"
+ #include "third_party/blink/renderer/core/layout/svg/svg_resources.h"
+ #include "third_party/blink/renderer/core/paint/object_paint_properties.h"
+@@ -46,7 +47,9 @@ void SVGMaskPainter::Paint(GraphicsContext& context,
+   auto* masker = GetSVGResourceAsType<LayoutSVGResourceMasker>(
+       *client, style.MaskerResource());
+   DCHECK(masker);
+-  SECURITY_DCHECK(!masker->NeedsLayout());
++  if (DisplayLockUtilities::LockedAncestorPreventingLayout(*masker))
++    return;
++  SECURITY_DCHECK(!masker->SelfNeedsLayout());
+   masker->ClearInvalidationMask();
+ 
+   FloatRect reference_box = SVGResources::ReferenceBoxForEffects(layout_object);
+diff --git a/third_party/blink/renderer/core/paint/svg_object_painter.cc b/third_party/blink/renderer/core/paint/svg_object_painter.cc
+index acd0c2d16230e7fcd62ee51a267468dfb7ca1b7c..c18ca5024108ad2680f3ec33bb4240d690dc5ae2 100644
+--- a/third_party/blink/renderer/core/paint/svg_object_painter.cc
++++ b/third_party/blink/renderer/core/paint/svg_object_painter.cc
+@@ -31,7 +31,7 @@ void CopyStateFromGraphicsContext(GraphicsContext& context, PaintFlags& flags) {
+ }  // namespace
+ 
+ void SVGObjectPainter::PaintResourceSubtree(GraphicsContext& context) {
+-  DCHECK(!layout_object_.NeedsLayout());
++  DCHECK(!layout_object_.SelfNeedsLayout());
+ 
+   PaintInfo info(context, CullRect::Infinite(), PaintPhase::kForeground,
+                  kGlobalPaintNormalPhase | kGlobalPaintFlattenCompositingLayers,
+diff --git a/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/content-visibility-in-svg-000-crash.html b/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/content-visibility-in-svg-000-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..d1084f7216510386f159033e2f7b0e3966bd2758
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/content-visibility-in-svg-000-crash.html
+@@ -0,0 +1,30 @@
++<!DOCTYPE html>
++<html class="test-wait">
++<link rel="author" title="Vladimir Levin" href="mailto:vmpstr@chromium.org">
++<link rel="help" href="https://crbug.com/1247196">
++<meta name="assert" content="Clip path with content-visibility does not cause an assert">
++
++<svg width="138">
++  <defs>
++    <clipPath id="snowglobe_clipPath">
++      <circle cx="34" />
++    </clipPath>
++  </defs>
++  <circle />
++  <g class="group-snow" clip-path="url(#snowglobe_clipPath)">
++    <g class="snowContainer">
++      <circle class="snow" />
++    </g>
++  </g>
++</svg>
++<script type="text/javascript">
++onload = () => {
++  var test0 = document.getElementById("snowglobe_clipPath");
++  test0.style.setProperty("content-visibility", "auto ", "important");
++  test0.innerHTML = "";
++  test0.offsetHeight;
++
++  requestAnimationFrame(() => document.documentElement.classList.remove('test-wait'));
++};
++</script>
++</html>

patches/chromium/content-visibility_force_range_base_extent_when_computing_visual.patch

@@ -0,0 +1,119 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Vladimir Levin <vmpstr@chromium.org>
+Date: Tue, 7 Sep 2021 21:32:03 +0000
+Subject: content-visibility: Force range base/extent when computing visual
+ selection.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some of the code that does visual selection ends up updating style and
+layout for node. This means that it will temporarily unlock c-v nodes
+and may cause a state rewind from layout clean to visual update pending.
+
+That's not an operation we support, verified by DCHECKs. So, instead
+we should unlock any c-v nodes prior to getting to layout clean.
+
+R=​chrishtr@chromium.org, yosin@chromium.org
+
+(cherry picked from commit 484bc1abffcdee33648695244c86daca15ab6539)
+
+Bug: 1237533
+Change-Id: Ib30036c4536bea3da2ae4fa54c19ad5684829597
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3114230
+Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
+Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
+Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#914631}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3145452
+Auto-Submit: vmpstr <vmpstr@chromium.org>
+Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4515@{#2115}
+Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
+
+diff --git a/third_party/blink/renderer/core/display_lock/display_lock_utilities.cc b/third_party/blink/renderer/core/display_lock/display_lock_utilities.cc
+index b751822d19f703984a4e65ef465667ac2f592533..715a830c65d39bd240a5d858674d428885538520 100644
+--- a/third_party/blink/renderer/core/display_lock/display_lock_utilities.cc
++++ b/third_party/blink/renderer/core/display_lock/display_lock_utilities.cc
+@@ -173,6 +173,9 @@ DisplayLockUtilities::ScopedForcedUpdate::Impl::Impl(const Node* node,
+   if (!RuntimeEnabledFeatures::CSSContentVisibilityEnabled())
+     return;
+ 
++  if (!node_)
++    return;
++
+   auto* owner_node = GetFrameOwnerNode(node);
+   if (owner_node)
+     parent_frame_impl_ = MakeGarbageCollected<Impl>(owner_node, true);
+@@ -215,6 +218,8 @@ DisplayLockUtilities::ScopedForcedUpdate::Impl::Impl(const Node* node,
+ }
+ 
+ void DisplayLockUtilities::ScopedForcedUpdate::Impl::Destroy() {
++  if (!node_)
++    return;
+   if (RuntimeEnabledFeatures::CSSContentVisibilityEnabled())
+     node_->GetDocument().GetDisplayLockDocumentState().EndNodeForcedScope(this);
+   if (parent_frame_impl_)
+diff --git a/third_party/blink/renderer/core/display_lock/display_lock_utilities.h b/third_party/blink/renderer/core/display_lock/display_lock_utilities.h
+index 6e6839e2c1222a6f05d89dca97e7513989476165..022ac073ca6eb92023014933f2f1d12d774f8a30 100644
+--- a/third_party/blink/renderer/core/display_lock/display_lock_utilities.h
++++ b/third_party/blink/renderer/core/display_lock/display_lock_utilities.h
+@@ -8,6 +8,7 @@
+ #include "third_party/blink/renderer/core/core_export.h"
+ #include "third_party/blink/renderer/core/display_lock/display_lock_context.h"
+ #include "third_party/blink/renderer/core/editing/ephemeral_range.h"
++#include "third_party/blink/renderer/core/editing/frame_selection.h"
+ #include "third_party/blink/renderer/platform/wtf/allocator/allocator.h"
+ 
+ namespace blink {
+@@ -51,6 +52,8 @@ class CORE_EXPORT DisplayLockUtilities {
+     friend void Document::EnsurePaintLocationDataValidForNode(
+         const Node* node,
+         DocumentUpdateReason reason);
++    friend VisibleSelection
++    FrameSelection::ComputeVisibleSelectionInDOMTreeDeprecated() const;
+ 
+     friend class DisplayLockContext;
+ 
+diff --git a/third_party/blink/renderer/core/editing/frame_selection.cc b/third_party/blink/renderer/core/editing/frame_selection.cc
+index d0133cc8da39300c4fc3b5ae225afd9e3aeceeca..f59557caeb9fa1bc460e199a7dae8d218d27c089 100644
+--- a/third_party/blink/renderer/core/editing/frame_selection.cc
++++ b/third_party/blink/renderer/core/editing/frame_selection.cc
+@@ -158,6 +158,10 @@ VisibleSelection FrameSelection::ComputeVisibleSelectionInDOMTreeDeprecated()
+     const {
+   // TODO(editing-dev): Hoist UpdateStyleAndLayout
+   // to caller. See http://crbug.com/590369 for more details.
++  DisplayLockUtilities::ScopedForcedUpdate base_scope(
++      GetSelectionInDOMTree().Base().AnchorNode());
++  DisplayLockUtilities::ScopedForcedUpdate extent_scope(
++      GetSelectionInDOMTree().Extent().AnchorNode());
+   GetDocument().UpdateStyleAndLayout(DocumentUpdateReason::kSelection);
+   return ComputeVisibleSelectionInDOMTree();
+ }
+diff --git a/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/meter-selection-crash.html b/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/meter-selection-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..9edca97568e288c0231ac942eeadfe397ea9e00f
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/css-contain/content-visibility/meter-selection-crash.html
+@@ -0,0 +1,21 @@
++<!doctype HTML>
++<link rel=author href="mailto:vmpstr@chromium.org">
++<link rel="help" href="https://drafts.csswg.org/css-contain/#content-visibility">
++<meta name="assert" content="meter, iframe, and selection API should not crash">
++
++<style>
++* {
++  all: initial;
++  content-visibility: hidden;
++}
++</style>
++
++<meter></meter><iframe id="frame"></iframe>
++<script>
++function runTest() {
++  var range_beadc = window.getSelection();
++  var elem1 = document.getElementById("frame");
++  range_beadc.setBaseAndExtent(elem1, 0, document.getElementById("none"), 0);
++}
++onload = runTest;
++</script>

patches/chromium/contentindex_add_origin_checks_to_mojo_methods.patch

@@ -0,0 +1,214 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Rayan Kanso <rayankans@google.com>
+Date: Thu, 9 Sep 2021 11:16:13 +0000
+Subject: Add Origin checks to mojo methods.
+
+(cherry picked from commit 6ef569fd764a8e5f8fba4dcff830d460e406362b)
+
+Bug: 1244568
+Change-Id: I5a63a2e478577913a3b35154464c1808f7291f40
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140385
+Reviewed-by: Richard Knoll <knollr@chromium.org>
+Commit-Queue: Rayan Kanso <rayankans@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#918606}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3149996
+Reviewed-by: Michael van Ouwerkerk <mvanouwerkerk@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1220}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/content/browser/content_index/content_index_database.cc b/content/browser/content_index/content_index_database.cc
+index 2ce59c40e2d8e319b68d9df61a496606f4bf5bb6..438798fe658bf148c09a9bcf65c3b40dbf96325e 100644
+--- a/content/browser/content_index/content_index_database.cc
++++ b/content/browser/content_index/content_index_database.cc
+@@ -183,6 +183,11 @@ void ContentIndexDatabase::AddEntryOnCoreThread(
+     return;
+   }
+ 
++  if (!service_worker_registration->origin().IsSameOriginWith(origin)) {
++    std::move(callback).Run(blink::mojom::ContentIndexError::STORAGE_ERROR);
++    return;
++  }
++
+   auto serialized_icons = std::make_unique<proto::SerializedIcons>();
+   proto::SerializedIcons* serialized_icons_ptr = serialized_icons.get();
+ 
+@@ -284,6 +289,15 @@ void ContentIndexDatabase::DeleteEntryOnCoreThread(
+     blink::mojom::ContentIndexService::DeleteCallback callback) {
+   DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
+ 
++  scoped_refptr<ServiceWorkerRegistration> service_worker_registration =
++      service_worker_context_->GetLiveRegistration(
++          service_worker_registration_id);
++  if (!service_worker_registration ||
++      !service_worker_registration->origin().IsSameOriginWith(origin)) {
++    std::move(callback).Run(blink::mojom::ContentIndexError::STORAGE_ERROR);
++    return;
++  }
++
+   service_worker_context_->ClearRegistrationUserData(
+       service_worker_registration_id, {EntryKey(entry_id), IconsKey(entry_id)},
+       base::BindOnce(&ContentIndexDatabase::DidDeleteEntry,
+@@ -316,6 +330,7 @@ void ContentIndexDatabase::DidDeleteEntry(
+ 
+ void ContentIndexDatabase::GetDescriptions(
+     int64_t service_worker_registration_id,
++    const url::Origin& origin,
+     blink::mojom::ContentIndexService::GetDescriptionsCallback callback) {
+   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+ 
+@@ -333,15 +348,26 @@ void ContentIndexDatabase::GetDescriptions(
+       FROM_HERE, ServiceWorkerContext::GetCoreThreadId(),
+       base::BindOnce(&ContentIndexDatabase::GetDescriptionsOnCoreThread,
+                      weak_ptr_factory_core_.GetWeakPtr(),
+-                     service_worker_registration_id,
++                     service_worker_registration_id, origin,
+                      std::move(wrapped_callback)));
+ }
+ 
+ void ContentIndexDatabase::GetDescriptionsOnCoreThread(
+     int64_t service_worker_registration_id,
++    const url::Origin& origin,
+     blink::mojom::ContentIndexService::GetDescriptionsCallback callback) {
+   DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
+ 
++  scoped_refptr<ServiceWorkerRegistration> service_worker_registration =
++      service_worker_context_->GetLiveRegistration(
++          service_worker_registration_id);
++  if (!service_worker_registration ||
++      !service_worker_registration->origin().IsSameOriginWith(origin)) {
++    std::move(callback).Run(blink::mojom::ContentIndexError::STORAGE_ERROR,
++                            /* descriptions= */ {});
++    return;
++  }
++
+   service_worker_context_->GetRegistrationUserDataByKeyPrefix(
+       service_worker_registration_id, kEntryPrefix,
+       base::BindOnce(&ContentIndexDatabase::DidGetDescriptions,
+diff --git a/content/browser/content_index/content_index_database.h b/content/browser/content_index/content_index_database.h
+index 89c23e8d3595a114c3a24530c8afd1e3a67b79a3..86a7830a72b25fc4a76575138e29284a2debba52 100644
+--- a/content/browser/content_index/content_index_database.h
++++ b/content/browser/content_index/content_index_database.h
+@@ -51,6 +51,7 @@ class CONTENT_EXPORT ContentIndexDatabase {
+ 
+   void GetDescriptions(
+       int64_t service_worker_registration_id,
++      const url::Origin& origin,
+       blink::mojom::ContentIndexService::GetDescriptionsCallback callback);
+ 
+   // Gets the icon for |description_id| and invokes |callback| on the UI
+@@ -95,6 +96,7 @@ class CONTENT_EXPORT ContentIndexDatabase {
+       blink::mojom::ContentIndexService::DeleteCallback callback);
+   void GetDescriptionsOnCoreThread(
+       int64_t service_worker_registration_id,
++      const url::Origin& origin,
+       blink::mojom::ContentIndexService::GetDescriptionsCallback callback);
+   void GetIconsOnCoreThread(int64_t service_worker_registration_id,
+                             const std::string& description_id,
+diff --git a/content/browser/content_index/content_index_database_unittest.cc b/content/browser/content_index/content_index_database_unittest.cc
+index 3787ffbff591410f90065b78fd5c177567e335b3..4058a334ee229c0e2bf58e78f3884e6ad910eb7e 100644
+--- a/content/browser/content_index/content_index_database_unittest.cc
++++ b/content/browser/content_index/content_index_database_unittest.cc
+@@ -114,7 +114,7 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+ 
+   void SetUp() override {
+     // Register Service Worker.
+-    service_worker_registration_id_ = RegisterServiceWorker();
++    service_worker_registration_id_ = RegisterServiceWorker(origin_);
+     ASSERT_NE(service_worker_registration_id_,
+               blink::mojom::kInvalidServiceWorkerRegistrationId);
+     database_ = std::make_unique<ContentIndexDatabase>(
+@@ -164,7 +164,7 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+     base::RunLoop run_loop;
+     std::vector<blink::mojom::ContentDescriptionPtr> descriptions;
+     database_->GetDescriptions(
+-        service_worker_registration_id_,
++        service_worker_registration_id_, origin_,
+         base::BindOnce(&GetDescriptionsCallback, run_loop.QuitClosure(),
+                        out_error, &descriptions));
+     run_loop.Run();
+@@ -222,6 +222,11 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+     return service_worker_registration_id_;
+   }
+ 
++  void set_service_worker_registration_id(
++      int64_t service_worker_registration_id) {
++    service_worker_registration_id_ = service_worker_registration_id;
++  }
++
+   ContentIndexDatabase* database() { return database_.get(); }
+ 
+   BrowserTaskEnvironment& task_environment() { return task_environment_; }
+@@ -230,15 +235,14 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+ 
+   GURL launch_url() { return origin_.GetURL(); }
+ 
+- private:
+-  int64_t RegisterServiceWorker() {
+-    GURL script_url(origin_.GetURL().spec() + "sw.js");
++  int64_t RegisterServiceWorker(const url::Origin& origin) {
++    GURL script_url(origin.GetURL().spec() + "sw.js");
+     int64_t service_worker_registration_id =
+         blink::mojom::kInvalidServiceWorkerRegistrationId;
+ 
+     {
+       blink::mojom::ServiceWorkerRegistrationOptions options;
+-      options.scope = origin_.GetURL();
++      options.scope = origin.GetURL();
+       base::RunLoop run_loop;
+       embedded_worker_test_helper_.context()->RegisterServiceWorker(
+           script_url, options, blink::mojom::FetchClientSettingsObject::New(),
+@@ -258,7 +262,7 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+     {
+       base::RunLoop run_loop;
+       embedded_worker_test_helper_.context()->registry()->FindRegistrationForId(
+-          service_worker_registration_id, origin_,
++          service_worker_registration_id, origin,
+           base::BindOnce(&DidFindServiceWorkerRegistration,
+                          &service_worker_registration_,
+                          run_loop.QuitClosure()));
+@@ -276,6 +280,7 @@ class ContentIndexDatabaseTest : public ::testing::Test {
+     return service_worker_registration_id;
+   }
+ 
++ private:
+   BrowserTaskEnvironment task_environment_;  // Must be first member.
+   ContentIndexTestBrowserContext browser_context_;
+   url::Origin origin_ = url::Origin::Create(GURL("https://example.com"));
+@@ -314,6 +319,24 @@ TEST_F(ContentIndexDatabaseTest, DatabaseOperations) {
+   EXPECT_TRUE(descriptions[0]->Equals(*expected_description));
+ }
+ 
++TEST_F(ContentIndexDatabaseTest, DatabaseOperationsBadSWID) {
++  url::Origin other_origin = url::Origin::Create(GURL("https://other.com"));
++  int64_t other_service_worker_registration_id =
++      RegisterServiceWorker(other_origin);
++  ASSERT_NE(other_service_worker_registration_id,
++            blink::mojom::kInvalidServiceWorkerRegistrationId);
++  set_service_worker_registration_id(other_service_worker_registration_id);
++
++  blink::mojom::ContentIndexError error;
++  auto descriptions = GetDescriptions(&error);
++  EXPECT_TRUE(descriptions.empty());
++  EXPECT_EQ(error, blink::mojom::ContentIndexError::STORAGE_ERROR);
++
++  EXPECT_EQ(AddEntry(CreateDescription("id1")),
++            blink::mojom::ContentIndexError::STORAGE_ERROR);
++  EXPECT_EQ(DeleteEntry("id2"), blink::mojom::ContentIndexError::STORAGE_ERROR);
++}
++
+ TEST_F(ContentIndexDatabaseTest, AddDuplicateIdWillOverwrite) {
+   auto description1 = CreateDescription("id");
+   description1->title = "title1";
+diff --git a/content/browser/content_index/content_index_service_impl.cc b/content/browser/content_index/content_index_service_impl.cc
+index 81135e8b431d87ee371c0ca8912ee5dc93adfc17..73d54a16bb759156eb2869d2e8a6293f9cf0de0a 100644
+--- a/content/browser/content_index/content_index_service_impl.cc
++++ b/content/browser/content_index/content_index_service_impl.cc
+@@ -153,7 +153,7 @@ void ContentIndexServiceImpl::GetDescriptions(
+   DCHECK_CURRENTLY_ON(BrowserThread::UI);
+ 
+   content_index_context_->database().GetDescriptions(
+-      service_worker_registration_id, std::move(callback));
++      service_worker_registration_id, origin_, std::move(callback));
+ }
+ 
+ }  // namespace content

patches/chromium/dpwas_window_control_overlay_api_values_account_for_page_zoom_factor.patch

@@ -0,0 +1,701 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mike Jackson <mjackson@microsoft.com>
+Date: Wed, 9 Jun 2021 16:48:30 +0000
+Subject: dpwas: Window Control Overlay API values account for page zoom factor
+
+The overlay's bounding rect passed from the browser process
+to the render process doesn't take the page's zoom factor
+(browser zoom - Ctrl+/-) into account. The bounding rect is
+exposed via a JS API/Event and CSS environment variables, so
+we need to convert from Frame space coordinates to unzoomed
+CSS pixels. When calculating the new rect, ensure that we return
+a slightly larger rect if needed to avoid rendering contents
+smaller than the Window Control Overlay. e.g. If the height of
+the Window Control Overlay is 32, and page's zoom factor is 500%
+we will return a height of 7, instead of 6.
+
+LocalFrame is notified of page zoom change via
+SynchronizeVisualProperties, to ensure we are only computing this
+in a single pass, we also add the Window Control Overlay rect
+to the SynchronizeVisualProperties message.
+
+Manual testing:
+
+1) Enable 'Desktop PWA Window Controls Overlay' flags
+2) Install https://amandabaker.github.io/pwa/windowControlsOverlay-newCSSVars/index.html
+3) Toggle Window Control Overlay on
+4) Change zoom level for PWA via the 3 dots menu
+5) As you increase the zoom level, the values returned should decrease
+6) As you decrease the zoom level, the values returned should increase
+
+Screenshots:
+  100%: https://imgur.com/a/L4MV4RW
+   80%: https://imgur.com/a/xH79oZg
+  125%: https://imgur.com/a/CcqlkPV
+
+Explainer: https://github.com/WICG/window-controls-overlay/blob/master/explainer.md
+Design Doc: https://docs.google.com/document/d/1k0YL_-VMLIfjYCgJ2v6cMvuUv2qMKg4BgLI2tJ4qtyo/edit?usp=sharing
+I2P: https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/cper6nNLFRQ/hU91kfCWBQAJ
+
+Bug: 937121, 1213123
+Change-Id: I6744bb5a64b4021195734464b9a024e15277baa7
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2918946
+Commit-Queue: Mike Jackson <mjackson@microsoft.com>
+Reviewed-by: Daniel Cheng <dcheng@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: danakj <danakj@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#890815}
+
+diff --git a/content/browser/renderer_host/render_widget_host_delegate.cc b/content/browser/renderer_host/render_widget_host_delegate.cc
+index 26c7a93644bb2b9f58817294265b80de33e9ef1b..3780835536c56f076831aadac63878133f21a0cd 100644
+--- a/content/browser/renderer_host/render_widget_host_delegate.cc
++++ b/content/browser/renderer_host/render_widget_host_delegate.cc
+@@ -91,6 +91,10 @@ blink::mojom::DisplayMode RenderWidgetHostDelegate::GetDisplayMode() const {
+   return blink::mojom::DisplayMode::kBrowser;
+ }
+ 
++gfx::Rect RenderWidgetHostDelegate::GetWindowsControlsOverlayRect() const {
++  return gfx::Rect();
++}
++
+ bool RenderWidgetHostDelegate::HasMouseLock(
+     RenderWidgetHostImpl* render_widget_host) {
+   return false;
+diff --git a/content/browser/renderer_host/render_widget_host_delegate.h b/content/browser/renderer_host/render_widget_host_delegate.h
+index 51bcc78ecd8f5f40e90a5e9077ac59b37c5c3e13..74d81a2a91ef515c3b89e2ceaa197b894c9fd9b7 100644
+--- a/content/browser/renderer_host/render_widget_host_delegate.h
++++ b/content/browser/renderer_host/render_widget_host_delegate.h
+@@ -215,6 +215,10 @@ class CONTENT_EXPORT RenderWidgetHostDelegate {
+   // to frame-based widgets. Other widgets are always kBrowser.
+   virtual blink::mojom::DisplayMode GetDisplayMode() const;
+ 
++  // Returns the Window Control Overlay rectangle. Only applies to an
++  // outermost main frame's widget. Other widgets always returns an empty rect.
++  virtual gfx::Rect GetWindowsControlsOverlayRect() const;
++
+   // Notification that the widget has lost capture.
+   virtual void LostCapture(RenderWidgetHostImpl* render_widget_host) {}
+ 
+diff --git a/content/browser/renderer_host/render_widget_host_impl.cc b/content/browser/renderer_host/render_widget_host_impl.cc
+index fc8916ac6dc76968e0cbd06877ffb80c95f3abf4..18f0ea3b8ea34f6287e92299ef147bccaedd302a 100644
+--- a/content/browser/renderer_host/render_widget_host_impl.cc
++++ b/content/browser/renderer_host/render_widget_host_impl.cc
+@@ -879,6 +879,8 @@ blink::VisualProperties RenderWidgetHostImpl::GetVisualProperties() {
+   auto& current_screen_info = visual_properties.screen_infos.mutable_current();
+ 
+   visual_properties.is_fullscreen_granted = delegate_->IsFullscreen();
++  visual_properties.window_controls_overlay_rect =
++      delegate_->GetWindowsControlsOverlayRect();
+ 
+   if (is_frame_widget)
+     visual_properties.display_mode = delegate_->GetDisplayMode();
+@@ -2659,7 +2661,9 @@ bool RenderWidgetHostImpl::StoredVisualPropertiesNeedsUpdate(
+          old_visual_properties->is_pinch_gesture_active !=
+              new_visual_properties.is_pinch_gesture_active ||
+          old_visual_properties->root_widget_window_segments !=
+-             new_visual_properties.root_widget_window_segments;
++             new_visual_properties.root_widget_window_segments ||
++         old_visual_properties->window_controls_overlay_rect !=
++             new_visual_properties.window_controls_overlay_rect;
+ }
+ 
+ void RenderWidgetHostImpl::AutoscrollStart(const gfx::PointF& position) {
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index ca51a8a45570fafc0dfe2b400cbb7172a9be632d..835a100a98882e3fff1e679ed596171ce865a653 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
++++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -7872,10 +7872,22 @@ gfx::Size WebContentsImpl::GetSize() {
+ 
+ #endif  // !defined(OS_MAC)
+ 
++gfx::Rect WebContentsImpl::GetWindowsControlsOverlayRect() const {
++  return window_controls_overlay_rect_;
++}
++
+ void WebContentsImpl::UpdateWindowControlsOverlay(
+     const gfx::Rect& bounding_rect) {
+-  GetMainFrame()->GetAssociatedLocalMainFrame()->UpdateWindowControlsOverlay(
+-      bounding_rect);
++  if (window_controls_overlay_rect_ == bounding_rect)
++    return;
++
++  window_controls_overlay_rect_ = bounding_rect;
++
++  // Updates to the |window_controls_overlay_rect_| are sent via
++  // the VisualProperties message.
++  if (RenderWidgetHost* render_widget_host =
++          GetMainFrame()->GetRenderWidgetHost())
++    render_widget_host->SynchronizeVisualProperties();
+ }
+ 
+ BrowserPluginEmbedder* WebContentsImpl::GetBrowserPluginEmbedder() const {
+diff --git a/content/browser/web_contents/web_contents_impl.h b/content/browser/web_contents/web_contents_impl.h
+index 17034e75d2ab5bd4e716e9c72277c77a53387808..3e32a9b4e17bb515066acaf014d1fe659cc83772 100644
+--- a/content/browser/web_contents/web_contents_impl.h
++++ b/content/browser/web_contents/web_contents_impl.h
+@@ -960,6 +960,7 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+   bool IsWidgetForMainFrame(RenderWidgetHostImpl* render_widget_host) override;
+   bool IsShowingContextMenuOnPage() const override;
+   void DidChangeScreenOrientation() override;
++  gfx::Rect GetWindowsControlsOverlayRect() const override;
+ 
+   // RenderFrameHostManager::Delegate ------------------------------------------
+ 
+@@ -2091,6 +2092,12 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+   // with OOPIF renderers.
+   blink::mojom::TextAutosizerPageInfo text_autosizer_page_info_;
+ 
++  // Stores the rect of the Windows Control Overlay, which contains system UX
++  // affordances (e.g. close), for installed desktop Progress Web Apps (PWAs),
++  // if the app specifies the 'window-controls-overlay' DisplayMode in its
++  // manifest. This is in frame space coordinates.
++  gfx::Rect window_controls_overlay_rect_;
++
+   // Observe native theme for changes to dark mode, preferred color scheme, and
+   // preferred contrast. Used to notify the renderer of preferred color scheme
+   // and preferred contrast changes.
+diff --git a/content/browser/web_contents/web_contents_impl_browsertest.cc b/content/browser/web_contents/web_contents_impl_browsertest.cc
+index 2e75cbf168dbfa48d9f094ed84398197fd0487aa..73dc93a8afd6fa1ff38e900590681e22d43f7ca4 100644
+--- a/content/browser/web_contents/web_contents_impl_browsertest.cc
++++ b/content/browser/web_contents/web_contents_impl_browsertest.cc
+@@ -43,6 +43,7 @@
+ #include "content/public/browser/back_forward_cache.h"
+ #include "content/public/browser/browser_thread.h"
+ #include "content/public/browser/file_select_listener.h"
++#include "content/public/browser/host_zoom_map.h"
+ #include "content/public/browser/invalidate_type.h"
+ #include "content/public/browser/javascript_dialog_manager.h"
+ #include "content/public/browser/load_notification_details.h"
+@@ -88,6 +89,7 @@
+ #include "testing/gmock/include/gmock/gmock.h"
+ #include "third_party/blink/public/common/client_hints/client_hints.h"
+ #include "third_party/blink/public/common/features.h"
++#include "third_party/blink/public/common/page/page_zoom.h"
+ #include "third_party/blink/public/mojom/frame/fullscreen.mojom.h"
+ #include "ui/base/clipboard/clipboard_format_type.h"
+ #include "url/gurl.h"
+@@ -4466,19 +4468,74 @@ class WebContentsImplBrowserTestWindowControlsOverlay
+   }
+ 
+   void ValidateTitlebarAreaCSSValue(const std::string& name,
+-                                    const std::string& expected_result) {
++                                    int expected_result) {
+     SCOPED_TRACE(name);
+-
+     EXPECT_EQ(
+         expected_result,
+         EvalJs(shell()->web_contents(),
+                JsReplace(
+-                   "(() => {const e = document.getElementById('target');const "
+-                   "style = window.getComputedStyle(e, null); return "
+-                   "style.getPropertyValue($1);})();",
++                   "(() => {"
++                   "const e = document.getElementById('target');"
++                   "const style = window.getComputedStyle(e, null);"
++                   "return Math.round(style.getPropertyValue($1).replace('px', "
++                   "''));"
++                   "})();",
+                    name)));
+   }
+ 
++
++  void ValidateWindowsControlOverlayState(WebContents* web_contents,
++                                          const gfx::Rect& expected_rect,
++                                          int css_fallback_value) {
++    EXPECT_EQ(!expected_rect.IsEmpty(),
++              EvalJs(web_contents, "navigator.windowControlsOverlay.visible"));
++    EXPECT_EQ(
++        expected_rect.x(),
++        EvalJs(web_contents,
++               "navigator.windowControlsOverlay.getBoundingClientRect().x"));
++    EXPECT_EQ(
++        expected_rect.y(),
++        EvalJs(web_contents,
++               "navigator.windowControlsOverlay.getBoundingClientRect().y"));
++    EXPECT_EQ(
++        expected_rect.width(),
++        EvalJs(
++            web_contents,
++            "navigator.windowControlsOverlay.getBoundingClientRect().width"));
++    EXPECT_EQ(
++        expected_rect.height(),
++        EvalJs(
++            web_contents,
++            "navigator.windowControlsOverlay.getBoundingClientRect().height"));
++
++    // When the overlay is not visible, the environment variables should be
++    // undefined, and the the fallback value should be used.
++    gfx::Rect css_rect = expected_rect;
++    if (css_rect.IsEmpty()) {
++      css_rect.SetRect(css_fallback_value, css_fallback_value,
++                       css_fallback_value, css_fallback_value);
++    }
++
++    ValidateTitlebarAreaCSSValue("left", css_rect.x());
++    ValidateTitlebarAreaCSSValue("top", css_rect.y());
++    ValidateTitlebarAreaCSSValue("width", css_rect.width());
++    ValidateTitlebarAreaCSSValue("height", css_rect.height());
++  }
++
++  void WaitForWindowControlsOverlayUpdate(
++      WebContents* web_contents,
++      const gfx::Rect& bounding_client_rect) {
++    EXPECT_TRUE(
++        ExecJs(web_contents->GetMainFrame(),
++               "navigator.windowControlsOverlay.ongeometrychange = (e) => {"
++               "  document.title = 'ongeometrychange'"
++               "}"));
++
++    web_contents->UpdateWindowControlsOverlay(bounding_client_rect);
++    TitleWatcher title_watcher(web_contents, u"ongeometrychange");
++    ignore_result(title_watcher.WaitAndGetTitle());
++  }
++
+  private:
+   base::test::ScopedFeatureList scoped_feature_list_;
+ };
+@@ -4500,24 +4557,12 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
+   // empty.
+   int empty_rect_value = 0;
+ 
+-  EXPECT_EQ(false,
+-            EvalJs(web_contents, "navigator.windowControlsOverlay.visible"));
+-  EXPECT_EQ(
+-      empty_rect_value,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().x"));
+-  EXPECT_EQ(
+-      empty_rect_value,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().y"));
+-  EXPECT_EQ(
+-      empty_rect_value,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().width"));
+-  EXPECT_EQ(
+-      empty_rect_value,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().height"));
++
++  // Update bounds and ensure that JS APIs and CSS variables are updated.
++  gfx::Rect bounding_client_rect(1, 2, 3, 4);
++  WaitForWindowControlsOverlayUpdate(web_contents, bounding_client_rect);
++  ValidateWindowsControlOverlayState(web_contents, bounding_client_rect, 50);
++}
+ 
+   // When the overlay is not visble, the environment variables should be
+   // undefined, and the the fallback value of 50px should be used.
+@@ -4535,31 +4580,15 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
+   gfx::Rect bounding_client_rect =
+       gfx::Rect(new_x, new_y, new_width, new_height);
+ 
+-  web_contents->UpdateWindowControlsOverlay(bounding_client_rect);
+-
+-  EXPECT_EQ(true,
+-            EvalJs(web_contents, "navigator.windowControlsOverlay.visible"));
+-  EXPECT_EQ(
+-      new_x,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().x"));
+-  EXPECT_EQ(
+-      new_y,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().y"));
+-  EXPECT_EQ(
+-      new_width,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().width"));
+-  EXPECT_EQ(
+-      new_height,
+-      EvalJs(web_contents,
+-             "navigator.windowControlsOverlay.getBoundingClientRect().height"));
+-
+-  ValidateTitlebarAreaCSSValue("left", "1px");
+-  ValidateTitlebarAreaCSSValue("top", "2px");
+-  ValidateTitlebarAreaCSSValue("width", "3px");
+-  ValidateTitlebarAreaCSSValue("height", "4px");
++  // Update bounds and ensure that JS APIs and CSS variables are updated.
++  gfx::Rect bounding_client_rect(0, 0, 100, 32);
++  WaitForWindowControlsOverlayUpdate(web_contents, bounding_client_rect);
++  ValidateWindowsControlOverlayState(web_contents, bounding_client_rect, 55);
++
++  // Now toggle Windows Controls Overlay off.
++  gfx::Rect empty_rect;
++  WaitForWindowControlsOverlayUpdate(web_contents, empty_rect);
++  ValidateWindowsControlOverlayState(web_contents, empty_rect, 55);
+ }
+ 
+ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
+@@ -4568,14 +4597,16 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
+ 
+   GURL url(url::kAboutBlankURL);
+   EXPECT_TRUE(NavigateToURL(shell(), url));
+-  EXPECT_TRUE(ExecuteScript(
+-      web_contents->GetMainFrame(),
+-      "geometrychangeCount = 0;"
+-      "navigator.windowControlsOverlay.ongeometrychange = (e) => {"
+-      "  geometrychangeCount++;"
+-      "  rect = e.boundingRect;"
+-      "  visible = e.visible;"
+-      "}"));
++
++  EXPECT_TRUE(
++      ExecJs(web_contents->GetMainFrame(),
++             "geometrychangeCount = 0;"
++             "navigator.windowControlsOverlay.ongeometrychange = (e) => {"
++             "  geometrychangeCount++;"
++             "  rect = e.boundingRect;"
++             "  visible = e.visible;"
++             "  document.title = 'ongeometrychange' + geometrychangeCount"
++             "}"));
+ 
+   WaitForLoadStop(web_contents);
+ 
+@@ -4584,23 +4615,107 @@ IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
+   EXPECT_EQ(0, EvalJs(web_contents, "geometrychangeCount"));
+ 
+   // Information about the bounds should be updated.
+-  const int x = 2;
+-  const int y = 2;
+-  const int width = 2;
+-  const int height = 2;
+-
+-  gfx::Rect bounding_client_rect = gfx::Rect(x, y, width, height);
+-
++  gfx::Rect bounding_client_rect = gfx::Rect(2, 3, 4, 5);
+   web_contents->UpdateWindowControlsOverlay(bounding_client_rect);
++  TitleWatcher title_watcher(web_contents, u"ongeometrychange1");
++  ignore_result(title_watcher.WaitAndGetTitle());
+ 
+   // Expect the "geometrychange" event to have fired once.
+   EXPECT_EQ(1, EvalJs(web_contents, "geometrychangeCount"));
+ 
+   // Validate the event payload.
+   EXPECT_EQ(true, EvalJs(web_contents, "visible"));
+-  EXPECT_EQ(x, EvalJs(web_contents, "rect.x;"));
+-  EXPECT_EQ(y, EvalJs(web_contents, "rect.y"));
+-  EXPECT_EQ(width, EvalJs(web_contents, "rect.width"));
+-  EXPECT_EQ(height, EvalJs(web_contents, "rect.height"));
++  EXPECT_EQ(bounding_client_rect.x(), EvalJs(web_contents, "rect.x;"));
++  EXPECT_EQ(bounding_client_rect.y(), EvalJs(web_contents, "rect.y"));
++  EXPECT_EQ(bounding_client_rect.width(), EvalJs(web_contents, "rect.width"));
++  EXPECT_EQ(bounding_client_rect.height(), EvalJs(web_contents, "rect.height"));
++}
++
++#if !defined(OS_ANDROID)
++IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTestWindowControlsOverlay,
++                       ValidatePageScaleChangesInfoAndFiresEvent) {
++  auto* web_contents = shell()->web_contents();
++  GURL url(
++      R"(data:text/html,<body><div id=target style="position=absolute;
++      left: env(titlebar-area-x, 60px);
++      top: env(titlebar-area-y, 60px);
++      width: env(titlebar-area-width, 60px);
++      height: env(titlebar-area-height, 60px);"></div></body>)");
++
++  EXPECT_TRUE(NavigateToURL(shell(), url));
++  WaitForLoadStop(web_contents);
++
++  gfx::Rect bounding_client_rect = gfx::Rect(5, 10, 15, 20);
++  WaitForWindowControlsOverlayUpdate(web_contents, bounding_client_rect);
++
++  // Update zoom level, confirm the "geometrychange" event is fired,
++  // and CSS variables are updated
++  EXPECT_TRUE(
++      ExecJs(web_contents->GetMainFrame(),
++             "geometrychangeCount = 0;"
++             "navigator.windowControlsOverlay.ongeometrychange = (e) => {"
++             "  geometrychangeCount++;"
++             "  rect = e.boundingRect;"
++             "  visible = e.visible;"
++             "  document.title = 'ongeometrychangefromzoomlevel'"
++             "}"));
++  content::HostZoomMap::SetZoomLevel(web_contents, 1.5);
++  TitleWatcher title_watcher(web_contents, u"ongeometrychangefromzoomlevel");
++  ignore_result(title_watcher.WaitAndGetTitle());
++
++  // Validate the event payload.
++  double zoom_factor = blink::PageZoomLevelToZoomFactor(
++      content::HostZoomMap::GetZoomLevel(web_contents));
++  gfx::Rect scaled_rect =
++      gfx::ScaleToEnclosingRectSafe(bounding_client_rect, 1.0f / zoom_factor);
++
++  EXPECT_EQ(true, EvalJs(web_contents, "visible"));
++  EXPECT_EQ(scaled_rect.x(), EvalJs(web_contents, "rect.x"));
++  EXPECT_EQ(scaled_rect.y(), EvalJs(web_contents, "rect.y"));
++  EXPECT_EQ(scaled_rect.width(), EvalJs(web_contents, "rect.width"));
++  EXPECT_EQ(scaled_rect.height(), EvalJs(web_contents, "rect.height"));
++  ValidateWindowsControlOverlayState(web_contents, scaled_rect, 60);
++}
++#endif
++
++class WebContentsImplBrowserTestWindowControlsOverlayNonOneDeviceScaleFactor
++    : public WebContentsImplBrowserTestWindowControlsOverlay {
++ public:
++  void SetUp() override {
++#if defined(OS_MAC)
++    // Device scale factor on MacOSX is always an integer.
++    EnablePixelOutput(2.0f);
++#else
++    EnablePixelOutput(1.25f);
++#endif
++    WebContentsImplBrowserTestWindowControlsOverlay::SetUp();
++  }
++};
++
++IN_PROC_BROWSER_TEST_F(
++    WebContentsImplBrowserTestWindowControlsOverlayNonOneDeviceScaleFactor,
++    ValidateScaledCorrectly) {
++  auto* web_contents = shell()->web_contents();
++  GURL url(
++      R"(data:text/html,<body><div id=target style="position=absolute;
++      left: env(titlebar-area-x, 70px);
++      top: env(titlebar-area-y, 70px);
++      width: env(titlebar-area-width, 70px);
++      height: env(titlebar-area-height, 70px);"></div></body>)");
++
++  EXPECT_TRUE(NavigateToURL(shell(), url));
++  WaitForLoadStop(web_contents);
++#if defined(OS_MAC)
++  // Device scale factor on MacOSX is always an integer.
++  ASSERT_EQ(2.0f,
++            web_contents->GetRenderWidgetHostView()->GetDeviceScaleFactor());
++#else
++  ASSERT_EQ(1.25f,
++            web_contents->GetRenderWidgetHostView()->GetDeviceScaleFactor());
++#endif
++
++  gfx::Rect bounding_client_rect = gfx::Rect(5, 10, 15, 20);
++  WaitForWindowControlsOverlayUpdate(web_contents, bounding_client_rect);
++  ValidateWindowsControlOverlayState(web_contents, bounding_client_rect, 70);
+ }
+ }  // namespace content
+diff --git a/third_party/blink/common/widget/visual_properties.cc b/third_party/blink/common/widget/visual_properties.cc
+index 433ca5954c9f316905f289948ab2e4ebe66b7833..55932091bafe8959c855529d49b9f66cd6e386f0 100644
+--- a/third_party/blink/common/widget/visual_properties.cc
++++ b/third_party/blink/common/widget/visual_properties.cc
+@@ -33,7 +33,8 @@ bool VisualProperties::operator==(const VisualProperties& other) const {
+          page_scale_factor == other.page_scale_factor &&
+          compositing_scale_factor == other.compositing_scale_factor &&
+          root_widget_window_segments == other.root_widget_window_segments &&
+-         is_pinch_gesture_active == other.is_pinch_gesture_active;
++         is_pinch_gesture_active == other.is_pinch_gesture_active &&
++         window_controls_overlay_rect == other.window_controls_overlay_rect;
+ }
+ 
+ bool VisualProperties::operator!=(const VisualProperties& other) const {
+diff --git a/third_party/blink/common/widget/visual_properties_mojom_traits.cc b/third_party/blink/common/widget/visual_properties_mojom_traits.cc
+index d378def431a2643de08951ff861b68868b1d7250..262eec364918a668a2f5e65af2044c24d3380aa7 100644
+--- a/third_party/blink/common/widget/visual_properties_mojom_traits.cc
++++ b/third_party/blink/common/widget/visual_properties_mojom_traits.cc
+@@ -24,6 +24,7 @@ bool StructTraits<
+       !data.ReadBrowserControlsParams(&out->browser_controls_params) ||
+       !data.ReadLocalSurfaceId(&out->local_surface_id) ||
+       !data.ReadRootWidgetWindowSegments(&out->root_widget_window_segments) ||
++      !data.ReadWindowControlsOverlayRect(&out->window_controls_overlay_rect) ||
+       data.page_scale_factor() <= 0 || data.compositing_scale_factor() <= 0)
+     return false;
+   out->auto_resize_enabled = data.auto_resize_enabled();
+diff --git a/third_party/blink/public/common/widget/visual_properties.h b/third_party/blink/public/common/widget/visual_properties.h
+index 3c16c86e704558b40e00b40264a4d7018d89fb5e..e020adae74d1f061bbbfc5bc10e8a40a69f93410 100644
+--- a/third_party/blink/public/common/widget/visual_properties.h
++++ b/third_party/blink/public/common/widget/visual_properties.h
+@@ -129,6 +129,13 @@ struct BLINK_COMMON_EXPORT VisualProperties {
+   // main frame's renderer, and needs to be shared with subframes.
+   bool is_pinch_gesture_active = false;
+ 
++  // The rect of the Windows Control Overlay, which contains system UX
++  // affordances (e.g. close), for installed desktop Progress Web Apps (PWAs),
++  // if the app specifies the 'window-controls-overlay' DisplayMode in its
++  // manifest. This is only valid and to be consumed by the outermost main
++  // frame.
++  gfx::Rect window_controls_overlay_rect;
++
+   VisualProperties();
+   VisualProperties(const VisualProperties& other);
+   ~VisualProperties();
+diff --git a/third_party/blink/public/common/widget/visual_properties_mojom_traits.h b/third_party/blink/public/common/widget/visual_properties_mojom_traits.h
+index f6634310fd17acc7299db892d68aea770578a0f1..8d7ab89e5d434e4098a55c6b78d06bfb6f3faa29 100644
+--- a/third_party/blink/public/common/widget/visual_properties_mojom_traits.h
++++ b/third_party/blink/public/common/widget/visual_properties_mojom_traits.h
+@@ -97,6 +97,11 @@ struct BLINK_COMMON_EXPORT StructTraits<blink::mojom::VisualPropertiesDataView,
+     return r.is_pinch_gesture_active;
+   }
+ 
++  static const gfx::Rect& window_controls_overlay_rect(
++      const blink::VisualProperties& r) {
++    return r.window_controls_overlay_rect;
++  }
++
+   static bool Read(blink::mojom::VisualPropertiesDataView r,
+                    blink::VisualProperties* out);
+ };
+diff --git a/third_party/blink/public/mojom/frame/frame.mojom b/third_party/blink/public/mojom/frame/frame.mojom
+index add4a22fe76818d5fa7c124f85a781da387ba3f4..cbbbdfd799135d8c86f9f2eecd558771627991f2 100644
+--- a/third_party/blink/public/mojom/frame/frame.mojom
++++ b/third_party/blink/public/mojom/frame/frame.mojom
+@@ -1116,10 +1116,6 @@ interface LocalMainFrame {
+   UpdateBrowserControlsState(cc.mojom.BrowserControlsState constraints,
+                              cc.mojom.BrowserControlsState current,
+                              bool animate);
+-
+-  // Notify renderer that the window controls overlay has changed size or
+-  // visibility.
+-  UpdateWindowControlsOverlay(gfx.mojom.Rect window_controls_overlay_rect);
+ };
+ 
+ // Implemented in Blink, this interface defines remote main-frame-specific
+diff --git a/third_party/blink/public/mojom/widget/visual_properties.mojom b/third_party/blink/public/mojom/widget/visual_properties.mojom
+index b2fe7bf659bcfdc183e57ad7c4e45f1c422a246f..43a4874cfae908754c476a508544154e1088634e 100644
+--- a/third_party/blink/public/mojom/widget/visual_properties.mojom
++++ b/third_party/blink/public/mojom/widget/visual_properties.mojom
+@@ -92,4 +92,12 @@ struct VisualProperties {
+   // Indicates whether a pinch gesture is currently active. Originates in the
+   // main frame's renderer, and needs to be shared with subframes.
+   bool is_pinch_gesture_active;
++
++  // The rect of the Windows Control Overlay, which contains system UX
++  // affordances (e.g. close), for installed desktop Progress Web Apps (PWAs),
++  // if the app specifies the 'window-controls-overlay' DisplayMode in its
++  // manifest. This is only valid and to be consumed by the outermost main
++  // frame.
++  gfx.mojom.Rect window_controls_overlay_rect;
++
+ };
+diff --git a/third_party/blink/renderer/core/frame/local_frame.cc b/third_party/blink/renderer/core/frame/local_frame.cc
+index d6cf1cbb0beb65f0003051f67d5fa5b723c77a74..5f991049ea325368543d134cbe95614625b30004 100644
+--- a/third_party/blink/renderer/core/frame/local_frame.cc
++++ b/third_party/blink/renderer/core/frame/local_frame.cc
+@@ -2930,31 +2930,71 @@ void LocalFrame::UpdateBrowserControlsState(
+ }
+ 
+ void LocalFrame::UpdateWindowControlsOverlay(
+-    const gfx::Rect& window_controls_overlay_rect) {
++
++    const gfx::Rect& bounding_rect_in_dips) {
++  if (!RuntimeEnabledFeatures::WebAppWindowControlsOverlayEnabled(nullptr))
++    return;
++
++  // The rect passed to us from content is in DIP screen space, relative to the
++  // main frame, and needs to move to CSS space. This doesn't take the page's
++  // zoom factor into account so we must scale by the inverse of the page zoom
++  // in order to get correct CSS space coordinates. Note that when
++  // use-zoom-for-dsf is enabled, WindowToViewportScalar will be the true device
++  // scale factor, and PageZoomFactor will be the combination of the device
++  // scale factor and the zoom percent of the page. It is preferable to compute
++  // a rect that is slightly larger than one that would render smaller than the
++  // window control overlay.
++  LocalFrame& local_frame_root = LocalFrameRoot();
++  const float window_to_viewport_factor =
++      GetPage()->GetChromeClient().WindowToViewportScalar(&local_frame_root,
++                                                          1.0f);
++  const float zoom_factor = local_frame_root.PageZoomFactor();
++  const float scale_factor = zoom_factor / window_to_viewport_factor;
++  gfx::Rect window_controls_overlay_rect =
++      gfx::ScaleToEnclosingRectSafe(bounding_rect_in_dips, 1.0f / scale_factor);
++
++  bool fire_event =
++      (window_controls_overlay_rect != window_controls_overlay_rect_);
++
+   is_window_controls_overlay_visible_ = !window_controls_overlay_rect.IsEmpty();
+   window_controls_overlay_rect_ = window_controls_overlay_rect;
+ 
+   DocumentStyleEnvironmentVariables& vars =
+       GetDocument()->GetStyleEngine().EnsureEnvironmentVariables();
+-  vars.SetVariable(
+-      UADefinedVariable::kTitlebarAreaX,
+-      StyleEnvironmentVariables::FormatPx(window_controls_overlay_rect_.x()));
+-  vars.SetVariable(
+-      UADefinedVariable::kTitlebarAreaY,
+-      StyleEnvironmentVariables::FormatPx(window_controls_overlay_rect_.y()));
+-  vars.SetVariable(UADefinedVariable::kTitlebarAreaWidth,
+-                   StyleEnvironmentVariables::FormatPx(
+-                       window_controls_overlay_rect_.width()));
+-  vars.SetVariable(UADefinedVariable::kTitlebarAreaHeight,
+-                   StyleEnvironmentVariables::FormatPx(
+-                       window_controls_overlay_rect_.height()));
+-
+-  auto* window_controls_overlay =
+-      WindowControlsOverlay::FromIfExists(*DomWindow()->navigator());
+-
+-  if (window_controls_overlay) {
+-    window_controls_overlay->WindowControlsOverlayChanged(
+-        window_controls_overlay_rect);
++
++  if (is_window_controls_overlay_visible_) {
++    vars.SetVariable(
++        UADefinedVariable::kTitlebarAreaX,
++        StyleEnvironmentVariables::FormatPx(window_controls_overlay_rect_.x()));
++    vars.SetVariable(
++        UADefinedVariable::kTitlebarAreaY,
++        StyleEnvironmentVariables::FormatPx(window_controls_overlay_rect_.y()));
++    vars.SetVariable(UADefinedVariable::kTitlebarAreaWidth,
++                     StyleEnvironmentVariables::FormatPx(
++                         window_controls_overlay_rect_.width()));
++    vars.SetVariable(UADefinedVariable::kTitlebarAreaHeight,
++                     StyleEnvironmentVariables::FormatPx(
++                         window_controls_overlay_rect_.height()));
++  } else {
++    const UADefinedVariable vars_to_remove[] = {
++        UADefinedVariable::kTitlebarAreaX,
++        UADefinedVariable::kTitlebarAreaY,
++        UADefinedVariable::kTitlebarAreaWidth,
++        UADefinedVariable::kTitlebarAreaHeight,
++    };
++    for (auto var_to_remove : vars_to_remove) {
++      vars.RemoveVariable(StyleEnvironmentVariables::GetVariableName(var_to_remove));
++    }
++  }
++
++  if (fire_event) {
++    auto* window_controls_overlay =
++        WindowControlsOverlay::FromIfExists(*DomWindow()->navigator());
++
++    if (window_controls_overlay) {
++      window_controls_overlay->WindowControlsOverlayChanged(
++          window_controls_overlay_rect_);
++    }
+   }
+ }
+ 
+diff --git a/third_party/blink/renderer/core/frame/local_frame.h b/third_party/blink/renderer/core/frame/local_frame.h
+index 38ad1f729ffc7416ae56c771f5b518fb63520c08..d725460b26f25ca5746126f76efdfc8722943492 100644
+--- a/third_party/blink/renderer/core/frame/local_frame.h
++++ b/third_party/blink/renderer/core/frame/local_frame.h
+@@ -732,8 +732,7 @@ class CORE_EXPORT LocalFrame final
+   void UpdateBrowserControlsState(cc::BrowserControlsState constraints,
+                                   cc::BrowserControlsState current,
+                                   bool animate) override;
+-  void UpdateWindowControlsOverlay(
+-      const gfx::Rect& window_controls_overlay_rect) override;
++  void UpdateWindowControlsOverlay(const gfx::Rect& bounding_rect_in_dips);
+ 
+   // mojom::FullscreenVideoElementHandler implementation:
+   void RequestFullscreenVideoElement() final;
+diff --git a/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc b/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
+index 1f13dc8bce4a41b96bb2bfce776d6b55500db5b6..d33496ce445cb2af4b21cdd23bdc011d6214b352 100644
+--- a/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
++++ b/third_party/blink/renderer/core/frame/web_frame_widget_impl.cc
+@@ -1516,6 +1516,10 @@ void WebFrameWidgetImpl::ApplyVisualPropertiesSizing(
+               widget_base_->VisibleViewportSizeInDIPs()),
+           visual_properties.browser_controls_params);
+     }
++
++    LocalRootImpl()->GetFrame()->UpdateWindowControlsOverlay(
++        visual_properties.window_controls_overlay_rect);
++
+   } else {
+     // Widgets in a WebView's frame tree without a local main frame
+     // set the size of the WebView to be the |visible_viewport_size|, in order
+diff --git a/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py b/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py
+index 2816268f68d8910b11c5b6ea6d0c2a1a92bd2e1a..ac95c2f8e18081cca7a2c14899c9d7a9444fa565 100755
+--- a/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py
++++ b/third_party/blink/tools/blinkpy/presubmit/audit_non_blink_usage.py
+@@ -279,6 +279,7 @@ _CONFIG = [
+             'gfx::RectF',
+             'gfx::RRectF',
+             'gfx::ScaleToCeiledSize',
++            'gfx::ScaleToEnclosingRectSafe',
+             'gfx::ScaleVector2d',
+             'gfx::Size',
+             'gfx::SizeF',

patches/chromium/fix_media_key_usage_with_globalshortcuts.patch

@@ -0,0 +1,125 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Mon, 16 Aug 2021 17:55:32 +0200
+Subject: fix: media key usage with globalShortcuts
+
+This patch enables media keys to work properly with Electron's globalShortcut
+module. Chromium's default usage of RemoteCommandCenterDelegate on macOS falls
+down into MPRemoteCommandCenter, which makes it such that an app will not
+receive remote control events until it begins playing audio. This runs
+counter to the design of globalShortcuts, and so we need to instead
+use `ui::MediaKeysListener`.
+
+diff --git a/chrome/browser/extensions/global_shortcut_listener.cc b/chrome/browser/extensions/global_shortcut_listener.cc
+index bc009606d01469125052e68a9cdc82aaa697c764..ff18043cb07d748a49adea9874517fb29e3e7f9f 100644
+--- a/chrome/browser/extensions/global_shortcut_listener.cc
++++ b/chrome/browser/extensions/global_shortcut_listener.cc
+@@ -7,6 +7,7 @@
+ #include "base/check.h"
+ #include "base/notreached.h"
+ #include "content/public/browser/browser_thread.h"
++#include "content/public/browser/media_keys_listener_manager.h"
+ #include "ui/base/accelerators/accelerator.h"
+ 
+ using content::BrowserThread;
+@@ -66,6 +67,22 @@ void GlobalShortcutListener::UnregisterAccelerator(
+     StopListening();
+ }
+ 
++// static
++void GlobalShortcutListener::SetShouldUseInternalMediaKeyHandling(bool should_use) {
++  if (content::MediaKeysListenerManager::
++            IsMediaKeysListenerManagerEnabled()) {
++    content::MediaKeysListenerManager* media_keys_listener_manager =
++        content::MediaKeysListenerManager::GetInstance();
++    DCHECK(media_keys_listener_manager);
++
++    if (should_use) {
++      media_keys_listener_manager->EnableInternalMediaKeyHandling();
++    } else {
++      media_keys_listener_manager->DisableInternalMediaKeyHandling();
++    }
++  }
++}
++
+ void GlobalShortcutListener::UnregisterAccelerators(Observer* observer) {
+   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+   if (IsShortcutHandlingSuspended())
+diff --git a/chrome/browser/extensions/global_shortcut_listener.h b/chrome/browser/extensions/global_shortcut_listener.h
+index 9aec54a3263d24491d24013a80b719dfc834ecd4..001a6cb2a5eb701351fa924109b43fab6f30748d 100644
+--- a/chrome/browser/extensions/global_shortcut_listener.h
++++ b/chrome/browser/extensions/global_shortcut_listener.h
+@@ -31,6 +31,8 @@ class GlobalShortcutListener {
+ 
+   static GlobalShortcutListener* GetInstance();
+ 
++  static void SetShouldUseInternalMediaKeyHandling(bool should_use);
++
+   // Register an observer for when a certain |accelerator| is struck. Returns
+   // true if register successfully, or false if 1) the specificied |accelerator|
+   // has been registered by another caller or other native applications, or
+diff --git a/content/browser/media/media_keys_listener_manager_impl.cc b/content/browser/media/media_keys_listener_manager_impl.cc
+index 5938f75742b793868638e693a9a8c8dc686dfc46..1263d679a5174beb960265989c370dd4a58ae7b4 100644
+--- a/content/browser/media/media_keys_listener_manager_impl.cc
++++ b/content/browser/media/media_keys_listener_manager_impl.cc
+@@ -231,18 +231,24 @@ void MediaKeysListenerManagerImpl::StartListeningForMediaKeysIfNecessary() {
+       media::AudioManager::GetGlobalAppName());
+ #endif
+ 
+-  if (system_media_controls_) {
+-    system_media_controls_->AddObserver(this);
+-    system_media_controls_notifier_ =
+-        std::make_unique<SystemMediaControlsNotifier>(
+-            system_media_controls_.get());
+-  } else {
+-    // If we can't access system media controls, then directly listen for media
+-    // key keypresses instead.
++  // This is required for proper functioning of MediaMetadata.
++  system_media_controls_->AddObserver(this);
++  system_media_controls_notifier_ =
++      std::make_unique<SystemMediaControlsNotifier>(
++          system_media_controls_.get());
++
++  // Directly listen for media key keypresses when using GlobalShortcuts.
++#if defined(OS_MACOS)
++  auto scope = media_key_handling_enabled_ ?
++    ui::MediaKeysListener::Scope::kGlobal :
++    ui::MediaKeysListener::Scope::kGlobalRequiresAccessibility;
+     media_keys_listener_ = ui::MediaKeysListener::Create(
+-        this, ui::MediaKeysListener::Scope::kGlobal);
+-    DCHECK(media_keys_listener_);
+-  }
++      this, scope);
++#else
++  media_keys_listener_ = ui::MediaKeysListener::Create(
++    this, ui::MediaKeysListener::Scope::kGlobal);
++#endif
++  DCHECK(media_keys_listener_);
+ 
+   EnsureAuxiliaryServices();
+ }
+diff --git a/ui/base/accelerators/media_keys_listener.h b/ui/base/accelerators/media_keys_listener.h
+index c2b03328c0e508995bdc135031500783f500ceba..1b6b14dc2999c99445cef6ffc04d49a7c1728a54 100644
+--- a/ui/base/accelerators/media_keys_listener.h
++++ b/ui/base/accelerators/media_keys_listener.h
+@@ -20,6 +20,7 @@ class Accelerator;
+ class COMPONENT_EXPORT(UI_BASE) MediaKeysListener {
+  public:
+   enum class Scope {
++    kGlobalRequiresAccessibility, // Listener works whenever application in focus or not but requires accessibility permissions on macOS
+     kGlobal,   // Listener works whenever application in focus or not.
+     kFocused,  // Listener only works whan application has focus.
+   };
+diff --git a/ui/base/accelerators/media_keys_listener_win.cc b/ui/base/accelerators/media_keys_listener_win.cc
+index 6c63a88cbb13cfcc9a8ba652554839275ae1ee04..1643eafc094dce77e4ba8752cd02e1ae6c488b56 100644
+--- a/ui/base/accelerators/media_keys_listener_win.cc
++++ b/ui/base/accelerators/media_keys_listener_win.cc
+@@ -13,7 +13,7 @@ std::unique_ptr<MediaKeysListener> MediaKeysListener::Create(
+     MediaKeysListener::Scope scope) {
+   DCHECK(delegate);
+ 
+-  if (scope == Scope::kGlobal) {
++  if (scope == Scope::kGlobal || scope == Scope::kGlobalRequiresAccessibility) {
+     // We should never have more than one global media keys listener.
+     if (!GlobalMediaKeysListenerWin::has_instance())
+       return std::make_unique<GlobalMediaKeysListenerWin>(delegate);

patches/chromium/kill_a_renderer_if_it_provides_an_unexpected_frameownerelementtype.patch

@@ -0,0 +1,72 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Date: Wed, 22 Sep 2021 20:27:54 +0000
+Subject: Kill a renderer if it provides an unexpected FrameOwnerElementType
+
+(Merge to M93.)
+
+Portals and MPArch based Fenced Frames are not created as normal
+subframes.
+
+(cherry picked from commit beebc8aec0f8f9e627e69ad67ef311903924b384)
+
+Bug: 1251727
+Change-Id: I81326d2caf2038aec2f77cf577161a24bb9b65b2
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3174272
+Commit-Queue: Kevin McNee <mcnee@chromium.org>
+Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
+Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#923644}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3174713
+Auto-Submit: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Reviewed-by: Dominic Farolino <dom@chromium.org>
+Reviewed-by: Kevin McNee <mcnee@chromium.org>
+Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1266}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/content/browser/bad_message.h b/content/browser/bad_message.h
+index e198d661c711dc648a4e4c2249e0a60f69c406da..d1821c863d998cb010d8f5d12c12d79b18075a9d 100644
+--- a/content/browser/bad_message.h
++++ b/content/browser/bad_message.h
+@@ -269,6 +269,8 @@ enum BadMessageReason {
+   PAYMENTS_WITHOUT_PERMISSION = 241,
+   WEB_BUNDLE_INVALID_NAVIGATION_URL = 242,
+   WCI_INVALID_DOWNLOAD_IMAGE_RESULT = 243,
++  FARI_LOGOUT_BAD_ENDPOINT = 250,
++  RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE = 251,
+ 
+   // Please add new elements here. The naming convention is abbreviated class
+   // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
+diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
+index 29571b8ab59518fe93e35c1cc7f113e65ed39420..39717e91a88f04d42b489b2217c67f65ee797b4c 100644
+--- a/content/browser/renderer_host/render_frame_host_impl.cc
++++ b/content/browser/renderer_host/render_frame_host_impl.cc
+@@ -2771,6 +2771,14 @@ void RenderFrameHostImpl::OnCreateChildFrame(
+     // is invalid.
+     bad_message::ReceivedBadMessage(
+         GetProcess(), bad_message::RFH_CHILD_FRAME_NEEDS_OWNER_ELEMENT_TYPE);
++    return;
++  }
++  if (owner_type == blink::mojom::FrameOwnerElementType::kPortal) {
++    // Portals are not created through this child frame code path.
++    bad_message::ReceivedBadMessage(
++        GetProcess(),
++        bad_message::RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE);
++    return;
+   }
+ 
+   DCHECK(devtools_frame_token);
+diff --git a/tools/metrics/histograms/enums.xml b/tools/metrics/histograms/enums.xml
+index ed247042e6c0e2bb2b63bf102622f7bfd6ea9ac4..d6dd81a4af0fb71b0ab6b410bfb20737dfdbdbf9 100644
+--- a/tools/metrics/histograms/enums.xml
++++ b/tools/metrics/histograms/enums.xml
+@@ -7224,6 +7224,8 @@ Called by update_bad_message_reasons.py.-->
+   <int value="241" label="PAYMENTS_WITHOUT_PERMISSION"/>
+   <int value="242" label="WEB_BUNDLE_INVALID_NAVIGATION_URL"/>
+   <int value="243" label="WCI_INVALID_DOWNLOAD_IMAGE_RESULT"/>
++  <int value="250" label="FARI_LOGOUT_BAD_ENDPOINT"/>
++  <int value="251" label="RFH_CHILD_FRAME_UNEXPECTED_OWNER_ELEMENT_TYPE"/>
+ </enum>
+ 
+ <enum name="BadMessageReasonExtensions">

patches/chromium/linux_sandbox_return_enosys_for_clone3.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton@chromium.org>
+Date: Thu, 3 Jun 2021 20:06:13 +0000
+Subject: Linux sandbox: return ENOSYS for clone3
+
+Because clone3 uses a pointer argument rather than a flags argument, we
+cannot examine the contents with seccomp, which is essential to
+preventing sandboxed processes from starting other processes. So, we
+won't be able to support clone3 in Chromium. This CL modifies the
+BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
+to clone.
+
+Bug: 1213452
+Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Commit-Queue: Matthew Denton <mpdenton@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#888980}
+
+diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+index 05c39f0f564e3fc67abcf9941094b67be3257771..086c56a2be46120767db716b5e4376d68bd00581 100644
+--- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -178,6 +178,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
+     return RestrictCloneToThreadsAndEPERMFork();
+   }
+ 
++  // clone3 takes a pointer argument which we cannot examine, so return ENOSYS
++  // to force the libc to use clone. See https://crbug.com/1213452.
++  if (sysno == __NR_clone3) {
++    return Error(ENOSYS);
++  }
++
+   if (sysno == __NR_fcntl)
+     return RestrictFcntlCommands();
+ 

patches/chromium/linux_sandbox_update_syscall_numbers_for_all_platforms.patch

@@ -0,0 +1,437 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matthew Denton <mpdenton@chromium.org>
+Date: Thu, 3 Jun 2021 19:02:10 +0000
+Subject: Linux sandbox: update syscall numbers for all platforms.
+
+This includes clone3 and the landlock system calls.
+
+Bug: 1213452
+Change-Id: Iaf14a7c9d455c7a22ad179b13541a60dcabaac09
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2934620
+Auto-Submit: Matthew Denton <mpdenton@chromium.org>
+Commit-Queue: Robert Sesek <rsesek@chromium.org>
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#888958}
+
+diff --git a/sandbox/linux/system_headers/arm64_linux_syscalls.h b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+index a242c18c84213edb2f17443cb5a3e437add9d4c2..ab86b36353c22330241b0fc9b9be904490212313 100644
+--- a/sandbox/linux/system_headers/arm64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/arm64_linux_syscalls.h
+@@ -1119,4 +1119,100 @@
+ #define __NR_rseq 293
+ #endif
+ 
++#if !defined(__NR_kexec_file_load)
++#define __NR_kexec_file_load 294
++#endif
++
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal 424
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup 425
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter 426
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register 427
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree 428
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount 429
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen 430
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig 431
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount 432
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick 433
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open 434
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 435
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 437
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd 438
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 439
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_quotactl_path)
++#define __NR_quotactl_path 443
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_ARM64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/arm_linux_syscalls.h b/sandbox/linux/system_headers/arm_linux_syscalls.h
+index 85da6f41c669969f43734ffbc9b50ddffb553066..9c44368a8eeaa5e755856af446229662287db927 100644
+--- a/sandbox/linux/system_headers/arm_linux_syscalls.h
++++ b/sandbox/linux/system_headers/arm_linux_syscalls.h
+@@ -1605,6 +1605,18 @@
+ #define __NR_mount_setattr (__NR_SYSCALL_BASE + 442)
+ #endif
+ 
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset (__NR_SYSCALL_BASE + 444)
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule (__NR_SYSCALL_BASE + 445)
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self (__NR_SYSCALL_BASE + 446)
++#endif
++
+ // ARM private syscalls.
+ #if !defined(__ARM_NR_BASE)
+ #define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
+diff --git a/sandbox/linux/system_headers/mips64_linux_syscalls.h b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+index ec75815a8424f94da18ea5fd5b419b1704ef4bfe..ae7cb48f57cc9b4cabca5ab28481780658bb8847 100644
+--- a/sandbox/linux/system_headers/mips64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/mips64_linux_syscalls.h
+@@ -1271,4 +1271,148 @@
+ #define __NR_memfd_create (__NR_Linux + 314)
+ #endif
+ 
++#if !defined(__NR_bpf)
++#define __NR_bpf (__NR_Linux + 315)
++#endif
++
++#if !defined(__NR_execveat)
++#define __NR_execveat (__NR_Linux + 316)
++#endif
++
++#if !defined(__NR_userfaultfd)
++#define __NR_userfaultfd (__NR_Linux + 317)
++#endif
++
++#if !defined(__NR_membarrier)
++#define __NR_membarrier (__NR_Linux + 318)
++#endif
++
++#if !defined(__NR_mlock2)
++#define __NR_mlock2 (__NR_Linux + 319)
++#endif
++
++#if !defined(__NR_copy_file_range)
++#define __NR_copy_file_range (__NR_Linux + 320)
++#endif
++
++#if !defined(__NR_preadv2)
++#define __NR_preadv2 (__NR_Linux + 321)
++#endif
++
++#if !defined(__NR_pwritev2)
++#define __NR_pwritev2 (__NR_Linux + 322)
++#endif
++
++#if !defined(__NR_pkey_mprotect)
++#define __NR_pkey_mprotect (__NR_Linux + 323)
++#endif
++
++#if !defined(__NR_pkey_alloc)
++#define __NR_pkey_alloc (__NR_Linux + 324)
++#endif
++
++#if !defined(__NR_pkey_free)
++#define __NR_pkey_free (__NR_Linux + 325)
++#endif
++
++#if !defined(__NR_statx)
++#define __NR_statx (__NR_Linux + 326)
++#endif
++
++#if !defined(__NR_rseq)
++#define __NR_rseq (__NR_Linux + 327)
++#endif
++
++#if !defined(__NR_io_pgetevents)
++#define __NR_io_pgetevents (__NR_Linux + 328)
++#endif
++
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal (__NR_Linux + 424)
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup (__NR_Linux + 425)
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter (__NR_Linux + 426)
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register (__NR_Linux + 427)
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree (__NR_Linux + 428)
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount (__NR_Linux + 429)
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen (__NR_Linux + 430)
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig (__NR_Linux + 431)
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount (__NR_Linux + 432)
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick (__NR_Linux + 433)
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open (__NR_Linux + 434)
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 (__NR_Linux + 435)
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range (__NR_Linux + 436)
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 (__NR_Linux + 437)
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd (__NR_Linux + 438)
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 (__NR_Linux + 439)
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise (__NR_Linux + 440)
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 (__NR_Linux + 441)
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr (__NR_Linux + 442)
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset (__NR_Linux + 444)
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule (__NR_Linux + 445)
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self (__NR_Linux + 446)
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS64_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/mips_linux_syscalls.h b/sandbox/linux/system_headers/mips_linux_syscalls.h
+index 50d9ea11bfa48e8aff37b6c81214c4e72cb9fe5b..093778288bbbeb35305eac5ac1a1cfcd6e67c1dc 100644
+--- a/sandbox/linux/system_headers/mips_linux_syscalls.h
++++ b/sandbox/linux/system_headers/mips_linux_syscalls.h
+@@ -1685,4 +1685,16 @@
+ #define __NR_mount_setattr (__NR_Linux + 442)
+ #endif
+ 
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset (__NR_Linux + 444)
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule (__NR_Linux + 445)
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self (__NR_Linux + 446)
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_MIPS_LINUX_SYSCALLS_H_
+diff --git a/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+index 1720edb18103f93d009f5745ebda7fd52b7eba26..2c81a9301381812f4625d2a8b70d703c12a2df0f 100644
+--- a/sandbox/linux/system_headers/x86_32_linux_syscalls.h
++++ b/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+@@ -1738,5 +1738,17 @@
+ #define __NR_mount_setattr 442
+ #endif
+ 
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
+ 
+diff --git a/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+index b0ae0a2edf6fd60f6f67440e6c2f32a9b9d33af0..e618c6237b068c5bcb85f03f24deccd6fcecf30b 100644
+--- a/sandbox/linux/system_headers/x86_64_linux_syscalls.h
++++ b/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+@@ -1350,5 +1350,93 @@
+ #define __NR_rseq 334
+ #endif
+ 
++#if !defined(__NR_pidfd_send_signal)
++#define __NR_pidfd_send_signal 424
++#endif
++
++#if !defined(__NR_io_uring_setup)
++#define __NR_io_uring_setup 425
++#endif
++
++#if !defined(__NR_io_uring_enter)
++#define __NR_io_uring_enter 426
++#endif
++
++#if !defined(__NR_io_uring_register)
++#define __NR_io_uring_register 427
++#endif
++
++#if !defined(__NR_open_tree)
++#define __NR_open_tree 428
++#endif
++
++#if !defined(__NR_move_mount)
++#define __NR_move_mount 429
++#endif
++
++#if !defined(__NR_fsopen)
++#define __NR_fsopen 430
++#endif
++
++#if !defined(__NR_fsconfig)
++#define __NR_fsconfig 431
++#endif
++
++#if !defined(__NR_fsmount)
++#define __NR_fsmount 432
++#endif
++
++#if !defined(__NR_fspick)
++#define __NR_fspick 433
++#endif
++
++#if !defined(__NR_pidfd_open)
++#define __NR_pidfd_open 434
++#endif
++
++#if !defined(__NR_clone3)
++#define __NR_clone3 435
++#endif
++
++#if !defined(__NR_close_range)
++#define __NR_close_range 436
++#endif
++
++#if !defined(__NR_openat2)
++#define __NR_openat2 437
++#endif
++
++#if !defined(__NR_pidfd_getfd)
++#define __NR_pidfd_getfd 438
++#endif
++
++#if !defined(__NR_faccessat2)
++#define __NR_faccessat2 439
++#endif
++
++#if !defined(__NR_process_madvise)
++#define __NR_process_madvise 440
++#endif
++
++#if !defined(__NR_epoll_pwait2)
++#define __NR_epoll_pwait2 441
++#endif
++
++#if !defined(__NR_mount_setattr)
++#define __NR_mount_setattr 442
++#endif
++
++#if !defined(__NR_landlock_create_ruleset)
++#define __NR_landlock_create_ruleset 444
++#endif
++
++#if !defined(__NR_landlock_add_rule)
++#define __NR_landlock_add_rule 445
++#endif
++
++#if !defined(__NR_landlock_restrict_self)
++#define __NR_landlock_restrict_self 446
++#endif
++
+ #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
+ 

patches/chromium/m90-lts_backgroundfetch_check_whether_the_sw_id_is_valid_for.patch

@@ -0,0 +1,119 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zakhar Voit <voit@google.com>
+Date: Wed, 29 Sep 2021 14:24:18 +0000
+Subject: Check whether the SW ID is valid for GetIds().
+
+M90-LTS merge conflicts solved by using origin instead of storage key
+because the storage key migration happened after M90.
+
+(cherry picked from commit d97b8b86be732448cbc57b47f6b46547c9866df3)
+
+Bug: 1243622
+Change-Id: I93a40db0e71c7a087d279653e741800015232d7f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3135479
+Reviewed-by: Richard Knoll <knollr@chromium.org>
+Commit-Queue: Rayan Kanso <rayankans@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#917314}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3190253
+Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
+Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
+Commit-Queue: Zakhar Voit <voit@google.com>
+Cr-Commit-Position: refs/branch-heads/4430@{#1627}
+Cr-Branched-From: e5ce7dc4f7518237b3d9bb93cccca35d25216cbe-refs/heads/master@{#857950}
+
+diff --git a/content/browser/background_fetch/background_fetch_service_unittest.cc b/content/browser/background_fetch/background_fetch_service_unittest.cc
+index 6f9c4e466cbec3fa76dc68ac921ec27a9d5ab88b..bbab50e4f4771596cadba107bafe4a5ca0e55c72 100644
+--- a/content/browser/background_fetch/background_fetch_service_unittest.cc
++++ b/content/browser/background_fetch/background_fetch_service_unittest.cc
+@@ -1088,12 +1088,8 @@ TEST_F(BackgroundFetchServiceTest, GetDeveloperIds) {
+     std::vector<std::string> developer_ids;
+ 
+     GetDeveloperIds(service_worker_registration_id, &error, &developer_ids);
+-    ASSERT_EQ(error, blink::mojom::BackgroundFetchError::NONE);
+-
+-    // TODO(crbug.com/850076): The Storage Worker Database access is not
+-    // checking the origin. In a non-test environment this won't happen since a
+-    // ServiceWorker registration ID is tied to the origin.
+-    ASSERT_EQ(developer_ids.size(), 2u);
++    EXPECT_EQ(error, blink::mojom::BackgroundFetchError::STORAGE_ERROR);
++    EXPECT_TRUE(developer_ids.empty());
+   }
+ 
+   // Verify that using the wrong service worker id does not return developer ids
+@@ -1107,9 +1103,8 @@ TEST_F(BackgroundFetchServiceTest, GetDeveloperIds) {
+ 
+     GetDeveloperIds(bogus_service_worker_registration_id, &error,
+                     &developer_ids);
+-    ASSERT_EQ(error, blink::mojom::BackgroundFetchError::NONE);
+-
+-    ASSERT_EQ(developer_ids.size(), 0u);
++    EXPECT_EQ(error, blink::mojom::BackgroundFetchError::STORAGE_ERROR);
++    EXPECT_TRUE(developer_ids.empty());
+   }
+ }
+ 
+diff --git a/content/browser/background_fetch/storage/get_developer_ids_task.cc b/content/browser/background_fetch/storage/get_developer_ids_task.cc
+index 57114a79379a605105d10633e2658103cb5af2aa..53b9062c2d7da82b48d36d6d9eb8af01262b2dd0 100644
+--- a/content/browser/background_fetch/storage/get_developer_ids_task.cc
++++ b/content/browser/background_fetch/storage/get_developer_ids_task.cc
+@@ -9,6 +9,7 @@
+ #include "base/bind.h"
+ #include "content/browser/background_fetch/storage/database_helpers.h"
+ #include "content/browser/service_worker/service_worker_context_wrapper.h"
++#include "content/browser/service_worker/service_worker_registration.h"
+ 
+ namespace content {
+ namespace background_fetch {
+@@ -26,6 +27,28 @@ GetDeveloperIdsTask::GetDeveloperIdsTask(
+ GetDeveloperIdsTask::~GetDeveloperIdsTask() = default;
+ 
+ void GetDeveloperIdsTask::Start() {
++  service_worker_context()->FindReadyRegistrationForIdOnly(
++      service_worker_registration_id_,
++      base::BindOnce(&GetDeveloperIdsTask::DidGetServiceWorkerRegistration,
++                     weak_factory_.GetWeakPtr()));
++}
++
++void GetDeveloperIdsTask::DidGetServiceWorkerRegistration(
++    blink::ServiceWorkerStatusCode status,
++    scoped_refptr<ServiceWorkerRegistration> registration) {
++  if (ToDatabaseStatus(status) != DatabaseStatus::kOk || !registration) {
++    SetStorageErrorAndFinish(
++        BackgroundFetchStorageError::kServiceWorkerStorageError);
++    return;
++  }
++
++  // TODO(crbug.com/1199077): Move this check into the SW context.
++  if (registration->origin() != origin_) {
++    SetStorageErrorAndFinish(
++        BackgroundFetchStorageError::kServiceWorkerStorageError);
++    return;
++  }
++
+   service_worker_context()->GetRegistrationUserKeysAndDataByKeyPrefix(
+       service_worker_registration_id_, {kActiveRegistrationUniqueIdKeyPrefix},
+       base::BindOnce(&GetDeveloperIdsTask::DidGetUniqueIds,
+diff --git a/content/browser/background_fetch/storage/get_developer_ids_task.h b/content/browser/background_fetch/storage/get_developer_ids_task.h
+index abdcda4b819ae5479d44f9cffcd93cb45c479841..ceef2219ba706aee0e8c355f97aec1c4e3e01fa2 100644
+--- a/content/browser/background_fetch/storage/get_developer_ids_task.h
++++ b/content/browser/background_fetch/storage/get_developer_ids_task.h
+@@ -16,6 +16,9 @@
+ #include "url/origin.h"
+ 
+ namespace content {
++
++class ServiceWorkerRegistration;
++
+ namespace background_fetch {
+ 
+ // Gets the developer ids for all active registrations - registrations that have
+@@ -34,6 +37,9 @@ class GetDeveloperIdsTask : public DatabaseTask {
+   void Start() override;
+ 
+  private:
++  void DidGetServiceWorkerRegistration(
++      blink::ServiceWorkerStatusCode status,
++      scoped_refptr<ServiceWorkerRegistration> registration);
+   void DidGetUniqueIds(
+       blink::ServiceWorkerStatusCode status,
+       const base::flat_map<std::string, std::string>& data_map);

patches/chromium/m93_indexeddb_add_browser-side_checks_for_committing_transactions.patch

@@ -0,0 +1,290 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marijn Kruisselbrink <mek@chromium.org>
+Date: Fri, 10 Sep 2021 21:31:17 +0000
+Subject: M93: [IndexedDB] Add browser-side checks for committing transactions.
+
+No new IPCs should come in for a transaction after it starts committing.
+This CL adds browser-side checks in addition to the existing
+renderer-side checks for this.
+
+(cherry picked from commit ec3ddd67bae4c491ec1faba7be7cc988c425506c)
+
+Bug: 1247766
+Change-Id: If9d69d5a0320bfd3b615446710358dd439074795
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3149409
+Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
+Reviewed-by: Joshua Bell <jsbell@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#919898}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3154684
+Auto-Submit: Victor Costan <pwnall@chromium.org>
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/4577@{#1234}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/content/browser/indexed_db/database_impl.cc b/content/browser/indexed_db/database_impl.cc
+index d6ee1e0e10530785da57ca32dce62f4ab488893f..037345a2f626936acdbf60c824aef10d21e893ea 100644
+--- a/content/browser/indexed_db/database_impl.cc
++++ b/content/browser/indexed_db/database_impl.cc
+@@ -87,6 +87,13 @@ void DatabaseImpl::RenameObjectStore(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "RenameObjectStore was called after committing or aborting the "
++        "transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(
+       blink::mojom::IDBTaskType::Preemptive,
+       BindWeakOperation(&IndexedDBDatabase::RenameObjectStoreOperation,
+@@ -175,6 +182,12 @@ void DatabaseImpl::Get(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "Get was called after committing or aborting the transaction");
++    return;
++  }
++
+   blink::mojom::IDBDatabase::GetCallback aborting_callback =
+       CreateCallbackAbortOnDestruct<blink::mojom::IDBDatabase::GetCallback,
+                                     blink::mojom::IDBDatabaseGetResultPtr>(
+@@ -225,6 +238,12 @@ void DatabaseImpl::GetAll(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "GetAll was called after committing or aborting the transaction");
++    return;
++  }
++
+   // Hypothetically, this could pass the receiver to the callback immediately.
+   // However, for result ordering issues, we need to PostTask to mimic
+   // all of the other operations.
+@@ -264,6 +283,12 @@ void DatabaseImpl::SetIndexKeys(
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "SetIndexKeys was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(
+       blink::mojom::IDBTaskType::Preemptive,
+       BindWeakOperation(&IndexedDBDatabase::SetIndexKeysOperation,
+@@ -290,6 +315,13 @@ void DatabaseImpl::SetIndexesReady(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "SetIndexesReady was called after committing or aborting the "
++        "transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(
+       blink::mojom::IDBTaskType::Preemptive,
+       BindWeakOperation(&IndexedDBDatabase::SetIndexesReadyOperation,
+@@ -327,6 +359,12 @@ void DatabaseImpl::OpenCursor(
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "OpenCursor was called after committing or aborting the transaction");
++    return;
++  }
++
+   blink::mojom::IDBDatabase::OpenCursorCallback aborting_callback =
+       CreateCallbackAbortOnDestruct<
+           blink::mojom::IDBDatabase::OpenCursorCallback,
+@@ -376,6 +414,12 @@ void DatabaseImpl::Count(
+   if (!transaction)
+     return;
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "Count was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(BindWeakOperation(
+       &IndexedDBDatabase::CountOperation, connection_->database()->AsWeakPtr(),
+       object_store_id, index_id,
+@@ -401,6 +445,12 @@ void DatabaseImpl::DeleteRange(
+   if (!transaction)
+     return;
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "DeleteRange was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(BindWeakOperation(
+       &IndexedDBDatabase::DeleteRangeOperation,
+       connection_->database()->AsWeakPtr(), object_store_id,
+@@ -424,6 +474,13 @@ void DatabaseImpl::GetKeyGeneratorCurrentNumber(
+   if (!transaction)
+     return;
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "GetKeyGeneratorCurrentNumber was called after committing or aborting "
++        "the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(BindWeakOperation(
+       &IndexedDBDatabase::GetKeyGeneratorCurrentNumberOperation,
+       connection_->database()->AsWeakPtr(), object_store_id,
+@@ -447,6 +504,12 @@ void DatabaseImpl::Clear(
+   if (!transaction)
+     return;
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "Clear was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(BindWeakOperation(
+       &IndexedDBDatabase::ClearOperation, connection_->database()->AsWeakPtr(),
+       object_store_id, std::move(callbacks)));
+@@ -474,6 +537,12 @@ void DatabaseImpl::CreateIndex(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "CreateIndex was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(
+       blink::mojom::IDBTaskType::Preemptive,
+       BindWeakOperation(&IndexedDBDatabase::CreateIndexOperation,
+@@ -499,6 +568,12 @@ void DatabaseImpl::DeleteIndex(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "DeleteIndex was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(BindWeakOperation(
+       &IndexedDBDatabase::DeleteIndexOperation,
+       connection_->database()->AsWeakPtr(), object_store_id, index_id));
+@@ -523,6 +598,12 @@ void DatabaseImpl::RenameIndex(int64_t transaction_id,
+     return;
+   }
+ 
++  if (!transaction->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "RenameIndex was called after committing or aborting the transaction");
++    return;
++  }
++
+   transaction->ScheduleTask(
+       BindWeakOperation(&IndexedDBDatabase::RenameIndexOperation,
+                         connection_->database()->AsWeakPtr(), object_store_id,
+diff --git a/content/browser/indexed_db/indexed_db_transaction.h b/content/browser/indexed_db/indexed_db_transaction.h
+index 6acdd5db56dedeffdd613b04784045d25345aaf7..7536d35f00a4bd71d5f9a604448a5913bc48d156 100644
+--- a/content/browser/indexed_db/indexed_db_transaction.h
++++ b/content/browser/indexed_db/indexed_db_transaction.h
+@@ -67,6 +67,14 @@ class CONTENT_EXPORT IndexedDBTransaction {
+   // Signals the transaction for commit.
+   void SetCommitFlag();
+ 
++  // Returns false if the transaction has been signalled to commit, is in the
++  // process of committing, or finished committing or was aborted. Essentially
++  // when this returns false no tasks should be scheduled that try to modify
++  // the transaction.
++  bool IsAcceptingRequests() {
++    return !is_commit_pending_ && state_ != COMMITTING && state_ != FINISHED;
++  }
++
+   // This transaction is ultimately backed by a LevelDBScope. Aborting a
+   // transaction rolls back the LevelDBScopes, which (if LevelDBScopes is in
+   // single-sequence mode) can fail. This returns the result of that rollback,
+diff --git a/content/browser/indexed_db/transaction_impl.cc b/content/browser/indexed_db/transaction_impl.cc
+index 1abde1c7848ddc6ba40f1541a039088ff2848373..88227f763720c55cc3bfe0d8e226cb1246863068 100644
+--- a/content/browser/indexed_db/transaction_impl.cc
++++ b/content/browser/indexed_db/transaction_impl.cc
+@@ -57,6 +57,13 @@ void TransactionImpl::CreateObjectStore(int64_t object_store_id,
+     return;
+   }
+ 
++  if (!transaction_->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "CreateObjectStore was called after committing or aborting the "
++        "transaction");
++    return;
++  }
++
+   IndexedDBConnection* connection = transaction_->connection();
+   if (!connection->IsConnected())
+     return;
+@@ -79,6 +86,13 @@ void TransactionImpl::DeleteObjectStore(int64_t object_store_id) {
+     return;
+   }
+ 
++  if (!transaction_->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "DeleteObjectStore was called after committing or aborting the "
++        "transaction");
++    return;
++  }
++
+   IndexedDBConnection* connection = transaction_->connection();
+   if (!connection->IsConnected())
+     return;
+@@ -111,6 +125,12 @@ void TransactionImpl::Put(
+     return;
+   }
+ 
++  if (!transaction_->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "Put was called after committing or aborting the transaction");
++    return;
++  }
++
+   IndexedDBConnection* connection = transaction_->connection();
+   if (!connection->IsConnected()) {
+     IndexedDBDatabaseError error(blink::mojom::IDBException::kUnknownError,
+@@ -170,6 +190,12 @@ void TransactionImpl::PutAll(int64_t object_store_id,
+     return;
+   }
+ 
++  if (!transaction_->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "PutAll was called after committing or aborting the transaction");
++    return;
++  }
++
+   std::vector<std::vector<IndexedDBExternalObject>> external_objects_per_put(
+       puts.size());
+   for (size_t i = 0; i < puts.size(); i++) {
+@@ -268,6 +294,12 @@ void TransactionImpl::Commit(int64_t num_errors_handled) {
+   if (!transaction_)
+     return;
+ 
++  if (!transaction_->IsAcceptingRequests()) {
++    mojo::ReportBadMessage(
++        "Commit was called after committing or aborting the transaction");
++    return;
++  }
++
+   IndexedDBConnection* connection = transaction_->connection();
+   if (!connection->IsConnected())
+     return;

patches/chromium/m93_indexeddb_don_t_reportbadmessage_for_commit_calls.patch

@@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Victor Costan <pwnall@chromium.org>
+Date: Fri, 10 Sep 2021 22:37:26 +0000
+Subject: M93: [IndexedDB] Don't ReportBadMessage for Commit calls.
+
+We do seem to be getting commit calls quite a lot even after a
+transaction has already started to be committed or aborted, so for now
+just avoid killing the renderer until we figure out where these calls
+are coming from.
+
+(cherry picked from commit f9bf7be854ed80a792953e94dd56e1269a5bbe98)
+
+Bug: 1247766
+Change-Id: If7a4d4b12574c894addddbfcaf336295bd90e0a3
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3154398
+Reviewed-by: Daniel Murphy <dmurph@chromium.org>
+Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#920304}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3154726
+Commit-Queue: Victor Costan <pwnall@chromium.org>
+Reviewed-by: enne <enne@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4577@{#1235}
+Cr-Branched-From: 761ddde228655e313424edec06497d0c56b0f3c4-refs/heads/master@{#902210}
+
+diff --git a/content/browser/indexed_db/transaction_impl.cc b/content/browser/indexed_db/transaction_impl.cc
+index 88227f763720c55cc3bfe0d8e226cb1246863068..b0b19dd059d96320b4411f32d54d1d85ceb405ac 100644
+--- a/content/browser/indexed_db/transaction_impl.cc
++++ b/content/browser/indexed_db/transaction_impl.cc
+@@ -295,8 +295,8 @@ void TransactionImpl::Commit(int64_t num_errors_handled) {
+     return;
+ 
+   if (!transaction_->IsAcceptingRequests()) {
+-    mojo::ReportBadMessage(
+-        "Commit was called after committing or aborting the transaction");
++    // This really shouldn't be happening, but seems to be happening anyway. So
++    // rather than killing the renderer, simply ignore the request.
+     return;
+   }
+ 

patches/chromium/mas_gate_private_enterprise_APIs

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: VerteDinde <khammond@slack-corp.com>
+Date: Tue, 19 Oct 2021 16:56:25 -0700
+Subject: fix: mas gate private enterprise APIs
+
+Beginning in Electron 15.2.0, Chromium moved several formerly public
+APIs into the AreDeviceAndUserJoinedToDomain method. Using these APIs
+in a MAS build will result in rejection from the Apple Store. This
+patch gates those APIs to non-MAS builds to comply with Apple
+Store requirements, and returns the default state for MAS builds.
+
+diff --git a/base/enterprise_util_mac.mm b/base/enterprise_util_mac.mm
+index 3ebcca94d7a9916b371eb7571e1ec4ba8ec3dcad..58b7de2b2a4c3223c64d275da888ae812fee26f9 100644
+--- a/base/enterprise_util_mac.mm
++++ b/base/enterprise_util_mac.mm
+@@ -154,6 +154,10 @@ MacDeviceManagementStateNew IsDeviceRegisteredWithManagementNew() {
+ 
+ DeviceUserDomainJoinState AreDeviceAndUserJoinedToDomain() {
+   DeviceUserDomainJoinState state{false, false};
++#if defined(MAS_BUILD)
++  return state;
++}
++#else
+ 
+   @autoreleasepool {
+     ODSession* session = [ODSession defaultSession];
+@@ -256,5 +260,6 @@ DeviceUserDomainJoinState AreDeviceAndUserJoinedToDomain() {
+ 
+   return state;
+ }
++#endif
+ 
+ }  // namespace base

patches/chromium/merge_m92_speculative_fix_for_crash_in.patch

@@ -0,0 +1,527 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Clark DuVall <cduvall@chromium.org>
+Date: Fri, 20 Aug 2021 00:52:03 +0000
+Subject: Speculative fix for crash in URLLoader::OnBeforeSendHeadersComplete
+
+I wasn't able to reproduce the crash, but this should prevent crashing
+when accessing an invalid pointer for the HttpRequestHeaders. Instead of
+passing a raw pointer, OnBeforeStartTransaction will now take optional
+headers in the callback to modify the extra headers. If the job has been
+destroyed, the callback will not be run since it was bound with a
+WeakPtr to the job.
+
+(cherry picked from commit c06b3928469bfd0e0a9fa6045b95a7be70ef393f)
+
+Bug: 1221047
+Change-Id: I93d5838b778e7283f7043fd2c841844941f52a85
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042975
+Commit-Queue: Clark DuVall <cduvall@chromium.org>
+Reviewed-by: Matt Mueller <mattm@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#905539}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3108058
+Auto-Submit: Clark DuVall <cduvall@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4515@{#2070}
+Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
+
+diff --git a/net/base/network_delegate.cc b/net/base/network_delegate.cc
+index e8a345b195cb282da8472d8776f474db38938d07..4345802376a414c2d497a52861554dfddf6926c2 100644
+--- a/net/base/network_delegate.cc
++++ b/net/base/network_delegate.cc
+@@ -35,14 +35,13 @@ int NetworkDelegate::NotifyBeforeURLRequest(URLRequest* request,
+ 
+ int NetworkDelegate::NotifyBeforeStartTransaction(
+     URLRequest* request,
+-    CompletionOnceCallback callback,
+-    HttpRequestHeaders* headers) {
++    const HttpRequestHeaders& headers,
++    OnBeforeStartTransactionCallback callback) {
+   TRACE_EVENT0(NetTracingCategory(),
+                "NetworkDelegate::NotifyBeforeStartTransation");
+   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+-  DCHECK(headers);
+   DCHECK(!callback.is_null());
+-  return OnBeforeStartTransaction(request, std::move(callback), headers);
++  return OnBeforeStartTransaction(request, headers, std::move(callback));
+ }
+ 
+ int NetworkDelegate::NotifyHeadersReceived(
+diff --git a/net/base/network_delegate.h b/net/base/network_delegate.h
+index f93f91c0bd3af2b213314106838b3c318f9a67e4..8f35b2096b04b76a23a9ec8e6928af21c543d8b2 100644
+--- a/net/base/network_delegate.h
++++ b/net/base/network_delegate.h
+@@ -55,9 +55,11 @@ class NET_EXPORT NetworkDelegate {
+   int NotifyBeforeURLRequest(URLRequest* request,
+                              CompletionOnceCallback callback,
+                              GURL* new_url);
++  using OnBeforeStartTransactionCallback =
++      base::OnceCallback<void(int, const base::Optional<HttpRequestHeaders>&)>;
+   int NotifyBeforeStartTransaction(URLRequest* request,
+-                                   CompletionOnceCallback callback,
+-                                   HttpRequestHeaders* headers);
++                                   const HttpRequestHeaders& headers,
++                                   OnBeforeStartTransactionCallback callback);
+   int NotifyHeadersReceived(
+       URLRequest* request,
+       CompletionOnceCallback callback,
+@@ -132,7 +134,8 @@ class NET_EXPORT NetworkDelegate {
+                                  GURL* new_url) = 0;
+ 
+   // Called right before the network transaction starts. Allows the delegate to
+-  // read/write |headers| before they get sent out.
++  // read |headers| and modify them by passing a new copy to |callback| before
++  // they get sent out.
+   //
+   // Returns OK to continue with the request, ERR_IO_PENDING if the result is
+   // not ready yet, and any other status code to cancel the request. If
+@@ -141,11 +144,11 @@ class NET_EXPORT NetworkDelegate {
+   // or OnCompleted. Once cancelled, |request| and |headers| become invalid and
+   // |callback| may not be called.
+   //
+-  // The default implementation returns OK (continue with request) without
+-  // modifying |headers|.
+-  virtual int OnBeforeStartTransaction(URLRequest* request,
+-                                       CompletionOnceCallback callback,
+-                                       HttpRequestHeaders* headers) = 0;
++  // The default implementation returns OK (continue with request).
++  virtual int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) = 0;
+ 
+   // Called for HTTP requests when the headers have been received.
+   // |original_response_headers| contains the headers as received over the
+diff --git a/net/base/network_delegate_impl.cc b/net/base/network_delegate_impl.cc
+index b944aae5f8dcb8f0db31e8cb4efa98318372be58..e0553d34432fc7cb7ea3f6446cd76fedb7e2e51c 100644
+--- a/net/base/network_delegate_impl.cc
++++ b/net/base/network_delegate_impl.cc
+@@ -16,8 +16,8 @@ int NetworkDelegateImpl::OnBeforeURLRequest(URLRequest* request,
+ 
+ int NetworkDelegateImpl::OnBeforeStartTransaction(
+     URLRequest* request,
+-    CompletionOnceCallback callback,
+-    HttpRequestHeaders* headers) {
++    const HttpRequestHeaders& headers,
++    OnBeforeStartTransactionCallback callback) {
+   return OK;
+ }
+ 
+diff --git a/net/base/network_delegate_impl.h b/net/base/network_delegate_impl.h
+index 5c33624ee828d785fcf34d66285c15e9ccab8b6c..08355f46f8120a880dd904fb7b33654db1e60c80 100644
+--- a/net/base/network_delegate_impl.h
++++ b/net/base/network_delegate_impl.h
+@@ -39,9 +39,10 @@ class NET_EXPORT NetworkDelegateImpl : public NetworkDelegate {
+                          CompletionOnceCallback callback,
+                          GURL* new_url) override;
+ 
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override;
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override;
+ 
+   int OnHeadersReceived(
+       URLRequest* request,
+diff --git a/net/proxy_resolution/network_delegate_error_observer_unittest.cc b/net/proxy_resolution/network_delegate_error_observer_unittest.cc
+index bd3ce6bbbea98fa3b62f2ca11e8895a7b6887559..542f57cb8f019cc6f5d13910353de12c295519ac 100644
+--- a/net/proxy_resolution/network_delegate_error_observer_unittest.cc
++++ b/net/proxy_resolution/network_delegate_error_observer_unittest.cc
+@@ -35,9 +35,10 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
+                          GURL* new_url) override {
+     return OK;
+   }
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override {
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override {
+     return OK;
+   }
+   int OnHeadersReceived(
+diff --git a/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc b/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
+index 786c6709addd276a6452b46a0de758668fb8c648..1e2b05b15cc7a70965cd3824369e93bc13e7c78d 100644
+--- a/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
++++ b/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
+@@ -146,9 +146,10 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
+     return OK;
+   }
+ 
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override {
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override {
+     return OK;
+   }
+ 
+diff --git a/net/url_request/url_request_context_builder.cc b/net/url_request/url_request_context_builder.cc
+index 8773ed5a1b193e03b573ea7d6ffdc370a12a217f..9dd042ff4b910e9e8a17ce90f1de3cf7b0a87e79 100644
+--- a/net/url_request/url_request_context_builder.cc
++++ b/net/url_request/url_request_context_builder.cc
+@@ -80,9 +80,10 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
+     return OK;
+   }
+ 
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override {
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override {
+     return OK;
+   }
+ 
+diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
+index 393b89a5624a3ad3e4fe76be62eb1698839bad96..680f38a72bd9eb237b0641d82aa307c1d2202fa8 100644
+--- a/net/url_request/url_request_http_job.cc
++++ b/net/url_request/url_request_http_job.cc
+@@ -381,15 +381,10 @@ void URLRequestHttpJob::StartTransaction() {
+   if (network_delegate) {
+     OnCallToDelegate(
+         NetLogEventType::NETWORK_DELEGATE_BEFORE_START_TRANSACTION);
+-    // The NetworkDelegate must watch for OnRequestDestroyed and not modify
+-    // |extra_headers| after it's called.
+-    // TODO(mattm): change the API to remove the out-params and take the
+-    // results as params of the callback.
+     int rv = network_delegate->NotifyBeforeStartTransaction(
+-        request_,
++        request_, request_info_.extra_headers,
+         base::BindOnce(&URLRequestHttpJob::NotifyBeforeStartTransactionCallback,
+-                       weak_factory_.GetWeakPtr()),
+-        &request_info_.extra_headers);
++                       weak_factory_.GetWeakPtr()));
+     // If an extension blocks the request, we rely on the callback to
+     // MaybeStartTransactionInternal().
+     if (rv == ERR_IO_PENDING)
+@@ -400,10 +395,14 @@ void URLRequestHttpJob::StartTransaction() {
+   StartTransactionInternal();
+ }
+ 
+-void URLRequestHttpJob::NotifyBeforeStartTransactionCallback(int result) {
++void URLRequestHttpJob::NotifyBeforeStartTransactionCallback(
++    int result,
++    const base::Optional<HttpRequestHeaders>& headers) {
+   // The request should not have been cancelled or have already completed.
+   DCHECK(!is_done());
+ 
++  if (headers)
++    request_info_.extra_headers = headers.value();
+   MaybeStartTransactionInternal(result);
+ }
+ 
+diff --git a/net/url_request/url_request_http_job.h b/net/url_request/url_request_http_job.h
+index 4b09404d87fd6109b6f7dfb67ee66bf43f59c2e4..ada9591ff4b57edcf05302243096b129afd3eed9 100644
+--- a/net/url_request/url_request_http_job.h
++++ b/net/url_request/url_request_http_job.h
+@@ -123,7 +123,9 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
+   void OnHeadersReceivedCallback(int result);
+   void OnStartCompleted(int result);
+   void OnReadCompleted(int result);
+-  void NotifyBeforeStartTransactionCallback(int result);
++  void NotifyBeforeStartTransactionCallback(
++      int result,
++      const base::Optional<HttpRequestHeaders>& headers);
+   // This just forwards the call to URLRequestJob::NotifyConnected().
+   // We need it because that method is protected and cannot be bound in a
+   // callback in this class.
+diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc
+index 6ec09da926d87b8edb833afa3cef233ba96ccda0..4e60f98bbffa3d22ddb65d3e6736fb71b5333d62 100644
+--- a/net/url_request/url_request_test_util.cc
++++ b/net/url_request/url_request_test_util.cc
+@@ -450,8 +450,8 @@ int TestNetworkDelegate::OnBeforeURLRequest(URLRequest* request,
+ 
+ int TestNetworkDelegate::OnBeforeStartTransaction(
+     URLRequest* request,
+-    CompletionOnceCallback callback,
+-    HttpRequestHeaders* headers) {
++    const HttpRequestHeaders& headers,
++    OnBeforeStartTransactionCallback callback) {
+   if (before_start_transaction_fails_)
+     return ERR_FAILED;
+ 
+diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h
+index 4fffcb55df0c4dfc71a05c1bcc2f5e9c99cba920..765218450a9fbf39ce783088021c3df14282dc75 100644
+--- a/net/url_request/url_request_test_util.h
++++ b/net/url_request/url_request_test_util.h
+@@ -347,9 +347,10 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
+   int OnBeforeURLRequest(URLRequest* request,
+                          CompletionOnceCallback callback,
+                          GURL* new_url) override;
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override;
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override;
+   int OnHeadersReceived(
+       URLRequest* request,
+       CompletionOnceCallback callback,
+diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
+index 4b694307e4b8ba56fe03b8a03051bf24225440f2..897937fc200d4df939d48c23ee721f03de514780 100644
+--- a/net/url_request/url_request_unittest.cc
++++ b/net/url_request/url_request_unittest.cc
+@@ -444,9 +444,10 @@ class BlockingNetworkDelegate : public TestNetworkDelegate {
+                          CompletionOnceCallback callback,
+                          GURL* new_url) override;
+ 
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override;
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override;
+ 
+   int OnHeadersReceived(
+       URLRequest* request,
+@@ -545,13 +546,19 @@ int BlockingNetworkDelegate::OnBeforeURLRequest(URLRequest* request,
+ 
+ int BlockingNetworkDelegate::OnBeforeStartTransaction(
+     URLRequest* request,
+-    CompletionOnceCallback callback,
+-    HttpRequestHeaders* headers) {
++    const HttpRequestHeaders& headers,
++    OnBeforeStartTransactionCallback callback) {
+   // TestNetworkDelegate always completes synchronously.
+   CHECK_NE(ERR_IO_PENDING, TestNetworkDelegate::OnBeforeStartTransaction(
+-                               request, base::NullCallback(), headers));
++                               request, headers, base::NullCallback()));
+ 
+-  return MaybeBlockStage(ON_BEFORE_SEND_HEADERS, std::move(callback));
++  return MaybeBlockStage(
++      ON_BEFORE_SEND_HEADERS,
++      base::BindOnce(
++          [](OnBeforeStartTransactionCallback callback, int result) {
++            std::move(callback).Run(result, absl::nullopt);
++          },
++          std::move(callback)));
+ }
+ 
+ int BlockingNetworkDelegate::OnHeadersReceived(
+@@ -4876,13 +4883,19 @@ class AsyncLoggingNetworkDelegate : public TestNetworkDelegate {
+     return RunCallbackAsynchronously(request, std::move(callback));
+   }
+ 
+-  int OnBeforeStartTransaction(URLRequest* request,
+-                               CompletionOnceCallback callback,
+-                               HttpRequestHeaders* headers) override {
++  int OnBeforeStartTransaction(
++      URLRequest* request,
++      const HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override {
+     // TestNetworkDelegate always completes synchronously.
+     CHECK_NE(ERR_IO_PENDING, TestNetworkDelegate::OnBeforeStartTransaction(
+-                                 request, base::NullCallback(), headers));
+-    return RunCallbackAsynchronously(request, std::move(callback));
++                                 request, headers, base::NullCallback()));
++    return RunCallbackAsynchronously(
++        request, base::BindOnce(
++                     [](OnBeforeStartTransactionCallback callback, int result) {
++                       std::move(callback).Run(result, absl::nullopt);
++                     },
++                     std::move(callback)));
+   }
+ 
+   int OnHeadersReceived(
+diff --git a/services/network/network_service_network_delegate.cc b/services/network/network_service_network_delegate.cc
+index cd21d0ece5ae07225126f889dd84daecee728a3a..098fd068de46cb6213f2d75bf14f17baa4ff8ae4 100644
+--- a/services/network/network_service_network_delegate.cc
++++ b/services/network/network_service_network_delegate.cc
+@@ -103,16 +103,16 @@ int NetworkServiceNetworkDelegate::OnBeforeURLRequest(
+ 
+ int NetworkServiceNetworkDelegate::OnBeforeStartTransaction(
+     net::URLRequest* request,
+-    net::CompletionOnceCallback callback,
+-    net::HttpRequestHeaders* headers) {
++    const net::HttpRequestHeaders& headers,
++    OnBeforeStartTransactionCallback callback) {
+   URLLoader* url_loader = URLLoader::ForRequest(*request);
+   if (url_loader)
+-    return url_loader->OnBeforeStartTransaction(std::move(callback), headers);
++    return url_loader->OnBeforeStartTransaction(headers, std::move(callback));
+ 
+ #if !defined(OS_IOS)
+   WebSocket* web_socket = WebSocket::ForRequest(*request);
+   if (web_socket)
+-    return web_socket->OnBeforeStartTransaction(std::move(callback), headers);
++    return web_socket->OnBeforeStartTransaction(headers, std::move(callback));
+ #endif  // !defined(OS_IOS)
+ 
+   return net::OK;
+diff --git a/services/network/network_service_network_delegate.h b/services/network/network_service_network_delegate.h
+index 1e81d8ec2cde1d8e710adc8c447d325bb104421f..76d53dfc914162cfff72d2ee8aeabee8f9879e5a 100644
+--- a/services/network/network_service_network_delegate.h
++++ b/services/network/network_service_network_delegate.h
+@@ -38,9 +38,10 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkServiceNetworkDelegate
+   int OnBeforeURLRequest(net::URLRequest* request,
+                          net::CompletionOnceCallback callback,
+                          GURL* new_url) override;
+-  int OnBeforeStartTransaction(net::URLRequest* request,
+-                               net::CompletionOnceCallback callback,
+-                               net::HttpRequestHeaders* headers) override;
++  int OnBeforeStartTransaction(
++      net::URLRequest* request,
++      const net::HttpRequestHeaders& headers,
++      OnBeforeStartTransactionCallback callback) override;
+   int OnHeadersReceived(
+       net::URLRequest* request,
+       net::CompletionOnceCallback callback,
+diff --git a/services/network/url_loader.cc b/services/network/url_loader.cc
+index 6f0cb6f4ed60b7043febc4e940523cc8863566c5..2360f5a0ce03543134e3aea583c92115226b0029 100644
+--- a/services/network/url_loader.cc
++++ b/services/network/url_loader.cc
+@@ -1655,13 +1655,14 @@ void URLLoader::OnReadCompleted(net::URLRequest* url_request, int bytes_read) {
+   // |this| may have been deleted.
+ }
+ 
+-int URLLoader::OnBeforeStartTransaction(net::CompletionOnceCallback callback,
+-                                        net::HttpRequestHeaders* headers) {
++int URLLoader::OnBeforeStartTransaction(
++    const net::HttpRequestHeaders& headers,
++    net::NetworkDelegate::OnBeforeStartTransactionCallback callback) {
+   if (header_client_) {
+     header_client_->OnBeforeSendHeaders(
+-        *headers, base::BindOnce(&URLLoader::OnBeforeSendHeadersComplete,
+-                                 weak_ptr_factory_.GetWeakPtr(),
+-                                 std::move(callback), headers));
++        headers,
++        base::BindOnce(&URLLoader::OnBeforeSendHeadersComplete,
++                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+     return net::ERR_IO_PENDING;
+   }
+   return net::OK;
+@@ -2029,13 +2030,10 @@ void URLLoader::ResumeStart() {
+ }
+ 
+ void URLLoader::OnBeforeSendHeadersComplete(
+-    net::CompletionOnceCallback callback,
+-    net::HttpRequestHeaders* out_headers,
++    net::NetworkDelegate::OnBeforeStartTransactionCallback callback,
+     int result,
+     const base::Optional<net::HttpRequestHeaders>& headers) {
+-  if (headers)
+-    *out_headers = headers.value();
+-  std::move(callback).Run(result);
++  std::move(callback).Run(result, headers);
+ }
+ 
+ void URLLoader::OnHeadersReceivedComplete(
+diff --git a/services/network/url_loader.h b/services/network/url_loader.h
+index 00976c56702ed3e77505438344b214ce134e8a4f..ec1ebdc3ea1af904343c42d31b1afcca435d20f8 100644
+--- a/services/network/url_loader.h
++++ b/services/network/url_loader.h
+@@ -24,6 +24,7 @@
+ #include "mojo/public/cpp/system/data_pipe.h"
+ #include "mojo/public/cpp/system/simple_watcher.h"
+ #include "net/base/load_states.h"
++#include "net/base/network_delegate.h"
+ #include "net/http/http_raw_request_headers.h"
+ #include "net/traffic_annotation/network_traffic_annotation.h"
+ #include "net/url_request/url_request.h"
+@@ -172,8 +173,9 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) URLLoader
+ 
+   // These methods are called by the network delegate to forward these events to
+   // the |header_client_|.
+-  int OnBeforeStartTransaction(net::CompletionOnceCallback callback,
+-                               net::HttpRequestHeaders* headers);
++  int OnBeforeStartTransaction(
++      const net::HttpRequestHeaders& headers,
++      net::NetworkDelegate::OnBeforeStartTransactionCallback callback);
+   int OnHeadersReceived(
+       net::CompletionOnceCallback callback,
+       const net::HttpResponseHeaders* original_response_headers,
+@@ -342,8 +344,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) URLLoader
+   void RecordBodyReadFromNetBeforePausedIfNeeded();
+   void ResumeStart();
+   void OnBeforeSendHeadersComplete(
+-      net::CompletionOnceCallback callback,
+-      net::HttpRequestHeaders* out_headers,
++      net::NetworkDelegate::OnBeforeStartTransactionCallback callback,
+       int result,
+       const base::Optional<net::HttpRequestHeaders>& headers);
+   void OnHeadersReceivedComplete(
+diff --git a/services/network/websocket.cc b/services/network/websocket.cc
+index 8b73bc115c96d404b6ca538a62a34789272d282b..0b8e554c2b1823d83ed493e52e3bfc75ebcacdbd 100644
+--- a/services/network/websocket.cc
++++ b/services/network/websocket.cc
+@@ -537,13 +537,14 @@ bool WebSocket::AllowCookies(const GURL& url) const {
+              url, site_for_cookies_) == net::OK;
+ }
+ 
+-int WebSocket::OnBeforeStartTransaction(net::CompletionOnceCallback callback,
+-                                        net::HttpRequestHeaders* headers) {
++int WebSocket::OnBeforeStartTransaction(
++    const net::HttpRequestHeaders& headers,
++    net::NetworkDelegate::OnBeforeStartTransactionCallback callback) {
+   if (header_client_) {
+     header_client_->OnBeforeSendHeaders(
+-        *headers, base::BindOnce(&WebSocket::OnBeforeSendHeadersComplete,
+-                                 weak_ptr_factory_.GetWeakPtr(),
+-                                 std::move(callback), headers));
++        headers,
++        base::BindOnce(&WebSocket::OnBeforeSendHeadersComplete,
++                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+     return net::ERR_IO_PENDING;
+   }
+   return net::OK;
+@@ -840,17 +841,14 @@ void WebSocket::OnAuthRequiredComplete(
+ }
+ 
+ void WebSocket::OnBeforeSendHeadersComplete(
+-    net::CompletionOnceCallback callback,
+-    net::HttpRequestHeaders* out_headers,
++    net::NetworkDelegate::OnBeforeStartTransactionCallback callback,
+     int result,
+     const base::Optional<net::HttpRequestHeaders>& headers) {
+   if (!channel_) {
+     // Something happened before the OnBeforeSendHeaders response arrives.
+     return;
+   }
+-  if (headers)
+-    *out_headers = headers.value();
+-  std::move(callback).Run(result);
++  std::move(callback).Run(result, headers);
+ }
+ 
+ void WebSocket::OnHeadersReceivedComplete(
+diff --git a/services/network/websocket.h b/services/network/websocket.h
+index 2b0c877a4175ccd664e927359301637949b20f1d..4557b7eb7e410e95fb2722362ae70b708bee3d2a 100644
+--- a/services/network/websocket.h
++++ b/services/network/websocket.h
+@@ -22,6 +22,7 @@
+ #include "base/types/strong_alias.h"
+ #include "mojo/public/cpp/bindings/receiver.h"
+ #include "mojo/public/cpp/bindings/remote.h"
++#include "net/base/network_delegate.h"
+ #include "net/traffic_annotation/network_traffic_annotation.h"
+ #include "net/websockets/websocket_event_interface.h"
+ #include "services/network/network_service.h"
+@@ -88,8 +89,9 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) WebSocket : public mojom::WebSocket {
+ 
+   // These methods are called by the network delegate to forward these events to
+   // the |header_client_|.
+-  int OnBeforeStartTransaction(net::CompletionOnceCallback callback,
+-                               net::HttpRequestHeaders* headers);
++  int OnBeforeStartTransaction(
++      const net::HttpRequestHeaders& headers,
++      net::NetworkDelegate::OnBeforeStartTransactionCallback callback);
+   int OnHeadersReceived(
+       net::CompletionOnceCallback callback,
+       const net::HttpResponseHeaders* original_response_headers,
+@@ -148,8 +150,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) WebSocket : public mojom::WebSocket {
+       base::OnceCallback<void(const net::AuthCredentials*)> callback,
+       const base::Optional<net::AuthCredentials>& credential);
+   void OnBeforeSendHeadersComplete(
+-      net::CompletionOnceCallback callback,
+-      net::HttpRequestHeaders* out_headers,
++      net::NetworkDelegate::OnBeforeStartTransactionCallback callback,
+       int result,
+       const base::Optional<net::HttpRequestHeaders>& headers);
+   void OnHeadersReceivedComplete(

patches/chromium/move_networkstateobserver_from_document_to_window.patch

@@ -0,0 +1,222 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Adam Rice <ricea@chromium.org>
+Date: Thu, 30 Sep 2021 13:35:07 +0000
+Subject: Move NetworkStateObserver from document to window
+
+Previously NetworkStateObserver was a nested class of Document. Make it
+a nested class of LocalDOMWindow instead, since they have the same
+lifetime and it fires "online" and "offline" events at the window, not
+the document.
+
+BUG=1206928
+
+(cherry picked from commit af84d38b5cf5ee24f432ae8273bc2dad1e075f0e)
+
+Change-Id: I2a1080915cf56cfa47eae65594fe6edcc8c2130a
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3167550
+Reviewed-by: Kentaro Hara <haraken@chromium.org>
+Commit-Queue: Adam Rice <ricea@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#922429}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3196231
+Cr-Commit-Position: refs/branch-heads/4638@{#476}
+Cr-Branched-From: 159257cab5585bc8421abf347984bb32fdfe9eb9-refs/heads/main@{#920003}
+
+diff --git a/third_party/blink/renderer/core/dom/document.cc b/third_party/blink/renderer/core/dom/document.cc
+index ef5f685998311169352b0bb3065ad6e00f1fe720..e2b94dabe76aa5cd042a9384d5f2a464cf0fa1a4 100644
+--- a/third_party/blink/renderer/core/dom/document.cc
++++ b/third_party/blink/renderer/core/dom/document.cc
+@@ -324,7 +324,6 @@
+ #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
+ #include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
+ #include "third_party/blink/renderer/platform/network/http_parsers.h"
+-#include "third_party/blink/renderer/platform/network/network_state_notifier.h"
+ #include "third_party/blink/renderer/platform/runtime_enabled_features.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/event_loop.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/frame_or_worker_scheduler.h"
+@@ -578,43 +577,6 @@ uint64_t Document::global_tree_version_ = 0;
+ 
+ static bool g_threaded_parsing_enabled_for_testing = true;
+ 
+-class Document::NetworkStateObserver final
+-    : public GarbageCollected<Document::NetworkStateObserver>,
+-      public NetworkStateNotifier::NetworkStateObserver,
+-      public ExecutionContextLifecycleObserver {
+- public:
+-  explicit NetworkStateObserver(ExecutionContext* context)
+-      : ExecutionContextLifecycleObserver(context) {
+-    online_observer_handle_ = GetNetworkStateNotifier().AddOnLineObserver(
+-        this, GetExecutionContext()->GetTaskRunner(TaskType::kNetworking));
+-  }
+-
+-  void OnLineStateChange(bool on_line) override {
+-    AtomicString event_name =
+-        on_line ? event_type_names::kOnline : event_type_names::kOffline;
+-    auto* window = To<LocalDOMWindow>(GetExecutionContext());
+-    window->DispatchEvent(*Event::Create(event_name));
+-    probe::NetworkStateChanged(window->GetFrame(), on_line);
+-  }
+-
+-  void ContextDestroyed() override {
+-    UnregisterAsObserver(GetExecutionContext());
+-  }
+-
+-  void UnregisterAsObserver(ExecutionContext* context) {
+-    DCHECK(context);
+-    online_observer_handle_ = nullptr;
+-  }
+-
+-  void Trace(Visitor* visitor) const override {
+-    ExecutionContextLifecycleObserver::Trace(visitor);
+-  }
+-
+- private:
+-  std::unique_ptr<NetworkStateNotifier::NetworkStateObserverHandle>
+-      online_observer_handle_;
+-};
+-
+ ExplicitlySetAttrElementsMap* Document::GetExplicitlySetAttrElementsMap(
+     Element* element) {
+   DCHECK(element);
+@@ -2948,12 +2910,6 @@ void Document::Initialize() {
+ 
+   if (View())
+     View()->DidAttachDocument();
+-
+-  // Observer(s) should not be initialized until the document is initialized /
+-  // attached to a frame. Otherwise
+-  // ExecutionContextLifecycleObserver::contextDestroyed wouldn't be fired.
+-  network_state_observer_ =
+-      MakeGarbageCollected<NetworkStateObserver>(GetExecutionContext());
+ }
+ 
+ void Document::Shutdown() {
+@@ -8163,7 +8119,6 @@ void Document::Trace(Visitor* visitor) const {
+   visitor->Trace(intersection_observer_controller_);
+   visitor->Trace(snap_coordinator_);
+   visitor->Trace(property_registry_);
+-  visitor->Trace(network_state_observer_);
+   visitor->Trace(policy_);
+   visitor->Trace(slot_assignment_engine_);
+   visitor->Trace(viewport_data_);
+diff --git a/third_party/blink/renderer/core/dom/document.h b/third_party/blink/renderer/core/dom/document.h
+index 83fb7a47c2a1abbe69b4f2136f5dbb745e283b08..c4c6ea6ff33516f9690a4d8121ce83797203b399 100644
+--- a/third_party/blink/renderer/core/dom/document.h
++++ b/third_party/blink/renderer/core/dom/document.h
+@@ -1720,7 +1720,6 @@ class CORE_EXPORT Document : public ContainerNode,
+                            BeforeMatchExpandedHiddenMatchableUkm);
+   FRIEND_TEST_ALL_PREFIXES(TextFinderSimTest,
+                            BeforeMatchExpandedHiddenMatchableUkmNoHandler);
+-  class NetworkStateObserver;
+ 
+   friend class AXContext;
+   void AddAXContext(AXContext*);
+@@ -2113,8 +2112,6 @@ class CORE_EXPORT Document : public ContainerNode,
+ 
+   TaskHandle sensitive_input_edited_task_;
+ 
+-  Member<NetworkStateObserver> network_state_observer_;
+-
+   // |ukm_recorder_| and |source_id_| will allow objects that are part of
+   // the document to record UKM.
+   std::unique_ptr<ukm::UkmRecorder> ukm_recorder_;
+diff --git a/third_party/blink/renderer/core/frame/local_dom_window.cc b/third_party/blink/renderer/core/frame/local_dom_window.cc
+index 45a5e1ca7d1010da894968c7e786e2ab7072fae2..3b64833fe561f96a76987938c79e2c901ba4b7fc 100644
+--- a/third_party/blink/renderer/core/frame/local_dom_window.cc
++++ b/third_party/blink/renderer/core/frame/local_dom_window.cc
+@@ -127,6 +127,7 @@
+ #include "third_party/blink/renderer/platform/bindings/script_state.h"
+ #include "third_party/blink/renderer/platform/heap/heap.h"
+ #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
++#include "third_party/blink/renderer/platform/network/network_state_notifier.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/dummy_schedulers.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/post_cross_thread_task.h"
+ #include "third_party/blink/renderer/platform/timer.h"
+@@ -162,6 +163,38 @@ bool ShouldRecordPostMessageIncomingFrameUkmEvent(
+ 
+ }  // namespace
+ 
++class LocalDOMWindow::NetworkStateObserver final
++    : public GarbageCollected<LocalDOMWindow::NetworkStateObserver>,
++      public NetworkStateNotifier::NetworkStateObserver,
++      public ExecutionContextLifecycleObserver {
++ public:
++  explicit NetworkStateObserver(ExecutionContext* context)
++      : ExecutionContextLifecycleObserver(context) {}
++
++  void Initialize() {
++    online_observer_handle_ = GetNetworkStateNotifier().AddOnLineObserver(
++        this, GetExecutionContext()->GetTaskRunner(TaskType::kNetworking));
++  }
++
++  void OnLineStateChange(bool on_line) override {
++    AtomicString event_name =
++        on_line ? event_type_names::kOnline : event_type_names::kOffline;
++    auto* window = To<LocalDOMWindow>(GetExecutionContext());
++    window->DispatchEvent(*Event::Create(event_name));
++    probe::NetworkStateChanged(window->GetFrame(), on_line);
++  }
++
++  void ContextDestroyed() override { online_observer_handle_ = nullptr; }
++
++  void Trace(Visitor* visitor) const override {
++    ExecutionContextLifecycleObserver::Trace(visitor);
++  }
++
++ private:
++  std::unique_ptr<NetworkStateNotifier::NetworkStateObserverHandle>
++      online_observer_handle_;
++};
++
+ LocalDOMWindow::LocalDOMWindow(LocalFrame& frame, WindowAgent* agent)
+     : DOMWindow(frame),
+       ExecutionContext(V8PerIsolateData::MainThreadIsolate(), agent),
+@@ -179,7 +212,9 @@ LocalDOMWindow::LocalDOMWindow(LocalFrame& frame, WindowAgent* agent)
+       isolated_world_csp_map_(
+           MakeGarbageCollected<
+               HeapHashMap<int, Member<ContentSecurityPolicy>>>()),
+-      token_(frame.GetLocalFrameToken()) {}
++      token_(frame.GetLocalFrameToken()),
++      network_state_observer_(
++          MakeGarbageCollected<NetworkStateObserver>(this)) {}
+ 
+ void LocalDOMWindow::BindContentSecurityPolicy() {
+   DCHECK(!GetContentSecurityPolicy()->IsBound());
+@@ -189,6 +224,7 @@ void LocalDOMWindow::BindContentSecurityPolicy() {
+ 
+ void LocalDOMWindow::Initialize() {
+   GetAgent()->AttachContext(this);
++  network_state_observer_->Initialize();
+ }
+ 
+ void LocalDOMWindow::ResetWindowAgent(WindowAgent* agent) {
+@@ -2072,6 +2108,7 @@ void LocalDOMWindow::Trace(Visitor* visitor) const {
+   visitor->Trace(spell_checker_);
+   visitor->Trace(text_suggestion_controller_);
+   visitor->Trace(isolated_world_csp_map_);
++  visitor->Trace(network_state_observer_);
+   DOMWindow::Trace(visitor);
+   ExecutionContext::Trace(visitor);
+   Supplementable<LocalDOMWindow>::Trace(visitor);
+diff --git a/third_party/blink/renderer/core/frame/local_dom_window.h b/third_party/blink/renderer/core/frame/local_dom_window.h
+index e9da1b27a55982266d910e8c90d9f22d975915c9..a0ea2c1f2fc40888336e24f3b6e4b0b83142eaf0 100644
+--- a/third_party/blink/renderer/core/frame/local_dom_window.h
++++ b/third_party/blink/renderer/core/frame/local_dom_window.h
+@@ -437,6 +437,8 @@ class CORE_EXPORT LocalDOMWindow final : public DOMWindow,
+                            LocalDOMWindow* source) override;
+ 
+  private:
++  class NetworkStateObserver;
++
+   // Intentionally private to prevent redundant checks when the type is
+   // already LocalDOMWindow.
+   bool IsLocalDOMWindow() const override { return true; }
+@@ -535,6 +537,9 @@ class CORE_EXPORT LocalDOMWindow final : public DOMWindow,
+   // this UKM is logged.
+   // TODO(crbug.com/1112491): Remove when no longer needed.
+   Deque<ukm::SourceId> post_message_ukm_recorded_source_ids_;
++
++  // Fire "online" and "offline" events.
++  Member<NetworkStateObserver> network_state_observer_;
+ };
+ 
+ template <>

patches/chromium/pa_make_getusablesize_handle_nullptr_gracefully.patch

@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Bartek Nowierski <bartekn@chromium.org>
+Date: Thu, 29 Jul 2021 10:38:19 +0000
+Subject: Make GetUsableSize() handle nullptr gracefully
+
+malloc_usable_size() is expected to not crush on NULL and return 0.
+
+(cherry picked from commit 61e16c92ff24bb71b9b7309a9d6d470ee91738bc)
+
+Bug: 1221442
+Change-Id: I6a3b90dcf3a8ad18114c206d87b98f60d5f50eb1
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3042177
+Commit-Queue: Bartek Nowierski <bartekn@chromium.org>
+Commit-Queue: Kentaro Hara <haraken@chromium.org>
+Auto-Submit: Bartek Nowierski <bartekn@chromium.org>
+Reviewed-by: Kentaro Hara <haraken@chromium.org>
+Cr-Original-Commit-Position: refs/heads/master@{#903900}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3060345
+Cr-Commit-Position: refs/branch-heads/4515@{#1905}
+Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
+
+diff --git a/base/allocator/partition_allocator/partition_alloc_unittest.cc b/base/allocator/partition_allocator/partition_alloc_unittest.cc
+index bb6faf759ed9829c7fa644a09521674d89898abc..d494f02d4e9db705823e92c670fb4d352ad7f8ea 100644
+--- a/base/allocator/partition_allocator/partition_alloc_unittest.cc
++++ b/base/allocator/partition_allocator/partition_alloc_unittest.cc
+@@ -2752,6 +2752,10 @@ TEST_F(PartitionAllocTest, OptimizedGetSlotNumber) {
+   }
+ }
+ 
++TEST_F(PartitionAllocTest, GetUsableSizeNull) {
++  EXPECT_EQ(0ULL, PartitionRoot<ThreadSafe>::GetUsableSize(nullptr));
++}
++
+ TEST_F(PartitionAllocTest, GetUsableSize) {
+   size_t delta = SystemPageSize() + 1;
+   for (size_t size = 1; size <= kMinDirectMappedDownsize; size += delta) {
+diff --git a/base/allocator/partition_allocator/partition_root.h b/base/allocator/partition_allocator/partition_root.h
+index 742ac8937c495811e0694157ca49b35afe4a06d3..de427e66bfb3c910bf7fbc638feff61b4d3ed418 100644
+--- a/base/allocator/partition_allocator/partition_root.h
++++ b/base/allocator/partition_allocator/partition_root.h
+@@ -1164,6 +1164,9 @@ ALWAYS_INLINE bool PartitionRoot<thread_safe>::TryRecommitSystemPagesForData(
+ // PartitionAlloc's internal data. Used as malloc_usable_size.
+ template <bool thread_safe>
+ ALWAYS_INLINE size_t PartitionRoot<thread_safe>::GetUsableSize(void* ptr) {
++  // malloc_usable_size() is expected to handle NULL gracefully and return 0.
++  if (!ptr)
++    return 0;
+   auto* slot_span = SlotSpan::FromSlotInnerPtr(ptr);
+   auto* root = FromSlotSpan(slot_span);
+   return slot_span->GetUsableSize(root);

patches/chromium/skip_webgl_conformance_programs_program-test_html_on_all_platforms.patch

@@ -0,0 +1,55 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Yuly Novikov <ynovikov@chromium.org>
+Date: Thu, 9 Sep 2021 20:00:43 +0000
+Subject: Skip WebGL conformance/programs/program-test.html on all platforms
+
+To unblock ANGLE CL http://crrev.com/c/3140496, which modifies behaviour
+to make it an error to draw after the current program fails to re-link.
+
+(cherry picked from commit 8ef1e4544ed5214608039d969940347d8f98e543)
+
+Bug: 1241123
+Bug: angleproject:6358
+Change-Id: I40a1f4843f902533745cc9527379def9d777a578
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140226
+Auto-Submit: Yuly Novikov <ynovikov@chromium.org>
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Original-Commit-Position: refs/heads/main@{#918281}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3150594
+Auto-Submit: Jamie Madill <jmadill@chromium.org>
+Commit-Queue: Yuly Novikov <ynovikov@chromium.org>
+Reviewed-by: Yuly Novikov <ynovikov@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4515@{#2117}
+Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287}
+
+diff --git a/content/test/gpu/gpu_tests/test_expectations/webgl2_conformance_expectations.txt b/content/test/gpu/gpu_tests/test_expectations/webgl2_conformance_expectations.txt
+index 597fb2319f2994f993821033d4a5751f376443e6..69b8eac78f12345d843d9e603f3fcbf62ad42a58 100644
+--- a/content/test/gpu/gpu_tests/test_expectations/webgl2_conformance_expectations.txt
++++ b/content/test/gpu/gpu_tests/test_expectations/webgl2_conformance_expectations.txt
+@@ -171,6 +171,10 @@ crbug.com/1085222 [ win10 intel-0x5912 ] deqp/functional/gles3/shaderoperator/un
+ crbug.com/1085222 [ catalina intel-0xa2e ] deqp/functional/gles3/shaderoperator/binary_operator_* [ RetryOnFailure ]
+ crbug.com/1085222 [ catalina intel-0xa2e ] deqp/functional/gles3/shaderoperator/unary_operator_* [ RetryOnFailure ]
+ 
++# Temporary suppression while we wait for a spec update.
++# TODO(jmadill): Remove when possible.
++crbug.com/angleproject/6358 conformance/programs/program-test.html [ Failure ]
++
+ ####################
+ # Win failures     #
+ ####################
+diff --git a/content/test/gpu/gpu_tests/test_expectations/webgl_conformance_expectations.txt b/content/test/gpu/gpu_tests/test_expectations/webgl_conformance_expectations.txt
+index 87b310449dafc66701105e996cd1f564b2dbd601..bea1dc72f4709709552eefdfffe5fa8f250afdab 100644
+--- a/content/test/gpu/gpu_tests/test_expectations/webgl_conformance_expectations.txt
++++ b/content/test/gpu/gpu_tests/test_expectations/webgl_conformance_expectations.txt
+@@ -257,6 +257,10 @@ crbug.com/1163292 [ win nvidia angle-d3d9 ] conformance/textures/misc/texture-co
+ crbug.com/1105129 [ linux ] conformance/context/context-creation.html [ RetryOnFailure ]
+ crbug.com/1105129 [ win ] conformance/context/context-creation.html [ RetryOnFailure ]
+ 
++# Temporary suppression while we wait for a spec update.
++# TODO(jmadill): Remove when possible.
++crbug.com/angleproject/6358 conformance/programs/program-test.html [ Failure ]
++
+ # Win / AMD / Passthrough command decoder / D3D11
+ crbug.com/772037 [ win amd angle-d3d11 passthrough ] conformance/textures/misc/texture-sub-image-cube-maps.html [ RetryOnFailure ]
+ 

patches/chromium/speculative_fix_for_eye_dropper_getcolor_crash.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ionel Popescu <iopopesc@microsoft.com>
+Date: Wed, 15 Sep 2021 18:16:16 +0000
+Subject: Speculative fix for eye dropper getColor crash.
+
+There seems to be a situation where the captured frame coordinates
+are different than the ones accessible by moving the mouse.
+
+I am not able to locally reproduce this issue, so I am adding DCHECKs
+to validate that the coordinates are correct and I am also handling
+the invalid coordinates to prevent invalid memory access.
+
+(cherry picked from commit a656373ae7212e0d88474bdec4691a4152452748)
+
+Bug: 1246631
+Change-Id: I915d46a71aa73b5dcf08127d347fdd47c1ddf54c
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3152423
+Reviewed-by: Mason Freed <masonf@chromium.org>
+Commit-Queue: Ionel Popescu <iopopesc@microsoft.com>
+Cr-Original-Commit-Position: refs/heads/main@{#920811}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3163070
+Auto-Submit: Ionel Popescu <iopopesc@microsoft.com>
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/4638@{#75}
+Cr-Branched-From: 159257cab5585bc8421abf347984bb32fdfe9eb9-refs/heads/main@{#920003}
+
+diff --git a/chrome/browser/ui/views/eye_dropper/eye_dropper_view.cc b/chrome/browser/ui/views/eye_dropper/eye_dropper_view.cc
+index 7ade75635619fb33151ca2414add02045bccc836..b337d4890f8f1b45ce57bb7ed1607bc9de752b7a 100644
+--- a/chrome/browser/ui/views/eye_dropper/eye_dropper_view.cc
++++ b/chrome/browser/ui/views/eye_dropper/eye_dropper_view.cc
+@@ -65,6 +65,7 @@ class EyeDropperView::ScreenCapturer
+                        std::unique_ptr<webrtc::DesktopFrame> frame) override;
+ 
+   SkBitmap GetBitmap() const;
++  SkColor GetColor(int x, int y) const;
+ 
+  private:
+   std::unique_ptr<webrtc::DesktopCapturer> capturer_;
+@@ -95,6 +96,13 @@ SkBitmap EyeDropperView::ScreenCapturer::GetBitmap() const {
+   return frame_;
+ }
+ 
++SkColor EyeDropperView::ScreenCapturer::GetColor(int x, int y) const {
++  DCHECK(x < frame_.width());
++  DCHECK(y < frame_.height());
++  return x < frame_.width() && y < frame_.height() ? frame_.getColor(x, y)
++                                                   : SK_ColorBLACK;
++}
++
+ EyeDropperView::EyeDropperView(content::RenderFrameHost* frame,
+                                content::EyeDropperListener* listener)
+     : render_frame_host_(frame),
+@@ -178,7 +186,8 @@ void EyeDropperView::OnPaint(gfx::Canvas* view_canvas) {
+ 
+   // Store the pixel color under the cursor as it is the last color seen
+   // by the user before selection.
+-  selected_color_ = frame.getColor(center_position.x(), center_position.y());
++  selected_color_ =
++      screen_capturer_->GetColor(center_position.x(), center_position.y());
+ 
+   // Paint grid.
+   cc::PaintFlags flags;

patches/config.json

@@ -19,5 +19,9 @@
 
   "src/electron/patches/angle": "src/third_party/angle",
 
-  "src/electron/patches/sqlite": "src/third_party/sqlite/src"
+  "src/electron/patches/sqlite": "src/third_party/sqlite/src",
+
+  "src/electron/patches/webrtc": "src/third_party/webrtc",
+
+  "src/electron/patches/pdfium": "src/third_party/pdfium"
 }

patches/node/.patches

@@ -36,3 +36,4 @@ fix_handle_new_tostring_behavior_in_v8_serdes_test.patch
 fix_the_--harmony-weak-refs_has_been_removed_remove_from_specs.patch
 node-api_faster_threadsafe_function.patch
 src_add_missing_context_scopes.patch
+fix_remove_expired_dst_root_ca_x3.patch

patches/node/fix_remove_expired_dst_root_ca_x3.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: deepak1556 <hop2deep@gmail.com>
+Date: Fri, 1 Oct 2021 08:03:08 +0900
+Subject: fix: remove expired DST Root CA X3
+
+The alternative ISRG Root X1 trusted certificate is
+already available in this bundle.
+
+https://letsencrypt.org/docs/certificate-compatibility/
+https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
+
+diff --git a/src/node_root_certs.h b/src/node_root_certs.h
+index 47beb730f4b853f1bf248a7fd1b1cd7d726bdf7e..94ac882ec7e4e2eb61d1f0094f79fb6f603d978c 100644
+--- a/src/node_root_certs.h
++++ b/src/node_root_certs.h
+@@ -525,26 +525,6 @@
+ "yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep+OkuE6N36B9K\n"
+ "-----END CERTIFICATE-----",
+ 
+-/* DST Root CA X3 */
+-"-----BEGIN CERTIFICATE-----\n"
+-"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYD\n"
+-"VQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENB\n"
+-"IFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRh\n"
+-"bCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJ\n"
+-"KoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdA\n"
+-"wRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwG\n"
+-"MoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4X\n"
+-"Lh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n"
+-"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkq\n"
+-"tilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n"
+-"HQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiyb\n"
+-"FwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR\n"
+-"6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaL\n"
+-"bumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir\n"
+-"/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06Xyx\n"
+-"V3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n"
+-"-----END CERTIFICATE-----",
+-
+ /* SwissSign Gold CA - G2 */
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIFujCCA6KgAwIBAgIJALtAHEP1Xk+wMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkNI\n"

patches/pdfium/.patches

@@ -0,0 +1 @@
+m94_use_more_safe_arithmetic_in_cfx_dibbase.patch

patches/pdfium/m94_use_more_safe_arithmetic_in_cfx_dibbase.patch

@@ -0,0 +1,143 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <tsepez@chromium.org>
+Date: Thu, 14 Oct 2021 18:29:32 +0000
+Subject: M94: Use more safe arithmetic in CFX_DIBBase
+
+Most of the calculations are "safe" because we know that the DIB
+has validated sizes before allocating a buffer, and that calculations
+in terms of bytes won't overflow and will be within the buffer. But
+calculations in terms of bits might create overflow in temporaries,
+so use safe arithmetic there instead.
+
+Re-arranging the order of operations thus converting to bytes first
+might be one option, but we want to handle the 1 bpp case.
+
+Test would require large images that might not be possible on
+all platforms.
+
+Bug: chromium:1253399
+Change-Id: I3c6c5b8b1f1bf3f429c7d377a8a84c5ab53cafd9
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/85510
+Reviewed-by: Lei Zhang <thestig@chromium.org>
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+(cherry picked from commit a8b293732a0160d1bc1d5b0ad5744922f0f820d5)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/85950
+
+diff --git a/core/fxge/dib/cfx_bitmapcomposer.cpp b/core/fxge/dib/cfx_bitmapcomposer.cpp
+index 86066ba72dccc78d65dbaaba76ee4d47d18080a2..af7a2480989668d0108b91fe4e60f2d6a12d31dd 100644
+--- a/core/fxge/dib/cfx_bitmapcomposer.cpp
++++ b/core/fxge/dib/cfx_bitmapcomposer.cpp
+@@ -6,6 +6,7 @@
+ 
+ #include "core/fxge/dib/cfx_bitmapcomposer.h"
+ 
++#include "core/fxcrt/fx_safe_types.h"
+ #include "core/fxge/cfx_cliprgn.h"
+ #include "core/fxge/dib/cfx_dibitmap.h"
+ 
+@@ -109,8 +110,17 @@ void CFX_BitmapComposer::ComposeScanline(int line,
+                     m_pClipMask->GetPitch() +
+                 (m_DestLeft - m_pClipRgn->GetBox().left);
+   }
+-  uint8_t* dest_scan = m_pBitmap->GetWritableScanline(line + m_DestTop) +
+-                       m_DestLeft * m_pBitmap->GetBPP() / 8;
++  uint8_t* dest_scan = m_pBitmap->GetWritableScanline(line + m_DestTop);
++  if (dest_scan) {
++    FX_SAFE_UINT32 offset = m_DestLeft;
++    offset *= m_pBitmap->GetBPP();
++    offset /= 8;
++    if (!offset.IsValid())
++      return;
++
++    // Help some compilers perform pointer arithmetic against safe numerics.
++    dest_scan += static_cast<uint32_t>(offset.ValueOrDie());
++  }
+   uint8_t* dest_alpha_scan =
+       m_pBitmap->m_pAlphaMask
+           ? m_pBitmap->m_pAlphaMask->GetWritableScanline(line + m_DestTop) +
+diff --git a/core/fxge/dib/cfx_dibbase.cpp b/core/fxge/dib/cfx_dibbase.cpp
+index 137556e4fd3de77521ae50c3f2f00d6e43651149..e0186e5c58aa09f24b263783a700cf627bd727ec 100644
+--- a/core/fxge/dib/cfx_dibbase.cpp
++++ b/core/fxge/dib/cfx_dibbase.cpp
+@@ -628,15 +628,25 @@ RetainPtr<CFX_DIBitmap> CFX_DIBBase::Clone(const FX_RECT* pClip) const {
+       }
+     }
+   } else {
+-    int copy_len = (pNewBitmap->GetWidth() * pNewBitmap->GetBPP() + 7) / 8;
+-    if (m_Pitch < static_cast<uint32_t>(copy_len))
+-      copy_len = m_Pitch;
++    FX_SAFE_UINT32 copy_len = pNewBitmap->GetWidth();
++    copy_len *= pNewBitmap->GetBPP();
++    copy_len += 7;
++    copy_len /= 8;
++    if (!copy_len.IsValid())
++      return nullptr;
++
++    copy_len = std::min<uint32_t>(m_Pitch, copy_len.ValueOrDie());
++
++    FX_SAFE_UINT32 offset = rect.left;
++    offset *= GetBppFromFormat(m_Format);
++    offset /= 8;
++    if (!offset.IsValid())
++      return nullptr;
+ 
+     for (int row = rect.top; row < rect.bottom; ++row) {
+-      const uint8_t* src_scan =
+-          GetScanline(row) + rect.left * GetBppFromFormat(m_Format) / 8;
++      const uint8_t* src_scan = GetScanline(row) + offset.ValueOrDie();
+       uint8_t* dest_scan = pNewBitmap->GetWritableScanline(row - rect.top);
+-      memcpy(dest_scan, src_scan, copy_len);
++      memcpy(dest_scan, src_scan, copy_len.ValueOrDie());
+     }
+   }
+   return pNewBitmap;
+diff --git a/core/fxge/dib/cfx_dibitmap.cpp b/core/fxge/dib/cfx_dibitmap.cpp
+index 5012d4400be224189fa175fc4a6603ff88069835..ad23d4bb6bb82767bf2e27f3f4538e3f2f29c481 100644
+--- a/core/fxge/dib/cfx_dibitmap.cpp
++++ b/core/fxge/dib/cfx_dibitmap.cpp
+@@ -216,8 +216,14 @@ bool CFX_DIBitmap::TransferWithUnequalFormats(
+   if (GetBppFromFormat(m_Format) == 8)
+     dest_format = FXDIB_Format::k8bppMask;
+ 
++  FX_SAFE_UINT32 offset = dest_left;
++  offset *= GetBPP();
++  offset /= 8;
++  if (!offset.IsValid())
++    return false;
++
+   uint8_t* dest_buf =
+-      m_pBuffer.Get() + dest_top * m_Pitch + dest_left * GetBPP() / 8;
++      m_pBuffer.Get() + dest_top * m_Pitch + offset.ValueOrDie();
+   std::vector<uint32_t, FxAllocAllocator<uint32_t>> d_plt;
+   return ConvertBuffer(dest_format, dest_buf, m_Pitch, width, height,
+                        pSrcBitmap, src_left, src_top, &d_plt);
+@@ -497,7 +503,13 @@ uint32_t CFX_DIBitmap::GetPixel(int x, int y) const {
+   if (!m_pBuffer)
+     return 0;
+ 
+-  uint8_t* pos = m_pBuffer.Get() + y * m_Pitch + x * GetBPP() / 8;
++  FX_SAFE_UINT32 offset = x;
++  offset *= GetBPP();
++  offset /= 8;
++  if (!offset.IsValid())
++    return 0;
++
++  uint8_t* pos = m_pBuffer.Get() + y * m_Pitch + offset.ValueOrDie();
+   switch (GetFormat()) {
+     case FXDIB_Format::k1bppMask: {
+       if ((*pos) & (1 << (7 - x % 8))) {
+@@ -536,7 +548,13 @@ void CFX_DIBitmap::SetPixel(int x, int y, uint32_t color) {
+   if (x < 0 || x >= m_Width || y < 0 || y >= m_Height)
+     return;
+ 
+-  uint8_t* pos = m_pBuffer.Get() + y * m_Pitch + x * GetBPP() / 8;
++  FX_SAFE_UINT32 offset = x;
++  offset *= GetBPP();
++  offset /= 8;
++  if (!offset.IsValid())
++    return;
++
++  uint8_t* pos = m_pBuffer.Get() + y * m_Pitch + offset.ValueOrDie();
+   switch (GetFormat()) {
+     case FXDIB_Format::k1bppMask:
+       if (color >> 24) {

patches/v8/.patches

@@ -9,4 +9,12 @@ fix_build_deprecated_attirbute_for_older_msvc_versions.patch
 cherry-pick-e38d55313ad9.patch
 cherry-pick-1234770.patch
 cherry-pick-1231950.patch
+cherry-pick-1228036.patch
 cherry-pick-1234764.patch
+cherry-pick-fbfd2557c2ab.patch
+cherry-pick-034c2003be31.patch
+regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch
+regexp_allow_reentrant_irregexp_execution.patch
+regexp_remove_the_stack_parameter_from_regexp_matchers.patch
+cherry-pick-5c4acf2ae64a.patch
+cherry-pick-6de4e210688e.patch

patches/v8/cherry-pick-034c2003be31.patch

@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <neis@chromium.org>
+Date: Thu, 9 Sep 2021 14:41:58 +0200
+Subject: Merged: [compiler] Fix a bug in global property access reduction
+
+Bug: chromium:1247763
+(cherry picked from commit 6391d7a58d0c58cd5d096d22453b954b3ecc6fec)
+
+Change-Id: Ifa775224ed30a2d680c6e3653063483c733de831
+No-Try: true
+No-Presubmit: true
+No-Tree-Checks: true
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3151960
+Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
+Reviewed-by: Toon Verwaest <verwaest@chromium.org>
+Reviewed-by: Michael Hablich <hablich@chromium.org>
+Cr-Commit-Position: refs/branch-heads/9.3@{#37}
+Cr-Branched-From: 7744dce208a555494e4a33e24fadc71ea20b3895-refs/heads/9.3.345@{#1}
+Cr-Branched-From: 4b6b4cabf3b6a20cdfda72b369df49f3311c4344-refs/heads/master@{#75728}
+
+diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
+index 3d9290a0bf9d3f0f638c7e0c4bb16ce84c125c32..df83ab6db85dd53ccba30c78d3866110f1ee0685 100644
+--- a/src/compiler/js-native-context-specialization.cc
++++ b/src/compiler/js-native-context-specialization.cc
+@@ -841,6 +841,12 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
+       return NoChange();
+     } else if (property_cell_type == PropertyCellType::kUndefined) {
+       return NoChange();
++    } else if (property_cell_type == PropertyCellType::kConstantType) {
++      // We rely on stability further below.
++      if (property_cell_value.IsHeapObject() &&
++          !property_cell_value.AsHeapObject().map().is_stable()) {
++        return NoChange();
++      }
+     }
+   } else if (access_mode == AccessMode::kHas) {
+     DCHECK_EQ(receiver, lookup_start_object);
+@@ -957,17 +963,7 @@ Reduction JSNativeContextSpecialization::ReduceGlobalAccess(
+         if (property_cell_value.IsHeapObject()) {
+           MapRef property_cell_value_map =
+               property_cell_value.AsHeapObject().map();
+-          if (property_cell_value_map.is_stable()) {
+-            dependencies()->DependOnStableMap(property_cell_value_map);
+-          } else {
+-            // The value's map is already unstable. If this store were to go
+-            // through the C++ runtime, it would transition the PropertyCell to
+-            // kMutable. We don't want to change the cell type from generated
+-            // code (to simplify concurrent heap access), however, so we keep
+-            // it as kConstantType and do the store anyways (if the new value's
+-            // map matches). This is safe because it merely prolongs the limbo
+-            // state that we are in already.
+-          }
++          dependencies()->DependOnStableMap(property_cell_value_map);
+ 
+           // Check that the {value} is a HeapObject.
+           value = effect = graph()->NewNode(simplified()->CheckHeapObject(),

patches/v8/cherry-pick-1228036.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Georg Neis <neis@chromium.org>
+Date: Mon, 26 Jul 2021 16:40:39 +0200
+Subject: Finish concurrent sweeping before overwriting ByteArrays
+
+Bug: chromium:1228036
+Change-Id: I5abe7009920d2c8f81f024c9ae7bb6b13607da1a
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3054119
+Commit-Queue: Georg Neis <neis@chromium.org>
+Reviewed-by: Hannes Payer <hpayer@chromium.org>
+
+diff --git a/src/deoptimizer/translated-state.cc b/src/deoptimizer/translated-state.cc
+index 02c473d22b18a0a4c288e655afdb73340a0d0ffc..b5378a553a49e41c96713cf3f2ed901f7cfe4626 100644
+--- a/src/deoptimizer/translated-state.cc
++++ b/src/deoptimizer/translated-state.cc
+@@ -514,6 +514,12 @@ Handle<Object> TranslatedValue::GetValue() {
+     //    pass the verifier.
+     container_->EnsureObjectAllocatedAt(this);
+ 
++    // Finish any sweeping so that it becomes safe to overwrite the ByteArray
++    // headers.
++    // TODO(hpayer): Find a cleaner way to support a group of
++    // non-fully-initialized objects.
++    isolate()->heap()->mark_compact_collector()->EnsureSweepingCompleted();
++
+     // 2. Initialize the objects. If we have allocated only byte arrays
+     //    for some objects, we now overwrite the byte arrays with the
+     //    correct object fields. Note that this phase does not allocate
+@@ -1397,9 +1403,9 @@ TranslatedValue* TranslatedState::GetValueByObjectIndex(int object_index) {
+ }
+ 
+ Handle<HeapObject> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
+-  slot = ResolveCapturedObject(slot);
+-
+   DisallowGarbageCollection no_gc;
++
++  slot = ResolveCapturedObject(slot);
+   if (slot->materialization_state() != TranslatedValue::kFinished) {
+     std::stack<int> worklist;
+     worklist.push(slot->object_index());

patches/v8/cherry-pick-5c4acf2ae64a.patch

@@ -0,0 +1,319 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Adam Klein <adamk@chromium.org>
+Date: Wed, 29 Sep 2021 14:56:46 -0700
+Subject: Merged: [heap] Improve ephemeron processing
+
+Revision: 1054ee7f349d6be22e9518cf9b794b206d0e5818
+
+Bug: chromium:1252918
+Change-Id: I0764cb78d4a0d4b5859c0edf383c2827321db398
+No-Try: true
+No-Presubmit: true
+No-Tree-Checks: true
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3195062
+Reviewed-by: Shu-yu Guo <syg@chromium.org>
+Cr-Commit-Position: refs/branch-heads/9.4@{#37}
+Cr-Branched-From: 3b51863bc25492549a8bf96ff67ce481b1a3337b-refs/heads/9.4.146@{#1}
+Cr-Branched-From: 2890419fc8fb9bdb507fdd801d76fa7dd9f022b5-refs/heads/master@{#76233}
+
+diff --git a/src/heap/concurrent-marking.cc b/src/heap/concurrent-marking.cc
+index eb1511f71d9491f05636d422c3ba9d3ecf401efa..085af904369da631d2dc9aa3db05ab5e1b3812fe 100644
+--- a/src/heap/concurrent-marking.cc
++++ b/src/heap/concurrent-marking.cc
+@@ -433,7 +433,7 @@ void ConcurrentMarking::Run(JobDelegate* delegate,
+     isolate->PrintWithTimestamp("Starting concurrent marking task %d\n",
+                                 task_id);
+   }
+-  bool ephemeron_marked = false;
++  bool another_ephemeron_iteration = false;
+ 
+   {
+     TimedScope scope(&time_ms);
+@@ -443,7 +443,7 @@ void ConcurrentMarking::Run(JobDelegate* delegate,
+ 
+       while (weak_objects_->current_ephemerons.Pop(task_id, &ephemeron)) {
+         if (visitor.ProcessEphemeron(ephemeron.key, ephemeron.value)) {
+-          ephemeron_marked = true;
++          another_ephemeron_iteration = true;
+         }
+       }
+     }
+@@ -484,6 +484,7 @@ void ConcurrentMarking::Run(JobDelegate* delegate,
+           current_marked_bytes += visited_size;
+         }
+       }
++      if (objects_processed > 0) another_ephemeron_iteration = true;
+       marked_bytes += current_marked_bytes;
+       base::AsAtomicWord::Relaxed_Store<size_t>(&task_state->marked_bytes,
+                                                 marked_bytes);
+@@ -499,7 +500,7 @@ void ConcurrentMarking::Run(JobDelegate* delegate,
+ 
+       while (weak_objects_->discovered_ephemerons.Pop(task_id, &ephemeron)) {
+         if (visitor.ProcessEphemeron(ephemeron.key, ephemeron.value)) {
+-          ephemeron_marked = true;
++          another_ephemeron_iteration = true;
+         }
+       }
+     }
+@@ -519,8 +520,8 @@ void ConcurrentMarking::Run(JobDelegate* delegate,
+     base::AsAtomicWord::Relaxed_Store<size_t>(&task_state->marked_bytes, 0);
+     total_marked_bytes_ += marked_bytes;
+ 
+-    if (ephemeron_marked) {
+-      set_ephemeron_marked(true);
++    if (another_ephemeron_iteration) {
++      set_another_ephemeron_iteration(true);
+     }
+   }
+   if (FLAG_trace_concurrent_marking) {
+diff --git a/src/heap/concurrent-marking.h b/src/heap/concurrent-marking.h
+index c685f5cca6de44ca910c5b19c7dce4aa7412e845..54f6057f58b12354629126380452c29c5427c695 100644
+--- a/src/heap/concurrent-marking.h
++++ b/src/heap/concurrent-marking.h
+@@ -91,10 +91,12 @@ class V8_EXPORT_PRIVATE ConcurrentMarking {
+ 
+   size_t TotalMarkedBytes();
+ 
+-  void set_ephemeron_marked(bool ephemeron_marked) {
+-    ephemeron_marked_.store(ephemeron_marked);
++  void set_another_ephemeron_iteration(bool another_ephemeron_iteration) {
++    another_ephemeron_iteration_.store(another_ephemeron_iteration);
++  }
++  bool another_ephemeron_iteration() {
++    return another_ephemeron_iteration_.load();
+   }
+-  bool ephemeron_marked() { return ephemeron_marked_.load(); }
+ 
+  private:
+   struct TaskState {
+@@ -115,7 +117,7 @@ class V8_EXPORT_PRIVATE ConcurrentMarking {
+   WeakObjects* const weak_objects_;
+   TaskState task_state_[kMaxTasks + 1];
+   std::atomic<size_t> total_marked_bytes_{0};
+-  std::atomic<bool> ephemeron_marked_{false};
++  std::atomic<bool> another_ephemeron_iteration_{false};
+ };
+ 
+ }  // namespace internal
+diff --git a/src/heap/incremental-marking.cc b/src/heap/incremental-marking.cc
+index a0938359817fa88008a3280efa478de45417b6a8..efedcdb32b6c71f3030618b47dcb21797495af89 100644
+--- a/src/heap/incremental-marking.cc
++++ b/src/heap/incremental-marking.cc
+@@ -921,7 +921,8 @@ StepResult IncrementalMarking::Step(double max_step_size_in_ms,
+     // This ignores that case where the embedder finds new V8-side objects. The
+     // assumption is that large graphs are well connected and can mostly be
+     // processed on their own. For small graphs, helping is not necessary.
+-    v8_bytes_processed = collector_->ProcessMarkingWorklist(bytes_to_process);
++    std::tie(v8_bytes_processed, std::ignore) =
++        collector_->ProcessMarkingWorklist(bytes_to_process);
+     StepResult v8_result = local_marking_worklists()->IsEmpty()
+                                ? StepResult::kNoImmediateWork
+                                : StepResult::kMoreWorkRemaining;
+diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
+index 951b49507cab7116a61895deebe5368d5518b9e2..7ab09caf7b509734e1bf52c2e7310c503499fc65 100644
+--- a/src/heap/mark-compact.cc
++++ b/src/heap/mark-compact.cc
+@@ -1602,24 +1602,24 @@ void MarkCompactCollector::MarkDescriptorArrayFromWriteBarrier(
+       descriptors, number_of_own_descriptors);
+ }
+ 
+-void MarkCompactCollector::ProcessEphemeronsUntilFixpoint() {
+-  bool work_to_do = true;
++bool MarkCompactCollector::ProcessEphemeronsUntilFixpoint() {
+   int iterations = 0;
+   int max_iterations = FLAG_ephemeron_fixpoint_iterations;
+ 
+-  while (work_to_do) {
++  bool another_ephemeron_iteration_main_thread;
++
++  do {
+     PerformWrapperTracing();
+ 
+     if (iterations >= max_iterations) {
+       // Give up fixpoint iteration and switch to linear algorithm.
+-      ProcessEphemeronsLinear();
+-      break;
++      return false;
+     }
+ 
+     // Move ephemerons from next_ephemerons into current_ephemerons to
+     // drain them in this iteration.
+     weak_objects_.current_ephemerons.Swap(weak_objects_.next_ephemerons);
+-    heap()->concurrent_marking()->set_ephemeron_marked(false);
++    heap()->concurrent_marking()->set_another_ephemeron_iteration(false);
+ 
+     {
+       TRACE_GC(heap()->tracer(),
+@@ -1630,47 +1630,54 @@ void MarkCompactCollector::ProcessEphemeronsUntilFixpoint() {
+             TaskPriority::kUserBlocking);
+       }
+ 
+-      work_to_do = ProcessEphemerons();
++      another_ephemeron_iteration_main_thread = ProcessEphemerons();
+       FinishConcurrentMarking();
+     }
+ 
+     CHECK(weak_objects_.current_ephemerons.IsEmpty());
+     CHECK(weak_objects_.discovered_ephemerons.IsEmpty());
+ 
+-    work_to_do = work_to_do || !local_marking_worklists()->IsEmpty() ||
+-                 heap()->concurrent_marking()->ephemeron_marked() ||
+-                 !local_marking_worklists()->IsEmbedderEmpty() ||
+-                 !heap()->local_embedder_heap_tracer()->IsRemoteTracingDone();
+     ++iterations;
+-  }
++  } while (another_ephemeron_iteration_main_thread ||
++           heap()->concurrent_marking()->another_ephemeron_iteration() ||
++           !local_marking_worklists()->IsEmpty() ||
++           !local_marking_worklists()->IsEmbedderEmpty() ||
++           !heap()->local_embedder_heap_tracer()->IsRemoteTracingDone());
+ 
+   CHECK(local_marking_worklists()->IsEmpty());
+   CHECK(weak_objects_.current_ephemerons.IsEmpty());
+   CHECK(weak_objects_.discovered_ephemerons.IsEmpty());
++  return true;
+ }
+ 
+ bool MarkCompactCollector::ProcessEphemerons() {
+   Ephemeron ephemeron;
+-  bool ephemeron_marked = false;
++  bool another_ephemeron_iteration = false;
+ 
+   // Drain current_ephemerons and push ephemerons where key and value are still
+   // unreachable into next_ephemerons.
+   while (weak_objects_.current_ephemerons.Pop(kMainThreadTask, &ephemeron)) {
+     if (ProcessEphemeron(ephemeron.key, ephemeron.value)) {
+-      ephemeron_marked = true;
++      another_ephemeron_iteration = true;
+     }
+   }
+ 
+   // Drain marking worklist and push discovered ephemerons into
+   // discovered_ephemerons.
+-  DrainMarkingWorklist();
++  size_t objects_processed;
++  std::tie(std::ignore, objects_processed) = ProcessMarkingWorklist(0);
++
++  // As soon as a single object was processed and potentially marked another
++  // object we need another iteration. Otherwise we might miss to apply
++  // ephemeron semantics on it.
++  if (objects_processed > 0) another_ephemeron_iteration = true;
+ 
+   // Drain discovered_ephemerons (filled in the drain MarkingWorklist-phase
+   // before) and push ephemerons where key and value are still unreachable into
+   // next_ephemerons.
+   while (weak_objects_.discovered_ephemerons.Pop(kMainThreadTask, &ephemeron)) {
+     if (ProcessEphemeron(ephemeron.key, ephemeron.value)) {
+-      ephemeron_marked = true;
++      another_ephemeron_iteration = true;
+     }
+   }
+ 
+@@ -1678,7 +1685,7 @@ bool MarkCompactCollector::ProcessEphemerons() {
+   weak_objects_.ephemeron_hash_tables.FlushToGlobal(kMainThreadTask);
+   weak_objects_.next_ephemerons.FlushToGlobal(kMainThreadTask);
+ 
+-  return ephemeron_marked;
++  return another_ephemeron_iteration;
+ }
+ 
+ void MarkCompactCollector::ProcessEphemeronsLinear() {
+@@ -1764,6 +1771,12 @@ void MarkCompactCollector::ProcessEphemeronsLinear() {
+   ephemeron_marking_.newly_discovered.shrink_to_fit();
+ 
+   CHECK(local_marking_worklists()->IsEmpty());
++  CHECK(weak_objects_.current_ephemerons.IsEmpty());
++  CHECK(weak_objects_.discovered_ephemerons.IsEmpty());
++
++  // Flush local ephemerons for main task to global pool.
++  weak_objects_.ephemeron_hash_tables.FlushToGlobal(kMainThreadTask);
++  weak_objects_.next_ephemerons.FlushToGlobal(kMainThreadTask);
+ }
+ 
+ void MarkCompactCollector::PerformWrapperTracing() {
+@@ -1785,9 +1798,11 @@ void MarkCompactCollector::PerformWrapperTracing() {
+ void MarkCompactCollector::DrainMarkingWorklist() { ProcessMarkingWorklist(0); }
+ 
+ template <MarkCompactCollector::MarkingWorklistProcessingMode mode>
+-size_t MarkCompactCollector::ProcessMarkingWorklist(size_t bytes_to_process) {
++std::pair<size_t, size_t> MarkCompactCollector::ProcessMarkingWorklist(
++    size_t bytes_to_process) {
+   HeapObject object;
+   size_t bytes_processed = 0;
++  size_t objects_processed = 0;
+   bool is_per_context_mode = local_marking_worklists()->IsPerContextMode();
+   Isolate* isolate = heap()->isolate();
+   while (local_marking_worklists()->Pop(&object) ||
+@@ -1827,18 +1842,19 @@ size_t MarkCompactCollector::ProcessMarkingWorklist(size_t bytes_to_process) {
+                                           map, object, visited_size);
+     }
+     bytes_processed += visited_size;
++    objects_processed++;
+     if (bytes_to_process && bytes_processed >= bytes_to_process) {
+       break;
+     }
+   }
+-  return bytes_processed;
++  return std::make_pair(bytes_processed, objects_processed);
+ }
+ 
+ // Generate definitions for use in other files.
+-template size_t MarkCompactCollector::ProcessMarkingWorklist<
++template std::pair<size_t, size_t> MarkCompactCollector::ProcessMarkingWorklist<
+     MarkCompactCollector::MarkingWorklistProcessingMode::kDefault>(
+     size_t bytes_to_process);
+-template size_t MarkCompactCollector::ProcessMarkingWorklist<
++template std::pair<size_t, size_t> MarkCompactCollector::ProcessMarkingWorklist<
+     MarkCompactCollector::MarkingWorklistProcessingMode::
+         kTrackNewlyDiscoveredObjects>(size_t bytes_to_process);
+ 
+@@ -1863,7 +1879,23 @@ void MarkCompactCollector::ProcessEphemeronMarking() {
+   // buffer, flush it into global pool.
+   weak_objects_.next_ephemerons.FlushToGlobal(kMainThreadTask);
+ 
+-  ProcessEphemeronsUntilFixpoint();
++  if (!ProcessEphemeronsUntilFixpoint()) {
++    // Fixpoint iteration needed too many iterations and was cancelled. Use the
++    // guaranteed linear algorithm.
++    ProcessEphemeronsLinear();
++  }
++
++#ifdef VERIFY_HEAP
++  if (FLAG_verify_heap) {
++    Ephemeron ephemeron;
++
++    weak_objects_.current_ephemerons.Swap(weak_objects_.next_ephemerons);
++
++    while (weak_objects_.current_ephemerons.Pop(kMainThreadTask, &ephemeron)) {
++      CHECK(!ProcessEphemeron(ephemeron.key, ephemeron.value));
++    }
++  }
++#endif
+ 
+   CHECK(local_marking_worklists()->IsEmpty());
+   CHECK(heap()->local_embedder_heap_tracer()->IsRemoteTracingDone());
+diff --git a/src/heap/mark-compact.h b/src/heap/mark-compact.h
+index 733588ae80ae3530fd53988c706de7c58084d2cf..0674ce674fc37c993294536afd324909f4dea05e 100644
+--- a/src/heap/mark-compact.h
++++ b/src/heap/mark-compact.h
+@@ -588,7 +588,7 @@ class MarkCompactCollector final : public MarkCompactCollectorBase {
+   // is drained until it is empty.
+   template <MarkingWorklistProcessingMode mode =
+                 MarkingWorklistProcessingMode::kDefault>
+-  size_t ProcessMarkingWorklist(size_t bytes_to_process);
++  std::pair<size_t, size_t> ProcessMarkingWorklist(size_t bytes_to_process);
+ 
+  private:
+   void ComputeEvacuationHeuristics(size_t area_size,
+@@ -634,8 +634,9 @@ class MarkCompactCollector final : public MarkCompactCollectorBase {
+   bool ProcessEphemeron(HeapObject key, HeapObject value);
+ 
+   // Marks ephemerons and drains marking worklist iteratively
+-  // until a fixpoint is reached.
+-  void ProcessEphemeronsUntilFixpoint();
++  // until a fixpoint is reached. Returns false if too many iterations have been
++  // tried and the linear approach should be used.
++  bool ProcessEphemeronsUntilFixpoint();
+ 
+   // Drains ephemeron and marking worklists. Single iteration of the
+   // fixpoint iteration.

patches/v8/cherry-pick-6de4e210688e.patch

@@ -0,0 +1,77 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@chromium.org>
+Date: Fri, 3 Sep 2021 11:46:26 +0200
+Subject: Fix class variable redeclaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ParserBase::ParseClassLiteral and BaseConsumedPreparseData::RestoreDataForScope
+both declare the class variable, but the logic is so complex
+that they sometimes ended up both declaring it.
+
+This is further complicated by some of the variable values (esp.
+inner_scope_calls_eval_) potentially changing in between, so we can't
+just redo the same logic any more.
+
+Forcefully make it work by making RestoreDataForScope declare the variable
+iff ParseClassLiteral didn't.
+
+Bug: chromium:1245870
+Change-Id: I777fd9d78145240448fc25709d2b118977d91056
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140596
+Commit-Queue: Marja Hölttä <marja@chromium.org>
+Reviewed-by: Leszek Swirski <leszeks@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#76654}
+
+diff --git a/src/parsing/preparse-data.cc b/src/parsing/preparse-data.cc
+index a085d55e1efe4e302c4c5e91453fae4f0d37dbe5..64e2d44cc85c23efe202d83e7680b3687c6d178d 100644
+--- a/src/parsing/preparse-data.cc
++++ b/src/parsing/preparse-data.cc
+@@ -666,12 +666,13 @@ void BaseConsumedPreparseData<Data>::RestoreDataForScope(
+     scope->AsDeclarationScope()->RecordNeedsPrivateNameContextChainRecalc();
+   }
+   if (ShouldSaveClassVariableIndexField::decode(scope_data_flags)) {
+-    Variable* var;
+-    // An anonymous class whose class variable needs to be saved do not
++    Variable* var = scope->AsClassScope()->class_variable();
++    // An anonymous class whose class variable needs to be saved might not
+     // have the class variable created during reparse since we skip parsing
+     // the inner scopes that contain potential access to static private
+     // methods. So create it now.
+-    if (scope->AsClassScope()->is_anonymous_class()) {
++    if (var == nullptr) {
++      DCHECK(scope->AsClassScope()->is_anonymous_class());
+       var = scope->AsClassScope()->DeclareClassVariable(
+           ast_value_factory, nullptr, kNoSourcePosition);
+       AstNodeFactory factory(ast_value_factory, zone);
+@@ -679,9 +680,6 @@ void BaseConsumedPreparseData<Data>::RestoreDataForScope(
+           factory.NewVariableDeclaration(kNoSourcePosition);
+       scope->declarations()->Add(declaration);
+       declaration->set_var(var);
+-    } else {
+-      var = scope->AsClassScope()->class_variable();
+-      DCHECK_NOT_NULL(var);
+     }
+     var->set_is_used();
+     var->ForceContextAllocation();
+diff --git a/test/mjsunit/regress/regress-crbug-1245870.js b/test/mjsunit/regress/regress-crbug-1245870.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..2ef3f753d500880717f10f26ed8cca4a47079196
+--- /dev/null
++++ b/test/mjsunit/regress/regress-crbug-1245870.js
+@@ -0,0 +1,14 @@
++// Copyright 2021 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++class Outer {
++  test() {
++    return class {
++      static #a() { }
++      b = eval();
++    };
++  }
++}
++const obj = new Outer();
++obj.test();

patches/v8/cherry-pick-fbfd2557c2ab.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mythri A <mythria@chromium.org>
+Date: Fri, 21 May 2021 11:12:41 +0100
+Subject: Return early when initializing feedback cell for AsmWasm functions
+
+AsmWasmFunctions don't allocate / use feedback vectors.
+
+Bug: chromium:1206289
+Change-Id: I970d5eaba6603809a844c2fc5753efba411cd719
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2909854
+Commit-Queue: Mythri Alle <mythria@chromium.org>
+Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#74708}
+
+diff --git a/src/objects/js-function.cc b/src/objects/js-function.cc
+index 35010be838ea1a5a3bebbb8a86d3358092da5199..b17550a29668d3dab082a515c7287b219becd01d 100644
+--- a/src/objects/js-function.cc
++++ b/src/objects/js-function.cc
+@@ -361,6 +361,14 @@ void JSFunction::InitializeFeedbackCell(
+     Handle<JSFunction> function, IsCompiledScope* is_compiled_scope,
+     bool reset_budget_for_feedback_allocation) {
+   Isolate* const isolate = function->GetIsolate();
++#if V8_ENABLE_WEBASSEMBLY
++  // The following checks ensure that the feedback vectors are compatible with
++  // the feedback metadata. For Asm / Wasm functions we never allocate / use
++  // feedback vectors, so a mismatch between the metadata and feedback vector is
++  // harmless. The checks could fail for functions that has has_asm_wasm_broken
++  // set at runtime (for ex: failed instantiation).
++  if (function->shared().HasAsmWasmData()) return;
++#endif  // V8_ENABLE_WEBASSEMBLY
+ 
+   if (function->has_feedback_vector()) {
+     CHECK_EQ(function->feedback_vector().length(),

patches/v8/regexp_add_a_currently_failing_cctest_for_irregexp_reentrancy.patch

@@ -0,0 +1,109 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Mon, 6 Sep 2021 08:29:33 +0200
+Subject: Add a (currently failing) cctest for irregexp reentrancy
+
+The test should be enabled once reentrancy is supported.
+
+Bug: v8:11382
+Change-Id: Ifb90d8a6fd8bf9f05e9ca2405d4e04e013ce7ee3
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3138201
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Auto-Submit: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#76667}
+
+diff --git a/test/cctest/cctest.status b/test/cctest/cctest.status
+index 7b1bf8caa5e3f3975a457e061d966fd60c5ef441..d6691b5e861d29100d0f1c15c887dd824f3929cb 100644
+--- a/test/cctest/cctest.status
++++ b/test/cctest/cctest.status
+@@ -126,6 +126,9 @@
+   'test-strings/StringOOM*': [PASS, ['mode == debug', SKIP]],
+   'test-serialize/CustomSnapshotDataBlobImmortalImmovableRoots': [PASS, ['mode == debug', SKIP]],
+   'test-parsing/ObjectRestNegativeTestSlow': [PASS, ['mode == debug', SKIP]],
++
++  # TODO(v8:11382): Reenable once irregexp is reentrant.
++  'test-regexp/RegExpInterruptReentrantExecution': [FAIL],
+ }],  # ALWAYS
+ 
+ ##############################################################################
+@@ -606,6 +609,9 @@
+ 
+   # Instruction cache flushing is disabled in jitless mode.
+   'test-icache/*': [SKIP],
++
++  # Tests generated irregexp code.
++  'test-regexp/RegExpInterruptReentrantExecution': [SKIP],
+ }], # lite_mode or variant == jitless
+ 
+ ##############################################################################
+diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc
+index 5eafa420bc21f40a2eb0caaa76ad2ffd4bd8db85..db0fb3c965c66e7d5a173559c52deca36bc47ebd 100644
+--- a/test/cctest/test-api.cc
++++ b/test/cctest/test-api.cc
+@@ -21581,10 +21581,6 @@ TEST(RegExpInterruptAndMakeSubjectTwoByteExternal) {
+   // experimental engine.
+   i::FLAG_enable_experimental_regexp_engine_on_excessive_backtracks = false;
+   RegExpInterruptTest test;
+-  // We want to be stuck regexp execution, so no fallback to linear-time
+-  // engine.
+-  // TODO(mbid,v8:10765): Find a way to test interrupt support of the
+-  // experimental engine.
+   test.RunTest(RegExpInterruptTest::MakeSubjectTwoByteExternal);
+ }
+ 
+diff --git a/test/cctest/test-regexp.cc b/test/cctest/test-regexp.cc
+index 63495194d4fbce61abbe9a7e83a446341f6f3dd6..fa02c23c47dcefb4ee77c9fc4c8222f52653e576 100644
+--- a/test/cctest/test-regexp.cc
++++ b/test/cctest/test-regexp.cc
+@@ -2340,6 +2340,50 @@ TEST(UnicodePropertyEscapeCodeSize) {
+   }
+ }
+ 
++namespace {
++
++struct RegExpExecData {
++  i::Isolate* isolate;
++  i::Handle<i::JSRegExp> regexp;
++  i::Handle<i::String> subject;
++};
++
++i::Handle<i::Object> RegExpExec(const RegExpExecData* d) {
++  return i::RegExp::Exec(d->isolate, d->regexp, d->subject, 0,
++                         d->isolate->regexp_last_match_info())
++      .ToHandleChecked();
++}
++
++void ReenterRegExp(v8::Isolate* isolate, void* data) {
++  RegExpExecData* d = static_cast<RegExpExecData*>(data);
++  i::Handle<i::Object> result = RegExpExec(d);
++  CHECK(result->IsNull());
++}
++
++}  // namespace
++
++// Tests reentrant irregexp calls.
++TEST(RegExpInterruptReentrantExecution) {
++  CHECK(!i::FLAG_jitless);
++  i::FLAG_regexp_tier_up = false;  // Enter irregexp, not the interpreter.
++
++  LocalContext context;
++  v8::Isolate* isolate = context->GetIsolate();
++  v8::HandleScope scope(isolate);
++
++  RegExpExecData d;
++  d.isolate = reinterpret_cast<i::Isolate*>(isolate);
++  d.regexp = v8::Utils::OpenHandle(
++      *v8::RegExp::New(context.local(), v8_str("(a*)*x"), v8::RegExp::kNone)
++           .ToLocalChecked());
++  d.subject = v8::Utils::OpenHandle(*v8_str("aaaa"));
++
++  isolate->RequestInterrupt(&ReenterRegExp, &d);
++
++  i::Handle<i::Object> result = RegExpExec(&d);
++  CHECK(result->IsNull());
++}
++
+ #undef CHECK_PARSE_ERROR
+ #undef CHECK_SIMPLE
+ #undef CHECK_MIN_MAX

patches/v8/regexp_remove_the_stack_parameter_from_regexp_matchers.patch

@@ -0,0 +1,398 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Gruber <jgruber@chromium.org>
+Date: Wed, 22 Sep 2021 14:42:48 +0200
+Subject: Remove the `stack` parameter from regexp matchers
+
+The argument is no longer in use.
+
+Bug: v8:11382
+Change-Id: I7febc7fe7ef17ae462c700f0dba3ca1beade3021
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173681
+Commit-Queue: Jakob Gruber <jgruber@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#77017}
+
+diff --git a/src/builtins/builtins-regexp-gen.cc b/src/builtins/builtins-regexp-gen.cc
+index 23648efb98bd571476a122e9eb4a27e62feddca1..adcb8c800ab3a754200fb0920376155612c1a9b9 100644
+--- a/src/builtins/builtins-regexp-gen.cc
++++ b/src/builtins/builtins-regexp-gen.cc
+@@ -433,8 +433,6 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+   // External constants.
+   TNode<ExternalReference> isolate_address =
+       ExternalConstant(ExternalReference::isolate_address(isolate()));
+-  TNode<ExternalReference> regexp_stack_memory_top_address = ExternalConstant(
+-      ExternalReference::address_of_regexp_stack_memory_top_address(isolate()));
+   TNode<ExternalReference> static_offsets_vector_address = ExternalConstant(
+       ExternalReference::address_of_static_offsets_vector(isolate()));
+ 
+@@ -602,26 +600,18 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+     MachineType arg5_type = type_int32;
+     TNode<Int32T> arg5 = SmiToInt32(register_count);
+ 
+-    // Argument 6: Start (high end) of backtracking stack memory area. This
+-    // argument is ignored in the interpreter.
+-    TNode<RawPtrT> stack_top = UncheckedCast<RawPtrT>(
+-        Load(MachineType::Pointer(), regexp_stack_memory_top_address));
++    // Argument 6: Indicate that this is a direct call from JavaScript.
++    MachineType arg6_type = type_int32;
++    TNode<Int32T> arg6 = Int32Constant(RegExp::CallOrigin::kFromJs);
+ 
+-    MachineType arg6_type = type_ptr;
+-    TNode<RawPtrT> arg6 = stack_top;
++    // Argument 7: Pass current isolate address.
++    MachineType arg7_type = type_ptr;
++    TNode<ExternalReference> arg7 = isolate_address;
+ 
+-    // Argument 7: Indicate that this is a direct call from JavaScript.
+-    MachineType arg7_type = type_int32;
+-    TNode<Int32T> arg7 = Int32Constant(RegExp::CallOrigin::kFromJs);
+-
+-    // Argument 8: Pass current isolate address.
+-    MachineType arg8_type = type_ptr;
+-    TNode<ExternalReference> arg8 = isolate_address;
+-
+-    // Argument 9: Regular expression object. This argument is ignored in native
++    // Argument 8: Regular expression object. This argument is ignored in native
+     // irregexp code.
+-    MachineType arg9_type = type_tagged;
+-    TNode<JSRegExp> arg9 = regexp;
++    MachineType arg8_type = type_tagged;
++    TNode<JSRegExp> arg8 = regexp;
+ 
+     TNode<RawPtrT> code_entry = LoadCodeObjectEntry(code);
+ 
+@@ -635,8 +625,7 @@ TNode<HeapObject> RegExpBuiltinsAssembler::RegExpExecInternal(
+             std::make_pair(arg1_type, arg1), std::make_pair(arg2_type, arg2),
+             std::make_pair(arg3_type, arg3), std::make_pair(arg4_type, arg4),
+             std::make_pair(arg5_type, arg5), std::make_pair(arg6_type, arg6),
+-            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8),
+-            std::make_pair(arg9_type, arg9)));
++            std::make_pair(arg7_type, arg7), std::make_pair(arg8_type, arg8)));
+ 
+     // Check the result.
+     // We expect exactly one result since we force the called regexp to behave
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.cc b/src/regexp/arm/regexp-macro-assembler-arm.cc
+index 9827fc7a166775920a6d7bd91f0aec5be7e370b8..3c8c1d8c8187447cb09a531b937dfa275290a842 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.cc
++++ b/src/regexp/arm/regexp-macro-assembler-arm.cc
+@@ -38,14 +38,12 @@ namespace internal {
+  * Each call to a public method should retain this convention.
+  *
+  * The stack will have the following structure:
+- *  - fp[56]  Address regexp     (address of the JSRegExp object; unused in
++ *  - fp[52]  Address regexp     (address of the JSRegExp object; unused in
+  *                                native code, passed to match signature of
+  *                                the interpreter)
+- *  - fp[52]  Isolate* isolate   (address of the current isolate)
+- *  - fp[48]  direct_call        (if 1, direct call from JavaScript code,
++ *  - fp[48]  Isolate* isolate   (address of the current isolate)
++ *  - fp[44]  direct_call        (if 1, direct call from JavaScript code,
+  *                                if 0, call through the runtime system).
+- *  - fp[44]  stack_area_base    (high end of the memory area to use as
+- *                                backtracking stack).
+  *  - fp[40]  capture array size (may fit multiple sets of matches)
+  *  - fp[36]  int* capture_array (int[num_saved_registers_], for output).
+  *  --- sp when called ---
+@@ -82,7 +80,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+diff --git a/src/regexp/arm/regexp-macro-assembler-arm.h b/src/regexp/arm/regexp-macro-assembler-arm.h
+index da7f44f3e56278a72e470f7a4658758d220a1818..9bfeada8bee67e9a673d6ac6064bbeca2376cdd9 100644
+--- a/src/regexp/arm/regexp-macro-assembler-arm.h
++++ b/src/regexp/arm/regexp-macro-assembler-arm.h
+@@ -95,15 +95,13 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
+   static const int kFramePointer = 0;
+ 
+   // Above the frame pointer - Stored registers and stack passed parameters.
+-  // Register 4..11.
+   static const int kStoredRegisters = kFramePointer;
+   // Return address (stored from link register, read into pc on return).
+   static const int kReturnAddress = kStoredRegisters + 8 * kPointerSize;
+   // Stack parameters placed by caller.
+   static const int kRegisterOutput = kReturnAddress + kPointerSize;
+   static const int kNumOutputRegisters = kRegisterOutput + kPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kPointerSize;
+   static const int kIsolate = kDirectCall + kPointerSize;
+ 
+   // Below the frame pointer.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.cc b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+index 2f064c0e1671f71fa877c3b67d3779e43483afa5..48cde5291f840bb7762d32918098bdab3ec01a83 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.cc
++++ b/src/regexp/arm64/regexp-macro-assembler-arm64.cc
+@@ -66,14 +66,12 @@ namespace internal {
+  *  ^^^^^^^^^ fp ^^^^^^^^^
+  *  - fp[-8]     direct_call        1 => Direct call from JavaScript code.
+  *                                  0 => Call through the runtime system.
+- *  - fp[-16]    stack_base         High end of the memory area to use as
+- *                                  the backtracking stack.
+- *  - fp[-24]    output_size        Output may fit multiple sets of matches.
+- *  - fp[-32]    input              Handle containing the input string.
+- *  - fp[-40]    success_counter
++ *  - fp[-16]    output_size        Output may fit multiple sets of matches.
++ *  - fp[-24]    input              Handle containing the input string.
++ *  - fp[-32]    success_counter
+  *  ^^^^^^^^^^^^^ From here and downwards we store 32 bit values ^^^^^^^^^^^^^
+- *  - fp[-44]    register N         Capture registers initialized with
+- *  - fp[-48]    register N + 1     non_position_value.
++ *  - fp[-40]    register N         Capture registers initialized with
++ *  - fp[-44]    register N + 1     non_position_value.
+  *               ...                The first kNumCachedRegisters (N) registers
+  *               ...                are cached in x0 to x7.
+  *               ...                Only positions must be stored in the first
+@@ -95,7 +93,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -767,11 +764,10 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
+   // x3:  byte*    input_end
+   // x4:  int*     output array
+   // x5:  int      output array size
+-  // x6:  Address  stack_base
+-  // x7:  int      direct_call
+-
+-  //  sp[8]:  address of the current isolate
+-  //  sp[0]:  secondary link/return address used by native call
++  // x6:  int      direct_call
++  // x7:  Isolate* isolate
++  //
++  // sp[0]:  secondary link/return address used by native call
+ 
+   // Tell the system that we have a stack frame.  Because the type is MANUAL, no
+   // code is generated.
+diff --git a/src/regexp/arm64/regexp-macro-assembler-arm64.h b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+index c5249625928b2cd8d08da52c219075c79cdbf880..7d99c3cbefb963696595e5bdc91b3c53d3d7f263 100644
+--- a/src/regexp/arm64/regexp-macro-assembler-arm64.h
++++ b/src/regexp/arm64/regexp-macro-assembler-arm64.h
+@@ -106,16 +106,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
+   // Callee-saved registers (x19-x28).
+   static const int kNumCalleeSavedRegisters = 10;
+   static const int kCalleeSavedRegisters = kReturnAddress + kSystemPointerSize;
+-  // Stack parameter placed by caller.
+-  // It is placed above the FP, LR and the callee-saved registers.
+-  static const int kIsolate =
+-      kCalleeSavedRegisters + kNumCalleeSavedRegisters * kSystemPointerSize;
+ 
+   // Below the frame pointer.
+   // Register parameters stored by setup code.
+-  static const int kDirectCall = -kSystemPointerSize;
+-  static const int kStackHighEnd = kDirectCall - kSystemPointerSize;
+-  static const int kOutputSize = kStackHighEnd - kSystemPointerSize;
++  static const int kIsolate = -kSystemPointerSize;
++  static const int kDirectCall = kIsolate - kSystemPointerSize;
++  static const int kOutputSize = kDirectCall - kSystemPointerSize;
+   static const int kInput = kOutputSize - kSystemPointerSize;
+   // When adding local variables remember to push space for them in
+   // the frame in GetCode.
+diff --git a/src/regexp/experimental/experimental.cc b/src/regexp/experimental/experimental.cc
+index 500269c40eac001adbaa3e2677d53b59af8b1566..299838efc63186a5f7df734c4ec4dba9bfa4e6d1 100644
+--- a/src/regexp/experimental/experimental.cc
++++ b/src/regexp/experimental/experimental.cc
+@@ -192,8 +192,7 @@ int32_t ExperimentalRegExp::ExecRaw(Isolate* isolate,
+ int32_t ExperimentalRegExp::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address input_start,
+     Address input_end, int* output_registers, int32_t output_register_count,
+-    Address backtrack_stack, RegExp::CallOrigin call_origin, Isolate* isolate,
+-    Address regexp) {
++    RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK(FLAG_enable_experimental_regexp_engine);
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/experimental/experimental.h b/src/regexp/experimental/experimental.h
+index 1b44100cc88bed7825c0a30fb05e8477c47860ec..671792e5ef82919af652f431c5f6b325fea08d77 100644
+--- a/src/regexp/experimental/experimental.h
++++ b/src/regexp/experimental/experimental.h
+@@ -33,7 +33,6 @@ class ExperimentalRegExp final : public AllStatic {
+                                     Address input_start, Address input_end,
+                                     int* output_registers,
+                                     int32_t output_register_count,
+-                                    Address backtrack_stack,
+                                     RegExp::CallOrigin call_origin,
+                                     Isolate* isolate, Address regexp);
+   static MaybeHandle<Object> Exec(
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.cc b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+index 036fd62185f2b5338d512d7ea441a4c74f9727ee..7bd08ad112952d323353ccba956abf1100246bb8 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.cc
++++ b/src/regexp/ia32/regexp-macro-assembler-ia32.cc
+@@ -40,8 +40,6 @@ namespace internal {
+  *       - Isolate* isolate     (address of the current isolate)
+  *       - direct_call          (if 1, direct call from JavaScript code, if 0
+  *                               call through the runtime system)
+- *       - stack_area_base      (high end of the memory area to use as
+- *                               backtracking stack)
+  *       - capture array size   (may fit multiple sets of matches)
+  *       - int* capture_array   (int[num_saved_registers_], for output).
+  *       - end of input         (address of end of string)
+@@ -74,7 +72,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate
+  *              Address regexp);
+diff --git a/src/regexp/ia32/regexp-macro-assembler-ia32.h b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+index f02cb564ad507f95c688fbcdad6db4ed47f85c11..e9a22e802419c079f362d7ff66cf30c56022b68e 100644
+--- a/src/regexp/ia32/regexp-macro-assembler-ia32.h
++++ b/src/regexp/ia32/regexp-macro-assembler-ia32.h
+@@ -107,8 +107,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+   // Below the frame pointer - local stack variables.
+   // When adding local variables remember to push space for them in
+diff --git a/src/regexp/regexp-interpreter.cc b/src/regexp/regexp-interpreter.cc
+index ac2654cd5fd9807391aa15aac76a3e8cae5b0c53..32f6f92fcd1946b041d885433f6e8ca7ef62e730 100644
+--- a/src/regexp/regexp-interpreter.cc
++++ b/src/regexp/regexp-interpreter.cc
+@@ -1106,7 +1106,7 @@ IrregexpInterpreter::Result IrregexpInterpreter::MatchInternal(
+ // builtin.
+ IrregexpInterpreter::Result IrregexpInterpreter::MatchForCallFromJs(
+     Address subject, int32_t start_position, Address, Address,
+-    int* output_registers, int32_t output_register_count, Address,
++    int* output_registers, int32_t output_register_count,
+     RegExp::CallOrigin call_origin, Isolate* isolate, Address regexp) {
+   DCHECK_NOT_NULL(isolate);
+   DCHECK_NOT_NULL(output_registers);
+diff --git a/src/regexp/regexp-interpreter.h b/src/regexp/regexp-interpreter.h
+index 9b4a8c6c307266a78a35f52ef4ef0afe5b6af6fe..19f9513acc2c7d309179ca5e18ca7ef2165e74f4 100644
+--- a/src/regexp/regexp-interpreter.h
++++ b/src/regexp/regexp-interpreter.h
+@@ -34,9 +34,8 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+   // RETRY is returned if a retry through the runtime is needed (e.g. when
+   // interrupts have been scheduled or the regexp is marked for tier-up).
+   //
+-  // Arguments input_start, input_end and backtrack_stack are
+-  // unused. They are only passed to match the signature of the native irregex
+-  // code.
++  // Arguments input_start and input_end are unused. They are only passed to
++  // match the signature of the native irregex code.
+   //
+   // Arguments output_registers and output_register_count describe the results
+   // array, which will contain register values of all captures if SUCCESS is
+@@ -45,7 +44,6 @@ class V8_EXPORT_PRIVATE IrregexpInterpreter : public AllStatic {
+                                    Address input_start, Address input_end,
+                                    int* output_registers,
+                                    int32_t output_register_count,
+-                                   Address backtrack_stack,
+                                    RegExp::CallOrigin call_origin,
+                                    Isolate* isolate, Address regexp);
+ 
+diff --git a/src/regexp/regexp-macro-assembler.cc b/src/regexp/regexp-macro-assembler.cc
+index 0275558eba45d6090f61f51c3de08f81481c1aee..e20cafe9bead6749f8cf9433b8b560e918cd18ac 100644
+--- a/src/regexp/regexp-macro-assembler.cc
++++ b/src/regexp/regexp-macro-assembler.cc
+@@ -300,24 +300,21 @@ int NativeRegExpMacroAssembler::Execute(
+     String input,  // This needs to be the unpacked (sliced, cons) string.
+     int start_offset, const byte* input_start, const byte* input_end,
+     int* output, int output_size, Isolate* isolate, JSRegExp regexp) {
+-  // Ensure that the minimum stack has been allocated.
+   RegExpStackScope stack_scope(isolate);
+-  Address stack_base = stack_scope.stack()->memory_top();
+ 
+   bool is_one_byte = String::IsOneByteRepresentationUnderneath(input);
+   Code code = Code::cast(regexp.Code(is_one_byte));
+   RegExp::CallOrigin call_origin = RegExp::CallOrigin::kFromRuntime;
+ 
+-  using RegexpMatcherSig = int(
+-      Address input_string, int start_offset,  // NOLINT(readability/casting)
+-      const byte* input_start, const byte* input_end, int* output,
+-      int output_size, Address stack_base, int call_origin, Isolate* isolate,
+-      Address regexp);
++  using RegexpMatcherSig =
++      // NOLINTNEXTLINE(readability/casting)
++      int(Address input_string, int start_offset, const byte* input_start,
++          const byte* input_end, int* output, int output_size, int call_origin,
++          Isolate* isolate, Address regexp);
+ 
+   auto fn = GeneratedCode<RegexpMatcherSig>::FromCode(code);
+-  int result =
+-      fn.Call(input.ptr(), start_offset, input_start, input_end, output,
+-              output_size, stack_base, call_origin, isolate, regexp.ptr());
++  int result = fn.Call(input.ptr(), start_offset, input_start, input_end,
++                       output, output_size, call_origin, isolate, regexp.ptr());
+   DCHECK_GE(result, SMALLEST_REGEXP_RESULT);
+ 
+   if (result == EXCEPTION && !isolate->has_pending_exception()) {
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.cc b/src/regexp/x64/regexp-macro-assembler-x64.cc
+index 42b79f1a9fd0e296ace1148dacedb4ff474a4139..fc87575a1a907b3b8b7fbc102ce16d214fde102f 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.cc
++++ b/src/regexp/x64/regexp-macro-assembler-x64.cc
+@@ -47,14 +47,12 @@ namespace internal {
+  * Each call to a C++ method should retain these registers.
+  *
+  * The stack will have the following content, in some order, indexable from the
+- * frame pointer (see, e.g., kStackHighEnd):
++ * frame pointer (see, e.g., kDirectCall):
+  *    - Address regexp       (address of the JSRegExp object; unused in native
+  *                            code, passed to match signature of interpreter)
+  *    - Isolate* isolate     (address of the current isolate)
+  *    - direct_call          (if 1, direct call from JavaScript code, if 0 call
+  *                            through the runtime system)
+- *    - stack_area_base      (high end of the memory area to use as
+- *                            backtracking stack)
+  *    - capture array size   (may fit multiple sets of matches)
+  *    - int* capture_array   (int[num_saved_registers_], for output).
+  *    - end of input         (address of end of string)
+@@ -85,7 +83,6 @@ namespace internal {
+  *              Address end,
+  *              int* capture_output_array,
+  *              int num_capture_registers,
+- *              byte* stack_area_base,
+  *              bool direct_call = false,
+  *              Isolate* isolate,
+  *              Address regexp);
+@@ -862,8 +859,6 @@ Handle<HeapObject> RegExpMacroAssemblerX64::GetCode(Handle<String> source) {
+   }
+ 
+   // Initialize backtrack stack pointer.
+-  // TODO(jgruber): Remove the kStackHighEnd parameter (and others like
+-  // kIsolate).
+   LoadRegExpStackPointerFromMemory(backtrack_stackpointer());
+ 
+   __ jmp(&start_label_);
+diff --git a/src/regexp/x64/regexp-macro-assembler-x64.h b/src/regexp/x64/regexp-macro-assembler-x64.h
+index ff9ce0a43daa591343e8cebb25b5fdda8190a222..701697a12a5cbdbce0b8f554b2768b20b5dd434e 100644
+--- a/src/regexp/x64/regexp-macro-assembler-x64.h
++++ b/src/regexp/x64/regexp-macro-assembler-x64.h
+@@ -106,9 +106,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   // this value. NumOutputRegisters is passed as 32-bit value.  The upper
+   // 32 bit of this 64-bit stack slot may contain garbage.
+   static const int kNumOutputRegisters = kRegisterOutput + kSystemPointerSize;
+-  static const int kStackHighEnd = kNumOutputRegisters + kSystemPointerSize;
+   // DirectCall is passed as 32 bit int (values 0 or 1).
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++  static const int kDirectCall = kNumOutputRegisters + kSystemPointerSize;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #else
+   // In AMD64 ABI Calling Convention, the first six integer parameters
+@@ -119,13 +118,12 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
+   static const int kInputStart = kStartIndex - kSystemPointerSize;
+   static const int kInputEnd = kInputStart - kSystemPointerSize;
+   static const int kRegisterOutput = kInputEnd - kSystemPointerSize;
+-
+   // For the case of global regular expression, we have room to store at least
+   // one set of capture results.  For the case of non-global regexp, we ignore
+   // this value.
+   static const int kNumOutputRegisters = kRegisterOutput - kSystemPointerSize;
+-  static const int kStackHighEnd = kFrameAlign;
+-  static const int kDirectCall = kStackHighEnd + kSystemPointerSize;
++
++  static const int kDirectCall = kFrameAlign;
+   static const int kIsolate = kDirectCall + kSystemPointerSize;
+ #endif
+ 

patches/webrtc/.patches

@@ -0,0 +1 @@
+merge_to_94_add_direction_indicator_to_transformableframes.patch

patches/webrtc/merge_to_94_add_direction_indicator_to_transformableframes.patch

@@ -0,0 +1,222 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tony Herre <toprice@chromium.org>
+Date: Mon, 4 Oct 2021 10:02:51 +0000
+Subject: Add Direction indicator to TransformableFrames
+
+Currently the implementation of FrameTransformers uses distinct,
+incompatible types for recevied vs about-to-be-sent frames. This adds a
+flag in the interface so we can at least check that we are being given
+the correct type. crbug.com/1250638 tracks removing the need for this.
+
+Chrome will be updated after this to check the direction flag and provide
+a javascript error if the wrong type of frame is written into the
+encoded insertable streams writable stream, rather than crashing.
+
+(cherry picked from commit 8fb41a39e1a2d151d1c00c409630dcee80adeb76)
+
+Bug: chromium:1247260
+Change-Id: I9cbb66962ea0718ed47c5e5dba19a8ff9635b0b1
+Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/232301
+Reviewed-by: Harald Alvestrand <hta@webrtc.org>
+Commit-Queue: Tony Herre <toprice@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#35100}
+Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/233943
+Commit-Queue: Harald Alvestrand <hta@webrtc.org>
+Cr-Commit-Position: refs/branch-heads/4606@{#4}
+Cr-Branched-From: 8b18304e66524060eca390f143033ba51322b3a2-refs/heads/master@{#34737}
+
+diff --git a/api/frame_transformer_interface.h b/api/frame_transformer_interface.h
+index 2cfe6edb884b53b0b3fa87afad264aa411d112bd..d04acc098cb564c161f87c87d68511429895757c 100644
+--- a/api/frame_transformer_interface.h
++++ b/api/frame_transformer_interface.h
+@@ -35,6 +35,16 @@ class TransformableFrameInterface {
+ 
+   virtual uint32_t GetTimestamp() const = 0;
+   virtual uint32_t GetSsrc() const = 0;
++
++  enum class Direction {
++    kUnknown,
++    kReceiver,
++    kSender,
++  };
++  // TODO(crbug.com/1250638): Remove this distinction between receiver and
++  // sender frames to allow received frames to be directly re-transmitted on
++  // other PeerConnectionss.
++  virtual Direction GetDirection() const { return Direction::kUnknown; }
+ };
+ 
+ class TransformableVideoFrameInterface : public TransformableFrameInterface {
+diff --git a/audio/channel_receive_frame_transformer_delegate.cc b/audio/channel_receive_frame_transformer_delegate.cc
+index 261afbb10075c443b8627846a8434d7ef5b19a15..ec744bc61e28a8b72a6c6bb78893962cdd5f22e2 100644
+--- a/audio/channel_receive_frame_transformer_delegate.cc
++++ b/audio/channel_receive_frame_transformer_delegate.cc
+@@ -18,15 +18,16 @@
+ namespace webrtc {
+ namespace {
+ 
+-class TransformableAudioFrame : public TransformableAudioFrameInterface {
++class TransformableIncomingAudioFrame
++    : public TransformableAudioFrameInterface {
+  public:
+-  TransformableAudioFrame(rtc::ArrayView<const uint8_t> payload,
+-                          const RTPHeader& header,
+-                          uint32_t ssrc)
++  TransformableIncomingAudioFrame(rtc::ArrayView<const uint8_t> payload,
++                                  const RTPHeader& header,
++                                  uint32_t ssrc)
+       : payload_(payload.data(), payload.size()),
+         header_(header),
+         ssrc_(ssrc) {}
+-  ~TransformableAudioFrame() override = default;
++  ~TransformableIncomingAudioFrame() override = default;
+   rtc::ArrayView<const uint8_t> GetData() const override { return payload_; }
+ 
+   void SetData(rtc::ArrayView<const uint8_t> data) override {
+@@ -36,6 +37,7 @@ class TransformableAudioFrame : public TransformableAudioFrameInterface {
+   uint32_t GetTimestamp() const override { return header_.timestamp; }
+   uint32_t GetSsrc() const override { return ssrc_; }
+   const RTPHeader& GetHeader() const override { return header_; }
++  Direction GetDirection() const override { return Direction::kReceiver; }
+ 
+  private:
+   rtc::Buffer payload_;
+@@ -71,7 +73,7 @@ void ChannelReceiveFrameTransformerDelegate::Transform(
+     uint32_t ssrc) {
+   RTC_DCHECK_RUN_ON(&sequence_checker_);
+   frame_transformer_->Transform(
+-      std::make_unique<TransformableAudioFrame>(packet, header, ssrc));
++      std::make_unique<TransformableIncomingAudioFrame>(packet, header, ssrc));
+ }
+ 
+ void ChannelReceiveFrameTransformerDelegate::OnTransformedFrame(
+@@ -88,7 +90,10 @@ void ChannelReceiveFrameTransformerDelegate::ReceiveFrame(
+   RTC_DCHECK_RUN_ON(&sequence_checker_);
+   if (!receive_frame_callback_)
+     return;
+-  auto* transformed_frame = static_cast<TransformableAudioFrame*>(frame.get());
++  RTC_CHECK_EQ(frame->GetDirection(),
++               TransformableFrameInterface::Direction::kReceiver);
++  auto* transformed_frame =
++      static_cast<TransformableIncomingAudioFrame*>(frame.get());
+   receive_frame_callback_(transformed_frame->GetData(),
+                           transformed_frame->GetHeader());
+ }
+diff --git a/audio/channel_send_frame_transformer_delegate.cc b/audio/channel_send_frame_transformer_delegate.cc
+index 72a459d89783f9b7bc498aabc15cd7c7b45f3783..5597e7553e956c9dc20e311f5e16d163d9a7119e 100644
+--- a/audio/channel_send_frame_transformer_delegate.cc
++++ b/audio/channel_send_frame_transformer_delegate.cc
+@@ -15,16 +15,16 @@
+ namespace webrtc {
+ namespace {
+ 
+-class TransformableAudioFrame : public TransformableFrameInterface {
++class TransformableOutgoingAudioFrame : public TransformableFrameInterface {
+  public:
+-  TransformableAudioFrame(AudioFrameType frame_type,
+-                          uint8_t payload_type,
+-                          uint32_t rtp_timestamp,
+-                          uint32_t rtp_start_timestamp,
+-                          const uint8_t* payload_data,
+-                          size_t payload_size,
+-                          int64_t absolute_capture_timestamp_ms,
+-                          uint32_t ssrc)
++  TransformableOutgoingAudioFrame(AudioFrameType frame_type,
++                                  uint8_t payload_type,
++                                  uint32_t rtp_timestamp,
++                                  uint32_t rtp_start_timestamp,
++                                  const uint8_t* payload_data,
++                                  size_t payload_size,
++                                  int64_t absolute_capture_timestamp_ms,
++                                  uint32_t ssrc)
+       : frame_type_(frame_type),
+         payload_type_(payload_type),
+         rtp_timestamp_(rtp_timestamp),
+@@ -32,7 +32,7 @@ class TransformableAudioFrame : public TransformableFrameInterface {
+         payload_(payload_data, payload_size),
+         absolute_capture_timestamp_ms_(absolute_capture_timestamp_ms),
+         ssrc_(ssrc) {}
+-  ~TransformableAudioFrame() override = default;
++  ~TransformableOutgoingAudioFrame() override = default;
+   rtc::ArrayView<const uint8_t> GetData() const override { return payload_; }
+   void SetData(rtc::ArrayView<const uint8_t> data) override {
+     payload_.SetData(data.data(), data.size());
+@@ -48,6 +48,7 @@ class TransformableAudioFrame : public TransformableFrameInterface {
+   int64_t GetAbsoluteCaptureTimestampMs() const {
+     return absolute_capture_timestamp_ms_;
+   }
++  Direction GetDirection() const override { return Direction::kSender; }
+ 
+  private:
+   AudioFrameType frame_type_;
+@@ -90,9 +91,10 @@ void ChannelSendFrameTransformerDelegate::Transform(
+     size_t payload_size,
+     int64_t absolute_capture_timestamp_ms,
+     uint32_t ssrc) {
+-  frame_transformer_->Transform(std::make_unique<TransformableAudioFrame>(
+-      frame_type, payload_type, rtp_timestamp, rtp_start_timestamp,
+-      payload_data, payload_size, absolute_capture_timestamp_ms, ssrc));
++  frame_transformer_->Transform(
++      std::make_unique<TransformableOutgoingAudioFrame>(
++          frame_type, payload_type, rtp_timestamp, rtp_start_timestamp,
++          payload_data, payload_size, absolute_capture_timestamp_ms, ssrc));
+ }
+ 
+ void ChannelSendFrameTransformerDelegate::OnTransformedFrame(
+@@ -111,9 +113,12 @@ void ChannelSendFrameTransformerDelegate::SendFrame(
+     std::unique_ptr<TransformableFrameInterface> frame) const {
+   MutexLock lock(&send_lock_);
+   RTC_DCHECK_RUN_ON(encoder_queue_);
++  RTC_CHECK_EQ(frame->GetDirection(),
++               TransformableFrameInterface::Direction::kSender);
+   if (!send_frame_callback_)
+     return;
+-  auto* transformed_frame = static_cast<TransformableAudioFrame*>(frame.get());
++  auto* transformed_frame =
++      static_cast<TransformableOutgoingAudioFrame*>(frame.get());
+   send_frame_callback_(transformed_frame->GetFrameType(),
+                        transformed_frame->GetPayloadType(),
+                        transformed_frame->GetTimestamp() -
+diff --git a/modules/rtp_rtcp/source/rtp_sender_video_frame_transformer_delegate.cc b/modules/rtp_rtcp/source/rtp_sender_video_frame_transformer_delegate.cc
+index 074b64086a6cb2ff5014319b53305dd8385d8de6..8fe275e71984983fa248c1b9fb6e66c90a91ed3f 100644
+--- a/modules/rtp_rtcp/source/rtp_sender_video_frame_transformer_delegate.cc
++++ b/modules/rtp_rtcp/source/rtp_sender_video_frame_transformer_delegate.cc
+@@ -75,6 +75,8 @@ class TransformableVideoSenderFrame : public TransformableVideoFrameInterface {
+     return expected_retransmission_time_ms_;
+   }
+ 
++  Direction GetDirection() const override { return Direction::kSender; }
++
+  private:
+   rtc::scoped_refptr<EncodedImageBufferInterface> encoded_data_;
+   const RTPVideoHeader header_;
+@@ -143,6 +145,8 @@ void RTPSenderVideoFrameTransformerDelegate::OnTransformedFrame(
+ void RTPSenderVideoFrameTransformerDelegate::SendVideo(
+     std::unique_ptr<TransformableFrameInterface> transformed_frame) const {
+   RTC_CHECK(encoder_queue_->IsCurrent());
++  RTC_CHECK_EQ(transformed_frame->GetDirection(),
++               TransformableFrameInterface::Direction::kSender);
+   MutexLock lock(&sender_lock_);
+   if (!sender_)
+     return;
+diff --git a/video/rtp_video_stream_receiver_frame_transformer_delegate.cc b/video/rtp_video_stream_receiver_frame_transformer_delegate.cc
+index f2f81df3ee76603c24ccc8ce93beaedb7d1eeaac..d6c6944e0efe999ea2e4b1a74184e8a74de7312a 100644
+--- a/video/rtp_video_stream_receiver_frame_transformer_delegate.cc
++++ b/video/rtp_video_stream_receiver_frame_transformer_delegate.cc
+@@ -58,6 +58,8 @@ class TransformableVideoReceiverFrame
+     return std::move(frame_);
+   }
+ 
++  Direction GetDirection() const override { return Direction::kReceiver; }
++
+  private:
+   std::unique_ptr<RtpFrameObject> frame_;
+   const VideoFrameMetadata metadata_;
+@@ -110,6 +112,8 @@ void RtpVideoStreamReceiverFrameTransformerDelegate::OnTransformedFrame(
+ void RtpVideoStreamReceiverFrameTransformerDelegate::ManageFrame(
+     std::unique_ptr<TransformableFrameInterface> frame) {
+   RTC_DCHECK_RUN_ON(&network_sequence_checker_);
++  RTC_CHECK_EQ(frame->GetDirection(),
++               TransformableFrameInterface::Direction::kReceiver);
+   if (!receiver_)
+     return;
+   auto transformed_frame = absl::WrapUnique(

shell/browser/api/electron_api_browser_window.cc

@@ -59,6 +59,17 @@ BrowserWindow::BrowserWindow(gin::Arguments* args,
     web_preferences.Set(options::kShow, show);
   }
 
+  bool titleBarOverlay = false;
+  options.Get(options::ktitleBarOverlay, &titleBarOverlay);
+  if (titleBarOverlay) {
+    std::string enabled_features = "";
+    if (web_preferences.Get(options::kEnableBlinkFeatures, &enabled_features)) {
+      enabled_features += ",";
+    }
+    enabled_features += features::kWebAppWindowControlsOverlay.name;
+    web_preferences.Set(options::kEnableBlinkFeatures, enabled_features);
+  }
+
   // Copy the webContents option to webPreferences. This is only used internally
   // to implement nativeWindowOpen option.
   if (options.Get("webContents", &value)) {
@@ -326,6 +337,11 @@ void BrowserWindow::OnWindowLeaveFullScreen() {
   BaseWindow::OnWindowLeaveFullScreen();
 }
 
+void BrowserWindow::UpdateWindowControlsOverlay(
+    const gfx::Rect& bounding_rect) {
+  web_contents()->UpdateWindowControlsOverlay(bounding_rect);
+}
+
 void BrowserWindow::Focus() {
   if (api_web_contents_->IsOffScreen())
     FocusOnWebView();

shell/browser/api/electron_api_browser_window.h

@@ -69,6 +69,7 @@ class BrowserWindow : public BaseWindow,
   void RequestPreferredWidth(int* width) override;
   void OnCloseButtonClicked(bool* prevent_default) override;
   void OnWindowIsKeyChanged(bool is_key) override;
+  void UpdateWindowControlsOverlay(const gfx::Rect& bounding_rect) override;
 
   // BaseWindow:
   void OnWindowClosed() override;

shell/browser/api/electron_api_browser_window_mac.mm

@@ -39,10 +39,7 @@ void BrowserWindow::OverrideNSWindowContentView(
 
 void BrowserWindow::UpdateDraggableRegions(
     const std::vector<mojom::DraggableRegionPtr>& regions) {
-  if (window_->has_frame())
-    return;
-
-  if (!web_contents())
+  if (window_->has_frame() || !web_contents())
     return;
 
   // All ControlRegionViews should be added as children of the WebContentsView,
@@ -78,8 +75,13 @@ void BrowserWindow::UpdateDraggableRegions(
         DraggableRegionsToSkRegion(regions), webViewWidth, webViewHeight);
   }
 
+  // Draggable regions on BrowserViews are independent from those of
+  // BrowserWindows, so if a BrowserView with different draggable regions than
+  // the BrowserWindow it belongs to is superimposed on top of that window, the
+  // draggable regions of the BrowserView take precedence over those of the
+  // BrowserWindow.
   for (NativeBrowserView* view : window_->browser_views()) {
-    view->UpdateDraggableRegions(drag_exclude_rects);
+    view->UpdateDraggableRegions(view->GetDraggableRegions());
   }
 
   // Create and add a ControlRegionView for each region that needs to be

shell/browser/api/electron_api_global_shortcut.cc

@@ -9,6 +9,7 @@
 
 #include "base/stl_util.h"
 #include "base/strings/utf_string_conversions.h"
+#include "chrome/common/extensions/command.h"
 #include "gin/dictionary.h"
 #include "gin/object_template_builder.h"
 #include "shell/browser/api/electron_api_system_preferences.h"
@@ -21,6 +22,7 @@
 #include "base/mac/mac_util.h"
 #endif
 
+using extensions::Command;
 using extensions::GlobalShortcutListener;
 
 namespace {
@@ -28,22 +30,23 @@ namespace {
 #if defined(OS_MAC)
 bool RegisteringMediaKeyForUntrustedClient(const ui::Accelerator& accelerator) {
   if (base::mac::IsAtLeastOS10_14()) {
-    constexpr ui::KeyboardCode mediaKeys[] = {
-        ui::VKEY_MEDIA_PLAY_PAUSE, ui::VKEY_MEDIA_NEXT_TRACK,
-        ui::VKEY_MEDIA_PREV_TRACK, ui::VKEY_MEDIA_STOP,
-        ui::VKEY_VOLUME_UP,        ui::VKEY_VOLUME_DOWN,
-        ui::VKEY_VOLUME_MUTE};
-
-    if (std::find(std::begin(mediaKeys), std::end(mediaKeys),
-                  accelerator.key_code()) != std::end(mediaKeys)) {
-      bool trusted =
-          electron::api::SystemPreferences::IsTrustedAccessibilityClient(false);
-      if (!trusted)
+    if (Command::IsMediaKey(accelerator)) {
+      if (!electron::api::SystemPreferences::IsTrustedAccessibilityClient(
+              false))
         return true;
     }
   }
   return false;
 }
+
+bool MapHasMediaKeys(
+    const std::map<ui::Accelerator, base::RepeatingClosure>& accelerator_map) {
+  auto media_key = std::find_if(
+      accelerator_map.begin(), accelerator_map.end(),
+      [](const auto& ac) { return Command::IsMediaKey(ac.first); });
+
+  return media_key != accelerator_map.end();
+}
 #endif
 
 }  // namespace
@@ -83,7 +86,7 @@ bool GlobalShortcut::RegisterAll(
 
   for (auto& accelerator : accelerators) {
     if (!Register(accelerator, callback)) {
-      // unregister all shortcuts if any failed
+      // Unregister all shortcuts if any failed.
       UnregisterSome(registered);
       return false;
     }
@@ -101,8 +104,12 @@ bool GlobalShortcut::Register(const ui::Accelerator& accelerator,
     return false;
   }
 #if defined(OS_MAC)
-  if (RegisteringMediaKeyForUntrustedClient(accelerator))
-    return false;
+  if (Command::IsMediaKey(accelerator)) {
+    if (RegisteringMediaKeyForUntrustedClient(accelerator))
+      return false;
+
+    GlobalShortcutListener::SetShouldUseInternalMediaKeyHandling(false);
+  }
 #endif
 
   if (!GlobalShortcutListener::GetInstance()->RegisterAccelerator(accelerator,
@@ -123,6 +130,13 @@ void GlobalShortcut::Unregister(const ui::Accelerator& accelerator) {
   if (accelerator_callback_map_.erase(accelerator) == 0)
     return;
 
+#if defined(OS_MAC)
+  if (Command::IsMediaKey(accelerator) &&
+      !MapHasMediaKeys(accelerator_callback_map_)) {
+    GlobalShortcutListener::SetShouldUseInternalMediaKeyHandling(true);
+  }
+#endif
+
   GlobalShortcutListener::GetInstance()->UnregisterAccelerator(accelerator,
                                                                this);
 }

shell/browser/api/electron_api_menu.cc

@@ -236,13 +236,11 @@ std::u16string Menu::GetToolTipAt(int index) const {
   return model_->GetToolTipAt(index);
 }
 
-#if DCHECK_IS_ON()
 std::u16string Menu::GetAcceleratorTextAtForTesting(int index) const {
   ui::Accelerator accelerator;
   model_->GetAcceleratorAtWithParams(index, true, &accelerator);
   return accelerator.GetShortcutText();
 }
-#endif
 
 bool Menu::IsItemCheckedAt(int index) const {
   return model_->IsItemCheckedAt(index);
@@ -297,9 +295,7 @@ v8::Local<v8::ObjectTemplate> Menu::FillObjectTemplate(
       .SetMethod("isVisibleAt", &Menu::IsVisibleAt)
       .SetMethod("popupAt", &Menu::PopupAt)
       .SetMethod("closePopupAt", &Menu::ClosePopupAt)
-#if DCHECK_IS_ON()
-      .SetMethod("getAcceleratorTextAt", &Menu::GetAcceleratorTextAtForTesting)
-#endif
+      .SetMethod("_getAcceleratorTextAt", &Menu::GetAcceleratorTextAtForTesting)
       .Build();
 }
 

shell/browser/api/electron_api_menu.h

@@ -78,9 +78,7 @@ class Menu : public gin::Wrappable<Menu>,
                        int positioning_item,
                        base::OnceClosure callback) = 0;
   virtual void ClosePopupAt(int32_t window_id) = 0;
-#if DCHECK_IS_ON()
   virtual std::u16string GetAcceleratorTextAtForTesting(int index) const;
-#endif
 
   std::unique_ptr<ElectronMenuModel> model_;
   Menu* parent_ = nullptr;

shell/browser/api/electron_api_menu_mac.h

@@ -35,9 +35,7 @@ class MenuMac : public Menu {
                  int positioning_item,
                  base::OnceClosure callback);
   void ClosePopupAt(int32_t window_id) override;
-#if DCHECK_IS_ON()
   std::u16string GetAcceleratorTextAtForTesting(int index) const override;
-#endif
 
  private:
   friend class Menu;

shell/browser/api/electron_api_menu_mac.mm

@@ -127,7 +127,6 @@ void MenuMac::ClosePopupAt(int32_t window_id) {
                                                    std::move(close_popup));
 }
 
-#if DCHECK_IS_ON()
 std::u16string MenuMac::GetAcceleratorTextAtForTesting(int index) const {
   // A least effort to get the real shortcut text of NSMenuItem, the code does
   // not need to be perfect since it is test only.
@@ -163,7 +162,6 @@ std::u16string MenuMac::GetAcceleratorTextAtForTesting(int index) const {
     text += key;
   return text;
 }
-#endif
 
 void MenuMac::ClosePopupOnUI(int32_t window_id) {
   auto controller = popup_controllers_.find(window_id);

shell/browser/api/electron_api_web_contents.cc

@@ -74,6 +74,7 @@
 #include "mojo/public/cpp/system/platform_handle.h"
 #include "ppapi/buildflags/buildflags.h"
 #include "printing/buildflags/buildflags.h"
+#include "services/resource_coordinator/public/cpp/memory_instrumentation/memory_instrumentation.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
 #include "shell/browser/api/electron_api_browser_window.h"
 #include "shell/browser/api/electron_api_debugger.h"
@@ -101,6 +102,7 @@
 #include "shell/browser/web_view_guest_delegate.h"
 #include "shell/browser/web_view_manager.h"
 #include "shell/common/api/electron_api_native_image.h"
+#include "shell/common/api/electron_bindings.h"
 #include "shell/common/color_util.h"
 #include "shell/common/electron_constants.h"
 #include "shell/common/gin_converters/base_converter.h"
@@ -911,6 +913,12 @@ void WebContents::InitWithWebContents(content::WebContents* web_contents,
 }
 
 WebContents::~WebContents() {
+  // clear out objects that have been granted permissions so that when
+  // WebContents::RenderFrameDeleted is called as a result of WebContents
+  // destruction it doesn't try to clear out a granted_devices_
+  // on a destructed object.
+  granted_devices_.clear();
+
   MarkDestroyed();
   // The destroy() is called.
   if (inspectable_web_contents_) {
@@ -1387,8 +1395,19 @@ void WebContents::HandleNewRenderFrame(
     rwh_impl->disable_hidden_ = !background_throttling_;
 
   auto* web_frame = WebFrameMain::FromRenderFrameHost(render_frame_host);
-  if (web_frame)
+  if (web_frame) {
+    // When render process reuse is disabled a new siteinstance will always be
+    // forced for every navigation, if a WebFrameMain instance was created
+    // for a FrameTreeNodeId before navigation started, the corresponding
+    // RenderFrameHost will not be the same when the navigation completes.
+    // Compare GlobalFrameRoutingId to avoid incorrect behavior.
+    if (!ElectronBrowserClient::Get()->CanUseCustomSiteInstance() &&
+        web_frame->render_frame_host()->GetGlobalFrameRoutingId() !=
+            render_frame_host->GetGlobalFrameRoutingId()) {
+      return;
+    }
     web_frame->Connect();
+  }
 }
 
 void WebContents::RenderFrameCreated(
@@ -1404,6 +1423,12 @@ void WebContents::RenderFrameDeleted(
   // - Cross-origin navigation creates a new RFH in a separate process which
   //   is swapped by content::RenderFrameHostManager.
   //
+
+  // clear out objects that have been granted permissions
+  if (!granted_devices_.empty()) {
+    granted_devices_.erase(render_frame_host->GetFrameTreeNodeId());
+  }
+
   // WebFrameMain::FromRenderFrameHost(rfh) will use the RFH's FrameTreeNode ID
   // to find an existing instance of WebFrameMain. During a cross-origin
   // navigation, the deleted RFH will be the old host which was swapped out. In
@@ -1420,12 +1445,11 @@ void WebContents::RenderFrameHostChanged(content::RenderFrameHost* old_host,
   // If an instance of WebFrameMain exists, it will need to have its RFH
   // swapped as well.
   //
-  // |old_host| can be a nullptr in so we use |new_host| for looking up the
+  // |old_host| can be a nullptr so we use |new_host| for looking up the
   // WebFrameMain instance.
   auto* web_frame =
       WebFrameMain::FromFrameTreeNodeId(new_host->GetFrameTreeNodeId());
   if (web_frame) {
-    CHECK_EQ(web_frame->render_frame_host(), old_host);
     web_frame->UpdateRenderFrameHost(new_host);
   }
 }
@@ -1655,6 +1679,9 @@ void WebContents::MessageTo(bool internal,
     gin::Handle<WebFrameMain> web_frame_main =
         WebFrameMain::From(JavascriptEnvironment::GetIsolate(), frame);
 
+    if (!web_frame_main->CheckRenderFrame())
+      return;
+
     int32_t sender_id = ID();
     web_frame_main->GetRendererApi()->Message(internal, channel,
                                               std::move(arguments), sender_id);
@@ -1710,6 +1737,10 @@ void WebContents::ReadyToCommitNavigation(
 
 void WebContents::DidFinishNavigation(
     content::NavigationHandle* navigation_handle) {
+  if (owner_window_) {
+    owner_window_->NotifyLayoutWindowControlsOverlay();
+  }
+
   if (!navigation_handle->HasCommitted())
     return;
   bool is_main_frame = navigation_handle->IsInMainFrame();
@@ -3196,6 +3227,26 @@ void WebContents::NotifyUserActivation() {
         blink::mojom::UserActivationNotificationType::kInteraction);
 }
 
+v8::Local<v8::Promise> WebContents::GetProcessMemoryInfo(v8::Isolate* isolate) {
+  gin_helper::Promise<gin_helper::Dictionary> promise(isolate);
+  v8::Local<v8::Promise> handle = promise.GetHandle();
+
+  auto* frame_host = web_contents()->GetMainFrame();
+  if (!frame_host) {
+    promise.RejectWithErrorMessage("Failed to create memory dump");
+    return handle;
+  }
+
+  auto pid = frame_host->GetProcess()->GetProcess().Pid();
+  v8::Global<v8::Context> context(isolate, isolate->GetCurrentContext());
+  memory_instrumentation::MemoryInstrumentation::GetInstance()
+      ->RequestGlobalDumpForPid(
+          pid, std::vector<std::string>(),
+          base::BindOnce(&ElectronBindings::DidReceiveMemoryDump,
+                         std::move(context), std::move(promise), pid));
+  return handle;
+}
+
 v8::Local<v8::Promise> WebContents::TakeHeapSnapshot(
     v8::Isolate* isolate,
     const base::FilePath& file_path) {
@@ -3244,6 +3295,42 @@ v8::Local<v8::Promise> WebContents::TakeHeapSnapshot(
   return handle;
 }
 
+void WebContents::GrantDevicePermission(
+    const url::Origin& origin,
+    const base::Value* device,
+    content::PermissionType permissionType,
+    content::RenderFrameHost* render_frame_host) {
+  granted_devices_[render_frame_host->GetFrameTreeNodeId()][permissionType]
+                  [origin]
+                      .push_back(
+                          std::make_unique<base::Value>(device->Clone()));
+}
+
+std::vector<base::Value> WebContents::GetGrantedDevices(
+    const url::Origin& origin,
+    content::PermissionType permissionType,
+    content::RenderFrameHost* render_frame_host) {
+  const auto& devices_for_frame_host_it =
+      granted_devices_.find(render_frame_host->GetFrameTreeNodeId());
+  if (devices_for_frame_host_it == granted_devices_.end())
+    return {};
+
+  const auto& current_devices_it =
+      devices_for_frame_host_it->second.find(permissionType);
+  if (current_devices_it == devices_for_frame_host_it->second.end())
+    return {};
+
+  const auto& origin_devices_it = current_devices_it->second.find(origin);
+  if (origin_devices_it == current_devices_it->second.end())
+    return {};
+
+  std::vector<base::Value> results;
+  for (const auto& object : origin_devices_it->second)
+    results.push_back(object->Clone());
+
+  return results;
+}
+
 void WebContents::UpdatePreferredSize(content::WebContents* web_contents,
                                       const gfx::Size& pref_size) {
   Emit("preferred-size-changed", pref_size);
@@ -3802,6 +3889,7 @@ v8::Local<v8::ObjectTemplate> WebContents::FillObjectTemplate(
                  &WebContents::GetWebRTCIPHandlingPolicy)
       .SetMethod("_grantOriginAccess", &WebContents::GrantOriginAccess)
       .SetMethod("takeHeapSnapshot", &WebContents::TakeHeapSnapshot)
+      .SetMethod("_getProcessMemoryInfo", &WebContents::GetProcessMemoryInfo)
       .SetProperty("id", &WebContents::ID)
       .SetProperty("session", &WebContents::Session)
       .SetProperty("hostWebContents", &WebContents::HostWebContents)
@@ -3924,6 +4012,16 @@ gin::Handle<WebContents> WebContentsFromID(v8::Isolate* isolate, int32_t id) {
                   : gin::Handle<WebContents>();
 }
 
+gin::Handle<WebContents> WebContentsFromDevToolsTargetID(
+    v8::Isolate* isolate,
+    std::string target_id) {
+  auto agent_host = content::DevToolsAgentHost::GetForId(target_id);
+  WebContents* contents =
+      agent_host ? WebContents::From(agent_host->GetWebContents()) : nullptr;
+  return contents ? gin::CreateHandle(isolate, contents)
+                  : gin::Handle<WebContents>();
+}
+
 std::vector<gin::Handle<WebContents>> GetAllWebContentsAsV8(
     v8::Isolate* isolate) {
   std::vector<gin::Handle<WebContents>> list;
@@ -3942,6 +4040,7 @@ void Initialize(v8::Local<v8::Object> exports,
   gin_helper::Dictionary dict(isolate, exports);
   dict.Set("WebContents", WebContents::GetConstructor(context));
   dict.SetMethod("fromId", &WebContentsFromID);
+  dict.SetMethod("fromDevToolsTargetId", &WebContentsFromDevToolsTargetID);
   dict.SetMethod("getAllWebContents", &GetAllWebContentsAsV8);
 }
 

shell/browser/api/electron_api_web_contents.h

@@ -20,6 +20,7 @@
 #include "content/common/frame.mojom.h"
 #include "content/public/browser/devtools_agent_host.h"
 #include "content/public/browser/keyboard_event_processing_result.h"
+#include "content/public/browser/permission_type.h"
 #include "content/public/browser/render_widget_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_delegate.h"
@@ -90,6 +91,11 @@ class OffScreenWebContentsView;
 
 namespace api {
 
+using DevicePermissionMap = std::map<
+    int,
+    std::map<content::PermissionType,
+             std::map<url::Origin, std::vector<std::unique_ptr<base::Value>>>>>;
+
 // Wrapper around the content::WebContents.
 class WebContents : public gin::Wrappable<WebContents>,
                     public gin_helper::EventEmitterMixin<WebContents>,
@@ -323,6 +329,7 @@ class WebContents : public gin::Wrappable<WebContents>,
 
   v8::Local<v8::Promise> TakeHeapSnapshot(v8::Isolate* isolate,
                                           const base::FilePath& file_path);
+  v8::Local<v8::Promise> GetProcessMemoryInfo(v8::Isolate* isolate);
 
   // Properties.
   int32_t ID() const { return id_; }
@@ -428,6 +435,21 @@ class WebContents : public gin::Wrappable<WebContents>,
   void DoGetZoomLevel(
       electron::mojom::ElectronBrowser::DoGetZoomLevelCallback callback);
 
+  // Grants |origin| access to |device|.
+  // To be used in place of ObjectPermissionContextBase::GrantObjectPermission.
+  void GrantDevicePermission(const url::Origin& origin,
+                             const base::Value* device,
+                             content::PermissionType permissionType,
+                             content::RenderFrameHost* render_frame_host);
+
+  // Returns the list of devices that |origin| has been granted permission to
+  // access. To be used in place of
+  // ObjectPermissionContextBase::GetGrantedObjects.
+  std::vector<base::Value> GetGrantedDevices(
+      const url::Origin& origin,
+      content::PermissionType permissionType,
+      content::RenderFrameHost* render_frame_host);
+
  private:
   // Does not manage lifetime of |web_contents|.
   WebContents(v8::Isolate* isolate, content::WebContents* web_contents);
@@ -786,6 +808,9 @@ class WebContents : public gin::Wrappable<WebContents>,
 
   service_manager::BinderRegistryWithArgs<content::RenderFrameHost*> registry_;
 
+  // In-memory cache that holds objects that have been granted permissions.
+  DevicePermissionMap granted_devices_;
+
   base::WeakPtrFactory<WebContents> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(WebContents);

shell/browser/api/gpuinfo_manager.cc

@@ -31,9 +31,7 @@ GPUInfoManager::~GPUInfoManager() {
 // Based on
 // https://chromium.googlesource.com/chromium/src.git/+/69.0.3497.106/content/browser/gpu/gpu_data_manager_impl_private.cc#838
 bool GPUInfoManager::NeedsCompleteGpuInfoCollection() const {
-#if defined(OS_MAC)
-  return gpu_data_manager_->GetGPUInfo().gl_vendor.empty();
-#elif defined(OS_WIN)
+#if defined(OS_WIN)
   return gpu_data_manager_->DxdiagDx12VulkanRequested() &&
          gpu_data_manager_->GetGPUInfo().dx_diagnostics.IsEmpty();
 #else

shell/browser/electron_permission_manager.cc

@@ -15,9 +15,17 @@
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/web_contents.h"
+#include "gin/data_object_builder.h"
+#include "shell/browser/api/electron_api_web_contents.h"
 #include "shell/browser/electron_browser_client.h"
 #include "shell/browser/electron_browser_main_parts.h"
+#include "shell/browser/serial/serial_chooser_context.h"
+#include "shell/browser/web_contents_permission_helper.h"
 #include "shell/browser/web_contents_preferences.h"
+#include "shell/common/gin_converters/content_converter.h"
+#include "shell/common/gin_converters/frame_converter.h"
+#include "shell/common/gin_converters/value_converter.h"
+#include "shell/common/gin_helper/event_emitter_caller.h"
 
 namespace electron {
 
@@ -277,6 +285,65 @@ bool ElectronPermissionManager::CheckPermissionWithDetails(
                             mutable_details);
 }
 
+bool ElectronPermissionManager::CheckDevicePermission(
+    content::PermissionType permission,
+    const url::Origin& origin,
+    const base::Value* device,
+    content::RenderFrameHost* render_frame_host) const {
+  auto* web_contents =
+      content::WebContents::FromRenderFrameHost(render_frame_host);
+  api::WebContents* api_web_contents = api::WebContents::From(web_contents);
+
+  if (api_web_contents) {
+    std::vector<base::Value> granted_devices =
+        api_web_contents->GetGrantedDevices(origin, permission,
+                                            render_frame_host);
+
+    for (const auto& granted_device : granted_devices) {
+      if (permission ==
+          static_cast<content::PermissionType>(
+              WebContentsPermissionHelper::PermissionType::SERIAL)) {
+#if defined(OS_WIN)
+        if (device->FindStringKey(kDeviceInstanceIdKey) ==
+            granted_device.FindStringKey(kDeviceInstanceIdKey))
+          return true;
+#else
+        if (device->FindIntKey(kVendorIdKey) !=
+                granted_device.FindIntKey(kVendorIdKey) ||
+            device->FindIntKey(kProductIdKey) !=
+                granted_device.FindIntKey(kProductIdKey) ||
+            *device->FindStringKey(kSerialNumberKey) !=
+                *granted_device.FindStringKey(kSerialNumberKey)) {
+          continue;
+        }
+
+#if defined(OS_MAC)
+        if (*device->FindStringKey(kUsbDriverKey) !=
+            *granted_device.FindStringKey(kUsbDriverKey)) {
+          continue;
+        }
+#endif  // defined(OS_MAC)
+        return true;
+#endif  // defined(OS_WIN)
+      }
+    }
+  }
+  return false;
+}
+
+void ElectronPermissionManager::GrantDevicePermission(
+    content::PermissionType permission,
+    const url::Origin& origin,
+    const base::Value* device,
+    content::RenderFrameHost* render_frame_host) const {
+  auto* web_contents =
+      content::WebContents::FromRenderFrameHost(render_frame_host);
+  api::WebContents* api_web_contents = api::WebContents::From(web_contents);
+  if (api_web_contents)
+    api_web_contents->GrantDevicePermission(origin, device, permission,
+                                            render_frame_host);
+}
+
 blink::mojom::PermissionStatus
 ElectronPermissionManager::GetPermissionStatusForFrame(
     content::PermissionType permission,

shell/browser/electron_permission_manager.h

@@ -13,6 +13,7 @@
 #include "base/containers/id_map.h"
 #include "base/values.h"
 #include "content/public/browser/permission_controller_delegate.h"
+#include "gin/dictionary.h"
 
 namespace content {
 class WebContents;
@@ -77,6 +78,16 @@ class ElectronPermissionManager : public content::PermissionControllerDelegate {
                                   const GURL& requesting_origin,
                                   const base::DictionaryValue* details) const;
 
+  bool CheckDevicePermission(content::PermissionType permission,
+                             const url::Origin& origin,
+                             const base::Value* object,
+                             content::RenderFrameHost* render_frame_host) const;
+
+  void GrantDevicePermission(content::PermissionType permission,
+                             const url::Origin& origin,
+                             const base::Value* object,
+                             content::RenderFrameHost* render_frame_host) const;
+
  protected:
   void OnPermissionResponse(int request_id,
                             int permission_id,

shell/browser/native_browser_view_mac.mm

@@ -59,7 +59,12 @@ const NSAutoresizingMaskOptions kDefaultAutoResizingMask =
 }
 
 - (BOOL)mouseDownCanMoveWindow {
-  return NO;
+  return
+      [self.window respondsToSelector:@selector(performWindowDragWithEvent:)];
+}
+
+- (BOOL)acceptsFirstMouse:(NSEvent*)event {
+  return YES;
 }
 
 - (BOOL)shouldIgnoreMouseEvent {
@@ -81,16 +86,15 @@ const NSAutoresizingMaskOptions kDefaultAutoResizingMask =
 - (void)mouseDown:(NSEvent*)event {
   [super mouseDown:event];
 
-  if ([self.window respondsToSelector:@selector(performWindowDragWithEvent)]) {
+  if ([self.window respondsToSelector:@selector(performWindowDragWithEvent:)]) {
     // According to Google, using performWindowDragWithEvent:
     // does not generate a NSWindowWillMoveNotification. Hence post one.
     [[NSNotificationCenter defaultCenter]
         postNotificationName:NSWindowWillMoveNotification
                       object:self];
 
-    if (@available(macOS 10.11, *)) {
-      [self.window performWindowDragWithEvent:event];
-    }
+    [self.window performWindowDragWithEvent:event];
+
     return;
   }
 
@@ -102,7 +106,7 @@ const NSAutoresizingMaskOptions kDefaultAutoResizingMask =
 }
 
 - (void)mouseDragged:(NSEvent*)event {
-  if ([self.window respondsToSelector:@selector(performWindowDragWithEvent)]) {
+  if ([self.window respondsToSelector:@selector(performWindowDragWithEvent:)]) {
     return;
   }
 

shell/browser/native_browser_view_views.cc

@@ -9,7 +9,7 @@
 #include <vector>
 
 #include "shell/browser/ui/drag_util.h"
-#include "shell/browser/ui/inspectable_web_contents_view.h"
+#include "shell/browser/ui/views/inspectable_web_contents_view_views.h"
 #include "ui/gfx/geometry/rect.h"
 #include "ui/views/background.h"
 #include "ui/views/view.h"
@@ -49,7 +49,7 @@ void NativeBrowserViewViews::SetAutoResizeProportions(
     const gfx::Size& window_size) {
   if ((auto_resize_flags_ & AutoResizeFlags::kAutoResizeHorizontal) &&
       !auto_horizontal_proportion_set_) {
-    auto* iwc_view = GetInspectableWebContentsView();
+    InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
     if (!iwc_view)
       return;
     auto* view = iwc_view->GetView();
@@ -63,7 +63,7 @@ void NativeBrowserViewViews::SetAutoResizeProportions(
   }
   if ((auto_resize_flags_ & AutoResizeFlags::kAutoResizeVertical) &&
       !auto_vertical_proportion_set_) {
-    auto* iwc_view = GetInspectableWebContentsView();
+    InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
     if (!iwc_view)
       return;
     auto* view = iwc_view->GetView();
@@ -80,7 +80,7 @@ void NativeBrowserViewViews::SetAutoResizeProportions(
 void NativeBrowserViewViews::AutoResize(const gfx::Rect& new_window,
                                         int width_delta,
                                         int height_delta) {
-  auto* iwc_view = GetInspectableWebContentsView();
+  InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
   if (!iwc_view)
     return;
   auto* view = iwc_view->GetView();
@@ -124,7 +124,7 @@ void NativeBrowserViewViews::ResetAutoResizeProportions() {
 }
 
 void NativeBrowserViewViews::SetBounds(const gfx::Rect& bounds) {
-  auto* iwc_view = GetInspectableWebContentsView();
+  InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
   if (!iwc_view)
     return;
   auto* view = iwc_view->GetView();
@@ -133,14 +133,20 @@ void NativeBrowserViewViews::SetBounds(const gfx::Rect& bounds) {
 }
 
 gfx::Rect NativeBrowserViewViews::GetBounds() {
-  auto* iwc_view = GetInspectableWebContentsView();
+  InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
   if (!iwc_view)
     return gfx::Rect();
   return iwc_view->GetView()->bounds();
 }
 
+void NativeBrowserViewViews::RenderViewReady() {
+  InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
+  if (iwc_view)
+    iwc_view->GetView()->Layout();
+}
+
 void NativeBrowserViewViews::SetBackgroundColor(SkColor color) {
-  auto* iwc_view = GetInspectableWebContentsView();
+  InspectableWebContentsView* iwc_view = GetInspectableWebContentsView();
   if (!iwc_view)
     return;
   auto* view = iwc_view->GetView();

shell/browser/native_browser_view_views.h

@@ -33,6 +33,9 @@ class NativeBrowserViewViews : public NativeBrowserView {
   void UpdateDraggableRegions(
       const std::vector<mojom::DraggableRegionPtr>& regions) override;
 
+  // WebContentsObserver:
+  void RenderViewReady() override;
+
   SkRegion* draggable_region() const { return draggable_region_.get(); }
 
  private:

shell/browser/native_window.cc

@@ -24,6 +24,34 @@
 #include "ui/display/win/screen_win.h"
 #endif
 
+namespace gin {
+
+template <>
+struct Converter<electron::NativeWindow::TitleBarStyle> {
+  static bool FromV8(v8::Isolate* isolate,
+                     v8::Handle<v8::Value> val,
+                     electron::NativeWindow::TitleBarStyle* out) {
+    using TitleBarStyle = electron::NativeWindow::TitleBarStyle;
+    std::string title_bar_style;
+    if (!ConvertFromV8(isolate, val, &title_bar_style))
+      return false;
+    if (title_bar_style == "hidden") {
+      *out = TitleBarStyle::kHidden;
+#if defined(OS_MAC)
+    } else if (title_bar_style == "hiddenInset") {
+      *out = TitleBarStyle::kHiddenInset;
+    } else if (title_bar_style == "customButtonsOnHover") {
+      *out = TitleBarStyle::kCustomButtonsOnHover;
+#endif
+    } else {
+      return false;
+    }
+    return true;
+  }
+};
+
+}  // namespace gin
+
 namespace electron {
 
 namespace {
@@ -54,6 +82,19 @@ NativeWindow::NativeWindow(const gin_helper::Dictionary& options,
   options.Get(options::kFrame, &has_frame_);
   options.Get(options::kTransparent, &transparent_);
   options.Get(options::kEnableLargerThanScreen, &enable_larger_than_screen_);
+  options.Get(options::kTitleBarStyle, &title_bar_style_);
+
+  v8::Local<v8::Value> titlebar_overlay;
+  if (options.Get(options::ktitleBarOverlay, &titlebar_overlay)) {
+    if (titlebar_overlay->IsBoolean()) {
+      options.Get(options::ktitleBarOverlay, &titlebar_overlay_);
+    } else if (titlebar_overlay->IsObject()) {
+      titlebar_overlay_ = true;
+#if !defined(OS_WIN)
+      DCHECK(false);
+#endif
+    }
+  }
 
   if (parent)
     options.Get("modal", &is_modal_);
@@ -391,6 +432,14 @@ void NativeWindow::PreviewFile(const std::string& path,
 
 void NativeWindow::CloseFilePreview() {}
 
+gfx::Rect NativeWindow::GetWindowControlsOverlayRect() {
+  return overlay_rect_;
+}
+
+void NativeWindow::SetWindowControlsOverlayRect(const gfx::Rect& overlay_rect) {
+  overlay_rect_ = overlay_rect;
+}
+
 void NativeWindow::NotifyWindowRequestPreferredWith(int* width) {
   for (NativeWindowObserver& observer : observers_)
     observer.RequestPreferredWidth(width);
@@ -489,6 +538,7 @@ void NativeWindow::NotifyWindowWillMove(const gfx::Rect& new_bounds,
 }
 
 void NativeWindow::NotifyWindowResize() {
+  NotifyLayoutWindowControlsOverlay();
   for (NativeWindowObserver& observer : observers_)
     observer.OnWindowResize();
 }
@@ -587,6 +637,14 @@ void NativeWindow::NotifyWindowSystemContextMenu(int x,
     observer.OnSystemContextMenu(x, y, prevent_default);
 }
 
+void NativeWindow::NotifyLayoutWindowControlsOverlay() {
+  gfx::Rect bounding_rect = GetWindowControlsOverlayRect();
+  if (!bounding_rect.IsEmpty()) {
+    for (NativeWindowObserver& observer : observers_)
+      observer.UpdateWindowControlsOverlay(bounding_rect);
+  }
+}
+
 #if defined(OS_WIN)
 void NativeWindow::NotifyWindowMessage(UINT message,
                                        WPARAM w_param,

shell/browser/native_window.h

@@ -255,6 +255,9 @@ class NativeWindow : public base::SupportsUserData,
     return weak_factory_.GetWeakPtr();
   }
 
+  virtual gfx::Rect GetWindowControlsOverlayRect();
+  virtual void SetWindowControlsOverlayRect(const gfx::Rect& overlay_rect);
+
   // Methods called by the WebContents.
   virtual void HandleKeyboardEvent(
       content::WebContents*,
@@ -298,6 +301,7 @@ class NativeWindow : public base::SupportsUserData,
                                      const base::DictionaryValue& details);
   void NotifyNewWindowForTab();
   void NotifyWindowSystemContextMenu(int x, int y, bool* prevent_default);
+  void NotifyLayoutWindowControlsOverlay();
 
 #if defined(OS_WIN)
   void NotifyWindowMessage(UINT message, WPARAM w_param, LPARAM l_param);
@@ -311,6 +315,14 @@ class NativeWindow : public base::SupportsUserData,
   views::Widget* widget() const { return widget_.get(); }
   views::View* content_view() const { return content_view_; }
 
+  enum class TitleBarStyle {
+    kNormal,
+    kHidden,
+    kHiddenInset,
+    kCustomButtonsOnHover,
+  };
+  TitleBarStyle title_bar_style() const { return title_bar_style_; }
+
   bool has_frame() const { return has_frame_; }
   void set_has_frame(bool has_frame) { has_frame_ = has_frame; }
 
@@ -342,6 +354,12 @@ class NativeWindow : public base::SupportsUserData,
         [&browser_view](NativeBrowserView* n) { return (n == browser_view); });
   }
 
+  // The boolean parsing of the "titleBarOverlay" option
+  bool titlebar_overlay_ = false;
+
+  // The "titleBarStyle" option.
+  TitleBarStyle title_bar_style_ = TitleBarStyle::kNormal;
+
  private:
   std::unique_ptr<views::Widget> widget_;
 
@@ -390,6 +408,8 @@ class NativeWindow : public base::SupportsUserData,
   // Accessible title.
   std::u16string accessible_title_;
 
+  gfx::Rect overlay_rect_;
+
   base::WeakPtrFactory<NativeWindow> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(NativeWindow);

shell/browser/native_window_mac.h

@@ -147,6 +147,7 @@ class NativeWindowMac : public NativeWindow,
   void CloseFilePreview() override;
   gfx::Rect ContentBoundsToWindowBounds(const gfx::Rect& bounds) const override;
   gfx::Rect WindowBoundsToContentBounds(const gfx::Rect& bounds) const override;
+  gfx::Rect GetWindowControlsOverlayRect() override;
   void NotifyWindowEnterFullScreen() override;
   void NotifyWindowLeaveFullScreen() override;
   void SetActive(bool is_key) override;
@@ -182,19 +183,24 @@ class NativeWindowMac : public NativeWindow,
     kInactive,
   };
 
-  enum class TitleBarStyle {
-    kNormal,
-    kHidden,
-    kHiddenInset,
-    kCustomButtonsOnHover,
-  };
-  TitleBarStyle title_bar_style() const { return title_bar_style_; }
-
   ElectronPreviewItem* preview_item() const { return preview_item_.get(); }
   ElectronTouchBar* touch_bar() const { return touch_bar_.get(); }
   bool zoom_to_page_width() const { return zoom_to_page_width_; }
   bool always_simple_fullscreen() const { return always_simple_fullscreen_; }
 
+  // We need to save the result of windowWillUseStandardFrame:defaultFrame
+  // because macOS calls it with what it refers to as the "best fit" frame for a
+  // zoom. This means that even if an aspect ratio is set, macOS might adjust it
+  // to better fit the screen.
+  //
+  // Thus, we can't just calculate the maximized aspect ratio'd sizing from
+  // the current visible screen and compare that to the current window's frame
+  // to determine whether a window is maximized.
+  NSRect default_frame_for_zoom() const { return default_frame_for_zoom_; }
+  void set_default_frame_for_zoom(NSRect frame) {
+    default_frame_for_zoom_ = frame;
+  }
+
  protected:
   // views::WidgetDelegate:
   bool CanResize() const override;
@@ -249,9 +255,6 @@ class NativeWindowMac : public NativeWindow,
   // The presentation options before entering kiosk mode.
   NSApplicationPresentationOptions kiosk_options_;
 
-  // The "titleBarStyle" option.
-  TitleBarStyle title_bar_style_ = TitleBarStyle::kNormal;
-
   // The "visualEffectState" option.
   VisualEffectState visual_effect_state_ = VisualEffectState::kFollowWindow;
 
@@ -274,6 +277,7 @@ class NativeWindowMac : public NativeWindow,
   NSRect original_frame_;
   NSInteger original_level_;
   NSUInteger simple_fullscreen_mask_;
+  NSRect default_frame_for_zoom_;
 
   std::string vibrancy_type_;