chore: cherry-pick 9bebe8549a36 from chromium (#35884)

* chore: [18-x-y] cherry-pick 9bebe8549a36 from chromium

* resolve conflict

ELECTRON_VERSION

@@ -1 +1 @@
-18.3.13
+18.3.15

package.json

@@ -1,6 +1,6 @@
 {
   "name": "electron",
-  "version": "18.3.13",
+  "version": "18.3.15",
   "repository": "https://github.com/electron/electron",
   "description": "Build cross platform desktop apps with JavaScript, HTML, and CSS",
   "devDependencies": {

patches/chromium/.patches

@@ -152,5 +152,10 @@ cherry-pick-54e32332750c.patch
 cherry-pick-2f19801aeb77.patch
 cherry-pick-96306321286a.patch
 feat_add_set_can_resize_mutator.patch
+cherry-pick-9b5207569882.patch
 cherry-pick-51daffbf5cd8.patch
 cherry-pick-079105b7ebba.patch
+cherry-pick-eb4d31309df7.patch
+cherry-pick-d74d2b9f00c7.patch
+cherry-pick-2083e894852c.patch
+cherry-pick-9bebe8549a36.patch

patches/chromium/cherry-pick-2083e894852c.patch

@@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Anton Bikineev <bikineev@chromium.org>
+Date: Sun, 10 Jul 2022 22:17:03 +0000
+Subject: Fix heap-overflow in blink::TableLayoutAlgorithmAuto::InsertSpanCell
+
+The CL fixes size confusion between Member<> and raw pointers.
+
+The bug was found (and the fix was proposed) by m.cooolie@gmail.com.
+
+Bug: 1341539
+Change-Id: I99d524fd65c2d6305693d09ad274c23178271269
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3751138
+Reviewed-by: Kentaro Hara <haraken@chromium.org>
+Commit-Queue: Anton Bikineev <bikineev@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1022529}
+
+diff --git a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
+index 1e1575cf47027584a9d06d7c5f6046fa15990b10..1a4a06a4761c52b8dd9ae9052b7c51b9236694a5 100644
+--- a/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
++++ b/third_party/blink/renderer/core/layout/table_layout_algorithm_auto.cc
+@@ -673,7 +673,7 @@ void TableLayoutAlgorithmAuto::InsertSpanCell(LayoutTableCell* cell) {
+          span > span_cells_[pos]->ColSpan())
+     pos++;
+   memmove(span_cells_.data() + pos + 1, span_cells_.data() + pos,
+-          (size - pos - 1) * sizeof(LayoutTableCell*));
++          (size - pos - 1) * sizeof(decltype(span_cells_)::value_type));
+   span_cells_[pos] = cell;
+ }
+ 

patches/chromium/cherry-pick-9b5207569882.patch

@@ -0,0 +1,179 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ken Rockot <rockot@google.com>
+Date: Wed, 31 Aug 2022 15:39:45 +0000
+Subject: Mojo: Validate response message type
+
+Ensures that a response message is actually the type expected by the
+original request.
+
+Fixed: 1358134
+Change-Id: I8f8f58168764477fbf7a6d2e8aeb040f07793d45
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3864274
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Commit-Queue: Ken Rockot <rockot@google.com>
+Cr-Commit-Position: refs/heads/main@{#1041553}
+
+diff --git a/mojo/public/cpp/bindings/interface_endpoint_client.h b/mojo/public/cpp/bindings/interface_endpoint_client.h
+index 5434c2189075ba003854d1c2687e72e9d0c553b4..ef8f61c4de81a28057517394a08c07fa4078b494 100644
+--- a/mojo/public/cpp/bindings/interface_endpoint_client.h
++++ b/mojo/public/cpp/bindings/interface_endpoint_client.h
+@@ -213,20 +213,32 @@ class COMPONENT_EXPORT(MOJO_CPP_BINDINGS) InterfaceEndpointClient
+   void ForgetAsyncRequest(uint64_t request_id);
+ 
+  private:
+-  // Maps from the id of a response to the MessageReceiver that handles the
+-  // response.
+-  using AsyncResponderMap =
+-      std::map<uint64_t, std::unique_ptr<MessageReceiver>>;
++  struct PendingAsyncResponse {
++   public:
++    PendingAsyncResponse(uint32_t request_message_name,
++                         std::unique_ptr<MessageReceiver> responder);
++    PendingAsyncResponse(PendingAsyncResponse&&);
++    PendingAsyncResponse(const PendingAsyncResponse&) = delete;
++    PendingAsyncResponse& operator=(PendingAsyncResponse&&);
++    PendingAsyncResponse& operator=(const PendingAsyncResponse&) = delete;
++    ~PendingAsyncResponse();
++
++    uint32_t request_message_name;
++    std::unique_ptr<MessageReceiver> responder;
++  };
++
++  using AsyncResponderMap = std::map<uint64_t, PendingAsyncResponse>;
+ 
+   struct SyncResponseInfo {
+    public:
+-    explicit SyncResponseInfo(bool* in_response_received);
++    SyncResponseInfo(uint32_t request_message_name, bool* in_response_received);
+ 
+     SyncResponseInfo(const SyncResponseInfo&) = delete;
+     SyncResponseInfo& operator=(const SyncResponseInfo&) = delete;
+ 
+     ~SyncResponseInfo();
+ 
++    uint32_t request_message_name;
+     Message response;
+ 
+     // Points to a stack-allocated variable.
+diff --git a/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc b/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc
+index 265c3b4e9b51bd4af8456e2b575518a82aa68322..3ccc876ebc0459841c6dce4bd383d6889d820fa3 100644
+--- a/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc
++++ b/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc
+@@ -27,6 +27,7 @@
+ #include "mojo/public/cpp/bindings/sync_call_restrictions.h"
+ #include "mojo/public/cpp/bindings/sync_event_watcher.h"
+ #include "mojo/public/cpp/bindings/thread_safe_proxy.h"
++#include "third_party/abseil-cpp/absl/types/optional.h"
+ 
+ namespace mojo {
+ 
+@@ -312,9 +313,27 @@ class ResponderThunk : public MessageReceiverWithStatus {
+ 
+ // ----------------------------------------------------------------------------
+ 
++InterfaceEndpointClient::PendingAsyncResponse::PendingAsyncResponse(
++    uint32_t request_message_name,
++    std::unique_ptr<MessageReceiver> responder)
++    : request_message_name(request_message_name),
++      responder(std::move(responder)) {}
++
++InterfaceEndpointClient::PendingAsyncResponse::PendingAsyncResponse(
++    PendingAsyncResponse&&) = default;
++
++InterfaceEndpointClient::PendingAsyncResponse&
++InterfaceEndpointClient::PendingAsyncResponse::operator=(
++    PendingAsyncResponse&&) = default;
++
++InterfaceEndpointClient::PendingAsyncResponse::~PendingAsyncResponse() =
++    default;
++
+ InterfaceEndpointClient::SyncResponseInfo::SyncResponseInfo(
++    uint32_t request_message_name,
+     bool* in_response_received)
+-    : response_received(in_response_received) {}
++    : request_message_name(request_message_name),
++      response_received(in_response_received) {}
+ 
+ InterfaceEndpointClient::SyncResponseInfo::~SyncResponseInfo() {}
+ 
+@@ -598,6 +617,7 @@ bool InterfaceEndpointClient::SendMessageWithResponder(
+   // message before calling |SendMessage()| below.
+ #endif
+ 
++  const uint32_t message_name = message->name();
+   const bool is_sync = message->has_flag(Message::kFlagIsSync);
+   const bool exclusive_wait = message->has_flag(Message::kFlagNoInterrupt);
+   if (!controller_->SendMessage(message))
+@@ -614,7 +634,8 @@ bool InterfaceEndpointClient::SendMessageWithResponder(
+       controller_->RegisterExternalSyncWaiter(request_id);
+     }
+     base::AutoLock lock(async_responders_lock_);
+-    async_responders_[request_id] = std::move(responder);
++    async_responders_.emplace(
++        request_id, PendingAsyncResponse{message_name, std::move(responder)});
+     return true;
+   }
+ 
+@@ -622,7 +643,8 @@ bool InterfaceEndpointClient::SendMessageWithResponder(
+ 
+   bool response_received = false;
+   sync_responses_.insert(std::make_pair(
+-      request_id, std::make_unique<SyncResponseInfo>(&response_received)));
++      request_id,
++      std::make_unique<SyncResponseInfo>(message_name, &response_received)));
+ 
+   base::WeakPtr<InterfaceEndpointClient> weak_self =
+       weak_ptr_factory_.GetWeakPtr();
+@@ -800,13 +822,13 @@ void InterfaceEndpointClient::ResetFromAnotherSequenceUnsafe() {
+ }
+ 
+ void InterfaceEndpointClient::ForgetAsyncRequest(uint64_t request_id) {
+-  std::unique_ptr<MessageReceiver> responder;
++  absl::optional<PendingAsyncResponse> response;
+   {
+     base::AutoLock lock(async_responders_lock_);
+     auto it = async_responders_.find(request_id);
+     if (it == async_responders_.end())
+       return;
+-    responder = std::move(it->second);
++    response = std::move(it->second);
+     async_responders_.erase(it);
+   }
+ }
+@@ -872,6 +894,10 @@ bool InterfaceEndpointClient::HandleValidatedMessage(Message* message) {
+         return false;
+ 
+       if (it->second) {
++        if (message->name() != it->second->request_message_name) {
++          return false;
++        }
++
+         it->second->response = std::move(*message);
+         *it->second->response_received = true;
+         return true;
+@@ -882,18 +908,22 @@ bool InterfaceEndpointClient::HandleValidatedMessage(Message* message) {
+       sync_responses_.erase(it);
+     }
+ 
+-    std::unique_ptr<MessageReceiver> responder;
++    absl::optional<PendingAsyncResponse> pending_response;
+     {
+       base::AutoLock lock(async_responders_lock_);
+       auto it = async_responders_.find(request_id);
+       if (it == async_responders_.end())
+         return false;
+-      responder = std::move(it->second);
++      pending_response = std::move(it->second);
+       async_responders_.erase(it);
+     }
+ 
++    if (message->name() != pending_response->request_message_name) {
++      return false;
++    }
++
+     internal::MessageDispatchContext dispatch_context(message);
+-    return responder->Accept(message);
++    return pending_response->responder->Accept(message);
+   } else {
+     if (mojo::internal::ControlMessageHandler::IsControlMessage(message))
+       return control_message_handler_.Accept(message);

patches/chromium/cherry-pick-9bebe8549a36.patch

@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Xiaocheng Hu <xiaochengh@chromium.org>
+Date: Wed, 28 Sep 2022 19:09:02 +0000
+Subject: Ensure iterator validity in CustomElementRegistry::DefineInternal()
+
+Currently, this function first resolves a promise, and then erases an
+iterator from a hash map, but the promise resolving may run synchronous
+JavaScript that invalidates the iterator.
+
+This patch switches the ordering so that we always use the iterator when
+it's valid.
+
+(cherry picked from commit ed87ab54b29898a96a87e8fd497425db32539350)
+
+(cherry picked from commit b0bfc4334369bd1d44bc6507dfefc012afb7e12d)
+
+Fixed: 1366813
+Change-Id: Iaa6631db5f3ad47049f46ddf909f18a49e5880c0
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3915346
+Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
+Reviewed-by: Joey Arhar <jarhar@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1050816}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3922738
+Commit-Queue: Joey Arhar <jarhar@chromium.org>
+Auto-Submit: Xiaocheng Hu <xiaochengh@chromium.org>
+Cr-Original-Commit-Position: refs/branch-heads/5304@{#203}
+Cr-Original-Branched-From: 5d7b1fc9cb7103d9c82eed647cf4be38cf09738b-refs/heads/main@{#1047731}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3924290
+Cr-Commit-Position: refs/branch-heads/5249@{#686}
+Cr-Branched-From: 4f7bea5de862aaa52e6bde5920755a9ef9db120b-refs/heads/main@{#1036826}
+
+diff --git a/third_party/blink/renderer/core/html/custom/custom_element_registry.cc b/third_party/blink/renderer/core/html/custom/custom_element_registry.cc
+index 5a63b6f0fd74d8c836c805e4d03e7be0b0205f15..6e37fba2cd627d69e602381e79f64c8ba72128b6 100644
+--- a/third_party/blink/renderer/core/html/custom/custom_element_registry.cc
++++ b/third_party/blink/renderer/core/html/custom/custom_element_registry.cc
+@@ -217,8 +217,11 @@ CustomElementDefinition* CustomElementRegistry::DefineInternal(
+   // 16: when-defined promise processing
+   const auto& entry = when_defined_promise_map_.find(name);
+   if (entry != when_defined_promise_map_.end()) {
+-    entry->value->Resolve();
++    ScriptPromiseResolver* resolver = entry->value;
+     when_defined_promise_map_.erase(entry);
++    // Resolve() may run synchronous JavaScript that invalidates iterators of
++    // |when_defined_promise_map_|, so it must be called after erasing |entry|.
++    resolver->Resolve();
+   }
+ 
+   return definition;
+diff --git a/third_party/blink/web_tests/external/wpt/custom-elements/when-defined-reentry-crash.html b/third_party/blink/web_tests/external/wpt/custom-elements/when-defined-reentry-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..38614cbbd7836a955c40ea64165a22bcb44f7e63
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/custom-elements/when-defined-reentry-crash.html
+@@ -0,0 +1,25 @@
++<!DOCTYPE html>
++<meta charset="utf-8">
++<title>Check for crashes when a whenDefined promise resolving re-entries</title>
++<meta name="author" href="mailto:xiaochengh@chromium.org">
++<link rel="help" href="https://html.spec.whatwg.org/multipage/custom-elements.html#custom-elements-api">
++<link rel="help" href="https://bugs.chromium.org/p/chromium/issues/detail?id=1366813">
++<script>
++class CustomElement extends HTMLElement {}
++
++Object.prototype.__defineGetter__("then", main);
++
++let depth = 0;
++function main() {
++  if (depth > 1) return;
++  ++depth;
++  customElements.whenDefined("custom-a"); // Causes re-entry of main()
++  try { customElements.define("custom-a", CustomElement) } catch (e) {}
++  customElements.whenDefined("custom-b");
++  --depth;
++}
++
++main();
++</script>
++
++Test passes if it does not crash.

patches/chromium/cherry-pick-d74d2b9f00c7.patch

@@ -0,0 +1,248 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Zakhar Voit <voit@google.com>
+Date: Wed, 24 Aug 2022 10:59:16 +0000
+Subject: Ensure mouse lock widget pointers are cleared in WebContents
+ destructor
+
+Requesting mouse/pointer lock (e.g., via requestPointerLock() from JS)
+results in setting mouse_lock_widget_ to point to the
+RenderWidgetHost that has the mouse lock, in both the widget's
+WebContents and all its outer WebContents.  When a WebContents is
+destroyed, it normally checks if it has an active mouse lock widget
+and calls RejectMouseLockOrUnlockIfNecessary() if so. This usually
+results in calling LostMouseLock(), which will clear
+mouse_lock_widget_ in both the WebContents being destroyed and all its
+ancestor WebContents.  However, there's a time window where this
+doesn't work with <webview>, where a mouse lock request in the guest
+has to go up to the embedder to asynchronously ask it for the
+corresponding permission before it can be granted.  If the embedder
+ends up destroying the <webview> guest while the guest's mouse lock
+request is pending (prior to responding to that request), it could end
+up with a stale mouse_lock_widget_ pointer, since
+RejectMouseLockOrUnlockIfNecessary() follows a different path for
+pending requests and doesn't clear those pointers.  Sadly, the
+RenderWidgetHost destruction is also not going to trigger clearing
+these pointers as it normally does, since ~WebContentsImpl clears
+delegate_ pointers for all of its widgets before destroying them,
+causing ~RenderWidgetHostImpl::Destroy() to not call
+WebContentsImpl::RenderWidgetDeleted(), which normally does this.
+
+This CL ensures that all mouse_lock_widget_ pointers are cleared on
+the entire WebContents chain in the WebContentsImpl destructor. In the
+future, we could also investigate not setting mouse_lock_widget_
+before we actually decide that a mouse lock request should proceed,
+and removing the current implementation's dependency on that behavior.
+
+(cherry picked from commit 8380553a222cbc2c537ab67fc96e50f611ba4560)
+
+(cherry picked from commit 859cf771d8364577cce49da5520b0e4b44ebb5a9)
+
+Bug: 1346245
+Change-Id: Iaf1fec400ca47d7cb20c21ce145dc041317a7db6
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3823606
+Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1034481}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3838431
+Cr-Original-Commit-Position: refs/branch-heads/5112@{#1498}
+Cr-Original-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3848803
+Owners-Override: Artem Sumaneev <asumaneev@google.com>
+Commit-Queue: Zakhar Voit <voit@google.com>
+Reviewed-by: Artem Sumaneev <asumaneev@google.com>
+Cr-Commit-Position: refs/branch-heads/5005@{#1320}
+Cr-Branched-From: 5b4d9450fee01f821b6400e947b3839727643a71-refs/heads/main@{#992738}
+
+diff --git a/chrome/browser/apps/guest_view/web_view_interactive_browsertest.cc b/chrome/browser/apps/guest_view/web_view_interactive_browsertest.cc
+index eabc5f0ff26468ce557e7eff5e7d1108eb84887a..e078b7f461b21c498e5d60b150978f34cb3c7ad2 100644
+--- a/chrome/browser/apps/guest_view/web_view_interactive_browsertest.cc
++++ b/chrome/browser/apps/guest_view/web_view_interactive_browsertest.cc
+@@ -1490,6 +1490,40 @@ IN_PROC_BROWSER_TEST_F(WebViewInteractiveTest, MAYBE_KeyboardFocusWindowCycle) {
+   ASSERT_TRUE(next_step_listener.WaitUntilSatisfied());
+ }
+ 
++// Ensure that destroying a <webview> with a pending mouse lock request doesn't
++// leave a stale mouse lock widget pointer in the embedder WebContents. See
++// https://crbug.com/1346245.
++IN_PROC_BROWSER_TEST_F(WebViewInteractiveTest,
++                       DestroyGuestWithPendingPointerLock) {
++  LoadAndLaunchPlatformApp("web_view/pointer_lock_pending",
++                           "WebViewTest.LAUNCHED");
++
++  content::WebContents* embedder_web_contents = GetFirstAppWindowWebContents();
++  content::WebContents* guest_web_contents =
++      GetGuestViewManager()->WaitForSingleGuestCreated();
++
++  // The embedder is configured to remove the <webview> as soon as it receives
++  // the pointer lock permission request from the guest, without responding to
++  // it.  Hence, have the guest request pointer lock and wait for its
++  // destruction.
++  content::RenderFrameDeletedObserver observer(
++      guest_web_contents->GetMainFrame());
++  EXPECT_TRUE(content::ExecuteScript(
++      guest_web_contents,
++      "document.querySelector('div').requestPointerLock()"));
++  observer.WaitUntilDeleted();
++
++  // The embedder WebContents shouldn't have a mouse lock widget.
++  EXPECT_FALSE(GetMouseLockWidget(embedder_web_contents));
++
++  // Close the embedder app and ensure that this doesn't crash, which used to
++  // be the case if the mouse lock widget (now destroyed) hadn't been cleared
++  // in the embedder.
++  content::WebContentsDestroyedWatcher destroyed_watcher(embedder_web_contents);
++  CloseAppWindow(GetFirstAppWindow());
++  destroyed_watcher.Wait();
++}
++
+ #if BUILDFLAG(IS_MAC)
+ // This test verifies that replacement range for IME works with <webview>s. To
+ // verify this, a <webview> with an <input> inside is loaded. Then the <input>
+diff --git a/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.html b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..936af1b4ef367a72dbc9c689d119019a10856f42
+--- /dev/null
++++ b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.html
+@@ -0,0 +1,10 @@
++<!--
++ * Copyright 2022 The Chromium Authors. All rights reserved.  Use of this
++ * source code is governed by a BSD-style license that can be found in the
++ * LICENSE file.
++-->
++<html>
++<body>
++  <script src="main.js"></script>
++</body>
++</html>
+diff --git a/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.js b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..c851df9d0ffce8ec432902fb2cd0a3b6ef5047c8
+--- /dev/null
++++ b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/main.js
+@@ -0,0 +1,22 @@
++// Copyright 2022 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++onload = function() {
++  var webview = document.createElement('webview');
++
++  webview.addEventListener('permissionrequest', (e) => {
++    if (e.permission != 'pointerLock') {
++      console.log('Received unexpected permission request: ' + e.permission);
++      e.chrome.test.sendMessage('WebViewTest.FAILURE');
++    }
++    webview.parentNode.removeChild(webview);
++  });
++
++  webview.addEventListener('loadstop', (e) => {
++    chrome.test.sendMessage('WebViewTest.LAUNCHED');
++  });
++
++  webview.src = 'data:text/html,<html><body><div></div></body></html>';
++  document.body.appendChild(webview);
++};
+diff --git a/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/manifest.json b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/manifest.json
+new file mode 100644
+index 0000000000000000000000000000000000000000..ec20c5a50fa78de2e1891a595096a183d6ef7223
+--- /dev/null
++++ b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/manifest.json
+@@ -0,0 +1,13 @@
++{
++  "name": "<webview> pointer lock test.",
++  "manifest_version": 2,
++  "version": "1",
++  "permissions": [
++    "webview"
++  ],
++  "app": {
++    "background": {
++      "scripts": ["test.js"]
++    }
++  }
++}
+diff --git a/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/test.js b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/test.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..2b2b9c232e594f7d5d21f2ce1150518a86f92f0a
+--- /dev/null
++++ b/chrome/test/data/extensions/platform_apps/web_view/pointer_lock_pending/test.js
+@@ -0,0 +1,7 @@
++// Copyright 2022 The Chromium Authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++chrome.app.runtime.onLaunched.addListener(function() {
++  chrome.app.window.create('main.html', {}, function () {});
++});
+diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
+index cbcad21d8e320c6019cc7fbf31bd1c2aac5d03d8..8120b63d4d2ea000a9b9ad2e784ef0fe7effbf94 100644
+--- a/content/browser/web_contents/web_contents_impl.cc
++++ b/content/browser/web_contents/web_contents_impl.cc
+@@ -1023,10 +1023,22 @@ WebContentsImpl::~WebContentsImpl() {
+     outermost->SetAsFocusedWebContentsIfNecessary();
+   }
+ 
+-  if (mouse_lock_widget_)
++  if (mouse_lock_widget_) {
+     mouse_lock_widget_->RejectMouseLockOrUnlockIfNecessary(
+         blink::mojom::PointerLockResult::kElementDestroyed);
+ 
++    // Normally, the call above clears mouse_lock_widget_ pointers on the
++    // entire WebContents chain, since it results in calling LostMouseLock()
++    // when the mouse lock is already active. However, this doesn't work for
++    // <webview> guests if the mouse lock request is still pending while the
++    // <webview> is destroyed. Hence, ensure that all mouse lock widget
++    // pointers are cleared. See https://crbug.com/1346245.
++    for (WebContentsImpl* current = this; current;
++         current = current->GetOuterWebContents()) {
++      current->mouse_lock_widget_ = nullptr;
++    }
++  }
++
+   for (RenderWidgetHostImpl* widget : created_widgets_)
+     widget->DetachDelegate();
+   created_widgets_.clear();
+diff --git a/content/browser/web_contents/web_contents_impl.h b/content/browser/web_contents/web_contents_impl.h
+index fad1663512cf30b270289ecfa9c336b08fe67836..84fd84944cb587729a472f7f630d3ec1c4b1dab6 100644
+--- a/content/browser/web_contents/web_contents_impl.h
++++ b/content/browser/web_contents/web_contents_impl.h
+@@ -1318,6 +1318,10 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+   bool CancelPrerendering(FrameTreeNode* frame_tree_node,
+                           PrerenderHost::FinalStatus final_status);
+ 
++  RenderWidgetHost* mouse_lock_widget_for_testing() {
++    return mouse_lock_widget_;
++  }
++
+  private:
+   using FrameTreeIterationCallback = base::RepeatingCallback<void(FrameTree*)>;
+   using RenderViewHostIterationCallback =
+diff --git a/content/public/test/browser_test_utils.cc b/content/public/test/browser_test_utils.cc
+index 7d158699fc826ba81fe0a271605c3076b01a7590..0614592e1ac848d5d79657ba0524def297055051 100644
+--- a/content/public/test/browser_test_utils.cc
++++ b/content/public/test/browser_test_utils.cc
+@@ -2353,6 +2353,11 @@ RenderWidgetHost* GetKeyboardLockWidget(WebContents* web_contents) {
+   return static_cast<WebContentsImpl*>(web_contents)->GetKeyboardLockWidget();
+ }
+ 
++RenderWidgetHost* GetMouseLockWidget(WebContents* web_contents) {
++  return static_cast<WebContentsImpl*>(web_contents)
++      ->mouse_lock_widget_for_testing();
++}
++
+ bool RequestKeyboardLock(WebContents* web_contents,
+                          absl::optional<base::flat_set<ui::DomCode>> codes) {
+   DCHECK(!codes.has_value() || !codes.value().empty());
+diff --git a/content/public/test/browser_test_utils.h b/content/public/test/browser_test_utils.h
+index f6b2bc3b00cb457e070d92e102692fe2423fe3ed..c74c3336a64d58f2b1ca5c971ff4102776ee57b2 100644
+--- a/content/public/test/browser_test_utils.h
++++ b/content/public/test/browser_test_utils.h
+@@ -1062,6 +1062,9 @@ void UiaGetPropertyValueVtArrayVtUnknownValidate(
+ // Returns the RenderWidgetHost that holds the keyboard lock.
+ RenderWidgetHost* GetKeyboardLockWidget(WebContents* web_contents);
+ 
++// Returns the RenderWidgetHost that holds the mouse lock.
++RenderWidgetHost* GetMouseLockWidget(WebContents* web_contents);
++
+ // Allows tests to drive keyboard lock functionality without requiring access
+ // to the RenderWidgetHostImpl header or setting up an HTTP test server.
+ // |codes| represents the set of keys to lock.  If |codes| has no value, then

patches/chromium/cherry-pick-eb4d31309df7.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Stefan Zager <szager@chromium.org>
+Date: Fri, 9 Sep 2022 01:56:46 +0000
+Subject: Fix for reference to invalid iterator
+
+Evidently, LocalFrameView::layout_subtree_root_list_ can be modified
+during LayoutFromRootObject, leaving the loop variable in an invalid
+state. I don't know the exact sequence, but the test case crashes for
+me without this patch, and doesn't crash with the patch.
+
+(cherry picked from commit 815aa5ca03ab4ecc619b2d2ad7650531bd3892a8)
+
+Bug: 1355237
+Change-Id: Ib17b1fac5b2ec060eda39be76305db18075802fa
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3864877
+Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org>
+Commit-Queue: Stefan Zager <szager@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1041903}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3884238
+Owners-Override: Srinivas Sista <srinivassista@chromium.org>
+Auto-Submit: Srinivas Sista <srinivassista@chromium.org>
+Reviewed-by: Stefan Zager <szager@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5112@{#1566}
+Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729}
+
+diff --git a/third_party/blink/renderer/core/frame/local_frame_view.cc b/third_party/blink/renderer/core/frame/local_frame_view.cc
+index d3d15cc69165d4b1e6160d0013093fdfc2bbd705..69b2fcc4324024f99ecd6415d0c94931866fc55a 100644
+--- a/third_party/blink/renderer/core/frame/local_frame_view.cc
++++ b/third_party/blink/renderer/core/frame/local_frame_view.cc
+@@ -803,6 +803,7 @@ void LocalFrameView::PerformLayout() {
+       }
+       for (auto& root : layout_subtree_root_list_.Ordered()) {
+         bool should_rebuild_fragments = false;
++        LayoutObject& root_layout_object = *root;
+         LayoutBlock* cb = root->ContainingNGBlock();
+         if (cb) {
+           auto it = fragment_tree_spines.find(cb);
+@@ -822,7 +823,7 @@ void LocalFrameView::PerformLayout() {
+         // We need to ensure that we mark up all layoutObjects up to the
+         // LayoutView for paint invalidation. This simplifies our code as we
+         // just always do a full tree walk.
+-        if (LayoutObject* container = root->Container())
++        if (LayoutObject* container = root_layout_object.Container())
+           container->SetShouldCheckForPaintInvalidation();
+       }
+       layout_subtree_root_list_.Clear();

patches/config.json

@@ -27,5 +27,7 @@
 
   "src/electron/patches/pdfium": "src/third_party/pdfium",
 
-  "src/electron/patches/sqlite": "src/third_party/sqlite/src"
+  "src/electron/patches/sqlite": "src/third_party/sqlite/src",
+
+  "src/electron/patches/libaom": "src/third_party/libaom/source/libaom"
 }

patches/libaom/.patches

@@ -0,0 +1 @@
+use_non_normative_scaler_for_non_optimized_ratio.patch

patches/libaom/use_non_normative_scaler_for_non_optimized_ratio.patch

@@ -0,0 +1,96 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jerome Jiang <jianj@google.com>
+Date: Tue, 30 Aug 2022 14:45:28 -0400
+Subject: Use non normative scaler for non optimized ratio
+
+There are only optimized scalers for 1/4, 1/2 and 3/4 scaling ratio.
+SSSE3 also has 2x upscaling optimization.
+Use non normative scalers for all other scaling ratios.
+
+Bug: chromium:1346938
+Bug: chromium:1338114
+Change-Id: I2a01717b56c53c42906440d5a3f95ca2c00dc571
+(cherry picked from commit ff7b753a63a536423a91b64a066bd385c52ceacc)
+
+diff --git a/av1/common/resize.c b/av1/common/resize.c
+index a3c3c0e5160940974fbbbc84d7011fb4bd26f67e..322363fa1e136ce3b77498b9c20b63d27d339471 100644
+--- a/av1/common/resize.c
++++ b/av1/common/resize.c
+@@ -1366,15 +1366,20 @@ YV12_BUFFER_CONFIG *av1_realloc_and_scale_if_required(
+       aom_internal_error(cm->error, AOM_CODEC_MEM_ERROR,
+                          "Failed to allocate scaled buffer");
+ 
++    const bool has_optimized_scaler = av1_has_optimized_scaler(
++        unscaled->y_crop_width, unscaled->y_crop_height, scaled_width,
++        scaled_height);
++
+ #if CONFIG_AV1_HIGHBITDEPTH
+-    if (use_optimized_scaler && cm->seq_params->bit_depth == AOM_BITS_8) {
++    if (use_optimized_scaler && has_optimized_scaler &&
++        cm->seq_params->bit_depth == AOM_BITS_8) {
+       av1_resize_and_extend_frame(unscaled, scaled, filter, phase, num_planes);
+     } else {
+       av1_resize_and_extend_frame_nonnormative(
+           unscaled, scaled, (int)cm->seq_params->bit_depth, num_planes);
+     }
+ #else
+-    if (use_optimized_scaler) {
++    if (use_optimized_scaler && has_optimized_scaler) {
+       av1_resize_and_extend_frame(unscaled, scaled, filter, phase, num_planes);
+     } else {
+       av1_resize_and_extend_frame_nonnormative(
+diff --git a/av1/common/resize.h b/av1/common/resize.h
+index 75abe6274ee73a202bddd14962f1a4ae8083ce94..9bc23b3ffacd4121bf32dd96bae82ba5c799b1ea 100644
+--- a/av1/common/resize.h
++++ b/av1/common/resize.h
+@@ -105,6 +105,24 @@ static INLINE int av1_superres_scaled(const AV1_COMMON *cm) {
+   return !(cm->width == cm->superres_upscaled_width);
+ }
+ 
++// There's SIMD optimizations for 1/4, 1/2 and 3/4 downscaling.
++// SSSE3 also has optimizations for 2x upscaling.
++// Use non normative scalers for other scaling ratios.
++static INLINE bool av1_has_optimized_scaler(const int src_width,
++                                            const int src_height,
++                                            const int dst_width,
++                                            const int dst_height) {
++  const bool has_optimized_scaler =
++      (dst_width * 4 == src_width && dst_height * 4 == src_height) ||
++      (dst_width * 2 == src_width && dst_height * 2 == src_height) ||
++      (dst_width * 4 == src_width * 3 && dst_height * 4 == src_height * 3);
++#if HAVE_SSSE3
++  return has_optimized_scaler ||
++         (dst_width == src_width * 2 && dst_height == src_height * 2);
++#endif
++  return has_optimized_scaler;
++}
++
+ #define UPSCALE_NORMATIVE_TAPS 8
+ extern const int16_t av1_resize_filter_normative[1 << RS_SUBPEL_BITS]
+                                                 [UPSCALE_NORMATIVE_TAPS];
+diff --git a/av1/encoder/encoder_utils.c b/av1/encoder/encoder_utils.c
+index fd8be7bf18e6a138bf20c25370c635cf3b302e10..cebea60eee37777b175f75d863f8cb94410a065a 100644
+--- a/av1/encoder/encoder_utils.c
++++ b/av1/encoder/encoder_utils.c
+@@ -733,15 +733,19 @@ void av1_scale_references(AV1_COMP *cpi, const InterpFilter filter,
+             aom_internal_error(cm->error, AOM_CODEC_MEM_ERROR,
+                                "Failed to allocate frame buffer");
+           }
++          const bool has_optimized_scaler = av1_has_optimized_scaler(
++              cm->width, cm->height, new_fb->buf.y_crop_width,
++              new_fb->buf.y_crop_height);
+ #if CONFIG_AV1_HIGHBITDEPTH
+-          if (use_optimized_scaler && cm->seq_params->bit_depth == AOM_BITS_8)
++          if (use_optimized_scaler && has_optimized_scaler &&
++              cm->seq_params->bit_depth == AOM_BITS_8)
+             av1_resize_and_extend_frame(ref, &new_fb->buf, filter, phase,
+                                         num_planes);
+           else
+             av1_resize_and_extend_frame_nonnormative(
+                 ref, &new_fb->buf, (int)cm->seq_params->bit_depth, num_planes);
+ #else
+-          if (use_optimized_scaler)
++          if (use_optimized_scaler && has_optimized_scaler)
+             av1_resize_and_extend_frame(ref, &new_fb->buf, filter, phase,
+                                         num_planes);
+           else

patches/pdfium/.patches

@@ -1 +1,4 @@
 cherry-pick-3466cc056b05.patch
+cherry-pick-a66438897056.patch
+cherry-pick-7f0bb5197ed1.patch
+cherry-pick-497f077a1d46.patch

patches/pdfium/cherry-pick-497f077a1d46.patch

@@ -0,0 +1,374 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <tsepez@chromium.org>
+Date: Thu, 8 Sep 2022 23:05:34 +0000
+Subject: Return retained const objects from SearchNameNodeByNameInternal()
+
+Cherry-pick of d51720c9bb55d1163ab4fdcdc6981e753aa2354d + manual
+conflict resolution.
+
+Bug: chromium:1358075
+Change-Id: Ibb20a6feaf79f7b351f22c607c306da40026d53e
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/97739
+Auto-Submit: Tom Sepez <tsepez@chromium.org>
+Reviewed-by: Lei Zhang <thestig@chromium.org>
+Commit-Queue: Lei Zhang <thestig@chromium.org>
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+
+diff --git a/core/fpdfapi/parser/cpdf_array.h b/core/fpdfapi/parser/cpdf_array.h
+index 223cd59ab7cb6cc2c08071118d1fbb3241904c6b..a2c067878847cc8ed17eb78bee416716f08a338b 100644
+--- a/core/fpdfapi/parser/cpdf_array.h
++++ b/core/fpdfapi/parser/cpdf_array.h
+@@ -194,4 +194,8 @@ inline RetainPtr<CPDF_Array> ToArray(RetainPtr<CPDF_Object> obj) {
+   return RetainPtr<CPDF_Array>(ToArray(obj.Get()));
+ }
+ 
++inline RetainPtr<const CPDF_Array> ToArray(RetainPtr<const CPDF_Object> obj) {
++  return RetainPtr<const CPDF_Array>(ToArray(obj.Get()));
++}
++
+ #endif  // CORE_FPDFAPI_PARSER_CPDF_ARRAY_H_
+diff --git a/core/fpdfapi/parser/cpdf_dictionary.h b/core/fpdfapi/parser/cpdf_dictionary.h
+index fe990efaa9844fc6a7aa2c6fd671d74a2446383a..6fe4a7bb2ce48d1faac7fc1ffb471cc3d85b50af 100644
+--- a/core/fpdfapi/parser/cpdf_dictionary.h
++++ b/core/fpdfapi/parser/cpdf_dictionary.h
+@@ -170,4 +170,9 @@ inline RetainPtr<CPDF_Dictionary> ToDictionary(RetainPtr<CPDF_Object> obj) {
+   return RetainPtr<CPDF_Dictionary>(ToDictionary(obj.Get()));
+ }
+ 
++inline RetainPtr<const CPDF_Dictionary> ToDictionary(
++    RetainPtr<const CPDF_Object> obj) {
++  return RetainPtr<const CPDF_Dictionary>(ToDictionary(obj.Get()));
++}
++
+ #endif  // CORE_FPDFAPI_PARSER_CPDF_DICTIONARY_H_
+diff --git a/core/fpdfapi/parser/cpdf_number.h b/core/fpdfapi/parser/cpdf_number.h
+index 864bbb2186f0c6208db9942121d2f80b214d46a1..0ca1130ec5a0f595054ff3e4d3d73c5e57f94e6c 100644
+--- a/core/fpdfapi/parser/cpdf_number.h
++++ b/core/fpdfapi/parser/cpdf_number.h
+@@ -49,4 +49,12 @@ inline const CPDF_Number* ToNumber(const CPDF_Object* obj) {
+   return obj ? obj->AsNumber() : nullptr;
+ }
+ 
++inline RetainPtr<CPDF_Number> ToNumber(RetainPtr<CPDF_Object> obj) {
++  return RetainPtr<CPDF_Number>(ToNumber(obj.Get()));
++}
++
++inline RetainPtr<const CPDF_Number> ToNumber(RetainPtr<const CPDF_Object> obj) {
++  return RetainPtr<const CPDF_Number>(ToNumber(obj.Get()));
++}
++
+ #endif  // CORE_FPDFAPI_PARSER_CPDF_NUMBER_H_
+diff --git a/core/fpdfapi/parser/cpdf_stream.h b/core/fpdfapi/parser/cpdf_stream.h
+index bb61f8c2f7c65cdfab98463e46cb9514884a5ebc..7eab920a862d3c08540d4cb591ed4ff49dc2431d 100644
+--- a/core/fpdfapi/parser/cpdf_stream.h
++++ b/core/fpdfapi/parser/cpdf_stream.h
+@@ -93,4 +93,8 @@ inline RetainPtr<CPDF_Stream> ToStream(RetainPtr<CPDF_Object> obj) {
+   return RetainPtr<CPDF_Stream>(ToStream(obj.Get()));
+ }
+ 
++inline RetainPtr<const CPDF_Stream> ToStream(RetainPtr<const CPDF_Object> obj) {
++  return RetainPtr<const CPDF_Stream>(ToStream(obj.Get()));
++}
++
+ #endif  // CORE_FPDFAPI_PARSER_CPDF_STREAM_H_
+diff --git a/core/fpdfdoc/cpdf_dest.cpp b/core/fpdfdoc/cpdf_dest.cpp
+index f3b11523918258e7702bda360129857165abc945..fcc09d9e580832678980987489d58ac3c7c0b9bf 100644
+--- a/core/fpdfdoc/cpdf_dest.cpp
++++ b/core/fpdfdoc/cpdf_dest.cpp
+@@ -41,9 +41,11 @@ CPDF_Dest CPDF_Dest::Create(CPDF_Document* pDoc, const CPDF_Object* pDest) {
+   if (!pDest)
+     return CPDF_Dest(nullptr);
+ 
+-  if (pDest->IsString() || pDest->IsName())
+-    return CPDF_Dest(CPDF_NameTree::LookupNamedDest(pDoc, pDest->GetString()));
+-
++  if (pDest->IsString() || pDest->IsName()) {
++    // TODO(tsepez): make CPDF_Dest constructor take retained args.
++    return CPDF_Dest(
++        CPDF_NameTree::LookupNamedDest(pDoc, pDest->GetString()).Get());
++  }
+   return CPDF_Dest(pDest->AsArray());
+ }
+ 
+diff --git a/core/fpdfdoc/cpdf_nametree.cpp b/core/fpdfdoc/cpdf_nametree.cpp
+index 20b68b5874ff14b5625c6fc028211ce44b53a119..7c48adbc7bb742a6133badb99cfaa0722bfb147a 100644
+--- a/core/fpdfdoc/cpdf_nametree.cpp
++++ b/core/fpdfdoc/cpdf_nametree.cpp
+@@ -169,7 +169,7 @@ bool UpdateNodesAndLimitsUponDeletion(CPDF_Dictionary* pNode,
+ // will be the index of |csName| in |ppFind|. If |csName| is not found, |ppFind|
+ // will be the leaf array that |csName| should be added to, and |pFindIndex|
+ // will be the index that it should be added at.
+-CPDF_Object* SearchNameNodeByNameInternal(
++RetainPtr<const CPDF_Object> SearchNameNodeByNameInternal(
+     const RetainPtr<CPDF_Dictionary>& pNode,
+     const WideString& csName,
+     int nLevel,
+@@ -216,7 +216,7 @@ CPDF_Object* SearchNameNodeByNameInternal(
+         continue;
+ 
+       *nIndex += i;
+-      return pNames->GetDirectObjectAt(i * 2 + 1);
++      return pdfium::WrapRetain(pNames->GetDirectObjectAt(i * 2 + 1));
+     }
+     *nIndex += dwCount;
+     return nullptr;
+@@ -232,7 +232,7 @@ CPDF_Object* SearchNameNodeByNameInternal(
+     if (!pKid)
+       continue;
+ 
+-    CPDF_Object* pFound = SearchNameNodeByNameInternal(
++    RetainPtr<const CPDF_Object> pFound = SearchNameNodeByNameInternal(
+         pKid, csName, nLevel + 1, nIndex, ppFind, pFindIndex);
+     if (pFound)
+       return pFound;
+@@ -242,10 +242,11 @@ CPDF_Object* SearchNameNodeByNameInternal(
+ 
+ // Wrapper for SearchNameNodeByNameInternal() so callers do not need to know
+ // about the details.
+-CPDF_Object* SearchNameNodeByName(const RetainPtr<CPDF_Dictionary>& pNode,
+-                                  const WideString& csName,
+-                                  RetainPtr<CPDF_Array>* ppFind,
+-                                  int* pFindIndex) {
++RetainPtr<const CPDF_Object> SearchNameNodeByName(
++    const RetainPtr<CPDF_Dictionary>& pNode,
++    const WideString& csName,
++    RetainPtr<CPDF_Array>* ppFind,
++    int* pFindIndex) {
+   size_t nIndex = 0;
+   return SearchNameNodeByNameInternal(pNode, csName, 0, &nIndex, ppFind,
+                                       pFindIndex);
+@@ -343,24 +344,25 @@ size_t CountNamesInternal(CPDF_Dictionary* pNode, int nLevel) {
+   return nCount;
+ }
+ 
+-CPDF_Array* GetNamedDestFromObject(CPDF_Object* obj) {
+-  if (!obj)
+-    return nullptr;
+-  CPDF_Array* array = obj->AsArray();
++RetainPtr<const CPDF_Array> GetNamedDestFromObject(
++    RetainPtr<const CPDF_Object> obj) {
++  RetainPtr<const CPDF_Array> array = ToArray(obj);
+   if (array)
+     return array;
+-  CPDF_Dictionary* dict = obj->AsDictionary();
++  RetainPtr<const CPDF_Dictionary> dict = ToDictionary(obj);
+   if (dict)
+-    return dict->GetArrayFor("D");
++    return pdfium::WrapRetain(dict->GetArrayFor("D"));
+   return nullptr;
+ }
+ 
+-CPDF_Array* LookupOldStyleNamedDest(CPDF_Document* pDoc,
+-                                    const ByteString& name) {
+-  CPDF_Dictionary* pDests = pDoc->GetRoot()->GetDictFor("Dests");
++RetainPtr<const CPDF_Array> LookupOldStyleNamedDest(CPDF_Document* pDoc,
++                                                    const ByteString& name) {
++  const CPDF_Dictionary* pDests = pDoc->GetRoot()->GetDictFor("Dests");
+   if (!pDests)
+     return nullptr;
+-  return GetNamedDestFromObject(pDests->GetDirectObjectFor(name));
++  // TODO(tsepez): return const retained objects from CPDF object getters.
++  return GetNamedDestFromObject(
++      pdfium::WrapRetain(pDests->GetDirectObjectFor(name)));
+ }
+ 
+ }  // namespace
+@@ -423,9 +425,10 @@ std::unique_ptr<CPDF_NameTree> CPDF_NameTree::CreateForTesting(
+ }
+ 
+ // static
+-CPDF_Array* CPDF_NameTree::LookupNamedDest(CPDF_Document* pDoc,
+-                                           const ByteString& name) {
+-  CPDF_Array* dest_array = nullptr;
++RetainPtr<const CPDF_Array> CPDF_NameTree::LookupNamedDest(
++    CPDF_Document* pDoc,
++    const ByteString& name) {
++  RetainPtr<const CPDF_Array> dest_array;
+   std::unique_ptr<CPDF_NameTree> name_tree = Create(pDoc, "Dests");
+   if (name_tree)
+     dest_array = name_tree->LookupNewStyleNamedDest(name);
+@@ -525,10 +528,12 @@ CPDF_Object* CPDF_NameTree::LookupValueAndName(size_t nIndex,
+   return result.value().value;
+ }
+ 
+-CPDF_Object* CPDF_NameTree::LookupValue(const WideString& csName) const {
++RetainPtr<const CPDF_Object> CPDF_NameTree::LookupValue(
++    const WideString& csName) const {
+   return SearchNameNodeByName(m_pRoot, csName, nullptr, nullptr);
+ }
+ 
+-CPDF_Array* CPDF_NameTree::LookupNewStyleNamedDest(const ByteString& sName) {
++RetainPtr<const CPDF_Array> CPDF_NameTree::LookupNewStyleNamedDest(
++    const ByteString& sName) {
+   return GetNamedDestFromObject(LookupValue(PDF_DecodeText(sName.raw_span())));
+ }
+diff --git a/core/fpdfdoc/cpdf_nametree.h b/core/fpdfdoc/cpdf_nametree.h
+index e27f5b13cd76052e1de533b94f85ae505aa56339..30371b42ac622b53b79e180789a491a917c3f263 100644
+--- a/core/fpdfdoc/cpdf_nametree.h
++++ b/core/fpdfdoc/cpdf_nametree.h
+@@ -38,14 +38,14 @@ class CPDF_NameTree {
+   static std::unique_ptr<CPDF_NameTree> CreateForTesting(
+       CPDF_Dictionary* pRoot);
+ 
+-  static CPDF_Array* LookupNamedDest(CPDF_Document* doc,
+-                                     const ByteString& name);
++  static RetainPtr<const CPDF_Array> LookupNamedDest(CPDF_Document* doc,
++                                                     const ByteString& name);
+ 
+   bool AddValueAndName(RetainPtr<CPDF_Object> pObj, const WideString& name);
+   bool DeleteValueAndName(size_t nIndex);
+ 
+   CPDF_Object* LookupValueAndName(size_t nIndex, WideString* csName) const;
+-  CPDF_Object* LookupValue(const WideString& csName) const;
++  RetainPtr<const CPDF_Object> LookupValue(const WideString& csName) const;
+ 
+   size_t GetCount() const;
+   CPDF_Dictionary* GetRootForTesting() const { return m_pRoot.Get(); }
+@@ -53,7 +53,7 @@ class CPDF_NameTree {
+  private:
+   explicit CPDF_NameTree(CPDF_Dictionary* pRoot);
+ 
+-  CPDF_Array* LookupNewStyleNamedDest(const ByteString& name);
++  RetainPtr<const CPDF_Array> LookupNewStyleNamedDest(const ByteString& name);
+ 
+   const RetainPtr<CPDF_Dictionary> m_pRoot;
+ };
+diff --git a/core/fpdfdoc/cpdf_nametree_unittest.cpp b/core/fpdfdoc/cpdf_nametree_unittest.cpp
+index 36617e74d438985b17a889043f2e5ac73836bb3a..e144033bfd66448e45267788d66e577ab366b964 100644
+--- a/core/fpdfdoc/cpdf_nametree_unittest.cpp
++++ b/core/fpdfdoc/cpdf_nametree_unittest.cpp
+@@ -120,7 +120,7 @@ TEST(cpdf_nametree, GetUnicodeNameWithBOM) {
+   EXPECT_STREQ(L"1", stored_name.c_str());
+ 
+   // Check that the correct value object can be obtained by looking up "1".
+-  const CPDF_Number* pNumber = ToNumber(name_tree->LookupValue(L"1"));
++  RetainPtr<const CPDF_Number> pNumber = ToNumber(name_tree->LookupValue(L"1"));
+   ASSERT_TRUE(pNumber);
+   EXPECT_EQ(100, pNumber->GetInteger());
+ }
+@@ -140,7 +140,8 @@ TEST(cpdf_nametree, GetFromTreeWithLimitsArrayWith4Items) {
+   std::unique_ptr<CPDF_NameTree> name_tree =
+       CPDF_NameTree::CreateForTesting(pRootDict.Get());
+ 
+-  const CPDF_Number* pNumber = ToNumber(name_tree->LookupValue(L"9.txt"));
++  RetainPtr<const CPDF_Number> pNumber =
++      ToNumber(name_tree->LookupValue(L"9.txt"));
+   ASSERT_TRUE(pNumber);
+   EXPECT_EQ(999, pNumber->GetInteger());
+   CheckLimitsArray(pKid1, "1.txt", "9.txt");
+diff --git a/fpdfsdk/fpdf_view.cpp b/fpdfsdk/fpdf_view.cpp
+index e253687e461bdce6046655ea8fd10240c755a8b6..597be5c902af271014e921531eab56cfa166602a 100644
+--- a/fpdfsdk/fpdf_view.cpp
++++ b/fpdfsdk/fpdf_view.cpp
+@@ -1048,7 +1048,9 @@ FPDF_GetNamedDestByName(FPDF_DOCUMENT document, FPDF_BYTESTRING name) {
+     return nullptr;
+ 
+   ByteString dest_name(name);
+-  return FPDFDestFromCPDFArray(CPDF_NameTree::LookupNamedDest(pDoc, dest_name));
++  // TODO(tsepez): murky ownership, should caller get a reference?
++  return FPDFDestFromCPDFArray(
++      CPDF_NameTree::LookupNamedDest(pDoc, dest_name).Get());
+ }
+ 
+ #ifdef PDF_ENABLE_V8
+diff --git a/fxjs/cjs_document.cpp b/fxjs/cjs_document.cpp
+index 328ff282ac8564992570b39b3610b0846ab02535..f228df7229b2df9cb2342a353881b2d802a345ae 100644
+--- a/fxjs/cjs_document.cpp
++++ b/fxjs/cjs_document.cpp
+@@ -1394,12 +1394,13 @@ CJS_Result CJS_Document::gotoNamedDest(
+     return CJS_Result::Failure(JSMessage::kBadObjectError);
+ 
+   CPDF_Document* pDocument = m_pFormFillEnv->GetPDFDocument();
+-  CPDF_Array* dest_array = CPDF_NameTree::LookupNamedDest(
++  RetainPtr<const CPDF_Array> dest_array = CPDF_NameTree::LookupNamedDest(
+       pDocument, pRuntime->ToByteString(params[0]));
+   if (!dest_array)
+     return CJS_Result::Failure(JSMessage::kBadObjectError);
+ 
+-  CPDF_Dest dest(dest_array);
++  // TODO(tsepez): make CPDF_Dest constructor take retained argument.
++  CPDF_Dest dest(dest_array.Get());
+   const CPDF_Array* arrayObject = dest.GetArray();
+   std::vector<float> scrollPositionArray;
+   if (arrayObject) {
+diff --git a/testing/resources/javascript/bug_1358075.in b/testing/resources/javascript/bug_1358075.in
+new file mode 100644
+index 0000000000000000000000000000000000000000..b503bf2d81eb3ca9adaa108c5075c04fa1c69f89
+--- /dev/null
++++ b/testing/resources/javascript/bug_1358075.in
+@@ -0,0 +1,39 @@
++{{header}}
++{{object 1 0}} <<
++  /Pages 1 0 R
++  /OpenAction 2 0 R
++  /Names <<
++    /Dests 3 0 R
++  >>
++>>
++endobj
++{{object 2 0}} <<
++  /Type /Action
++  /S /JavaScript
++  /JS (
++        this.gotoNamedDest\("2"\);
++        app.alert\("completed"\);
++  )
++>>
++endobj
++{{object 3 0}} <<
++  /Kids 4 0 R
++>>
++endobj
++{{object 4 0}} [
++  (1)
++  (3)
++  <<
++    /Kids [
++      <<
++        /Limits 4 0 R
++        /Names [(2) []]
++      >>
++    ]
++  >>
++]
++endobj
++{{xref}}
++{{trailer}}
++{{startxref}}
++%%EOF
+diff --git a/testing/resources/javascript/bug_1358075_expected.txt b/testing/resources/javascript/bug_1358075_expected.txt
+new file mode 100644
+index 0000000000000000000000000000000000000000..13d460b3b9aa905cec757ab821b980f379772565
+--- /dev/null
++++ b/testing/resources/javascript/bug_1358075_expected.txt
+@@ -0,0 +1 @@
++Alert: completed
+diff --git a/xfa/fxfa/cxfa_ffdoc.cpp b/xfa/fxfa/cxfa_ffdoc.cpp
+index 4838e1096d131159a6f2f49b7db9312027e7fede..46e7887413d11efd0fbee2f883d9e2b68e8f975e 100644
+--- a/xfa/fxfa/cxfa_ffdoc.cpp
++++ b/xfa/fxfa/cxfa_ffdoc.cpp
+@@ -280,7 +280,8 @@ RetainPtr<CFX_DIBitmap> CXFA_FFDoc::GetPDFNamedImage(WideStringView wsName,
+   if (count == 0)
+     return nullptr;
+ 
+-  CPDF_Object* pObject = name_tree->LookupValue(WideString(wsName));
++  RetainPtr<const CPDF_Object> pObject =
++      name_tree->LookupValue(WideString(wsName));
+   if (!pObject) {
+     for (size_t i = 0; i < count; ++i) {
+       WideString wsTemp;
+@@ -292,11 +293,12 @@ RetainPtr<CFX_DIBitmap> CXFA_FFDoc::GetPDFNamedImage(WideStringView wsName,
+     }
+   }
+ 
+-  CPDF_Stream* pStream = ToStream(pObject);
++  RetainPtr<const CPDF_Stream> pStream = ToStream(pObject);
+   if (!pStream)
+     return nullptr;
+ 
+-  auto pAcc = pdfium::MakeRetain<CPDF_StreamAcc>(pStream);
++  // TODO(tsepez): make CPDF_StreamAcc constructor take retained argument.
++  auto pAcc = pdfium::MakeRetain<CPDF_StreamAcc>(pStream.Get());
+   pAcc->LoadAllDataFiltered();
+ 
+   auto pImageFileRead =

patches/pdfium/cherry-pick-7f0bb5197ed1.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <tsepez@chromium.org>
+Date: Thu, 8 Sep 2022 23:45:54 +0000
+Subject: Avoid de-referencing end() in GetNextAvailContentHeight().
+
+Add the same HasCurrentViewRecord() check as in other methods.
+
+Bug: chromium:1355682
+Change-Id: I466f386f037801daa82ead30239f34e025748748
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/96910
+Reviewed-by: Lei Zhang <thestig@chromium.org>
+Auto-Submit: Tom Sepez <tsepez@chromium.org>
+Commit-Queue: Lei Zhang <thestig@chromium.org>
+(cherry picked from commit 0d76a139d7ffbbdfb0ef5f5e714597a25f9767c4)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/97738
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+
+diff --git a/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp b/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp
+index 086e02d686d9fcabea6c3320ce515ae5180b6443..a92c1dfbea9684c9258b9eef594b94f93af4f525 100644
+--- a/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp
++++ b/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp
+@@ -1550,6 +1550,8 @@ void CXFA_ViewLayoutProcessor::ProcessLastPageSet() {
+ }
+ 
+ bool CXFA_ViewLayoutProcessor::GetNextAvailContentHeight(float fChildHeight) {
++  if (!HasCurrentViewRecord())
++    return false;
+   CXFA_Node* pCurContentNode =
+       GetCurrentViewRecord()->pCurContentArea->GetFormNode();
+   if (!pCurContentNode)

patches/pdfium/cherry-pick-a66438897056.patch

@@ -0,0 +1,127 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <tsepez@chromium.org>
+Date: Thu, 8 Sep 2022 21:45:44 +0000
+Subject: Enforce maximum legal object number during linearized parses.
+
+- Watch for overflow of object numbers.
+- Re-validate CPDF_Object pointer after notification in CPDF_FormField.
+
+Bug: chromium:1358090
+Change-Id: I1effd8f47277d177c804dd14b20b101e71780067
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/97130
+Reviewed-by: Lei Zhang <thestig@chromium.org>
+Commit-Queue: Tom Sepez <tsepez@chromium.org>
+(cherry picked from commit 81ab3354f79765438bad0e9d683adcfce96727fa)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/97733
+Auto-Submit: Tom Sepez <tsepez@chromium.org>
+Commit-Queue: Lei Zhang <thestig@chromium.org>
+
+diff --git a/core/fpdfapi/parser/cpdf_hint_tables.cpp b/core/fpdfapi/parser/cpdf_hint_tables.cpp
+index 3445e90c9f68bc2386272b4d72f72d90c10bf7ec..0f2632c6d4a5dd7e6cd18c7d2bdc370b68e5bcb9 100644
+--- a/core/fpdfapi/parser/cpdf_hint_tables.cpp
++++ b/core/fpdfapi/parser/cpdf_hint_tables.cpp
+@@ -13,6 +13,7 @@
+ #include "core/fpdfapi/parser/cpdf_dictionary.h"
+ #include "core/fpdfapi/parser/cpdf_document.h"
+ #include "core/fpdfapi/parser/cpdf_linearized_header.h"
++#include "core/fpdfapi/parser/cpdf_parser.h"
+ #include "core/fpdfapi/parser/cpdf_read_validator.h"
+ #include "core/fpdfapi/parser/cpdf_stream.h"
+ #include "core/fpdfapi/parser/cpdf_stream_acc.h"
+@@ -101,7 +102,7 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
+ 
+   // Item 1: The least number of objects in a page.
+   const uint32_t dwObjLeastNum = hStream->GetBits(32);
+-  if (!dwObjLeastNum)
++  if (!dwObjLeastNum || dwObjLeastNum >= CPDF_Parser::kMaxObjectNumber)
+     return false;
+ 
+   // Item 2: The location of the first page's page object.
+@@ -164,7 +165,7 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
+   m_PageInfos[nFirstPageNum].set_start_obj_num(
+       m_pLinearized->GetFirstPageObjNum());
+   // The object number of remaining pages starts from 1.
+-  uint32_t dwStartObjNum = 1;
++  FX_SAFE_UINT32 dwStartObjNum = 1;
+   for (uint32_t i = 0; i < nPages; ++i) {
+     FX_SAFE_UINT32 safeDeltaObj = hStream->GetBits(dwDeltaObjectsBits);
+     safeDeltaObj += dwObjLeastNum;
+@@ -173,8 +174,12 @@ bool CPDF_HintTables::ReadPageHintTable(CFX_BitStream* hStream) {
+     m_PageInfos[i].set_objects_count(safeDeltaObj.ValueOrDie());
+     if (i == nFirstPageNum)
+       continue;
+-    m_PageInfos[i].set_start_obj_num(dwStartObjNum);
++    m_PageInfos[i].set_start_obj_num(dwStartObjNum.ValueOrDie());
+     dwStartObjNum += m_PageInfos[i].objects_count();
++    if (!dwStartObjNum.IsValid() ||
++        dwStartObjNum.ValueOrDie() >= CPDF_Parser::kMaxObjectNumber) {
++      return false;
++    }
+   }
+   hStream->ByteAlign();
+ 
+diff --git a/core/fpdfdoc/cpdf_formfield.cpp b/core/fpdfdoc/cpdf_formfield.cpp
+index 456acea63b761e601046d9862fdab032ba20f71d..691b52450fe8d63c77fbc9f3e930b03d932adad0 100644
+--- a/core/fpdfdoc/cpdf_formfield.cpp
++++ b/core/fpdfdoc/cpdf_formfield.cpp
+@@ -178,14 +178,15 @@ bool CPDF_FormField::ResetField() {
+     case kRichText:
+     case kFile:
+     default: {
+-      const CPDF_Object* pDV = GetDefaultValueObject();
+       WideString csDValue;
+-      if (pDV)
+-        csDValue = pDV->GetUnicodeText();
+-
+       WideString csValue;
+       {
+-        // Limit the scope of |pV| because it may get invalidated below.
++        // Limit scope of |pDV| and |pV| because they may get invalidated
++        // during notification below.
++        const CPDF_Object* pDV = GetDefaultValueObject();
++        if (pDV)
++          csDValue = pDV->GetUnicodeText();
++
+         const CPDF_Object* pV = GetValueObject();
+         if (pV)
+           csValue = pV->GetUnicodeText();
+@@ -195,21 +196,26 @@ bool CPDF_FormField::ResetField() {
+       if (!bHasRV && (csDValue == csValue))
+         return false;
+ 
+-      if (!NotifyBeforeValueChange(csDValue)) {
++      if (!NotifyBeforeValueChange(csDValue))
+         return false;
+-      }
+-      if (pDV) {
+-        RetainPtr<CPDF_Object> pClone = pDV->Clone();
+-        if (!pClone)
+-          return false;
+-
+-        m_pDict->SetFor(pdfium::form_fields::kV, std::move(pClone));
+-        if (bHasRV) {
+-          m_pDict->SetFor("RV", pDV->Clone());
++
++      {
++        // Limit scope of |pDV| because it may get invalidated during
++        // notification below.
++        const CPDF_Object* pDV = GetDefaultValueObject();
++        if (pDV) {
++          RetainPtr<CPDF_Object> pClone = pDV->Clone();
++          if (!pClone)
++            return false;
++
++          m_pDict->SetFor(pdfium::form_fields::kV, std::move(pClone));
++          if (bHasRV) {
++            m_pDict->SetFor("RV", pDV->Clone());
++          }
++        } else {
++          m_pDict->RemoveFor(pdfium::form_fields::kV);
++          m_pDict->RemoveFor("RV");
+         }
+-      } else {
+-        m_pDict->RemoveFor(pdfium::form_fields::kV);
+-        m_pDict->RemoveFor("RV");
+       }
+       NotifyAfterValueChange();
+       break;

patches/sqlite/.patches

@@ -1 +1,2 @@
 utf-8_q_simplify_20the_20logic_20that_20converts_20the_20_1_20.patch
+utf-8_q_when_20applying_20the_20omit-order-by_20optimization.patch

patches/sqlite/utf-8_q_when_20applying_20the_20omit-order-by_20optimization.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ayu Ishii <ayui@chromium.org>
+Date: Fri, 15 Jul 2022 13:20:47 +0000
+Subject: When applying the omit-ORDER-BY optimization, defer deleting the AST
+ of the deleted ORDER BY clause until after code generation ends.
+
+FossilOrigin-Name: b88d6c4b814ec4166ec50f32a2f10d7857df05414c0048c1234ab290a273e50c
+(cherry picked from commit 9dde91f61386e4fc53eb95b6cbd26bf30521225f)
+Bug: 1343348
+Change-Id: Id677f72166c00a05f95c25438230f4b1d40f4d4d
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/3764026
+Reviewed-by: Austin Sullivan <asully@chromium.org>
+Commit-Queue: Ayu Ishii <ayui@chromium.org>
+Reviewed-by: Joshua Bell <jsbell@chromium.org>
+
+diff --git a/amalgamation/sqlite3.c b/amalgamation/sqlite3.c
+index c7f9ddb45fe5b8ec29b37406308df66797a2d7b7..80d356ed5a66ad6e5bf2ce3fdba2f0686cb451bd 100644
+--- a/amalgamation/sqlite3.c
++++ b/amalgamation/sqlite3.c
+@@ -139696,7 +139696,9 @@ SQLITE_PRIVATE int sqlite3Select(
+     ){
+       SELECTTRACE(0x100,pParse,p,
+                 ("omit superfluous ORDER BY on %r FROM-clause subquery\n",i+1));
+-      sqlite3ExprListDelete(db, pSub->pOrderBy);
++      sqlite3ParserAddCleanup(pParse,
++         (void(*)(sqlite3*,void*))sqlite3ExprListDelete,
++         pSub->pOrderBy);
+       pSub->pOrderBy = 0;
+     }
+ 
+diff --git a/amalgamation_dev/sqlite3.c b/amalgamation_dev/sqlite3.c
+index b5c0c9e93abe5c16af86b8a4444b35c6880b2ba7..9da59fc429290ba0964f2c2abd4dd8c4312e864d 100644
+--- a/amalgamation_dev/sqlite3.c
++++ b/amalgamation_dev/sqlite3.c
+@@ -139709,7 +139709,9 @@ SQLITE_PRIVATE int sqlite3Select(
+     ){
+       SELECTTRACE(0x100,pParse,p,
+                 ("omit superfluous ORDER BY on %r FROM-clause subquery\n",i+1));
+-      sqlite3ExprListDelete(db, pSub->pOrderBy);
++      sqlite3ParserAddCleanup(pParse,
++         (void(*)(sqlite3*,void*))sqlite3ExprListDelete,
++         pSub->pOrderBy);
+       pSub->pOrderBy = 0;
+     }
+ 
+diff --git a/src/select.c b/src/select.c
+index 7f15c2acb28c109cda63b6e08370910ca0da76f4..f2e319e3405526055cc7fdbd9073bdebdfb3a94a 100644
+--- a/src/select.c
++++ b/src/select.c
+@@ -6491,7 +6491,9 @@ int sqlite3Select(
+     ){
+       SELECTTRACE(0x100,pParse,p,
+                 ("omit superfluous ORDER BY on %r FROM-clause subquery\n",i+1));
+-      sqlite3ExprListDelete(db, pSub->pOrderBy);
++      sqlite3ParserAddCleanup(pParse,
++         (void(*)(sqlite3*,void*))sqlite3ExprListDelete,
++         pSub->pOrderBy);
+       pSub->pOrderBy = 0;
+     }
+ 

patches/v8/.patches

@@ -12,3 +12,6 @@ cherry-pick-44c4e56fea2c.patch
 version_10_2_154_10_cherry-pick.patch
 cherry-pick-13ffdf63a471.patch
 cherry-pick-8ea66a7833e2.patch
+cherry-pick-c0a5a7d5006d.patch
+cherry-pick-3704cf78f471.patch
+cherry-pick-2f6a2939514f.patch

patches/v8/cherry-pick-2f6a2939514f.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tobias Tebbi <tebbi@chromium.org>
+Date: Thu, 1 Sep 2022 15:35:33 +0200
+Subject: Merged: [compiler] fix typing of [[DateValue]]
+
+Bug: chromium:1356308
+(cherry picked from commit ae329407989f1e4689baba7a7827863057d688a9)
+
+Change-Id: I1e132e96325296d180488774ef183daa36dc22c7
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3915224
+Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
+Cr-Commit-Position: refs/branch-heads/10.6@{#25}
+Cr-Branched-From: 41bc7435693fbce8ef86753cd9239e30550a3e2d-refs/heads/10.6.194@{#1}
+Cr-Branched-From: d5f29b929ce7746409201d77f44048f3e9529b40-refs/heads/main@{#82548}
+
+diff --git a/src/compiler/type-cache.h b/src/compiler/type-cache.h
+index 6442b6f6b0ee39bf1a820168e9dd924e81bc0cb3..a34d094edaa4cb7dd7ac692e4a11d7c890744d7c 100644
+--- a/src/compiler/type-cache.h
++++ b/src/compiler/type-cache.h
+@@ -131,9 +131,10 @@ class V8_EXPORT_PRIVATE TypeCache final {
+   Type const kStringLengthType = CreateRange(0.0, String::kMaxLength);
+ 
+   // A time value always contains a tagged number in the range
+-  // [-kMaxTimeInMs, kMaxTimeInMs].
+-  Type const kTimeValueType =
+-      CreateRange(-DateCache::kMaxTimeInMs, DateCache::kMaxTimeInMs);
++  // [-kMaxTimeInMs, kMaxTimeInMs] or -0.
++  Type const kTimeValueType = Type::Union(
++      CreateRange(-DateCache::kMaxTimeInMs, DateCache::kMaxTimeInMs),
++      Type::MinusZero(), zone());
+ 
+   // The JSDate::day property always contains a tagged number in the range
+   // [1, 31] or NaN.

patches/v8/cherry-pick-3704cf78f471.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20Inf=C3=BChr?= <dinfuehr@chromium.org>
+Date: Thu, 8 Sep 2022 16:27:54 +0200
+Subject: Merged: [heap] Fix aborting compaction with map space compaction
+
+Revision: 3ec02e314cfca04e7457a60363af98b9c9957b16
+
+BUG=chromium:1359294,v8:12578
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+R=mlippautz@chromium.org
+
+Change-Id: I04093833a1bfef4269eb578fa5a002872015199e
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3882977
+Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
+Cr-Commit-Position: refs/branch-heads/10.4@{#43}
+Cr-Branched-From: b1413ed7c71ababe05d590de4b5c4ed97b68693e-refs/heads/10.4.132@{#1}
+Cr-Branched-From: 9d0a09368569234a1d1094975e2e92591922cd08-refs/heads/main@{#80972}
+
+diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
+index 6999d52f2d38b1eb937e5fb46d26a90d4bfe6c0f..bdbafb366d430cb4e9481abbe2a296bdaf8843b6 100644
+--- a/src/heap/mark-compact.cc
++++ b/src/heap/mark-compact.cc
+@@ -1897,7 +1897,7 @@ class EvacuateRecordOnlyVisitor final : public HeapObjectVisitor {
+     // Instead of calling object.IterateBodyFast(cage_base(), &visitor) here
+     // we can shortcut and use the precomputed size value passed to the visitor.
+     DCHECK_EQ(object.SizeFromMap(map), size);
+-    object.IterateBodyFast(map, size, &visitor);
++    object.IterateFast(map, size, &visitor);
+     return true;
+   }
+ 

patches/v8/cherry-pick-c0a5a7d5006d.patch

@@ -0,0 +1,168 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@chromium.org>
+Date: Tue, 5 Jul 2022 10:01:42 +0200
+Subject: Fix flag mismatch in serialized data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 3483b970eb1c35f96b2b605cfaf6ca25dc9b6ab9)
+
+Bug: v8:11111,chromium:1339648
+No-Try: true
+No-Presubmit: true
+No-Tree-Checks: true
+Change-Id: I3b472f74f37a4e1514ce20635b16970e95a36e15
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3735162
+Reviewed-by: Shu-yu Guo <syg@chromium.org>
+Commit-Queue: Marja Hölttä <marja@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#81598}
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859324
+Reviewed-by: Simon Zünd <szuend@chromium.org>
+Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
+Commit-Queue: Roger Felipe Zanoni da Silva <rzanoni@google.com>
+Cr-Commit-Position: refs/branch-heads/10.2@{#29}
+Cr-Branched-From: 374091f382e88095694c1283cbdc2acddc1b1417-refs/heads/10.2.154@{#1}
+Cr-Branched-From: f0c353f6315eeb2212ba52478983a3b3af07b5b1-refs/heads/main@{#79976}
+
+diff --git a/src/objects/value-serializer.cc b/src/objects/value-serializer.cc
+index 179c47ca4903bf9cbce5a3f78eb18ef8ffc9d48b..94655f46e33b737c37c2cb3a03f9e0f385cdd454 100644
+--- a/src/objects/value-serializer.cc
++++ b/src/objects/value-serializer.cc
+@@ -63,6 +63,17 @@ static const uint32_t kLatestVersion = 15;
+ static_assert(kLatestVersion == v8::CurrentValueSerializerFormatVersion(),
+               "Exported format version must match latest version.");
+ 
++namespace {
++// For serializing JSArrayBufferView flags. Instead of serializing /
++// deserializing the flags directly, we serialize them bit by bit. This is for
++// ensuring backwards compatilibity in the case where the representation
++// changes. Note that the ValueSerializer data can be stored on disk.
++using JSArrayBufferViewIsLengthTracking = base::BitField<bool, 0, 1>;
++using JSArrayBufferViewIsBackedByRab =
++    JSArrayBufferViewIsLengthTracking::Next<bool, 1>;
++
++}  // namespace
++
+ template <typename T>
+ static size_t BytesNeededForVarint(T value) {
+   static_assert(std::is_integral<T>::value && std::is_unsigned<T>::value,
+@@ -923,6 +934,8 @@ Maybe<bool> ValueSerializer::WriteJSArrayBuffer(
+   if (byte_length > std::numeric_limits<uint32_t>::max()) {
+     return ThrowDataCloneError(MessageTemplate::kDataCloneError, array_buffer);
+   }
++  // TODO(v8:11111): Support RAB / GSAB. The wire version will need to be
++  // bumped.
+   WriteTag(SerializationTag::kArrayBuffer);
+   WriteVarint<uint32_t>(byte_length);
+   WriteRawBytes(array_buffer->backing_store(), byte_length);
+@@ -951,7 +964,10 @@ Maybe<bool> ValueSerializer::WriteJSArrayBufferView(JSArrayBufferView view) {
+   WriteVarint(static_cast<uint8_t>(tag));
+   WriteVarint(static_cast<uint32_t>(view.byte_offset()));
+   WriteVarint(static_cast<uint32_t>(view.byte_length()));
+-  WriteVarint(static_cast<uint32_t>(view.bit_field()));
++  uint32_t flags =
++      JSArrayBufferViewIsLengthTracking::encode(view.is_length_tracking()) |
++      JSArrayBufferViewIsBackedByRab::encode(view.is_backed_by_rab());
++  WriteVarint(flags);
+   return ThrowIfOutOfMemory();
+ }
+ 
+@@ -1948,7 +1964,7 @@ MaybeHandle<JSArrayBuffer> ValueDeserializer::ReadTransferredJSArrayBuffer() {
+ 
+ MaybeHandle<JSArrayBufferView> ValueDeserializer::ReadJSArrayBufferView(
+     Handle<JSArrayBuffer> buffer) {
+-  uint32_t buffer_byte_length = static_cast<uint32_t>(buffer->byte_length());
++  uint32_t buffer_byte_length = static_cast<uint32_t>(buffer->GetByteLength());
+   uint8_t tag = 0;
+   uint32_t byte_offset = 0;
+   uint32_t byte_length = 0;
+@@ -1972,7 +1988,9 @@ MaybeHandle<JSArrayBufferView> ValueDeserializer::ReadJSArrayBufferView(
+       Handle<JSDataView> data_view =
+           isolate_->factory()->NewJSDataView(buffer, byte_offset, byte_length);
+       AddObjectWithID(id, data_view);
+-      data_view->set_bit_field(flags);
++      if (!ValidateAndSetJSArrayBufferViewFlags(*data_view, *buffer, flags)) {
++        return MaybeHandle<JSArrayBufferView>();
++      }
+       return data_view;
+     }
+ #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype) \
+@@ -1989,11 +2007,39 @@ MaybeHandle<JSArrayBufferView> ValueDeserializer::ReadJSArrayBufferView(
+   }
+   Handle<JSTypedArray> typed_array = isolate_->factory()->NewJSTypedArray(
+       external_array_type, buffer, byte_offset, byte_length / element_size);
+-  typed_array->set_bit_field(flags);
++  if (!ValidateAndSetJSArrayBufferViewFlags(*typed_array, *buffer, flags)) {
++    return MaybeHandle<JSArrayBufferView>();
++  }
+   AddObjectWithID(id, typed_array);
+   return typed_array;
+ }
+ 
++bool ValueDeserializer::ValidateAndSetJSArrayBufferViewFlags(
++    JSArrayBufferView view, JSArrayBuffer buffer, uint32_t serialized_flags) {
++  bool is_length_tracking =
++      JSArrayBufferViewIsLengthTracking::decode(serialized_flags);
++  bool is_backed_by_rab =
++      JSArrayBufferViewIsBackedByRab::decode(serialized_flags);
++
++  // TODO(marja): When the version number is bumped the next time, check that
++  // serialized_flags doesn't contain spurious 1-bits.
++
++  if (is_backed_by_rab || is_length_tracking) {
++    if (!FLAG_harmony_rab_gsab) {
++      return false;
++    }
++    if (!buffer.is_resizable()) {
++      return false;
++    }
++    if (is_backed_by_rab && buffer.is_shared()) {
++      return false;
++    }
++  }
++  view.set_is_length_tracking(is_length_tracking);
++  view.set_is_backed_by_rab(is_backed_by_rab);
++  return true;
++}
++
+ MaybeHandle<Object> ValueDeserializer::ReadJSError() {
+   Handle<Object> message = isolate_->factory()->undefined_value();
+   Handle<Object> options = isolate_->factory()->undefined_value();
+diff --git a/src/objects/value-serializer.h b/src/objects/value-serializer.h
+index a3ab32b2cd556ee676a1adc565496c35ba1cfe4b..4b780caf3dbf8a940bdf877f78c0b5f912b4b9e7 100644
+--- a/src/objects/value-serializer.h
++++ b/src/objects/value-serializer.h
+@@ -291,6 +291,9 @@ class ValueDeserializer {
+       V8_WARN_UNUSED_RESULT;
+   MaybeHandle<JSArrayBufferView> ReadJSArrayBufferView(
+       Handle<JSArrayBuffer> buffer) V8_WARN_UNUSED_RESULT;
++  bool ValidateAndSetJSArrayBufferViewFlags(
++      JSArrayBufferView view, JSArrayBuffer buffer,
++      uint32_t serialized_flags) V8_WARN_UNUSED_RESULT;
+   MaybeHandle<Object> ReadJSError() V8_WARN_UNUSED_RESULT;
+ #if V8_ENABLE_WEBASSEMBLY
+   MaybeHandle<JSObject> ReadWasmModuleTransfer() V8_WARN_UNUSED_RESULT;
+diff --git a/test/mjsunit/rab-gsab-valueserializer.js b/test/mjsunit/rab-gsab-valueserializer.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..f523648095f2508680c3c63591364e52909e1d6c
+--- /dev/null
++++ b/test/mjsunit/rab-gsab-valueserializer.js
+@@ -0,0 +1,17 @@
++// Copyright 2022 the V8 project authors. All rights reserved.
++// Use of this source code is governed by a BSD-style license that can be
++// found in the LICENSE file.
++
++// Flags: --harmony-rab-gsab
++
++"use strict";
++
++(function FlagMismatch() {
++  // Length tracking TA, buffer not resizable.
++  const data1 = new Uint8Array([255, 15, 66, 4, 3, 5, 7, 11, 86, 66, 1, 2, 1]);
++  assertThrows(() => { d8.serializer.deserialize(data1.buffer); });
++
++  // RAB backed TA, buffer not resizable.
++  const data2 = new Uint8Array([255, 15, 66, 4, 3, 5, 7, 11, 86, 66, 1, 2, 2]);
++  assertThrows(() => { d8.serializer.deserialize(data2.buffer); });
++})();

shell/browser/api/electron_api_web_contents.cc

@@ -144,6 +144,10 @@
 #include "shell/browser/osr/osr_web_contents_view.h"
 #endif
 
+#if BUILDFLAG(IS_WIN)
+#include "shell/browser/native_window_views.h"
+#endif
+
 #if !BUILDFLAG(IS_MAC)
 #include "ui/aura/window.h"
 #else
@@ -174,9 +178,8 @@
 
 #if BUILDFLAG(IS_WIN)
 #include "printing/backend/win_helper.h"
-#include "shell/browser/native_window_views.h"
-#endif
 #endif
+#endif  // BUILDFLAG(ENABLE_PRINTING)
 
 #if BUILDFLAG(ENABLE_PICTURE_IN_PICTURE)
 #include "chrome/browser/picture_in_picture/picture_in_picture_window_manager.h"

shell/browser/resources/win/electron.rc

@@ -50,8 +50,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 18,3,13,0
- PRODUCTVERSION 18,3,13,0
+ FILEVERSION 18,3,15,0
+ PRODUCTVERSION 18,3,15,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -68,12 +68,12 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "GitHub, Inc."
             VALUE "FileDescription", "Electron"
-            VALUE "FileVersion", "18.3.13"
+            VALUE "FileVersion", "18.3.15"
             VALUE "InternalName", "electron.exe"
             VALUE "LegalCopyright", "Copyright (C) 2015 GitHub, Inc. All rights reserved."
             VALUE "OriginalFilename", "electron.exe"
             VALUE "ProductName", "Electron"
-            VALUE "ProductVersion", "18.3.13"
+            VALUE "ProductVersion", "18.3.15"
             VALUE "SquirrelAwareVersion", "1"
         END
     END