ci: update actions to node24 (#50523)

ci: update actions to node24 (#50373)

* ci: update actions to node24

* chore: fixup actions/cache to 5.0.4 everywhere

(cherry picked from commit 639d3b99b7)

.github/actions/build-electron/action.yml

@@ -125,6 +125,9 @@ runs:
         fi
         sed $SEDOPTION '/.*builtins-pgo/d' out/Default/mksnapshot_args
         sed $SEDOPTION '/--turbo-profiling-input/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--reorder-builtins/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--warn-about-builtin-profile-data/d' out/Default/mksnapshot_args
+        sed $SEDOPTION '/--abort-on-bad-builtin-profile-data/d' out/Default/mksnapshot_args
 
         if [ "${{ inputs.target-platform }}" = "win" ]; then
           cd out/Default
@@ -271,12 +274,12 @@ runs:
       run: ./src/electron/script/actions/move-artifacts.sh
     - name: Upload Generated Artifacts ${{ inputs.step-suffix }}
       if: always() && !cancelled()
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: generated_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./generated_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
     - name: Upload Src Artifacts ${{ inputs.step-suffix }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}

.github/actions/checkout/action.yml

@@ -43,7 +43,7 @@ runs:
       curl --unix-socket /var/run/sas/sas.sock --fail "http://foo/$CACHE_FILE?platform=${{ inputs.target-platform }}&getAccountName=true" > sas-token
   - name: Save SAS Key
     if: ${{ inputs.generate-sas-token == 'true' }}
-    uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}

.github/actions/install-dependencies/action.yml

@@ -7,7 +7,7 @@ runs:
     shell: bash
     id: yarn-cache-dir-path
     run: echo "dir=$(node src/electron/script/yarn.js config get cacheFolder)" >> $GITHUB_OUTPUT
-  - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+  - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     id: yarn-cache
     with:
       path: ${{ steps.yarn-cache-dir-path.outputs.dir }}

.github/actions/restore-cache-azcopy/action.yml

@@ -8,14 +8,14 @@ runs:
   steps:
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-1
       enableCrossOsArchive: true
   - name: Obtain SAS Key
     continue-on-error: true
-    uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
     with:
       path: sas-token
       key: sas-key-${{ inputs.target-platform }}-${{ github.run_number }}-${{ github.run_attempt }}
@@ -24,7 +24,7 @@ runs:
     # The cache will always exist here as a result of the checkout job
     # Either it was uploaded to Azure in the checkout job for this commit
     # or it was uploaded in the checkout job for a previous commit.
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3
@@ -101,7 +101,7 @@ runs:
 
   - name: Move Src Cache (Windows)
     if: ${{ inputs.target-platform == 'win' }}
-    uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+    uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
     with:
       timeout_minutes: 30
       max_attempts: 3

.github/workflows/apply-patches.yml

@@ -71,3 +71,11 @@ jobs:
       uses: ./src/electron/.github/actions/checkout
       with:
         target-platform: linux
+    - name: Upload Patch Conflict Fix
+      if: ${{ failure() }}
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: update-patches
+        path: patches/update-patches.patch
+        if-no-files-found: ignore
+        archive: false

.github/workflows/build.yml

@@ -431,3 +431,30 @@ jobs:
     - name: GitHub Actions Jobs Done
       run: |
         echo "All GitHub Actions Jobs are done"
+
+  check-signed-commits:
+    name: Check signed commits in green PR
+    needs: gha-done
+    if: ${{ contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
+            for all incoming PRs. To get your PR merged, please sign those commits 
+            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
+            (`git push --force-with-lease`)
+
+            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+      - name: Remove needs-signed-commits label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --remove-label needs-signed-commits

.github/workflows/pipeline-segment-electron-test.yml

@@ -191,15 +191,25 @@ jobs:
       run: |
         cd src/out/Default
         unzip -:o dist.zip
-    #- name: Import & Trust Self-Signed Codesigning Cert on MacOS
-    #  if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
-    #  run: |
-    #    sudo security authorizationdb write com.apple.trust-settings.admin allow
-    #    cd src/electron
-    #    ./script/codesign/generate-identity.sh
+    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: |
+        cd src/electron
+        ./script/codesign/generate-identity.sh
+    # Only sign on x64 — arm64 builds are already ad-hoc signed, and re-signing
+    # with an untrusted cert breaks macOS system integrations (e.g. dock bounce).
+    # Autoupdater tests sign their own fixture copies via signApp().
+    - name: Sign Electron.app for macOS tests
+      if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+      run: |
+        identity=$(src/electron/script/codesign/get-trusted-identity.sh)
+        if [ -n "$identity" ]; then
+          codesign -s "$identity" --deep --force src/out/Default/Electron.app
+        fi
 
     - name: Run Electron Tests
       shell: bash
+      timeout-minutes: 40
       env:
         MOCHA_REPORTER: mocha-multi-reporters
         MOCHA_MULTI_REPORTERS: mocha-junit-reporter, tap
@@ -250,6 +260,19 @@ jobs:
             
           fi
         fi
+    - name: Take screenshot on timeout or cancellation
+      if: ${{ inputs.target-platform != 'linux' && (cancelled() || failure()) }}
+      shell: bash
+      run: |
+        screenshot_dir="src/electron/spec/artifacts"
+        mkdir -p "$screenshot_dir"
+        screenshot_file="$screenshot_dir/screenshot-timeout-$(date +%Y%m%d%H%M%S).png"
+        if [ "${{ inputs.target-platform }}" = "macos" ]; then
+          screencapture -x "$screenshot_file" || true
+        elif [ "${{ inputs.target-platform }}" = "win" ]; then
+          powershell -command "Add-Type -AssemblyName System.Windows.Forms; \$screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; \$bitmap = New-Object System.Drawing.Bitmap(\$screen.Width, \$screen.Height); \$graphics = [System.Drawing.Graphics]::FromImage(\$bitmap); \$graphics.CopyFromScreen(\$screen.Location, [System.Drawing.Point]::Empty, \$screen.Size); \$bitmap.Save('$screenshot_file')" || true
+        fi
+
     - name: Upload Test results to Datadog
       env:
         DD_ENV: ci
@@ -265,8 +288,8 @@ jobs:
         fi
       if: always() && !cancelled()
     - name: Upload Test Artifacts
-      if: always() && !cancelled()
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+      if: always()
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
       with:
         name: test_artifacts_${{ env.ARTIFACT_KEY }}_${{ matrix.shard }}
         path: src/electron/spec/artifacts

.github/workflows/pull-request-opened-synchronized.yml

@@ -0,0 +1,35 @@
+name: Pull Request Opened/Synchronized
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+permissions: {}
+
+jobs:
+  check-signed-commits:
+    name: Check signed commits in PR
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'needs-signed-commits')}}
+    runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Check signed commits in PR
+        uses: 1Password/check-signed-commits-action@ed2885f3ed2577a4f5d3c3fe895432a557d23d52 # v1
+        with:
+          comment: |
+            ⚠️ This PR contains unsigned commits. This repository enforces [commit signatures](https://docs.github.com/en/authentication/managing-commit-signature-verification) 
+            for all incoming PRs. To get your PR merged, please sign those commits 
+            (`git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}`) and force push them to this branch 
+            (`git push --force-with-lease`)
+
+            For more information on signing commits, see GitHub's documentation on [Telling Git about your signing key](https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key).
+
+      - name: Add needs-signed-commits label
+        if: ${{ failure() }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr edit $PR_URL --add-label needs-signed-commits

.yarnrc.yml

@@ -9,4 +9,8 @@ npmMinimalAgeGate: 10080
 npmPreapprovedPackages:
   - "@electron/*"
 
+httpProxy: "${HTTP_PROXY:-}"
+
+httpsProxy: "${HTTPS_PROXY:-}"
+
 yarnPath: .yarn/releases/yarn-4.12.0.cjs

DEPS

@@ -2,9 +2,9 @@ gclient_gn_args_from = 'src'
 
 vars = {
   'chromium_version':
-    '144.0.7559.225',
+    '144.0.7559.236',
   'node_version':
-    'v24.14.0',
+    'v24.14.1',
   'nan_version':
     '675cefebca42410733da8a454c8d9391fcebfbc2',
   'squirrel.mac_version':

build/args/all.gn

@@ -51,9 +51,6 @@ is_cfi = false
 use_qt5 = false
 use_qt6 = false
 
-# Disables the builtins PGO for V8
-v8_builtins_profiling_log_file = ""
-
 # https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md
 # TODO(vertedinde): hunt down dangling pointers on Linux
 enable_dangling_raw_ptr_checks = false

default_app/main.ts

@@ -255,7 +255,7 @@ async function startRepl () {
 if (option.file && !option.webdriver) {
   const file = option.file;
   // eslint-disable-next-line n/no-deprecated-api
-  const protocol = url.parse(file).protocol;
+  const protocol = URL.canParse(file) ? new URL(file).protocol : null;
   const extension = path.extname(file);
   if (protocol === 'http:' || protocol === 'https:' || protocol === 'file:' || protocol === 'chrome:') {
     await loadApplicationByURL(file);

docs/api/desktop-capturer.md

@@ -94,7 +94,7 @@ The `desktopCapturer` module has the following methods:
 Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`DesktopCapturerSource`](structures/desktop-capturer-source.md) objects, each `DesktopCapturerSource` represents a screen or an individual window that can be captured.
 
 > [!NOTE]
-
+<!-- markdownlint-disable-next-line MD032 -->
 > * Capturing audio requires `NSAudioCaptureUsageDescription` Info.plist key on macOS 14.2 Sonoma and higher - [read more](#macos-versions-142-or-higher).
 > * Capturing the screen contents requires user consent on macOS 10.15 Catalina or higher, which can detected by [`systemPreferences.getMediaAccessStatus`][].
 
@@ -109,30 +109,41 @@ Returns `Promise<DesktopCapturerSource[]>` - Resolves with an array of [`Desktop
 
 PipeWire supports a single capture for both screens and windows. If you request the window and screen type, the selected source will be returned as a window capture.
 
----
+### macOS versions 14.2 or higher
 
-### MacOS versions 14.2 or higher
-
-`NSAudioCaptureUsageDescription` Info.plist key must be added in-order for audio to be captured by `desktopCapturer`. If instead you are running electron from another program like a terminal or IDE then that parent program must contain the Info.plist key.
+`NSAudioCaptureUsageDescription` Info.plist key must be added in order for audio to be captured by
+`desktopCapturer`. If instead you are running Electron from another program like a terminal or IDE
+then that parent program must contain the Info.plist key.
 
 This is in order to facillitate use of Apple's new [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps#Configure-the-sample-code-project) by Chromium.
 
 > [!WARNING]
-> Failure of `desktopCapturer` to start an audio stream due to `NSAudioCaptureUsageDescription` permission not present will still create a dead audio stream however no warnings or errors are displayed.
+> Failure of `desktopCapturer` to start an audio stream due to `NSAudioCaptureUsageDescription`
+> permission not present will still create a dead audio stream however no warnings or errors are
+> displayed.
 
-As of electron `v39.0.0-beta.4` Chromium [made Apple's new `CoreAudio Tap API` the default](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e) for desktop audio capture. There is no fallback to the older `Screen & System Audio Recording` permissions system even if [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps) stream creation fails.
+As of Electron `v39.0.0-beta.4`, Chromium [made Apple's new `CoreAudio Tap API` the default](https://source.chromium.org/chromium/chromium/src/+/ad17e8f8b93d5f34891b06085d373a668918255e)
+for desktop audio capture. There is no fallback to the older `Screen & System Audio Recording`
+permissions system even if [CoreAudio Tap API](https://developer.apple.com/documentation/CoreAudio/capturing-system-audio-with-core-audio-taps) stream creation fails.
 
-If you need to continue using `Screen & System Audio Recording` permissions for `desktopCapturer` on macOS versions 14.2 and later, you can apply a chromium feature flag to force use of that older permissions system:
+If you need to continue using `Screen & System Audio Recording` permissions for `desktopCapturer`
+on macOS versions 14.2 and later, you can apply a Chromium feature flag to force use of that older
+permissions system:
 
 ```js
 // main.js (right beneath your require/import statments)
 app.commandLine.appendSwitch('disable-features', 'MacCatapLoopbackAudioForScreenShare')
 ```
 
----
+### macOS versions 12.7.6 or lower
 
-### MacOS versions 12.7.6 or lower
+`navigator.mediaDevices.getUserMedia` does not work on macOS versions 12.7.6 and prior for audio
+capture due to a fundamental limitation whereby apps that want to access the system's audio require
+a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html).
+Chromium, and by extension Electron, does not provide this. Only in macOS 13 and onwards does Apple
+provide APIs to capture desktop audio without the need for a signed kernel extension.
 
-`navigator.mediaDevices.getUserMedia` does not work on macOS versions 12.7.6 and prior for audio capture due to a fundamental limitation whereby apps that want to access the system's audio require a [signed kernel extension](https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html). Chromium, and by extension Electron, does not provide this. Only in macOS 13 and onwards does Apple provide APIs to capture desktop audio without the need for a signed kernel extension.
-
-It is possible to circumvent this limitation by capturing system audio with another macOS app like [BlackHole](https://existential.audio/blackhole/) or [Soundflower](https://rogueamoeba.com/freebies/soundflower/) and passing it through a virtual audio input device. This virtual device can then be queried with `navigator.mediaDevices.getUserMedia`.
+It is possible to circumvent this limitation by capturing system audio with another macOS app like
+[BlackHole](https://existential.audio/blackhole/) or [Soundflower](https://rogueamoeba.com/freebies/soundflower/)
+and passing it through a virtual audio input device. This virtual device can then be queried
+with `navigator.mediaDevices.getUserMedia`.

docs/api/notification.md

@@ -111,7 +111,8 @@ app.whenReady().then(() => {
 
 Returns:
 
-* `event` Event
+* `details` Event\<\>
+  * `reason` _Windows_ string (optional) - The reason the notification was closed. This can be 'userCanceled', 'applicationHidden', or 'timedOut'.
 
 Emitted when the notification is closed by manual intervention from the user.
 

docs/api/screen.md

@@ -110,6 +110,8 @@ Returns [`Point`](structures/point.md)
 
 The current absolute position of the mouse pointer.
 
+Not supported on Wayland (Linux).
+
 > [!NOTE]
 > The return value is a DIP point, not a screen physical point.
 

docs/tutorial/electron-timelines.md

@@ -7,47 +7,7 @@ check out our [Electron Versioning](./electron-versioning.md) doc.
 
 ## Timeline
 
-| Electron | Alpha | Beta | Stable | EOL | Chrome | Node | Supported |
-| ------- | ----- | ------- | ------ | ------ | ---- | ---- | ---- |
-| 40.0.0 |  2025-Oct-30 | 2025-Dec-03 | 2026-Jan-13 | 2026-Jun-30 | M144 | TBD | ✅ |
-| 39.0.0 |  2025-Sep-04 | 2025-Oct-01 | 2025-Oct-28 | 2026-May-05 | M142 | v22.20 | ✅ |
-| 38.0.0 |  2025-Jun-26 | 2025-Aug-06 | 2025-Sep-02 | 2026-Mar-10 | M140 | v22.18 | ✅ |
-| 37.0.0 |  2025-May-01 | 2025-May-28 | 2025-Jun-24 | 2026-Jan-13 | M138 | v22.16 | ✅ |
-| 36.0.0 |  2025-Mar-06 | 2025-Apr-02 | 2025-Apr-29 | 2025-Oct-28 | M136 | v22.14 | 🚫 |
-| 35.0.0 |  2025-Jan-16 | 2025-Feb-05 | 2025-Mar-04 | 2025-Sep-02 | M134 | v22.14 | 🚫 |
-| 34.0.0 |  2024-Oct-17 | 2024-Nov-13 | 2025-Jan-14 | 2025-Jun-24 | M132 | v20.18 | 🚫 |
-| 33.0.0 |  2024-Aug-22 | 2024-Sep-18 | 2024-Oct-15 | 2025-Apr-29 | M130 | v20.18 | 🚫 |
-| 32.0.0 |  2024-Jun-14 | 2024-Jul-24 | 2024-Aug-20 | 2025-Mar-04 | M128 | v20.16 | 🚫 |
-| 31.0.0 |  2024-Apr-18 | 2024-May-15 | 2024-Jun-11 | 2025-Jan-14 | M126 | v20.14 | 🚫 |
-| 30.0.0 |  2024-Feb-22 | 2024-Mar-20 | 2024-Apr-16 | 2024-Oct-15 | M124 | v20.11 | 🚫 |
-| 29.0.0 |  2023-Dec-07 | 2024-Jan-24 | 2024-Feb-20 | 2024-Aug-20 | M122 | v20.9 | 🚫 |
-| 28.0.0 |  2023-Oct-11 | 2023-Nov-06 | 2023-Dec-05 | 2024-Jun-11 | M120 | v18.18 | 🚫 |
-| 27.0.0 |  2023-Aug-17 | 2023-Sep-13 | 2023-Oct-10 | 2024-Apr-16 | M118 | v18.17 | 🚫 |
-| 26.0.0 | 2023-Jun-01 | 2023-Jun-27 | 2023-Aug-15 | 2024-Feb-20 | M116 | v18.16 | 🚫 |
-| 25.0.0 | 2023-Apr-10 | 2023-May-02 | 2023-May-30 | 2023-Dec-05 | M114 | v18.15 | 🚫 |
-| 24.0.0 | 2023-Feb-09 | 2023-Mar-07 | 2023-Apr-04 | 2023-Oct-10 | M112 | v18.14 | 🚫 |
-| 23.0.0 | 2022-Dec-01 | 2023-Jan-10 | 2023-Feb-07 | 2023-Aug-15 | M110 | v18.12 | 🚫 |
-| 22.0.0 | 2022-Sep-29 | 2022-Oct-25 | 2022-Nov-29 | 2023-Oct-10 | M108 | v16.17 | 🚫 |
-| 21.0.0 | 2022-Aug-04 | 2022-Aug-30 | 2022-Sep-27 | 2023-Apr-04 | M106 | v16.16 | 🚫 |
-| 20.0.0 | 2022-May-26 | 2022-Jun-21 | 2022-Aug-02 | 2023-Feb-07 | M104 | v16.15 | 🚫 |
-| 19.0.0 | 2022-Mar-31 | 2022-Apr-26 | 2022-May-24 | 2022-Nov-29 | M102 | v16.14 | 🚫 |
-| 18.0.0 | 2022-Feb-03 | 2022-Mar-03 | 2022-Mar-29 | 2022-Sep-27 | M100 | v16.13 | 🚫 |
-| 17.0.0 | 2021-Nov-18 | 2022-Jan-06 | 2022-Feb-01 | 2022-Aug-02 | M98 | v16.13 | 🚫 |
-| 16.0.0 | 2021-Sep-23 | 2021-Oct-20 | 2021-Nov-16 | 2022-May-24 | M96 | v16.9 | 🚫 |
-| 15.0.0 | 2021-Jul-20 | 2021-Sep-01 | 2021-Sep-21 | 2022-May-24 | M94 | v16.5 | 🚫 |
-| 14.0.0 | -- | 2021-May-27 | 2021-Aug-31 | 2022-Mar-29 | M93 | v14.17 | 🚫 |
-| 13.0.0 | -- | 2021-Mar-04 | 2021-May-25 | 2022-Feb-01 | M91 | v14.16 | 🚫 |
-| 12.0.0 | -- | 2020-Nov-19 | 2021-Mar-02 | 2021-Nov-16 | M89 | v14.16 | 🚫 |
-| 11.0.0 | -- | 2020-Aug-27 | 2020-Nov-17 | 2021-Aug-31 | M87 | v12.18 | 🚫 |
-| 10.0.0 | -- | 2020-May-21 | 2020-Aug-25 | 2021-May-25 | M85 | v12.16 | 🚫 |
-| 9.0.0 | -- | 2020-Feb-06 | 2020-May-19 | 2021-Mar-02 | M83 | v12.14 | 🚫 |
-| 8.0.0 | -- | 2019-Oct-24 | 2020-Feb-04 | 2020-Nov-17 | M80 | v12.13 | 🚫 |
-| 7.0.0 | -- | 2019-Aug-01 | 2019-Oct-22 | 2020-Aug-25 | M78 | v12.8 | 🚫 |
-| 6.0.0 | -- | 2019-Apr-25 | 2019-Jul-30 | 2020-May-19 | M76 | v12.14.0 | 🚫 |
-| 5.0.0 | -- | 2019-Jan-22 | 2019-Apr-23 | 2020-Feb-04 | M73 | v12.0 | 🚫 |
-| 4.0.0 | -- | 2018-Oct-11 | 2018-Dec-20 | 2019-Oct-22 | M69 | v10.11 | 🚫 |
-| 3.0.0 | -- | 2018-Jun-21 | 2018-Sep-18 | 2019-Jul-30 | M66 | v10.2 | 🚫 |
-| 2.0.0 | -- | 2018-Feb-21 | 2018-May-01 | 2019-Apr-23 | M61 | v8.9 | 🚫 |
+[Electron's Release Schedule](https://releases.electronjs.org/schedule) lists a schedule of Electron major releases showing key milestones including alpha, beta, and stable release dates, as well as end-of-life dates and dependency versions.
 
 :::info Official support dates may change
 

filenames.gni

@@ -115,6 +115,8 @@ filenames = {
     "shell/browser/win/scoped_hstring.h",
     "shell/common/api/electron_api_native_image_win.cc",
     "shell/common/application_info_win.cc",
+    "shell/common/command_line_util_win.cc",
+    "shell/common/command_line_util_win.h",
     "shell/common/language_util_win.cc",
     "shell/common/node_bindings_win.cc",
     "shell/common/node_bindings_win.h",

lib/browser/api/power-monitor.ts

@@ -8,13 +8,19 @@ const {
   isOnBatteryPower
 } = process._linkedBinding('electron_browser_power_monitor');
 
+// Hold the native PowerMonitor at module level so it is never garbage-collected
+// while this module is alive. The C++ side registers OS-level callbacks (HWND
+// user-data on Windows, shutdown handler on macOS, notification observers) that
+// prevent safe collection of the C++ wrapper while those registrations exist.
+let pm: any;
+
 class PowerMonitor extends EventEmitter implements Electron.PowerMonitor {
   constructor () {
     super();
     // Don't start the event source until both a) the app is ready and b)
     // there's a listener registered for a powerMonitor event.
     this.once('newListener', () => {
-      const pm = createPowerMonitor();
+      pm = createPowerMonitor();
       pm.emit = this.emit.bind(this);
 
       if (process.platform === 'linux') {

lib/browser/api/web-contents.ts

@@ -777,8 +777,7 @@ WebContents.prototype._init = function () {
   const originCounts = new Map<string, number>();
   const openDialogs = new Set<AbortController>();
   this.on('-run-dialog', async (info, callback) => {
-    const originUrl = new URL(info.frame.url);
-    const origin = originUrl.protocol === 'file:' ? originUrl.href : originUrl.origin;
+    const origin = info.frame.origin === 'file://' ? info.frame.url : info.frame.origin;
     if ((originCounts.get(origin) ?? 0) < 0) return callback(false, '');
 
     const prefs = this.getLastWebPreferences();

lib/browser/guest-window-manager.ts

@@ -17,11 +17,6 @@ export type WindowOpenArgs = {
   features: string,
 }
 
-const frameNamesToWindow = new Map<string, WebContents>();
-const registerFrameNameToGuestWindow = (name: string, webContents: WebContents) => frameNamesToWindow.set(name, webContents);
-const unregisterFrameName = (name: string) => frameNamesToWindow.delete(name);
-const getGuestWebContentsByFrameName = (name: string) => frameNamesToWindow.get(name);
-
 /**
  * `openGuestWindow` is called to create and setup event handling for the new
  * window.
@@ -47,20 +42,6 @@ export function openGuestWindow ({ embedder, guest, referrer, disposition, postD
     ...overrideBrowserWindowOptions
   };
 
-  // To spec, subsequent window.open calls with the same frame name (`target` in
-  // spec parlance) will reuse the previous window.
-  // https://html.spec.whatwg.org/multipage/window-object.html#apis-for-creating-and-navigating-browsing-contexts-by-name
-  const existingWebContents = getGuestWebContentsByFrameName(frameName);
-  if (existingWebContents) {
-    if (existingWebContents.isDestroyed()) {
-      // FIXME(t57ser): The webContents is destroyed for some reason, unregister the frame name
-      unregisterFrameName(frameName);
-    } else {
-      existingWebContents.loadURL(url);
-      return;
-    }
-  }
-
   if (createWindow) {
     const webContents = createWindow({
       webContents: guest,
@@ -72,7 +53,7 @@ export function openGuestWindow ({ embedder, guest, referrer, disposition, postD
         throw new Error('Invalid webContents. Created window should be connected to webContents passed with options object.');
       }
 
-      handleWindowLifecycleEvents({ embedder, frameName, guest, outlivesOpener });
+      handleWindowLifecycleEvents({ embedder, guest, outlivesOpener });
     }
 
     return;
@@ -96,7 +77,7 @@ export function openGuestWindow ({ embedder, guest, referrer, disposition, postD
     });
   }
 
-  handleWindowLifecycleEvents({ embedder, frameName, guest: window.webContents, outlivesOpener });
+  handleWindowLifecycleEvents({ embedder, guest: window.webContents, outlivesOpener });
 
   embedder.emit('did-create-window', window, { url, frameName, options: browserWindowOptions, disposition, referrer, postData });
 }
@@ -107,10 +88,9 @@ export function openGuestWindow ({ embedder, guest, referrer, disposition, postD
  * too is the guest destroyed; this is Electron convention and isn't based in
  * browser behavior.
  */
-const handleWindowLifecycleEvents = function ({ embedder, guest, frameName, outlivesOpener }: {
+const handleWindowLifecycleEvents = function ({ embedder, guest, outlivesOpener }: {
   embedder: WebContents,
   guest: WebContents,
-  frameName: string,
   outlivesOpener: boolean
 }) {
   const closedByEmbedder = function () {
@@ -128,13 +108,6 @@ const handleWindowLifecycleEvents = function ({ embedder, guest, frameName, outl
     embedder.once('current-render-view-deleted' as any, closedByEmbedder);
   }
   guest.once('destroyed', closedByUser);
-
-  if (frameName) {
-    registerFrameNameToGuestWindow(frameName, guest);
-    guest.once('destroyed', function () {
-      unregisterFrameName(frameName);
-    });
-  }
 };
 
 // Security options that child windows will always inherit from parent windows

lib/browser/ipc-main-internal-utils.ts

@@ -19,8 +19,8 @@ export function invokeInWebContents<T> (sender: Electron.WebContents, command: s
     const requestId = ++nextId;
     const channel = `${command}_RESPONSE_${requestId}`;
     ipcMainInternal.on(channel, function handler (event, error: Error, result: any) {
-      if (event.type === 'frame' && event.sender !== sender) {
-        console.error(`Reply to ${command} sent by unexpected WebContents (${event.sender.id})`);
+      if (event.type !== 'frame' || event.sender !== sender) {
+        console.error(`Reply to ${command} sent by unexpected sender`);
         return;
       }
 
@@ -43,8 +43,8 @@ export function invokeInWebFrameMain<T> (sender: Electron.WebFrameMain, command:
     const channel = `${command}_RESPONSE_${requestId}`;
     const frameTreeNodeId = sender.frameTreeNodeId;
     ipcMainInternal.on(channel, function handler (event, error: Error, result: any) {
-      if (event.type === 'frame' && event.frameTreeNodeId !== frameTreeNodeId) {
-        console.error(`Reply to ${command} sent by unexpected WebFrameMain (${event.frameTreeNodeId})`);
+      if (event.type !== 'frame' || event.frameTreeNodeId !== frameTreeNodeId) {
+        console.error(`Reply to ${command} sent by unexpected sender`);
         return;
       }
 

lib/common/api/net-client-request.ts

@@ -227,10 +227,9 @@ function validateHeader (name: any, value: any): void {
 }
 
 function parseOptions (optionsIn: ClientRequestConstructorOptions | string): NodeJS.CreateURLLoaderOptions & ExtraURLLoaderOptions {
-  // eslint-disable-next-line n/no-deprecated-api
-  const options: any = typeof optionsIn === 'string' ? url.parse(optionsIn) : { ...optionsIn };
+  const options: any = typeof optionsIn === 'string' ? new URL(optionsIn) : { ...optionsIn };
 
-  let urlStr: string = options.url;
+  let urlStr: string = options.url || options.href;
 
   if (!urlStr) {
     const urlObj: url.UrlObject = {};
@@ -260,8 +259,8 @@ function parseOptions (optionsIn: ClientRequestConstructorOptions | string): Nod
       // an invalid request.
       throw new TypeError('Request path contains unescaped characters');
     }
-    // eslint-disable-next-line n/no-deprecated-api
-    const pathObj = url.parse(options.path || '/');
+
+    const pathObj = new URL(options.path || '/', 'http://localhost');
     urlObj.pathname = pathObj.pathname;
     urlObj.search = pathObj.search;
     urlObj.hash = pathObj.hash;

lib/node/asar-fs-wrapper.ts

@@ -1232,6 +1232,8 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
   // has filesystem caching.
   overrideAPI(fs, 'copyFile');
   overrideAPISync(fs, 'copyFileSync');
+  overrideAPI(fs, 'cp');
+  overrideAPISync(fs, 'cpSync');
 
   overrideAPI(fs, 'open');
   overrideAPISync(process, 'dlopen', 1);

lib/renderer/api/context-bridge.ts

@@ -23,11 +23,14 @@ export default contextBridge;
 
 export const internalContextBridge = {
   contextIsolationEnabled: process.contextIsolated,
+  tryOverrideGlobalValueFromIsolatedWorld: (keys: string[], value: any) => {
+    return binding._overrideGlobalValueFromIsolatedWorld(keys, value, true, true);
+  },
   overrideGlobalValueFromIsolatedWorld: (keys: string[], value: any) => {
-    return binding._overrideGlobalValueFromIsolatedWorld(keys, value, false);
+    return binding._overrideGlobalValueFromIsolatedWorld(keys, value, false, false);
   },
   overrideGlobalValueWithDynamicPropsFromIsolatedWorld: (keys: string[], value: any) => {
-    return binding._overrideGlobalValueFromIsolatedWorld(keys, value, true);
+    return binding._overrideGlobalValueFromIsolatedWorld(keys, value, true, false);
   },
   overrideGlobalPropertyFromIsolatedWorld: (keys: string[], getter: Function, setter?: Function) => {
     return binding._overrideGlobalPropertyFromIsolatedWorld(keys, getter, setter || null);

lib/renderer/inspector.ts

@@ -11,14 +11,12 @@ const { contextIsolationEnabled } = internalContextBridge;
 * 1) Use menu API to show context menu.
 */
 window.onload = function () {
-  if (window.InspectorFrontendHost) {
-    if (contextIsolationEnabled) {
-      internalContextBridge.overrideGlobalValueFromIsolatedWorld([
-        'InspectorFrontendHost', 'showContextMenuAtPoint'
-      ], createMenu);
-    } else {
-      window.InspectorFrontendHost.showContextMenuAtPoint = createMenu;
-    }
+  if (contextIsolationEnabled) {
+    internalContextBridge.tryOverrideGlobalValueFromIsolatedWorld([
+      'InspectorFrontendHost', 'showContextMenuAtPoint'
+    ], createMenu);
+  } else {
+    window.InspectorFrontendHost!.showContextMenuAtPoint = createMenu;
   }
 };
 

patches/angle/.patches

@@ -0,0 +1 @@
+optionally_validate_gl_max_uniform_blocks_at_compile_time.patch

patches/angle/optionally_validate_gl_max_uniform_blocks_at_compile_time.patch

@@ -0,0 +1,376 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Geoff Lang <geofflang@chromium.org>
+Date: Wed, 11 Feb 2026 15:51:46 -0500
+Subject: Optionally validate GL_MAX_*_UNIFORM_BLOCKS at compile time.
+
+These were validated at link time but some drivers have compiler crashes
+when compiling shaders with too many uniform blocks.
+
+Bug: chromium:475877320
+Change-Id: I4413ce06307b4fe9e27105d85f66f610c235a301
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/7568089
+Commit-Queue: Geoff Lang <geofflang@chromium.org>
+Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
+
+diff --git a/include/GLSLANG/ShaderLang.h b/include/GLSLANG/ShaderLang.h
+index 90b1239689c98a8c94f8c6f57d572268a4450923..81445ade5f2285d52a6b83bfc574c0fa56d4a0da 100644
+--- a/include/GLSLANG/ShaderLang.h
++++ b/include/GLSLANG/ShaderLang.h
+@@ -26,7 +26,7 @@
+ 
+ // Version number for shader translation API.
+ // It is incremented every time the API changes.
+-#define ANGLE_SH_VERSION 386
++#define ANGLE_SH_VERSION 387
+ 
+ enum ShShaderSpec
+ {
+@@ -383,6 +383,10 @@ struct ShCompileOptions
+ 
+     uint64_t forceShaderPrecisionHighpToMediump : 1;
+ 
++    // Validate that the count of uniform blocks is within the GL_MAX_*_UNIFORM_BLOCKS limits. These
++    // limits must be supplied in the BuiltinResources.
++    uint64_t validatePerStageMaxUniformBlocks : 1;
++
+     // Ask compiler to generate Vulkan transform feedback emulation support code.
+     uint64_t addVulkanXfbEmulationSupportCode : 1;
+ 
+@@ -584,6 +588,12 @@ struct ShBuiltInResources
+     int MinProgramTexelOffset;
+     int MaxProgramTexelOffset;
+ 
++    // GL_MAX_FRAGMENT_UNIFORM_BLOCKS
++    int MaxFragmentUniformBlocks;
++
++    // GL_MAX_VERTEX_UNIFORM_BLOCKS
++    int MaxVertexUniformBlocks;
++
+     // Extension constants.
+ 
+     // Value of GL_MAX_DUAL_SOURCE_DRAW_BUFFERS_EXT for OpenGL ES output context.
+@@ -701,6 +711,9 @@ struct ShBuiltInResources
+     // maximum point size (higher limit from ALIASED_POINT_SIZE_RANGE)
+     float MaxPointSize;
+ 
++    // GL_MAX_COMPUTE_UNIFORM_BLOCKS
++    int MaxComputeUniformBlocks;
++
+     // EXT_geometry_shader constants
+     int MaxGeometryUniformComponents;
+     int MaxGeometryUniformBlocks;
+@@ -724,6 +737,7 @@ struct ShBuiltInResources
+     int MaxTessControlImageUniforms;
+     int MaxTessControlAtomicCounters;
+     int MaxTessControlAtomicCounterBuffers;
++    int MaxTessControlUniformBlocks;
+ 
+     int MaxTessPatchComponents;
+     int MaxPatchVertices;
+@@ -736,6 +750,7 @@ struct ShBuiltInResources
+     int MaxTessEvaluationImageUniforms;
+     int MaxTessEvaluationAtomicCounters;
+     int MaxTessEvaluationAtomicCounterBuffers;
++    int MaxTessEvaluationUniformBlocks;
+ 
+     // Subpixel bits used in rasterization.
+     int SubPixelBits;
+diff --git a/include/platform/autogen/FeaturesGL_autogen.h b/include/platform/autogen/FeaturesGL_autogen.h
+index a732a77d66ec2fad9677d500d8f0ae3d0d92c454..f0b391dfbc4d238df458b334951371429fd496a4 100644
+--- a/include/platform/autogen/FeaturesGL_autogen.h
++++ b/include/platform/autogen/FeaturesGL_autogen.h
+@@ -638,6 +638,12 @@ struct FeaturesGL : FeatureSetBase
+         &members,
+     };
+ 
++    FeatureInfo validateMaxPerStageUniformBlocksAtCompileTime = {
++        "validateMaxPerStageUniformBlocksAtCompileTime",
++        FeatureCategory::OpenGLWorkarounds,
++        &members,
++    };
++
+ };
+ 
+ inline FeaturesGL::FeaturesGL()  = default;
+diff --git a/include/platform/gl_features.json b/include/platform/gl_features.json
+index e993768974e63d19bf4b71702fe9725aa97ea2fb..03454778c2acfd10c2a3762ef6ad1e9eb0fc7bb2 100644
+--- a/include/platform/gl_features.json
++++ b/include/platform/gl_features.json
+@@ -828,6 +828,14 @@
+                 "Some ES2 Mali drivers are unable to query enough information from a linked program to use passthrough shaders."
+             ],
+             "issue": "https://crbug.com/451796659"
++        },
++        {
++            "name": "validate_max_per_stage_uniform_blocks_at_compile_time",
++            "category": "Workarounds",
++            "description": [
++                "Validate GL_MAX_*_UNIFORM_BLOCKS at compile time instead of link time to work around compiler bugs."
++            ],
++            "issue": "http://crbug.com/475877320"
+         }
+     ]
+ }
+diff --git a/src/compiler/translator/Compiler.cpp b/src/compiler/translator/Compiler.cpp
+index 7e36dc2cd24a5d0a3a1a009a1171684e4dfe62e5..aae0f1008d573a55e822c10cf02149b8ccef6055 100644
+--- a/src/compiler/translator/Compiler.cpp
++++ b/src/compiler/translator/Compiler.cpp
+@@ -1563,6 +1563,8 @@ void TCompiler::setResourceString()
+         << ":MaxFragmentInputVectors:" << mResources.MaxFragmentInputVectors
+         << ":MinProgramTexelOffset:" << mResources.MinProgramTexelOffset
+         << ":MaxProgramTexelOffset:" << mResources.MaxProgramTexelOffset
++        << ":MaxFragmentUniformBlocks:" << mResources.MaxFragmentUniformBlocks
++        << ":MaxVertexUniformBlocks:" << mResources.MaxVertexUniformBlocks
+         << ":MaxDualSourceDrawBuffers:" << mResources.MaxDualSourceDrawBuffers
+         << ":MaxViewsOVR:" << mResources.MaxViewsOVR
+         << ":NV_draw_buffers:" << mResources.NV_draw_buffers
+@@ -1612,6 +1614,7 @@ void TCompiler::setResourceString()
+         << ":MaxFragmentAtomicCounterBuffers:" << mResources.MaxFragmentAtomicCounterBuffers
+         << ":MaxCombinedAtomicCounterBuffers:" << mResources.MaxCombinedAtomicCounterBuffers
+         << ":MaxAtomicCounterBufferSize:" << mResources.MaxAtomicCounterBufferSize
++        << ":MaxComputeUnformBlocks:" << mResources.MaxComputeUniformBlocks
+         << ":MaxGeometryUniformComponents:" << mResources.MaxGeometryUniformComponents
+         << ":MaxGeometryUniformBlocks:" << mResources.MaxGeometryUniformBlocks
+         << ":MaxGeometryInputComponents:" << mResources.MaxGeometryInputComponents
+@@ -1635,6 +1638,7 @@ void TCompiler::setResourceString()
+         << ":MaxTessControlImageUniforms:" << mResources.MaxTessControlImageUniforms
+         << ":MaxTessControlAtomicCounters:" << mResources.MaxTessControlAtomicCounters
+         << ":MaxTessControlAtomicCounterBuffers:" << mResources.MaxTessControlAtomicCounterBuffers
++        << ":MaxTessControlUniformBlocks:" << mResources.MaxTessControlUniformBlocks
+         << ":MaxTessPatchComponents:" << mResources.MaxTessPatchComponents
+         << ":MaxPatchVertices:" << mResources.MaxPatchVertices
+         << ":MaxTessGenLevel:" << mResources.MaxTessGenLevel
+@@ -1644,7 +1648,9 @@ void TCompiler::setResourceString()
+         << ":MaxTessEvaluationUniformComponents:" << mResources.MaxTessEvaluationUniformComponents
+         << ":MaxTessEvaluationImageUniforms:" << mResources.MaxTessEvaluationImageUniforms
+         << ":MaxTessEvaluationAtomicCounters:" << mResources.MaxTessEvaluationAtomicCounters
+-        << ":MaxTessEvaluationAtomicCounterBuffers:" << mResources.MaxTessEvaluationAtomicCounterBuffers;
++        << ":MaxTessEvaluationAtomicCounterBuffers:" << mResources.MaxTessEvaluationAtomicCounterBuffers
++        << ":MaxTessControlUniformBlocks:" << mResources.MaxTessControlUniformBlocks
++    ;
+     // clang-format on
+ 
+     mBuiltInResourcesString = strstream.str();
+diff --git a/src/compiler/translator/ParseContext.cpp b/src/compiler/translator/ParseContext.cpp
+index a8a5e562b2006402e1473c8c6710d75d7c83c42f..e04d27fe695caba55bb29f94c7425d4ecc3d2344 100644
+--- a/src/compiler/translator/ParseContext.cpp
++++ b/src/compiler/translator/ParseContext.cpp
+@@ -367,6 +367,37 @@ bool IsESSL100ConstantExpression(TIntermNode *node)
+ {
+     return node->getAsConstantUnion() != nullptr && node->getAsTyped()->getQualifier() == EvqConst;
+ }
++
++unsigned int GetMaxUniformBlocksForShaderType(sh::GLenum shaderType,
++                                              const ShCompileOptions &options,
++                                              const ShBuiltInResources &resources)
++{
++    // If the validatePerStageMaxUniformBlocks workaround is disabled. Set a limit that will not be
++    // hit.
++    if (!options.validatePerStageMaxUniformBlocks)
++    {
++        return std::numeric_limits<unsigned int>::max();
++    }
++
++    switch (shaderType)
++    {
++        case GL_FRAGMENT_SHADER:
++            return resources.MaxFragmentUniformBlocks;
++        case GL_VERTEX_SHADER:
++            return resources.MaxVertexUniformBlocks;
++        case GL_COMPUTE_SHADER:
++            return resources.MaxComputeUniformBlocks;
++        case GL_GEOMETRY_SHADER:
++            return resources.MaxGeometryUniformBlocks;
++        case GL_TESS_CONTROL_SHADER:
++            return resources.MaxTessControlUniformBlocks;
++        case GL_TESS_EVALUATION_SHADER:
++            return resources.MaxTessEvaluationUniformBlocks;
++        default:
++            UNREACHABLE();
++            return 0;
++    }
++}
+ }  // namespace
+ 
+ // This tracks each binding point's current default offset for inheritance of subsequent
+@@ -459,6 +490,8 @@ TParseContext::TParseContext(TSymbolTable &symt,
+       mMaxPixelLocalStoragePlanes(resources.MaxPixelLocalStoragePlanes),
+       mMaxFunctionParameters(resources.MaxFunctionParameters),
+       mMaxCallStackDepth(resources.MaxCallStackDepth),
++      mMaxUniformBlocks(GetMaxUniformBlocksForShaderType(mShaderType, options, resources)),
++      mNumUniformBlocks(0),
+       mDeclaringFunction(false),
+       mDeclaringMain(false),
+       mMainFunction(nullptr),
+@@ -6082,6 +6115,22 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
+         error(arraySizesLine, "geometry shader input blocks must be an array", "");
+     }
+ 
++    // Validate max uniform block limits
++    if (typeQualifier.qualifier == EvqUniform)
++    {
++        unsigned int blockCount =
++            arraySizes == nullptr || arraySizes->empty() ? 1 : (*arraySizes)[0];
++        if (mNumUniformBlocks + blockCount > mMaxUniformBlocks)
++        {
++            error(arraySizesLine,
++                  "uniform block count greater than per stage maximum uniform blocks", "");
++        }
++        else
++        {
++            mNumUniformBlocks += blockCount;
++        }
++    }
++
+     checkIndexIsNotSpecified(typeQualifier.line, typeQualifier.layoutQualifier.index);
+ 
+     if (mShaderVersion < 310)
+diff --git a/src/compiler/translator/ParseContext.h b/src/compiler/translator/ParseContext.h
+index f3d0417dd91cda2226203b9b39c2dc8acc1ac880..baf074bd86fe587a72cd3a431fbf0231d6ebd68c 100644
+--- a/src/compiler/translator/ParseContext.h
++++ b/src/compiler/translator/ParseContext.h
+@@ -910,6 +910,12 @@ class TParseContext : angle::NonCopyable
+     // and there are no known users.
+     TUnorderedMap<TQualifier, bool> mBuiltInQualified;
+ 
++    // Maximum number of uniform blocks allowed to be declared in this shader. Taken from the
++    // built-in resources and resolved to this shader type.
++    unsigned int mMaxUniformBlocks;
++    // Current count of declared uniform blocks.
++    unsigned int mNumUniformBlocks;
++
+     // keeps track whether we are declaring / defining a function
+     bool mDeclaringFunction;
+ 
+diff --git a/src/compiler/translator/ShaderLang.cpp b/src/compiler/translator/ShaderLang.cpp
+index 6044849e6a6392fed77909b45fea475fa4978325..e292cf0403a77f2f70ca9176785fcdad9aac7302 100644
+--- a/src/compiler/translator/ShaderLang.cpp
++++ b/src/compiler/translator/ShaderLang.cpp
+@@ -263,6 +263,8 @@ void InitBuiltInResources(ShBuiltInResources *resources)
+     resources->MaxFragmentInputVectors = 15;
+     resources->MinProgramTexelOffset   = -8;
+     resources->MaxProgramTexelOffset   = 7;
++    resources->MaxFragmentUniformBlocks = 12;
++    resources->MaxVertexUniformBlocks   = 12;
+ 
+     // Extensions constants.
+     resources->MaxDualSourceDrawBuffers = 0;
+@@ -323,6 +325,8 @@ void InitBuiltInResources(ShBuiltInResources *resources)
+     resources->MaxUniformBufferBindings       = 32;
+     resources->MaxShaderStorageBufferBindings = 4;
+ 
++    resources->MaxComputeUniformBlocks = 12;
++
+     resources->MaxGeometryUniformComponents     = 1024;
+     resources->MaxGeometryUniformBlocks         = 12;
+     resources->MaxGeometryInputComponents       = 64;
+@@ -344,6 +348,7 @@ void InitBuiltInResources(ShBuiltInResources *resources)
+     resources->MaxTessControlImageUniforms         = 0;
+     resources->MaxTessControlAtomicCounters        = 0;
+     resources->MaxTessControlAtomicCounterBuffers  = 0;
++    resources->MaxTessControlUniformBlocks         = 12;
+ 
+     resources->MaxTessPatchComponents = 120;
+     resources->MaxPatchVertices       = 32;
+@@ -356,6 +361,7 @@ void InitBuiltInResources(ShBuiltInResources *resources)
+     resources->MaxTessEvaluationImageUniforms        = 0;
+     resources->MaxTessEvaluationAtomicCounters       = 0;
+     resources->MaxTessEvaluationAtomicCounterBuffers = 0;
++    resources->MaxTessEvaluationUniformBlocks        = 12;
+ 
+     resources->SubPixelBits = 8;
+ 
+diff --git a/src/libANGLE/Compiler.cpp b/src/libANGLE/Compiler.cpp
+index 00684c8ed08609a3a4d6ef6f36107756207ed72b..1893b6bddb33fde567162e2e9dbb12785dad538d 100644
+--- a/src/libANGLE/Compiler.cpp
++++ b/src/libANGLE/Compiler.cpp
+@@ -169,6 +169,8 @@ Compiler::Compiler(rx::GLImplFactory *implFactory, const State &state, egl::Disp
+     mResources.MaxFragmentInputVectors = caps.maxFragmentInputComponents / 4;
+     mResources.MinProgramTexelOffset   = caps.minProgramTexelOffset;
+     mResources.MaxProgramTexelOffset   = caps.maxProgramTexelOffset;
++    mResources.MaxFragmentUniformBlocks = caps.maxShaderUniformBlocks[gl::ShaderType::Fragment];
++    mResources.MaxVertexUniformBlocks   = caps.maxShaderUniformBlocks[gl::ShaderType::Vertex];
+ 
+     // EXT_blend_func_extended
+     mResources.EXT_blend_func_extended  = extensions.blendFuncExtendedEXT;
+@@ -211,6 +213,7 @@ Compiler::Compiler(rx::GLImplFactory *implFactory, const State &state, egl::Disp
+     mResources.MaxCombinedImageUniforms         = caps.maxCombinedImageUniforms;
+     mResources.MaxCombinedShaderOutputResources = caps.maxCombinedShaderOutputResources;
+     mResources.MaxUniformLocations              = caps.maxUniformLocations;
++    mResources.MaxComputeUniformBlocks = caps.maxShaderUniformBlocks[gl::ShaderType::Compute];
+ 
+     for (size_t index = 0u; index < 3u; ++index)
+     {
+@@ -280,6 +283,8 @@ Compiler::Compiler(rx::GLImplFactory *implFactory, const State &state, egl::Disp
+     mResources.MaxTessControlAtomicCounters = caps.maxShaderAtomicCounters[ShaderType::TessControl];
+     mResources.MaxTessControlAtomicCounterBuffers =
+         caps.maxShaderAtomicCounterBuffers[ShaderType::TessControl];
++    mResources.MaxTessControlUniformBlocks =
++        caps.maxShaderUniformBlocks[gl::ShaderType::TessControl];
+ 
+     mResources.MaxTessPatchComponents = caps.maxTessPatchComponents;
+     mResources.MaxPatchVertices       = caps.maxPatchVertices;
+@@ -297,6 +302,8 @@ Compiler::Compiler(rx::GLImplFactory *implFactory, const State &state, egl::Disp
+         caps.maxShaderAtomicCounters[ShaderType::TessEvaluation];
+     mResources.MaxTessEvaluationAtomicCounterBuffers =
+         caps.maxShaderAtomicCounterBuffers[ShaderType::TessEvaluation];
++    mResources.MaxTessEvaluationUniformBlocks =
++        caps.maxShaderUniformBlocks[gl::ShaderType::TessEvaluation];
+ 
+     // Subpixel bits.
+     mResources.SubPixelBits = static_cast<int>(caps.subPixelBits);
+diff --git a/src/libANGLE/renderer/gl/ShaderGL.cpp b/src/libANGLE/renderer/gl/ShaderGL.cpp
+index a10d5545f409faa259a464437401980e40b80e33..d8db2a1f92494fd0dbf0cb6011ab9cea989c5b45 100644
+--- a/src/libANGLE/renderer/gl/ShaderGL.cpp
++++ b/src/libANGLE/renderer/gl/ShaderGL.cpp
+@@ -272,6 +272,11 @@ std::shared_ptr<ShaderTranslateTask> ShaderGL::compile(const gl::Context *contex
+         options->pls = contextGL->getNativePixelLocalStorageOptions();
+     }
+ 
++    if (features.validateMaxPerStageUniformBlocksAtCompileTime.enabled)
++    {
++        options->validatePerStageMaxUniformBlocks = true;
++    }
++
+     return std::shared_ptr<ShaderTranslateTask>(
+         new ShaderTranslateTaskGL(functions, mShaderID, contextGL->hasNativeParallelCompile()));
+ }
+diff --git a/src/libANGLE/renderer/gl/renderergl_utils.cpp b/src/libANGLE/renderer/gl/renderergl_utils.cpp
+index d9694c09146dcb34948646df5ca95a4d8b993d9e..e82a10262dc128e55d2357bf9efc67903c30206b 100644
+--- a/src/libANGLE/renderer/gl/renderergl_utils.cpp
++++ b/src/libANGLE/renderer/gl/renderergl_utils.cpp
+@@ -2718,6 +2718,10 @@ void InitializeFeatures(const FunctionsGL *functions, angle::FeaturesGL *feature
+     // Mali 400 series drivers fail linking shaders when passthrough shaders are enabled. Likely due
+     // to not querying correct information from varyings and uniforms.
+     ANGLE_FEATURE_CONDITION(features, disablePassthroughShaders, IsAdreno4xx(functions));
++
++    // IMG GL drivers crash while compiling shaders with more than the limit of uniform blocks.
++    ANGLE_FEATURE_CONDITION(features, validateMaxPerStageUniformBlocksAtCompileTime,
++                            IsPowerVR(vendor));
+ }
+ 
+ void InitializeFrontendFeatures(const FunctionsGL *functions, angle::FrontendFeatures *features)
+diff --git a/util/autogen/angle_features_autogen.cpp b/util/autogen/angle_features_autogen.cpp
+index f38ad24bdce73c1ec5facd1130bdf09f896298ee..c07c7e5fa2d28c50101c77bd856f18158777e276 100644
+--- a/util/autogen/angle_features_autogen.cpp
++++ b/util/autogen/angle_features_autogen.cpp
+@@ -484,6 +484,7 @@ constexpr PackedEnumMap<Feature, const char *> kFeatureNames = {{
+     {Feature::UseVkEventForBufferBarrier, "useVkEventForBufferBarrier"},
+     {Feature::UseVkEventForImageBarrier, "useVkEventForImageBarrier"},
+     {Feature::UseVmaForImageSuballocation, "useVmaForImageSuballocation"},
++    {Feature::ValidateMaxPerStageUniformBlocksAtCompileTime, "validateMaxPerStageUniformBlocksAtCompileTime"},
+     {Feature::VaryingsRequireMatchingPrecisionInSpirv, "varyingsRequireMatchingPrecisionInSpirv"},
+     {Feature::VerifyPipelineCacheInBlobCache, "verifyPipelineCacheInBlobCache"},
+     {Feature::VertexIDDoesNotIncludeBaseVertex, "vertexIDDoesNotIncludeBaseVertex"},
+diff --git a/util/autogen/angle_features_autogen.h b/util/autogen/angle_features_autogen.h
+index 0eef4d53d814db20bb943fcda9e5b1837c371951..e33fd47ac493a3946d87c03a2d6f29b08e2b63aa 100644
+--- a/util/autogen/angle_features_autogen.h
++++ b/util/autogen/angle_features_autogen.h
+@@ -484,6 +484,7 @@ enum class Feature
+     UseVkEventForBufferBarrier,
+     UseVkEventForImageBarrier,
+     UseVmaForImageSuballocation,
++    ValidateMaxPerStageUniformBlocksAtCompileTime,
+     VaryingsRequireMatchingPrecisionInSpirv,
+     VerifyPipelineCacheInBlobCache,
+     VertexIDDoesNotIncludeBaseVertex,

patches/chromium/.patches

@@ -149,3 +149,14 @@ move_wayland_pointer_lock_overrides_to_common_code.patch
 loaf_add_feature_to_enable_sourceurl_for_all_protocols.patch
 fix_update_dbus_signal_signature_for_xdg_globalshortcuts_portal.patch
 patch_osr_control_screen_info.patch
+cherry-pick-12f932985275.patch
+fix_mac_high_res_icons.patch
+cherry-pick-074d472db745.patch
+cherry-pick-50b057660b4d.patch
+cherry-pick-45c5a70d984d.patch
+cherry-pick-05e4b544803c.patch
+cherry-pick-5efc7a0127a6.patch
+feat_plumb_node_integration_in_worker_through_workersettings.patch
+cherry-pick-fbfb27470bf6.patch
+fix_fire_menu_popup_start_for_dynamically_created_aria_menus.patch
+fix_out-of-bounds_read_in_diff_rulesets.patch

patches/chromium/can_create_window.patch

@@ -9,10 +9,10 @@ potentially prevent a window from being created.
 TODO(loc): this patch is currently broken.
 
 diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
-index edaf9a7b2efc5ed7f4e946d720de54d5001f44d4..7d27b076c1947d2cd08364f87286ed6d9f460cdc 100644
+index ce64151028cc30c81292326ee73126cb8415aec5..3feca12a6185afef139a0cb4a8148b5a3ca9e32f 100644
 --- a/content/browser/renderer_host/render_frame_host_impl.cc
 +++ b/content/browser/renderer_host/render_frame_host_impl.cc
-@@ -9867,6 +9867,7 @@ void RenderFrameHostImpl::CreateNewWindow(
+@@ -9868,6 +9868,7 @@ void RenderFrameHostImpl::CreateNewWindow(
            last_committed_origin_, params->window_container_type,
            params->target_url, params->referrer.To<Referrer>(),
            params->frame_name, params->disposition, *params->features,

patches/chromium/cherry-pick-05e4b544803c.patch

@@ -0,0 +1,204 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Anders Hartvoll Ruud <andruud@chromium.org>
+Date: Wed, 25 Feb 2026 03:24:31 -0800
+Subject: Stringify CSSUnparsedValues via toString, as normal
+
+CSSUnparsedValue exposes a special stringification function
+ToUnparsedString() in addition to the regular toString().
+The documentation says it returns "tokens without substituting
+variables", but it's not clear what this means; we don't substitute
+any variables in CSSStyleValue::toString() either.
+
+This CL makes ToUnparsedString() private (and renames it).
+Clients needing to serialize a CSSUnparsedValue can do so via
+the normal toString() function. (If ToUnparsedString() existed
+for performance reasons, that should have been documented.)
+
+Also, the /**/-"fixup" pass over the value has been folded into
+ToStringInternal(). This is to make it easy to find the canonical string
+representation of this value within CSSUnparsedValue (without going
+through a CSSValue).
+
+The main point of this CL is to prepare for validating
+the "argument grammar" of the value during the StyleValue-to-CSSValue
+conversion in StylePropertyMap (which requires item (2) above).
+
+We now jump through additional hoops to ultimately get a string
+from the outside of CSSUnparsedValue, but there should otherwise
+be no behavior change.
+
+Bug: 484751092
+Change-Id: I5db45ad85f780c67a2ea3ba8482c390ebab10068
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7600415
+Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
+Reviewed-by: Steinar H Gunderson <sesse@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1590041}
+
+diff --git a/third_party/blink/renderer/core/css/cssom/cross_thread_style_value_test.cc b/third_party/blink/renderer/core/css/cssom/cross_thread_style_value_test.cc
+index dcc2eccbc84e6cd5710ab51cee2dab49661467c1..86d42c87a6bd10838a3e059c9227868e5bfc0798 100644
+--- a/third_party/blink/renderer/core/css/cssom/cross_thread_style_value_test.cc
++++ b/third_party/blink/renderer/core/css/cssom/cross_thread_style_value_test.cc
+@@ -19,12 +19,12 @@
+ #include "third_party/blink/renderer/core/css/cssom/css_keyword_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_style_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_unit_value.h"
+-#include "third_party/blink/renderer/core/css/cssom/css_unparsed_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_unsupported_color.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/non_main_thread.h"
+ #include "third_party/blink/renderer/platform/scheduler/public/post_cross_thread_task.h"
+ #include "third_party/blink/renderer/platform/wtf/cross_thread_copier_std.h"
+ #include "third_party/blink/renderer/platform/wtf/cross_thread_functional.h"
++#include "third_party/blink/renderer/platform/wtf/wtf.h"
+ 
+ namespace blink {
+ 
+@@ -152,8 +152,7 @@ TEST_F(CrossThreadStyleValueTest, CrossThreadUnparsedValueToCSSStyleValue) {
+   CSSStyleValue* style_value = value->ToCSSStyleValue();
+   EXPECT_EQ(style_value->GetType(),
+             CSSStyleValue::StyleValueType::kUnparsedType);
+-  EXPECT_EQ(static_cast<CSSUnparsedValue*>(style_value)->ToUnparsedString(),
+-            "Unparsed");
++  EXPECT_EQ(style_value->toString(), "Unparsed");
+ }
+ 
+ TEST_F(CrossThreadStyleValueTest, PassKeywordValueCrossThread) {
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+index 567d4fad7436c24d4c42bc36ebfd7ee3641e3b90..12d70ed096cb1c509a2acf14b7f421273d833d0e 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+@@ -137,16 +137,26 @@ IndexedPropertySetterResult CSSUnparsedValue::AnonymousIndexedSetter(
+ }
+ 
+ const CSSValue* CSSUnparsedValue::ToCSSValue() const {
+-  String unparsed_string = ToUnparsedString();
+-  CSSParserTokenStream stream(unparsed_string);
++  String unparsed_string = ToStringInternal();
+ 
+-  if (stream.AtEnd()) {
++  if (unparsed_string.IsNull()) {
+     return MakeGarbageCollected<CSSUnparsedDeclarationValue>(
+         MakeGarbageCollected<CSSVariableData>());
+   }
+ 
+-  // The string we just parsed has /**/ inserted between every token
+-  // to make sure we get back the correct sequence of tokens.
++  // TODO(crbug.com/985028): We should probably propagate the CSSParserContext
++  // to here.
++  return MakeGarbageCollected<CSSUnparsedDeclarationValue>(
++      CSSVariableData::Create(unparsed_string, false /* is_animation_tainted */,
++                              false /* is_attr_tainted */,
++                              false /* needs_variable_resolution */));
++}
++
++String CSSUnparsedValue::ToStringInternal() const {
++  String serialized = SerializeSegments();
++
++  // The serialization above defensively inserted /**/ between segments
++  // to make sure that e.g. ['foo', 'bar'] does not collapse into 'foobar'.
+   // The spec mentions nothing of the sort:
+   // https://drafts.css-houdini.org/css-typed-om-1/#unparsedvalue-serialization
+   //
+@@ -160,6 +170,10 @@ const CSSValue* CSSUnparsedValue::ToCSSValue() const {
+   // the original contents of any comments will be lost, but Typed OM does
+   // not have anywhere to store that kind of data, so it is expected.
+   StringBuilder builder;
++  CSSParserTokenStream stream(serialized);
++  if (stream.AtEnd()) {
++    return g_null_atom;
++  }
+   CSSParserToken token = stream.ConsumeRaw();
+   token.Serialize(builder);
+   while (!stream.Peek().IsEOF()) {
+@@ -169,17 +183,10 @@ const CSSValue* CSSUnparsedValue::ToCSSValue() const {
+     token = stream.ConsumeRaw();
+     token.Serialize(builder);
+   }
+-  String original_text = builder.ReleaseString();
+-
+-  // TODO(crbug.com/985028): We should probably propagate the CSSParserContext
+-  // to here.
+-  return MakeGarbageCollected<CSSUnparsedDeclarationValue>(
+-      CSSVariableData::Create(original_text, false /* is_animation_tainted */,
+-                              false /* is_attr_tainted */,
+-                              false /* needs_variable_resolution */));
++  return builder.ReleaseString();
+ }
+ 
+-String CSSUnparsedValue::ToUnparsedString() const {
++String CSSUnparsedValue::SerializeSegments() const {
+   StringBuilder builder;
+   HeapHashSet<Member<const CSSUnparsedValue>> values_on_stack;
+   if (AppendUnparsedString(builder, values_on_stack)) {
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+index 5d1961b170f14ae21ca8f69b3c3cd8af28f4478a..ec7e3ed708f406d7a61fdb370b2eed8a8297cffb 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+@@ -67,15 +67,9 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+     CSSStyleValue::Trace(visitor);
+   }
+ 
+-  // Unlike CSSStyleValue::toString(), this returns tokens without
+-  // substituting variables. There are extra /**/ inserted between
+-  // every token to ensure there are no ambiguities, which is fine
+-  // because this value is never presented directly to the user
+-  // (ToCSSValue() will parse to a token range and then re-serialize
+-  // using extra /**/ only where needed).
+-  String ToUnparsedString() const;
+-
+  private:
++  String ToStringInternal() const;
++  String SerializeSegments() const;
+   // Return 'false' if there is a cycle in the serialization.
+   bool AppendUnparsedString(
+       StringBuilder&,
+diff --git a/third_party/blink/renderer/core/css/cssom/paint_worklet_style_property_map_test.cc b/third_party/blink/renderer/core/css/cssom/paint_worklet_style_property_map_test.cc
+index f81fa39423a9235bc58e1600ca7a250affd3d9bb..2ee4dd7e591095b8460ca559b29b78e37ab71729 100644
+--- a/third_party/blink/renderer/core/css/cssom/paint_worklet_style_property_map_test.cc
++++ b/third_party/blink/renderer/core/css/cssom/paint_worklet_style_property_map_test.cc
+@@ -5,6 +5,7 @@
+ #include "third_party/blink/renderer/core/css/cssom/paint_worklet_style_property_map.h"
+ 
+ #include <memory>
++
+ #include "base/synchronization/waitable_event.h"
+ #include "base/task/single_thread_task_runner.h"
+ #include "testing/gtest/include/gtest/gtest.h"
+@@ -13,7 +14,6 @@
+ #include "third_party/blink/renderer/core/css/cssom/css_keyword_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_paint_worklet_input.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_unit_value.h"
+-#include "third_party/blink/renderer/core/css/cssom/css_unparsed_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_unsupported_color.h"
+ #include "third_party/blink/renderer/core/css/properties/longhands/custom_property.h"
+ #include "third_party/blink/renderer/core/dom/element.h"
+@@ -23,6 +23,7 @@
+ #include "third_party/blink/renderer/platform/scheduler/public/post_cross_thread_task.h"
+ #include "third_party/blink/renderer/platform/wtf/cross_thread_copier_base.h"
+ #include "third_party/blink/renderer/platform/wtf/cross_thread_functional.h"
++#include "third_party/blink/renderer/platform/wtf/wtf.h"
+ 
+ namespace blink {
+ 
+@@ -66,8 +67,7 @@ class PaintWorkletStylePropertyMapTest : public PageTestBase {
+     CSSStyleValue* style_value = data.at("--x")->ToCSSStyleValue();
+     EXPECT_EQ(style_value->GetType(),
+               CSSStyleValue::StyleValueType::kUnparsedType);
+-    EXPECT_EQ(static_cast<CSSUnparsedValue*>(style_value)->ToUnparsedString(),
+-              "50");
++    EXPECT_EQ(style_value->toString(), "50");
+     waitable_event->Signal();
+   }
+ 
+diff --git a/third_party/blink/renderer/core/css/properties/computed_style_utils.cc b/third_party/blink/renderer/core/css/properties/computed_style_utils.cc
+index 79b292f72efe32e6b56971ea577481710b0c750c..8b0c9f73656d664b04b640016391965009b667d6 100644
+--- a/third_party/blink/renderer/core/css/properties/computed_style_utils.cc
++++ b/third_party/blink/renderer/core/css/properties/computed_style_utils.cc
+@@ -5059,7 +5059,7 @@ ComputedStyleUtils::CrossThreadStyleValueFromCSSStyleValue(
+           To<CSSUnsupportedColor>(style_value)->Value());
+     case CSSStyleValue::StyleValueType::kUnparsedType:
+       return std::make_unique<CrossThreadUnparsedValue>(
+-          To<CSSUnparsedValue>(style_value)->ToUnparsedString());
++          To<CSSUnparsedValue>(style_value)->toString());
+     default:
+       return std::make_unique<CrossThreadUnsupportedValue>(
+           style_value->toString());

patches/chromium/cherry-pick-074d472db745.patch

@@ -0,0 +1,296 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mikel Astiz <mastiz@chromium.org>
+Date: Tue, 10 Mar 2026 13:22:17 -0700
+Subject: [M146][base] Fix UAF in base::OnceCallbackList on re-entrant Notify()
+
+Before this patch, `base::OnceCallbackList` was susceptible to a
+heap-use-after-free when `Notify()` was called re-entrantly.
+
+The UAF occurred because `OnceCallbackList::RunCallback()` immediately
+spliced executed nodes out of `callbacks_` and into `null_callbacks_`.
+If a nested `Notify()` executed a node that an outer `Notify()` loop was
+already holding an iterator to, and that node's subscription was
+subsequently destroyed during the re-entrant cycle, the node would be
+physically erased from `null_callbacks_`. When control returned to the
+outer loop, it would attempt to evaluate the now-dangling iterator.
+
+This CL fixes the bug by deferring list mutations until the outermost
+iteration completes:
+1. `RunCallback()` no longer splices nodes during iteration.
+2. Cancellation logic is pushed down to the subclasses via a new
+   `CancelCallback()` hook, which is an extension to the pre-existing
+   `CancelNullCallback()` with increased responsibilities and clearer
+   semantics.
+3. If a subscription is destroyed while `is_iterating` is true,
+   `OnceCallbackList` resets the node and stashes its iterator in
+   `pending_erasures_`.
+4. A new `CleanUpNullCallbacksPostIteration()` phase runs at the end
+   of the outermost `Notify()`, which safely splices executed nodes
+   into `null_callbacks_` and physically erases the pending dead nodes.
+
+As a side effect, the type-trait hack in `Notify()` based on
+`is_instantiation<CallbackType, OnceCallback>` can be removed, because
+this information is exposed directly by
+`OnceCallbackList::CleanUpNullCallbacksPostIteration()`.
+
+The newly-added unit-test
+CallbackListTest.OnceCallbackListCancelDuringReentrantNotify reproduces
+the scenario and crashed before this patch.
+
+(cherry picked from commit 36acd49636845be2419269acbe9a5137da3d5d96)
+
+Change-Id: I6b1e2bcb97be1bc8d6a15e5ca7511992e00e1772
+Fixed: 489381399
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7627506
+Commit-Queue: Mikel Astiz <mastiz@chromium.org>
+Reviewed-by: Gabriel Charette <gab@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1594520}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7653916
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/7680@{#2287}
+Cr-Branched-From: 76b7d80e5cda23fe6537eed26d68c92e995c7f39-refs/heads/main@{#1582197}
+
+diff --git a/base/callback_list.h b/base/callback_list.h
+index 82cb11dc0ee02906b009cc383c41a056861199d0..d5f99cf685486f1ea74718b4e6b228a5d83f0c29 100644
+--- a/base/callback_list.h
++++ b/base/callback_list.h
+@@ -9,6 +9,7 @@
+ #include <list>
+ #include <memory>
+ #include <utility>
++#include <vector>
+ 
+ #include "base/auto_reset.h"
+ #include "base/base_export.h"
+@@ -16,7 +17,6 @@
+ #include "base/functional/bind.h"
+ #include "base/functional/callback.h"
+ #include "base/memory/weak_ptr.h"
+-#include "base/types/is_instantiation.h"
+ 
+ // OVERVIEW:
+ //
+@@ -240,17 +240,14 @@ class CallbackListBase {
+ 
+     // Any null callbacks remaining in the list were canceled due to
+     // Subscription destruction during iteration, and can safely be erased now.
+-    const size_t erased_callbacks =
+-        std::erase_if(callbacks_, [](const auto& cb) { return cb.is_null(); });
+-
+-    // Run |removal_callback_| if any callbacks were canceled. Note that we
+-    // cannot simply compare list sizes before and after iterating, since
+-    // notification may result in Add()ing new callbacks as well as canceling
+-    // them. Also note that if this is a OnceCallbackList, the OnceCallbacks
+-    // that were executed above have all been removed regardless of whether
+-    // they're counted in |erased_callbacks_|.
+-    if (removal_callback_ &&
+-        (erased_callbacks || is_instantiation<CallbackType, OnceCallback>)) {
++    const bool any_callbacks_erased = static_cast<CallbackListImpl*>(this)
++                                          ->CleanUpNullCallbacksPostIteration();
++
++    // Run |removal_callback_| if any callbacks were canceled or executed. Note
++    // that simply comparing list sizes before and after iterating cannot be
++    // done, since notification may result in Add()ing new callbacks as well as
++    // canceling them.
++    if (removal_callback_ && any_callbacks_erased) {
+       removal_callback_.Run();  // May delete |this|!
+     }
+   }
+@@ -264,21 +261,9 @@ class CallbackListBase {
+  private:
+   // Cancels the callback pointed to by |it|, which is guaranteed to be valid.
+   void CancelCallback(const typename Callbacks::iterator& it) {
+-    if (static_cast<CallbackListImpl*>(this)->CancelNullCallback(it)) {
+-      return;
+-    }
+-
+-    if (iterating_) {
+-      // Calling erase() here is unsafe, since the loop in Notify() may be
+-      // referencing this same iterator, e.g. if adjacent callbacks'
+-      // Subscriptions are both destroyed when the first one is Run().  Just
+-      // reset the callback and let Notify() clean it up at the end.
+-      it->Reset();
+-    } else {
+-      callbacks_.erase(it);
+-      if (removal_callback_) {
+-        removal_callback_.Run();  // May delete |this|!
+-      }
++    if (static_cast<CallbackListImpl*>(this)->CancelCallback(it, iterating_) &&
++        removal_callback_) {
++      removal_callback_.Run();  // May delete |this|!
+     }
+   }
+ 
+@@ -304,23 +289,71 @@ class OnceCallbackList
+   // Runs the current callback, which may cancel it or any other callbacks.
+   template <typename... RunArgs>
+   void RunCallback(typename Traits::Callbacks::iterator it, RunArgs&&... args) {
+-    // OnceCallbacks still have Subscriptions with outstanding iterators;
+-    // splice() removes them from |callbacks_| without invalidating those.
+-    null_callbacks_.splice(null_callbacks_.end(), this->callbacks_, it);
++    // Do not splice here. Splicing during iteration breaks re-entrant Notify()
++    // by invalidating the outer loop's iterator. Splicing is deferred to
++    // CleanUpNullCallbacksPostIteration(), which is called when the outermost
++    // Notify() finishes.
+ 
+     // NOTE: Intentionally does not call std::forward<RunArgs>(args)...; see
+     // comments in Notify().
+     std::move(*it).Run(args...);
+   }
+ 
+-  // If |it| refers to an already-canceled callback, does any necessary cleanup
+-  // and returns true.  Otherwise returns false.
+-  bool CancelNullCallback(const typename Traits::Callbacks::iterator& it) {
++  // Called during subscription destruction to cancel the callback. Returns true
++  // if the callback was removed from the active list and the generic removal
++  // callback should be executed. Returns false if the callback was already
++  // executed, or if the erasure is deferred due to active iteration.
++  bool CancelCallback(const typename Traits::Callbacks::iterator& it,
++                      bool is_iterating) {
++    if (is_iterating) {
++      // During iteration, nodes cannot be safely erased from |callbacks_|
++      // without invalidating iterators. They also cannot be spliced into
++      // |null_callbacks_| right now. Thus, the node is reset and tracked for
++      // erasure in CleanUpNullCallbacksPostIteration().
++      it->Reset();
++      pending_erasures_.push_back(it);
++      return false;
++    }
++
+     if (it->is_null()) {
++      // The callback already ran, so it's safely sitting in |null_callbacks_|.
+       null_callbacks_.erase(it);
+-      return true;
++      return false;
+     }
+-    return false;
++
++    // The callback hasn't run yet, so it's still in |callbacks_|.
++    this->callbacks_.erase(it);
++    return true;
++  }
++
++  // Performs post-iteration cleanup. Successfully executed callbacks (which
++  // become null) are spliced into |null_callbacks_| to keep their
++  // Subscriptions' iterators valid. Callbacks explicitly canceled during
++  // iteration (tracked in |pending_erasures_|) are erased. Returns true if any
++  // callbacks were erased or spliced out.
++  bool CleanUpNullCallbacksPostIteration() {
++    bool any_spliced = false;
++    for (auto it = this->callbacks_.begin(); it != this->callbacks_.end();) {
++      if (it->is_null()) {
++        any_spliced = true;
++        auto next = std::next(it);
++        null_callbacks_.splice(null_callbacks_.end(), this->callbacks_, it);
++        it = next;
++      } else {
++        ++it;
++      }
++    }
++
++    bool any_erased = !pending_erasures_.empty();
++    for (auto pending_it : pending_erasures_) {
++      // Note: `pending_it` was originally an iterator into `callbacks_`, but
++      // the node it points to has just been spliced into `null_callbacks_`. The
++      // iterator itself remains valid and can now be used for erasure from
++      // `null_callbacks_`.
++      null_callbacks_.erase(pending_it);
++    }
++    pending_erasures_.clear();
++    return any_spliced || any_erased;
+   }
+ 
+   // Holds null callbacks whose Subscriptions are still alive, so the
+@@ -328,6 +361,11 @@ class OnceCallbackList
+   // OnceCallbacks, since RepeatingCallbacks are not canceled except by
+   // Subscription destruction.
+   typename Traits::Callbacks null_callbacks_;
++
++  // Holds iterators for callbacks canceled during iteration.
++  // Erasure is deferred to CleanUpNullCallbacksPostIteration() when iteration
++  // completes to prevent invalidating iterators that an outer loop might hold.
++  std::vector<typename Traits::Callbacks::iterator> pending_erasures_;
+ };
+ 
+ template <typename Signature>
+@@ -344,14 +382,29 @@ class RepeatingCallbackList
+     it->Run(args...);
+   }
+ 
+-  // If |it| refers to an already-canceled callback, does any necessary cleanup
+-  // and returns true.  Otherwise returns false.
+-  bool CancelNullCallback(const typename Traits::Callbacks::iterator& it) {
+-    // Because at most one Subscription can point to a given callback, and
+-    // RepeatingCallbacks are only reset by CancelCallback(), no one should be
+-    // able to request cancellation of a canceled RepeatingCallback.
+-    DCHECK(!it->is_null());
+-    return false;
++  // Called during subscription destruction to cancel the callback. Returns true
++  // if the callback was removed from the active list and the generic removal
++  // callback should be executed. Returns false if the callback was already
++  // executed, or if the erasure is deferred due to active iteration.
++  bool CancelCallback(const typename Traits::Callbacks::iterator& it,
++                      bool is_iterating) {
++    if (is_iterating) {
++      // During iteration, nodes cannot be safely erased from |callbacks_|
++      // without invalidating iterators. The node is reset and will be swept up
++      // by CleanUpNullCallbacksPostIteration().
++      it->Reset();
++      return false;
++    }
++
++    this->callbacks_.erase(it);
++    return true;
++  }
++
++  // Performs post-iteration cleanup by erasing all canceled callbacks. Returns
++  // true if any callbacks were erased.
++  bool CleanUpNullCallbacksPostIteration() {
++    return std::erase_if(this->callbacks_,
++                         [](const auto& cb) { return cb.is_null(); }) > 0;
+   }
+ };
+ 
+diff --git a/base/callback_list_unittest.cc b/base/callback_list_unittest.cc
+index 7474278525e5efecc0de903809a54d366896d524..a855443fbae862befbc3a2a484ea335632136e94 100644
+--- a/base/callback_list_unittest.cc
++++ b/base/callback_list_unittest.cc
+@@ -10,6 +10,7 @@
+ #include "base/functional/bind.h"
+ #include "base/functional/callback_helpers.h"
+ #include "base/memory/raw_ptr.h"
++#include "base/test/bind.h"
+ #include "base/test/test_future.h"
+ #include "testing/gtest/include/gtest/gtest.h"
+ 
+@@ -577,6 +578,30 @@ TEST(CallbackListTest, ReentrantNotify) {
+   EXPECT_EQ(1, d.total());
+ }
+ 
++// Regression test for crbug.com/489381399: Verifies Notify() can be called
++// reentrantly for OnceCallbackList even if a callback is canceled during the
++// reentrant notification.
++TEST(CallbackListTest, OnceCallbackListCancelDuringReentrantNotify) {
++  OnceClosureList cb_reg;
++  CallbackListSubscription sub_a, sub_b;
++
++  auto cb_a = base::BindLambdaForTesting([&]() {
++    // Re-entrant notification.
++    cb_reg.Notify();
++    // After re-entrant notification returns, sub_b has been run. Destroying it
++    // now should be a no-op.
++    sub_b = {};
++  });
++
++  auto cb_b = base::DoNothing();
++
++  sub_a = cb_reg.Add(std::move(cb_a));
++  sub_b = cb_reg.Add(std::move(cb_b));
++
++  // This should not crash.
++  cb_reg.Notify();
++}
++
+ TEST(CallbackListTest, ClearPreventsInvocation) {
+   Listener listener;
+   RepeatingClosureList cb_reg;

patches/chromium/cherry-pick-12f932985275.patch

@@ -0,0 +1,762 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Geoff Lang <geofflang@chromium.org>
+Date: Wed, 11 Feb 2026 08:05:52 -0800
+Subject: Ensure the previous complete fbo is not deleted on IMG.
+
+Change-Id: I7d84833312749fc58ecb511b276ff6bd783af1ba
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7533383
+Reviewed-by: Vasiliy Telezhnikov <vasilyt@chromium.org>
+Commit-Queue: Geoff Lang <geofflang@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1583241}
+
+diff --git a/gpu/command_buffer/service/context_group.cc b/gpu/command_buffer/service/context_group.cc
+index 9a913cdefd0681d9972a83d8f940a3c48af0f46d..4a3a68b4415b6cc05eab01f98b1a0afffe73afc9 100644
+--- a/gpu/command_buffer/service/context_group.cc
++++ b/gpu/command_buffer/service/context_group.cc
+@@ -120,9 +120,17 @@ ContextGroup::ContextGroup(
+ 
+   use_passthrough_cmd_decoder_ = gpu_preferences_.use_passthrough_cmd_decoder;
+ }
+-
+ gpu::ContextResult ContextGroup::Initialize(DecoderContext* decoder,
+                                             ContextType context_type) {
++  return InitializeWithCompleteFramebufferForWorkarounds(decoder, context_type,
++                                                         0);
++}
++
++gpu::ContextResult
++ContextGroup::InitializeWithCompleteFramebufferForWorkarounds(
++    DecoderContext* decoder,
++    ContextType context_type,
++    uint32_t complete_fbo_for_workarounds) {
+   switch (context_type) {
+     case CONTEXT_TYPE_WEBGL1:
+       if (kGpuFeatureStatusBlocklisted ==
+@@ -156,8 +164,9 @@ gpu::ContextResult ContextGroup::Initialize(DecoderContext* decoder,
+   DisallowedFeatures adjusted_disallowed_features =
+       GetDisallowedFeatures(context_type);
+ 
+-  feature_info_->Initialize(context_type, use_passthrough_cmd_decoder_,
+-                            adjusted_disallowed_features);
++  feature_info_->InitializeWithCompleteFramebufferForWorkarounds(
++      context_type, use_passthrough_cmd_decoder_, adjusted_disallowed_features,
++      complete_fbo_for_workarounds);
+ 
+   // Fail early if ES3 is requested and driver does not support it.
+   if ((context_type == CONTEXT_TYPE_WEBGL2 ||
+diff --git a/gpu/command_buffer/service/context_group.h b/gpu/command_buffer/service/context_group.h
+index 78ea1ccd987cfc6f8ec0e378f906fb19fdccbc19..051d8126c128c47af71d0862cc0ec9476414825e 100644
+--- a/gpu/command_buffer/service/context_group.h
++++ b/gpu/command_buffer/service/context_group.h
+@@ -72,7 +72,10 @@ class GPU_GLES2_EXPORT ContextGroup : public base::RefCounted<ContextGroup> {
+   // call to destroy if it succeeds.
+   gpu::ContextResult Initialize(DecoderContext* decoder,
+                                 ContextType context_type);
+-
++  gpu::ContextResult InitializeWithCompleteFramebufferForWorkarounds(
++      DecoderContext* decoder,
++      ContextType context_type,
++      uint32_t complete_fbo_for_workarounds);
+   // Destroys all the resources when called for the last context in the group.
+   // It should only be called by DecoderContext.
+   void Destroy(DecoderContext* decoder, bool have_context);
+diff --git a/gpu/command_buffer/service/decoder_context.h b/gpu/command_buffer/service/decoder_context.h
+index f00ad2459ff2b4993af37ac6fe0a5aa661fee692..96edc25e2d1ce364470b75ec1a3658ed0e217e54 100644
+--- a/gpu/command_buffer/service/decoder_context.h
++++ b/gpu/command_buffer/service/decoder_context.h
+@@ -139,6 +139,12 @@ class GPU_GLES2_EXPORT DecoderContext : public AsyncAPIInterface,
+   virtual gles2::ContextGroup* GetContextGroup() = 0;
+   virtual gles2::ErrorState* GetErrorState() = 0;
+ 
++  //
++  // Methods required by GLES2 Decoder helpers
++  //
++  // Bind the framebuffer `service_id` and perform any workarounds needed.
++  virtual void BindFramebuffer(unsigned target, uint32_t service_id) const = 0;
++
+   //
+   // Methods required by Texture.
+   //
+diff --git a/gpu/command_buffer/service/feature_info.cc b/gpu/command_buffer/service/feature_info.cc
+index 14bf6c1a220f7b37fa81ddbc7ac1f2a16fb08e4c..6f1cb7f75f8bc4b80d1bd95be721285bd0bab1a8 100644
+--- a/gpu/command_buffer/service/feature_info.cc
++++ b/gpu/command_buffer/service/feature_info.cc
+@@ -64,7 +64,8 @@ class ScopedPixelUnpackBufferOverride {
+ 
+ bool IsWebGLDrawBuffersSupported(bool webglCompatibilityContext,
+                                  GLenum depth_texture_internal_format,
+-                                 GLenum depth_stencil_texture_internal_format) {
++                                 GLenum depth_stencil_texture_internal_format,
++                                 GLuint complete_fbo_for_workarounds) {
+   // This is called after we make sure GL_EXT_draw_buffers is supported.
+   GLint max_draw_buffers = 0;
+   GLint max_color_attachments = 0;
+@@ -81,6 +82,9 @@ bool IsWebGLDrawBuffersSupported(bool webglCompatibilityContext,
+ 
+   GLuint fbo;
+   glGenFramebuffersEXT(1, &fbo);
++  if (complete_fbo_for_workarounds) {
++    glBindFramebufferEXT(GL_FRAMEBUFFER, complete_fbo_for_workarounds);
++  }
+   glBindFramebufferEXT(GL_FRAMEBUFFER, fbo);
+ 
+   GLuint depth_stencil_texture = 0;
+@@ -157,6 +161,9 @@ bool IsWebGLDrawBuffersSupported(bool webglCompatibilityContext,
+     }
+   }
+ 
++  if (complete_fbo_for_workarounds) {
++    glBindFramebufferEXT(GL_FRAMEBUFFER, complete_fbo_for_workarounds);
++  }
+   glBindFramebufferEXT(GL_FRAMEBUFFER, static_cast<GLuint>(fb_binding));
+   glDeleteFramebuffersEXT(1, &fbo);
+ 
+@@ -238,6 +245,15 @@ void FeatureInfo::InitializeBasicState(const base::CommandLine* command_line) {
+ void FeatureInfo::Initialize(ContextType context_type,
+                              bool is_passthrough_cmd_decoder,
+                              const DisallowedFeatures& disallowed_features) {
++  InitializeWithCompleteFramebufferForWorkarounds(
++      context_type, is_passthrough_cmd_decoder, disallowed_features, 0);
++}
++
++void FeatureInfo::InitializeWithCompleteFramebufferForWorkarounds(
++    ContextType context_type,
++    bool is_passthrough_cmd_decoder,
++    const DisallowedFeatures& disallowed_features,
++    unsigned complete_fbo_for_workarounds) {
+   if (initialized_) {
+     DCHECK_EQ(context_type, context_type_);
+     DCHECK_EQ(is_passthrough_cmd_decoder, is_passthrough_cmd_decoder_);
+@@ -248,14 +264,14 @@ void FeatureInfo::Initialize(ContextType context_type,
+   disallowed_features_ = disallowed_features;
+   context_type_ = context_type;
+   is_passthrough_cmd_decoder_ = is_passthrough_cmd_decoder;
+-  InitializeFeatures();
++  InitializeFeatures(complete_fbo_for_workarounds);
+   initialized_ = true;
+ }
+ 
+ void FeatureInfo::ForceReinitialize() {
+   CHECK(initialized_);
+   CHECK(is_passthrough_cmd_decoder_);
+-  InitializeFeatures();
++  InitializeFeatures(0);
+ }
+ 
+ void FeatureInfo::InitializeForTesting(
+@@ -277,7 +293,7 @@ void FeatureInfo::InitializeForTesting(ContextType context_type) {
+              DisallowedFeatures());
+ }
+ 
+-bool IsGL_REDSupportedOnFBOs() {
++bool IsGL_REDSupportedOnFBOs(uint32_t complete_fbo_for_workarounds) {
+ #if BUILDFLAG(IS_MAC)
+   // The glTexImage2D call below can hang on Mac so skip this since it's only
+   // really needed to workaround a Mesa issue. See https://crbug.com/1158744.
+@@ -311,6 +327,9 @@ bool IsGL_REDSupportedOnFBOs() {
+                GL_UNSIGNED_BYTE, nullptr);
+   GLuint textureFBOID = 0;
+   glGenFramebuffersEXT(1, &textureFBOID);
++  if (complete_fbo_for_workarounds) {
++    glBindFramebufferEXT(GL_FRAMEBUFFER, complete_fbo_for_workarounds);
++  }
+   glBindFramebufferEXT(GL_FRAMEBUFFER, textureFBOID);
+   glFramebufferTexture2DEXT(GL_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, GL_TEXTURE_2D,
+                             textureId, 0);
+@@ -319,6 +338,9 @@ bool IsGL_REDSupportedOnFBOs() {
+   glDeleteFramebuffersEXT(1, &textureFBOID);
+   glDeleteTextures(1, &textureId);
+ 
++  if (complete_fbo_for_workarounds) {
++    glBindFramebufferEXT(GL_FRAMEBUFFER, complete_fbo_for_workarounds);
++  }
+   glBindFramebufferEXT(GL_FRAMEBUFFER, static_cast<GLuint>(fb_binding));
+   glBindTexture(GL_TEXTURE_2D, static_cast<GLuint>(tex_binding));
+ 
+@@ -476,7 +498,7 @@ void FeatureInfo::EnableWEBGLMultiDrawIfPossible(
+   }
+ }
+ 
+-void FeatureInfo::InitializeFeatures() {
++void FeatureInfo::InitializeFeatures(uint32_t complete_fbo_for_workarounds) {
+   // Figure out what extensions to turn on.
+   std::string extensions_string(gl::GetGLExtensionsFromCurrentContext());
+   gfx::ExtensionSet extensions(gfx::MakeExtensionSet(extensions_string));
+@@ -1264,9 +1286,9 @@ void FeatureInfo::InitializeFeatures() {
+        can_emulate_es2_draw_buffers_on_es3_nv) &&
+       (context_type_ == CONTEXT_TYPE_OPENGLES2 ||
+        (context_type_ == CONTEXT_TYPE_WEBGL1 &&
+-        IsWebGLDrawBuffersSupported(is_webgl_compatibility_context,
+-                                    depth_texture_format,
+-                                    depth_stencil_texture_format)));
++        IsWebGLDrawBuffersSupported(
++            is_webgl_compatibility_context, depth_texture_format,
++            depth_stencil_texture_format, complete_fbo_for_workarounds)));
+   if (have_es2_draw_buffers) {
+     AddExtensionString("GL_EXT_draw_buffers");
+     feature_flags_.ext_draw_buffers = true;
+@@ -1387,7 +1409,7 @@ void FeatureInfo::InitializeFeatures() {
+ 
+   if ((gl_version_info_->is_es3 ||
+        gfx::HasExtension(extensions, "GL_EXT_texture_rg")) &&
+-      IsGL_REDSupportedOnFBOs()) {
++      IsGL_REDSupportedOnFBOs(complete_fbo_for_workarounds)) {
+     feature_flags_.ext_texture_rg = true;
+     AddExtensionString("GL_EXT_texture_rg");
+ 
+diff --git a/gpu/command_buffer/service/feature_info.h b/gpu/command_buffer/service/feature_info.h
+index 2db3588ca3ed729799b113350ea8a7c449712587..83c683e900a3267061ced97ba971bf9dc0b88f4f 100644
+--- a/gpu/command_buffer/service/feature_info.h
++++ b/gpu/command_buffer/service/feature_info.h
+@@ -163,6 +163,14 @@ class GPU_GLES2_EXPORT FeatureInfo : public base::RefCounted<FeatureInfo> {
+                   bool is_passthrough_cmd_decoder,
+                   const DisallowedFeatures& disallowed_features);
+ 
++  // Same as initialize but with a provided `complete_fbo_for_workarounds` to
++  // use with the ensure_previous_framebuffer_not_deleted driver bug workaround.
++  void InitializeWithCompleteFramebufferForWorkarounds(
++      ContextType context_type,
++      bool is_passthrough_cmd_decoder,
++      const DisallowedFeatures& disallowed_features,
++      uint32_t complete_fbo_for_workarounds);
++
+   // Same as above, but allows reinitialization.
+   void ForceReinitialize();
+ 
+@@ -250,7 +258,7 @@ class GPU_GLES2_EXPORT FeatureInfo : public base::RefCounted<FeatureInfo> {
+ 
+   void AddExtensionString(std::string_view s);
+   void InitializeBasicState(const base::CommandLine* command_line);
+-  void InitializeFeatures();
++  void InitializeFeatures(uint32_t complete_fbo_for_workarounds);
+   void InitializeFloatAndHalfFloatFeatures(const gfx::ExtensionSet& extensions);
+ 
+   void EnableANGLEInstancedArrayIfPossible(const gfx::ExtensionSet& extensions);
+diff --git a/gpu/command_buffer/service/gles2_cmd_copy_tex_image.cc b/gpu/command_buffer/service/gles2_cmd_copy_tex_image.cc
+index b500acb4fe7cbff0e84a4e52e66459d5b85fdf75..a08bb3ac4ab625f220865803352e206713763d77 100644
+--- a/gpu/command_buffer/service/gles2_cmd_copy_tex_image.cc
++++ b/gpu/command_buffer/service/gles2_cmd_copy_tex_image.cc
+@@ -185,7 +185,7 @@ void CopyTexImageResourceManager::DoCopyTexSubImageToLUMACompatibilityTexture(
+   // framebuffer is copying from a texture and sample directly from that texture
+   // instead of doing an extra copy
+ 
+-  glBindFramebufferEXT(GL_FRAMEBUFFER, source_framebuffer);
++  decoder->BindFramebuffer(GL_FRAMEBUFFER, source_framebuffer);
+   glActiveTexture(GL_TEXTURE0);
+   glBindTexture(GL_TEXTURE_2D, scratch_textures_[0]);
+   glCopyTexImage2D(GL_TEXTURE_2D, 0, source_framebuffer_internal_format, x, y,
+@@ -217,7 +217,7 @@ void CopyTexImageResourceManager::DoCopyTexSubImageToLUMACompatibilityTexture(
+   glTexImage2D(GL_TEXTURE_2D, 0, compatability_format, width, height, 0,
+                compatability_format, luma_type, nullptr);
+ 
+-  glBindFramebufferEXT(GL_FRAMEBUFFER, scratch_fbo_);
++  decoder->BindFramebuffer(GL_FRAMEBUFFER, scratch_fbo_);
+   glFramebufferTexture2DEXT(GL_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, GL_TEXTURE_2D,
+                             scratch_textures_[1], 0);
+ 
+diff --git a/gpu/command_buffer/service/gles2_cmd_copy_texture_chromium.cc b/gpu/command_buffer/service/gles2_cmd_copy_texture_chromium.cc
+index 469642028b839d490199379254a5a44c2fcd7f02..98f476de9e4d423b6ec86f2a69638e43bd0fb423 100644
+--- a/gpu/command_buffer/service/gles2_cmd_copy_texture_chromium.cc
++++ b/gpu/command_buffer/service/gles2_cmd_copy_texture_chromium.cc
+@@ -491,7 +491,8 @@ void DeleteShader(GLuint shader) {
+     glDeleteShader(shader);
+ }
+ 
+-bool BindFramebufferTexture2D(GLenum target,
++bool BindFramebufferTexture2D(DecoderContext* decoder,
++                              GLenum target,
+                               GLuint texture_id,
+                               GLint level,
+                               GLuint framebuffer) {
+@@ -511,7 +512,7 @@ bool BindFramebufferTexture2D(GLenum target,
+   glTexParameterf(binding_target, GL_TEXTURE_WRAP_T, GL_CLAMP_TO_EDGE);
+   glTexParameteri(binding_target, GL_TEXTURE_MAG_FILTER, GL_NEAREST);
+   glTexParameteri(binding_target, GL_TEXTURE_MIN_FILTER, GL_NEAREST);
+-  glBindFramebufferEXT(GL_FRAMEBUFFER, framebuffer);
++  decoder->BindFramebuffer(GL_FRAMEBUFFER, framebuffer);
+   glFramebufferTexture2DEXT(GL_FRAMEBUFFER, GL_COLOR_ATTACHMENT0, target,
+                             texture_id, level);
+ 
+@@ -545,7 +546,7 @@ void DoCopyTexImage2D(
+   DCHECK(dest_binding_target == GL_TEXTURE_2D ||
+          dest_binding_target == GL_TEXTURE_CUBE_MAP);
+   DCHECK(source_level == 0 || decoder->GetFeatureInfo()->IsES3Capable());
+-  if (BindFramebufferTexture2D(source_target, source_id, source_level,
++  if (BindFramebufferTexture2D(decoder, source_target, source_id, source_level,
+                                framebuffer)) {
+     glBindTexture(dest_binding_target, dest_id);
+     glTexParameterf(dest_binding_target, GL_TEXTURE_WRAP_S, GL_CLAMP_TO_EDGE);
+@@ -603,7 +604,7 @@ void DoCopyTexSubImage2D(
+   DCHECK(dest_binding_target == GL_TEXTURE_2D ||
+          dest_binding_target == GL_TEXTURE_CUBE_MAP);
+   DCHECK(source_level == 0 || decoder->GetFeatureInfo()->IsES3Capable());
+-  if (BindFramebufferTexture2D(source_target, source_id, source_level,
++  if (BindFramebufferTexture2D(decoder, source_target, source_id, source_level,
+                                framebuffer)) {
+     glBindTexture(dest_binding_target, dest_id);
+     glTexParameterf(dest_binding_target, GL_TEXTURE_WRAP_S, GL_CLAMP_TO_EDGE);
+@@ -767,7 +768,7 @@ void DoReadbackAndTexImage(TexImageCommandType command_type,
+   DCHECK(dest_binding_target == GL_TEXTURE_2D ||
+          dest_binding_target == GL_TEXTURE_CUBE_MAP);
+   DCHECK(source_level == 0 || decoder->GetFeatureInfo()->IsES3Capable());
+-  if (BindFramebufferTexture2D(source_target, source_id, source_level,
++  if (BindFramebufferTexture2D(decoder, source_target, source_id, source_level,
+                                framebuffer)) {
+     glBindTexture(dest_binding_target, dest_id);
+     glTexParameterf(dest_binding_target, GL_TEXTURE_WRAP_S, GL_CLAMP_TO_EDGE);
+@@ -1341,7 +1342,7 @@ void CopyTextureResourceManagerImpl::DoCopyTextureInternal(
+               (y + height / 2.f) * m_y / source_height);
+ 
+   DCHECK(dest_level == 0 || decoder->GetFeatureInfo()->IsES3Capable());
+-  if (BindFramebufferTexture2D(dest_target, dest_id, dest_level,
++  if (BindFramebufferTexture2D(decoder, dest_target, dest_id, dest_level,
+                                framebuffer_)) {
+ #ifndef NDEBUG
+     // glValidateProgram of MACOSX validates FBO unlike other platforms, so
+diff --git a/gpu/command_buffer/service/gles2_cmd_decoder.cc b/gpu/command_buffer/service/gles2_cmd_decoder.cc
+index 0bb2581fa602217ab77aa429ed51ce0ce5a06f00..895266f5988e2446eadf3d3e1d5c4919416cba76 100644
+--- a/gpu/command_buffer/service/gles2_cmd_decoder.cc
++++ b/gpu/command_buffer/service/gles2_cmd_decoder.cc
+@@ -675,6 +675,9 @@ class GLES2DecoderImpl : public GLES2Decoder,
+   // Implements GpuSwitchingObserver.
+   void OnGpuSwitched() override;
+ 
++  // Bind the framebuffer `fbo` and perform any workarounds needed.
++  void BindFramebuffer(unsigned target, uint32_t service_id) const override;
++
+   // Restores the current state to the user's settings.
+   void RestoreCurrentFramebufferBindings();
+ 
+@@ -2418,6 +2421,10 @@ class GLES2DecoderImpl : public GLES2Decoder,
+   // Backbuffer attachments that are currently undefined.
+   uint32_t backbuffer_needs_clear_bits_;
+ 
++  // An always-complete FBO to use for workarounds
++  GLuint complete_fbo_ = 0;
++  GLuint complete_fbo_color_texture_ = 0;
++
+   // The current decoder error communicates the decoder error through command
+   // processing functions that do not return the error value. Should be set only
+   // if not returning an error.
+@@ -2594,7 +2601,7 @@ ScopedFramebufferBinder::ScopedFramebufferBinder(GLES2DecoderImpl* decoder,
+     : decoder_(decoder) {
+   ScopedGLErrorSuppressor suppressor("ScopedFramebufferBinder::ctor",
+                                      decoder_->error_state_.get());
+-  decoder->api()->glBindFramebufferEXTFn(GL_FRAMEBUFFER, id);
++  decoder->BindFramebuffer(GL_FRAMEBUFFER, id);
+   decoder->OnFboChanged();
+ }
+ 
+@@ -2980,7 +2987,27 @@ gpu::ContextResult GLES2DecoderImpl::Initialize(
+     return gpu::ContextResult::kFatalFailure;
+   }
+ 
+-  auto result = group_->Initialize(this, context_type);
++  if (workarounds().ensure_previous_framebuffer_not_deleted) {
++    // Use a 1x1 RGBA8 framebuffer as the "always complete" framebuffer to bind
++    // before binding other framebuffers
++    api()->glGenTexturesFn(1, &complete_fbo_color_texture_);
++    api()->glBindTextureFn(GL_TEXTURE_2D, complete_fbo_color_texture_);
++    api()->glTexImage2DFn(GL_TEXTURE_2D, 0, GL_RGBA, 1, 1, 0, GL_RGBA,
++                          GL_UNSIGNED_BYTE, nullptr);
++
++    api()->glGenFramebuffersEXTFn(1, &complete_fbo_);
++    api()->glBindFramebufferEXTFn(GL_FRAMEBUFFER, complete_fbo_);
++    api()->glFramebufferTexture2DEXTFn(GL_FRAMEBUFFER, GL_COLOR_ATTACHMENT0,
++                                       GL_TEXTURE_2D,
++                                       complete_fbo_color_texture_, 0);
++    CHECK_EQ(api()->glCheckFramebufferStatusEXTFn(GL_FRAMEBUFFER),
++             static_cast<GLenum>(GL_FRAMEBUFFER_COMPLETE));
++  }
++  CHECK_GL_ERROR();
++
++  auto result = group_->InitializeWithCompleteFramebufferForWorkarounds(
++      this, context_type, complete_fbo_);
++
+   if (result != gpu::ContextResult::kSuccess) {
+     // Must not destroy ContextGroup if it is not initialized.
+     group_ = nullptr;
+@@ -3116,7 +3143,7 @@ gpu::ContextResult GLES2DecoderImpl::Initialize(
+     state_.viewport_width = initial_size.width();
+     state_.viewport_height = initial_size.height();
+   } else {
+-    api()->glBindFramebufferEXTFn(GL_FRAMEBUFFER, GetBackbufferServiceId());
++    BindFramebuffer(GL_FRAMEBUFFER, GetBackbufferServiceId());
+     // These are NOT if the back buffer has these proprorties. They are
+     // if we want the command buffer to enforce them regardless of what
+     // the real backbuffer is assuming the real back buffer gives us more than
+@@ -3809,7 +3836,7 @@ void GLES2DecoderImpl::DeleteFramebuffersHelper(
+         if (workarounds().unbind_attachments_on_bound_render_fbo_delete)
+           framebuffer->DoUnbindGLAttachmentsForWorkaround(target);
+ 
+-        api()->glBindFramebufferEXTFn(target, GetBackbufferServiceId());
++        BindFramebuffer(target, GetBackbufferServiceId());
+         state_.UpdateWindowRectanglesForBoundDrawFramebufferClientID(0);
+         framebuffer_state_.bound_draw_framebuffer = nullptr;
+         framebuffer_state_.clear_state_dirty = true;
+@@ -3817,7 +3844,7 @@ void GLES2DecoderImpl::DeleteFramebuffersHelper(
+       if (framebuffer == framebuffer_state_.bound_read_framebuffer.get()) {
+         framebuffer_state_.bound_read_framebuffer = nullptr;
+         GLenum target = GetReadFramebufferTarget();
+-        api()->glBindFramebufferEXTFn(target, GetBackbufferServiceId());
++        BindFramebuffer(target, GetBackbufferServiceId());
+       }
+       OnFboChanged();
+       RemoveFramebuffer(client_id);
+@@ -3965,33 +3992,32 @@ void GLES2DecoderImpl::ProcessFinishedAsyncTransfers() {
+   ProcessPendingReadPixels(false);
+ }
+ 
+-static void RebindCurrentFramebuffer(gl::GLApi* api,
+-                                     GLenum target,
+-                                     Framebuffer* framebuffer,
+-                                     GLuint back_buffer_service_id) {
+-  GLuint framebuffer_id = framebuffer ? framebuffer->service_id() : 0;
++void GLES2DecoderImpl::RestoreCurrentFramebufferBindings() {
++  framebuffer_state_.clear_state_dirty = true;
+ 
+-  if (framebuffer_id == 0) {
+-    framebuffer_id = back_buffer_service_id;
+-  }
++  auto rebind_current_framebuffer = [this](GLenum target,
++                                           Framebuffer* framebuffer,
++                                           GLuint back_buffer_service_id) {
++    GLuint framebuffer_id = framebuffer ? framebuffer->service_id() : 0;
+ 
+-  api->glBindFramebufferEXTFn(target, framebuffer_id);
+-}
++    if (framebuffer_id == 0) {
++      framebuffer_id = back_buffer_service_id;
++    }
+ 
+-void GLES2DecoderImpl::RestoreCurrentFramebufferBindings() {
+-  framebuffer_state_.clear_state_dirty = true;
++    BindFramebuffer(target, framebuffer_id);
++  };
+ 
+   if (!SupportsSeparateFramebufferBinds()) {
+-    RebindCurrentFramebuffer(api(), GL_FRAMEBUFFER,
+-                             framebuffer_state_.bound_draw_framebuffer.get(),
+-                             GetBackbufferServiceId());
++    rebind_current_framebuffer(GL_FRAMEBUFFER,
++                               framebuffer_state_.bound_draw_framebuffer.get(),
++                               GetBackbufferServiceId());
+   } else {
+-    RebindCurrentFramebuffer(api(), GL_READ_FRAMEBUFFER,
+-                             framebuffer_state_.bound_read_framebuffer.get(),
+-                             GetBackbufferServiceId());
+-    RebindCurrentFramebuffer(api(), GL_DRAW_FRAMEBUFFER,
+-                             framebuffer_state_.bound_draw_framebuffer.get(),
+-                             GetBackbufferServiceId());
++    rebind_current_framebuffer(GL_READ_FRAMEBUFFER,
++                               framebuffer_state_.bound_read_framebuffer.get(),
++                               GetBackbufferServiceId());
++    rebind_current_framebuffer(GL_DRAW_FRAMEBUFFER,
++                               framebuffer_state_.bound_draw_framebuffer.get(),
++                               GetBackbufferServiceId());
+   }
+   OnFboChanged();
+ }
+@@ -4380,6 +4406,16 @@ void GLES2DecoderImpl::OnGpuSwitched() {
+   client()->OnGpuSwitched();
+ }
+ 
++void GLES2DecoderImpl::BindFramebuffer(unsigned target,
++                                       uint32_t service_id) const {
++  if (workarounds().ensure_previous_framebuffer_not_deleted) {
++    DCHECK(complete_fbo_);
++    api()->glBindFramebufferEXTFn(target, complete_fbo_);
++  }
++
++  api()->glBindFramebufferEXTFn(target, service_id);
++}
++
+ void GLES2DecoderImpl::Destroy(bool have_context) {
+   if (!initialized())
+     return;
+@@ -4429,6 +4465,13 @@ void GLES2DecoderImpl::Destroy(bool have_context) {
+       offscreen_target_frame_buffer_->Destroy();
+     if (offscreen_target_color_texture_.get())
+       offscreen_target_color_texture_->Destroy();
++
++    if (complete_fbo_color_texture_) {
++      api()->glDeleteTexturesFn(1, &complete_fbo_color_texture_);
++    }
++    if (complete_fbo_) {
++      api()->glDeleteFramebuffersEXTFn(1, &complete_fbo_);
++    }
+   } else {
+     if (offscreen_target_frame_buffer_.get())
+       offscreen_target_frame_buffer_->Invalidate();
+@@ -5058,13 +5101,13 @@ void GLES2DecoderImpl::RestoreFramebufferBindings() const {
+           ? framebuffer_state_.bound_draw_framebuffer->service_id()
+           : GetBackbufferServiceId();
+   if (!SupportsSeparateFramebufferBinds()) {
+-    api()->glBindFramebufferEXTFn(GL_FRAMEBUFFER, service_id);
++    BindFramebuffer(GL_FRAMEBUFFER, service_id);
+   } else {
+-    api()->glBindFramebufferEXTFn(GL_DRAW_FRAMEBUFFER, service_id);
++    BindFramebuffer(GL_DRAW_FRAMEBUFFER, service_id);
+     service_id = framebuffer_state_.bound_read_framebuffer.get()
+                      ? framebuffer_state_.bound_read_framebuffer->service_id()
+                      : GetBackbufferServiceId();
+-    api()->glBindFramebufferEXTFn(GL_READ_FRAMEBUFFER, service_id);
++    BindFramebuffer(GL_READ_FRAMEBUFFER, service_id);
+   }
+   OnFboChanged();
+ }
+@@ -5205,7 +5248,7 @@ void GLES2DecoderImpl::DoBindFramebuffer(GLenum target, GLuint client_id) {
+     service_id = GetBackbufferServiceId();
+   }
+ 
+-  api()->glBindFramebufferEXTFn(target, service_id);
++  BindFramebuffer(target, service_id);
+   OnFboChanged();
+ }
+ 
+@@ -6976,8 +7019,7 @@ void GLES2DecoderImpl::ClearUnclearedAttachments(
+     if (target == GL_READ_FRAMEBUFFER && draw_framebuffer != framebuffer) {
+       // TODO(zmo): There is no guarantee that an FBO that is complete on the
+       // READ attachment will be complete as a DRAW attachment.
+-      api()->glBindFramebufferEXTFn(GL_DRAW_FRAMEBUFFER,
+-                                    framebuffer->service_id());
++      BindFramebuffer(GL_DRAW_FRAMEBUFFER, framebuffer->service_id());
+     }
+     state_.SetDeviceColorMask(GL_TRUE, GL_TRUE, GL_TRUE, GL_TRUE);
+     state_.SetDeviceCapabilityState(GL_SCISSOR_TEST, false);
+@@ -7024,8 +7066,7 @@ void GLES2DecoderImpl::ClearUnclearedAttachments(
+         target == GL_READ_FRAMEBUFFER && draw_framebuffer != framebuffer) {
+       // TODO(zmo): There is no guarantee that an FBO that is complete on the
+       // READ attachment will be complete as a DRAW attachment.
+-      api()->glBindFramebufferEXTFn(GL_DRAW_FRAMEBUFFER,
+-                                    framebuffer->service_id());
++      BindFramebuffer(GL_DRAW_FRAMEBUFFER, framebuffer->service_id());
+     }
+     state_.SetDeviceCapabilityState(GL_SCISSOR_TEST, false);
+     ClearDeviceWindowRectangles();
+@@ -7043,7 +7084,7 @@ void GLES2DecoderImpl::ClearUnclearedAttachments(
+     if (target == GL_READ_FRAMEBUFFER && draw_framebuffer != framebuffer) {
+       GLuint service_id = draw_framebuffer ? draw_framebuffer->service_id() :
+                                              GetBackbufferServiceId();
+-      api()->glBindFramebufferEXTFn(GL_DRAW_FRAMEBUFFER, service_id);
++      BindFramebuffer(GL_DRAW_FRAMEBUFFER, service_id);
+     }
+   }
+ 
+@@ -7900,7 +7941,8 @@ void GLES2DecoderImpl::RenderbufferStorageMultisampleHelperAMD(
+ 
+ bool GLES2DecoderImpl::RegenerateRenderbufferIfNeeded(
+     Renderbuffer* renderbuffer) {
+-  if (!renderbuffer->RegenerateAndBindBackingObjectIfNeeded(workarounds())) {
++  if (!renderbuffer->RegenerateAndBindBackingObjectIfNeeded(this,
++                                                            workarounds())) {
+     return false;
+   }
+ 
+@@ -12059,7 +12101,7 @@ bool GLES2DecoderImpl::ClearLevelUsingGL(Texture* texture,
+   GLenum fb_target = GetDrawFramebufferTarget();
+   GLuint fb = 0;
+   api()->glGenFramebuffersEXTFn(1, &fb);
+-  api()->glBindFramebufferEXTFn(fb_target, fb);
++  BindFramebuffer(fb_target, fb);
+ 
+   bool have_color = (channels & GLES2Util::kRGBA) != 0;
+   if (have_color) {
+@@ -12102,7 +12144,7 @@ bool GLES2DecoderImpl::ClearLevelUsingGL(Texture* texture,
+   Framebuffer* framebuffer = GetFramebufferInfoForTarget(fb_target);
+   GLuint fb_service_id =
+       framebuffer ? framebuffer->service_id() : GetBackbufferServiceId();
+-  api()->glBindFramebufferEXTFn(fb_target, fb_service_id);
++  BindFramebuffer(fb_target, fb_service_id);
+   return result;
+ }
+ 
+@@ -14581,8 +14623,9 @@ error::Error GLES2DecoderImpl::HandleGetRequestableExtensionsCHROMIUM(
+       new FeatureInfo(workarounds(), group_->gpu_feature_info()));
+   DisallowedFeatures disallowed_features = feature_info_->disallowed_features();
+   disallowed_features.AllowExtensions();
+-  info->Initialize(feature_info_->context_type(),
+-                   false /* is_passthrough_cmd_decoder */, disallowed_features);
++  info->InitializeWithCompleteFramebufferForWorkarounds(
++      feature_info_->context_type(), false /* is_passthrough_cmd_decoder */,
++      disallowed_features, complete_fbo_);
+   bucket->SetFromString(gfx::MakeExtensionString(info->extensions()).c_str());
+   return error::kNoError;
+ }
+diff --git a/gpu/command_buffer/service/gles2_cmd_decoder_mock.h b/gpu/command_buffer/service/gles2_cmd_decoder_mock.h
+index bd3158e174f0881f99c45a0c8b8d5640e3be2b8f..cc160b5771954b485652f4b0cdc6695bfdea9954 100644
+--- a/gpu/command_buffer/service/gles2_cmd_decoder_mock.h
++++ b/gpu/command_buffer/service/gles2_cmd_decoder_mock.h
+@@ -147,6 +147,8 @@ class MockGLES2Decoder : public GLES2Decoder {
+                     int height,
+                     int depth));
+   MOCK_METHOD0(GetErrorState, ErrorState *());
++  MOCK_CONST_METHOD2(BindFramebuffer,
++                     void(unsigned target, uint32_t service_id));
+ 
+   MOCK_METHOD0(GetLogger, Logger*());
+ 
+diff --git a/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc b/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc
+index e8808f50df6d179879bc44fcacfb4154a4ac0454..de9f2f5cfb247a914606d3ba8b24f0924ac728e0 100644
+--- a/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc
++++ b/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc
+@@ -1541,6 +1541,11 @@ gpu::gles2::ErrorState* GLES2DecoderPassthroughImpl::GetErrorState() {
+   return nullptr;
+ }
+ 
++void GLES2DecoderPassthroughImpl::BindFramebuffer(unsigned target,
++                                                  uint32_t service_id) const {
++  NOTREACHED();
++}
++
+ void GLES2DecoderPassthroughImpl::WaitForReadPixels(
+     base::OnceClosure callback) {}
+ 
+diff --git a/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.h b/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.h
+index 30dc611c8f0a84ec3493e3f865b6640cab157e2a..50938ca4a0086d14493ec7e0d85b99615c0c7fb7 100644
+--- a/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.h
++++ b/gpu/command_buffer/service/gles2_cmd_decoder_passthrough.h
+@@ -315,6 +315,8 @@ class GPU_GLES2_EXPORT GLES2DecoderPassthroughImpl
+ 
+   ErrorState* GetErrorState() override;
+ 
++  void BindFramebuffer(unsigned target, uint32_t service_id) const override;
++
+   void WaitForReadPixels(base::OnceClosure callback) override;
+ 
+   // Returns true if the context was lost either by GL_ARB_robustness, forced
+diff --git a/gpu/command_buffer/service/raster_decoder.cc b/gpu/command_buffer/service/raster_decoder.cc
+index 5f61aac4fc217a97ccfcdbd6634056e5f305a425..767fee8cace6dec4cfaf1ccdd46f1764a7ae5318 100644
+--- a/gpu/command_buffer/service/raster_decoder.cc
++++ b/gpu/command_buffer/service/raster_decoder.cc
+@@ -560,6 +560,7 @@ class RasterDecoderImpl final : public RasterDecoder,
+ 
+   gles2::ContextGroup* GetContextGroup() override;
+   gles2::ErrorState* GetErrorState() override;
++  void BindFramebuffer(unsigned target, uint32_t service_id) const override;
+ 
+   bool IsCompressedTextureFormat(unsigned format) override;
+   bool ClearLevel(gles2::Texture* texture,
+@@ -1598,6 +1599,11 @@ gles2::ErrorState* RasterDecoderImpl::GetErrorState() {
+   return error_state_.get();
+ }
+ 
++void RasterDecoderImpl::BindFramebuffer(unsigned target,
++                                        uint32_t service_id) const {
++  NOTREACHED();
++}
++
+ bool RasterDecoderImpl::IsCompressedTextureFormat(unsigned format) {
+   return feature_info()->validators()->compressed_texture_format.IsValid(
+       format);
+diff --git a/gpu/command_buffer/service/renderbuffer_manager.cc b/gpu/command_buffer/service/renderbuffer_manager.cc
+index 8075cb3acf7204a661a6c094edc1c1a783d46dfb..6cdb9186c4e3bfe40dd437db6b92343f60830171 100644
+--- a/gpu/command_buffer/service/renderbuffer_manager.cc
++++ b/gpu/command_buffer/service/renderbuffer_manager.cc
+@@ -15,6 +15,7 @@
+ #include "base/trace_event/memory_dump_manager.h"
+ #include "base/trace_event/trace_event.h"
+ #include "gpu/command_buffer/common/gles2_cmd_utils.h"
++#include "gpu/command_buffer/service/decoder_context.h"
+ #include "gpu/command_buffer/service/feature_info.h"
+ #include "gpu/command_buffer/service/framebuffer_manager.h"
+ #include "gpu/command_buffer/service/gles2_cmd_decoder.h"
+@@ -141,6 +142,7 @@ Renderbuffer::Renderbuffer(RenderbufferManager* manager,
+ }
+ 
+ bool Renderbuffer::RegenerateAndBindBackingObjectIfNeeded(
++    const DecoderContext* decoder,
+     const GpuDriverBugWorkarounds& workarounds) {
+   bool multisample_workaround =
+       workarounds.multisample_renderbuffer_resize_emulation;
+@@ -167,7 +169,7 @@ bool Renderbuffer::RegenerateAndBindBackingObjectIfNeeded(
+ 
+   // Attach new renderbuffer to all framebuffers
+   for (auto& point : framebuffer_attachment_points_) {
+-    glBindFramebufferEXT(GL_DRAW_FRAMEBUFFER, point.first->service_id());
++    decoder->BindFramebuffer(GL_DRAW_FRAMEBUFFER, point.first->service_id());
+     glFramebufferRenderbufferEXT(GL_DRAW_FRAMEBUFFER, point.second,
+                                  GL_RENDERBUFFER, service_id_);
+   }
+diff --git a/gpu/command_buffer/service/renderbuffer_manager.h b/gpu/command_buffer/service/renderbuffer_manager.h
+index 7d575387ca8f6a7cb1b4bb020c52f7b53bed5d10..5eabeb9dd160122366507b7dfba53fd1c3285115 100644
+--- a/gpu/command_buffer/service/renderbuffer_manager.h
++++ b/gpu/command_buffer/service/renderbuffer_manager.h
+@@ -22,6 +22,7 @@
+ 
+ namespace gpu {
+ class GpuDriverBugWorkarounds;
++class DecoderContext;
+ 
+ namespace gles2 {
+ 
+@@ -79,6 +80,7 @@ class GPU_GLES2_EXPORT Renderbuffer : public base::RefCounted<Renderbuffer> {
+   // Regenerates the object backing this client_id, creating a new service_id.
+   // Also reattaches any framebuffers using this renderbuffer.
+   bool RegenerateAndBindBackingObjectIfNeeded(
++      const DecoderContext* decoder,
+       const GpuDriverBugWorkarounds& workarounds);
+ 
+   void AddFramebufferAttachmentPoint(Framebuffer* framebuffer,
+diff --git a/gpu/command_buffer/service/webgpu_decoder_impl.cc b/gpu/command_buffer/service/webgpu_decoder_impl.cc
+index 172834911e75edb3ed1c4dceb3ec23755bf3b5f6..fb873fee0e4b1d33edd4210fad8ad74c6d563355 100644
+--- a/gpu/command_buffer/service/webgpu_decoder_impl.cc
++++ b/gpu/command_buffer/service/webgpu_decoder_impl.cc
+@@ -305,6 +305,9 @@ class WebGPUDecoderImpl final : public WebGPUDecoder {
+   std::string_view GetLogPrefix() override { return "WebGPUDecoderImpl"; }
+   gles2::ContextGroup* GetContextGroup() override { return nullptr; }
+   gles2::ErrorState* GetErrorState() override { NOTREACHED(); }
++  void BindFramebuffer(unsigned target, uint32_t service_id) const override {
++    NOTREACHED();
++  }
+   bool IsCompressedTextureFormat(unsigned format) override { NOTREACHED(); }
+   bool ClearLevel(gles2::Texture* texture,
+                   unsigned target,
+diff --git a/gpu/config/gpu_driver_bug_list.json b/gpu/config/gpu_driver_bug_list.json
+index ebea892a523322b38a22ba6b0442262edcd6166b..2af5b0460beed7b78c00c9f2a70e14e5f7696ac0 100644
+--- a/gpu/config/gpu_driver_bug_list.json
++++ b/gpu/config/gpu_driver_bug_list.json
+@@ -3818,6 +3818,31 @@
+       "features": [
+         "disable_d3d12_video_encoder"
+       ]
++    },
++    {
++      "id": 470,
++      "description": "Disable D3D12 video encoder on Windows versions older 11 24H2",
++      "os": {
++        "type": "win",
++        "version": {
++          "op": "<",
++          "value": "10.0.26100.2033"
++        }
++      },
++      "features": [
++        "disable_d3d12_video_encoder"
++      ]
++    },
++    {
++      "id": 471,
++      "description": "IMG drivers can sometimes reference previously bound complete framebuffers.",
++      "os": {
++        "type": "android"
++      },
++      "gl_vendor": "Imagination.*",
++      "features": [
++        "ensure_previous_framebuffer_not_deleted"
++      ]
+     }
+   ]
+ }
+diff --git a/gpu/config/gpu_workaround_list.txt b/gpu/config/gpu_workaround_list.txt
+index 7f8b6e019f9b1986411b17c4ef1a2e863eb689f0..30ee7799cdd0a344e433e95cd74e4630a7c87aff 100644
+--- a/gpu/config/gpu_workaround_list.txt
++++ b/gpu/config/gpu_workaround_list.txt
+@@ -78,6 +78,7 @@ dont_delete_source_texture_for_egl_image
+ dont_use_loops_to_initialize_variables
+ enable_bgra8_overlays_with_yuv_overlay_support
+ enable_webgl_timer_query_extensions
++ensure_previous_framebuffer_not_deleted
+ etc1_power_of_two_only
+ exit_on_context_lost
+ flush_before_create_fence

patches/chromium/cherry-pick-45c5a70d984d.patch

@@ -0,0 +1,199 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Anders Hartvoll Ruud <andruud@chromium.org>
+Date: Wed, 25 Feb 2026 03:24:19 -0800
+Subject: Describe a vector of segments as "segments", not "tokens"
+
+The specification uses the term "tokens" to refer to a sequence
+of V8CSSUnparsedSegment objects, and CSSUnparsedValue has adopted
+this terminology. While it is usually a good idea for Blink
+to mirror the language used in specifications, "tokens" is very
+confusing here, since it always means CSSParserTokens in every other
+place in the style code.
+
+Bug: 487117772
+Change-Id: I2dc132c4e618e398e1f8bdabc03a8d2ab6c118e7
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7606599
+Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
+Reviewed-by: Steinar H Gunderson <sesse@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1590040}
+
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+index 486e9d10c1e0a682ec239f4df696f4133300eebb..567d4fad7436c24d4c42bc36ebfd7ee3641e3b90 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+@@ -28,12 +28,12 @@ String FindVariableName(CSSParserTokenStream& stream) {
+ 
+ V8CSSUnparsedSegment* VariableReferenceValue(
+     const StringView& variable_name,
+-    const HeapVector<Member<V8CSSUnparsedSegment>>& tokens) {
++    const HeapVector<Member<V8CSSUnparsedSegment>>& segments) {
+   CSSUnparsedValue* unparsed_value;
+-  if (tokens.size() == 0) {
++  if (segments.size() == 0) {
+     unparsed_value = nullptr;
+   } else {
+-    unparsed_value = CSSUnparsedValue::Create(tokens);
++    unparsed_value = CSSUnparsedValue::Create(segments);
+   }
+ 
+   CSSStyleVariableReferenceValue* variable_reference =
+@@ -50,13 +50,13 @@ V8CSSUnparsedSegment* VariableReferenceValue(
+ HeapVector<Member<V8CSSUnparsedSegment>> ParserTokenStreamToTokens(
+     CSSParserTokenStream& stream) {
+   int nesting_level = 0;
+-  HeapVector<Member<V8CSSUnparsedSegment>> tokens;
++  HeapVector<Member<V8CSSUnparsedSegment>> segments;
+   StringBuilder builder;
+   while (stream.Peek().GetType() != kEOFToken) {
+     if (stream.Peek().FunctionId() == CSSValueID::kVar ||
+         stream.Peek().FunctionId() == CSSValueID::kEnv) {
+       if (!builder.empty()) {
+-        tokens.push_back(MakeGarbageCollected<V8CSSUnparsedSegment>(
++        segments.push_back(MakeGarbageCollected<V8CSSUnparsedSegment>(
+             builder.ReleaseString()));
+       }
+ 
+@@ -71,7 +71,7 @@ HeapVector<Member<V8CSSUnparsedSegment>> ParserTokenStreamToTokens(
+       if (!ref) {
+         break;
+       }
+-      tokens.push_back(ref);
++      segments.push_back(ref);
+     } else {
+       if (stream.Peek().GetBlockType() == CSSParserToken::kBlockStart) {
+         ++nesting_level;
+@@ -86,10 +86,10 @@ HeapVector<Member<V8CSSUnparsedSegment>> ParserTokenStreamToTokens(
+     }
+   }
+   if (!builder.empty()) {
+-    tokens.push_back(
++    segments.push_back(
+         MakeGarbageCollected<V8CSSUnparsedSegment>(builder.ReleaseString()));
+   }
+-  return tokens;
++  return segments;
+ }
+ 
+ }  // namespace
+@@ -109,8 +109,8 @@ CSSUnparsedValue* CSSUnparsedValue::FromCSSVariableData(
+ V8CSSUnparsedSegment* CSSUnparsedValue::AnonymousIndexedGetter(
+     uint32_t index,
+     ExceptionState& exception_state) const {
+-  if (index < tokens_.size()) {
+-    return tokens_[index].Get();
++  if (index < segments_.size()) {
++    return segments_[index].Get();
+   }
+   return nullptr;
+ }
+@@ -119,20 +119,20 @@ IndexedPropertySetterResult CSSUnparsedValue::AnonymousIndexedSetter(
+     uint32_t index,
+     V8CSSUnparsedSegment* segment,
+     ExceptionState& exception_state) {
+-  if (index < tokens_.size()) {
+-    tokens_[index] = segment;
++  if (index < segments_.size()) {
++    segments_[index] = segment;
+     return IndexedPropertySetterResult::kIntercepted;
+   }
+ 
+-  if (index == tokens_.size()) {
+-    tokens_.push_back(segment);
++  if (index == segments_.size()) {
++    segments_.push_back(segment);
+     return IndexedPropertySetterResult::kIntercepted;
+   }
+ 
+   exception_state.ThrowRangeError(
+       ExceptionMessages::IndexOutsideRange<unsigned>(
+-          "index", index, 0, ExceptionMessages::kInclusiveBound, tokens_.size(),
+-          ExceptionMessages::kInclusiveBound));
++          "index", index, 0, ExceptionMessages::kInclusiveBound,
++          segments_.size(), ExceptionMessages::kInclusiveBound));
+   return IndexedPropertySetterResult::kIntercepted;
+ }
+ 
+@@ -195,14 +195,14 @@ bool CSSUnparsedValue::AppendUnparsedString(
+     return false;  // Cycle.
+   }
+   values_on_stack.insert(this);
+-  for (unsigned i = 0; i < tokens_.size(); i++) {
++  for (unsigned i = 0; i < segments_.size(); i++) {
+     if (i) {
+       builder.Append("/**/");
+     }
+-    switch (tokens_[i]->GetContentType()) {
++    switch (segments_[i]->GetContentType()) {
+       case V8CSSUnparsedSegment::ContentType::kCSSVariableReferenceValue: {
+         const auto* reference_value =
+-            tokens_[i]->GetAsCSSVariableReferenceValue();
++            segments_[i]->GetAsCSSVariableReferenceValue();
+         builder.Append("var(");
+         builder.Append(reference_value->variable());
+         if (reference_value->fallback()) {
+@@ -216,7 +216,7 @@ bool CSSUnparsedValue::AppendUnparsedString(
+         break;
+       }
+       case V8CSSUnparsedSegment::ContentType::kString:
+-        builder.Append(tokens_[i]->GetAsString());
++        builder.Append(segments_[i]->GetAsString());
+         break;
+     }
+   }
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+index c9dab7a0b3ffeaeb6b5d2ab50d876d40c38a760e..5d1961b170f14ae21ca8f69b3c3cd8af28f4478a 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+@@ -26,8 +26,8 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+ 
+  public:
+   static CSSUnparsedValue* Create(
+-      const HeapVector<Member<V8CSSUnparsedSegment>>& tokens) {
+-    return MakeGarbageCollected<CSSUnparsedValue>(tokens);
++      const HeapVector<Member<V8CSSUnparsedSegment>>& segments) {
++    return MakeGarbageCollected<CSSUnparsedValue>(segments);
+   }
+ 
+   // Blink-internal constructor
+@@ -37,14 +37,14 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+   static CSSUnparsedValue* FromCSSValue(const CSSUnparsedDeclarationValue&);
+   static CSSUnparsedValue* FromCSSVariableData(const CSSVariableData&);
+   static CSSUnparsedValue* FromString(const String& string) {
+-    HeapVector<Member<V8CSSUnparsedSegment>> tokens;
+-    tokens.push_back(MakeGarbageCollected<V8CSSUnparsedSegment>(string));
+-    return Create(tokens);
++    HeapVector<Member<V8CSSUnparsedSegment>> segments;
++    segments.push_back(MakeGarbageCollected<V8CSSUnparsedSegment>(string));
++    return Create(segments);
+   }
+ 
+   explicit CSSUnparsedValue(
+-      const HeapVector<Member<V8CSSUnparsedSegment>>& tokens)
+-      : tokens_(tokens) {}
++      const HeapVector<Member<V8CSSUnparsedSegment>>& segments)
++      : segments_(segments) {}
+   CSSUnparsedValue(const CSSUnparsedValue&) = delete;
+   CSSUnparsedValue& operator=(const CSSUnparsedValue&) = delete;
+ 
+@@ -60,10 +60,10 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+       V8CSSUnparsedSegment* segment,
+       ExceptionState& exception_state);
+ 
+-  wtf_size_t length() const { return tokens_.size(); }
++  wtf_size_t length() const { return segments_.size(); }
+ 
+   void Trace(Visitor* visitor) const override {
+-    visitor->Trace(tokens_);
++    visitor->Trace(segments_);
+     CSSStyleValue::Trace(visitor);
+   }
+ 
+@@ -81,7 +81,7 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+       StringBuilder&,
+       HeapHashSet<Member<const CSSUnparsedValue>>& values_on_stack) const;
+ 
+-  HeapVector<Member<V8CSSUnparsedSegment>> tokens_;
++  HeapVector<Member<V8CSSUnparsedSegment>> segments_;
+ 
+   FRIEND_TEST_ALL_PREFIXES(CSSUnparsedDeclarationValueTest, MixedList);
+ };

patches/chromium/cherry-pick-50b057660b4d.patch

@@ -0,0 +1,149 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kai Ninomiya <kainino@chromium.org>
+Date: Wed, 11 Mar 2026 14:52:44 -0700
+Subject: [M146] Increment WebGL context generation number on context restore
+
+Objects created while the context is lost should not be valid to use
+after the context is restored.
+- Replace number_of_context_losses_ with a "context generation number"
+  which increments on both context loss and context restore.
+  - Technically, it would make sense to increment it only on context
+    restore, but just in case any logic is relying on the current
+    behavior, increment it in both places.
+  - It's uint64_t just in case someone figures out how to increment it 4
+    billion times.
+- Remove unused WebGLRenderingContextBase::number_of_context_losses_,
+  left over from before it was moved into WebGLContextObjectSupport.
+
+(cherry picked from commit c1433740f3ea902fd6b15d63c4865ad60a3761f9)
+
+Bug: 485935305
+Change-Id: I1007217c8e69cfb8de4f117e0b7845ca574579c4
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7630664
+Reviewed-by: Kenneth Russell <kbr@chromium.org>
+Commit-Queue: Kai Ninomiya <kainino@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1593726}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7658823
+Auto-Submit: Kai Ninomiya <kainino@chromium.org>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/7680@{#2370}
+Cr-Branched-From: 76b7d80e5cda23fe6537eed26d68c92e995c7f39-refs/heads/main@{#1582197}
+
+diff --git a/third_party/blink/renderer/modules/webgl/webgl_context_object_support.cc b/third_party/blink/renderer/modules/webgl/webgl_context_object_support.cc
+index 6a3b1416354e7993e7a9ebd25c4ca08593105d9a..83941f8163a5e9425f2df8fd3bb98e1fd37537ad 100644
+--- a/third_party/blink/renderer/modules/webgl/webgl_context_object_support.cc
++++ b/third_party/blink/renderer/modules/webgl/webgl_context_object_support.cc
+@@ -22,7 +22,10 @@ WebGLContextObjectSupport::WebGLContextObjectSupport(
+ 
+ void WebGLContextObjectSupport::OnContextLost() {
+   DCHECK(!is_lost_);
+-  number_of_context_losses_++;
++  // Invalidate all past objects.
++  // (It may not be strictly necessary to do this here, since it's also done in
++  // OnContextRestored, but we did it historically, and there's no harm in it.)
++  context_generation_++;
+   is_lost_ = true;
+   gles2_interface_ = nullptr;
+   extensions_enabled_.reset();
+@@ -31,6 +34,8 @@ void WebGLContextObjectSupport::OnContextLost() {
+ void WebGLContextObjectSupport::OnContextRestored(
+     gpu::gles2::GLES2Interface* gl) {
+   DCHECK(is_lost_);
++  // Invalidate all past objects.
++  context_generation_++;
+   is_lost_ = false;
+   gles2_interface_ = gl;
+ }
+diff --git a/third_party/blink/renderer/modules/webgl/webgl_context_object_support.h b/third_party/blink/renderer/modules/webgl/webgl_context_object_support.h
+index 907866bb21acf9647d1c0ecd791e642e96b734fc..ba8b79f8bb9db12058614982a625baaff5546af7 100644
+--- a/third_party/blink/renderer/modules/webgl/webgl_context_object_support.h
++++ b/third_party/blink/renderer/modules/webgl/webgl_context_object_support.h
+@@ -33,10 +33,10 @@ class MODULES_EXPORT WebGLContextObjectSupport : public ScriptWrappable {
+   bool IsWebGL2() const { return is_webgl2_; }
+   bool IsLost() const { return is_lost_; }
+ 
+-  // How many context losses there were, to check whether a WebGLObject was
+-  // created since the last context resoration or before that (and hence invalid
+-  // to use).
+-  uint32_t NumberOfContextLosses() const { return number_of_context_losses_; }
++  // Which "generation" the context is on (essentially, how many times it has
++  // been restored), to check whether a WebGLObject was created since the last
++  // context restoration, or before that (and hence invalid to use).
++  uint64_t GetContextGeneration() const { return context_generation_; }
+ 
+   bool ExtensionEnabled(WebGLExtensionName name) const {
+     return extensions_enabled_.test(name);
+@@ -65,7 +65,7 @@ class MODULES_EXPORT WebGLContextObjectSupport : public ScriptWrappable {
+   std::bitset<kWebGLExtensionNameCount> extensions_enabled_ = {};
+   raw_ptr<gpu::gles2::GLES2Interface> gles2_interface_ = nullptr;
+ 
+-  uint32_t number_of_context_losses_ = 0;
++  uint64_t context_generation_ = 0;
+   bool is_lost_ = true;
+   bool is_webgl2_;
+ };
+diff --git a/third_party/blink/renderer/modules/webgl/webgl_object.cc b/third_party/blink/renderer/modules/webgl/webgl_object.cc
+index 9d984de0073796f23a5038bfc0a51ec676179765..07e0a9a4aa3406a1298a677a3159edadc5f2cbb5 100644
+--- a/third_party/blink/renderer/modules/webgl/webgl_object.cc
++++ b/third_party/blink/renderer/modules/webgl/webgl_object.cc
+@@ -33,9 +33,9 @@ namespace blink {
+ 
+ WebGLObject::WebGLObject(WebGLContextObjectSupport* context)
+     : context_(context),
+-      cached_number_of_context_losses_(std::numeric_limits<uint32_t>::max()) {
++      context_generation_at_creation_(std::numeric_limits<uint64_t>::max()) {
+   if (context_) {
+-    cached_number_of_context_losses_ = context->NumberOfContextLosses();
++    context_generation_at_creation_ = context->GetContextGeneration();
+   }
+ }
+ 
+@@ -46,7 +46,7 @@ bool WebGLObject::Validate(const WebGLContextObjectSupport* context) const {
+   // the objects they ever created, so there's no way to invalidate them
+   // eagerly during context loss. The invalidation is discovered lazily.
+   return (context == context_ && context_ != nullptr &&
+-          cached_number_of_context_losses_ == context->NumberOfContextLosses());
++          context_generation_at_creation_ == context->GetContextGeneration());
+ }
+ 
+ void WebGLObject::SetObject(GLuint object) {
+@@ -71,7 +71,7 @@ void WebGLObject::DeleteObject(gpu::gles2::GLES2Interface* gl) {
+     return;
+   }
+ 
+-  if (context_->NumberOfContextLosses() != cached_number_of_context_losses_) {
++  if (context_->GetContextGeneration() != context_generation_at_creation_) {
+     // This object has been invalidated.
+     return;
+   }
+diff --git a/third_party/blink/renderer/modules/webgl/webgl_object.h b/third_party/blink/renderer/modules/webgl/webgl_object.h
+index bb56df0f99e8e8432e03442feb9302b8dde27d01..97caa90e34288911b1a827e60c2569544d2b8f69 100644
+--- a/third_party/blink/renderer/modules/webgl/webgl_object.h
++++ b/third_party/blink/renderer/modules/webgl/webgl_object.h
+@@ -123,9 +123,9 @@ class WebGLObject : public ScriptWrappable {
+ 
+   GLuint object_ = 0;
+ 
+-  // This was the number of context losses of the object's associated
+-  // WebGLContext at the time this object was created.
+-  uint32_t cached_number_of_context_losses_;
++  // The context generation number of the associated WebGLContext when the
++  // object was created, to prevent reuse in later generations.
++  uint64_t context_generation_at_creation_;
+ 
+   unsigned attachment_count_ = 0;
+ 
+diff --git a/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.h b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.h
+index 060563a9955a8564d176177fc389c4f98aa64e9f..f24221cb2f47cfde515179ff945c13756487ebfc 100644
+--- a/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.h
++++ b/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.h
+@@ -2073,8 +2073,6 @@ class MODULES_EXPORT WebGLRenderingContextBase
+ 
+   bool has_been_drawn_to_ = false;
+ 
+-  uint32_t number_of_context_losses_ = 0;
+-
+   // Tracks if the context has ever called glBeginPixelLocalStorageANGLE. If it
+   // has, we need to start using the pixel local storage interrupt mechanism
+   // when we take over the client's context.

patches/chromium/cherry-pick-5efc7a0127a6.patch

@@ -0,0 +1,219 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Anders Hartvoll Ruud <andruud@chromium.org>
+Date: Wed, 25 Feb 2026 06:21:21 -0800
+Subject: Validate CSSUnparsedValues upon assignment
+
+CSS Typed OM has a concept of a value "matching a grammar" (or not)
+upon assignment to a property [1]. For CSSUnparsedValues, we currently
+don't perform any significant validation, and as a consequence
+we allow "invalid" CSSUnparsedDeclarationValues to be created
+(causing DCHECKs later in the pipeline).
+
+This CL makes sure values can be parsed using CSSVariableParser::
+ConsumeUnparsedDeclaration before assignment.
+
+We're still not handling the value in the context of the destination
+property, which we probably should. This is also a problem with
+current state of things, however, so for now the goal is primarily
+to avoid the DCHECKs in Issue 484751092.
+
+Finally, I opened an issue against the specification [2], which
+currently doesn't define any of this.
+
+[1] https://drafts.css-houdini.org/css-typed-om-1/#create-an-internal-representation
+[2] https://github.com/w3c/csswg-drafts/issues/13547
+
+Fixed: 484751092
+Change-Id: Id7f888a6df8c02ade24910900f5d01909cb2dfad
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7595347
+Reviewed-by: Steinar H Gunderson <sesse@chromium.org>
+Commit-Queue: Anders Hartvoll Ruud <andruud@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1590110}
+
+diff --git a/third_party/blink/renderer/build/scripts/core/css/templates/cssom_types.cc.tmpl b/third_party/blink/renderer/build/scripts/core/css/templates/cssom_types.cc.tmpl
+index edfa73a57d30ebd4f9a7147702df42b836f7d82b..4442ba0872ca4c739596b546e6d3b600c5a31598 100644
+--- a/third_party/blink/renderer/build/scripts/core/css/templates/cssom_types.cc.tmpl
++++ b/third_party/blink/renderer/build/scripts/core/css/templates/cssom_types.cc.tmpl
+@@ -11,6 +11,7 @@
+ #include "third_party/blink/renderer/core/css/cssom/css_keyword_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_numeric_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_style_value.h"
++#include "third_party/blink/renderer/core/css/cssom/css_unparsed_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_unsupported_style_value.h"
+ #include "third_party/blink/renderer/core/css/cssom/cssom_keywords.h"
+ #include "third_party/blink/renderer/core/css/properties/css_property.h"
+@@ -105,8 +106,8 @@ bool CSSOMTypes::PropertyCanTake(CSSPropertyID id,
+                     : CSSPropertyName(id);
+     return unsupported_style_value->IsValidFor(name);
+   }
+-  if (value.GetType() == CSSStyleValue::kUnparsedType) {
+-    return true;
++  if (auto* unparsed_value = DynamicTo<CSSUnparsedValue>(value)) {
++    return unparsed_value->IsValidDeclarationValue();
+   }
+ 
+   switch (id) {
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+index 12d70ed096cb1c509a2acf14b7f421273d833d0e..5f9d6a39effe207e44dd84cececebdb6c666f011 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.cc
+@@ -4,11 +4,13 @@
+ 
+ #include "third_party/blink/renderer/core/css/cssom/css_unparsed_value.h"
+ 
++#include "css_style_value.h"
+ #include "third_party/blink/renderer/core/css/css_unparsed_declaration_value.h"
+ #include "third_party/blink/renderer/core/css/css_variable_data.h"
+ #include "third_party/blink/renderer/core/css/cssom/css_style_variable_reference_value.h"
+ #include "third_party/blink/renderer/core/css/parser/css_parser_token_stream.h"
+ #include "third_party/blink/renderer/core/css/parser/css_tokenizer.h"
++#include "third_party/blink/renderer/core/css/parser/css_variable_parser.h"
+ #include "third_party/blink/renderer/core/css_value_keywords.h"
+ #include "third_party/blink/renderer/platform/bindings/exception_messages.h"
+ #include "third_party/blink/renderer/platform/bindings/exception_state.h"
+@@ -136,6 +138,10 @@ IndexedPropertySetterResult CSSUnparsedValue::AnonymousIndexedSetter(
+   return IndexedPropertySetterResult::kIntercepted;
+ }
+ 
++bool CSSUnparsedValue::IsValidDeclarationValue() const {
++  return IsValidDeclarationValue(ToStringInternal());
++}
++
+ const CSSValue* CSSUnparsedValue::ToCSSValue() const {
+   String unparsed_string = ToStringInternal();
+ 
+@@ -144,12 +150,40 @@ const CSSValue* CSSUnparsedValue::ToCSSValue() const {
+         MakeGarbageCollected<CSSVariableData>());
+   }
+ 
++  CHECK(IsValidDeclarationValue(unparsed_string));
++  // The call to IsValidDeclarationValue() above also creates a CSSVariableData
++  // to carry out its check. It would be nice to use that here, but WPTs
++  // expect leading whitespace to be preserved, even though it's not possible
++  // to create such declaration values normally.
++  CSSVariableData* variable_data =
++      CSSVariableData::Create(unparsed_string,
++                              /*is_animation_tainted=*/false,
++                              /*is_attr_tainted=*/false,
++                              /*needs_variable_resolution=*/false);
++
+   // TODO(crbug.com/985028): We should probably propagate the CSSParserContext
+   // to here.
+-  return MakeGarbageCollected<CSSUnparsedDeclarationValue>(
+-      CSSVariableData::Create(unparsed_string, false /* is_animation_tainted */,
+-                              false /* is_attr_tainted */,
+-                              false /* needs_variable_resolution */));
++  return MakeGarbageCollected<CSSUnparsedDeclarationValue>(variable_data);
++}
++
++bool CSSUnparsedValue::IsValidDeclarationValue(const String& string) {
++  CSSParserTokenStream stream(string);
++  bool important_unused;
++  // This checks that the value does not violate the "argument grammar" [1]
++  // of any substitution functions, and that it is a valid <declaration-value>
++  // otherwise.
++  //
++  // [1] https://drafts.csswg.org/css-values-5/#argument-grammar
++  //
++  // TODO(andruud): 'restricted_value' depends on the destination property.
++  return CSSVariableParser::ConsumeUnparsedDeclaration(
++      stream,
++      /*allow_important_annotation=*/false,
++      /*is_animation_tainted=*/false,
++      /*must_contain_variable_reference=*/false,
++      /*restricted_value=*/false,
++      /*comma_ends_declaration=*/false, important_unused,
++      *StrictCSSParserContext(SecureContextMode::kInsecureContext));
+ }
+ 
+ String CSSUnparsedValue::ToStringInternal() const {
+diff --git a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+index ec7e3ed708f406d7a61fdb370b2eed8a8297cffb..7fd66aed677e31046a1bd206854b2cbeac07c25b 100644
+--- a/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
++++ b/third_party/blink/renderer/core/css/cssom/css_unparsed_value.h
+@@ -48,6 +48,14 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+   CSSUnparsedValue(const CSSUnparsedValue&) = delete;
+   CSSUnparsedValue& operator=(const CSSUnparsedValue&) = delete;
+ 
++  // True if this CSSUnparsedValue can be converted into
++  // a CSSUnparsedDeclarationValue.
++  //
++  // We may want to ban some invalid values earlier, see:
++  // https://github.com/w3c/csswg-drafts/issues/13547
++  bool IsValidDeclarationValue() const;
++
++  // Requires IsValidDeclarationValue()==true.
+   const CSSValue* ToCSSValue() const override;
+ 
+   StyleValueType GetType() const override { return kUnparsedType; }
+@@ -68,6 +76,7 @@ class CORE_EXPORT CSSUnparsedValue final : public CSSStyleValue {
+   }
+ 
+  private:
++  static bool IsValidDeclarationValue(const String&);
+   String ToStringInternal() const;
+   String SerializeSegments() const;
+   // Return 'false' if there is a cycle in the serialization.
+diff --git a/third_party/blink/web_tests/external/wpt/css/css-typed-om/missing-variable-in-unparsed-value-crash.html b/third_party/blink/web_tests/external/wpt/css/css-typed-om/missing-variable-in-unparsed-value-crash.html
+deleted file mode 100644
+index b92bd62deb71f2623b0265bed099d739cd1fce3a..0000000000000000000000000000000000000000
+--- a/third_party/blink/web_tests/external/wpt/css/css-typed-om/missing-variable-in-unparsed-value-crash.html
++++ /dev/null
+@@ -1,12 +0,0 @@
+-<!DOCTYPE html>
+-<title>Crash Test: Missing variable name in CSSUnparsedValue</title>
+-<link rel="help" href="https://issues.chromium.org/issues/484811719">
+-<div id="div"></div>
+-<script>
+-  for (let i = 0; i < 5000; ++i) {
+-    const bad = new CSSUnparsedValue(['var(,)']);
+-    div.attributeStyleMap.set('--x', bad);
+-    div.attributeStyleMap.get('--x');
+-  }
+-</script>
+-<p>PASS if no crash</p>
+diff --git a/third_party/blink/web_tests/external/wpt/css/css-typed-om/set-invalid-untyped-value-crash.html b/third_party/blink/web_tests/external/wpt/css/css-typed-om/set-invalid-untyped-value-crash.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..ce618bf38fe651297b969ffdc16e212dee6a3688
+--- /dev/null
++++ b/third_party/blink/web_tests/external/wpt/css/css-typed-om/set-invalid-untyped-value-crash.html
+@@ -0,0 +1,39 @@
++<!DOCTYPE html>
++<title>Crash when setting invalid CSSUnparsedValue</title>
++<link rel="help" href="https://github.com/w3c/csswg-drafts/issues/13547">
++<div id=target></div>
++<script>
++  let examples = [
++    'var()',
++    'var(,)',
++    'var(0)',
++    'env()',
++    'env(,)',
++    'env(0)',
++    'attr()',
++    'attr(,)',
++    'attr(0)',
++    'if()',
++    'if(,)',
++    'if(0)',
++    '--f()',
++    '--f(,)',
++    '--f(0)',
++    'thing!!!',
++    'var(--x) !important',
++  ];
++  // Some of the above cases may be valid. That's fine; just don't crash.
++
++  for (let e of examples) {
++    try {
++      let value = new CSSUnparsedValue([e]);
++      target.attributeStyleMap.set('width', value);
++      // One of the two above statements should likely throw an exception.
++      // If they don't, then we should at least not crash on get():
++      target.attributeStyleMap.get('width');
++    } catch (e) {
++      // Intentionally empty.
++    }
++    target.offsetTop;
++  }
++</script>

patches/chromium/cherry-pick-fbfb27470bf6.patch

@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Geoff Lang <geofflang@chromium.org>
+Date: Wed, 18 Feb 2026 13:54:37 -0800
+Subject: Validate uniform block count limits at compile time on IMG.
+
+Normally these limits are validated at link time but the IMG compiler
+has issues when these limits are exceeded. Validate at compile time
+instead.
+
+Bug: chromium:475877320
+Change-Id: Ieeed6914b8cdd2b5e50242d06facae62badddefd
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7568129
+Auto-Submit: Geoff Lang <geofflang@chromium.org>
+Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
+Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1586673}
+
+diff --git a/gpu/command_buffer/service/gles2_cmd_decoder.cc b/gpu/command_buffer/service/gles2_cmd_decoder.cc
+index 895266f5988e2446eadf3d3e1d5c4919416cba76..aeafafece78faa6ece837386fe170592589d1b10 100644
+--- a/gpu/command_buffer/service/gles2_cmd_decoder.cc
++++ b/gpu/command_buffer/service/gles2_cmd_decoder.cc
+@@ -3678,6 +3678,9 @@ bool GLES2DecoderImpl::InitializeShaderTranslator() {
+     driver_bug_workarounds.dontUseLoopsToInitializeVariables = true;
+   if (workarounds().remove_dynamic_indexing_of_swizzled_vector)
+     driver_bug_workarounds.removeDynamicIndexingOfSwizzledVector = true;
++  if (workarounds().validate_max_per_stage_uniform_blocks_at_compile_time) {
++    driver_bug_workarounds.validatePerStageMaxUniformBlocks = true;
++  }
+ 
+   // Initialize uninitialized locals by default
+   driver_bug_workarounds.initializeUninitializedLocals = true;
+diff --git a/gpu/config/gpu_driver_bug_list.json b/gpu/config/gpu_driver_bug_list.json
+index 2af5b0460beed7b78c00c9f2a70e14e5f7696ac0..3cc48e4a79576f93bfa22b8f8d1b74e5ba5baae7 100644
+--- a/gpu/config/gpu_driver_bug_list.json
++++ b/gpu/config/gpu_driver_bug_list.json
+@@ -3843,6 +3843,17 @@
+       "features": [
+         "ensure_previous_framebuffer_not_deleted"
+       ]
++    },
++    {
++      "id": 472,
++      "description": "Validate GL_MAX_*_UNIFORM_BLOCKS at compile time instead of link time to work around compiler bugs.",
++      "os": {
++        "type": "android"
++      },
++      "gl_vendor": "Imagination.*",
++      "features": [
++        "validate_max_per_stage_uniform_blocks_at_compile_time"
++      ]
+     }
+   ]
+ }
+diff --git a/gpu/config/gpu_workaround_list.txt b/gpu/config/gpu_workaround_list.txt
+index 30ee7799cdd0a344e433e95cd74e4630a7c87aff..6d43d0b1937cd1eeaa044fb9949a52ba2e07d446 100644
+--- a/gpu/config/gpu_workaround_list.txt
++++ b/gpu/config/gpu_workaround_list.txt
+@@ -126,6 +126,7 @@ use_first_valid_ref_for_av1_invalid_ref
+ use_gpu_driver_workaround_for_testing
+ use_non_zero_size_for_client_side_stream_buffers
+ use_virtualized_gl_contexts
++validate_max_per_stage_uniform_blocks_at_compile_time
+ wake_up_gpu_before_drawing
+ webgl_or_caps_max_texture_size_limit_4096
+ webgl_or_caps_max_texture_size_limit_8192

patches/chromium/feat_add_data_parameter_to_processsingleton.patch

@@ -65,7 +65,7 @@ index 2748dd196fe1f56357348a204e24f0b8a28b97dd..5800dd00b47c657d9e6766f3fc5a3065
  #if BUILDFLAG(IS_WIN)
    bool EscapeVirtualization(const base::FilePath& user_data_dir);
 diff --git a/chrome/browser/process_singleton_posix.cc b/chrome/browser/process_singleton_posix.cc
-index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0aa3183a0b 100644
+index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..144788ceadea85c9d1fae12d1ba4dbc1fc7cd699 100644
 --- a/chrome/browser/process_singleton_posix.cc
 +++ b/chrome/browser/process_singleton_posix.cc
 @@ -619,6 +619,7 @@ class ProcessSingleton::LinuxWatcher
@@ -106,22 +106,41 @@ index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0a
    const size_t kMinMessageLength = kStartToken.length() + 4;
    if (bytes_read_ < kMinMessageLength) {
      buf_[bytes_read_] = 0;
-@@ -745,10 +751,26 @@ void ProcessSingleton::LinuxWatcher::SocketReader::
+@@ -745,10 +751,45 @@ void ProcessSingleton::LinuxWatcher::SocketReader::
    tokens.erase(tokens.begin());
    tokens.erase(tokens.begin());
  
 +  size_t num_args;
-+  base::StringToSizeT(tokens[0], &num_args);
-+  std::vector<std::string> command_line(tokens.begin() + 1, tokens.begin() + 1 + num_args);
++  if (!base::StringToSizeT(tokens[0], &num_args) ||
++      num_args > tokens.size() - 1) {
++    LOG(ERROR) << "Invalid num_args in socket message";
++    CleanupAndDeleteSelf();
++    return;
++  }
++  std::vector<std::string> command_line(tokens.begin() + 1,
++                                        tokens.begin() + 1 + num_args);
 +
 +  std::vector<uint8_t> additional_data;
-+  if (tokens.size() >= 3 + num_args) {
++  // After consuming [num_args, argv...], two more tokens are needed for
++  // additional data: [size, payload]. Subtract to avoid overflow when
++  // num_args is large.
++  if (tokens.size() - 1 - num_args >= 2) {
 +    size_t additional_data_size;
-+    base::StringToSizeT(tokens[1 + num_args], &additional_data_size);
++    if (!base::StringToSizeT(tokens[1 + num_args], &additional_data_size)) {
++      LOG(ERROR) << "Invalid additional_data_size in socket message";
++      CleanupAndDeleteSelf();
++      return;
++    }
 +    std::string remaining_args = base::JoinString(
 +        base::span(tokens).subspan(2 + num_args),
 +        std::string(1, kTokenDelimiter));
-+    const auto adspan = base::as_byte_span(remaining_args).first(additional_data_size);
++    if (additional_data_size > remaining_args.size()) {
++      LOG(ERROR) << "additional_data_size exceeds payload length";
++      CleanupAndDeleteSelf();
++      return;
++    }
++    const auto adspan =
++        base::as_byte_span(remaining_args).first(additional_data_size);
 +    additional_data.assign(adspan.begin(), adspan.end());
 +  }
 +
@@ -134,7 +153,7 @@ index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0a
    fd_watch_controller_.reset();
  
    // LinuxWatcher::HandleMessage() is in charge of destroying this SocketReader
-@@ -777,8 +799,10 @@ void ProcessSingleton::LinuxWatcher::SocketReader::FinishWithACK(
+@@ -777,8 +818,10 @@ void ProcessSingleton::LinuxWatcher::SocketReader::FinishWithACK(
  //
  ProcessSingleton::ProcessSingleton(
      const base::FilePath& user_data_dir,
@@ -145,7 +164,7 @@ index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0a
        current_pid_(base::GetCurrentProcId()) {
    socket_path_ = user_data_dir.Append(chrome::kSingletonSocketFilename);
    lock_path_ = user_data_dir.Append(chrome::kSingletonLockFilename);
-@@ -899,7 +923,8 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
+@@ -899,7 +942,8 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
               sizeof(socket_timeout));
  
    // Found another process, prepare our command line
@@ -155,7 +174,7 @@ index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0a
    std::string to_send(kStartToken);
    to_send.push_back(kTokenDelimiter);
  
-@@ -909,11 +934,21 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
+@@ -909,11 +953,21 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcessWithTimeout(
    to_send.append(current_dir.value());
  
    const std::vector<std::string>& argv = cmd_line.argv();
@@ -178,10 +197,18 @@ index 73aa4cb9652870b0bff4684d7c72ae7dbd852db8..b55c942a8ccb326e4898172a7b4f6c0a
    if (!WriteToSocket(socket.fd(), to_send)) {
      // Try to kill the other process, because it might have been dead.
 diff --git a/chrome/browser/process_singleton_win.cc b/chrome/browser/process_singleton_win.cc
-index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f947e6bfc 100644
+index ae659d84a5ae2f2e87ce288477506575f8d86839..274887d62ff8d008bb86815a11205fcaa5f2c2ff 100644
 --- a/chrome/browser/process_singleton_win.cc
 +++ b/chrome/browser/process_singleton_win.cc
-@@ -81,10 +81,12 @@ BOOL CALLBACK BrowserWindowEnumeration(HWND window, LPARAM param) {
+@@ -9,6 +9,7 @@
+ #include <shellapi.h>
+ #include <stddef.h>
+ 
++#include "base/base64.h"
+ #include "base/base_paths.h"
+ #include "base/command_line.h"
+ #include "base/files/file_path.h"
+@@ -81,10 +82,12 @@ BOOL CALLBACK BrowserWindowEnumeration(HWND window, LPARAM param) {
  
  bool ParseCommandLine(const COPYDATASTRUCT* cds,
                        base::CommandLine* parsed_command_line,
@@ -196,7 +223,7 @@ index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f
    static const int min_message_size = 7;
    if (cds->cbData < min_message_size * sizeof(wchar_t) ||
        cds->cbData % sizeof(wchar_t) != 0) {
-@@ -134,6 +136,23 @@ bool ParseCommandLine(const COPYDATASTRUCT* cds,
+@@ -134,6 +137,25 @@ bool ParseCommandLine(const COPYDATASTRUCT* cds,
      const std::wstring cmd_line =
          msg.substr(second_null + 1, third_null - second_null);
      *parsed_command_line = base::CommandLine::FromString(cmd_line);
@@ -209,18 +236,20 @@ index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f
 +      return true;
 +    }
 +
-+    // Get the actual additional data.
-+    const std::wstring additional_data =
-+        msg.substr(third_null + 1, fourth_null - third_null);
-+    base::span<const uint8_t> additional_data_bytes =
-+        base::as_byte_span(additional_data);
-+    *parsed_additional_data = std::vector<uint8_t>(
-+        additional_data_bytes.begin(), additional_data_bytes.end());
++    // Get the actual additional data. It is base64-encoded so it can
++    // safely traverse the null-delimited wchar_t buffer.
++    const std::wstring encoded_w =
++        msg.substr(third_null + 1, fourth_null - third_null - 1);
++    std::string encoded = base::WideToASCII(encoded_w);
++    std::optional<std::vector<uint8_t>> decoded = base::Base64Decode(encoded);
++    if (decoded) {
++      *parsed_additional_data = std::move(*decoded);
++    }
 +
      return true;
    }
    return false;
-@@ -155,13 +174,14 @@ bool ProcessLaunchNotification(
+@@ -155,13 +177,14 @@ bool ProcessLaunchNotification(
  
    base::CommandLine parsed_command_line(base::CommandLine::NO_PROGRAM);
    base::FilePath current_directory;
@@ -238,7 +267,7 @@ index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f
    return true;
  }
  
-@@ -265,9 +285,11 @@ bool ProcessSingleton::EscapeVirtualization(
+@@ -265,9 +288,11 @@ bool ProcessSingleton::EscapeVirtualization(
  ProcessSingleton::ProcessSingleton(
      const std::string& program_name,
      const base::FilePath& user_data_dir,
@@ -250,7 +279,7 @@ index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f
        program_name_(program_name),
        is_app_sandboxed_(is_app_sandboxed),
        is_virtualized_(false),
-@@ -294,7 +316,7 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
+@@ -294,7 +319,7 @@ ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
      return PROCESS_NONE;
    }
  
@@ -260,10 +289,18 @@ index ae659d84a5ae2f2e87ce288477506575f8d86839..d93c7e8487ab1a2bbb5f56f2ca44868f
        return PROCESS_NOTIFIED;
      case NotifyChromeResult::kFailed:
 diff --git a/chrome/browser/win/chrome_process_finder.cc b/chrome/browser/win/chrome_process_finder.cc
-index 594f3bc08a4385c177fb488123cef79448e94850..5a1dde19a4bc2bf728eba4c738f831c3e5b73942 100644
+index 594f3bc08a4385c177fb488123cef79448e94850..28e5a18a19718b2e748ada6882341413a1ab0705 100644
 --- a/chrome/browser/win/chrome_process_finder.cc
 +++ b/chrome/browser/win/chrome_process_finder.cc
-@@ -39,7 +39,9 @@ HWND FindRunningChromeWindow(const base::FilePath& user_data_dir) {
+@@ -11,6 +11,7 @@
+ #include <string>
+ #include <string_view>
+ 
++#include "base/base64.h"
+ #include "base/check.h"
+ #include "base/command_line.h"
+ #include "base/files/file_path.h"
+@@ -39,7 +40,9 @@ HWND FindRunningChromeWindow(const base::FilePath& user_data_dir) {
    return base::win::MessageWindow::FindWindow(user_data_dir.value());
  }
  
@@ -274,7 +311,7 @@ index 594f3bc08a4385c177fb488123cef79448e94850..5a1dde19a4bc2bf728eba4c738f831c3
    TRACE_EVENT0("startup", "AttemptToNotifyRunningChrome");
  
    DCHECK(remote_window);
-@@ -70,12 +72,24 @@ NotifyChromeResult AttemptToNotifyRunningChrome(HWND remote_window) {
+@@ -70,12 +73,22 @@ NotifyChromeResult AttemptToNotifyRunningChrome(HWND remote_window) {
      new_command_line.AppendSwitch(switches::kSourceAppId);
    }
    // Send the command line to the remote chrome window.
@@ -286,14 +323,12 @@ index 594f3bc08a4385c177fb488123cef79448e94850..5a1dde19a4bc2bf728eba4c738f831c3
         std::wstring_view{L"\0", 1}, new_command_line.GetCommandLineString(),
         std::wstring_view{L"\0", 1}});
  
-+  size_t additional_data_size = additional_data.size_bytes();
-+  if (additional_data_size) {
-+    size_t padded_size = additional_data_size / sizeof(wchar_t);
-+    if (additional_data_size % sizeof(wchar_t) != 0) {
-+      padded_size++;
-+    }
-+    to_send.append(reinterpret_cast<const wchar_t*>(additional_data.data()),
-+                   padded_size);
++  if (!additional_data.empty()) {
++    // Base64-encode so the payload survives the null-delimited wchar_t
++    // framing; raw serialized bytes can contain 0x0000 sequences which
++    // would otherwise terminate the field early.
++    std::string encoded = base::Base64Encode(additional_data);
++    to_send.append(base::ASCIIToWide(encoded));
 +    to_send.append(L"\0", 1);  // Null separator.
 +  }
 +

patches/chromium/feat_plumb_node_integration_in_worker_through_workersettings.patch

@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Samuel Attard <sattard@anthropic.com>
+Date: Sat, 7 Mar 2026 23:07:30 -0800
+Subject: feat: plumb node_integration_in_worker through WorkerSettings
+
+Copy the node_integration_in_worker flag from the initiating frame's
+WebPreferences into WorkerSettings at dedicated worker creation time,
+so the value is readable per-worker on the worker thread rather than
+relying on a process-wide command line switch. The value is also
+propagated to nested workers via WorkerSettings::Copy.
+
+diff --git a/third_party/blink/renderer/core/workers/dedicated_worker.cc b/third_party/blink/renderer/core/workers/dedicated_worker.cc
+index a0f78583334fdf4912b897e88d8ce518773dbfb1..300c5a3b806222e46388d2f0d906737cf282e52e 100644
+--- a/third_party/blink/renderer/core/workers/dedicated_worker.cc
++++ b/third_party/blink/renderer/core/workers/dedicated_worker.cc
+@@ -37,6 +37,7 @@
+ #include "third_party/blink/renderer/core/frame/local_frame_client.h"
+ #include "third_party/blink/renderer/core/frame/web_frame_widget_impl.h"
+ #include "third_party/blink/renderer/core/frame/web_local_frame_impl.h"
++#include "third_party/blink/renderer/core/exported/web_view_impl.h"
+ #include "third_party/blink/renderer/core/inspector/inspector_trace_events.h"
+ #include "third_party/blink/renderer/core/inspector/main_thread_debugger.h"
+ #include "third_party/blink/renderer/core/loader/document_loader.h"
+@@ -555,6 +556,12 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
+     auto* frame = window->GetFrame();
+     parent_devtools_token = frame->GetDevToolsFrameToken();
+     settings = std::make_unique<WorkerSettings>(frame->GetSettings());
++    if (auto* web_local_frame = WebLocalFrameImpl::FromFrame(frame)) {
++      if (auto* web_view = web_local_frame->ViewImpl()) {
++        settings->SetNodeIntegrationInWorker(
++            web_view->GetWebPreferences().node_integration_in_worker);
++      }
++    }
+     agent_group_scheduler_compositor_task_runner =
+         execution_context->GetScheduler()
+             ->ToFrameScheduler()
+diff --git a/third_party/blink/renderer/core/workers/worker_settings.cc b/third_party/blink/renderer/core/workers/worker_settings.cc
+index 45680c5f6ea0c7e89ccf43eb88f8a11e3318c02e..3fa3af62f4e7ba8186441c5e3184b1c04fe32d12 100644
+--- a/third_party/blink/renderer/core/workers/worker_settings.cc
++++ b/third_party/blink/renderer/core/workers/worker_settings.cc
+@@ -40,6 +40,8 @@ std::unique_ptr<WorkerSettings> WorkerSettings::Copy(
+       old_settings->strictly_block_blockable_mixed_content_;
+   new_settings->generic_font_family_settings_ =
+       old_settings->generic_font_family_settings_;
++  new_settings->node_integration_in_worker_ =
++      old_settings->node_integration_in_worker_;
+   return new_settings;
+ }
+ 
+diff --git a/third_party/blink/renderer/core/workers/worker_settings.h b/third_party/blink/renderer/core/workers/worker_settings.h
+index 45c60dd2c44b05fdd279f759069383479823c7f2..33a2a0337efb9a46293e11d0d09b3fc182ab9618 100644
+--- a/third_party/blink/renderer/core/workers/worker_settings.h
++++ b/third_party/blink/renderer/core/workers/worker_settings.h
+@@ -43,6 +43,11 @@ class CORE_EXPORT WorkerSettings {
+     return generic_font_family_settings_;
+   }
+ 
++  bool NodeIntegrationInWorker() const { return node_integration_in_worker_; }
++  void SetNodeIntegrationInWorker(bool value) {
++    node_integration_in_worker_ = value;
++  }
++
+  private:
+   void CopyFlagValuesFromSettings(Settings*);
+ 
+@@ -54,6 +59,7 @@ class CORE_EXPORT WorkerSettings {
+   bool strict_mixed_content_checking_ = false;
+   bool allow_running_of_insecure_content_ = false;
+   bool strictly_block_blockable_mixed_content_ = false;
++  bool node_integration_in_worker_ = false;
+ 
+   GenericFontFamilySettings generic_font_family_settings_;
+ };

patches/chromium/fix_fire_menu_popup_start_for_dynamically_created_aria_menus.patch

@@ -0,0 +1,95 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keeley Hammond <khammond@slack-corp.com>
+Date: Thu, 19 Mar 2026 00:34:37 -0700
+Subject: fix: fire MENU_POPUP_START for dynamically created ARIA menus
+
+When an ARIA menu element is dynamically created (e.g. via appendChild)
+rather than being shown by toggling visibility, the AXMenuOpened event
+was not fired. The OnIgnoredChanged path handles the visibility toggle
+case, but OnAtomicUpdateFinished did not fire MENU_POPUP_START for
+newly created menu nodes.
+
+Previous attempts to fix this (crbug.com/1254875) were reverted because
+they fired the event too eagerly in OnNodeCreated (before the tree was
+fully formed) and without filtering, causing regressions with screen
+readers on pages that misused role="menu".
+
+This fix addresses both issues:
+1. Fires MENU_POPUP_START in OnAtomicUpdateFinished (after the tree
+   update is complete) rather than in OnNodeCreated.
+2. Only fires if the menu has at least one menuitem child, filtering
+   out false positives from misused role="menu" elements.
+
+MENU_POPUP_END for deleted menus is already handled by
+AXTreeManager::OnNodeWillBeDeleted, which fires the event directly
+on the menu node before destruction.
+
+The change is behind the DynamicMenuPopupEvents feature flag, disabled
+by default, to allow stabilization before enabling by default. Enable
+with --enable-features=DynamicMenuPopupEvents.
+
+This patch can be removed when a CL containing the fix is accepted
+into Chromium.
+
+Bug: 40794596
+
+diff --git a/ui/accessibility/ax_event_generator.cc b/ui/accessibility/ax_event_generator.cc
+index 597b68bccc041a6431e35817669450e38fd56153..396820b148be04b91207e2359f9e441d331ccc10 100644
+--- a/ui/accessibility/ax_event_generator.cc
++++ b/ui/accessibility/ax_event_generator.cc
+@@ -5,6 +5,7 @@
+ #include "ui/accessibility/ax_event_generator.h"
+ 
+ #include "base/containers/contains.h"
++#include "base/feature_list.h"
+ #include "base/no_destructor.h"
+ #include "ui/accessibility/ax_enums.mojom.h"
+ #include "ui/accessibility/ax_event.h"
+@@ -13,6 +14,12 @@
+ 
+ namespace ui {
+ 
++// Feature flag for firing MENU_POPUP_START for dynamically created ARIA menus.
++// Disabled by default to allow stabilization before enabling globally.
++BASE_FEATURE(kDynamicMenuPopupEvents,
++             "DynamicMenuPopupEvents",
++             base::FEATURE_DISABLED_BY_DEFAULT);
++
+ namespace {
+ 
+ bool HasEvent(const std::set<AXEventGenerator::EventParams>& node_events,
+@@ -907,12 +914,31 @@ void AXEventGenerator::OnAtomicUpdateFinished(
+                              /*new_value*/ true);
+     }
+ 
+-    if (IsAlert(change.node->GetRole()))
++    if (IsAlert(change.node->GetRole())) {
+       AddEvent(change.node, Event::ALERT);
+-    else if (change.node->data().IsActiveLiveRegionRoot())
++    } else if (change.node->data().IsActiveLiveRegionRoot()) {
+       AddEvent(change.node, Event::LIVE_REGION_CREATED);
+-    else if (change.node->data().IsContainedInActiveLiveRegion())
++    } else if (change.node->data().IsContainedInActiveLiveRegion()) {
+       FireLiveRegionEvents(change.node, /* is_removal */ false);
++    }
++
++    // Fire MENU_POPUP_START when a menu is dynamically created (e.g. via
++    // appendChild). The OnIgnoredChanged path handles menus that already exist
++    // in the DOM and are shown/hidden. This handles the case where the menu
++    // element itself is created on the fly.
++    // Only fire if the menu has at least one menuitem child, to avoid false
++    // positives from elements that misuse role="menu".
++    if (base::FeatureList::IsEnabled(kDynamicMenuPopupEvents) &&
++        change.node->GetRole() == ax::mojom::Role::kMenu &&
++        !change.node->IsInvisibleOrIgnored()) {
++      for (auto iter = change.node->UnignoredChildrenBegin();
++           iter != change.node->UnignoredChildrenEnd(); ++iter) {
++        if (IsMenuItem(iter->GetRole())) {
++          AddEvent(change.node, Event::MENU_POPUP_START);
++          break;
++        }
++      }
++    }
+   }
+ 
+   FireActiveDescendantEvents();

patches/chromium/fix_mac_high_res_icons.patch

@@ -0,0 +1,80 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kanishk Ranjan <kanishkranjan17@gmail.com>
+Date: Thu, 11 Dec 2025 10:03:47 -0800
+Subject: Mac: Fix WebRTC window icon conversion via gfx::Image
+
+The current WebRTC window picker implementation tries to manually convert
+NSImages to ImageSkia, but it does this incorrectly. As a result, the
+icons can appear corrupted or blank.
+
+This CL resolves the issue by using gfx::Image for the conversion. This
+method offers a reliable and standard way to change an NSImage into an
+ImageSkia.
+
+Feature-Flag: kUseGfxImageForMacWindowIcons
+Bug: 465028835
+Change-Id: Ib69bc151e9542d2402c1cd7d282e5f3298581862
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7239386
+Reviewed-by: Elad Alon <eladalon@chromium.org>
+Commit-Queue: Avi Drissman <avi@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: Tove Petersson <tovep@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1557501}
+
+diff --git a/AUTHORS b/AUTHORS
+index 7eb8f26120a23539b0780eb3f7e1d6a7ac52b102..fb0796cabdec4419e953306608a5b816ea1f2662 100644
+--- a/AUTHORS
++++ b/AUTHORS
+@@ -824,6 +824,7 @@ Kamil Rytarowski <krytarowski@gmail.com>
+ Kanaru Sato <i.am.kanaru.sato@gmail.com>
+ Kangil Han <kangil.han@samsung.com>
+ Kangyuan Shu <kangyuan.shu@intel.com>
++Kanishk Ranjan <kanishkranjan17@gmail.com>
+ Karan Thakkar <karanjthakkar@gmail.com>
+ Karel Král <kralkareliv@gmail.com>
+ Karl <karlpolicechromium@gmail.com>
+diff --git a/chrome/browser/media/webrtc/window_icon_util_mac.mm b/chrome/browser/media/webrtc/window_icon_util_mac.mm
+index 8bd216b9da864c9a8b82231ce6613cc120b32de7..c37b753c6aaf3b5036aacc74b310343fc7379188 100644
+--- a/chrome/browser/media/webrtc/window_icon_util_mac.mm
++++ b/chrome/browser/media/webrtc/window_icon_util_mac.mm
+@@ -8,9 +8,19 @@
+ 
+ #include "base/apple/foundation_util.h"
+ #include "base/apple/scoped_cftyperef.h"
++#include "base/feature_list.h"
++#include "ui/gfx/image/image.h"
++#include "ui/gfx/image/image_skia.h"
++
++// TODO(crbug.com/465028835): Remove these includes and the fallback code once
++// kUseGfxImageForMacWindowIcons is stable and the feature flag is removed
+ #include "third_party/libyuv/include/libyuv/convert_argb.h"
+ #include "third_party/skia/include/core/SkBitmap.h"
+ 
++BASE_FEATURE(kUseGfxImageForMacWindowIcons,
++             "UseGfxImageForMacWindowIcons",
++             base::FEATURE_ENABLED_BY_DEFAULT);
++
+ gfx::ImageSkia GetWindowIcon(content::DesktopMediaID id) {
+   DCHECK(id.type == content::DesktopMediaID::TYPE_WINDOW);
+ 
+@@ -35,6 +45,20 @@
+   NSImage* icon_image =
+       [[NSRunningApplication runningApplicationWithProcessIdentifier:pid] icon];
+ 
++  // TODO(crbug.com/465028835): Remove this feature check and the fallback
++  // path once kUseGfxImageForMacWindowIcons is stable and the flag is removed
++  if (base::FeatureList::IsEnabled(kUseGfxImageForMacWindowIcons)) {
++    // The app may have terminated, resulting in a nil icon.
++    if (!icon_image) {
++      return gfx::ImageSkia();
++    }
++
++    return gfx::Image(icon_image).AsImageSkia();
++  }
++
++  // TODO(crbug.com/465028835): Remove the code below this line once
++  // kUseGfxImageForMacWindowIcons is stable and the flag is removed.
++
+   // Icon's NSImage defaults to the smallest which can be only 32x32.
+   NSRect proposed_rect = NSMakeRect(0, 0, 128, 128);
+   CGImageRef cg_icon_image =

patches/chromium/fix_out-of-bounds_read_in_diff_rulesets.patch

@@ -0,0 +1,104 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Steinar H. Gunderson" <sesse@chromium.org>
+Date: Mon, 16 Mar 2026 03:53:51 -0700
+Subject: Fix out-of-bounds read in diff rulesets.
+
+When merging diff rulesets, if Add() failed (due to a deliberate hash
+collision, causing RobinHoodMap to refuse the insertion), we would
+call NewlyAddedFromDifferentRuleSet() twice on the same RuleData,
+causing us to potentially read data past the end of the Bloom filter
+backing.
+
+In addition to actually fixing the issue, we mark Add() as [[nodiscard]]
+so that it cannot happen again, and we also spanify
+MovedToDifferentRuleSet() so that a similar error would cause a CHECK
+failure instead of reading out-of-bounds.
+
+(cherry picked from commit 2bfa338165eef94983c6cd35e281450d994d2215)
+
+Fixed: 488188166
+Change-Id: I38974eaa150c7c1e32482febea632b8371731aae
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7623313
+Commit-Queue: Steinar H Gunderson <sesse@chromium.org>
+Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1592383}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7665929
+Auto-Submit: Steinar H Gunderson <sesse@chromium.org>
+Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
+Cr-Commit-Position: refs/branch-heads/7680@{#2646}
+Cr-Branched-From: 76b7d80e5cda23fe6537eed26d68c92e995c7f39-refs/heads/main@{#1582197}
+
+diff --git a/third_party/blink/renderer/core/css/rule_set.cc b/third_party/blink/renderer/core/css/rule_set.cc
+index 9a9368dc0e1bf305749fb7b1b9f2f0100e79d78f..9a06fa33fb32649e1439ab5e5a312c011fe33dd6 100644
+--- a/third_party/blink/renderer/core/css/rule_set.cc
++++ b/third_party/blink/renderer/core/css/rule_set.cc
+@@ -215,9 +215,8 @@ void RuleData::MovedToDifferentRuleSet(const Vector<uint16_t>& old_backing,
+                                        Vector<uint16_t>& new_backing,
+                                        unsigned new_position) {
+   unsigned new_pos = new_backing.size();
+-  new_backing.insert(new_backing.size(),
+-                     UNSAFE_TODO(old_backing.data() + bloom_hash_pos_),
+-                     bloom_hash_size_);
++  new_backing.AppendSpan(
++      base::span(old_backing).subspan(bloom_hash_pos_, bloom_hash_size_));
+   bloom_hash_pos_ = new_pos;
+   position_ = new_position;
+ }
+@@ -1496,10 +1495,19 @@ void RuleMap::AddFilteredRulesFromOtherSet(
+       Seeker<StyleScope> scope_seeker(old_rule_set.scope_intervals_);
+       for (const RuleData& rule_data : other.GetRulesFromExtent(extent)) {
+         if (only_include.Contains(const_cast<StyleRule*>(rule_data.Rule()))) {
+-          Add(key, rule_data);
++          RuleData* new_rule_data;
++          if (Add(key, rule_data)) {
++            new_rule_data = &backing.back();
++          } else {
++            // See comment in AddToBucket().
++            new_rule_set.universal_rules_.push_back(rule_data);
++            new_rule_data = &new_rule_set.universal_rules_.back();
++            UnmarkAsCoveredByBucketing(new_rule_data->MutableSelector());
++            new_rule_data->ComputeEntirelyCoveredByBucketing();
++          }
+           new_rule_set.NewlyAddedFromDifferentRuleSet(
+               rule_data, scope_seeker.Seek(rule_data.GetPosition()),
+-              old_rule_set, backing.back());
++              old_rule_set, *new_rule_data);
+         }
+       }
+     }
+@@ -1517,10 +1525,19 @@ void RuleMap::AddFilteredRulesFromOtherSet(
+       const unsigned bucket_number = other.bucket_number_[i];
+       const RuleData& rule_data = other.backing[i];
+       if (only_include.Contains(const_cast<StyleRule*>(rule_data.Rule()))) {
+-        Add(*keys[bucket_number], rule_data);
++        RuleData* new_rule_data;
++        if (Add(*keys[bucket_number], rule_data)) {
++          new_rule_data = &backing.back();
++        } else {
++          // See comment in AddToBucket().
++          new_rule_set.universal_rules_.push_back(rule_data);
++          new_rule_data = &new_rule_set.universal_rules_.back();
++          UnmarkAsCoveredByBucketing(new_rule_data->MutableSelector());
++          new_rule_data->ComputeEntirelyCoveredByBucketing();
++        }
+         new_rule_set.NewlyAddedFromDifferentRuleSet(
+             rule_data, scope_seeker.Seek(rule_data.GetPosition()), old_rule_set,
+-            backing.back());
++            *new_rule_data);
+       }
+     }
+   }
+diff --git a/third_party/blink/renderer/core/css/rule_set.h b/third_party/blink/renderer/core/css/rule_set.h
+index dd15abf39e7208996af6867541aae0d15fb3eda2..ed265c43bd7b386847405e59176548ac282ae60a 100644
+--- a/third_party/blink/renderer/core/css/rule_set.h
++++ b/third_party/blink/renderer/core/css/rule_set.h
+@@ -269,7 +269,7 @@ class RuleMap {
+ 
+  public:
+   // Returns false on failure (which should be very rare).
+-  bool Add(const AtomicString& key, const RuleData& rule_data);
++  [[nodiscard]] bool Add(const AtomicString& key, const RuleData& rule_data);
+   void AddFilteredRulesFromOtherSet(
+       const RuleMap& other,
+       const HeapHashSet<Member<StyleRule>>& only_include,

patches/chromium/webview_fullscreen.patch

@@ -15,10 +15,10 @@ Note that we also need to manually update embedder's
 `api::WebContents::IsFullscreenForTabOrPending` value.
 
 diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
-index 7d27b076c1947d2cd08364f87286ed6d9f460cdc..55d1609ba46abe9433d22a894fc2b498735ff778 100644
+index 3feca12a6185afef139a0cb4a8148b5a3ca9e32f..393808a7959d684fe4e46f86eff687ec15258fa9 100644
 --- a/content/browser/renderer_host/render_frame_host_impl.cc
 +++ b/content/browser/renderer_host/render_frame_host_impl.cc
-@@ -8973,6 +8973,17 @@ void RenderFrameHostImpl::EnterFullscreen(
+@@ -8974,6 +8974,17 @@ void RenderFrameHostImpl::EnterFullscreen(
      }
    }
  

patches/config.json

@@ -3,6 +3,7 @@
   { "patch_dir": "src/electron/patches/boringssl", "repo": "src/third_party/boringssl/src" },
   { "patch_dir": "src/electron/patches/devtools_frontend", "repo": "src/third_party/devtools-frontend/src" },
   { "patch_dir": "src/electron/patches/ffmpeg", "repo": "src/third_party/ffmpeg" },
+  { "patch_dir": "src/electron/patches/harfbuzz-ng", "repo": "src/third_party/harfbuzz-ng/src" },
   { "patch_dir": "src/electron/patches/v8", "repo": "src/v8" },
   { "patch_dir": "src/electron/patches/node", "repo": "src/third_party/electron_node" },
   { "patch_dir": "src/electron/patches/nan", "repo": "src/third_party/nan" },
@@ -13,5 +14,6 @@
   { "patch_dir": "src/electron/patches/webrtc", "repo": "src/third_party/webrtc" },
   { "patch_dir": "src/electron/patches/reclient-configs", "repo": "src/third_party/engflow-reclient-configs" },
   { "patch_dir": "src/electron/patches/sqlite", "repo": "src/third_party/sqlite/src" },
-  { "patch_dir": "src/electron/patches/skia", "repo": "src/third_party/skia" }
+  { "patch_dir": "src/electron/patches/skia", "repo": "src/third_party/skia" },
+  { "patch_dir": "src/electron/patches/angle", "repo": "src/third_party/angle/src" }
 ]

patches/devtools_frontend/.patches

@@ -1 +1,2 @@
 chore_expose_ui_to_allow_electron_to_set_dock_side.patch
+fix_prefer_browser_runtime_over_node_in_hostruntime_detection.patch

patches/devtools_frontend/fix_prefer_browser_runtime_over_node_in_hostruntime_detection.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Thu, 12 Mar 2026 17:03:29 +0100
+Subject: fix: prefer browser runtime over node in HostRuntime detection
+
+In Electron, the `process` global is available in renderer processes,
+including the DevTools renderer. This causes the IS_NODE check to pass,
+leading DevTools to attempt importing the Node.js platform runtime
+(which uses `node:worker_threads`). However, DevTools Web Workers
+running under the `devtools://` protocol don't have access to Node.js
+built-in modules, resulting in a failed dynamic import.
+
+Fix by checking IS_BROWSER first, since DevTools always runs in a
+browser-like environment. The Node.js runtime is only needed when
+DevTools runs under pure Node.js (e.g., CLI tooling or testing).
+
+diff --git a/front_end/core/platform/HostRuntime.ts b/front_end/core/platform/HostRuntime.ts
+index 91adba7c966a9c4c0e5315d2cfee07f8f622b731..16822b8d4ea74a4ffd6870e5e95948d75918f5d2 100644
+--- a/front_end/core/platform/HostRuntime.ts
++++ b/front_end/core/platform/HostRuntime.ts
+@@ -14,12 +14,12 @@ export const IS_BROWSER =
+     typeof window !== 'undefined' || (typeof self !== 'undefined' && typeof self.postMessage === 'function');
+ 
+ export const HOST_RUNTIME = await (async(): Promise<Api.HostRuntime.HostRuntime> => {
+-  if (IS_NODE) {
+-    return (await import('./node/node.js')).HostRuntime.HOST_RUNTIME;
+-  }
+   if (IS_BROWSER) {
+     return (await import('./browser/browser.js')).HostRuntime.HOST_RUNTIME;
+   }
++  if (IS_NODE) {
++    return (await import('./node/node.js')).HostRuntime.HOST_RUNTIME;
++  }
+ 
+   throw new Error('Unknown runtime!');
+ })();

patches/harfbuzz-ng/.patches

@@ -0,0 +1 @@
+cherry-pick_3_arabic_stch_fixes_to_m138_branch.patch

patches/harfbuzz-ng/cherry-pick_3_arabic_stch_fixes_to_m138_branch.patch

@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tiago Vignatti <vignatti@google.com>
+Date: Fri, 20 Mar 2026 13:19:22 +0000
+Subject: Cherry-pick 3 Arabic, stch fixes to M138 branch.
+
+[arabic] Cap stch expansion per run (#5823)
+
+Cap each stch run to at most 256 output glyphs.
+
+This keeps pathological stretch runs from expanding to unbounded
+sizes, and switches the repeat-count math to 64-bit intermediates so
+the cap is applied before 32-bit arithmetic can wrap.
+
+The existing checked accumulation and buffer growth logic stays in
+place, covering both the per-run overflow and multi-run accumulation
+cases reported in the recent stch advisories.
+
+Tested: meson test -C build --suite shape
+Assisted-by: OpenAI Codex
+
+[arabic] Improve stch measurement pass (#5808)
+
+Use checked arithmetic when calculating the number of extra glyphs
+needed during stch processing. Includes a new hb_unsigned_add_overflows
+helper in hb-algs.hh.
+
+Co-authored-by: Codex (AI assistant)
+Co-authored-by: Gemini (AI assistant)
+
+[arabic] Change a couple enum values
+
+No semantic change.
+
+Bug: 491516670
+Change-Id: I721974ff5792006655e19a0dad1567a5268ad6a2
+Fixed: 493132380
+
+diff --git a/src/hb-algs.hh b/src/hb-algs.hh
+index 7dfa9769699f79a135dcef2df7bcd8b0e0caac3a..85b2e6bdfbb9d54c497c7e5ae22c27825aef5d80 100644
+--- a/src/hb-algs.hh
++++ b/src/hb-algs.hh
+@@ -1154,6 +1154,21 @@ hb_unsigned_mul_overflows (unsigned int count, unsigned int size, unsigned *resu
+   return (size > 0) && (count >= ((unsigned int) -1) / size);
+ }
+ 
++static inline bool
++hb_unsigned_add_overflows (unsigned int a, unsigned int b, unsigned *result = nullptr)
++{
++#if hb_has_builtin(__builtin_add_overflow)
++  unsigned stack_result;
++  if (!result)
++    result = &stack_result;
++  return __builtin_add_overflow (a, b, result);
++#endif
++
++  if (result)
++    *result = a + b;
++  return b > (unsigned int) -1 - a;
++}
++
+ 
+ /*
+  * Sort and search.
+diff --git a/src/hb-ot-shaper-arabic.cc b/src/hb-ot-shaper-arabic.cc
+index c5104c94890aa491284889444c60b476d4f5e0cb..2a05af1462efe3305bbf55a1ff941b328f9e4b14 100644
+--- a/src/hb-ot-shaper-arabic.cc
++++ b/src/hb-ot-shaper-arabic.cc
+@@ -77,8 +77,8 @@ enum hb_arabic_joining_type_t {
+   JOINING_GROUP_DALATH_RISH	= 5,
+   NUM_STATE_MACHINE_COLS	= 6,
+ 
+-  JOINING_TYPE_T = 7,
+-  JOINING_TYPE_X = 8  /* means: use general-category to choose between U or T. */
++  JOINING_TYPE_T = 6,
++  JOINING_TYPE_X = 7  /* means: use general-category to choose between U or T. */
+ };
+ 
+ #include "hb-ot-shaper-arabic-table.hh"
+@@ -561,20 +561,29 @@ apply_stch (const hb_ot_shape_plan_t *plan HB_UNUSED,
+       DEBUG_MSG (ARABIC, nullptr, "fixed tiles:     count=%d width=%" PRId32, n_fixed, w_fixed);
+       DEBUG_MSG (ARABIC, nullptr, "repeating tiles: count=%d width=%" PRId32, n_repeating, w_repeating);
+ 
++      static constexpr unsigned STCH_MAX_GLYPHS = 256;
++
+       /* Number of additional times to repeat each repeating tile. */
+-      int n_copies = 0;
++      unsigned int n_copies = 0;
+ 
+-      hb_position_t w_remaining = w_total - w_fixed;
+-      if (sign * w_remaining > sign * w_repeating && sign * w_repeating > 0)
+-	n_copies = (sign * w_remaining) / (sign * w_repeating) - 1;
++      int64_t w_remaining_signed = (int64_t) w_total - w_fixed;
++      int64_t w_repeating_signed = w_repeating;
++      if (sign < 0)
++      {
++	w_remaining_signed = -w_remaining_signed;
++	w_repeating_signed = -w_repeating_signed;
++      }
++      hb_position_t w_remaining = (hb_position_t) (w_total - w_fixed);
++      if (w_remaining_signed > w_repeating_signed && w_repeating_signed > 0)
++	n_copies = w_remaining_signed / w_repeating_signed - 1;
+ 
+       /* See if we can improve the fit by adding an extra repeat and squeezing them together a bit. */
+       hb_position_t extra_repeat_overlap = 0;
+-      hb_position_t shortfall = sign * w_remaining - sign * w_repeating * (n_copies + 1);
++      int64_t shortfall = w_remaining_signed - w_repeating_signed * (n_copies + 1);
+       if (shortfall > 0 && n_repeating > 0)
+       {
+ 	++n_copies;
+-	hb_position_t excess = (n_copies + 1) * sign * w_repeating - sign * w_remaining;
++	int64_t excess = (n_copies + 1) * w_repeating_signed - w_remaining_signed;
+ 	if (excess > 0)
+ 	{
+ 	  extra_repeat_overlap = excess / (n_copies * n_repeating);
+@@ -582,10 +591,22 @@ apply_stch (const hb_ot_shape_plan_t *plan HB_UNUSED,
+ 	}
+       }
+ 
++      unsigned int max_copies = 0;
++      if (n_repeating > 0)
++      {
++	unsigned int base_glyphs = n_fixed + n_repeating;
++	if (base_glyphs < STCH_MAX_GLYPHS)
++	  max_copies = (STCH_MAX_GLYPHS - base_glyphs) / n_repeating;
++      }
++      n_copies = hb_min (n_copies, max_copies);
++
+       if (step == MEASURE)
+       {
+-	extra_glyphs_needed += n_copies * n_repeating;
+-	DEBUG_MSG (ARABIC, nullptr, "will add extra %d copies of repeating tiles", n_copies);
++	unsigned int added_glyphs = 0;
++	if (unlikely (hb_unsigned_mul_overflows (n_copies, n_repeating, &added_glyphs) ||
++		      hb_unsigned_add_overflows (extra_glyphs_needed, added_glyphs, &extra_glyphs_needed)))
++	  break;
++	DEBUG_MSG (ARABIC, nullptr, "will add extra %u copies of repeating tiles", n_copies);
+       }
+       else
+       {
+@@ -629,7 +650,9 @@ apply_stch (const hb_ot_shape_plan_t *plan HB_UNUSED,
+ 
+     if (step == MEASURE)
+     {
+-      if (unlikely (!buffer->ensure (count + extra_glyphs_needed)))
++      unsigned int total_glyphs = 0;
++      if (unlikely (hb_unsigned_add_overflows (count, extra_glyphs_needed, &total_glyphs) ||
++		    !buffer->ensure (total_glyphs)))
+ 	break;
+     }
+     else

patches/node/api_remove_deprecated_getisolate.patch

@@ -533,10 +533,10 @@ index 55a0c986c5b6989ee9ce277bb6a9778abb2ad2ee..809d88f21e5572807e38132d40ee7587
    READONLY_PROPERTY(target, "exitCodes", exit_codes);
  
 diff --git a/src/node_file.cc b/src/node_file.cc
-index ba6ffc2b6565dea500bc8dd4818c8fcb7648694a..e834325a763f7ea8f53210145b5edd134d6b67e6 100644
+index 96aac2d86695732bf6805f2ad2168a62241b5045..547455bb5011677719a8de1f98cb447561bce6aa 100644
 --- a/src/node_file.cc
 +++ b/src/node_file.cc
-@@ -3843,7 +3843,7 @@ void BindingData::Deserialize(Local<Context> context,
+@@ -3850,7 +3850,7 @@ void BindingData::Deserialize(Local<Context> context,
                                int index,
                                InternalFieldInfoBase* info) {
    DCHECK_IS_SNAPSHOT_SLOT(index);
@@ -686,7 +686,7 @@ index d33ee3c26c111e53edf27e6368ca8f64ff30a349..f1c53c44f201b295888e7932c5e3e2b1
  
    Environment* env = Environment::GetCurrent(isolate);
 diff --git a/src/node_url.cc b/src/node_url.cc
-index 9d1e8ec05161570db11f7b662395509774668d78..9b91f83d879ea02fd3d61913c8dfd35b3bf1ac31 100644
+index 9b676a0156ab8ef47f62627be953c23d4fcbf4f4..6294cd03667980e2ad23cae9e7961262369efb62 100644
 --- a/src/node_url.cc
 +++ b/src/node_url.cc
 @@ -70,7 +70,7 @@ void BindingData::Deserialize(Local<Context> context,

patches/node/build_ensure_native_module_compilation_fails_if_not_using_a_new.patch

@@ -7,7 +7,7 @@ Subject: build: ensure native module compilation fails if not using a new
 This should not be upstreamed, it is a quality-of-life patch for downstream module builders.
 
 diff --git a/common.gypi b/common.gypi
-index b3b5c23e471ece7584d209b3ae4197c46011d50e..bdcea65ad3e0315c85b1818e695d8b63093aed34 100644
+index d9eb9527e3cbb3b101274ab19e6d6ace42f0e022..a1243ad39b8fcf564285ace0b51b1482bd85071b 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -89,6 +89,8 @@

patches/node/build_restore_clang_as_default_compiler_on_macos.patch

@@ -11,7 +11,7 @@ node-gyp will use the result of `process.config` that reflects the environment
 in which the binary got built.
 
 diff --git a/common.gypi b/common.gypi
-index bdcea65ad3e0315c85b1818e695d8b63093aed34..0653735a0b154e326e5df7049a7beb395f0015c8 100644
+index a1243ad39b8fcf564285ace0b51b1482bd85071b..60ac7a50718fd8239fd96b811cdccd1c73b2d606 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -128,6 +128,7 @@

patches/node/build_restore_macos_deployment_target_to_12_0.patch

@@ -10,7 +10,7 @@ M151, and so we should allow for building until then.
 This patch can be removed at the M151 branch point.
 
 diff --git a/common.gypi b/common.gypi
-index 0653735a0b154e326e5df7049a7beb395f0015c8..006f52ed18d955da0d9a06e881e86e6e724095ac 100644
+index 60ac7a50718fd8239fd96b811cdccd1c73b2d606..709eb83801eeed81f79c4305a86d1a19710298c2 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -677,7 +677,7 @@

patches/node/fix_add_default_values_for_variables_in_common_gypi.patch

@@ -7,7 +7,7 @@ common.gypi is a file that's included in the node header bundle, despite
 the fact that we do not build node with gyp.
 
 diff --git a/common.gypi b/common.gypi
-index c5a7dc9cacf8b983984e7c7de9e63d26e418cc8d..b3b5c23e471ece7584d209b3ae4197c46011d50e 100644
+index 283c60eab356a5befc15027cd186ea0416914ee6..d9eb9527e3cbb3b101274ab19e6d6ace42f0e022 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -91,6 +91,23 @@

patches/node/fix_allow_passing_fileexists_fn_to_legacymainresolve.patch

@@ -53,10 +53,10 @@ index 81799fc159cf20344aac64cd7129240deb9a4fe8..12b476ff97603718186dd25b1f435d37
    const maybeMain = resolvedOption <= legacyMainResolveExtensionsIndexes.kResolvedByMainIndexNode ?
      packageConfig.main || './' : '';
 diff --git a/src/node_file.cc b/src/node_file.cc
-index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb7648694a 100644
+index c69b4eb461cab79906833152d02f76f81149ad7e..96aac2d86695732bf6805f2ad2168a62241b5045 100644
 --- a/src/node_file.cc
 +++ b/src/node_file.cc
-@@ -3592,13 +3592,25 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
+@@ -3599,13 +3599,25 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
  }
  
  BindingData::FilePathIsFileReturnType BindingData::FilePathIsFile(
@@ -83,7 +83,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
    uv_fs_t req;
  
    int rc = uv_fs_stat(env->event_loop(), &req, file_path.c_str(), nullptr);
-@@ -3656,6 +3668,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3663,6 +3675,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
    std::optional<std::string> initial_file_path;
    std::string file_path;
  
@@ -95,7 +95,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
    if (args.Length() >= 2 && args[1]->IsString()) {
      auto package_config_main = Utf8Value(isolate, args[1]).ToString();
  
-@@ -3676,7 +3693,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3683,7 +3700,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
        BufferValue buff_file_path(isolate, local_file_path);
        ToNamespacedPath(env, &buff_file_path);
  
@@ -104,7 +104,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
          case BindingData::FilePathIsFileReturnType::kIsFile:
            return args.GetReturnValue().Set(i);
          case BindingData::FilePathIsFileReturnType::kIsNotFile:
-@@ -3713,7 +3730,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3720,7 +3737,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
      BufferValue buff_file_path(isolate, local_file_path);
      ToNamespacedPath(env, &buff_file_path);
  

patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch

@@ -17,7 +17,7 @@ Upstreams:
 - https://github.com/nodejs/node/pull/39136
 
 diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
-index 461819ce0fa732048e4365c40a86ef55d984c35f..fa55c980a9c4f373723a867fd41276d67b0b9413 100644
+index 461819ce0fa732048e4365c40a86ef55d984c35f..f1c85e94cf526d0255f47c003664680d26413ec3 100644
 --- a/deps/ncrypto/ncrypto.cc
 +++ b/deps/ncrypto/ncrypto.cc
 @@ -11,6 +11,7 @@
@@ -28,38 +28,6 @@ index 461819ce0fa732048e4365c40a86ef55d984c35f..fa55c980a9c4f373723a867fd41276d6
  #if OPENSSL_VERSION_MAJOR >= 3
  #include <openssl/core_names.h>
  #include <openssl/params.h>
-@@ -1130,7 +1131,9 @@ int64_t X509View::getValidToTime() const {
-   return tp;
- #else
-   struct tm tp;
--  ASN1_TIME_to_tm(X509_get0_notAfter(cert_), &tp);
-+#ifndef OPENSSL_IS_BORINGSSL
-+   ASN1_TIME_to_tm(X509_get0_notAfter(cert_), &tp);
-+#endif
-   return PortableTimeGM(&tp);
- #endif
- }
-@@ -1142,7 +1145,9 @@ int64_t X509View::getValidFromTime() const {
-   return tp;
- #else
-   struct tm tp;
-+#ifndef OPENSSL_IS_BORINGSSL
-   ASN1_TIME_to_tm(X509_get0_notBefore(cert_), &tp);
-+#endif
-   return PortableTimeGM(&tp);
- #endif
- }
-@@ -2886,10 +2891,6 @@ std::optional<uint32_t> SSLPointer::verifyPeerCertificate() const {
- const char* SSLPointer::getClientHelloAlpn() const {
-   if (ssl_ == nullptr) return {};
- #ifndef OPENSSL_IS_BORINGSSL
--  const unsigned char* buf;
--  size_t len;
--  size_t rem;
--
-   if (!SSL_client_hello_get0_ext(
-           get(),
-           TLSEXT_TYPE_application_layer_protocol_negotiation,
 @@ -3090,9 +3091,11 @@ const Cipher Cipher::AES_256_GCM = Cipher::FromNid(NID_aes_256_gcm);
  const Cipher Cipher::AES_128_KW = Cipher::FromNid(NID_id_aes128_wrap);
  const Cipher Cipher::AES_192_KW = Cipher::FromNid(NID_id_aes192_wrap);

patches/skia/.patches

@@ -1 +1,2 @@
 graphite_add_insertstatus_koutoforderrecording.patch
+cherry-pick-7911bee5d90e.patch

patches/skia/cherry-pick-7911bee5d90e.patch

@@ -0,0 +1,539 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Greg Daniel <egdaniel@google.com>
+Date: Wed, 11 Mar 2026 15:29:58 -0400
+Subject: Make sure we are getting the correct atlas for glyph mask format.
+
+Bug: b/491421267
+Change-Id: I4eacd46599eca2df8c10a3fc894b9ce890fae1e2
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1184076
+Commit-Queue: Greg Daniel <egdaniel@google.com>
+Reviewed-by: Michael Ludwig <michaelludwig@google.com>
+(cherry picked from commit 0cab3e4ee34b3bca6ba7df676639d73ffe4b2135)
+Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1184917
+
+diff --git a/bench/GlyphQuadFillBench.cpp b/bench/GlyphQuadFillBench.cpp
+index 6793512e216b00e1f8112f8e681eecf5beee8fe8..4fd0965185f8bab5a55ec63329bf6aa36ad56ed0 100644
+--- a/bench/GlyphQuadFillBench.cpp
++++ b/bench/GlyphQuadFillBench.cpp
+@@ -68,7 +68,7 @@ class DirectMaskGlyphVertexFillBenchmark : public Benchmark {
+         const sktext::gpu::AtlasSubRun* subRun =
+                 sktext::gpu::TextBlobTools::FirstSubRun(fBlob.get());
+         SkASSERT_RELEASE(subRun);
+-        subRun->testingOnly_packedGlyphIDToGlyph(&fCache);
++        subRun->testingOnly_packedGlyphIDToGlyph(&fCache, subRun->maskFormat());
+         fVertices.reset(new char[subRun->vertexStride(drawMatrix) * subRun->glyphCount() * 4]);
+     }
+ 
+diff --git a/gn/tests.gni b/gn/tests.gni
+index 8ae89364ce33f62ced5e8ff5b417a0cf69a3afb1..6286969c91fa9dff8d1e83413ab5b9fd514c5ae9 100644
+--- a/gn/tests.gni
++++ b/gn/tests.gni
+@@ -424,6 +424,7 @@ pathops_tests_sources = [
+ ganesh_tests_sources = [
+   "$_tests/AdvancedBlendTest.cpp",
+   "$_tests/ApplyGammaTest.cpp",
++  "$_tests/AtlasOobTest.cpp",
+   "$_tests/BackendAllocationTest.cpp",
+   "$_tests/BackendSurfaceMutableStateTest.cpp",
+   "$_tests/BlendTest.cpp",
+diff --git a/src/gpu/ganesh/text/GrAtlasManager.cpp b/src/gpu/ganesh/text/GrAtlasManager.cpp
+index 403bfe274e56293bfe2382b02525ae742ba541a7..1e7d9aa0ce14f19e09d79544730c6aa922ae37d6 100644
+--- a/src/gpu/ganesh/text/GrAtlasManager.cpp
++++ b/src/gpu/ganesh/text/GrAtlasManager.cpp
+@@ -178,8 +178,7 @@ GrDrawOpAtlas::ErrorCode GrAtlasManager::addGlyphToAtlas(const SkGlyph& skGlyph,
+     }
+     SkASSERT(glyph != nullptr);
+ 
+-    MaskFormat glyphFormat = Glyph::FormatFromSkGlyph(skGlyph.maskFormat());
+-    MaskFormat expectedMaskFormat = this->resolveMaskFormat(glyphFormat);
++    MaskFormat expectedMaskFormat = this->resolveMaskFormat(glyph->fGlyphEntryKey.fFormat);
+     int bytesPerPixel = MaskFormatBytesPerPixel(expectedMaskFormat);
+ 
+     int padding;
+@@ -299,7 +298,7 @@ std::tuple<bool, int> GlyphVector::regenerateAtlasForGanesh(
+ 
+     uint64_t currentAtlasGen = atlasManager->atlasGeneration(maskFormat);
+ 
+-    this->packedGlyphIDToGlyph(target->strikeCache());
++    this->packedGlyphIDToGlyph(target->strikeCache(), maskFormat);
+ 
+     if (fAtlasGeneration != currentAtlasGen) {
+         // Calculate the texture coordinates for the vertexes during first use (fAtlasGeneration
+@@ -316,9 +315,10 @@ std::tuple<bool, int> GlyphVector::regenerateAtlasForGanesh(
+         for (const Variant& variant : glyphs) {
+             Glyph* gpuGlyph = variant.glyph;
+             SkASSERT(gpuGlyph != nullptr);
+-
++            SkASSERT(gpuGlyph->fGlyphEntryKey.fFormat == maskFormat);
+             if (!atlasManager->hasGlyph(maskFormat, gpuGlyph)) {
+-                const SkGlyph& skGlyph = *metricsAndImages.glyph(gpuGlyph->fPackedID);
++                const SkGlyph& skGlyph =
++                    *metricsAndImages.glyph(gpuGlyph->fGlyphEntryKey.fPackedID);
+                 auto code = atlasManager->addGlyphToAtlas(
+                         skGlyph, gpuGlyph, srcPadding, target->resourceProvider(), uploadTarget);
+                 if (code != GrDrawOpAtlas::ErrorCode::kSucceeded) {
+diff --git a/src/gpu/graphite/Device.cpp b/src/gpu/graphite/Device.cpp
+index 1163eacd741d059b5a782112d9dbeed7080e3207..b069ba5e84bf113f3e1bcff1cd7c8e9ef570722d 100644
+--- a/src/gpu/graphite/Device.cpp
++++ b/src/gpu/graphite/Device.cpp
+@@ -1427,6 +1427,7 @@ void Device::drawAtlasSubRun(const sktext::gpu::AtlasSubRun* subRun,
+                                   int padding) {
+         return glyphs->regenerateAtlasForGraphite(begin, end, maskFormat, padding, fRecorder);
+     };
++
+     for (int subRunCursor = 0; subRunCursor < subRunEnd;) {
+         // For the remainder of the run, add any atlas uploads to the Recorder's TextAtlasManager
+         auto[ok, glyphsRegenerated] = subRun->regenerateAtlas(subRunCursor, subRunEnd,
+diff --git a/src/gpu/graphite/text/TextAtlasManager.cpp b/src/gpu/graphite/text/TextAtlasManager.cpp
+index 6602a76c150bff077666fb91b990d3e45d528ce2..cbb51a66846922995912c3159afba879a2487313 100644
+--- a/src/gpu/graphite/text/TextAtlasManager.cpp
++++ b/src/gpu/graphite/text/TextAtlasManager.cpp
+@@ -207,8 +207,7 @@ DrawAtlas::ErrorCode TextAtlasManager::addGlyphToAtlas(const SkGlyph& skGlyph,
+     }
+     SkASSERT(glyph != nullptr);
+ 
+-    MaskFormat glyphFormat = Glyph::FormatFromSkGlyph(skGlyph.maskFormat());
+-    MaskFormat expectedMaskFormat = this->resolveMaskFormat(glyphFormat);
++    MaskFormat expectedMaskFormat = this->resolveMaskFormat(glyph->fGlyphEntryKey.fFormat);
+     int bytesPerPixel = MaskFormatBytesPerPixel(expectedMaskFormat);
+ 
+     int padding;
+@@ -359,7 +358,7 @@ std::tuple<bool, int> GlyphVector::regenerateAtlasForGraphite(int begin,
+ 
+     uint64_t currentAtlasGen = atlasManager->atlasGeneration(maskFormat);
+ 
+-    this->packedGlyphIDToGlyph(recorder->priv().strikeCache());
++    this->packedGlyphIDToGlyph(recorder->priv().strikeCache(), maskFormat);
+ 
+     if (fAtlasGeneration != currentAtlasGen) {
+         // Calculate the texture coordinates for the vertexes during first use (fAtlasGeneration
+@@ -375,9 +374,10 @@ std::tuple<bool, int> GlyphVector::regenerateAtlasForGraphite(int begin,
+         for (const Variant& variant : glyphs) {
+             Glyph* gpuGlyph = variant.glyph;
+             SkASSERT(gpuGlyph != nullptr);
+-
++            SkASSERT(gpuGlyph->fGlyphEntryKey.fFormat == maskFormat);
+             if (!atlasManager->hasGlyph(maskFormat, gpuGlyph)) {
+-                const SkGlyph& skGlyph = *metricsAndImages.glyph(gpuGlyph->fPackedID);
++                const SkGlyph& skGlyph =
++                    *metricsAndImages.glyph(gpuGlyph->fGlyphEntryKey.fPackedID);
+                 auto code = atlasManager->addGlyphToAtlas(skGlyph, gpuGlyph, srcPadding);
+                 if (code != DrawAtlas::ErrorCode::kSucceeded) {
+                     success = code != DrawAtlas::ErrorCode::kError;
+diff --git a/src/text/gpu/Glyph.h b/src/text/gpu/Glyph.h
+index 821612d68cecfe9dae9518e376e09fdf233395ad..7942006a563bcab925ea2129ab6f6beea438a4c8 100644
+--- a/src/text/gpu/Glyph.h
++++ b/src/text/gpu/Glyph.h
+@@ -14,6 +14,25 @@
+ 
+ namespace sktext::gpu {
+ 
++struct GlyphEntryKey {
++    explicit GlyphEntryKey(SkPackedGlyphID id, skgpu::MaskFormat format)
++            : fPackedID(id), fFormat(format) {}
++
++    const SkPackedGlyphID fPackedID;
++    skgpu::MaskFormat fFormat;
++
++    bool operator==(const GlyphEntryKey& that) const {
++        return fPackedID == that.fPackedID && fFormat == that.fFormat;
++    }
++    bool operator!=(const GlyphEntryKey& that) const {
++        return !(*this == that);
++    }
++
++    uint32_t hash() const {
++        return fPackedID.hash();
++    }
++};
++
+ class Glyph {
+ public:
+     static skgpu::MaskFormat FormatFromSkGlyph(SkMask::Format format) {
+@@ -34,10 +53,11 @@ public:
+         SkUNREACHABLE;
+     }
+ 
+-    explicit Glyph(SkPackedGlyphID packedGlyphID) : fPackedID(packedGlyphID) {}
++    explicit Glyph(SkPackedGlyphID packedGlyphID, skgpu::MaskFormat format)
++             : fGlyphEntryKey(packedGlyphID, format) {}
+ 
+-    const SkPackedGlyphID       fPackedID;
+-    skgpu::AtlasLocator         fAtlasLocator;
++    const GlyphEntryKey fGlyphEntryKey;
++    skgpu::AtlasLocator fAtlasLocator;
+ };
+ 
+ }  // namespace sktext::gpu
+diff --git a/src/text/gpu/GlyphVector.cpp b/src/text/gpu/GlyphVector.cpp
+index 2a8e85f926aa547169f4b85372e9d3fb99816956..7bec7a0b77d8560d5ef978281edd7df6c45cb56f 100644
+--- a/src/text/gpu/GlyphVector.cpp
++++ b/src/text/gpu/GlyphVector.cpp
+@@ -99,14 +99,14 @@ SkSpan<const Glyph*> GlyphVector::glyphs() const {
+ 
+ // packedGlyphIDToGlyph must be run in single-threaded mode.
+ // If fSkStrike is not sk_sp<SkStrike> then the conversion to Glyph* has not happened.
+-void GlyphVector::packedGlyphIDToGlyph(StrikeCache* cache) {
++void GlyphVector::packedGlyphIDToGlyph(StrikeCache* cache, MaskFormat maskFormat) {
+     if (fTextStrike == nullptr) {
+         SkStrike* strike = fStrikePromise.strike();
+         fTextStrike = cache->findOrCreateStrike(strike->strikeSpec());
+ 
+         // Get all the atlas locations for each glyph.
+         for (Variant& variant : fGlyphs) {
+-            variant.glyph = fTextStrike->getGlyph(variant.packedGlyphID);
++            variant.glyph = fTextStrike->getGlyph(variant.packedGlyphID, maskFormat);
+         }
+ 
+         // This must be pinned for the Atlas filling to work.
+diff --git a/src/text/gpu/GlyphVector.h b/src/text/gpu/GlyphVector.h
+index 42b92a93f70cc6d86d0a87dd07c2244e0da1281c..1eec6327d38fb4472b027faae68eecb9ad7509d7 100644
+--- a/src/text/gpu/GlyphVector.h
++++ b/src/text/gpu/GlyphVector.h
+@@ -68,7 +68,7 @@ public:
+     // the sub runs.
+     int unflattenSize() const { return GlyphVectorSize(fGlyphs.size()); }
+ 
+-    void packedGlyphIDToGlyph(StrikeCache* cache);
++    void packedGlyphIDToGlyph(StrikeCache* cache, skgpu::MaskFormat);
+ 
+     static size_t GlyphVectorSize(size_t count) {
+         return sizeof(Variant) * count;
+diff --git a/src/text/gpu/StrikeCache.cpp b/src/text/gpu/StrikeCache.cpp
+index add3127c92fdbfe56d6b56209a2235ce5a9f5acb..19df48329fd500f8682669ec96eb883b58243fdd 100644
+--- a/src/text/gpu/StrikeCache.cpp
++++ b/src/text/gpu/StrikeCache.cpp
+@@ -207,10 +207,11 @@ TextStrike::TextStrike(StrikeCache* strikeCache, const SkStrikeSpec& strikeSpec)
+         : fStrikeCache(strikeCache)
+         , fStrikeSpec{strikeSpec} {}
+ 
+-Glyph* TextStrike::getGlyph(SkPackedGlyphID packedGlyphID) {
+-    Glyph* glyph = fCache.findOrNull(packedGlyphID);
++Glyph* TextStrike::getGlyph(SkPackedGlyphID packedGlyphID, skgpu::MaskFormat format) {
++    GlyphEntryKey localKey(packedGlyphID, format);
++    Glyph* glyph = fCache.findOrNull(localKey);
+     if (glyph == nullptr) {
+-        glyph = fAlloc.make<Glyph>(packedGlyphID);
++        glyph = fAlloc.make<Glyph>(packedGlyphID, format);
+         fCache.set(glyph);
+         fMemoryUsed += sizeof(Glyph);
+         if (!fRemoved) {
+@@ -220,11 +221,11 @@ Glyph* TextStrike::getGlyph(SkPackedGlyphID packedGlyphID) {
+     return glyph;
+ }
+ 
+-const SkPackedGlyphID& TextStrike::HashTraits::GetKey(const Glyph* glyph) {
+-    return glyph->fPackedID;
++const GlyphEntryKey& TextStrike::HashTraits::GetKey(const Glyph* glyph) {
++    return glyph->fGlyphEntryKey;
+ }
+ 
+-uint32_t TextStrike::HashTraits::Hash(SkPackedGlyphID key) {
++uint32_t TextStrike::HashTraits::Hash(GlyphEntryKey key) {
+     return key.hash();
+ }
+ 
+diff --git a/src/text/gpu/StrikeCache.h b/src/text/gpu/StrikeCache.h
+index 007c45c6c6feecba3ff031ba3939ad2402e082b9..014afd5286602e3e049d8e48ae328273e599dc41 100644
+--- a/src/text/gpu/StrikeCache.h
++++ b/src/text/gpu/StrikeCache.h
+@@ -13,6 +13,7 @@
+ #include "src/core/SkDescriptor.h"
+ #include "src/core/SkStrikeSpec.h"
+ #include "src/core/SkTHash.h"
++#include "src/gpu/AtlasTypes.h"
+ 
+ #include <cstddef>
+ #include <cstdint>
+@@ -32,6 +33,7 @@ struct SkPackedGlyphID;
+ namespace sktext::gpu {
+ 
+ class Glyph;
++struct GlyphEntryKey;
+ class StrikeCache;
+ 
+ // The TextStrike manages an SkArenaAlloc for Glyphs. The SkStrike is what actually creates
+@@ -43,7 +45,7 @@ public:
+     TextStrike(StrikeCache* strikeCache,
+                const SkStrikeSpec& strikeSpec);
+ 
+-    Glyph* getGlyph(SkPackedGlyphID);
++    Glyph* getGlyph(SkPackedGlyphID, skgpu::MaskFormat format);
+     const SkStrikeSpec& strikeSpec() const { return fStrikeSpec; }
+     const SkDescriptor& getDescriptor() const { return fStrikeSpec.descriptor(); }
+ 
+@@ -54,11 +56,11 @@ private:
+     const SkStrikeSpec fStrikeSpec;
+ 
+     struct HashTraits {
+-        static const SkPackedGlyphID& GetKey(const Glyph* glyph);
+-        static uint32_t Hash(SkPackedGlyphID key);
++        static const GlyphEntryKey& GetKey(const Glyph* glyph);
++        static uint32_t Hash(GlyphEntryKey key);
+     };
+     // Map SkPackedGlyphID -> Glyph*.
+-    skia_private::THashTable<Glyph*, SkPackedGlyphID, HashTraits> fCache;
++    skia_private::THashTable<Glyph*, GlyphEntryKey, HashTraits> fCache;
+ 
+     // Store for the glyph information.
+     SkArenaAlloc fAlloc{512};
+diff --git a/src/text/gpu/SubRunContainer.cpp b/src/text/gpu/SubRunContainer.cpp
+index 3a061a2012cd99de9ee4b3674f78ae99e0385d6c..a19460c82593c6713c047ab19e71caa27e375a6d 100644
+--- a/src/text/gpu/SubRunContainer.cpp
++++ b/src/text/gpu/SubRunContainer.cpp
+@@ -651,8 +651,9 @@ public:
+ 
+     int glyphSrcPadding() const override { return 0; }
+ 
+-    void testingOnly_packedGlyphIDToGlyph(StrikeCache* cache) const override {
+-        fGlyphs.packedGlyphIDToGlyph(cache);
++    void testingOnly_packedGlyphIDToGlyph(StrikeCache* cache,
++                                          skgpu::MaskFormat maskFormat) const override {
++        fGlyphs.packedGlyphIDToGlyph(cache, maskFormat);
+     }
+ 
+     std::tuple<bool, SkRect> deviceRectAndNeedsTransform(
+@@ -755,8 +756,9 @@ public:
+ 
+     const AtlasSubRun* testingOnly_atlasSubRun() const override { return this; }
+ 
+-    void testingOnly_packedGlyphIDToGlyph(StrikeCache *cache) const override {
+-        fGlyphs.packedGlyphIDToGlyph(cache);
++    void testingOnly_packedGlyphIDToGlyph(StrikeCache *cache,
++                                          skgpu::MaskFormat maskFormat) const override {
++        fGlyphs.packedGlyphIDToGlyph(cache, maskFormat);
+     }
+ 
+     int glyphSrcPadding() const override { return 1; }
+@@ -884,8 +886,9 @@ public:
+ 
+     const AtlasSubRun* testingOnly_atlasSubRun() const override { return this; }
+ 
+-    void testingOnly_packedGlyphIDToGlyph(StrikeCache *cache) const override {
+-        fGlyphs.packedGlyphIDToGlyph(cache);
++    void testingOnly_packedGlyphIDToGlyph(StrikeCache *cache,
++                                          skgpu::MaskFormat maskFormat) const override {
++        fGlyphs.packedGlyphIDToGlyph(cache, maskFormat);
+     }
+ 
+     int glyphSrcPadding() const override { return SK_DistanceFieldInset; }
+diff --git a/src/text/gpu/SubRunContainer.h b/src/text/gpu/SubRunContainer.h
+index 2573dbb3964e9ab2cc0e276b60d4ab4f9804f0d9..4d1a3c8c2d55015d3d351d322ef039c45be2a398 100644
+--- a/src/text/gpu/SubRunContainer.h
++++ b/src/text/gpu/SubRunContainer.h
+@@ -167,7 +167,7 @@ public:
+ 
+     const VertexFiller& vertexFiller() const { return fVertexFiller; }
+ 
+-    virtual void testingOnly_packedGlyphIDToGlyph(StrikeCache* cache) const = 0;
++    virtual void testingOnly_packedGlyphIDToGlyph(StrikeCache* cache, skgpu::MaskFormat) const = 0;
+ 
+ protected:
+     const VertexFiller fVertexFiller;
+diff --git a/tests/AtlasOobTest.cpp b/tests/AtlasOobTest.cpp
+new file mode 100644
+index 0000000000000000000000000000000000000000..4e6fb02ee6af6543df285d8112f1a2ced5bd9ac9
+--- /dev/null
++++ b/tests/AtlasOobTest.cpp
+@@ -0,0 +1,201 @@
++/*
++ * Copyright 2026 Google LLC
++ *
++ * Use of this source code is governed by a BSD-style license that can be
++ * found in the LICENSE file.
++ */
++#include "include/core/SkCanvas.h"
++#include "include/core/SkGraphics.h"
++#include "include/core/SkSerialProcs.h"
++#include "include/core/SkSurface.h"
++#include "include/private/chromium/SkChromeRemoteGlyphCache.h"
++#include "include/private/chromium/Slug.h"
++#include "src/core/SkDescriptor.h"
++#include "src/core/SkReadBuffer.h"
++#include "src/core/SkTypeface_remote.h"
++#include "src/core/SkWriteBuffer.h"
++#include "src/gpu/AtlasTypes.h"
++#include "tests/CtsEnforcement.h"
++#include "tests/Test.h"
++#include "tools/ToolUtils.h"
++
++#if defined(SK_GANESH)
++#include "include/gpu/ganesh/GrDirectContext.h"
++#include "include/gpu/ganesh/SkSurfaceGanesh.h"
++#endif
++
++#if defined(SK_GRAPHITE)
++#include "include/gpu/graphite/Context.h"
++#include "include/gpu/graphite/Surface.h"
++#include "tools/graphite/GraphiteTestContext.h"
++#endif  // defined(SK_GRAPHITE)
++
++#include <vector>
++#include <cstring>
++
++namespace {
++class FakeDiscardableManager : public SkStrikeClient::DiscardableHandleManager {
++public:
++    bool deleteHandle(SkDiscardableHandleId) override { return false; }
++    void notifyCacheMiss(SkStrikeClient::CacheMissType, int) override {}
++    void notifyReadFailure(const ReadFailureData&) override {}
++    void assertHandleValid(SkDiscardableHandleId) override {}
++};
++
++unsigned char kStrikeData[] = {
++  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x07, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65,
++  0x00, 0x00, 0x00, 0x65, 0xd8, 0x50, 0xda, 0x99, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x63, 0x65, 0x72, 0x73, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x80, 0x41,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41,
++  0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00,
++  0x08, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x64, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41,
++  0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0x66, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00,
++  0x08, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x08, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x00, 0x66, 0x86, 0x07, 0xc2, 0x42,
++  0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x63, 0x65, 0x72, 0x73, 0x38, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x80, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x41, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
++  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00
++};
++
++unsigned char kDrawSlugOp[] = {
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x41,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x3f,
++  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x80, 0x3f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41,
++  0x00, 0x00, 0x00, 0x41, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x86, 0x07, 0xc2, 0x42, 0x4c, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x63, 0x65, 0x72, 0x73,
++  0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00, 0x00, 0x80, 0x41, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff,
++  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00,
++  0x99, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
++};
++
++} // namespace
++
++// TODO: We expect this test to correctly hit an SkUnreachable and then crash. That does not work
++// with our current testing framework because we have no to "expect" a crash. So for now we will
++// land this test with only the valid loop enabled, but to test this is working locally, you should
++// change the loop to have both iterations.
++static void run_atlas_oob_test(skiatest::Reporter* reporter, SkCanvas* canvas) {
++    auto discardableManager = sk_make_sp<FakeDiscardableManager>();
++    SkStrikeClient client(discardableManager, false);
++
++    // 1. Prepare Strike Data
++    if (!client.readStrikeData(kStrikeData, sizeof(kStrikeData))) {
++        REPORTER_ASSERT(reporter, false, "Failed to read initial strike data");
++    }
++
++    // 2. Prepare and Execute DrawSlug ops
++    SkPaint paint;
++    for (int idx = 0; idx < 1; ++idx) {
++//    for (int idx = 0; idx < 2; ++idx) {
++        if (idx == 0) {
++                kDrawSlugOp[0x48] = (unsigned char)skgpu::MaskFormat::kARGB;
++        } else if (idx == 1) {
++                kDrawSlugOp[0x48] = (unsigned char)skgpu::MaskFormat::kA8;
++        }
++        kDrawSlugOp[0xd8] = SkMask::kARGB32_Format;
++        kDrawSlugOp[0xe0] = 0x99;
++
++        auto slug = client.deserializeSlugForTest(kDrawSlugOp, sizeof(kDrawSlugOp));
++        if (slug) {
++            slug->draw(canvas, paint);
++        }
++    }
++
++}
++
++#if defined(SK_GANESH)
++DEF_GANESH_TEST_FOR_RENDERING_CONTEXTS(Atlas_Oob_ganesh, reporter, ctxInfo, CtsEnforcement::kNextRelease) {
++    auto dContext = ctxInfo.directContext();
++    SkImageInfo info = SkImageInfo::MakeN32Premul(1024, 1024);
++    auto surface = SkSurfaces::RenderTarget(dContext, skgpu::Budgeted::kNo, info);
++    if (!surface) return;
++    auto canvas = surface->getCanvas();
++
++    run_atlas_oob_test(reporter, canvas);
++
++    dContext->flushAndSubmit();
++}
++#endif // defined(SK_GANESH)
++
++#if defined(SK_GRAPHITE)
++DEF_GRAPHITE_TEST_FOR_RENDERING_CONTEXTS(Atlas_Oob_graphite, reporter, context, CtsEnforcement::kNextRelease) {
++    using namespace skgpu::graphite;
++    std::unique_ptr<Recorder> recorder = context->makeRecorder();
++    SkImageInfo info = SkImageInfo::MakeN32Premul(1024, 1024);
++    auto surface = SkSurfaces::RenderTarget(recorder.get(), info);
++    if (!surface) return;
++    auto canvas = surface->getCanvas();
++
++    run_atlas_oob_test(reporter, canvas);
++
++    std::unique_ptr<Recording> recording = recorder->snap();
++    InsertRecordingInfo recordingInfo;
++    recordingInfo.fRecording = recording.get();
++    context->insertRecording(recordingInfo);
++    context->submit();
++}
++#endif // defined(SK_GRAPHITE)

patches/squirrel.mac/.patches

@@ -9,4 +9,4 @@ refactor_use_non-deprecated_nskeyedarchiver_apis.patch
 chore_turn_off_launchapplicationaturl_deprecation_errors_in_squirrel.patch
 fix_crash_when_process_to_extract_zip_cannot_be_launched.patch
 use_uttype_class_instead_of_deprecated_uttypeconformsto.patch
-fix_clean_up_old_staged_updates_before_downloading_new_update.patch
+fix_clean_up_orphaned_staged_updates_before_downloading_new_update.patch

patches/squirrel.mac/fix_clean_up_old_staged_updates_before_downloading_new_update.patch

@@ -1,64 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Andy Locascio <loc@anthropic.com>
-Date: Tue, 6 Jan 2026 08:23:03 -0800
-Subject: fix: clean up old staged updates before downloading new update
-
-When checkForUpdates() is called while an update is already staged,
-Squirrel creates a new temporary directory for the download without
-cleaning up the old one. This can lead to significant disk usage if
-the app keeps checking for updates without restarting.
-
-This change adds a force parameter to pruneUpdateDirectories that
-bypasses the AwaitingRelaunch state check. This is called before
-creating a new temp directory, ensuring old staged updates are
-cleaned up when a new download starts.
-
-diff --git a/Squirrel/SQRLUpdater.m b/Squirrel/SQRLUpdater.m
-index d156616e81e6f25a3bded30e6216b8fc311f31bc..6cd4346bf43b191147aff819cb93387e71275a46 100644
---- a/Squirrel/SQRLUpdater.m
-+++ b/Squirrel/SQRLUpdater.m
-@@ -543,11 +543,17 @@ - (RACSignal *)downloadBundleForUpdate:(SQRLUpdate *)update intoDirectory:(NSURL
- #pragma mark File Management
- 
- - (RACSignal *)uniqueTemporaryDirectoryForUpdate {
--	return [[[RACSignal
-+	// Clean up any old staged update directories before creating a new one.
-+	// This prevents disk usage from growing when checkForUpdates() is called
-+	// multiple times without the app restarting.
-+	return [[[[[self
-+		pruneUpdateDirectoriesWithForce:YES]
-+		ignoreValues]
-+		concat:[RACSignal
- 		defer:^{
- 			SQRLDirectoryManager *directoryManager = [[SQRLDirectoryManager alloc] initWithApplicationIdentifier:SQRLShipItLauncher.shipItJobLabel];
- 			return [directoryManager storageURL];
--		}]
-+		}]]
- 		flattenMap:^(NSURL *storageURL) {
- 			NSURL *updateDirectoryTemplate = [storageURL URLByAppendingPathComponent:[SQRLUpdaterUniqueTemporaryDirectoryPrefix stringByAppendingString:@"XXXXXXX"]];
- 			char *updateDirectoryCString = strdup(updateDirectoryTemplate.path.fileSystemRepresentation);
-@@ -643,7 +649,7 @@ - (BOOL)isRunningOnReadOnlyVolume {
- 
- - (RACSignal *)performHousekeeping {
- 	return [[RACSignal
--		merge:@[ [self pruneUpdateDirectories], [self truncateLogs] ]]
-+		merge:@[ [self pruneUpdateDirectoriesWithForce:NO], [self truncateLogs] ]]
- 		catch:^(NSError *error) {
- 			NSLog(@"Error doing housekeeping: %@", error);
- 			return [RACSignal empty];
-@@ -658,11 +664,12 @@ - (RACSignal *)performHousekeeping {
- ///
- /// Sends each removed directory then completes, or errors, on an unspecified
- /// thread.
--- (RACSignal *)pruneUpdateDirectories {
-+- (RACSignal *)pruneUpdateDirectoriesWithForce:(BOOL)force {
- 	return [[[RACSignal
- 		defer:^{
--			// If we already have updates downloaded we don't wanna prune them.
--			if (self.state == SQRLUpdaterStateAwaitingRelaunch) return [RACSignal empty];
-+			// If we already have updates downloaded we don't wanna prune them,
-+			// unless force is YES (used when starting a new download).
-+			if (!force && self.state == SQRLUpdaterStateAwaitingRelaunch) return [RACSignal empty];
- 
- 			SQRLDirectoryManager *directoryManager = [[SQRLDirectoryManager alloc] initWithApplicationIdentifier:SQRLShipItLauncher.shipItJobLabel];
- 			return [directoryManager storageURL];

patches/squirrel.mac/fix_clean_up_orphaned_staged_updates_before_downloading_new_update.patch

@@ -0,0 +1,130 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andy Locascio <loc@anthropic.com>
+Date: Tue, 6 Jan 2026 08:23:03 -0800
+Subject: fix: clean up orphaned staged updates before downloading new update
+
+When checkForUpdates() is called while an update is already staged,
+Squirrel creates a new temporary directory for the download without
+cleaning up the old one. This can lead to significant disk usage if
+the app keeps checking for updates without restarting.
+
+This change adds a pruneOrphanedUpdateDirectories step before creating
+a new temp directory. Unlike a blanket prune, this reads the current
+ShipItState.plist and preserves the directory it references, deleting
+only truly orphaned update directories. This keeps the on-disk
+footprint bounded (at most 2 dirs) while ensuring quitAndInstall
+remains safe to call even when a new check is in progress.
+
+Refs https://github.com/electron/electron/issues/50200
+
+diff --git a/Squirrel/SQRLUpdater.m b/Squirrel/SQRLUpdater.m
+index d156616e81e6f25a3bded30e6216b8fc311f31bc..41856e5754228d33982db72f97f2ff241615a357 100644
+--- a/Squirrel/SQRLUpdater.m
++++ b/Squirrel/SQRLUpdater.m
+@@ -543,11 +543,19 @@ - (RACSignal *)downloadBundleForUpdate:(SQRLUpdate *)update intoDirectory:(NSURL
+ #pragma mark File Management
+ 
+ - (RACSignal *)uniqueTemporaryDirectoryForUpdate {
+-	return [[[RACSignal
++	// Clean up any orphaned update directories before creating a new one.
++	// This prevents disk usage from growing when checkForUpdates() is called
++	// multiple times without the app restarting. The currently staged update
++	// (referenced by ShipItState.plist) is always preserved so quitAndInstall
++	// remains safe to call while a new check is in progress.
++	return [[[[[self
++		pruneOrphanedUpdateDirectories]
++		ignoreValues]
++		concat:[RACSignal
+ 		defer:^{
+ 			SQRLDirectoryManager *directoryManager = [[SQRLDirectoryManager alloc] initWithApplicationIdentifier:SQRLShipItLauncher.shipItJobLabel];
+ 			return [directoryManager storageURL];
+-		}]
++		}]]
+ 		flattenMap:^(NSURL *storageURL) {
+ 			NSURL *updateDirectoryTemplate = [storageURL URLByAppendingPathComponent:[SQRLUpdaterUniqueTemporaryDirectoryPrefix stringByAppendingString:@"XXXXXXX"]];
+ 			char *updateDirectoryCString = strdup(updateDirectoryTemplate.path.fileSystemRepresentation);
+@@ -668,25 +676,68 @@ - (RACSignal *)pruneUpdateDirectories {
+ 			return [directoryManager storageURL];
+ 		}]
+ 		flattenMap:^(NSURL *storageURL) {
+-			NSFileManager *manager = [[NSFileManager alloc] init];
+-			NSDirectoryEnumerator *enumerator = [manager enumeratorAtURL:storageURL includingPropertiesForKeys:nil options:NSDirectoryEnumerationSkipsSubdirectoryDescendants errorHandler:^(NSURL *URL, NSError *error) {
+-				NSLog(@"Error enumerating item %@ within directory %@: %@", URL, storageURL, error);
+-				return YES;
+-			}];
++			return [self removeUpdateDirectoriesInStorageURL:storageURL excludingURL:nil];
++		}]
++		setNameWithFormat:@"%@ -prunedUpdateDirectories", self];
++}
+ 
+-			return [[enumerator.rac_sequence.signal
+-				filter:^(NSURL *enumeratedURL) {
+-					NSString *name = enumeratedURL.lastPathComponent;
+-					return [name hasPrefix:SQRLUpdaterUniqueTemporaryDirectoryPrefix];
+-				}]
+-				doNext:^(NSURL *directoryURL) {
+-					NSError *error = nil;
+-					if (![manager removeItemAtURL:directoryURL error:&error]) {
+-						NSLog(@"Error removing old update directory at %@: %@", directoryURL, error.sqrl_verboseDescription);
+-					}
++/// Lazily removes orphaned temporary directories upon subscription, always
++/// preserving the directory currently referenced by ShipItState.plist so that
++/// quitAndInstall remains safe to call mid-check.
++///
++/// Safe to call in any state. Sends each removed directory then completes on
++/// an unspecified thread. Errors reading the staged request are swallowed
++/// (treated as "nothing staged").
++- (RACSignal *)pruneOrphanedUpdateDirectories {
++	return [[[[[SQRLShipItRequest
++		readUsingURL:self.shipItStateURL]
++		map:^(SQRLShipItRequest *request) {
++			// The request holds the URL to the staged .app bundle; its parent
++			// is the update.XXXXXXX directory we must preserve.
++			return [request.updateBundleURL URLByDeletingLastPathComponent];
++		}]
++		catch:^(NSError *error) {
++			// No staged request (or unreadable) — nothing to preserve.
++			return [RACSignal return:nil];
++		}]
++		flattenMap:^(NSURL *stagedDirectoryURL) {
++			SQRLDirectoryManager *directoryManager = [[SQRLDirectoryManager alloc] initWithApplicationIdentifier:SQRLShipItLauncher.shipItJobLabel];
++			return [[directoryManager storageURL]
++				flattenMap:^(NSURL *storageURL) {
++					return [self removeUpdateDirectoriesInStorageURL:storageURL excludingURL:stagedDirectoryURL];
+ 				}];
+ 		}]
+-		setNameWithFormat:@"%@ -prunedUpdateDirectories", self];
++		setNameWithFormat:@"%@ -pruneOrphanedUpdateDirectories", self];
++}
++
++/// Shared enumerate-and-delete logic for update temp directories.
++///
++/// storageURL  - The Squirrel storage root to enumerate. Must not be nil.
++/// excludedURL - Directory to skip (compared by standardized path). May be nil.
++- (RACSignal *)removeUpdateDirectoriesInStorageURL:(NSURL *)storageURL excludingURL:(NSURL *)excludedURL {
++	NSParameterAssert(storageURL != nil);
++
++	NSFileManager *manager = [[NSFileManager alloc] init];
++	NSDirectoryEnumerator *enumerator = [manager enumeratorAtURL:storageURL includingPropertiesForKeys:nil options:NSDirectoryEnumerationSkipsSubdirectoryDescendants errorHandler:^(NSURL *URL, NSError *error) {
++		NSLog(@"Error enumerating item %@ within directory %@: %@", URL, storageURL, error);
++		return YES;
++	}];
++
++	NSString *excludedPath = excludedURL.URLByStandardizingPath.path;
++
++	return [[enumerator.rac_sequence.signal
++		filter:^(NSURL *enumeratedURL) {
++			NSString *name = enumeratedURL.lastPathComponent;
++			if (![name hasPrefix:SQRLUpdaterUniqueTemporaryDirectoryPrefix]) return NO;
++			if (excludedPath != nil && [enumeratedURL.URLByStandardizingPath.path isEqualToString:excludedPath]) return NO;
++			return YES;
++		}]
++		doNext:^(NSURL *directoryURL) {
++			NSError *error = nil;
++			if (![manager removeItemAtURL:directoryURL error:&error]) {
++				NSLog(@"Error removing old update directory at %@: %@", directoryURL, error.sqrl_verboseDescription);
++			}
++		}];
+ }
+ 
+ 

patches/v8/.patches

@@ -1 +1,3 @@
 chore_allow_customizing_microtask_policy_per_context.patch
+cherry-pick-d5b0cb2acffe.patch
+build_warn_instead_of_abort_on_builtin_pgo_profile_mismatch.patch

patches/v8/build_warn_instead_of_abort_on_builtin_pgo_profile_mismatch.patch

@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sam Attard <sattard@anthropic.com>
+Date: Sun, 22 Mar 2026 10:51:26 +0000
+Subject: build: warn instead of abort on builtin PGO profile mismatch
+
+Electron sets v8_enable_javascript_promise_hooks = true to support
+Node.js async_hooks (see node/src/env.cc SetPromiseHooks usage:
+https://github.com/nodejs/node/blob/abff716eaccd0c4f4949d1315cb057a45979649d/src/env.cc#L223-L236).
+This flag adds conditional branches to builtins-microtask-queue-gen.cc
+and promise-misc.tq, changing the control-flow graph hash of several
+Promise/async builtins. This invalidates V8's pre-generated PGO profile
+for those builtins (built with Chrome defaults where the flag is off).
+
+Rather than disabling builtins PGO entirely, warn and skip mismatched
+builtins so all other builtins still benefit from PGO.
+
+diff --git a/BUILD.gn b/BUILD.gn
+index 1bb7fc93c104805a3733280929a6759bacd399b4..874d6c94b258ab9e85ca13495912f2b7cb01189e 100644
+--- a/BUILD.gn
++++ b/BUILD.gn
+@@ -2649,9 +2649,11 @@ template("run_mksnapshot") {
+         "--turbo-profiling-input",
+         rebase_path(v8_builtins_profiling_log_file, root_build_dir),
+ 
+-        # Replace this with --warn-about-builtin-profile-data to see the full
+-        # list of builtins with incompatible profiles.
+-        "--abort-on-bad-builtin-profile-data",
++        # Electron: Use warn instead of abort so that builtins whose control
++        # flow is changed by Electron's build flags (e.g. RunMicrotasks via
++        # v8_enable_javascript_promise_hooks) are skipped rather than failing
++        # the build. All other builtins still receive PGO.
++        "--warn-about-builtin-profile-data",
+       ]
+ 
+       if (!v8_enable_builtins_profiling && v8_enable_builtins_reordering) {

patches/v8/cherry-pick-d5b0cb2acffe.patch

@@ -0,0 +1,50 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Darius Mercadier <dmercadier@chromium.org>
+Date: Wed, 25 Feb 2026 12:56:18 +0100
+Subject: [M144 Merge] [maglev] fix CanElideWriteBarrier Smi recording for phis
+
+Recording a Tagged use is not enough for 2 reasons:
+
+  * Tagged uses are sometimes ignored, in particular for loop phis
+    where we distinguish in-loop and out-of-loop uses.
+
+  * This Tagged use could only prevent untagging of this specific phi,
+    but none of its inputs. So we could have a Smi phi as input to the
+    current phi which gets untagged and retagged to a non-Smi, all
+    while the current phi doesn't get untagged.
+
+(cherry picked from commit a54bf5cd45e5b119e2afe6019428e81c3d626fb3)
+
+Change-Id: I9b3a2ea339f2c9d81dbb74a44425ba55d8c73871
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7604255
+Auto-Submit: Darius Mercadier <dmercadier@chromium.org>
+Reviewed-by: Leszek Swirski <leszeks@chromium.org>
+Commit-Queue: Darius Mercadier <dmercadier@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#105444}
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7659106
+Auto-Submit: Srinivas Sista <srinivassista@chromium.org>
+Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
+Commit-Queue: Srinivas Sista <srinivassista@chromium.org>
+Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
+Owners-Override: Srinivas Sista <srinivassista@chromium.org>
+Cr-Commit-Position: refs/branch-heads/14.4@{#64}
+Cr-Branched-From: 80acc26727d5a34e77dabeebe7c9213ec1bd4768-refs/heads/14.4.258@{#1}
+Cr-Branched-From: ce7e597e90f6df3fa4b6df224bc613b80c635450-refs/heads/main@{#104020}
+
+diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
+index bf6a5ab1b41d684c37dd96f7720474c6bb71a4db..c21a41d7da3394bb8f35857e0dcf49a78b218d31 100644
+--- a/src/maglev/maglev-graph-builder.cc
++++ b/src/maglev/maglev-graph-builder.cc
+@@ -4439,7 +4439,11 @@ bool MaglevGraphBuilder::CanElideWriteBarrier(ValueNode* object,
+                                               ValueNode* value) {
+   if (value->Is<RootConstant>() || value->Is<ConsStringMap>()) return true;
+   if (!IsEmptyNodeType(GetType(value)) && CheckType(value, NodeType::kSmi)) {
+-    value->MaybeRecordUseReprHint(UseRepresentation::kTagged);
++    if constexpr (SmiValuesAre31Bits()) {
++      if (Phi* value_as_phi = value->TryCast<Phi>()) {
++        value_as_phi->SetUseRequires31BitValue();
++      }
++    }
+     return true;
+   }
+ 

script/build-stats.mjs

@@ -32,7 +32,8 @@ async function main () {
   }));
   const hitRate = stats.CacheHit / (stats.Remote + stats.CacheHit + stats.LocalFallback);
 
-  console.log(`Effective cache hit rate: ${(hitRate * 100).toFixed(2)}%`);
+  const messagePrefix = process.env.GITHUB_ACTIONS ? '::notice title=Build Stats::' : '';
+  console.log(`${messagePrefix}Effective cache hit rate: ${(hitRate * 100).toFixed(2)}%`);
 
   if (uploadStats) {
     if (!process.env.DD_API_KEY) {

script/codesign/cleanup-identity.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Removes the codesigning keychain created by generate-identity.sh.
+# Safe to run even if generate-identity.sh was never run (each step
+# is guarded).
+
+set -eo pipefail
+
+KEYCHAIN="electron-codesign.keychain-db"
+
+# delete-keychain also removes it from the search list
+if security list-keychains -d user | grep -q "$KEYCHAIN"; then
+  security delete-keychain "$KEYCHAIN"
+  echo "Deleted keychain: $KEYCHAIN"
+else
+  echo "Keychain not found, nothing to delete"
+fi
+
+# Clean up working directory
+rm -rf "$(dirname $0)"/.working
+echo "Cleanup complete"

script/codesign/generate-identity.sh

@@ -3,6 +3,8 @@
 set -eo pipefail
 
 dir="$(dirname $0)"/.working
+KEYCHAIN="electron-codesign.keychain-db"
+KEYCHAIN_TEMP="$(openssl rand -hex 12)"
 
 cleanup() {
     rm -rf "$dir"
@@ -18,30 +20,16 @@ mkdir -p "$dir"
 
 # Generate Certs
 openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
-sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
-sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
 
-# restart(reload) taskgated daemon
-sudo pkill -f /usr/libexec/taskgated
+# macOS 15+ blocks modifications to the system keychain via SIP/TCC,
+# so we use a custom user-scoped keychain instead.
+# Refs https://github.com/electron/electron/issues/48182
+security create-keychain -p "$KEYCHAIN_TEMP" "$KEYCHAIN"
+security set-keychain-settings -t 3600 -u "$KEYCHAIN"
+security unlock-keychain -p "$KEYCHAIN_TEMP" "$KEYCHAIN"
 
-# need once
-sudo security authorizationdb write system.privilege.taskport allow
-# need once
-DevToolsSecurity -enable
+security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
+security import "$dir"/certificate.cer -k "$KEYCHAIN" -T /usr/bin/codesign
+security import "$dir"/certificate.key -k "$KEYCHAIN" -T /usr/bin/codesign -A
 
-# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
-# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
-# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
-# rm -f "$dir"/certificate.pem
-
-# Import Certs
-# security import "$dir"/certificate.cer -k $KEY_CHAIN
-# security import "$dir"/private.pem -k $KEY_CHAIN
-# security import "$dir"/public.key -k $KEY_CHAIN
-
-# Generate Trust Settings
-# TODO: Remove NPX
-npm_config_yes=true npx ts-node "$(dirname $0)"/gen-trust.ts "$dir"/certificate.cer "$dir"/trust.xml
-
-# Import Trust Settings
-sudo security trust-settings-import -d "$dir/trust.xml"
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_TEMP" "$KEYCHAIN"

script/codesign/get-trusted-identity.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-valid_certs=$(security find-identity -p codesigning -v)
+valid_certs=$(security find-identity -p codesigning)
 if [[ $valid_certs == *"1)"* ]]; then
   first_valid_cert=$(echo $valid_certs | sed 's/ \".*//' | sed 's/.* //')
   echo $first_valid_cert

script/lib/git.py

@@ -128,6 +128,11 @@ def format_patch(repo, since):
         os.path.dirname(os.path.realpath(__file__)),
         'electron.gitattributes',
     ),
+    # Pin rename/copy detection to git's default so that patch output is
+    # deterministic regardless of local or system-level diff.renames config
+    # (e.g. 'copies', which would encode similar new files as copies).
+    '-c',
+    'diff.renames=true',
     # Ensure it is not possible to match anything
     # Disabled for now as we have consistent chunk headers
     # '-c',

script/node-spec-runner.js

@@ -14,6 +14,7 @@ const args = minimist(process.argv.slice(2), {
 
 const BASE = path.resolve(__dirname, '../..');
 
+const ROOT_PACKAGE_JSON = path.resolve(BASE, 'package.json');
 const NODE_DIR = path.resolve(BASE, 'third_party', 'electron_node');
 const JUNIT_DIR = args.jUnitDir ? path.resolve(args.jUnitDir) : null;
 const TAP_FILE_NAME = 'test.tap';
@@ -38,6 +39,18 @@ const defaultOptions = [
   '-J'
 ];
 
+// The root package.json is ESM, which breaks the test runner.
+// Temporarily change it to CommonJS while running the tests, then
+// change it back when done.
+const resetPackageJson = ({ useESM }) => {
+  // This won't always exist in CI.
+  if (!fs.existsSync(ROOT_PACKAGE_JSON)) { return; }
+
+  const packageJson = JSON.parse(fs.readFileSync(ROOT_PACKAGE_JSON, 'utf-8'));
+  packageJson.type = useESM ? 'module' : 'commonjs';
+  fs.writeFileSync(ROOT_PACKAGE_JSON, JSON.stringify(packageJson, null, 2) + '\n');
+};
+
 const getCustomOptions = () => {
   let customOptions = ['tools/test.py'];
 
@@ -79,6 +92,8 @@ async function main () {
 
   const options = args.default ? defaultOptions : getCustomOptions();
 
+  resetPackageJson({ useESM: false });
+
   const testChild = cp.spawn('python3', options, {
     env: {
       ...process.env,
@@ -88,7 +103,10 @@ async function main () {
     cwd: NODE_DIR,
     stdio: 'inherit'
   });
+
   testChild.on('exit', (testCode) => {
+    resetPackageJson({ useESM: true });
+
     if (JUNIT_DIR) {
       fs.mkdirSync(JUNIT_DIR);
       const converterStream = require('tap-xunit')();

shell/browser/api/electron_api_base_window.cc

@@ -317,6 +317,12 @@ void BaseWindow::OnWindowSheetEnd() {
   Emit("sheet-end");
 }
 
+void BaseWindow::OnWindowIsKeyChanged(bool is_key) {
+#if BUILDFLAG(IS_MAC)
+  window()->SetActive(is_key);
+#endif
+}
+
 void BaseWindow::OnWindowEnterHtmlFullScreen() {
   Emit("enter-html-full-screen");
 }

shell/browser/api/electron_api_base_window.h

@@ -85,6 +85,7 @@ class BaseWindow : public gin_helper::TrackableObject<BaseWindow>,
   void OnWindowRotateGesture(float rotation) override;
   void OnWindowSheetBegin() override;
   void OnWindowSheetEnd() override;
+  void OnWindowIsKeyChanged(bool is_key) override;
   void OnWindowEnterFullScreen() override;
   void OnWindowLeaveFullScreen() override;
   void OnWindowEnterHtmlFullScreen() override;

shell/browser/api/electron_api_browser_window.cc

@@ -280,16 +280,22 @@ v8::Local<v8::Value> BrowserWindow::GetWebContents(v8::Isolate* isolate) {
 }
 
 void BrowserWindow::OnWindowShow() {
+  if (!web_contents_shown_) {
+    web_contents()->WasShown();
+    web_contents_shown_ = true;
+  }
   BaseWindow::OnWindowShow();
 }
 
 void BrowserWindow::OnWindowHide() {
   web_contents()->WasOccluded();
+  web_contents_shown_ = false;
   BaseWindow::OnWindowHide();
 }
 
 void BrowserWindow::Show() {
   web_contents()->WasShown();
+  web_contents_shown_ = true;
   BaseWindow::Show();
 }
 
@@ -298,6 +304,7 @@ void BrowserWindow::ShowInactive() {
   if (IsModal())
     return;
   web_contents()->WasShown();
+  web_contents_shown_ = true;
   BaseWindow::ShowInactive();
 }
 

shell/browser/api/electron_api_browser_window.h

@@ -80,6 +80,7 @@ class BrowserWindow : public BaseWindow,
   // Helpers.
 
   v8::Global<v8::Value> web_contents_;
+  bool web_contents_shown_ = false;
   v8::Global<v8::Value> web_contents_view_;
   base::WeakPtr<api::WebContents> api_web_contents_;
 

shell/browser/api/electron_api_content_tracing.cc

@@ -151,7 +151,10 @@ void OnTraceBufferUsageAvailable(
     gin_helper::Promise<gin_helper::Dictionary> promise,
     float percent_full,
     size_t approximate_count) {
-  auto dict = gin_helper::Dictionary::CreateEmpty(promise.isolate());
+  v8::Isolate* isolate = promise.isolate();
+  v8::HandleScope handle_scope(isolate);
+
+  auto dict = gin_helper::Dictionary::CreateEmpty(isolate);
   dict.Set("percentage", percent_full);
   dict.Set("value", approximate_count);
 

shell/browser/api/electron_api_notification.cc

@@ -189,8 +189,23 @@ void Notification::NotificationFailed(const std::string& error) {
 
 void Notification::NotificationDestroyed() {}
 
-void Notification::NotificationClosed() {
-  Emit("close");
+void Notification::NotificationClosed(const std::string& reason) {
+  if (reason.empty()) {
+    Emit("close");
+  } else {
+    v8::Isolate* isolate = JavascriptEnvironment::GetIsolate();
+    v8::HandleScope handle_scope(isolate);
+
+    gin_helper::internal::Event* event =
+        gin_helper::internal::Event::New(isolate);
+    v8::Local<v8::Object> event_object =
+        event->GetWrapper(isolate).ToLocalChecked();
+
+    gin_helper::Dictionary dict(isolate, event_object);
+    dict.Set("reason", reason);
+
+    EmitWithoutEvent("close", event_object);
+  }
 }
 
 void Notification::Close() {

shell/browser/api/electron_api_notification.h

@@ -50,7 +50,7 @@ class Notification final : public gin_helper::DeprecatedWrappable<Notification>,
   void NotificationReplied(const std::string& reply) override;
   void NotificationDisplayed() override;
   void NotificationDestroyed() override;
-  void NotificationClosed() override;
+  void NotificationClosed(const std::string& reason) override;
   void NotificationFailed(const std::string& error) override;
 
   // gin_helper::Wrappable

shell/browser/api/electron_api_power_monitor.cc

@@ -80,6 +80,14 @@ PowerMonitor::PowerMonitor(v8::Isolate* isolate) {
 }
 
 PowerMonitor::~PowerMonitor() {
+#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
+  DestroyPlatformSpecificMonitors();
+#endif
+
+#if BUILDFLAG(IS_MAC)
+  Browser::Get()->SetShutdownHandler(base::RepeatingCallback<bool()>());
+#endif
+
   auto* power_monitor = base::PowerMonitor::GetInstance();
   power_monitor->RemovePowerStateObserver(this);
   power_monitor->RemovePowerSuspendObserver(this);

shell/browser/api/electron_api_power_monitor.h

@@ -49,6 +49,7 @@ class PowerMonitor final : public gin_helper::DeprecatedWrappable<PowerMonitor>,
 
 #if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
   void InitPlatformSpecificMonitors();
+  void DestroyPlatformSpecificMonitors();
 #endif
 
   // base::PowerStateObserver implementations:

shell/browser/api/electron_api_power_monitor_mac.mm

@@ -15,6 +15,7 @@
 }
 
 - (void)addEmitter:(electron::api::PowerMonitor*)monitor_;
+- (void)removeEmitter:(electron::api::PowerMonitor*)monitor_;
 
 @end
 
@@ -62,6 +63,10 @@
   self->emitters.push_back(monitor_);
 }
 
+- (void)removeEmitter:(electron::api::PowerMonitor*)monitor_ {
+  std::erase(self->emitters, monitor_);
+}
+
 - (void)onScreenLocked:(NSNotification*)notification {
   for (auto* emitter : self->emitters) {
     emitter->Emit("lock-screen");
@@ -98,4 +103,9 @@ void PowerMonitor::InitPlatformSpecificMonitors() {
   [g_lock_monitor addEmitter:this];
 }
 
+void PowerMonitor::DestroyPlatformSpecificMonitors() {
+  if (g_lock_monitor)
+    [g_lock_monitor removeEmitter:this];
+}
+
 }  // namespace electron::api

shell/browser/api/electron_api_power_monitor_win.cc

@@ -49,6 +49,20 @@ void PowerMonitor::InitPlatformSpecificMonitors() {
                                     DEVICE_NOTIFY_WINDOW_HANDLE);
 }
 
+void PowerMonitor::DestroyPlatformSpecificMonitors() {
+  if (window_) {
+    WTSUnRegisterSessionNotification(window_);
+    UnregisterSuspendResumeNotification(static_cast<HANDLE>(window_));
+    gfx::SetWindowUserData(window_, nullptr);
+    DestroyWindow(window_);
+    window_ = nullptr;
+  }
+  if (atom_) {
+    UnregisterClass(MAKEINTATOM(atom_), instance_);
+    atom_ = 0;
+  }
+}
+
 LRESULT CALLBACK PowerMonitor::WndProcStatic(HWND hwnd,
                                              UINT message,
                                              WPARAM wparam,
@@ -76,7 +90,7 @@ LRESULT CALLBACK PowerMonitor::WndProc(HWND hwnd,
     }
     if (should_treat_as_current_session) {
       if (wparam == WTS_SESSION_LOCK) {
-        // Unretained is OK because this object is eternally pinned.
+        // SelfKeepAlive prevents GC of this object, so Unretained is safe.
         content::GetUIThreadTaskRunner({})->PostTask(
             FROM_HERE,
             base::BindOnce([](PowerMonitor* pm) { pm->Emit("lock-screen"); },

shell/browser/api/electron_api_screen.cc

@@ -32,10 +32,6 @@
 #include "shell/browser/linux/x11_util.h"
 #endif
 
-#if defined(USE_OZONE)
-#include "ui/ozone/public/ozone_platform.h"
-#endif
-
 namespace electron::api {
 
 gin::DeprecatedWrapperInfo Screen::kWrapperInfo = {gin::kEmbedderNativeGin};
@@ -81,16 +77,9 @@ Screen::~Screen() {
 }
 
 gfx::Point Screen::GetCursorScreenPoint(v8::Isolate* isolate) {
-#if defined(USE_OZONE)
-  // Wayland will crash unless a window is created prior to calling
-  // GetCursorScreenPoint.
-  if (!ui::OzonePlatform::IsInitialized()) {
-    gin_helper::ErrorThrower thrower(isolate);
-    thrower.ThrowError(
-        "screen.getCursorScreenPoint() cannot be called before a window has "
-        "been created.");
+#if BUILDFLAG(IS_LINUX)
+  if (x11_util::IsWayland())
     return {};
-  }
 #endif
   return screen_->GetCursorScreenPoint();
 }

shell/browser/api/electron_api_utility_process.cc

@@ -258,7 +258,7 @@ void UtilityProcessWrapper::OnServiceProcessLaunch(
   EmitWithoutEvent("spawn");
 }
 
-void UtilityProcessWrapper::HandleTermination(uint64_t exit_code) {
+void UtilityProcessWrapper::HandleTermination(uint32_t exit_code) {
   // HandleTermination is called from multiple callsites,
   // we need to ensure we only process it for the first callsite.
   if (terminated_)
@@ -326,7 +326,7 @@ void UtilityProcessWrapper::CloseConnectorPort() {
   }
 }
 
-void UtilityProcessWrapper::Shutdown(uint64_t exit_code) {
+void UtilityProcessWrapper::Shutdown(uint32_t exit_code) {
   node_service_remote_.reset();
   HandleTermination(exit_code);
 }

shell/browser/api/electron_api_utility_process.h

@@ -57,7 +57,7 @@ class UtilityProcessWrapper final
   static gin_helper::Handle<UtilityProcessWrapper> Create(gin::Arguments* args);
   static raw_ptr<UtilityProcessWrapper> FromProcessId(base::ProcessId pid);
 
-  void Shutdown(uint64_t exit_code);
+  void Shutdown(uint32_t exit_code);
 
   // gin_helper::Wrappable
   static gin::DeprecatedWrapperInfo kWrapperInfo;
@@ -77,7 +77,7 @@ class UtilityProcessWrapper final
   void OnServiceProcessLaunch(const base::Process& process);
   void CloseConnectorPort();
 
-  void HandleTermination(uint64_t exit_code);
+  void HandleTermination(uint32_t exit_code);
 
   void PostMessage(gin::Arguments* args);
   bool Kill();

shell/browser/api/electron_api_web_contents.cc

@@ -2201,6 +2201,11 @@ void WebContents::DidUpdateFaviconURL(
         iter->icon_url.is_valid())
       unique_urls.insert(iter->icon_url);
   }
+  // Only emit if favicon URLs actually changed
+  if (unique_urls == last_favicon_urls_)
+    return;
+  last_favicon_urls_ = unique_urls;
+
   Emit("page-favicon-updated", unique_urls);
 }
 

shell/browser/api/electron_api_web_contents.h

@@ -11,6 +11,7 @@
 #include <string>
 #include <vector>
 
+#include "base/containers/flat_set.h"
 #include "base/functional/callback_forward.h"
 #include "base/memory/raw_ptr.h"
 #include "base/memory/raw_ptr_exclusion.h"
@@ -462,6 +463,9 @@ class WebContents final : public ExclusiveAccessContext,
   WebContents& operator=(const WebContents&) = delete;
 
  private:
+  // Store last emitted favicon URLs to avoid duplicate page-favicon-updated
+  // events
+  base::flat_set<GURL> last_favicon_urls_;
   // Does not manage lifetime of |web_contents|.
   WebContents(v8::Isolate* isolate, content::WebContents* web_contents);
   // Takes over ownership of |web_contents|.

shell/browser/api/electron_api_web_contents_view.cc

@@ -83,13 +83,17 @@ void WebContentsView::ApplyBorderRadius() {
 
 int WebContentsView::NonClientHitTest(const gfx::Point& point) {
   if (api_web_contents_) {
+    auto* iwc = api_web_contents_->inspectable_web_contents();
+    if (!iwc)
+      return HTNOWHERE;
     // Convert the point to the contents view's coordinate space rather than
     // the InspectableWebContentsView's coordinate space, because the draggable
     // region is relative to the web content area. When DevTools is docked
     // (e.g. to the left), the contents view is offset within the parent,
     // so we need to account for that offset.
-    auto* inspectable_view =
-        api_web_contents_->inspectable_web_contents()->GetView();
+    auto* inspectable_view = iwc->GetView();
+    if (!inspectable_view)
+      return HTNOWHERE;
     auto* contents_view = inspectable_view->GetContentsView();
     gfx::Point local_point(point);
     views::View::ConvertPointFromWidget(contents_view, &local_point);

shell/browser/browser.cc

@@ -9,7 +9,9 @@
 #include <utility>
 
 #include "base/files/file_util.h"
+#include "base/logging.h"
 #include "base/path_service.h"
+#include "base/strings/string_util.h"
 #include "base/task/single_thread_task_runner.h"
 #include "base/threading/thread_restrictions.h"
 #include "chrome/common/chrome_paths.h"
@@ -71,6 +73,29 @@ Browser* Browser::Get() {
   return ElectronBrowserMainParts::Get()->browser();
 }
 
+// static
+bool Browser::IsValidProtocolScheme(const std::string& scheme) {
+  // RFC 3986 Section 3.1:
+  // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
+  if (scheme.empty()) {
+    LOG(ERROR) << "Protocol scheme must not be empty";
+    return false;
+  }
+  if (!base::IsAsciiAlpha(scheme[0])) {
+    LOG(ERROR) << "Protocol scheme must start with an ASCII letter";
+    return false;
+  }
+  for (size_t i = 1; i < scheme.size(); ++i) {
+    const char c = scheme[i];
+    if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c) && c != '+' &&
+        c != '-' && c != '.') {
+      LOG(ERROR) << "Protocol scheme contains invalid character: '" << c << "'";
+      return false;
+    }
+  }
+  return true;
+}
+
 #if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_LINUX)
 void Browser::Focus(gin::Arguments* args) {
   // Focus on the first visible window.

shell/browser/browser.h

@@ -134,6 +134,10 @@ class Browser : private WindowListObserver {
   void SetAppUserModelID(const std::wstring& name);
 #endif
 
+  // Validate that a protocol scheme conforms to RFC 3986:
+  // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
+  static bool IsValidProtocolScheme(const std::string& scheme);
+
   // Remove the default protocol handler registry key
   bool RemoveAsDefaultProtocolClient(const std::string& protocol,
                                      gin::Arguments* args);

shell/browser/browser_linux.cc

@@ -103,16 +103,19 @@ void Browser::ClearRecentDocuments() {}
 
 bool Browser::SetAsDefaultProtocolClient(const std::string& protocol,
                                          gin::Arguments* args) {
+  if (!IsValidProtocolScheme(protocol))
+    return false;
+
   return SetDefaultWebClient(protocol);
 }
 
 bool Browser::IsDefaultProtocolClient(const std::string& protocol,
                                       gin::Arguments* args) {
-  auto env = base::Environment::Create();
-
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
+  auto env = base::Environment::Create();
+
   std::vector<std::string> argv = {kXdgSettings, "check",
                                    kXdgSettingsDefaultSchemeHandler, protocol};
   if (std::optional<std::string> desktop_name = env->GetVar("CHROME_DESKTOP")) {

shell/browser/browser_mac.mm

@@ -233,7 +233,7 @@ bool Browser::RemoveAsDefaultProtocolClient(const std::string& protocol,
 
 bool Browser::SetAsDefaultProtocolClient(const std::string& protocol,
                                          gin::Arguments* args) {
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
   NSString* identifier = [base::apple::MainBundle() bundleIdentifier];
@@ -249,7 +249,7 @@ bool Browser::SetAsDefaultProtocolClient(const std::string& protocol,
 
 bool Browser::IsDefaultProtocolClient(const std::string& protocol,
                                       gin::Arguments* args) {
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
   NSString* identifier = [base::apple::MainBundle() bundleIdentifier];

shell/browser/browser_win.cc

@@ -37,6 +37,7 @@
 #include "shell/browser/ui/win/jump_list.h"
 #include "shell/browser/window_list.h"
 #include "shell/common/application_info.h"
+#include "shell/common/command_line_util_win.h"
 #include "shell/common/gin_converters/file_path_converter.h"
 #include "shell/common/gin_converters/image_converter.h"
 #include "shell/common/gin_converters/login_item_settings_converter.h"
@@ -79,13 +80,22 @@ bool GetProtocolLaunchPath(gin::Arguments* args, std::wstring* exe) {
     return false;
   }
 
+  // Strip surrounding double quotes before re-quoting with AddQuoteForArg.
+  if (exe->size() >= 2 && exe->front() == L'"' && exe->back() == L'"') {
+    *exe = exe->substr(1, exe->size() - 2);
+  }
+
   // Read in optional args arg
   std::vector<std::wstring> launch_args;
   if (args->GetNext(&launch_args) && !launch_args.empty()) {
-    std::wstring joined_args = base::JoinString(launch_args, L"\" \"");
-    *exe = base::StrCat({L"\"", *exe, L"\" \"", joined_args, L"\" \"%1\""});
+    std::wstring result = electron::AddQuoteForArg(*exe);
+    for (const auto& arg : launch_args) {
+      result += L' ';
+      result += electron::AddQuoteForArg(arg);
+    }
+    *exe = base::StrCat({result, L" \"%1\""});
   } else {
-    *exe = base::StrCat({L"\"", *exe, L"\" \"%1\""});
+    *exe = base::StrCat({electron::AddQuoteForArg(*exe), L" \"%1\""});
   }
 
   return true;
@@ -153,9 +163,18 @@ bool FormatCommandLineString(std::wstring* exe,
     return false;
   }
 
+  // Strip surrounding double quotes before re-quoting with AddQuoteForArg.
+  if (exe->size() >= 2 && exe->front() == L'"' && exe->back() == L'"') {
+    *exe = exe->substr(1, exe->size() - 2);
+  }
+
+  *exe = electron::AddQuoteForArg(*exe);
+
   if (!launch_args.empty()) {
-    std::u16string joined_launch_args = base::JoinString(launch_args, u" ");
-    *exe = base::StrCat({*exe, L" ", base::AsWStringView(joined_launch_args)});
+    for (const auto& arg : launch_args) {
+      *exe += L' ';
+      *exe += electron::AddQuoteForArg(std::wstring(base::AsWStringView(arg)));
+    }
   }
 
   return true;
@@ -410,7 +429,7 @@ bool Browser::SetUserTasks(const std::vector<UserTask>& tasks) {
 
 bool Browser::RemoveAsDefaultProtocolClient(const std::string& protocol,
                                             gin::Arguments* args) {
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
   // Main Registry Key
@@ -489,7 +508,7 @@ bool Browser::SetAsDefaultProtocolClient(const std::string& protocol,
   // Software\Classes", which is inherited by "HKEY_CLASSES_ROOT"
   // anyway, and can be written by unprivileged users.
 
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
   std::wstring exe;
@@ -519,7 +538,7 @@ bool Browser::SetAsDefaultProtocolClient(const std::string& protocol,
 
 bool Browser::IsDefaultProtocolClient(const std::string& protocol,
                                       gin::Arguments* args) {
-  if (protocol.empty())
+  if (!IsValidProtocolScheme(protocol))
     return false;
 
   std::wstring exe;

shell/browser/hid/hid_chooser_controller.cc

@@ -88,13 +88,9 @@ HidChooserController::HidChooserController(
       exclusion_filters_(std::move(exclusion_filters)),
       callback_(std::move(callback)),
       initiator_document_(render_frame_host->GetWeakDocumentPtr()),
-      origin_(content::WebContents::FromRenderFrameHost(render_frame_host)
-                  ->GetPrimaryMainFrame()
-                  ->GetLastCommittedOrigin()),
+      origin_(render_frame_host->GetLastCommittedOrigin()),
       hid_delegate_(hid_delegate),
       render_frame_host_id_(render_frame_host->GetGlobalId()) {
-  // The use above of GetMainFrame is safe as content::HidService instances are
-  // not created for fenced frames.
   DCHECK(!render_frame_host->IsNestedWithinFencedFrame());
 
   chooser_context_ = HidChooserContextFactory::GetForBrowserContext(

shell/browser/linux/x11_util.cc

@@ -4,13 +4,27 @@
 
 #include "shell/browser/linux/x11_util.h"
 
+#include "build/build_config.h"
 #include "ui/ozone/platform_selection.h"  // nogncheck
 
 namespace x11_util {
 
 bool IsX11() {
-  static const bool is_x11 = ui::GetOzonePlatformId() == ui::kPlatformX11;
-  return is_x11;
+#if BUILDFLAG(IS_LINUX)
+  static const bool is = ui::GetOzonePlatformId() == ui::kPlatformX11;
+  return is;
+#else
+  return false;
+#endif
+}
+
+bool IsWayland() {
+#if BUILDFLAG(IS_LINUX)
+  static const bool is = ui::GetOzonePlatformId() == ui::kPlatformWayland;
+  return is;
+#else
+  return false;
+#endif
 }
 
 }  // namespace x11_util

shell/browser/linux/x11_util.h

@@ -7,7 +7,8 @@
 
 namespace x11_util {
 
-bool IsX11();
+[[nodiscard]] bool IsX11();
+[[nodiscard]] bool IsWayland();
 
 }  // namespace x11_util
 

shell/browser/native_window_mac.h

@@ -170,6 +170,12 @@ class NativeWindowMac : public NativeWindow,
   void NotifyWindowDidFailToEnterFullScreen();
   void NotifyWindowWillLeaveFullScreen();
 
+  // Hide/show traffic light buttons around miniaturize/deminiaturize to
+  // prevent them from flashing at the default position during the restore
+  // animation when a custom trafficLightPosition is configured.
+  void HideTrafficLights();
+  void RestoreTrafficLights();
+
   // Cleanup observers when window is getting closed. Note that the destructor
   // can be called much later after window gets closed, so we should not do
   // cleanup in destructor.

shell/browser/native_window_mac.mm

@@ -1498,6 +1498,18 @@ void NativeWindowMac::RedrawTrafficLights() {
     [buttons_proxy_ redraw];
 }
 
+void NativeWindowMac::HideTrafficLights() {
+  if (buttons_proxy_)
+    [buttons_proxy_ setVisible:NO];
+}
+
+void NativeWindowMac::RestoreTrafficLights() {
+  if (buttons_proxy_ && window_button_visibility_.value_or(true)) {
+    [buttons_proxy_ redraw];
+    [buttons_proxy_ setVisible:YES];
+  }
+}
+
 // In simpleFullScreen mode, update the frame for new bounds.
 void NativeWindowMac::UpdateFrame() {
   NSWindow* window = GetNativeWindow().GetNativeNSWindow();

shell/browser/native_window_views.cc

@@ -999,17 +999,13 @@ void NativeWindowViews::MoveTop() {
 
 bool NativeWindowViews::CanResize() const {
 #if BUILDFLAG(IS_WIN)
-  return resizable_ && thick_frame_;
+  return has_frame() ? resizable_ && thick_frame_ : resizable_;
 #else
   return resizable_;
 #endif
 }
 
 bool NativeWindowViews::IsResizable() const {
-#if BUILDFLAG(IS_WIN)
-  if (has_frame())
-    return ::GetWindowLong(GetAcceleratedWidget(), GWL_STYLE) & WS_THICKFRAME;
-#endif
   return CanResize();
 }
 

shell/browser/net/electron_url_loader_factory.cc

@@ -24,6 +24,7 @@
 #include "net/base/filename_util.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_status_code.h"
+#include "net/http/http_util.h"
 #include "net/url_request/redirect_util.h"
 #include "services/network/public/cpp/resource_request.h"
 #include "services/network/public/cpp/shared_url_loader_factory.h"
@@ -138,13 +139,17 @@ network::mojom::URLResponseHeadPtr ToResponseHead(
   base::Value::Dict headers;
   if (dict.Get("headers", &headers)) {
     for (const auto iter : headers) {
+      if (!net::HttpUtil::IsValidHeaderName(iter.first))
+        continue;
       if (iter.second.is_string()) {
         // key, value
-        head->headers->AddHeader(iter.first, iter.second.GetString());
+        if (net::HttpUtil::IsValidHeaderValue(iter.second.GetString()))
+          head->headers->AddHeader(iter.first, iter.second.GetString());
       } else if (iter.second.is_list()) {
         // key: [values...]
         for (const auto& item : iter.second.GetList()) {
-          if (item.is_string())
+          if (item.is_string() &&
+              net::HttpUtil::IsValidHeaderValue(item.GetString()))
             head->headers->AddHeader(iter.first, item.GetString());
         }
       } else {

shell/browser/notifications/notification.cc

@@ -46,9 +46,10 @@ void Notification::NotificationClicked() {
   Destroy();
 }
 
-void Notification::NotificationDismissed(bool should_destroy) {
+void Notification::NotificationDismissed(bool should_destroy,
+                                         const std::string& close_reason) {
   if (delegate())
-    delegate()->NotificationClosed();
+    delegate()->NotificationClosed(close_reason);
 
   set_is_dismissed(true);
 

shell/browser/notifications/notification.h

@@ -76,7 +76,8 @@ class Notification {
 
   // Should be called by derived classes.
   void NotificationClicked();
-  void NotificationDismissed(bool should_destroy = true);
+  void NotificationDismissed(bool should_destroy = true,
+                             const std::string& close_reason = "");
   void NotificationFailed(const std::string& error = "");
 
   // delete this.

shell/browser/notifications/notification_delegate.h

@@ -24,7 +24,7 @@ class NotificationDelegate {
   virtual void NotificationAction(int action_index, int selection_index = -1) {}
 
   virtual void NotificationClick() {}
-  virtual void NotificationClosed() {}
+  virtual void NotificationClosed(const std::string& reason = "") {}
   virtual void NotificationDisplayed() {}
 
  protected: