diff -Nru chromium-browser-62.0.3202.75/build/util/LASTCHANGE chromium-browser-62.0.3202.89/build/util/LASTCHANGE --- chromium-browser-62.0.3202.75/build/util/LASTCHANGE 2017-10-26 19:07:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/build/util/LASTCHANGE 2017-11-06 20:07:18.000000000 +0000 @@ -1 +1 @@ -LASTCHANGE=a81f9fcaaff35205d07ef634bd8fc79e088c68ac- +LASTCHANGE=ba7a0041073a5e9928d277806bfe24c325d113e5- diff -Nru chromium-browser-62.0.3202.75/build/util/LASTCHANGE.blink chromium-browser-62.0.3202.89/build/util/LASTCHANGE.blink --- chromium-browser-62.0.3202.75/build/util/LASTCHANGE.blink 2017-10-26 19:07:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/build/util/LASTCHANGE.blink 2017-11-06 20:07:18.000000000 +0000 @@ -1 +1 @@ -LASTCHANGE=a81f9fcaaff35205d07ef634bd8fc79e088c68ac- +LASTCHANGE=ba7a0041073a5e9928d277806bfe24c325d113e5- diff -Nru chromium-browser-62.0.3202.75/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappInterceptNavigationDelegate.java chromium-browser-62.0.3202.89/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappInterceptNavigationDelegate.java --- chromium-browser-62.0.3202.75/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappInterceptNavigationDelegate.java 2017-10-26 19:05:36.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappInterceptNavigationDelegate.java 2017-11-06 20:05:20.000000000 +0000 
@@ -30,6 +30,7 @@ } if (UrlUtilities.isValidForIntentFallbackNavigation(navigationParams.url) + && !navigationParams.isPost && isUrlOutsideWebappScope(mActivity.mWebappInfo, navigationParams.url)) { CustomTabsIntent.Builder intentBuilder = new CustomTabsIntent.Builder(); intentBuilder.setShowTitle(true); diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/arc/arc_util.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/arc/arc_util.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/arc/arc_util.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/arc/arc_util.cc 2017-11-06 20:05:20.000000000 +0000 @@ -19,7 +19,6 @@ #include "base/threading/thread_restrictions.h" #include "chrome/browser/chromeos/arc/arc_session_manager.h" #include "chrome/browser/chromeos/arc/policy/arc_policy_util.h" -#include "chrome/browser/chromeos/login/session/user_session_manager.h" #include "chrome/browser/chromeos/login/user_flow.h" #include "chrome/browser/chromeos/login/users/chrome_user_manager.h" #include "chrome/browser/chromeos/profiles/profile_helper.h" @@ -225,13 +224,6 @@ return false; } - if (chromeos::UserSessionManager::NeedRestartToApplyPerSessionFlagsForProfile( - profile)) { - // Quickly restarting ARC instance can cause black screen. crbug.com/758820. - VLOG(1) << "Do not start ARC because chrome will restart"; - return false; - } - return true; } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc 2017-11-06 20:05:20.000000000 +0000 
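Review bot: The new `&& !navigationParams.isPost` guard carries no explanation, so a reader cannot tell why POST navigations are kept inside the web app instead of being handed to the Custom Tab like other out-of-scope URLs. If the rationale is that the fallback intent carries only a URL and would replay the request without its body, say so on the added line, e.g. `// Keep POST navigations in-app: the fallback intent cannot carry the request body.` (confirm that this is the reason before committing the wording). The enclosing method starts and ends outside the hunk.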
@@ -234,8 +234,17 @@ void AutoEnrollmentController::StartClient( const std::vector& state_keys) { if (state_keys.empty()) { - LOG(ERROR) << "No state keys available!"; - UpdateState(policy::AUTO_ENROLLMENT_STATE_NO_ENROLLMENT); + LOG(ERROR) << "No state keys available"; + if (fre_requirement_ == EXPLICITLY_REQUIRED) { + g_browser_process->platform_part() + ->browser_policy_connector_chromeos() + ->GetStateKeysBroker() + ->RequestStateKeys( + base::Bind(&AutoEnrollmentController::StartClient, + client_start_weak_factory_.GetWeakPtr())); + } else { + UpdateState(policy::AUTO_ENROLLMENT_STATE_NO_ENROLLMENT); + } return; } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/session/user_session_manager.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/session/user_session_manager.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/session/user_session_manager.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/session/user_session_manager.cc 2017-11-06 20:05:20.000000000 +0000 
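Review bot: The `EXPLICITLY_REQUIRED` branch re-requests state keys without any bound: if the broker keeps delivering an empty set, `RequestStateKeys` invokes `StartClient` again, which requests again, and the controller never reaches a terminal state. If blocking until keys arrive is intended when re-enrollment is mandatory, document it on the branch, e.g. `// FRE is mandatory: keep asking for state keys instead of giving up, so a transient failure cannot skip the enrollment check.`, and consider counting attempts in a `LOG(WARNING)` so a stuck device is diagnosable. The weak pointer protects against the callback outliving the controller, but does nothing to end the retry cycle. `StartClient`'s body continues outside the hunk.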
@@ -1909,19 +1909,6 @@ callback.Run(); } -// static -bool UserSessionManager::NeedRestartToApplyPerSessionFlagsForProfile( - const Profile* profile) { - if (base::CommandLine::ForCurrentProcess()->HasSwitch(switches::kLoginUser)) - return false; - - const base::CommandLine user_flags( - CreatePerSessionCommandLine(const_cast(profile))); - std::set command_line_difference; - return NeedRestartToApplyPerSessionFlags(user_flags, - &command_line_difference); -} - void UserSessionManager::RemoveProfileForTesting(Profile* profile) { default_ime_states_.erase(profile); } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/session/user_session_manager.h chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/session/user_session_manager.h --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/login/session/user_session_manager.h 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/login/session/user_session_manager.h 2017-11-06 20:05:20.000000000 +0000 @@ -253,9 +253,6 @@ void Shutdown(); - static bool NeedRestartToApplyPerSessionFlagsForProfile( - const Profile* profile); - private: friend class test::UserSessionManagerTestApi; friend struct base::DefaultSingletonTraits; diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/policy/server_backed_state_keys_broker.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/policy/server_backed_state_keys_broker.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/policy/server_backed_state_keys_broker.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/policy/server_backed_state_keys_broker.cc 2017-11-06 20:05:21.000000000 +0000 
@@ -72,12 +72,12 @@ bool send_notification = !initial_retrieval_completed_; requested_ = false; - initial_retrieval_completed_ = true; if (state_keys.empty()) { LOG(WARNING) << "Failed to obtain server-backed state keys."; } else if (base::ContainsValue(state_keys, std::string())) { LOG(WARNING) << "Bad state keys."; } else { + initial_retrieval_completed_ = true; send_notification |= state_keys_ != state_keys; state_keys_ = state_keys; } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/tether/tether_service.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/tether/tether_service.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/tether/tether_service.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/tether/tether_service.cc 2017-11-06 20:05:21.000000000 +0000 @@ -481,9 +481,6 @@ if (!GetIsBleAdvertisingSupportedPref()) return BLE_ADVERTISING_NOT_SUPPORTED; - if (session_manager_client_->IsScreenLocked()) - return SCREEN_LOCKED; - if (!HasSyncedTetherHosts()) return NO_AVAILABLE_HOSTS; diff -Nru chromium-browser-62.0.3202.75/chrome/browser/chromeos/tether/tether_service_unittest.cc chromium-browser-62.0.3202.89/chrome/browser/chromeos/tether/tether_service_unittest.cc --- chromium-browser-62.0.3202.75/chrome/browser/chromeos/tether/tether_service_unittest.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/chromeos/tether/tether_service_unittest.cc 2017-11-06 20:05:21.000000000 +0000 
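Review bot: `initial_retrieval_completed_` now stays false on both failure branches, so `send_notification`, computed from it at the top of the hunk, is true on every failed retrieval until one succeeds; whether that produces repeated notifications depends on code past the end of the hunk. The moved line deserves a comment stating the new contract, e.g. `// Only a successful retrieval counts as completed; failures leave the flag clear so the next request is treated as the initial one and retried.`. The enclosing function starts and ends outside the hunk.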
@@ -537,31 +537,6 @@ 1 /* expected_count */); } -TEST_F(TetherServiceTest, TestScreenLock) { - CreateTetherService(); - VerifyTetherActiveStatus(true /* expected_active */); - - SetIsScreenLocked(true); - - EXPECT_EQ( - chromeos::NetworkStateHandler::TechnologyState::TECHNOLOGY_UNAVAILABLE, - network_state_handler()->GetTechnologyState( - chromeos::NetworkTypePattern::Tether())); - VerifyTetherActiveStatus(false /* expected_active */); - - SetIsScreenLocked(false); - - EXPECT_EQ(chromeos::NetworkStateHandler::TechnologyState::TECHNOLOGY_ENABLED, - network_state_handler()->GetTechnologyState( - chromeos::NetworkTypePattern::Tether())); - VerifyTetherActiveStatus(true /* expected_active */); - - SetIsScreenLocked(true); - - VerifyTetherFeatureStateRecorded( - TetherService::TetherFeatureState::SCREEN_LOCKED, 2 /* expected_count */); -} - TEST_F(TetherServiceTest, TestFeatureFlagDisabled_CommandLineDisabled) { EXPECT_FALSE(TetherService::Get(profile_.get())); } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/domain_reliability/browsertest.cc chromium-browser-62.0.3202.89/chrome/browser/domain_reliability/browsertest.cc --- chromium-browser-62.0.3202.75/chrome/browser/domain_reliability/browsertest.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/domain_reliability/browsertest.cc 2017-11-06 20:05:21.000000000 +0000 @@ -3,8 +3,11 @@ // found in the LICENSE file. #include "base/command_line.h" +#include "base/json/json_reader.h" #include "base/macros.h" #include "base/memory/ptr_util.h" +#include "base/run_loop.h" +#include "base/test/values_test_util.h" #include "chrome/browser/domain_reliability/service_factory.h" #include "chrome/browser/profiles/profile.h" #include "chrome/browser/ui/browser.h" 
@@ -13,6 +16,9 @@ #include "chrome/test/base/ui_test_utils.h" #include "components/domain_reliability/service.h" #include "net/base/net_errors.h" +#include "net/test/embedded_test_server/embedded_test_server.h" +#include "net/test/embedded_test_server/http_request.h" +#include "net/test/embedded_test_server/http_response.h" #include "net/test/url_request/url_request_failed_job.h" #include "url/gurl.h" 
@@ -74,6 +80,94 @@ EXPECT_TRUE(GetService()); } +static const char kUploadPath[] = "/domainreliability/upload"; + +std::unique_ptr TestRequestHandler( + int* request_count_out, + std::string* last_request_content_out, + const base::Closure& quit_closure, + const net::test_server::HttpRequest& request) { + if (request.relative_url != kUploadPath) + return std::unique_ptr(); + + ++*request_count_out; + *last_request_content_out = request.has_content ? request.content : ""; + + quit_closure.Run(); + + auto response = base::MakeUnique(); + response->set_code(net::HTTP_OK); + response->set_content(""); + response->set_content_type("text/plain"); + return std::move(response); +} + +IN_PROC_BROWSER_TEST_F(DomainReliabilityBrowserTest, Upload) { + DomainReliabilityService* service = GetService(); + + base::RunLoop run_loop; + + net::test_server::EmbeddedTestServer test_server( + (net::test_server::EmbeddedTestServer::TYPE_HTTPS)); + + // This is cribbed from //chrome/test/ppapi/ppapi_test.cc; it shouldn't + // matter, as we don't actually use any of the handlers that access the + // filesystem. + base::FilePath document_root; + ASSERT_TRUE(ui_test_utils::GetRelativeBuildDirectory(&document_root)); + test_server.AddDefaultHandlers(document_root); + + // Register a same-origin collector to receive report uploads so we can check + // the full path. (Domain Reliability elides the path for privacy reasons when + // uploading to non-same-origin collectors.) 
+ int request_count = 0; + std::string last_request_content; + test_server.RegisterRequestHandler( + base::Bind(&TestRequestHandler, &request_count, &last_request_content, + run_loop.QuitClosure())); + + ASSERT_TRUE(test_server.Start()); + + GURL error_url = test_server.GetURL("/close-socket"); + GURL upload_url = test_server.GetURL(kUploadPath); + + auto config = base::MakeUnique(); + config->origin = test_server.base_url().GetOrigin(); + config->include_subdomains = false; + config->collectors.push_back(base::MakeUnique(upload_url)); + config->success_sample_rate = 1.0; + config->failure_sample_rate = 1.0; + service->AddContextForTesting(std::move(config)); + + // Trigger an error. + + ui_test_utils::NavigateToURL(browser(), error_url); + + service->ForceUploadsForTesting(); + + run_loop.Run(); + + EXPECT_EQ(1, request_count); + EXPECT_NE("", last_request_content); + + auto body = base::JSONReader::Read(last_request_content); + ASSERT_TRUE(body); + + const base::DictionaryValue* dict; + ASSERT_TRUE(body->GetAsDictionary(&dict)); + + const base::ListValue* entries; + ASSERT_TRUE(dict->GetList("entries", &entries)); + ASSERT_EQ(1u, entries->GetSize()); + + const base::DictionaryValue* entry; + ASSERT_TRUE(entries->GetDictionary(0u, &entry)); + + std::string url; + ASSERT_TRUE(entry->GetString("url", &url)); + EXPECT_EQ(url, error_url.spec()); +} + IN_PROC_BROWSER_TEST_F(DomainReliabilityBrowserTest, UploadAtShutdown) { DomainReliabilityService* service = GetService(); diff -Nru chromium-browser-62.0.3202.75/chrome/browser/net/chrome_network_delegate.h chromium-browser-62.0.3202.89/chrome/browser/net/chrome_network_delegate.h --- chromium-browser-62.0.3202.75/chrome/browser/net/chrome_network_delegate.h 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/net/chrome_network_delegate.h 2017-11-06 20:05:21.000000000 +0000 
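Review bot: `TestRequestHandler` is a free function with external linkage in a test binary, while `kUploadPath` just above it is `static`; put both in the anonymous namespace (or make the function `static`) so the name cannot collide with a handler of the same name in another browser test linked into the same executable. The handler also runs `quit_closure` on every request to `kUploadPath`, so `run_loop.Run()` returns after the first upload and the later `EXPECT_EQ(1, request_count)` only observes uploads that arrived before that point; a comment such as `// The first upload ends the run loop; later uploads would not be counted.` makes that limit explicit.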
@@ -114,6 +114,10 @@ domain_reliability_monitor_ = std::move(monitor); } + domain_reliability::DomainReliabilityMonitor* domain_reliability_monitor() { + return domain_reliability_monitor_.get(); + } + void set_data_use_aggregator( data_usage::DataUseAggregator* data_use_aggregator, bool is_data_usage_off_the_record); diff -Nru chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_impl_io_data.cc chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_impl_io_data.cc --- chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_impl_io_data.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_impl_io_data.cc 2017-11-06 20:05:21.000000000 +0000 @@ -405,15 +405,11 @@ ProfileImplIOData::ProfileImplIOData() : ProfileIOData(Profile::REGULAR_PROFILE), http_server_properties_manager_(NULL), - domain_reliability_monitor_(nullptr), app_cache_max_size_(0), app_media_cache_max_size_(0) { } ProfileImplIOData::~ProfileImplIOData() { - if (domain_reliability_monitor_) - domain_reliability_monitor_->Shutdown(); - DestroyResourceContext(); if (media_request_context_) 
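Review bot: The new `domain_reliability_monitor()` accessor hands out a raw pointer into a `unique_ptr` member without stating ownership or nullability, and this same commit caches that pointer across the delegate's move into the URLRequestContext. Suggest a comment above it: `// Non-owning; null until set_domain_reliability_monitor() has been called. Valid only while this delegate is alive.`.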
@@ -425,15 +421,6 @@ IOThread* io_thread, std::unique_ptr chrome_network_delegate) const { if (lazy_params_->domain_reliability_monitor) { - // Hold on to a raw pointer to call Shutdown() in ~ProfileImplIOData. - domain_reliability_monitor_ = - lazy_params_->domain_reliability_monitor.get(); - - domain_reliability_monitor_->InitURLRequestContext(main_request_context()); - domain_reliability_monitor_->AddBakedInConfigs(); - domain_reliability_monitor_->SetDiscardUploads( - !GetMetricsEnabledStateOnIOThread()); - chrome_network_delegate->set_domain_reliability_monitor( std::move(lazy_params_->domain_reliability_monitor)); } diff -Nru chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_impl_io_data.h chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_impl_io_data.h --- chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_impl_io_data.h 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_impl_io_data.h 2017-11-06 20:05:21.000000000 +0000 @@ -226,10 +226,6 @@ mutable std::unique_ptr media_request_context_; - // Owned by ChromeNetworkDelegate (which is owned by |network_delegate_|). - mutable domain_reliability::DomainReliabilityMonitor* - domain_reliability_monitor_; - // Parameters needed for isolated apps. base::FilePath profile_path_; int app_cache_max_size_; diff -Nru chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_io_data.cc chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_io_data.cc --- chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_io_data.cc 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_io_data.cc 2017-11-06 20:05:21.000000000 +0000 
@@ -65,6 +65,7 @@ #include "components/cookie_config/cookie_store_util.h" #include "components/data_reduction_proxy/core/browser/data_reduction_proxy_io_data.h" #include "components/dom_distiller/core/url_constants.h" +#include "components/domain_reliability/monitor.h" #include "components/metrics/metrics_pref_names.h" #include "components/metrics/metrics_service.h" #include "components/net_log/chrome_net_log.h" @@ -628,6 +629,7 @@ #endif main_request_context_(nullptr), resource_context_(new ResourceContext(this)), + domain_reliability_monitor_unowned_(nullptr), profile_type_(profile_type) { DCHECK_CURRENTLY_ON(BrowserThread::UI); } @@ -678,6 +680,9 @@ static_cast(it->second), sizeof(void*)); } + if (domain_reliability_monitor_unowned_) + domain_reliability_monitor_unowned_->Shutdown(); + if (main_request_context_) { // Prevent the TreeStateTracker from getting any more notifications by // severing the link between it and the CTVerifier and unregistering it from @@ -1059,6 +1064,9 @@ chrome_network_delegate->set_data_use_aggregator( io_thread_globals->data_use_aggregator.get(), IsOffTheRecord()); + ChromeNetworkDelegate* chrome_network_delegate_unowned = + chrome_network_delegate.get(); + std::unique_ptr network_delegate = ConfigureNetworkDelegate(profile_params_->io_thread, std::move(chrome_network_delegate)); 
@@ -1161,6 +1169,19 @@ std::move(profile_params_->main_network_context_params), std::move(builder), &main_request_context_); + if (chrome_network_delegate_unowned->domain_reliability_monitor()) { + // Save a pointer to shut down Domain Reliability cleanly before the + // URLRequestContext is dismantled. + domain_reliability_monitor_unowned_ = + chrome_network_delegate_unowned->domain_reliability_monitor(); + + domain_reliability_monitor_unowned_->InitURLRequestContext( + main_request_context_); + domain_reliability_monitor_unowned_->AddBakedInConfigs(); + domain_reliability_monitor_unowned_->SetDiscardUploads( + !GetMetricsEnabledStateOnIOThread()); + } + #if BUILDFLAG(ENABLE_EXTENSIONS) extension_cookie_notifier_ = std::move(profile_params_->extension_cookie_notifier); diff -Nru chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_io_data.h chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_io_data.h --- chromium-browser-62.0.3202.75/chrome/browser/profiles/profile_io_data.h 2017-10-26 19:05:37.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/profiles/profile_io_data.h 2017-11-06 20:05:21.000000000 +0000 @@ -68,6 +68,10 @@ class DataReductionProxyIOData; } +namespace domain_reliability { +class DomainReliabilityMonitor; +} + namespace extensions { class ExtensionThrottleManager; class InfoMap; 
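Review bot: `chrome_network_delegate_unowned` is dereferenced here after `chrome_network_delegate` was moved into `ConfigureNetworkDelegate` (earlier hunk of this file), so its validity rests on that call and the builder keeping the same `ChromeNetworkDelegate` alive inside `main_request_context_`, which the hunk cannot show. The monitor pointer can be taken before the move instead, which removes the dangling-prone delegate pointer: replace the two `chrome_network_delegate_unowned` lines in the earlier hunk with `domain_reliability_monitor_unowned_ = chrome_network_delegate->domain_reliability_monitor();` placed before `std::move(chrome_network_delegate)`, and test `domain_reliability_monitor_unowned_` here. The monitor's own lifetime is still tied to the delegate, so the comment on the member in profile_io_data.h remains the authoritative statement of ownership. The enclosing function starts and ends outside the hunk.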
@@ -627,6 +631,12 @@ ct_tree_tracker_; mutable base::Closure ct_tree_tracker_unregistration_; + // Owned by the ChromeNetworkDelegate, which is owned (possibly with one or + // more layers of LayeredNetworkDelegate) by the URLRequestContext, which is + // owned by main_network_context_. + mutable domain_reliability::DomainReliabilityMonitor* + domain_reliability_monitor_unowned_; + const Profile::ProfileType profile_type_; DISALLOW_COPY_AND_ASSIGN(ProfileIOData); diff -Nru chromium-browser-62.0.3202.75/chrome/browser/ui/webui/settings/chromeos/cups_printers_handler.cc chromium-browser-62.0.3202.89/chrome/browser/ui/webui/settings/chromeos/cups_printers_handler.cc --- chromium-browser-62.0.3202.75/chrome/browser/ui/webui/settings/chromeos/cups_printers_handler.cc 2017-10-26 19:05:38.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/browser/ui/webui/settings/chromeos/cups_printers_handler.cc 2017-11-06 20:05:22.000000000 +0000 @@ -184,7 +184,9 @@ return host; } -// Returns a JSON representation of |printer| as a CupsPrinterInfo. +// Returns a JSON representation of |printer| as a CupsPrinterInfo. Note it's +// possible that this function returns a nullptr if the printer url is not in +// the right format. std::unique_ptr GetPrinterInfo(const Printer& printer) { std::unique_ptr printer_info = CreateEmptyPrinterInfo(); @@ -308,7 +310,11 @@ auto printers_list = base::MakeUnique(); for (const Printer& printer : printers) { - printers_list->Append(GetPrinterInfo(printer)); + // TODO(skau): Theoretically |printer_info| should not be a nullptr as we + // should not allow adding an invalid configured printer to PrinterManager. + auto printer_info = GetPrinterInfo(printer); + if (printer_info) + printers_list->Append(std::move(printer_info)); } auto response = base::MakeUnique(); 
@@ -495,6 +501,14 @@ printer_uri += "/" + printer_queue; } + // Validate uri before continuing. + PrinterUri uri; + if (!ParseUri(printer_uri, &uri)) { + LOG(ERROR) << "Failed to parse printer"; + OnAddPrinterError(); + return; + } + // Read PPD selection if it was used. std::string ppd_manufacturer; std::string ppd_model; @@ -772,10 +786,14 @@ std::unique_ptr printers_list = base::MakeUnique(); for (const Printer& printer : automatic_printers_) { - printers_list->Append(GetPrinterInfo(printer)); + auto printer_info = GetPrinterInfo(printer); + if (printer_info) + printers_list->Append(std::move(printer_info)); } for (const Printer& printer : discovered_printers_) { - printers_list->Append(GetPrinterInfo(printer)); + auto printer_info = GetPrinterInfo(printer); + if (printer_info) + printers_list->Append(std::move(printer_info)); } FireWebUIListener("on-printer-discovered", *printers_list); @@ -790,9 +808,11 @@ CHECK(args->GetString(0, &printer_id)); std::unique_ptr printer = printers_manager_->GetPrinter(printer_id); - if (printer == nullptr) { + PrinterUri uri; + if (printer == nullptr || !ParseUri(printer->uri(), &uri)) { // Printer disappeared, so we don't have information about it anymore and - // can't really do much. Fail the add. + // can't really do much. Or the printer uri was not parsed successfully. + // Fail the add. FireWebUIListener("on-add-cups-printer", base::Value(false), base::Value(printer_id)); return; diff -Nru chromium-browser-62.0.3202.75/chrome/VERSION chromium-browser-62.0.3202.89/chrome/VERSION --- chromium-browser-62.0.3202.75/chrome/VERSION 2017-10-26 19:05:36.000000000 +0000 +++ chromium-browser-62.0.3202.89/chrome/VERSION 2017-11-06 20:05:19.000000000 +0000 
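Review bot: The new validation logs `"Failed to parse printer"` and reports a generic `OnAddPrinterError()`, so a rejected URI is indistinguishable in logs from other add failures; `LOG(ERROR) << "Failed to parse printer uri";` names the failing field while still, correctly, not echoing the user-supplied string. `uri` is parsed only to validate and is otherwise unused here, which is fine but worth a word in the comment: `// Validate uri before continuing; the parsed form is not used here.`. The same validate-then-reject pattern appears in the later hunk (`@@ -790,9 +808,11 @@`) for a stored printer, where the comment could likewise say which condition failed. The enclosing functions start and end outside the hunks.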
@@ -1,4 +1,4 @@ MAJOR=62 MINOR=0 BUILD=3202 -PATCH=75 +PATCH=89 diff -Nru chromium-browser-62.0.3202.75/components/domain_reliability/monitor.cc chromium-browser-62.0.3202.89/components/domain_reliability/monitor.cc --- chromium-browser-62.0.3202.75/components/domain_reliability/monitor.cc 2017-10-26 19:05:41.000000000 +0000 +++ chromium-browser-62.0.3202.89/components/domain_reliability/monitor.cc 2017-11-06 20:05:24.000000000 +0000 @@ -134,6 +134,7 @@ void DomainReliabilityMonitor::InitURLRequestContext( net::URLRequestContext* url_request_context) { + DCHECK(url_request_context); DCHECK(OnNetworkThread()); DCHECK(moved_to_network_thread_); diff -Nru chromium-browser-62.0.3202.75/debian/changelog chromium-browser-62.0.3202.89/debian/changelog --- chromium-browser-62.0.3202.75/debian/changelog 2017-10-27 17:22:48.000000000 +0000 +++ chromium-browser-62.0.3202.89/debian/changelog 2017-11-06 21:49:46.000000000 +0000 @@ -1,3 +1,11 @@ +chromium-browser (62.0.3202.89-0ubuntu0.17.04.1386) zesty; urgency=medium + + * Upstream release: 62.0.3202.89 + - CVE-2017-15398: Stack buffer overflow in QUIC. + - CVE-2017-15399: Use after free in V8. + + -- Olivier Tilloy Mon, 06 Nov 2017 22:49:46 +0100 + chromium-browser (62.0.3202.75-0ubuntu0.17.04.1384) zesty; urgency=medium * Upstream release: 62.0.3202.75 diff -Nru chromium-browser-62.0.3202.75/DEPS chromium-browser-62.0.3202.89/DEPS --- chromium-browser-62.0.3202.75/DEPS 2017-10-26 19:05:35.000000000 +0000 +++ chromium-browser-62.0.3202.89/DEPS 2017-11-06 20:05:19.000000000 +0000 @@ -6,7 +6,7 @@ 'boringssl_revision': 'e3bb51cb2360fca5b87d559fc263b2763bd14739', 'buildspec_platforms': - 'win, linux64, mac64, win64', + 'win, win64, mac64, linux64, ios, android, chromeos', 'buildtools_revision': '84fdc992430562c77356707e9a047c7c691b7c3e', 'catapult_revision': 
@@ -80,7 +80,7 @@ 'src/third_party/SPIRV-Tools/src': (Var("chromium_git")) + '/external/github.com/KhronosGroup/SPIRV-Tools.git@9166854ac93ef81b026e943ccd230fed6c8b8d3c', 'src/third_party/angle': - (Var("chromium_git")) + '/angle/angle.git@e8ef2bc4bd019fd6080db5a1a5f0dd18bc0ccd25', + (Var("chromium_git")) + '/angle/angle.git@842c43ae67bad842fa0364e625fdee34e8857aa8', 'src/third_party/bidichecker': (Var("chromium_git")) + '/external/bidichecker/lib.git@97f2aa645b74c28c57eca56992235c79850fa9e0', 'src/third_party/boringssl/src': @@ -186,7 +186,7 @@ 'src/tools/swarming_client': (Var("chromium_git")) + '/infra/luci/client-py.git@72b6a2dc604673b84794937cb3da3fd755ccc4cd', 'src/v8': - (Var("chromium_git")) + '/v8/v8.git@00b3838fd8ef0ff5daf4fa2a1b91e39fe0f755f9' + (Var("chromium_git")) + '/v8/v8.git@55d3228db7aa136a99dc06a2c15c511df12a6a91' } deps_os = { diff -Nru chromium-browser-62.0.3202.75/device/bluetooth/bluez/bluetooth_adapter_bluez.cc chromium-browser-62.0.3202.89/device/bluetooth/bluez/bluetooth_adapter_bluez.cc --- chromium-browser-62.0.3202.75/device/bluetooth/bluez/bluetooth_adapter_bluez.cc 2017-10-26 19:05:43.000000000 +0000 +++ chromium-browser-62.0.3202.89/device/bluetooth/bluez/bluetooth_adapter_bluez.cc 2017-11-06 20:05:26.000000000 +0000 @@ -240,6 +240,7 @@ dbus_is_shutdown_(false), num_discovery_sessions_(0), discovery_request_pending_(false), + force_deactivate_discovery_(false), weak_ptr_factory_(this) { ui_task_runner_ = base::ThreadTaskRunnerHandle::Get(); socket_thread_ = device::BluetoothSocketThread::Get(); 
@@ -1090,11 +1091,21 @@ // If the adapter stopped discovery due to a reason other than a request by // us, reset the count to 0. BLUETOOTH_LOG(EVENT) << "Discovering changed: " << discovering; - if (!discovering && !discovery_request_pending_ && - num_discovery_sessions_ > 0) { - BLUETOOTH_LOG(DEBUG) << "Marking sessions as inactive."; - num_discovery_sessions_ = 0; - MarkDiscoverySessionsAsInactive(); + if (!discovering && num_discovery_sessions_ > 0) { + if (discovery_request_pending_) { + // If there is discovery request pending, this is guaranteed to be a + // Stop() of the last discovery session (num_discovery_sessions_ == 1). + // That last Stop() may fail due to adapter not being present, in which + // case there will be dangling discovery count. So we are setting a flag + // so that the failing Stop() assumes that there is no more discovery + // session. + BLUETOOTH_LOG(DEBUG) << "Forcing to deactivate discovery."; + force_deactivate_discovery_ = true; + } else { + BLUETOOTH_LOG(DEBUG) << "Marking sessions as inactive."; + num_discovery_sessions_ = 0; + MarkDiscoverySessionsAsInactive(); + } } for (auto& observer : observers_) observer.AdapterDiscoveringChanged(this, discovering); @@ -1580,6 +1591,8 @@ num_discovery_sessions_--; callback.Run(); + force_deactivate_discovery_ = false; + current_filter_.reset(); // Try to add a new discovery session for each queued request. 
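Review bot: The new comment states this branch is guaranteed to be a Stop() of the last session with `num_discovery_sessions_ == 1`, but nothing checks it; add `DCHECK_EQ(1, num_discovery_sessions_);` next to `force_deactivate_discovery_ = true;` so the invariant the flag relies on is verified (the error path in the following hunk already has `DCHECK_EQ(num_discovery_sessions_, 1)`). In the success-path hunk (`@@ -1580,6 +1591,8 @@`) the flag is cleared after `callback.Run()`; if a callback re-enters the adapter to start or stop discovery it sees the stale flag, so clearing it before `callback.Run()` looks safer — confirm against what callers do inside the callback. Both enclosing functions start and end outside the hunks.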
@@ -1598,6 +1611,14 @@ DCHECK(discovery_request_pending_); DCHECK_EQ(num_discovery_sessions_, 1); discovery_request_pending_ = false; + + if (force_deactivate_discovery_) { + BLUETOOTH_LOG(DEBUG) << "Forced to mark sessions as inactive"; + force_deactivate_discovery_ = false; + num_discovery_sessions_ = 0; + MarkDiscoverySessionsAsInactive(); + } + error_callback.Run(TranslateDiscoveryErrorToUMA(error_name)); // Try to add a new discovery session for each queued request. diff -Nru chromium-browser-62.0.3202.75/device/bluetooth/bluez/bluetooth_adapter_bluez.h chromium-browser-62.0.3202.89/device/bluetooth/bluez/bluetooth_adapter_bluez.h --- chromium-browser-62.0.3202.75/device/bluetooth/bluez/bluetooth_adapter_bluez.h 2017-10-26 19:05:43.000000000 +0000 +++ chromium-browser-62.0.3202.89/device/bluetooth/bluez/bluetooth_adapter_bluez.h 2017-11-06 20:05:26.000000000 +0000 @@ -448,6 +448,10 @@ // True, if there is a pending request to start or stop discovery. bool discovery_request_pending_; + // If true that means the last pending stop discovery operation should assume + // that the discovery sessions have been deactivated even though it failed. + bool force_deactivate_discovery_; + // List of queued requests to add new discovery sessions. While there is a // pending request to BlueZ to start or stop discovery, many requests from // within Chrome to start or stop discovery sessions may occur. We only diff -Nru chromium-browser-62.0.3202.75/net/quic/core/quic_client_promised_info.cc chromium-browser-62.0.3202.89/net/quic/core/quic_client_promised_info.cc --- chromium-browser-62.0.3202.75/net/quic/core/quic_client_promised_info.cc 2017-10-26 19:05:47.000000000 +0000 +++ chromium-browser-62.0.3202.89/net/quic/core/quic_client_promised_info.cc 2017-11-06 20:05:29.000000000 +0000 
@@ -43,7 +43,11 @@
 // RFC7540, Section 8.2, requests MUST be safe [RFC7231], Section
 // 4.2.1. GET and HEAD are the methods that are safe and required.
 SpdyHeaderBlock::const_iterator it = headers.find(kHttp2MethodHeader);
- DCHECK(it != headers.end());
+ if (it == headers.end()) {
+ QUIC_DVLOG(1) << "Promise for stream " << id_ << " has no method";
+ Reset(QUIC_INVALID_PROMISE_METHOD);
+ return;
+ }
 if (!(it->second == "GET" || it->second == "HEAD")) {
 QUIC_DVLOG(1) << "Promise for stream " << id_ << " has invalid method "
 << it->second;
diff -Nru chromium-browser-62.0.3202.75/net/quic/core/quic_client_promised_info_test.cc chromium-browser-62.0.3202.89/net/quic/core/quic_client_promised_info_test.cc
--- chromium-browser-62.0.3202.75/net/quic/core/quic_client_promised_info_test.cc 2017-10-26 19:05:47.000000000 +0000
+++ chromium-browser-62.0.3202.89/net/quic/core/quic_client_promised_info_test.cc 2017-11-06 20:05:29.000000000 +0000
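Review bot: The replaced `DCHECK` was debug-only, so in release builds a push promise with no `:method` header went on to dereference `headers.end()`; because the header block is supplied by the peer, a runtime check that resets the stream is the right shape and the intent should be recorded so nobody restores the assertion: `// Peer-supplied headers: a missing :method is a protocol error, not a programmer error.`. The missing and non-GET/HEAD cases could share one early-return block since both appear to reset the stream for an invalid method; the second block's `Reset` call is outside the hunk, so confirm it uses the same error code before merging them. The enclosing function starts and ends outside the hunk.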
@@ -154,6 +154,19 @@
 EXPECT_EQ(session_.GetPromisedByUrl(promise_url_), nullptr);
 }

+TEST_F(QuicClientPromisedInfoTest, PushPromiseMissingMethod) {
+ // Promise with a missing method
+ push_promise_.erase(":method");
+
+ EXPECT_CALL(*connection_,
+ SendRstStream(promise_id_, QUIC_INVALID_PROMISE_METHOD, 0));
+ ReceivePromise(promise_id_);
+
+ // Verify that the promise headers were ignored
+ EXPECT_EQ(session_.GetPromisedById(promise_id_), nullptr);
+ EXPECT_EQ(session_.GetPromisedByUrl(promise_url_), nullptr);
+}
+
 TEST_F(QuicClientPromisedInfoTest, PushPromiseInvalidUrl) {
 // Remove required header field to make URL invalid
 push_promise_.erase(":authority");
diff -Nru chromium-browser-62.0.3202.75/sandbox/linux/services/namespace_sandbox.cc chromium-browser-62.0.3202.89/sandbox/linux/services/namespace_sandbox.cc
--- chromium-browser-62.0.3202.75/sandbox/linux/services/namespace_sandbox.cc 2017-10-26 19:05:48.000000000 +0000
+++ chromium-browser-62.0.3202.89/sandbox/linux/services/namespace_sandbox.cc 2017-11-06 20:05:30.000000000 +0000
@@ -105,8 +105,7 @@
 };

 pid_t GetGlibcCachedTid() {
- pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
- CHECK_EQ(0, pthread_mutex_init(&lock, nullptr));
+ pthread_mutex_t lock = PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP;
 CHECK_EQ(0, pthread_mutex_lock(&lock));
 pid_t tid = lock.__data.__owner;
 CHECK_EQ(0, pthread_mutex_unlock(&lock));
diff -Nru chromium-browser-62.0.3202.75/third_party/angle/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp chromium-browser-62.0.3202.89/third_party/angle/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp
--- chromium-browser-62.0.3202.75/third_party/angle/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp 2017-10-26 19:07:11.000000000 +0000
+++ chromium-browser-62.0.3202.89/third_party/angle/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp 2017-11-06 20:06:56.000000000 +0000
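Review bot: The switch to `PTHREAD_RECURSIVE_MUTEX_INITIALIZER_NP` in `GetGlibcCachedTid` is unexplained, and since the function reads the glibc-internal `lock.__data.__owner` the reason the mutex type matters should be recorded; presumably a default mutex can be lock-elided by glibc and never write `__owner`, which a recursive mutex cannot be — confirm against the glibc version in use. Suggest `// Recursive type on purpose: glibc never elides recursive mutexes, so pthread_mutex_lock reliably records the owner TID. __data is glibc-internal layout.`. Dropping `pthread_mutex_init` on a statically initialised mutex is correct. The function's `return` is outside the hunk.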
@@ -680,6 +680,10 @@ break; case gl::State::DIRTY_BIT_VERTEX_ARRAY_BINDING: invalidateVertexBuffer(); + // Force invalidate the current value attributes, since the VertexArray11 keeps an + // internal cache of TranslatedAttributes, and they CurrentValue attributes are + // owned by the StateManager11/Context. + mDirtyCurrentValueAttribs.set(); break; case gl::State::DIRTY_BIT_PROGRAM_EXECUTABLE: invalidateVertexBuffer(); diff -Nru chromium-browser-62.0.3202.75/third_party/angle/src/tests/gl_tests/StateChangeTest.cpp chromium-browser-62.0.3202.89/third_party/angle/src/tests/gl_tests/StateChangeTest.cpp --- chromium-browser-62.0.3202.75/third_party/angle/src/tests/gl_tests/StateChangeTest.cpp 2017-10-26 19:07:11.000000000 +0000 +++ chromium-browser-62.0.3202.89/third_party/angle/src/tests/gl_tests/StateChangeTest.cpp 2017-11-06 20:06:57.000000000 +0000 
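Review bot: The added comment has a typo, `and they CurrentValue attributes` should read `and the CurrentValue attributes`, and it states the action before the reason. A tighter form: `// VertexArray11 caches TranslatedAttributes while the current-value attributes belong to the StateManager11/Context, so a VAO switch must invalidate them as well.`. The enclosing switch starts and ends outside the hunk.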
@@ -601,6 +601,145 @@
 EXPECT_GL_NO_ERROR();
 }
+// Tests that D3D11 dirty bit updates don't forget about BufferSubData attrib updates.
+TEST_P(StateChangeTest, VertexBufferUpdatedAfterDraw)
+{
+ const std::string vs =
+ "attribute vec2 position;\n"
+ "attribute vec4 color;\n"
+ "varying vec4 outcolor;\n"
+ "void main()\n"
+ "{\n"
+ " gl_Position = vec4(position, 0, 1);\n"
+ " outcolor = color;\n"
+ "}";
+ const std::string fs =
+ "varying mediump vec4 outcolor;\n"
+ "void main()\n"
+ "{\n"
+ " gl_FragColor = outcolor;\n"
+ "}";
+
+ ANGLE_GL_PROGRAM(program, vs, fs);
+ glUseProgram(program);
+
+ GLint colorLoc = glGetAttribLocation(program, "color");
+ ASSERT_NE(-1, colorLoc);
+ GLint positionLoc = glGetAttribLocation(program, "position");
+ ASSERT_NE(-1, positionLoc);
+
+ setupQuadVertexBuffer(0.5f, 1.0f);
+ glEnableVertexAttribArray(positionLoc);
+ glVertexAttribPointer(positionLoc, 3, GL_FLOAT, GL_FALSE, 0, nullptr);
+
+ GLBuffer colorBuf;
+ glBindBuffer(GL_ARRAY_BUFFER, colorBuf);
+ glVertexAttribPointer(colorLoc, 4, GL_UNSIGNED_BYTE, GL_TRUE, 0, nullptr);
+ glEnableVertexAttribArray(colorLoc);
+
+ // Fill with green.
+ std::vector colorData(6, GLColor::green);
+ glBufferData(GL_ARRAY_BUFFER, colorData.size() * sizeof(GLColor), colorData.data(),
+ GL_STATIC_DRAW);
+
+ // Draw, expect green.
+ glDrawArrays(GL_TRIANGLES, 0, 6);
+ EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::green);
+ ASSERT_GL_NO_ERROR();
+
+ // Update buffer with red.
+ std::fill(colorData.begin(), colorData.end(), GLColor::red);
+ glBufferSubData(GL_ARRAY_BUFFER, 0, colorData.size() * sizeof(GLColor), colorData.data());
+
+ // Draw, expect red.
+ glDrawArrays(GL_TRIANGLES, 0, 6);
+ EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::red);
+ ASSERT_GL_NO_ERROR();
+}
+
+// Test that switching VAOs keeps the disabled "current value" attributes up-to-date.
+TEST_P(StateChangeTestES3, VertexArrayObjectAndDisabledAttributes)
+{
+ const std::string singleVertexShader =
+ "attribute vec4 position; void main() { gl_Position = position; }";
+ const std::string singleFragmentShader = "void main() { gl_FragColor = vec4(1, 0, 0, 1); }";
+ ANGLE_GL_PROGRAM(singleProgram, singleVertexShader, singleFragmentShader);
+
+ const std::string dualVertexShader =
+ "#version 300 es\n"
+ "in vec4 position;\n"
+ "in vec4 color;\n"
+ "out vec4 varyColor;\n"
+ "void main()\n"
+ "{\n"
+ " gl_Position = position;\n"
+ " varyColor = color;\n"
+ "}";
+ const std::string dualFragmentShader =
+ "#version 300 es\n"
+ "precision mediump float;\n"
+ "in vec4 varyColor;\n"
+ "out vec4 colorOut;\n"
+ "void main()\n"
+ "{\n"
+ " colorOut = varyColor;\n"
+ "}";
+ ANGLE_GL_PROGRAM(dualProgram, dualVertexShader, dualFragmentShader);
+ GLint positionLocation = glGetAttribLocation(dualProgram, "position");
+ ASSERT_NE(-1, positionLocation);
+ GLint colorLocation = glGetAttribLocation(dualProgram, "color");
+ ASSERT_NE(-1, colorLocation);
+
+ GLint singlePositionLocation = glGetAttribLocation(singleProgram, "position");
+ ASSERT_NE(-1, singlePositionLocation);
+
+ glUseProgram(singleProgram);
+
+ // Initialize position vertex buffer.
+ const auto &quadVertices = GetQuadVertices();
+
+ GLBuffer vertexBuffer;
+ glBindBuffer(GL_ARRAY_BUFFER, vertexBuffer);
+ glBufferData(GL_ARRAY_BUFFER, sizeof(Vector3) * 6, quadVertices.data(), GL_STATIC_DRAW);
+
+ // Initialize a VAO. Draw with single program.
+ GLVertexArray vertexArray;
+ glBindVertexArray(vertexArray);
+ glBindBuffer(GL_ARRAY_BUFFER, vertexBuffer);
+ glVertexAttribPointer(singlePositionLocation, 3, GL_FLOAT, GL_FALSE, 0, nullptr);
+ glEnableVertexAttribArray(singlePositionLocation);
+
+ // Should draw red.
+ glDrawArrays(GL_TRIANGLES, 0, 6);
+ ASSERT_GL_NO_ERROR();
+ EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::red);
+
+ // Draw with a green buffer attribute, without the VAO.
+ glBindVertexArray(0);
+ glUseProgram(dualProgram);
+ glVertexAttribPointer(positionLocation, 3, GL_FLOAT, GL_FALSE, 0, nullptr);
+ glEnableVertexAttribArray(positionLocation);
+
+ std::vector greenColors(6, GLColor::green);
+ GLBuffer greenBuffer;
+ glBindBuffer(GL_ARRAY_BUFFER, greenBuffer);
+ glBufferData(GL_ARRAY_BUFFER, sizeof(GLColor) * 6, greenColors.data(), GL_STATIC_DRAW);
+
+ glVertexAttribPointer(colorLocation, 4, GL_UNSIGNED_BYTE, GL_FALSE, 4, nullptr);
+ glEnableVertexAttribArray(colorLocation);
+
+ glDrawArrays(GL_TRIANGLES, 0, 6);
+ ASSERT_GL_NO_ERROR();
+ EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::green);
+
+ // Re-bind VAO and try to draw with different program, without changing state.
+ // Should draw black since current value is not initialized.
+ glBindVertexArray(vertexArray);
+ glDrawArrays(GL_TRIANGLES, 0, 6);
+ ASSERT_GL_NO_ERROR();
+ EXPECT_PIXEL_COLOR_EQ(0, 0, GLColor::black);
+}
+
 ANGLE_INSTANTIATE_TEST(StateChangeTest, ES2_D3D9(), ES2_D3D11(), ES2_OPENGL());
 ANGLE_INSTANTIATE_TEST(StateChangeRenderTest, ES2_D3D9(),
diff -Nru chromium-browser-62.0.3202.75/third_party/WebKit/Source/core/paint/PaintLayerClipper.cpp chromium-browser-62.0.3202.89/third_party/WebKit/Source/core/paint/PaintLayerClipper.cpp
--- chromium-browser-62.0.3202.75/third_party/WebKit/Source/core/paint/PaintLayerClipper.cpp 2017-10-26 19:06:05.000000000 +0000
+++ chromium-browser-62.0.3202.89/third_party/WebKit/Source/core/paint/PaintLayerClipper.cpp 2017-11-06 20:05:45.000000000 +0000
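Review bot: The comment `// Should draw black since current value is not initialized.` in VertexArrayObjectAndDisabledAttributes describes the expected black pixel as an uninitialised read, but the colour attribute is simply disabled in the re-bound VAO, so the draw uses the generic current value, which the ES spec initialises to (0, 0, 0, 1); black is the defined default, not undefined data. Suggest `// Should draw black: color is disabled in the VAO, so its default current value (0, 0, 0, 1) is used.` Separately, the green attribute is set up with `glVertexAttribPointer(colorLocation, 4, GL_UNSIGNED_BYTE, GL_FALSE, 4, nullptr);` whereas VertexBufferUpdatedAfterDraw normalises the same byte data with GL_TRUE; with GL_FALSE the shader sees 255.0 and the expectation appears to hold only because the fixed-point target clamps on write, so GL_TRUE (and stride 0) would make the intent explicit and keep the two tests consistent.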
@@ -304,7 +304,13 @@
 ClipRect& foreground_rect, const LayoutPoint* offset_from_root) const {
 if (use_geometry_mapper_) {
- if (!layer_.GetLayoutObject().FirstFragment())
+ auto* first_fragment = layer_.GetLayoutObject().FirstFragment();
+ auto* local_borderbox =
+ first_fragment ? first_fragment->LocalBorderBoxProperties() : nullptr;
+ DCHECK(first_fragment && local_borderbox);
+ // TODO(chrishtr): find the root cause of not having a fragment and fix
+ // it.
+ if (!first_fragment || !local_borderbox)
 return;
 CalculateRectsWithGeometryMapper(context, paint_dirty_rect, layer_bounds, background_rect, foreground_rect,
@@ -529,6 +535,15 @@
 const ClipRectsContext& context, ClipRect& output) const {
 if (use_geometry_mapper_) {
+ auto* first_fragment = layer_.GetLayoutObject().FirstFragment();
+ auto* local_borderbox =
+ first_fragment ? first_fragment->LocalBorderBoxProperties() : nullptr;
+ DCHECK(first_fragment && local_borderbox);
+ // TODO(chrishtr): find the root cause of not having a fragment and fix
+ // it.
+ if (!first_fragment || !local_borderbox)
+ return;
+
 CalculateBackgroundClipRectWithGeometryMapper(context, output);
 return;
 }
diff -Nru chromium-browser-62.0.3202.75/v8/include/v8-version.h chromium-browser-62.0.3202.89/v8/include/v8-version.h
--- chromium-browser-62.0.3202.75/v8/include/v8-version.h 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/include/v8-version.h 2017-11-06 20:07:10.000000000 +0000
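Review bot: The guard added at line 304 is repeated verbatim in the second hunk at line 535, DCHECK and TODO included, and both enclosing functions start outside their hunks. Folding the check into one private const helper keeps the root-cause TODO in a single place, and each early return deserves a comment saying that the out-parameters (`background_rect`/`foreground_rect` in the first, `output` in the second) are left exactly as the caller passed them, since in release builds the DCHECK is gone and the caller silently continues with those values. The helper would need a matching declaration in the class header, which is not part of this patch.
```cpp
// Both geometry-mapper paths need a first fragment with local border-box
// properties; keep the check, and the TODO, in one place.
bool PaintLayerClipper::HasFragmentWithLocalBorderBox() const {
  auto* first_fragment = layer_.GetLayoutObject().FirstFragment();
  auto* local_borderbox =
      first_fragment ? first_fragment->LocalBorderBoxProperties() : nullptr;
  DCHECK(first_fragment && local_borderbox);
  // TODO(chrishtr): find the root cause of not having a fragment and fix it.
  return first_fragment && local_borderbox;
}

  // … in both callers, replacing the inlined check …
  if (use_geometry_mapper_) {
    // Out-params are left as the caller passed them when no fragment exists.
    if (!HasFragmentWithLocalBorderBox())
      return;
```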
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 6
 #define V8_MINOR_VERSION 2
 #define V8_BUILD_NUMBER 414
-#define V8_PATCH_LEVEL 36
+#define V8_PATCH_LEVEL 40
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff -Nru chromium-browser-62.0.3202.75/v8/src/asmjs/asm-js.cc chromium-browser-62.0.3202.89/v8/src/asmjs/asm-js.cc
--- chromium-browser-62.0.3202.75/v8/src/asmjs/asm-js.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/asmjs/asm-js.cc 2017-11-06 20:07:10.000000000 +0000
@@ -357,6 +357,7 @@
 ReportInstantiationFailure(script, position, "Requires heap buffer");
 return MaybeHandle();
 }
+ memory->set_is_growable(false);
 size_t size = NumberToSize(memory->byte_length());
 // TODO(mstarzinger): We currently only limit byte length of the buffer to
 // be a multiple of 8, we should enforce the stricter spec limits here.
diff -Nru chromium-browser-62.0.3202.75/v8/src/flag-definitions.h chromium-browser-62.0.3202.89/v8/src/flag-definitions.h
--- chromium-browser-62.0.3202.75/v8/src/flag-definitions.h 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/flag-definitions.h 2017-11-06 20:07:10.000000000 +0000
@@ -418,7 +418,7 @@
 DEFINE_BOOL(trace_turbo_inlining, false, "trace TurboFan inlining")
 DEFINE_BOOL(inline_accessors, true, "inline JavaScript accessors")
 DEFINE_BOOL(inline_into_try, true, "inline into try blocks")
-DEFINE_BOOL(turbo_inline_array_builtins, true,
+DEFINE_BOOL(turbo_inline_array_builtins, false,
 "inline array builtins in TurboFan code")
 DEFINE_BOOL(use_osr, true, "use on-stack replacement")
 DEFINE_BOOL(trace_osr, false, "trace on-stack replacement")
diff -Nru chromium-browser-62.0.3202.75/v8/src/objects.h chromium-browser-62.0.3202.89/v8/src/objects.h
--- chromium-browser-62.0.3202.75/v8/src/objects.h 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/objects.h 2017-11-06 20:07:10.000000000 +0000
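Review bot: `memory->set_is_growable(false);` in asm-js.cc is added without a comment, and its effect is only visible in other files of this patch (wasm-js.cc now throws `This memory cannot be grown` and the wasm-objects.cc grow paths refuse a non-growable buffer). A one-line why-comment keeps that contract next to the flag: `// asm.js heaps are fixed-size; clear the flag so the memory grow path rejects this buffer.` The enclosing function starts and ends outside the hunk.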
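Review bot: Flipping the default of `turbo_inline_array_builtins` to false in flag-definitions.h records no reason, so nothing stops a later merge from turning it back on; the help string only says what the flag does, not why it is now off. A comment above the DEFINE_BOOL naming the motivation and the tracking bug would make the intent survive, e.g. `// Disabled on this release branch; see <TRACKING-BUG PLACEHOLDER>.` A default change in an optimisation flag alters generated code and deserves the same justification as a code change.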
@@ -6351,10 +6351,8 @@
 inline bool has_guard_region() const;
 inline void set_has_guard_region(bool value);
- // TODO(gdeepti): This flag is introduced to disable asm.js optimizations in
- // js-typer-lowering.cc, remove when the asm.js case is fixed.
- inline bool is_wasm_buffer();
- inline void set_is_wasm_buffer(bool value);
+ inline bool is_growable();
+ inline void set_is_growable(bool value);
 DECL_CAST(JSArrayBuffer)
@@ -6414,7 +6412,7 @@
 class WasNeutered : public BitField {};
 class IsShared : public BitField {};
 class HasGuardRegion : public BitField {};
- class IsWasmBuffer : public BitField {};
+ class IsGrowable : public BitField {};
 private:
 DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer);
diff -Nru chromium-browser-62.0.3202.75/v8/src/objects-inl.h chromium-browser-62.0.3202.89/v8/src/objects-inl.h
--- chromium-browser-62.0.3202.75/v8/src/objects-inl.h 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/objects-inl.h 2017-11-06 20:07:10.000000000 +0000
@@ -5156,12 +5156,12 @@
 set_bit_field(HasGuardRegion::update(bit_field(), value));
 }
-bool JSArrayBuffer::is_wasm_buffer() {
- return IsWasmBuffer::decode(bit_field());
+bool JSArrayBuffer::is_growable() {
+ return IsGrowable::decode(bit_field());
 }
-void JSArrayBuffer::set_is_wasm_buffer(bool value) {
- set_bit_field(IsWasmBuffer::update(bit_field(), value));
+void JSArrayBuffer::set_is_growable(bool value) {
+ set_bit_field(IsGrowable::update(bit_field(), value));
 }
 Object* JSArrayBufferView::byte_offset() const {
diff -Nru chromium-browser-62.0.3202.75/v8/src/objects-printer.cc chromium-browser-62.0.3202.89/v8/src/objects-printer.cc
--- chromium-browser-62.0.3202.75/v8/src/objects-printer.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/objects-printer.cc 2017-11-06 20:07:10.000000000 +0000
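Review bot: The renamed accessors `is_growable()`/`set_is_growable(bool)` in objects.h drop the comment the old `is_wasm_buffer` carried and gain no replacement, even though the new flag now gates a user-visible operation; the matching rename in objects-inl.h (hunk at line 5156) needs nothing further. Based on the rest of this patch, a declaration comment such as `// Set for buffers created as WebAssembly memory (wasm-module.cc), cleared for asm.js heaps (asm-js.cc); the memory grow paths refuse buffers without it.` would let a reader understand the flag without grepping. It is also worth stating the value a buffer has when nobody sets the flag (presumably false, as the bit field defaults to zero), because module-compiler.cc no longer sets any flag on externally passed memory and the consequence for such buffers is otherwise invisible here.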
@@ -970,7 +970,7 @@
 if (was_neutered()) os << "\n - neutered";
 if (is_shared()) os << "\n - shared";
 if (has_guard_region()) os << "\n - has_guard_region";
- if (is_wasm_buffer()) os << "\n - wasm_buffer";
+ if (is_growable()) os << "\n - growable";
 JSObjectPrintBody(os, this, !was_neutered());
 }
diff -Nru chromium-browser-62.0.3202.75/v8/src/wasm/module-compiler.cc chromium-browser-62.0.3202.89/v8/src/wasm/module-compiler.cc
--- chromium-browser-62.0.3202.75/v8/src/wasm/module-compiler.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/wasm/module-compiler.cc 2017-11-06 20:07:10.000000000 +0000
@@ -956,7 +956,6 @@
 Handle memory = memory_.ToHandleChecked();
 // Set externally passed ArrayBuffer non neuterable.
 memory->set_is_neuterable(false);
- memory->set_is_wasm_buffer(true);
 DCHECK_IMPLIES(EnableGuardRegions(), module_->is_asm_js() || memory->has_guard_region());
diff -Nru chromium-browser-62.0.3202.75/v8/src/wasm/wasm-js.cc chromium-browser-62.0.3202.89/v8/src/wasm/wasm-js.cc
--- chromium-browser-62.0.3202.75/v8/src/wasm/wasm-js.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/wasm/wasm-js.cc 2017-11-06 20:07:10.000000000 +0000
@@ -751,6 +751,10 @@
 max_size64 = i::FLAG_wasm_max_mem_pages;
 }
 i::Handle old_buffer(receiver->array_buffer());
+ if (!old_buffer->is_growable()) {
+ thrower.RangeError("This memory cannot be grown");
+ return;
+ }
 uint32_t old_size = old_buffer->byte_length()->Number() / i::wasm::kSpecMaxWasmMemoryPages;
 int64_t new_size64 = old_size + delta_size;
diff -Nru chromium-browser-62.0.3202.75/v8/src/wasm/wasm-module.cc chromium-browser-62.0.3202.89/v8/src/wasm/wasm-module.cc
--- chromium-browser-62.0.3202.75/v8/src/wasm/wasm-module.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/wasm/wasm-module.cc 2017-11-06 20:07:10.000000000 +0000
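Review bot: The new `is_growable()` check in wasm-js.cc throws a RangeError with its own message, while the same condition is rejected again in wasm-objects.cc (hunks at lines 290 and 393) by returning a null handle and `-1`, so one condition now has three checks with three different failure signals. That is acceptable if the JS-facing check exists to give users a specific message before the lower-level grow runs, but the code should say so: `// Checked up front so the caller gets a specific error instead of the generic failure from the grow path.` If the `-1` path also reaches JS, one of the two messages is unreachable and a test should pin which one users actually see; the enclosing function continues outside the hunk, so I cannot tell from here.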
@@ -266,7 +266,7 @@
 allocation_length, backing_store, static_cast(size), shared);
 buffer->set_is_neuterable(false);
- buffer->set_is_wasm_buffer(true);
+ buffer->set_is_growable(true);
 buffer->set_has_guard_region(enable_guard_regions);
 return buffer;
 }
diff -Nru chromium-browser-62.0.3202.75/v8/src/wasm/wasm-objects.cc chromium-browser-62.0.3202.89/v8/src/wasm/wasm-objects.cc
--- chromium-browser-62.0.3202.75/v8/src/wasm/wasm-objects.cc 2017-10-26 19:07:26.000000000 +0000
+++ chromium-browser-62.0.3202.89/v8/src/wasm/wasm-objects.cc 2017-11-06 20:07:10.000000000 +0000
@@ -290,6 +290,7 @@
 Address old_mem_start = nullptr;
 uint32_t old_size = 0;
 if (!old_buffer.is_null()) {
+ if (!old_buffer->is_growable()) return Handle::null();
 old_mem_start = static_cast
(old_buffer->backing_store());
 CHECK(old_buffer->byte_length()->ToUint32(&old_size));
 }
@@ -392,6 +393,7 @@
 Handle memory_object, uint32_t pages) {
 Handle old_buffer(memory_object->array_buffer());
+ if (!old_buffer->is_growable()) return -1;
 uint32_t old_size = 0;
 CHECK(old_buffer->byte_length()->ToUint32(&old_size));
 Handle new_buffer;
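Review bot: `if (!old_buffer->is_growable()) return -1;` at line 393 folds "buffer may not grow" into the same `-1` the function presumably already uses for other failures (its body continues outside the hunk), so a caller cannot tell a refused grow from an out-of-range one; the sibling check at line 290 likewise returns a null handle with no explanation. A short comment at each site would at least record the contract and keep the two in step, e.g. `// Non-growable buffers (asm.js heaps and buffers never flagged growable) are rejected here; the JS wrapper reports the specific error.` If callers need to distinguish the two failures, this `-1` path is the place to change rather than adding more checks in the wrapper.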