
chore: cherry-pick 7 changes from Release-0-M114 (#38534)

* chore: [22-x-y] cherry-pick 6 changes from Release-0-M114

* c6ec59dcae7d from angle
* 93c6be3a42e7 from chromium
* e6b75a8b4900 from chromium
* 3b0607d14060 from v8
* 9c6dfc733fce from v8
* ea1cd76358e0 from chromium

* chore: remove 2 invalid patches, fix 2 others

* chore: remove unnecessary patch.

* chore: add missing backports.

* chore: further fix a backport

* chore: update patches

---------

Co-authored-by: Pedro Pontes <[email protected]>
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Keeley Hammond 1 year ago
parent
commit
047f474eab

+ 2 - 0
patches/chromium/.patches

@@ -159,5 +159,7 @@ cherry-pick-f58218891f8c.patch
 wayland_ensure_dnd_buffer_size_is_a_multiple_of_scale.patch
 m112_cherry_pick_libxml_cve_fix.patch
 m112_fix_scopedobservation_uaf_in.patch
+cherry-pick-ea1cd76358e0.patch
 cherry-pick-48785f698b1c.patch
 m108-lts_return_after_readycommitnavigation_call_in_commiterrorpage.patch
+m114_merge_fix_a_crash_caused_by_calling_trace_event.patch

+ 200 - 0
patches/chromium/cherry-pick-ea1cd76358e0.patch

@@ -0,0 +1,200 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kevin McNee <[email protected]>
+Date: Tue, 23 May 2023 15:46:16 +0000
+Subject: M114: Compute all webview find options before cloning them
+
+Compute all webview find options before cloning them
+
+In WebViewFindHelper::Find, we're cloning the find options before we've
+set the value for `new_session`. For requests that are part of the same
+session, in WebViewFindHelper::FindReply, we're using the incorrect
+value for `new_session` and we're destroying the FindInfo for what we
+think is a previous session but is actually for the request we're
+currently processing.
+
+We now fully compute the options before cloning them.
+
+(cherry picked from commit bb8e17b942b8b1de0a58b2dce34197e00a3b6525)
+
+Bug: 1443401
+Change-Id: Ife6747aedabaf74f9a4855a173349ffe612b6f95
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4533923
+Reviewed-by: James Maclean <[email protected]>
+Commit-Queue: James Maclean <[email protected]>
+Auto-Submit: Kevin McNee <[email protected]>
+Cr-Original-Commit-Position: refs/heads/main@{#1145265}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4556646
+Commit-Queue: Rubber Stamper <[email protected]>
+Bot-Commit: Rubber Stamper <[email protected]>
+Cr-Commit-Position: refs/branch-heads/5735@{#941}
+Cr-Branched-From: 2f562e4ddbaf79a3f3cb338b4d1bd4398d49eb67-refs/heads/main@{#1135570}
+
+diff --git a/chrome/browser/apps/guest_view/web_view_browsertest.cc b/chrome/browser/apps/guest_view/web_view_browsertest.cc
+index 4e6212397a183fdf494f271a255eaf2d536587e6..7159cf6af5cfd0ad5b9e5ba526043a4407a5399d 100644
+--- a/chrome/browser/apps/guest_view/web_view_browsertest.cc
++++ b/chrome/browser/apps/guest_view/web_view_browsertest.cc
+@@ -3851,6 +3851,11 @@ IN_PROC_BROWSER_TEST_P(WebViewTest, Shim_testFindInMultipleWebViews) {
+   TestHelper("testFindInMultipleWebViews", "web_view/shim", NO_TEST_SERVER);
+ }
+ 
++IN_PROC_BROWSER_TEST_F(WebViewTest, Shim_TestFindAfterTerminate) {
++  content::ScopedAllowRendererCrashes scoped_allow_renderer_crashes;
++  TestHelper("testFindAfterTerminate", "web_view/shim", NO_TEST_SERVER);
++}
++
+ IN_PROC_BROWSER_TEST_P(WebViewTest, Shim_TestLoadDataAPI) {
+   TestHelper("testLoadDataAPI", "web_view/shim", NEEDS_TEST_SERVER);
+ 
+diff --git a/chrome/test/data/extensions/platform_apps/web_view/shim/main.js b/chrome/test/data/extensions/platform_apps/web_view/shim/main.js
+index 5ed4f0223346b01d83cc04c8cda6c0e92e1a72e3..4a1543d1751cc817a511594d0123deacc0e61ebb 100644
+--- a/chrome/test/data/extensions/platform_apps/web_view/shim/main.js
++++ b/chrome/test/data/extensions/platform_apps/web_view/shim/main.js
+@@ -2859,6 +2859,20 @@ function testFindInMultipleWebViews() {
+       });
+ }
+ 
++function testFindAfterTerminate() {
++  let webview = new WebView();
++  webview.src = 'data:text/html,<body><iframe></iframe></body>';
++  webview.addEventListener('loadstop', () => {
++    webview.find('A');
++    webview.terminate();
++    webview.find('B', {'backward': true});
++    webview.find('B', {'backward': true}, (results) => {
++      embedder.test.succeed();
++    });
++  });
++  document.body.appendChild(webview);
++}
++
+ function testLoadDataAPI() {
+   var webview = new WebView();
+   webview.src = 'about:blank';
+@@ -3600,6 +3614,7 @@ embedder.test.testList = {
+   'testFindAPI': testFindAPI,
+   'testFindAPI_findupdate': testFindAPI_findupdate,
+   'testFindInMultipleWebViews': testFindInMultipleWebViews,
++  'testFindAfterTerminate': testFindAfterTerminate,
+   'testLoadDataAPI': testLoadDataAPI,
+   'testLoadDataAPIAccessibleResources': testLoadDataAPIAccessibleResources,
+   'testResizeEvents': testResizeEvents,
+diff --git a/extensions/browser/guest_view/web_view/web_view_find_helper.cc b/extensions/browser/guest_view/web_view/web_view_find_helper.cc
+index 07b8a6975907190741267e3f92c2e9bde5d9c5d6..f7e5c7c6ece05fa59374735cb1757d1918d1597c 100644
+--- a/extensions/browser/guest_view/web_view/web_view_find_helper.cc
++++ b/extensions/browser/guest_view/web_view/web_view_find_helper.cc
+@@ -36,12 +36,12 @@ void WebViewFindHelper::CancelAllFindSessions() {
+ 
+ void WebViewFindHelper::DispatchFindUpdateEvent(bool canceled,
+                                                 bool final_update) {
+-  DCHECK(find_update_event_.get());
++  CHECK(find_update_event_);
+   std::unique_ptr<base::DictionaryValue> args(new base::DictionaryValue());
+   find_update_event_->PrepareResults(args.get());
+   args->SetBoolKey(webview::kFindCanceled, canceled);
+   args->SetBoolKey(webview::kFindFinalUpdate, final_update);
+-  DCHECK(webview_guest_);
++  CHECK(webview_guest_);
+   webview_guest_->DispatchEventToView(std::make_unique<GuestViewEvent>(
+       webview::kEventFindReply, std::move(args)));
+ }
+@@ -94,6 +94,17 @@ void WebViewFindHelper::Find(
+   // Need a new request_id for each new find request.
+   ++current_find_request_id_;
+ 
++  if (current_find_session_) {
++    const std::u16string& current_search_text =
++        current_find_session_->search_text();
++    bool current_match_case = current_find_session_->options()->match_case;
++    options->new_session = current_search_text.empty() ||
++                           current_search_text != search_text ||
++                           current_match_case != options->match_case;
++  } else {
++    options->new_session = true;
++  }
++
+   // Stores the find request information by request_id so that its callback
+   // function can be called when the find results are available.
+   std::pair<FindInfoMap::iterator, bool> insert_result =
+@@ -102,32 +113,19 @@ void WebViewFindHelper::Find(
+           base::MakeRefCounted<FindInfo>(current_find_request_id_, search_text,
+                                          options.Clone(), find_function)));
+   // No duplicate insertions.
+-  DCHECK(insert_result.second);
+-
+-  blink::mojom::FindOptionsPtr full_options =
+-      insert_result.first->second->options().Clone();
+-
+-  if (current_find_session_) {
+-    const std::u16string& current_search_text =
+-        current_find_session_->search_text();
+-    bool current_match_case = current_find_session_->options()->match_case;
+-    full_options->new_session = current_search_text.empty() ||
+-                                current_search_text != search_text ||
+-                                current_match_case != options->match_case;
+-  } else {
+-    full_options->new_session = true;
+-  }
++  CHECK(insert_result.second);
+ 
+   // Link find requests that are a part of the same find session.
+-  if (!full_options->new_session && current_find_session_) {
+-    DCHECK(current_find_request_id_ != current_find_session_->request_id());
++  if (!options->new_session && current_find_session_) {
++    CHECK(current_find_request_id_ != current_find_session_->request_id());
+     current_find_session_->AddFindNextRequest(
+         insert_result.first->second->AsWeakPtr());
+   }
+ 
+   // Update the current find session, if necessary.
+-  if (full_options->new_session)
++  if (options->new_session) {
+     current_find_session_ = insert_result.first->second;
++  }
+ 
+   // Handle the empty |search_text| case internally.
+   if (search_text.empty()) {
+@@ -137,7 +135,7 @@ void WebViewFindHelper::Find(
+   }
+ 
+   guest_web_contents->Find(current_find_request_id_, search_text,
+-                           std::move(full_options), /*skip_delay=*/true);
++                           std::move(options), /*skip_delay=*/true);
+ }
+ 
+ void WebViewFindHelper::FindReply(int request_id,
+@@ -152,14 +150,14 @@ void WebViewFindHelper::FindReply(int request_id,
+     return;
+ 
+   // This find request must be a part of an existing find session.
+-  DCHECK(current_find_session_);
++  CHECK(current_find_session_);
+ 
+   WebViewFindHelper::FindInfo* find_info = find_iterator->second.get();
+   // Handle canceled find requests.
+   if (find_info->options()->new_session &&
+       find_info_map_.begin()->first < request_id) {
+-    DCHECK_NE(current_find_session_->request_id(),
+-              find_info_map_.begin()->first);
++    CHECK_NE(current_find_session_->request_id(),
++             find_info_map_.begin()->first);
+     if (find_update_event_)
+       DispatchFindUpdateEvent(true /* canceled */, true /* final_update */);
+     EndFindSession(find_info_map_.begin()->first, true /* canceled */);
+@@ -174,11 +172,12 @@ void WebViewFindHelper::FindReply(int request_id,
+   // Aggregate the find results.
+   find_info->AggregateResults(number_of_matches, selection_rect,
+                               active_match_ordinal, final_update);
+-  find_update_event_->AggregateResults(number_of_matches, selection_rect,
+-                                      active_match_ordinal, final_update);
+-
+-  // Propagate incremental results to the |findupdate| event.
+-  DispatchFindUpdateEvent(false /* canceled */, final_update);
++  if (find_update_event_) {
++    find_update_event_->AggregateResults(number_of_matches, selection_rect,
++                                         active_match_ordinal, final_update);
++    // Propagate incremental results to the |findupdate| event.
++    DispatchFindUpdateEvent(false /* canceled */, final_update);
++  }
+ 
+   // Call the callback functions of completed find requests.
+   if (final_update)
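Review bot: The relocated `new_session` computation in `WebViewFindHelper::Find` (the new `if (current_find_session_)` block) defines a find session solely by `search_text` and `match_case`, and nothing in the code says so; a comment above that block such as `// A find session is identified by (search_text, match_case); other options, e.g. forward, may differ between find-next requests of one session.` would make the contract explicit, which matters because the new `testFindAfterTerminate` sends a same-text request with only `backward` changed. `Find` begins and ends outside the visible hunks. The `DCHECK`→`CHECK` change in `DispatchFindUpdateEvent` turns a missing `find_update_event_` into a release-mode abort; both callers shown in `FindReply` are now guarded with `if (find_update_event_)`, and any caller outside these hunks, if one exists, would need the same guard.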

+ 38 - 0
patches/chromium/m114_merge_fix_a_crash_caused_by_calling_trace_event.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Maggie Chen <[email protected]>
+Date: Thu, 18 May 2023 00:20:34 +0000
+Subject: Fix a crash caused by calling TRACE_EVENT
+
+Now use literal constant for TRACE_EVENT. Passing a pointer instead of
+string content to TRACE_EVENT causes a crash in ScopedTracer.
+
+(cherry picked from commit 6f2e587807aff2306309025db1c15fc59290eb6f)
+
+Bug: 1444195
+Change-Id: I02aa1148d61e7596e9293ffc866135e99991e42e
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4522164
+Reviewed-by: Sunny Sachanandani <[email protected]>
+Commit-Queue: Maggie Chen <[email protected]>
+Cr-Original-Commit-Position: refs/heads/main@{#1144352}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4544885
+Bot-Commit: Rubber Stamper <[email protected]>
+Cr-Commit-Position: refs/branch-heads/5735@{#749}
+Cr-Branched-From: 2f562e4ddbaf79a3f3cb338b4d1bd4398d49eb67-refs/heads/main@{#1135570}
+
+diff --git a/ui/gl/swap_chain_presenter.cc b/ui/gl/swap_chain_presenter.cc
+index 31deec1168cd438c0a37edc9230484ba2181b525..5cf91faf97a2a6f4f130d9e62678d972f55756ec 100644
+--- a/ui/gl/swap_chain_presenter.cc
++++ b/ui/gl/swap_chain_presenter.cc
+@@ -1635,10 +1635,8 @@ bool SwapChainPresenter::ReallocateSwapChain(
+     }
+   }
+   if (!use_yuv_swap_chain) {
+-    std::ostringstream trace_event_stream;
+-    trace_event_stream << "SwapChainPresenter::ReallocateSwapChain::"
+-                       << DxgiFormatToString(swap_chain_format);
+-    TRACE_EVENT0("gpu", trace_event_stream.str().c_str());
++    TRACE_EVENT1("gpu", "SwapChainPresenter::ReallocateSwapChain::BGRA",
++                 "format", DxgiFormatToString(swap_chain_format));
+ 
+     desc.Format = swap_chain_format;
+     desc.Flags = DXGI_SWAP_CHAIN_FLAG_FULLSCREEN_VIDEO;
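Review bot: The `"format"` argument of the new `TRACE_EVENT1` is `DxgiFormatToString(swap_chain_format)`, and whether that is safe depends on the helper's return type, which the hunk does not show: a `std::string` is copied into the trace argument, but a `const char*` to non-static storage would need `TRACE_STR_COPY(...)`, the same pointer-lifetime class of problem as the stream-built event name this change removes. A one-line comment at the call, e.g. `// The event name must be a string literal; the variable format goes in an argument.`, would keep a later edit from reintroducing the dynamic name. `ReallocateSwapChain` begins and ends outside the hunk.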

+ 3 - 0
patches/pdfium/.patches

@@ -1 +1,4 @@
 cherry-pick-a0d16d18d072.patch
+m114_observe_cpwl_combobox_across_all_on_methods.patch
+m114_observe_widget_across_setoptionselection_calls.patch
+m114_always_check_return_code_from_cpwl_combobox_setpopup.patch

+ 236 - 0
patches/pdfium/m114_always_check_return_code_from_cpwl_combobox_setpopup.patch

@@ -0,0 +1,236 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <[email protected]>
+Date: Fri, 19 May 2023 18:41:31 +0000
+Subject: Always check return code from CPWL_ComboBox::SetPopup().
+
+Operation must not continue when false is returned.
+
+Bug: chromium:1444238
+Change-Id: Ic8c29653ac185ac80b6248203649ce05d0e10f06
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107390
+Commit-Queue: Tom Sepez <[email protected]>
+Reviewed-by: Lei Zhang <[email protected]>
+(cherry picked from commit 3eb3c4d77d4f9372f77aa4895b85a1d4e4755c89)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107812
+
+diff --git a/fpdfsdk/pwl/cpwl_combo_box.cpp b/fpdfsdk/pwl/cpwl_combo_box.cpp
+index 4d834e698ee1b08bcc81d20e062e029620438b7e..fdcc2ef1b2fba4257aab3835f58c5ec0913663cf 100644
+--- a/fpdfsdk/pwl/cpwl_combo_box.cpp
++++ b/fpdfsdk/pwl/cpwl_combo_box.cpp
+@@ -400,7 +400,9 @@ bool CPWL_ComboBox::OnChar(uint16_t nChar, Mask<FWL_EVENTFLAG> nFlag) {
+   // options.
+   switch (nChar) {
+     case pdfium::ascii::kReturn:
+-      SetPopup(!IsPopup());
++      if (!SetPopup(!IsPopup())) {
++        return false;
++      }
+       SetSelectText();
+       return true;
+     case pdfium::ascii::kSpace:
+@@ -408,7 +410,9 @@ bool CPWL_ComboBox::OnChar(uint16_t nChar, Mask<FWL_EVENTFLAG> nFlag) {
+       // editable
+       if (!HasFlag(PCBS_ALLOWCUSTOMTEXT)) {
+         if (!IsPopup()) {
+-          SetPopup(/*bPopUp=*/true);
++          if (!SetPopup(/*bPopUp=*/true)) {
++            return false;
++          }
+           SetSelectText();
+         }
+         return true;
+@@ -438,7 +442,7 @@ bool CPWL_ComboBox::OnChar(uint16_t nChar, Mask<FWL_EVENTFLAG> nFlag) {
+ 
+ void CPWL_ComboBox::NotifyLButtonDown(CPWL_Wnd* child, const CFX_PointF& pos) {
+   if (child == m_pButton) {
+-    SetPopup(!m_bPopup);
++    (void)SetPopup(!m_bPopup);
+     // Note, |this| may no longer be viable at this point. If more work needs to
+     // be done, check the return value of SetPopup().
+   }
+@@ -451,7 +455,7 @@ void CPWL_ComboBox::NotifyLButtonUp(CPWL_Wnd* child, const CFX_PointF& pos) {
+   SetSelectText();
+   SelectAllText();
+   m_pEdit->SetFocus();
+-  SetPopup(false);
++  (void)SetPopup(false);
+   // Note, |this| may no longer be viable at this point. If more work needs to
+   // be done, check the return value of SetPopup().
+ }
+diff --git a/fpdfsdk/pwl/cpwl_combo_box.h b/fpdfsdk/pwl/cpwl_combo_box.h
+index 0d13b40b7a1fa1410070a14a3f9f4ef5ad625181..4b97394996d0fb1212e8f7e54f3513e1e93b6b80 100644
+--- a/fpdfsdk/pwl/cpwl_combo_box.h
++++ b/fpdfsdk/pwl/cpwl_combo_box.h
+@@ -64,7 +64,7 @@ class CPWL_ComboBox final : public CPWL_Wnd {
+   void CreateListBox(const CreateParams& cp);
+ 
+   // Returns |true| iff this instance is still allocated.
+-  bool SetPopup(bool bPopup);
++  [[nodiscard]] bool SetPopup(bool bPopup);
+ 
+   UnownedPtr<CPWL_Edit> m_pEdit;
+   UnownedPtr<CPWL_CBButton> m_pButton;
+diff --git a/testing/resources/javascript/xfa_specific/bug_1444238.evt b/testing/resources/javascript/xfa_specific/bug_1444238.evt
+new file mode 100644
+index 0000000000000000000000000000000000000000..adca35aa0d756e76eb395c5d60ba41b86c3d0090
+--- /dev/null
++++ b/testing/resources/javascript/xfa_specific/bug_1444238.evt
+@@ -0,0 +1,3 @@
++mousedown,left,91,539
++mouseup,left,91,539
++charcode,32
+diff --git a/testing/resources/javascript/xfa_specific/bug_1444238.in b/testing/resources/javascript/xfa_specific/bug_1444238.in
+new file mode 100644
+index 0000000000000000000000000000000000000000..675178c9446b0181c3633a4b5c9bc664bb4c127d
+--- /dev/null
++++ b/testing/resources/javascript/xfa_specific/bug_1444238.in
+@@ -0,0 +1,149 @@
++{{header}}
++{{object 1 0}} <<
++  /Type /Catalog
++  /Pages 2 0 R
++  /AcroForm 4 0 R
++  /OpenAction 40 0 R
++>>
++endobj
++{{object 2 0}} <<
++  /Type /Pages
++  /Count 2
++  /Kids [
++    32 0 R
++    34 0 R
++  ]
++>>
++endobj
++% Forms
++{{object 4 0}} <<
++  /XFA 43 0 R
++  /Fields [
++    10 0 R
++    11 0 R
++  ]
++>>
++endobj
++% Fields
++{{object 10 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /FT /Tx
++  /T (MyField5)
++  /V (myfield_5)
++  /Rect [0 500 600 600]
++>>
++% Fields
++{{object 11 0}} <<
++  /T (MyField3)
++  /Parent 4 0 R
++  /Kids [12 0 R]
++  /Opt [(a) (b) (c) (d)]
++  /V [(a) (b) (c)]
++>>
++endobj
++% Fields
++{{object 12 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /FT /Ch
++  /Ff 131072
++  /Parent 11 0 R
++  /Kids [13 0 R]
++>>
++endobj
++% Fields
++{{object 13 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /Parent 12 0 R
++  /Rect [0 400 600 600]
++>>
++endobj
++% Fields
++{{object 14 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /Parent 12 0 R
++  /Rect [100 400 500 500]
++>>
++endobj
++% Page number 2.
++{{object 32 0}} <<
++  /Type /Page
++  /Parent 2 0 R
++  /MediaBox [0 0 612 792]
++  /Annots [13 0 R]
++
++>>
++endobj
++{{object 34 0}} <<
++  /Type /Page
++  /Parent 2 0 R
++  /MediaBox [0 0 612 792]
++  /Annots [10 0 R]
++>>
++endobj
++% Document JS Action
++{{object 40 0}} <<
++  /Type /Action
++  /S /JavaScript
++  /JS 41 0 R
++>>
++endobj
++% JS program to exexute
++{{object 41 0}} <<
++>>
++stream
++var f5 = this.getField("MyField5");
++var f3 = this.getField("MyField3");
++f3.setFocus();
++this.__defineGetter__("pageNum",function o(){f5.setFocus(); f3.borderStyle="dashed"; f3.setFocus();});
++endstream
++endobj
++{{object 43 0}} <<
++  {{streamlen}}
++>>
++stream
++<?xml version="1.0" encoding="UTF-8"?>
++<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
++<config></config>
++<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
++  <subform layout="tb" locale="en_US">
++    <pageSet>
++      <pageArea id="Page1" name="Page1">
++        <contentArea h="268.939mm" w="203.2mm" x="6.35mm" y="6.35mm"/>
++        <medium long="792pt" short="612pt" stock="default"/>
++      </pageArea>
++    </pageSet>
++    <field h="9.0001mm" name="MyField3" w="47.625mm" x="120mm" y="120mm">
++      <ui>
++        <choiceList open="onEntry">
++          <border>
++            <edge/>
++          </border>
++        </choiceList>
++      </ui>
++      <items save="1">
++        <text>apples</text>
++        <text>bananas</text>
++        <text>pears</text>
++      </items>
++      <value>
++        <text>apples</text>
++      </value>
++      <event activity="preOpen">
++        <script contentType="application/x-javascript">
++            var aa = this.pageNum;
++        </script>
++      </event>
++    </field>
++  </subform>
++</template>
++</xdp:xdp>
++endstream
++endobj
++{{xref}}
++{{trailer}}
++{{startxref}}
++%%EOF
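Review bot: In `CPWL_ComboBox::OnChar` the two new early returns after a failed `SetPopup()` (the `kReturn` and `kSpace` branches) mean "`this` was destroyed", yet they read exactly like the "character not handled" `return false` paths elsewhere in the method; a comment at each, `// |this| was destroyed inside SetPopup(); nothing further may be touched.`, would carry the distinction the header comment makes ("Returns |true| iff this instance is still allocated") down to the call sites, matching the note already present in `NotifyLButtonDown`/`NotifyLButtonUp`. The `(void)` casts in those two methods are consistent with the new `[[nodiscard]]`, since their existing comment already documents that `this` may be gone afterwards. `OnChar` begins and ends outside the hunks.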

+ 213 - 0
patches/pdfium/m114_observe_cpwl_combobox_across_all_on_methods.patch

@@ -0,0 +1,213 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <[email protected]>
+Date: Fri, 19 May 2023 20:05:10 +0000
+Subject: Observe CPWL_ComboBox across all On* methods
+
+Bug: chromium:1445426
+Change-Id: I1d7ebf66fe170ca016c27a0df3ac4574e75c763c
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107650
+Reviewed-by: Lei Zhang <[email protected]>
+Commit-Queue: Tom Sepez <[email protected]>
+(cherry picked from commit 29c665ea4c61b089746c3f502c30fcb5f4b11486)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107811
+
+diff --git a/fpdfsdk/pwl/cpwl_combo_box.cpp b/fpdfsdk/pwl/cpwl_combo_box.cpp
+index 6f89e7df41ea6691e805a4dd3942d5cb89787db3..4d834e698ee1b08bcc81d20e062e029620438b7e 100644
+--- a/fpdfsdk/pwl/cpwl_combo_box.cpp
++++ b/fpdfsdk/pwl/cpwl_combo_box.cpp
+@@ -339,31 +339,42 @@ bool CPWL_ComboBox::OnKeyDown(FWL_VKEYCODE nKeyCode,
+   if (!m_pEdit)
+     return false;
+ 
++  ObservedPtr<CPWL_Wnd> thisObserved(this);
+   m_nSelectItem = -1;
+ 
+   switch (nKeyCode) {
+     case FWL_VKEY_Up:
+       if (m_pList->GetCurSel() > 0) {
+-        if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag))
++        if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag) ||
++            !thisObserved) {
+           return false;
+-        if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag))
++        }
++        if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag) ||
++            !thisObserved) {
+           return false;
++        }
+         if (m_pList->IsMovementKey(nKeyCode)) {
+-          if (m_pList->OnMovementKeyDown(nKeyCode, nFlag))
++          if (m_pList->OnMovementKeyDown(nKeyCode, nFlag) || !thisObserved) {
+             return false;
++          }
+           SetSelectText();
+         }
+       }
+       return true;
+     case FWL_VKEY_Down:
+       if (m_pList->GetCurSel() < m_pList->GetCount() - 1) {
+-        if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag))
++        if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag) ||
++            !thisObserved) {
+           return false;
+-        if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag))
++        }
++        if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag) ||
++            !thisObserved) {
+           return false;
++        }
+         if (m_pList->IsMovementKey(nKeyCode)) {
+-          if (m_pList->OnMovementKeyDown(nKeyCode, nFlag))
++          if (m_pList->OnMovementKeyDown(nKeyCode, nFlag) || !thisObserved) {
+             return false;
++          }
+           SetSelectText();
+         }
+       }
+@@ -411,10 +422,15 @@ bool CPWL_ComboBox::OnChar(uint16_t nChar, Mask<FWL_EVENTFLAG> nFlag) {
+   if (HasFlag(PCBS_ALLOWCUSTOMTEXT))
+     return m_pEdit->OnChar(nChar, nFlag);
+ 
+-  if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag))
++  ObservedPtr<CPWL_Wnd> thisObserved(this);
++  if (GetFillerNotify()->OnPopupPreOpen(GetAttachedData(), nFlag) ||
++      !thisObserved) {
+     return false;
+-  if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag))
++  }
++  if (GetFillerNotify()->OnPopupPostOpen(GetAttachedData(), nFlag) ||
++      !thisObserved) {
+     return false;
++  }
+   if (!m_pList->IsChar(nChar, nFlag))
+     return false;
+   return m_pList->OnCharNotify(nChar, nFlag);
+diff --git a/testing/resources/javascript/bug_1445426.evt b/testing/resources/javascript/bug_1445426.evt
+new file mode 100644
+index 0000000000000000000000000000000000000000..265e85b0471b33509568238ccae30d2395b4b4ab
+--- /dev/null
++++ b/testing/resources/javascript/bug_1445426.evt
+@@ -0,0 +1,3 @@
++mousedown,left,202,697
++mouseup,left,202,697
++keycode,40
+diff --git a/testing/resources/javascript/bug_1445426.in b/testing/resources/javascript/bug_1445426.in
+new file mode 100644
+index 0000000000000000000000000000000000000000..1483da72f5759e9f2c8fdb538d5c6fa0cd1611c5
+--- /dev/null
++++ b/testing/resources/javascript/bug_1445426.in
+@@ -0,0 +1,114 @@
++{{header}}
++{{object 1 0}} <<
++  /Type /Catalog
++  /Pages 2 0 R
++  /AcroForm 4 0 R
++  /OpenAction 40 0 R
++>>
++endobj
++{{object 2 0}} <<
++  /Type /Pages
++  /Count 2
++  /Kids [
++    32 0 R
++    34 0 R
++  ]
++>>
++endobj
++% Forms
++{{object 4 0}} <<
++  /Fields [
++    10 0 R
++    11 0 R
++  ]
++>>
++endobj
++% Fields
++{{object 10 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /FT /Tx
++  /T (Field_TextEdit)
++  /Rect [0 0 612 792]
++>>
++{{object 11 0}} <<
++  /T (Field_ComboBox)
++  /Parent 4 0 R
++  /Kids [12 0 R]
++  /Opt [(a) (b) (c) (d)]
++  /V [(a)]
++>>
++endobj
++{{object 12 0}} <<
++  /Type /Annot
++  /Subtype /Widget
++  /FT /Ch
++  /Ff 131072
++  /Parent 11 0 R
++  /Kids [13 0 R]
++>>
++endobj
++{{object 13 0}} <<
++  /Parent 12 0 R
++  /Type /Annot
++  /Subtype /Widget
++  /Rect [0 0 612 792]
++  /AA << /K 20 0 R >>
++>>
++endobj
++% Pages
++{{object 32 0}} <<
++  /Type /Page
++  /Parent 2 0 R
++  /MediaBox [0 0 612 792]
++  /Annots [13 0 R]
++
++>>
++endobj
++{{object 34 0}} <<
++  /Type /Page
++  /Parent 2 0 R
++  /MediaBox [0 0 612 792]
++  /Annots [10 0 R]
++>>
++endobj
++% Document JS Action
++{{object 40 0}} <<
++  /Type /Action
++  /S /JavaScript
++  /JS 41 0 R
++>>
++endobj
++% JS program to exexute
++{{object 41 0}} <<
++  {{streamlen}}
++>>
++stream
++var field_text = this.getField("Field_TextEdit");
++var field_combobox = this.getField("Field_ComboBox");
++field_combobox.setFocus();
++this.__defineGetter__("filesize", function new_getter(){
++                                    field_text.setFocus();
++                                    field_combobox.borderStyle="dashed";
++                                    field_combobox.setFocus();
++                                  });
++endstream
++endobj
++% OpenAction action
++{{object 20 0}} <<
++  /S /JavaScript
++  /JS 21 0 R
++>>
++endobj
++% JS program to exexute
++{{object 21 0}} <<
++  {{streamlen}}
++>>
++stream
++var t = this.filesize;
++endstream
++endobj
++{{xref}}
++{{trailer}}
++{{startxref}}
++%%EOF
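Review bot: The `ObservedPtr<CPWL_Wnd> thisObserved(this)` declarations added in `OnKeyDown` and `OnChar` give no reason for the observation; a comment at each, `// OnPopupPreOpen()/OnPopupPostOpen() can run document JavaScript that destroys |this|.`, would explain the `|| !thisObserved` checks — the accompanying `bug_1445426.in` test drives a key event whose JS getter reassigns the combo box's border style, which presumably is what tears the widget down. As a point of style, the `FWL_VKEY_Up` and `FWL_VKEY_Down` cases now repeat the same three guarded calls verbatim, so a forgotten `!thisObserved` on a future case is easy; that is an upstream concern rather than something to change in a backport. `OnKeyDown` continues past the hunk, so the switch's remaining cases are not visible here and may need the same check if they notify out.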

+ 40 - 0
patches/pdfium/m114_observe_widget_across_setoptionselection_calls.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tom Sepez <[email protected]>
+Date: Thu, 18 May 2023 18:37:17 +0000
+Subject: Observe widget across SetOptionSelection() calls.
+
+Call may re-enter JavaScript.
+
+Bug: chromium:1444581
+Change-Id: Id7a2f17b3b81f822ca8f4496ac08c19b7794c48a
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107394
+Commit-Queue: Tom Sepez <[email protected]>
+Reviewed-by: Lei Zhang <[email protected]>
+(cherry picked from commit a9ff918a86d700c3bdf9b5820faed35490c0cd25)
+Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107735
+Auto-Submit: Tom Sepez <[email protected]>
+
+diff --git a/fpdfsdk/formfiller/cffl_listbox.cpp b/fpdfsdk/formfiller/cffl_listbox.cpp
+index 4bb100014c804adcfc7f1f2023cd1870f81c85e8..6fe5d91a2472a7aaadf13399b4e6075c2a9617c7 100644
+--- a/fpdfsdk/formfiller/cffl_listbox.cpp
++++ b/fpdfsdk/formfiller/cffl_listbox.cpp
+@@ -116,11 +116,18 @@ void CFFL_ListBox::SaveData(const CPDFSDK_PageView* pPageView) {
+   }
+   if (m_pWidget->GetFieldFlags() & pdfium::form_flags::kChoiceMultiSelect) {
+     for (int32_t i = 0, sz = pListBox->GetCount(); i < sz; i++) {
+-      if (pListBox->IsItemSelected(i))
++      if (pListBox->IsItemSelected(i)) {
+         m_pWidget->SetOptionSelection(i);
++        if (!observed_box) {
++          return;
++        }
++      }
+     }
+   } else {
+     m_pWidget->SetOptionSelection(pListBox->GetCurSel());
++    if (!observed_box) {
++      return;
++    }
+   }
+   ObservedPtr<CPDFSDK_Widget> observed_widget(m_pWidget.Get());
+   ObservedPtr<CFFL_ListBox> observed_this(this);
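Review bot: The new `if (!observed_box) return;` checks guard only the list box, while `ObservedPtr<CPDFSDK_Widget> observed_widget(m_pWidget.Get())` is constructed on the line after the `SetOptionSelection()` calls; if re-entered JavaScript can destroy the widget without also tearing down the list box, the next iteration of the multi-select loop would call `m_pWidget->SetOptionSelection(i)` through a dangling `UnownedPtr`. Unless that ordering is impossible (in which case a comment stating why `observed_box` suffices would help), moving the `observed_widget` construction above the `kChoiceMultiSelect` branch and checking `if (!observed_widget || !observed_box) return;` after each call closes the gap. `observed_box` is declared above the hunk and `CFFL_ListBox::SaveData` begins and ends outside it, so this reading should be confirmed against the full method.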

+ 2 - 0
patches/v8/.patches

@@ -15,6 +15,8 @@ cherry-pick-546e00df97ac.patch
 cherry-pick-f6ddbf42b1ea.patch
 cherry-pick-c605df24af3c.patch
 cherry-pick-f4b66ae451c2.patch
+cherry-pick-3b0607d14060.patch
+cherry-pick-9c6dfc733fce.patch
 merged_ic_fix_store_handler_selection_for_arguments_objects.patch
 cherry-pick-73af1a19a901.patch
 merged_regexp_fix_clobbered_register_in_global_unicode_special.patch

+ 186 - 0
patches/v8/cherry-pick-3b0607d14060.patch

@@ -0,0 +1,186 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Igor Sheludko <[email protected]>
+Date: Wed, 17 May 2023 13:47:36 +0200
+Subject: Merged: [runtime] Remove redundant calls to GetPropertyAttributes
+
+... when defining properties in favour of CheckIfCanDefine.
+
+Drive-by: move JSReceiver::CheckIfCanDefine to
+JSObject::CheckIfCanDefineAsConfigurable and fix handling of
+absent properties.
+
+Bug: chromium:1443452
+(cherry picked from commit e98baa3526426c0219bb0474028ca301b8bd0677)
+
+Change-Id: Ia1fd617778be608accee99dcee37f7d1ce3460b8
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4545762
+Commit-Queue: Igor Sheludko <[email protected]>
+Reviewed-by: Toon Verwaest <[email protected]>
+Cr-Commit-Position: refs/branch-heads/11.4@{#22}
+Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1}
+Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241}
+
+diff --git a/src/ic/ic.cc b/src/ic/ic.cc
+index fff21e90bad3451e2d942ec327cb02f394fecc46..32039f9888d3cb54699c6aefd0bcc3573044995e 100644
+--- a/src/ic/ic.cc
++++ b/src/ic/ic.cc
+@@ -1812,14 +1812,14 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object> object, Handle<Name> name,
+   // been thrown if the private field already exists in the object.
+   if (IsAnyDefineOwn() && !name->IsPrivateName() && !object->IsJSProxy() &&
+       !Handle<JSObject>::cast(object)->HasNamedInterceptor()) {
+-    Maybe<bool> can_define = JSReceiver::CheckIfCanDefine(
++    Maybe<bool> can_define = JSObject::CheckIfCanDefineAsConfigurable(
+         isolate(), &it, value, Nothing<ShouldThrow>());
+     MAYBE_RETURN_NULL(can_define);
+     if (!can_define.FromJust()) {
+       return isolate()->factory()->undefined_value();
+     }
+-    // Restart the lookup iterator updated by CheckIfCanDefine() for
+-    // UpdateCaches() to handle access checks.
++    // Restart the lookup iterator updated by CheckIfCanDefineAsConfigurable()
++    // for UpdateCaches() to handle access checks.
+     if (use_ic && object->IsAccessCheckNeeded()) {
+       it.Restart();
+     }
+diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
+index 15356b6c58d2f7355fa8b0dce4d3ea779a2884f9..e86fdec6a57e08bbcd229b7866f22ba3441f608c 100644
+--- a/src/objects/js-objects.cc
++++ b/src/objects/js-objects.cc
+@@ -243,27 +243,6 @@ Maybe<bool> JSReceiver::CheckPrivateNameStore(LookupIterator* it,
+   return Just(true);
+ }
+ 
+-// static
+-Maybe<bool> JSReceiver::CheckIfCanDefine(Isolate* isolate, LookupIterator* it,
+-                                         Handle<Object> value,
+-                                         Maybe<ShouldThrow> should_throw) {
+-  if (it->IsFound()) {
+-    Maybe<PropertyAttributes> attributes = GetPropertyAttributes(it);
+-    MAYBE_RETURN(attributes, Nothing<bool>());
+-    if ((attributes.FromJust() & DONT_DELETE) != 0) {
+-      RETURN_FAILURE(
+-          isolate, GetShouldThrow(isolate, should_throw),
+-          NewTypeError(MessageTemplate::kRedefineDisallowed, it->GetName()));
+-    }
+-  } else if (!JSObject::IsExtensible(
+-                 Handle<JSObject>::cast(it->GetReceiver()))) {
+-    RETURN_FAILURE(
+-        isolate, GetShouldThrow(isolate, should_throw),
+-        NewTypeError(MessageTemplate::kDefineDisallowed, it->GetName()));
+-  }
+-  return Just(true);
+-}
+-
+ namespace {
+ 
+ bool HasExcludedProperty(
+@@ -3639,7 +3618,7 @@ Maybe<bool> JSObject::DefineOwnPropertyIgnoreAttributes(
+ 
+         if (semantics == EnforceDefineSemantics::kDefine) {
+           it->Restart();
+-          Maybe<bool> can_define = JSReceiver::CheckIfCanDefine(
++          Maybe<bool> can_define = JSObject::CheckIfCanDefineAsConfigurable(
+               it->isolate(), it, value, should_throw);
+           if (can_define.IsNothing() || !can_define.FromJust()) {
+             return can_define;
+@@ -4068,17 +4047,16 @@ Maybe<bool> JSObject::CreateDataProperty(LookupIterator* it,
+                                          Handle<Object> value,
+                                          Maybe<ShouldThrow> should_throw) {
+   DCHECK(it->GetReceiver()->IsJSObject());
+-  MAYBE_RETURN(JSReceiver::GetPropertyAttributes(it), Nothing<bool>());
+   Handle<JSReceiver> receiver = Handle<JSReceiver>::cast(it->GetReceiver());
+   Isolate* isolate = receiver->GetIsolate();
+ 
+-  Maybe<bool> can_define =
+-      JSReceiver::CheckIfCanDefine(isolate, it, value, should_throw);
++  Maybe<bool> can_define = JSObject::CheckIfCanDefineAsConfigurable(
++      isolate, it, value, should_throw);
+   if (can_define.IsNothing() || !can_define.FromJust()) {
+     return can_define;
+   }
+ 
+-  RETURN_ON_EXCEPTION_VALUE(it->isolate(),
++  RETURN_ON_EXCEPTION_VALUE(isolate,
+                             DefineOwnPropertyIgnoreAttributes(it, value, NONE),
+                             Nothing<bool>());
+ 
+@@ -4707,19 +4685,42 @@ MaybeHandle<Object> JSObject::SetAccessor(Handle<JSObject> object,
+     return it.factory()->undefined_value();
+   }
+ 
+-  CHECK(GetPropertyAttributes(&it).IsJust());
+-
+-  // ES5 forbids turning a property into an accessor if it's not
+-  // configurable. See 8.6.1 (Table 5).
+-  if (it.IsFound() && !it.IsConfigurable()) {
+-    return it.factory()->undefined_value();
+-  }
++  Maybe<bool> can_define = JSObject::CheckIfCanDefineAsConfigurable(
++      isolate, &it, info, Nothing<ShouldThrow>());
++  MAYBE_RETURN_NULL(can_define);
++  if (!can_define.FromJust()) return it.factory()->undefined_value();
+ 
+   it.TransitionToAccessorPair(info, attributes);
+ 
+   return object;
+ }
+ 
++// static
++Maybe<bool> JSObject::CheckIfCanDefineAsConfigurable(
++    Isolate* isolate, LookupIterator* it, Handle<Object> value,
++    Maybe<ShouldThrow> should_throw) {
++  DCHECK(it->GetReceiver()->IsJSObject());
++  if (it->IsFound()) {
++    Maybe<PropertyAttributes> attributes = GetPropertyAttributes(it);
++    MAYBE_RETURN(attributes, Nothing<bool>());
++    if (attributes.FromJust() != ABSENT) {
++      if ((attributes.FromJust() & DONT_DELETE) != 0) {
++        RETURN_FAILURE(
++            isolate, GetShouldThrow(isolate, should_throw),
++            NewTypeError(MessageTemplate::kRedefineDisallowed, it->GetName()));
++      }
++      return Just(true);
++    }
++    // Property does not exist, check object extensibility.
++  }
++  if (!JSObject::IsExtensible(Handle<JSObject>::cast(it->GetReceiver()))) {
++    RETURN_FAILURE(
++        isolate, GetShouldThrow(isolate, should_throw),
++        NewTypeError(MessageTemplate::kDefineDisallowed, it->GetName()));
++  }
++  return Just(true);
++}
++
+ Object JSObject::SlowReverseLookup(Object value) {
+   if (HasFastProperties()) {
+     DescriptorArray descs = map().instance_descriptors();
+diff --git a/src/objects/js-objects.h b/src/objects/js-objects.h
+index 06489c2b7bae61ecadbd8f020060e86ef50e11b6..f663af6ed8a445f8ef30a67bac176a1abe6c85f8 100644
+--- a/src/objects/js-objects.h
++++ b/src/objects/js-objects.h
+@@ -167,12 +167,6 @@ class JSReceiver : public TorqueGeneratedJSReceiver<JSReceiver, HeapObject> {
+   V8_WARN_UNUSED_RESULT static Maybe<bool> CheckPrivateNameStore(
+       LookupIterator* it, bool is_define);
+ 
+-  // Check if a data property can be created on the object. It will fail with
+-  // an error when it cannot.
+-  V8_WARN_UNUSED_RESULT static Maybe<bool> CheckIfCanDefine(
+-      Isolate* isolate, LookupIterator* it, Handle<Object> value,
+-      Maybe<ShouldThrow> should_throw);
+-
+   // ES6 7.3.4 (when passed kDontThrow)
+   V8_WARN_UNUSED_RESULT static Maybe<bool> CreateDataProperty(
+       Isolate* isolate, Handle<JSReceiver> object, Handle<Name> key,
+@@ -544,6 +538,12 @@ class JSObject : public TorqueGeneratedJSObject<JSObject, JSReceiver> {
+       Handle<JSObject> object, Handle<Name> name, Handle<AccessorInfo> info,
+       PropertyAttributes attributes);
+ 
++  // Check if a data property can be created on the object. It will fail with
++  // an error when it cannot.
++  V8_WARN_UNUSED_RESULT static Maybe<bool> CheckIfCanDefineAsConfigurable(
++      Isolate* isolate, LookupIterator* it, Handle<Object> value,
++      Maybe<ShouldThrow> should_throw);
++
+   // The result must be checked first for exceptions. If there's no exception,
+   // the output parameter |done| indicates whether the interceptor has a result
+   // or not.
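Review bot: The header comment added to js-objects.h for `CheckIfCanDefineAsConfigurable` is the removed `CheckIfCanDefine` comment verbatim and no longer describes the function: the new body treats a found-but-`ABSENT` property as missing and falls through to the extensibility check, and the function now also guards accessor definition in `JSObject::SetAccessor`, not only data-property creation. I would replace it with `// Checks whether a property can be defined (or redefined) as configurable on the JSObject receiver of |it|: an existing property must not be DONT_DELETE, an absent one requires an extensible object. Fails with a TypeError per |should_throw| and advances |it|.` The `value` parameter is still unread in the new implementation, as it was in the removed one; if it is kept only for signature compatibility, a one-line comment saying so, or `[[maybe_unused]]`, would save readers looking for a use.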

+ 8 - 8
patches/v8/cherry-pick-73af1a19a901.patch

@@ -17,10 +17,10 @@ Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{
 Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241}
 
 diff --git a/src/objects/lookup-inl.h b/src/objects/lookup-inl.h
-index ff30fcc4f211f49d244e8431cfdb5cba29484329..579a195f06beec657271b8f84b5d92bc8c908d55 100644
+index 642d83ff070d6b631a755af78627989878f685a2..22960729c64062b9e8a4abaf6b5ed8d44ccaa2de 100644
 --- a/src/objects/lookup-inl.h
 +++ b/src/objects/lookup-inl.h
-@@ -167,7 +167,7 @@ Handle<Name> PropertyKey::GetName(Isolate* isolate) {
+@@ -190,7 +190,7 @@ Handle<Name> PropertyKey::GetName(Isolate* isolate) {
  }
  
  Handle<Name> LookupIterator::name() const {
@@ -29,7 +29,7 @@ index ff30fcc4f211f49d244e8431cfdb5cba29484329..579a195f06beec657271b8f84b5d92bc
    return name_;
  }
  
-@@ -254,6 +254,7 @@ void LookupIterator::UpdateProtector() {
+@@ -281,6 +281,7 @@ void LookupIterator::UpdateProtector() {
  }
  
  InternalIndex LookupIterator::descriptor_number() const {
@@ -37,7 +37,7 @@ index ff30fcc4f211f49d244e8431cfdb5cba29484329..579a195f06beec657271b8f84b5d92bc
    DCHECK(!IsElement(*holder_));
    DCHECK(has_property_);
    DCHECK(holder_->HasFastProperties(isolate_));
-@@ -261,6 +262,7 @@ InternalIndex LookupIterator::descriptor_number() const {
+@@ -288,6 +289,7 @@ InternalIndex LookupIterator::descriptor_number() const {
  }
  
  InternalIndex LookupIterator::dictionary_entry() const {
@@ -45,7 +45,7 @@ index ff30fcc4f211f49d244e8431cfdb5cba29484329..579a195f06beec657271b8f84b5d92bc
    DCHECK(!IsElement(*holder_));
    DCHECK(has_property_);
    DCHECK(!holder_->HasFastProperties(isolate_));
-@@ -275,13 +277,14 @@ LookupIterator::Configuration LookupIterator::ComputeConfiguration(
+@@ -302,13 +304,14 @@ LookupIterator::Configuration LookupIterator::ComputeConfiguration(
  }
  
  // static
@@ -181,10 +181,10 @@ index e08ebaff089f8ab0a1b347f9eb5befd85e3c115b..920d28ffa81798c2e5fe9e15db016501
    Handle<JSGlobalObject> holder = GetHolder<JSGlobalObject>();
    return handle(holder->global_dictionary(isolate_, kAcquireLoad)
 diff --git a/src/objects/lookup.h b/src/objects/lookup.h
-index 782a09225c17a92ee8f08d20ede0902613158c27..15bcda75f2493bf4800d250e37f4273de36a6334 100644
+index 67a8bac22e6e29df2d7df36937565e4cc0acde45..78a00d7ca0fab1ab8b2b1e49e3ffb92473b21cc9 100644
 --- a/src/objects/lookup.h
 +++ b/src/objects/lookup.h
-@@ -214,11 +214,6 @@ class V8_EXPORT_PRIVATE LookupIterator final {
+@@ -222,11 +222,6 @@ class V8_EXPORT_PRIVATE LookupIterator final {
                          Handle<Object> lookup_start_object,
                          Configuration configuration);
  
@@ -196,7 +196,7 @@ index 782a09225c17a92ee8f08d20ede0902613158c27..15bcda75f2493bf4800d250e37f4273d
    static void InternalUpdateProtector(Isolate* isolate, Handle<Object> receiver,
                                        Handle<Name> name);
  
-@@ -278,12 +273,12 @@ class V8_EXPORT_PRIVATE LookupIterator final {
+@@ -286,12 +281,12 @@ class V8_EXPORT_PRIVATE LookupIterator final {
                                                     Configuration configuration,
                                                     Handle<Name> name);
  

+ 150 - 0
patches/v8/cherry-pick-9c6dfc733fce.patch

@@ -0,0 +1,150 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Igor Sheludko <[email protected]>
+Date: Tue, 16 May 2023 16:01:49 +0200
+Subject: Merged: [runtime] Fix handling of interceptors
+
+Drive-by: simplify creation of LookupIterator copies.
+
+Bug: chromium:1440695
+(cherry picked from commit d125c7329f6e22af4523de3c55de3a22f168acc9)
+
+Change-Id: I58416531b9af3456f53264566ec1eb7457328f94
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4545763
+Reviewed-by: Toon Verwaest <[email protected]>
+Commit-Queue: Igor Sheludko <[email protected]>
+Cr-Commit-Position: refs/branch-heads/11.4@{#23}
+Cr-Branched-From: 8a8a1e7086dacc426965d3875914efa66663c431-refs/heads/11.4.183@{#1}
+Cr-Branched-From: 5483d8e816e0bbce865cbbc3fa0ab357e6330bab-refs/heads/main@{#87241}
+
+diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
+index e86fdec6a57e08bbcd229b7866f22ba3441f608c..b938d82667498d4ff3505d455a7ed3a299cd5247 100644
+--- a/src/objects/js-objects.cc
++++ b/src/objects/js-objects.cc
+@@ -3629,10 +3629,8 @@ Maybe<bool> JSObject::DefineOwnPropertyIgnoreAttributes(
+         // own property without the interceptor.
+         Isolate* isolate = it->isolate();
+         Handle<Object> receiver = it->GetReceiver();
+-        LookupIterator::Configuration c = LookupIterator::OWN_SKIP_INTERCEPTOR;
+-        LookupIterator own_lookup =
+-            it->IsElement() ? LookupIterator(isolate, receiver, it->index(), c)
+-                            : LookupIterator(isolate, receiver, it->name(), c);
++        LookupIterator own_lookup(isolate, receiver, it->GetKey(),
++                                  LookupIterator::OWN_SKIP_INTERCEPTOR);
+         return JSObject::DefineOwnPropertyIgnoreAttributes(
+             &own_lookup, value, attributes, should_throw, handling, semantics,
+             store_origin);
+diff --git a/src/objects/lookup-inl.h b/src/objects/lookup-inl.h
+index ff30fcc4f211f49d244e8431cfdb5cba29484329..642d83ff070d6b631a755af78627989878f685a2 100644
+--- a/src/objects/lookup-inl.h
++++ b/src/objects/lookup-inl.h
+@@ -130,6 +130,29 @@ PropertyKey::PropertyKey(Isolate* isolate, double index) {
+ #endif
+ }
+ 
++PropertyKey::PropertyKey(Isolate* isolate, Handle<Name> name, size_t index)
++    : name_(name), index_(index) {
++  DCHECK_IMPLIES(index_ == LookupIterator::kInvalidIndex, !name_.is_null());
++#if V8_TARGET_ARCH_32_BIT
++  DCHECK_IMPLIES(index_ != LookupIterator::kInvalidIndex,
++                 index_ <= JSObject::kMaxElementIndex);
++#endif
++#if DEBUG
++  if (index_ != LookupIterator::kInvalidIndex && !name_.is_null()) {
++    // If both valid index and name are given then the name is a string
++    // representation of the same index.
++    size_t integer_index;
++    CHECK(name_->AsIntegerIndex(&integer_index));
++    CHECK_EQ(index_, integer_index);
++  } else if (index_ == LookupIterator::kInvalidIndex) {
++    // If only name is given it must not be a string representing an integer
++    // index.
++    size_t integer_index;
++    CHECK(!name_->AsIntegerIndex(&integer_index));
++  }
++#endif
++}
++
+ PropertyKey::PropertyKey(Isolate* isolate, Handle<Name> name) {
+   if (name->AsIntegerIndex(&index_)) {
+     name_ = name;
+@@ -179,6 +202,10 @@ Handle<Name> LookupIterator::GetName() {
+   return name_;
+ }
+ 
++PropertyKey LookupIterator::GetKey() const {
++  return PropertyKey(isolate_, name_, index_);
++}
++
+ bool LookupIterator::IsElement(JSReceiver object) const {
+   return index_ <= JSObject::kMaxElementIndex ||
+          (index_ != kInvalidIndex &&
+diff --git a/src/objects/lookup.h b/src/objects/lookup.h
+index 782a09225c17a92ee8f08d20ede0902613158c27..67a8bac22e6e29df2d7df36937565e4cc0acde45 100644
+--- a/src/objects/lookup.h
++++ b/src/objects/lookup.h
+@@ -36,6 +36,11 @@ class PropertyKey {
+   inline Handle<Name> GetName(Isolate* isolate);
+ 
+  private:
++  friend LookupIterator;
++
++  // Shortcut for constructing PropertyKey from an active LookupIterator.
++  inline PropertyKey(Isolate* isolate, Handle<Name> name, size_t index);
++
+   Handle<Name> name_;
+   size_t index_;
+ };
+@@ -108,6 +113,9 @@ class V8_EXPORT_PRIVATE LookupIterator final {
+     return static_cast<uint32_t>(index_);
+   }
+ 
++  // Helper method for creating a copy of of the iterator.
++  inline PropertyKey GetKey() const;
++
+   // Returns true if this LookupIterator has an index in the range
+   // [0, size_t::max).
+   bool IsElement() const { return index_ != kInvalidIndex; }
+diff --git a/src/objects/objects.cc b/src/objects/objects.cc
+index c15ac8656adeaf92773a0c4049f7e903ecd2e07f..a7e1833f730e6e5869cd4925cca6dc908859000c 100644
+--- a/src/objects/objects.cc
++++ b/src/objects/objects.cc
+@@ -2668,11 +2668,8 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
+ 
+   // Note, the callers rely on the fact that this code is redoing the full own
+   // lookup from scratch.
+-  LookupIterator::Configuration c = LookupIterator::OWN;
+-  LookupIterator own_lookup =
+-      it->IsElement() ? LookupIterator(isolate, receiver, it->index(), c)
+-                      : LookupIterator(isolate, receiver, it->name(), c);
+-
++  LookupIterator own_lookup(isolate, receiver, it->GetKey(),
++                            LookupIterator::OWN);
+   for (; own_lookup.IsFound(); own_lookup.Next()) {
+     switch (own_lookup.state()) {
+       case LookupIterator::ACCESS_CHECK:
+@@ -2709,6 +2706,8 @@ Maybe<bool> Object::SetSuperProperty(LookupIterator* it, Handle<Object> value,
+             JSReceiver::GetOwnPropertyDescriptor(&own_lookup, &desc);
+         MAYBE_RETURN(owned, Nothing<bool>());
+         if (!owned.FromJust()) {
++          // |own_lookup| might become outdated at this point anyway.
++          own_lookup.Restart();
+           if (!CheckContextualStoreToJSGlobalObject(&own_lookup,
+                                                     should_throw)) {
+             return Nothing<bool>();
+diff --git a/test/unittests/api/interceptor-unittest.cc b/test/unittests/api/interceptor-unittest.cc
+index 635bf6a0b72f8d49591be333b1314846c9c47269..416f9bd1eb4c59160eb03031e6011ae02dcf021e 100644
+--- a/test/unittests/api/interceptor-unittest.cc
++++ b/test/unittests/api/interceptor-unittest.cc
+@@ -174,8 +174,10 @@ TEST_F(InterceptorLoggingTest, DispatchTest) {
+   EXPECT_EQ(Run("obj.foo"), "named getter");
+   EXPECT_EQ(Run("obj[42]"), "indexed getter");
+ 
+-  EXPECT_EQ(Run("obj.foo = null"), "named setter, named descriptor");
+-  EXPECT_EQ(Run("obj[42] = null"), "indexed setter, indexed descriptor");
++  EXPECT_EQ(Run("obj.foo = null"),
++            "named setter, named descriptor, named query");
++  EXPECT_EQ(Run("obj[42] = null"),
++            "indexed setter, indexed descriptor, indexed query");
+ 
+   EXPECT_EQ(Run("Object.getOwnPropertyDescriptor(obj, 'foo')"),
+             "named descriptor");

+ 6 - 6
patches/v8/m108-lts_api_fix_v8_object_setaccessorproperty.patch

@@ -219,10 +219,10 @@ index fc7b17d582e79b956362e0db46a7aefebd594ed0..8a81c4acda9a92b1d25491aa00278a0e
  
    return getter;
 diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
-index 15356b6c58d2f7355fa8b0dce4d3ea779a2884f9..834f83c0b0e68b9dcbe3fd0595dc2861cdd2c017 100644
+index b938d82667498d4ff3505d455a7ed3a299cd5247..e51264eef22c9fc91c89ef6fe0d223c97ccf7fa9 100644
 --- a/src/objects/js-objects.cc
 +++ b/src/objects/js-objects.cc
-@@ -1519,7 +1519,8 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
+@@ -1498,7 +1498,8 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
                  ? desc->set()
                  : Handle<Object>::cast(isolate->factory()->null_value()));
          MaybeHandle<Object> result =
@@ -232,7 +232,7 @@ index 15356b6c58d2f7355fa8b0dce4d3ea779a2884f9..834f83c0b0e68b9dcbe3fd0595dc2861
          if (result.is_null()) return Nothing<bool>();
        }
      }
-@@ -1700,8 +1701,8 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
+@@ -1679,8 +1680,8 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
                : current->has_set()
                      ? current->set()
                      : Handle<Object>::cast(isolate->factory()->null_value()));
@@ -243,7 +243,7 @@ index 15356b6c58d2f7355fa8b0dce4d3ea779a2884f9..834f83c0b0e68b9dcbe3fd0595dc2861
        if (result.is_null()) return Nothing<bool>();
      }
    }
-@@ -4635,22 +4636,19 @@ bool JSObject::HasEnumerableElements() {
+@@ -4611,22 +4612,19 @@ bool JSObject::HasEnumerableElements() {
    UNREACHABLE();
  }
  
@@ -274,10 +274,10 @@ index 15356b6c58d2f7355fa8b0dce4d3ea779a2884f9..834f83c0b0e68b9dcbe3fd0595dc2861
  
    it->UpdateProtector();
 diff --git a/src/objects/js-objects.h b/src/objects/js-objects.h
-index 06489c2b7bae61ecadbd8f020060e86ef50e11b6..ff96bd4be2ff8d2fe03f75b6bca35a744e2084af 100644
+index f663af6ed8a445f8ef30a67bac176a1abe6c85f8..5e7326eb1c99115829c358cd4069e1f6835f972b 100644
 --- a/src/objects/js-objects.h
 +++ b/src/objects/js-objects.h
-@@ -531,13 +531,14 @@ class JSObject : public TorqueGeneratedJSObject<JSObject, JSReceiver> {
+@@ -525,13 +525,14 @@ class JSObject : public TorqueGeneratedJSObject<JSObject, JSReceiver> {
    GetPropertyAttributesWithFailedAccessCheck(LookupIterator* it);
  
    // Defines an AccessorPair property on the given object.

+ 1 - 1
patches/v8/merged_ic_fix_store_handler_selection_for_arguments_objects.patch

@@ -59,7 +59,7 @@ index 43511407e0eb54e2ce22ee132d8a4d37c52b13a7..cd6d834d6b7ec84c1d46105449ca775c
  }
  
 diff --git a/src/ic/ic.cc b/src/ic/ic.cc
-index fff21e90bad3451e2d942ec327cb02f394fecc46..f86d9acf9073aba1662de103c5dd5d6056df19bf 100644
+index 32039f9888d3cb54699c6aefd0bcc3573044995e..0a7794de93dc6ba2a20f106ccf2d5f4b30319167 100644
 --- a/src/ic/ic.cc
 +++ b/src/ic/ic.cc
 @@ -2296,10 +2296,18 @@ Handle<Object> KeyedStoreIC::StoreElementHandler(