chore: cherry-pick 3 changes from 3-M123 (#41854)

* chore: [29-x-y] cherry-pick 3 changes from 3-M123

* a65e511a14b4 from DirectXShaderCompiler
* f6672dbbe223 from angle
* 1b1f34234346 from chromium

* chore: update patches

---------

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>

patches/DirectXShaderCompiler/.patches

@@ -0,0 +1 @@
+cherry-pick-a65e511a14b4.patch

patches/DirectXShaderCompiler/cherry-pick-a65e511a14b4.patch

@@ -0,0 +1,66 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Antonio Maiorano <[email protected]>
+Date: Wed, 3 Apr 2024 15:58:51 -0400
+Subject: Fix ASAN use-after-free on unreferenced self-assignment of struct
+ instance (#6466)
+
+When deleting an unused memcpy, ScalarReplAggregatesHLSL was attempting
+to delete both the target and the source of the memcpy without first
+checking if they were both same, resulting in a double-delete.
+
+Bug: chromium:331123811
+Change-Id: Idaef95a06b10a7fb6f0ca2e662972a44ec662fbc
+Reviewed-on: https://chromium-review.googlesource.com/c/external/github.com/microsoft/DirectXShaderCompiler/+/5419225
+Reviewed-by: David Neto <[email protected]>
+Reviewed-by: dan sinclair <[email protected]>
+Reviewed-by: Ben Clayton <[email protected]>
+
+diff --git a/lib/Transforms/Scalar/ScalarReplAggregatesHLSL.cpp b/lib/Transforms/Scalar/ScalarReplAggregatesHLSL.cpp
+index 59f32a953ac5991e38c44d685f0f8fc589377b4d..3f8ffdbcfa09a96899295fd85291cedb879a248b 100644
+--- a/lib/Transforms/Scalar/ScalarReplAggregatesHLSL.cpp
++++ b/lib/Transforms/Scalar/ScalarReplAggregatesHLSL.cpp
+@@ -1003,9 +1003,11 @@ void DeleteMemcpy(MemCpyInst *MI) {
+     if (op0->user_empty())
+       op0->eraseFromParent();
+   }
+-  if (Instruction *op1 = dyn_cast<Instruction>(Op1)) {
+-    if (op1->user_empty())
+-      op1->eraseFromParent();
++  if (Op0 != Op1) {
++    if (Instruction *op1 = dyn_cast<Instruction>(Op1)) {
++      if (op1->user_empty())
++        op1->eraseFromParent();
++    }
+   }
+ }
+ 
+diff --git a/tools/clang/test/DXC/unreferenced_struct_selft_assignment_crash.hlsl b/tools/clang/test/DXC/unreferenced_struct_selft_assignment_crash.hlsl
+new file mode 100644
+index 0000000000000000000000000000000000000000..81adf71867c9868992372e12dc1ba81aebb48344
+--- /dev/null
++++ b/tools/clang/test/DXC/unreferenced_struct_selft_assignment_crash.hlsl
+@@ -0,0 +1,24 @@
++// RUN: %dxc -T cs_6_0 %s | FileCheck %s
++
++// Validate that self-assignment of a static struct instance that is not
++// referenced does not crash the compiler. This was resulting in an ASAN
++// use-after-free in ScalarReplAggregatesHLSL because DeleteMemcpy would
++// attempt to delete both source and target, even if both were the same.
++// CHECK: define void @main() {
++// CHECK-NEXT:   ret void
++// CHECK-NEXT: }
++
++struct MyStruct {
++  int m0;
++};
++
++static MyStruct s;
++
++void foo() {
++  s = s;
++}
++
++[numthreads(1, 1, 1)]
++void main() {
++  foo();
++}

patches/angle/.patches

@@ -1 +1,2 @@
 m123_vulkan_fix_access_to_inactive_attributes.patch
+cherry-pick-f6672dbbe223.patch

patches/angle/cherry-pick-f6672dbbe223.patch

@@ -0,0 +1,267 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shahbaz Youssefi <[email protected]>
+Date: Mon, 25 Mar 2024 14:46:56 -0400
+Subject: M123: Translator: Disallow samplers in structs in interface blocks
+
+As disallowed by the spec:
+
+> Types and declarators are the same as for other uniform variable
+> declarations outside blocks, with these exceptions:
+>
+> * opaque types are not allowed
+
+Bug: chromium:328859176
+Change-Id: Ib94977860102329e520e635c3757827c93ca2163
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986
+Auto-Submit: Shahbaz Youssefi <[email protected]>
+Reviewed-by: Geoff Lang <[email protected]>
+Commit-Queue: Shahbaz Youssefi <[email protected]>
+(cherry picked from commit a0fa06f6d79ced897c0fe2795551268199d29806)
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5435737
+Reviewed-by: Yuly Novikov <[email protected]>
+
+diff --git a/src/compiler/translator/ParseContext.cpp b/src/compiler/translator/ParseContext.cpp
+index 38bd4ca13a4a8828ebbe64e19bd740639bce5083..98b4dc46fec65269a87ee920d8e63a1d0350fbae 100644
+--- a/src/compiler/translator/ParseContext.cpp
++++ b/src/compiler/translator/ParseContext.cpp
+@@ -34,27 +34,39 @@ namespace
+ 
+ const int kWebGLMaxStructNesting = 4;
+ 
+-bool ContainsSampler(const TStructure *structType);
++struct IsSamplerFunc
++{
++    bool operator()(TBasicType type) { return IsSampler(type); }
++};
++struct IsOpaqueFunc
++{
++    bool operator()(TBasicType type) { return IsOpaqueType(type); }
++};
++
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType);
+ 
+-bool ContainsSampler(const TType &type)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TType &type)
+ {
+-    if (IsSampler(type.getBasicType()))
++    if (OpaqueFunc{}(type.getBasicType()))
+     {
+         return true;
+     }
+     if (type.getBasicType() == EbtStruct)
+     {
+-        return ContainsSampler(type.getStruct());
++        return ContainsOpaque<OpaqueFunc>(type.getStruct());
+     }
+ 
+     return false;
+ }
+ 
+-bool ContainsSampler(const TStructure *structType)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType)
+ {
+     for (const auto &field : structType->fields())
+     {
+-        if (ContainsSampler(*field->type()))
++        if (ContainsOpaque<OpaqueFunc>(*field->type()))
+             return true;
+     }
+     return false;
+@@ -1113,7 +1125,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line,
+ {
+     if (pType.type == EbtStruct)
+     {
+-        if (ContainsSampler(pType.userDef))
++        if (ContainsOpaque<IsSamplerFunc>(pType.userDef))
+         {
+             std::stringstream reasonStream = sh::InitializeStream<std::stringstream>();
+             reasonStream << reason << " (structure contains a sampler)";
+@@ -4979,12 +4991,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
+     {
+         TField *field    = (*fieldList)[memberIndex];
+         TType *fieldType = field->type();
+-        if (IsOpaqueType(fieldType->getBasicType()))
++        if (ContainsOpaque<IsOpaqueFunc>(*fieldType))
+         {
+-            std::string reason("unsupported type - ");
+-            reason += fieldType->getBasicString();
+-            reason += " types are not allowed in interface blocks";
+-            error(field->line(), reason.c_str(), fieldType->getBasicString());
++            error(field->line(), "Opaque types are not allowed in interface blocks", blockName);
+         }
+ 
+         const TQualifier qualifier = fieldType->getQualifier();
+diff --git a/src/tests/gl_tests/GLSLTest.cpp b/src/tests/gl_tests/GLSLTest.cpp
+index ed63153e49b2425a974a497a1fae2f9fdc79afa6..cfe6414d52647db92669be954cadd15344603559 100644
+--- a/src/tests/gl_tests/GLSLTest.cpp
++++ b/src/tests/gl_tests/GLSLTest.cpp
+@@ -6716,7 +6716,34 @@ void main()
+     gl_FragColor = vec4(f(us), 0, 0, 1);
+ })";
+ 
+-    CompileShader(GL_FRAGMENT_SHADER, kFS);
++    GLuint fs = CompileShader(GL_FRAGMENT_SHADER, kFS);
++    EXPECT_NE(fs, 0u);
++    ASSERT_GL_NO_ERROR();
++}
++
++// Test that structs with samplers are not allowed in interface blocks.  This is forbidden per
++// GLES3:
++//
++// > Types and declarators are the same as for other uniform variable declarations outside blocks,
++// > with these exceptions:
++// > * opaque types are not allowed
++TEST_P(GLSLTest_ES3, StructWithSamplersDisallowedInInterfaceBlock)
++{
++    const char kFS[] = R"(#version 300 es
++precision mediump float;
++struct S { sampler2D samp; bool b; };
++
++layout(std140) uniform Buffer { S s; } buffer;
++
++out vec4 color;
++
++void main()
++{
++    color = texture(buffer.s.samp, vec2(0));
++})";
++
++    GLuint fs = CompileShader(GL_FRAGMENT_SHADER, kFS);
++    EXPECT_EQ(fs, 0u);
+     ASSERT_GL_NO_ERROR();
+ }
+ 
+@@ -18357,6 +18384,116 @@ void main() {
+     EXPECT_EQ(0u, shader);
+ }
+ 
++// Same as TooManyFieldsInStruct, but with samplers in the struct.
++TEST_P(GLSLTest_ES3, TooManySamplerFieldsInStruct)
++{
++    std::ostringstream fs;
++    fs << R"(#version 300 es
++precision highp float;
++struct TooManyFields
++{
++)";
++    for (uint32_t i = 0; i < (1 << 16); ++i)
++    {
++        fs << "    sampler2D field" << i << ";\n";
++    }
++    fs << R"(};
++uniform TooManyFields s;
++out vec4 color;
++void main() {
++    color = texture(s.field0, vec2(0));
++})";
++
++    GLuint shader = CompileShader(GL_FRAGMENT_SHADER, fs.str().c_str());
++    EXPECT_EQ(0u, shader);
++}
++
++// More complex variation of ManySamplerFieldsInStruct.  This one compiles fine.
++TEST_P(GLSLTest_ES3, ManySamplerFieldsInStructComplex)
++{
++    // D3D and OpenGL may be more restrictive about this many samplers.
++    ANGLE_SKIP_TEST_IF(IsD3D() || IsOpenGL());
++
++    std::ostringstream fs;
++    fs << R"(#version 300 es
++precision highp float;
++
++struct X {
++    mediump sampler2D a[0xf00];
++    mediump sampler2D b[0xf00];
++    mediump sampler2D c[0xf000];
++    mediump sampler2D d[0xf00];
++};
++
++struct Y {
++  X s1;
++  mediump sampler2D a[0xf00];
++  mediump sampler2D b[0xf000];
++  mediump sampler2D c[0x14000];
++};
++
++struct S {
++    Y s1;
++};
++
++struct structBuffer { S s; };
++
++uniform structBuffer b;
++
++out vec4 color;
++void main()
++{
++    color = texture(b.s.s1.s1.c[0], vec2(0));
++})";
++
++    GLuint shader = CompileShader(GL_FRAGMENT_SHADER, fs.str().c_str());
++    EXPECT_NE(0u, shader);
++}
++
++// Make sure a large array of samplers works.
++TEST_P(GLSLTest, ManySamplers)
++{
++    // D3D and OpenGL may be more restrictive about this many samplers.
++    ANGLE_SKIP_TEST_IF(IsD3D() || IsOpenGL());
++
++    std::ostringstream fs;
++    fs << R"(precision highp float;
++
++uniform mediump sampler2D c[0x12000];
++
++void main()
++{
++    gl_FragColor = texture2D(c[0], vec2(0));
++})";
++
++    GLuint shader = CompileShader(GL_FRAGMENT_SHADER, fs.str().c_str());
++    EXPECT_NE(0u, shader);
++}
++
++// Make sure a large array of samplers works when declared in a struct.
++TEST_P(GLSLTest, ManySamplersInStruct)
++{
++    // D3D and OpenGL may be more restrictive about this many samplers.
++    ANGLE_SKIP_TEST_IF(IsD3D() || IsOpenGL());
++
++    std::ostringstream fs;
++    fs << R"(precision highp float;
++
++struct X {
++    mediump sampler2D c[0x12000];
++};
++
++uniform X x;
++
++void main()
++{
++    gl_FragColor = texture2D(x.c[0], vec2(0));
++})";
++
++    GLuint shader = CompileShader(GL_FRAGMENT_SHADER, fs.str().c_str());
++    EXPECT_NE(0u, shader);
++}
++
+ // Test that passing large arrays to functions are compiled correctly.  Regression test for the
+ // SPIR-V generator that made a copy of the array to pass to the function, by decomposing and
+ // reconstructing it (in the absence of OpCopyLogical), but the reconstruction instruction has a
+diff --git a/src/tests/gl_tests/PixelLocalStorageTest.cpp b/src/tests/gl_tests/PixelLocalStorageTest.cpp
+index c49ba5741ad565ad9637fb2188a472ccbebc6284..126936271eb25eec601349a560fabc6f0f7d4b75 100644
+--- a/src/tests/gl_tests/PixelLocalStorageTest.cpp
++++ b/src/tests/gl_tests/PixelLocalStorageTest.cpp
+@@ -5573,8 +5573,7 @@ TEST_P(PixelLocalStorageCompilerTest, Declarations)
+     EXPECT_FALSE(log.compileFragmentShader(kPLSInStruct));
+     EXPECT_TRUE(log.has("ERROR: 0:5: 'pixelLocalANGLE' : disallowed type in struct"));
+     EXPECT_TRUE(
+-        log.has("ERROR: 0:10: 'pixelLocalANGLE' : unsupported type - pixelLocalANGLE types are not "
+-                "allowed in interface blocks"));
++        log.has("ERROR: 0:10: 'PLSBlock' : Opaque types are not allowed in interface blocks"));
+ 
+     ASSERT_GL_NO_ERROR();
+ }

patches/chromium/.patches

@@ -133,3 +133,4 @@ fix_getcursorscreenpoint_wrongly_returns_0_0.patch
 fix_add_support_for_skipping_first_2_no-op_refreshes_in_thumb_cap.patch
 remove_dxdiag_telemetry_code.patch
 cherry-pick-2607ddacd643.patch
+cherry-pick-1b1f34234346.patch

patches/chromium/cherry-pick-1b1f34234346.patch

@@ -0,0 +1,42 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: kylechar <[email protected]>
+Date: Tue, 9 Apr 2024 17:14:26 +0000
+Subject: Validate buffer length
+
+The BitmapInSharedMemory mojo traits were only validating row length and
+not total buffer length.
+
+(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746)
+
+(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f)
+
+Bug: 331237485
+Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796
+Commit-Queue: Kyle Charbonneau <[email protected]>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432
+Commit-Queue: danakj <[email protected]>
+Cr-Original-Commit-Position: refs/branch-heads/6312@{#786}
+Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678
+Reviewed-by: danakj <[email protected]>
+Reviewed-by: Kyle Charbonneau <[email protected]>
+Cr-Commit-Position: refs/branch-heads/6099@{#2003}
+Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
+
+diff --git a/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+index a6e5f45d9e72b9ac48e536c3a7756966b3c263cf..519d554055e5182cdcbae44fafdac339a64a923b 100644
+--- a/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
++++ b/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+@@ -76,6 +76,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read(
+   if (!mapping_ptr->IsValid())
+     return false;
+ 
++  if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) {
++    return false;
++  }
++
+   if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(),
+                                 data.row_bytes(), &DeleteSharedMemoryMapping,
+                                 mapping_ptr.get())) {

patches/config.json

@@ -12,5 +12,6 @@
   { "patch_dir": "src/electron/patches/ReactiveObjC", "repo": "src/third_party/squirrel.mac/vendor/ReactiveObjC" },
   { "patch_dir": "src/electron/patches/webrtc", "repo": "src/third_party/webrtc" },
   { "patch_dir": "src/electron/patches/reclient-configs", "repo": "src/third_party/engflow-reclient-configs" },
-  { "patch_dir": "src/electron/patches/angle", "repo": "src/third_party/angle" }
+  { "patch_dir": "src/electron/patches/angle", "repo": "src/third_party/angle" },
+  { "patch_dir": "src/electron/patches/DirectXShaderCompiler", "repo": "src/third_party/dawn/third_party/dxc" }
 ]