
chore: bump Chromium to 126.0.6478.261

Milan Burda 3 months ago
parent
commit
db82da476a
42 changed files with 56 additions and 4020 deletions
  1. 1 1
      DEPS
  2. 1 12
      patches/chromium/.patches
  3. 6 6
      patches/chromium/build_do_not_depend_on_packed_resource_integrity.patch
  4. 6 7
      patches/chromium/cherry-pick-3a6ff45cc3f4.patch
  5. 0 288
      patches/chromium/cherry-pick-44b7fbf35b10.patch
  6. 0 178
      patches/chromium/cherry-pick-923797bac925.patch
  7. 0 184
      patches/chromium/cherry-pick-a51e7ebb7663.patch
  8. 0 188
      patches/chromium/cherry-pick-c333ed995449.patch
  9. 0 104
      patches/chromium/cherry-pick-e699ac35ac6c.patch
  10. 23 24
      patches/chromium/cherry-pick-f3300abe2fcd.patch
  11. 5 5
      patches/chromium/fix_move_autopipsettingshelper_behind_branding_buildflag.patch
  12. 0 75
      patches/chromium/m126-lts_check_string_range_in_shapesegment.patch
  13. 0 50
      patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch
  14. 0 63
      patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch
  15. 0 205
      patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch
  16. 0 89
      patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch
  17. 0 57
      patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch
  18. 0 2
      patches/dawn/.patches
  19. 0 680
      patches/dawn/ir_fix_robustness_transform_on_textureload_of_sampled_and_depth.patch
  20. 1 1
      patches/dawn/msl_use_packed_vec3_for_workgroup_storage.patch
  21. 1 1
      patches/dawn/tint_validate_layout_constraints_for_all_address_spaces.patch
  22. 0 217
      patches/dawn/tint_validate_that_align_is_large_enough.patch
  23. 0 5
      patches/skia/.patches
  24. 0 158
      patches/skia/ganesh_avoid_int_overflow_in_patternhelper.patch
  25. 0 42
      patches/skia/m126-lts_ganesh_avoid_int_overflow_in_drawatlasopimpl.patch
  26. 0 44
      patches/skia/m126-lts_ganesh_avoid_int_overflow_when_combining_regionops.patch
  27. 0 33
      patches/skia/m126-lts_ganesh_fix_meshop_index_combination_logic.patch
  28. 0 202
      patches/skia/m126-lts_sksl_rp_prevent_overflow_when_computing_slot_allocation.patch
  29. 1 11
      patches/v8/.patches
  30. 0 282
      patches/v8/cherry-pick-81155a8f3b20.patch
  31. 0 145
      patches/v8/cherry-pick-9542895cdd3d.patch
  32. 9 7
      patches/v8/cherry-pick-aad648bd2af9.patch
  33. 0 29
      patches/v8/cherry-pick-f612d9a40b19.patch
  34. 1 1
      patches/v8/deps_add_v8_object_setinternalfieldfornodecore.patch
  35. 0 58
      patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch
  36. 0 80
      patches/v8/m126-lts_liftoff_fix_clobbered_scratch_register.patch
  37. 0 81
      patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch
  38. 0 35
      patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch
  39. 0 226
      patches/v8/merged_heap_sandbox_update_ept_s_evacuation_entries_in_scavenger.patch
  40. 0 39
      patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch
  41. 1 1
      patches/v8/revert_api_cleanup_remove_setaccessor_and_setnativedataproperty.patch
  42. 0 104
      patches/v8/spill_all_loop_inputs_before_entering_loop.patch

+ 1 - 1
DEPS

@@ -2,7 +2,7 @@ gclient_gn_args_from = 'src'
 
 vars = {
   'chromium_version':
-    '126.0.6478.234',
+    '126.0.6478.261',
   'node_version':
     'v20.18.0',
   'nan_version':

+ 1 - 12
patches/chromium/.patches

@@ -132,17 +132,6 @@ feat_enable_passing_exit_code_on_service_process_crash.patch
 x11_use_localized_display_label_only_for_browser_process.patch
 feat_enable_customizing_symbol_color_in_framecaptionbutton.patch
 cherry-pick-99cafbf4b4b9.patch
-cherry-pick-44b7fbf35b10.patch
 fix_potential_draggable_region_crash_when_no_mainframeimpl.patch
-cherry-pick-c333ed995449.patch
-m126-lts_fix_a_range_check_for_when_it_overflows.patch
-m126-lts_check_string_range_in_shapesegment.patch
-m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch
-m126-lts_protect_automation_rate_from_non-deterministic_change.patch
-m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch
-m130_extensions_serviceworker_skip_worker_for_isolated_world.patch
-cherry-pick-923797bac925.patch
-cherry-pick-e699ac35ac6c.patch
 cherry-pick-3a6ff45cc3f4.patch
-cherry-pick-a51e7ebb7663.patch
-cherry-pick-f3300abe2fcd.patch
+cherry-pick-f3300abe2fcd.patch
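Review bot: The eleven entries dropped from this list (`cherry-pick-44b7fbf35b10.patch` through `cherry-pick-a51e7ebb7663.patch`) stop being applied on the assumption that 126.0.6478.261 already carries the same changes, but nothing in the commit records that this was checked patch by patch. Judging by the descriptions in the deleted files shown on this page, at least two of them are object-lifetime fixes (the ThrottlingURLLoader weak-pointer checks, and the VideoCaptureController change from raw pointers to scoped_refptr "to prevent dangling pointers"), so a fix that is missing upstream would silently reopen a memory-safety bug. I would record the verification in the commit description, for example `Removed patches are all contained in 126.0.6478.261 (checked against the upstream tag)`, and confirm it per entry before merging. The paired `-`/`+` on `cherry-pick-f3300abe2fcd.patch` shows identical text, presumably only an end-of-file newline change.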

+ 6 - 6
patches/chromium/build_do_not_depend_on_packed_resource_integrity.patch

@@ -33,10 +33,10 @@ index c13bf8667c6996ec8ad4a3149993b266cea446bf..da2704e283bbaad9110ca57fb5bef786
            "//base",
            "//build:branding_buildflags",
 diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
-index 0be27cd41b86673d7c8a4a8d7211a19ad8c8e36c..e67d70e81cbad7520616e5d19565d59dde1491c2 100644
+index aa9bd9c38d2d9e256e0af1b03016f4f39c122c24..607c7f9e036708ab44c6c5023b6e23eaff0d14cd 100644
 --- a/chrome/browser/BUILD.gn
 +++ b/chrome/browser/BUILD.gn
-@@ -4926,7 +4926,7 @@ static_library("browser") {
+@@ -4928,7 +4928,7 @@ static_library("browser") {
  
      # On Windows, the hashes are embedded in //chrome:chrome_initial rather
      # than here in :chrome_dll.
@@ -46,10 +46,10 @@ index 0be27cd41b86673d7c8a4a8d7211a19ad8c8e36c..e67d70e81cbad7520616e5d19565d59d
        sources += [ "certificate_viewer_stub.cc" ]
      }
 diff --git a/chrome/test/BUILD.gn b/chrome/test/BUILD.gn
-index be760daff67da63b569dd4a523f9d0cef23a38aa..4e56d76c60fccbe5b63c974ffbefe3905f20f112 100644
+index 25ffa1ddfb1346c9a695b4107622a2280581f163..e97d6b846e0a5f43ab2a0981d4e7672fd91a043b 100644
 --- a/chrome/test/BUILD.gn
 +++ b/chrome/test/BUILD.gn
-@@ -7321,9 +7321,12 @@ test("unit_tests") {
+@@ -7322,9 +7322,12 @@ test("unit_tests") {
        "//chrome/browser/safe_browsing/incident_reporting/verifier_test:verifier_test_dll_2",
      ]
  
@@ -63,7 +63,7 @@ index be760daff67da63b569dd4a523f9d0cef23a38aa..4e56d76c60fccbe5b63c974ffbefe390
        "//chrome//services/util_win:unit_tests",
        "//chrome/app:chrome_dll_resources",
        "//chrome/app:win_unit_tests",
-@@ -8322,6 +8325,10 @@ test("unit_tests") {
+@@ -8323,6 +8326,10 @@ test("unit_tests") {
        "../browser/performance_manager/policies/background_tab_loading_policy_unittest.cc",
      ]
  
@@ -74,7 +74,7 @@ index be760daff67da63b569dd4a523f9d0cef23a38aa..4e56d76c60fccbe5b63c974ffbefe390
      sources += [
        # The importer code is not used on Android.
        "../common/importer/firefox_importer_utils_unittest.cc",
-@@ -8398,7 +8405,6 @@ test("unit_tests") {
+@@ -8399,7 +8406,6 @@ test("unit_tests") {
      }
  
      deps += [

+ 6 - 7
patches/chromium/cherry-pick-3a6ff45cc3f4.patch

@@ -1,7 +1,7 @@
-From 3a6ff45cc3f48a359772f81c512c512b4f2d2643 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Stefan Zager <[email protected]>
 Date: Sat, 14 Dec 2024 11:06:00 -0800
-Subject: [PATCH] [M130] Prevent ImageData from being reclaimed while in use
+Subject: Prevent ImageData from being reclaimed while in use
 
 Cherry-picked from:
   https://chromium-review.googlesource.com/c/chromium/src/+/5990752
@@ -14,13 +14,12 @@ Owners-Override: Prudhvikumar Bommana <[email protected]>
 Commit-Queue: Prudhvikumar Bommana <[email protected]>
 Cr-Commit-Position: refs/branch-heads/6723@{#2713}
 Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
----
 
 diff --git a/cc/tiles/gpu_image_decode_cache.cc b/cc/tiles/gpu_image_decode_cache.cc
-index df1d24b..39fa3ff 100644
+index 93892bae834e596aa71d824d87d6614e143a9e5c..584789095c749bee6732d89c78d2a8eb61be7082 100644
 --- a/cc/tiles/gpu_image_decode_cache.cc
 +++ b/cc/tiles/gpu_image_decode_cache.cc
-@@ -2401,6 +2401,9 @@
+@@ -2400,6 +2400,9 @@ void GpuImageDecodeCache::DecodeImageIfNecessary(
  
    image_data->decode.ResetData();
  
@@ -30,7 +29,7 @@ index df1d24b..39fa3ff 100644
    // Decode the image into `aux_image_data` while the lock is not held.
    DecodedAuxImageData aux_image_data[kAuxImageCount];
    {
-@@ -2728,6 +2731,9 @@
+@@ -2727,6 +2730,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_YUVA(
    sk_sp<SkImage> uploaded_v_image =
        image_data->decode.image(2, AuxImage::kDefault);
  
@@ -40,7 +39,7 @@ index df1d24b..39fa3ff 100644
    // For kGpu, we upload and color convert (if necessary).
    if (image_data->mode == DecodedDataMode::kGpu) {
      DCHECK(!use_transfer_cache_);
-@@ -2815,6 +2821,9 @@
+@@ -2814,6 +2820,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary_GpuCpu_RGBA(
    DCHECK(!use_transfer_cache_);
    DCHECK(!image_data->info.yuva.has_value());
  

+ 0 - 288
patches/chromium/cherry-pick-44b7fbf35b10.patch

@@ -1,288 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hiroshige Hayashizaki <[email protected]>
-Date: Tue, 16 Jul 2024 03:44:29 +0000
-Subject: Handle ThrottlingURLLoader deletion during throttle calls
-
-Theoretically `ThrottlingURLLoader` can be deleted during
-throttle calls and some call sites have already protection
-for such cases. This CL adds the protection for more call sites.
-
-This CL also adds more unit tests for cancelling/deleting
-`ThrottlingURLLoader` during throttle calls.
-
-(cherry picked from commit c40f8866cfd6438725cc58e5db2d792e6d9f869b)
-
-Bug: 349342289
-Change-Id: I80d64be9ba1a3ac920315f5b4012b29c9737e414
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5665925
-Commit-Queue: Hiroshige Hayashizaki <[email protected]>
-Reviewed-by: Tsuyoshi Horo <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1323986}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5710951
-Bot-Commit: Rubber Stamper <[email protected]>
-Reviewed-by: Kouhei Ueno <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6533@{#1515}
-Cr-Branched-From: 7e0b87ec6b8cb5cb2969e1479fc25776e582721d-refs/heads/main@{#1313161}
-
-diff --git a/third_party/blink/common/loader/throttling_url_loader.cc b/third_party/blink/common/loader/throttling_url_loader.cc
-index b4924e7441f45881ad1e33aaab61a49400832f54..eeed93d8e7791b51bf17b4b6243251823824872b 100644
---- a/third_party/blink/common/loader/throttling_url_loader.cc
-+++ b/third_party/blink/common/loader/throttling_url_loader.cc
-@@ -660,8 +660,12 @@ void ThrottlingURLLoader::OnReceiveResponse(
-     for (auto& entry : throttles_) {
-       auto* throttle = entry.throttle.get();
-       base::Time start = base::Time::Now();
-+      auto weak_ptr = weak_factory_.GetWeakPtr();
-       throttle->BeforeWillProcessResponse(response_url_, *response_head,
-                                           &has_pending_restart);
-+      if (!weak_ptr) {
-+        return;
-+      }
-       RecordExecutionTimeHistogram("BeforeWillProcessResponse", start);
-       if (!HandleThrottleResult(throttle)) {
-         return;
-@@ -681,8 +685,12 @@ void ThrottlingURLLoader::OnReceiveResponse(
-       auto* throttle = entry.throttle.get();
-       bool throttle_deferred = false;
-       base::Time start = base::Time::Now();
-+      auto weak_ptr = weak_factory_.GetWeakPtr();
-       throttle->WillProcessResponse(response_url_, response_head.get(),
-                                     &throttle_deferred);
-+      if (!weak_ptr) {
-+        return;
-+      }
-       RecordExecutionTimeHistogram(GetStageNameForHistogram(DEFERRED_RESPONSE),
-                                    start);
-       if (!HandleThrottleResult(throttle, throttle_deferred, &deferred))
-@@ -852,7 +860,11 @@ void ThrottlingURLLoader::OnComplete(
-     for (auto& entry : throttles_) {
-       auto* throttle = entry.throttle.get();
-       base::Time start = base::Time::Now();
-+      auto weak_ptr = weak_factory_.GetWeakPtr();
-       throttle->WillOnCompleteWithError(status);
-+      if (!weak_ptr) {
-+        return;
-+      }
-       RecordExecutionTimeHistogram("WillOnCompleteWithError", start);
-       if (!HandleThrottleResult(throttle)) {
-         return;
-diff --git a/third_party/blink/common/loader/throttling_url_loader_unittest.cc b/third_party/blink/common/loader/throttling_url_loader_unittest.cc
-index 2c73705d12445c13067e937b4bfae1c99290da09..a7e037b2dde9390d9cc15d863ed926809f9afccf 100644
---- a/third_party/blink/common/loader/throttling_url_loader_unittest.cc
-+++ b/third_party/blink/common/loader/throttling_url_loader_unittest.cc
-@@ -338,9 +338,9 @@ class TestURLLoaderThrottle : public blink::URLLoaderThrottle {
-                            network::mojom::URLResponseHead* response_head,
-                            bool* defer) override {
-     will_process_response_called_++;
-+    response_url_ = response_url;
-     if (will_process_response_callback_)
-       will_process_response_callback_.Run(delegate_.get(), defer);
--    response_url_ = response_url;
-   }
- 
-   void BeforeWillProcessResponse(
-@@ -422,6 +422,11 @@ class ThrottlingURLLoaderTest : public testing::Test {
-     factory_.factory_remote().FlushForTesting();
-   }
- 
-+  void ResetLoader() {
-+    ResetThrottleRawPointer();
-+    loader_.reset();
-+  }
-+
-   void ResetThrottleRawPointer() { throttle_ = nullptr; }
- 
-   // Be the first member so it is destroyed last.
-@@ -467,6 +472,25 @@ TEST_F(ThrottlingURLLoaderTest, CancelBeforeStart) {
-   EXPECT_EQ(1u, client_.on_complete_called());
- }
- 
-+TEST_F(ThrottlingURLLoaderTest, DeleteBeforeStart) {
-+  base::RunLoop run_loop;
-+  throttle_->set_will_start_request_callback(base::BindLambdaForTesting(
-+      [this, &run_loop](blink::URLLoaderThrottle::Delegate* delegate,
-+                        bool* defer) {
-+        ResetLoader();
-+        run_loop.Quit();
-+      }));
-+
-+  CreateLoaderAndStart();
-+  run_loop.Run();
-+
-+  EXPECT_EQ(1u, factory_.create_loader_and_start_called());
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(0u, client_.on_complete_called());
-+}
-+
- TEST_F(ThrottlingURLLoaderTest, DeferBeforeStart) {
-   throttle_->set_will_start_request_callback(base::BindLambdaForTesting(
-       [](blink::URLLoaderThrottle::Delegate* delegate, bool* defer) {
-@@ -667,6 +691,88 @@ TEST_F(ThrottlingURLLoaderTest, CancelBeforeRedirect) {
-   EXPECT_EQ(1u, client_.on_complete_called());
- }
- 
-+TEST_F(ThrottlingURLLoaderTest, DeleteBeforeRedirect) {
-+  base::RunLoop run_loop;
-+  throttle_->set_will_redirect_request_callback(base::BindLambdaForTesting(
-+      [this, &run_loop](
-+          blink::URLLoaderThrottle::Delegate* delegate, bool* /* defer */,
-+          std::vector<std::string>* /* removed_headers */,
-+          net::HttpRequestHeaders* /* modified_headers */,
-+          net::HttpRequestHeaders* /* modified_cors_exempt_headers */) {
-+        ResetLoader();
-+        run_loop.Quit();
-+      }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveRedirect();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(0u, client_.on_complete_called());
-+}
-+
-+TEST_F(ThrottlingURLLoaderTest, CancelBeforeWillRedirect) {
-+  throttle_->set_before_will_redirect_request_callback(
-+      base::BindLambdaForTesting(
-+          [](blink::URLLoaderThrottle::Delegate* delegate,
-+             RestartWithURLReset* restart_with_url_reset,
-+             std::vector<std::string>* /* removed_headers */,
-+             net::HttpRequestHeaders* /* modified_headers */,
-+             net::HttpRequestHeaders* /* modified_cors_exempt_headers */) {
-+            delegate->CancelWithError(net::ERR_ACCESS_DENIED);
-+          }));
-+
-+  base::RunLoop run_loop;
-+  client_.set_on_complete_callback(
-+      base::BindLambdaForTesting([&run_loop](int error) {
-+        EXPECT_EQ(net::ERR_ACCESS_DENIED, error);
-+        run_loop.Quit();
-+      }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveRedirect();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(1u, throttle_->will_start_request_called());
-+  EXPECT_EQ(1u, throttle_->will_redirect_request_called());
-+  EXPECT_EQ(0u, throttle_->before_will_process_response_called());
-+  EXPECT_EQ(0u, throttle_->will_process_response_called());
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(1u, client_.on_complete_called());
-+}
-+
-+TEST_F(ThrottlingURLLoaderTest, DeleteBeforeWillRedirect) {
-+  base::RunLoop run_loop;
-+  throttle_->set_before_will_redirect_request_callback(
-+      base::BindLambdaForTesting(
-+          [this, &run_loop](
-+              blink::URLLoaderThrottle::Delegate* delegate,
-+              RestartWithURLReset* restart_with_url_reset,
-+              std::vector<std::string>* /* removed_headers */,
-+              net::HttpRequestHeaders* /* modified_headers */,
-+              net::HttpRequestHeaders* /* modified_cors_exempt_headers */) {
-+            ResetLoader();
-+            run_loop.Quit();
-+          }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveRedirect();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(0u, client_.on_complete_called());
-+}
-+
- TEST_F(ThrottlingURLLoaderTest, DeferBeforeRedirect) {
-   base::RunLoop run_loop1;
-   throttle_->set_will_redirect_request_callback(base::BindLambdaForTesting(
-@@ -880,6 +986,77 @@ TEST_F(ThrottlingURLLoaderTest, CancelBeforeResponse) {
-   EXPECT_EQ(1u, client_.on_complete_called());
- }
- 
-+TEST_F(ThrottlingURLLoaderTest, DeleteBeforeResponse) {
-+  base::RunLoop run_loop;
-+  throttle_->set_will_process_response_callback(base::BindLambdaForTesting(
-+      [this, &run_loop](blink::URLLoaderThrottle::Delegate* delegate,
-+                        bool* defer) {
-+        ResetLoader();
-+        run_loop.Quit();
-+      }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveResponse();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(0u, client_.on_complete_called());
-+}
-+
-+TEST_F(ThrottlingURLLoaderTest, CancelBeforeWillProcessResponse) {
-+  throttle_->set_before_will_process_response_callback(
-+      base::BindLambdaForTesting(
-+          [](blink::URLLoaderThrottle::Delegate* delegate,
-+             RestartWithURLReset* restart_with_url_reset) {
-+            delegate->CancelWithError(net::ERR_ACCESS_DENIED);
-+          }));
-+
-+  base::RunLoop run_loop;
-+  client_.set_on_complete_callback(
-+      base::BindLambdaForTesting([&run_loop](int error) {
-+        EXPECT_EQ(net::ERR_ACCESS_DENIED, error);
-+        run_loop.Quit();
-+      }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveResponse();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(1u, throttle_->will_start_request_called());
-+  EXPECT_EQ(0u, throttle_->will_redirect_request_called());
-+  EXPECT_EQ(1u, throttle_->before_will_process_response_called());
-+  EXPECT_EQ(0u, throttle_->will_process_response_called());
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(1u, client_.on_complete_called());
-+}
-+
-+TEST_F(ThrottlingURLLoaderTest, DeleteBeforeWillProcessResponse) {
-+  base::RunLoop run_loop;
-+  throttle_->set_before_will_process_response_callback(
-+      base::BindLambdaForTesting(
-+          [this, &run_loop](blink::URLLoaderThrottle::Delegate* delegate,
-+                            RestartWithURLReset* restart_with_url_reset) {
-+            ResetLoader();
-+            run_loop.Quit();
-+          }));
-+
-+  CreateLoaderAndStart();
-+
-+  factory_.NotifyClientOnReceiveResponse();
-+
-+  run_loop.Run();
-+
-+  EXPECT_EQ(0u, client_.on_received_response_called());
-+  EXPECT_EQ(0u, client_.on_received_redirect_called());
-+  EXPECT_EQ(0u, client_.on_complete_called());
-+}
-+
- TEST_F(ThrottlingURLLoaderTest, DeferBeforeResponse) {
-   base::RunLoop run_loop1;
-   throttle_->set_will_process_response_callback(base::BindRepeating(

+ 0 - 178
patches/chromium/cherry-pick-923797bac925.patch

@@ -1,178 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Yoshisato Yanagisawa <[email protected]>
-Date: Thu, 7 Nov 2024 10:14:59 +0000
-Subject: [M131] Make GetCacheIdentifier() respect GetSkipServiceWorker().
-
-Since the current GetCacheIdentifier() ignores GetSkipServiceWorker(),
-GetCacheIdentifier() returns ServiceWorkerId even if GetSkipServiceWorker()
-is true if the ServiceWorker has a fetch handler.
-
-To make the isolated world respected as an isolated world, the cache
-identifier should not be shared with a page under a ServiceWorker control.
-
-(cherry picked from commit 75f322ad1f64c0bc56fa77ab877b48d72cdb903c)
-
-Bug: 372512079, 373263969
-Change-Id: Idd2d8900f2f720e0a4dc9837e2eb56474c60b587
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5961018
-Reviewed-by: Justin Lulejian <[email protected]>
-Reviewed-by: Kouhei Ueno <[email protected]>
-Commit-Queue: Yoshisato Yanagisawa <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1376006}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6002191
-Auto-Submit: Yoshisato Yanagisawa <[email protected]>
-Commit-Queue: Kouhei Ueno <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6778@{#1849}
-Cr-Branched-From: b21671ca172dcfd1566d41a770b2808e7fa7cd88-refs/heads/main@{#1368529}
-
-diff --git a/third_party/blink/renderer/core/html/parser/html_srcset_parser.cc b/third_party/blink/renderer/core/html/parser/html_srcset_parser.cc
-index 05a51f69a45a051f533db57ebf18a49e7295fab5..c7310f2178900b8d78724e44b176f79d1396cc47 100644
---- a/third_party/blink/renderer/core/html/parser/html_srcset_parser.cc
-+++ b/third_party/blink/renderer/core/html/parser/html_srcset_parser.cc
-@@ -413,7 +413,9 @@ static unsigned AvoidDownloadIfHigherDensityResourceIsInCache(
-     KURL url = document->CompleteURL(
-         StripLeadingAndTrailingHTMLSpaces(image_candidates[i]->Url()));
-     auto* resource = MemoryCache::Get()->ResourceForURL(
--        url, document->Fetcher()->GetCacheIdentifier(url));
-+        url,
-+        document->Fetcher()->GetCacheIdentifier(url,
-+                                                /*skip_service_worker=*/false));
-     if ((resource && resource->IsLoaded()) || url.ProtocolIsData()) {
-       return i;
-     }
-diff --git a/third_party/blink/renderer/core/inspector/inspector_network_agent.cc b/third_party/blink/renderer/core/inspector/inspector_network_agent.cc
-index 8ec24db596ab9b3c93d2f6d691fa0bcd87006307..f5937485e4a02ed190e16077356ccde448e0c9ce 100644
---- a/third_party/blink/renderer/core/inspector/inspector_network_agent.cc
-+++ b/third_party/blink/renderer/core/inspector/inspector_network_agent.cc
-@@ -2406,7 +2406,8 @@ bool InspectorNetworkAgent::FetchResourceContent(Document* document,
-   Resource* cached_resource = document->Fetcher()->CachedResource(url);
-   if (!cached_resource) {
-     cached_resource = MemoryCache::Get()->ResourceForURL(
--        url, document->Fetcher()->GetCacheIdentifier(url));
-+        url, document->Fetcher()->GetCacheIdentifier(
-+                 url, /*skip_service_worker=*/false));
-   }
-   if (cached_resource && InspectorPageAgent::CachedResourceContent(
-                              cached_resource, content, base64_encoded)) {
-diff --git a/third_party/blink/renderer/core/inspector/inspector_page_agent.cc b/third_party/blink/renderer/core/inspector/inspector_page_agent.cc
-index 62a5d9b831f11d6d74b1a8a0b51d2a436f0eb8c5..9678233733e1f4be9b4647bc7b0c2b7f173521d1 100644
---- a/third_party/blink/renderer/core/inspector/inspector_page_agent.cc
-+++ b/third_party/blink/renderer/core/inspector/inspector_page_agent.cc
-@@ -171,7 +171,8 @@ Resource* CachedResource(LocalFrame* frame,
-   Resource* cached_resource = document->Fetcher()->CachedResource(url);
-   if (!cached_resource) {
-     cached_resource = MemoryCache::Get()->ResourceForURL(
--        url, document->Fetcher()->GetCacheIdentifier(url));
-+        url, document->Fetcher()->GetCacheIdentifier(
-+                 url, /*skip_service_worker=*/false));
-   }
-   if (!cached_resource)
-     cached_resource = loader->ResourceForURL(url);
-diff --git a/third_party/blink/renderer/core/loader/image_loader.cc b/third_party/blink/renderer/core/loader/image_loader.cc
-index 5986a8a358f97515d91bb4bfb6cf8719cac93948..e141443809783ef7140e2a48f30a1079a6913248 100644
---- a/third_party/blink/renderer/core/loader/image_loader.cc
-+++ b/third_party/blink/renderer/core/loader/image_loader.cc
-@@ -743,7 +743,8 @@ bool ImageLoader::ShouldLoadImmediately(const KURL& url) const {
-   // content when style recalc is over and DOM mutation is allowed again.
-   if (!url.IsNull()) {
-     Resource* resource = MemoryCache::Get()->ResourceForURL(
--        url, element_->GetDocument().Fetcher()->GetCacheIdentifier(url));
-+        url, element_->GetDocument().Fetcher()->GetCacheIdentifier(
-+                 url, /*skip_service_worker=*/false));
- 
-     if (resource && !resource->ErrorOccurred() &&
-         CanReuseFromListOfAvailableImages(
-diff --git a/third_party/blink/renderer/core/testing/internals.cc b/third_party/blink/renderer/core/testing/internals.cc
-index 184e1795bc084e4702b4d077a880279a3663a674..f13bb7bdd2c15831e03a49f5a34c9aafb04dedff 100644
---- a/third_party/blink/renderer/core/testing/internals.cc
-+++ b/third_party/blink/renderer/core/testing/internals.cc
-@@ -915,8 +915,8 @@ bool Internals::isLoading(const String& url) {
-   if (!document_)
-     return false;
-   const KURL full_url = document_->CompleteURL(url);
--  const String cache_identifier =
--      document_->Fetcher()->GetCacheIdentifier(full_url);
-+  const String cache_identifier = document_->Fetcher()->GetCacheIdentifier(
-+      full_url, /*skip_service_worker=*/false);
-   Resource* resource =
-       MemoryCache::Get()->ResourceForURL(full_url, cache_identifier);
-   // We check loader() here instead of isLoading(), because a multipart
-@@ -928,8 +928,8 @@ bool Internals::isLoadingFromMemoryCache(const String& url) {
-   if (!document_)
-     return false;
-   const KURL full_url = document_->CompleteURL(url);
--  const String cache_identifier =
--      document_->Fetcher()->GetCacheIdentifier(full_url);
-+  const String cache_identifier = document_->Fetcher()->GetCacheIdentifier(
-+      full_url, /*skip_service_worker=*/false);
-   Resource* resource =
-       MemoryCache::Get()->ResourceForURL(full_url, cache_identifier);
-   return resource && resource->GetStatus() == ResourceStatus::kCached;
-diff --git a/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc b/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
-index 6656da73d48a197eb58f1be3811ac558510bb54a..f2c6b3518f8aaa0ddd72acfa7586928e11151b1d 100644
---- a/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
-+++ b/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
-@@ -957,7 +957,8 @@ Resource* ResourceFetcher::CreateResourceForStaticData(
-   if (!archive_ && factory.GetType() == ResourceType::kRaw)
-     return nullptr;
- 
--  const String cache_identifier = GetCacheIdentifier(url);
-+  const String cache_identifier = GetCacheIdentifier(
-+      url, params.GetResourceRequest().GetSkipServiceWorker());
-   // Most off-main-thread resource fetches use Resource::kRaw and don't reach
-   // this point, but off-main-thread module fetches might.
-   if (IsMainThread()) {
-@@ -1320,7 +1321,10 @@ Resource* ResourceFetcher::RequestResource(FetchParameters& params,
-         resource = nullptr;
-       } else {
-         resource = MemoryCache::Get()->ResourceForURL(
--            params.Url(), GetCacheIdentifier(params.Url()));
-+            params.Url(),
-+          GetCacheIdentifier(
-+              params.Url(),
-+              params.GetResourceRequest().GetSkipServiceWorker()));
-       }
-       if (resource) {
-         policy = DetermineRevalidationPolicy(resource_type, params, *resource,
-@@ -1614,7 +1618,8 @@ Resource* ResourceFetcher::CreateResourceForLoading(
-     const FetchParameters& params,
-     const ResourceFactory& factory) {
-   const String cache_identifier =
--      GetCacheIdentifier(params.GetResourceRequest().Url());
-+      GetCacheIdentifier(params.GetResourceRequest().Url(),
-+                         params.GetResourceRequest().GetSkipServiceWorker());
-   if (!base::FeatureList::IsEnabled(
-           blink::features::kScopeMemoryCachePerContext)) {
-     DCHECK(!IsMainThread() || params.IsStaleRevalidation() ||
-@@ -2672,9 +2677,11 @@ void ResourceFetcher::UpdateAllImageResourcePriorities() {
-   to_be_removed.clear();
- }
- 
--String ResourceFetcher::GetCacheIdentifier(const KURL& url) const {
--  if (properties_->GetControllerServiceWorkerMode() !=
--      mojom::ControllerServiceWorkerMode::kNoController) {
-+String ResourceFetcher::GetCacheIdentifier(const KURL& url,
-+                                           bool skip_service_worker) const {
-+  if (!skip_service_worker &&
-+      properties_->GetControllerServiceWorkerMode() !=
-+          mojom::ControllerServiceWorkerMode::kNoController) {
-     return String::Number(properties_->ServiceWorkerId());
-   }
- 
-diff --git a/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h b/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
-index 04f985ee491e87a6cbabaa1c1ff6f513a8e14384..14c92ee2411d88c32079c6765a047ed0da655b47 100644
---- a/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
-+++ b/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
-@@ -274,7 +274,11 @@ class PLATFORM_EXPORT ResourceFetcher
-                          uint32_t inflight_keepalive_bytes);
-   blink::mojom::ControllerServiceWorkerMode IsControlledByServiceWorker() const;
- 
--  String GetCacheIdentifier(const KURL& url) const;
-+  // Returns a cache identifier for MemoryCache.
-+  // `url` is used for finding a matching WebBundle.
-+  // If `skip_service_worker` is true, the identifier won't be a ServiceWorker's
-+  // identifier to keep the cache separated.
-+  String GetCacheIdentifier(const KURL& url, bool skip_service_worker) const;
- 
-   // If `url` exists as a resource in a subresource bundle in this frame,
-   // returns its UnguessableToken; otherwise, returns std::nullopt.

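--- a/patches/chromium/cherry-pick-a51e7ebb7663.patch
+++ b/patches/chromium/cherry-pick-a51e7ebb7663.patch
@@ -1,184 +0,0 @@
-From a51e7ebb7663b40ed070e91669f69c64fb9179d9 Mon Sep 17 00:00:00 2001
-From: Guido Urdaneta <[email protected]>
-Date: Wed, 18 Dec 2024 15:21:59 -0800
-Subject: [PATCH] [M126-LTS][VideoCaptureManager] Replace raw pointers with scoped_refptr
-
-VCM used VideoCaptureController raw pointers in a number of places,
-including as a field in VCM::CaptureDeviceStartRequest.
-
-This CL replaces the field and some other usages with a scoped_refptr
-to prevent dangling pointers.
-
-(cherry picked from commit 3524ce528548d1d743a6aa6e339ecb5a186c22bc)
-
-Bug: 382135228
-Change-Id: I1bd5f95bdf57631227034beb8bb076f258606378
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6088073
-Commit-Queue: Guido Urdaneta <[email protected]>
-Reviewed-by: Dale Curtis <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1396301}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6099792
-Reviewed-by: Guido Urdaneta <[email protected]>
-Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#2009}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
----
-
-diff --git a/content/browser/renderer_host/media/video_capture_manager.cc b/content/browser/renderer_host/media/video_capture_manager.cc
-index 3db89a04..11b6caf 100644
---- a/content/browser/renderer_host/media/video_capture_manager.cc
-+++ b/content/browser/renderer_host/media/video_capture_manager.cc
-@@ -15,6 +15,7 @@
- #include "base/location.h"
- #include "base/logging.h"
- #include "base/memory/raw_ptr.h"
-+#include "base/memory/scoped_refptr.h"
- #include "base/metrics/histogram_functions.h"
- #include "base/observer_list.h"
- #include "base/ranges/algorithm.h"
-@@ -61,12 +62,14 @@
- class VideoCaptureManager::CaptureDeviceStartRequest {
-  public:
-   CaptureDeviceStartRequest(
--      VideoCaptureController* controller,
-+      scoped_refptr<VideoCaptureController> controller,
-       const media::VideoCaptureSessionId& session_id,
-       const media::VideoCaptureParams& params,
-       mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
-           video_effects_processor);
--  VideoCaptureController* controller() const { return controller_; }
-+  scoped_refptr<VideoCaptureController> controller() const {
-+    return controller_;
-+  }
-   const base::UnguessableToken& session_id() const { return session_id_; }
-   media::VideoCaptureParams params() const { return params_; }
- 
-@@ -76,7 +79,7 @@
-   }
- 
-  private:
--  const raw_ptr<VideoCaptureController> controller_;
-+  const scoped_refptr<VideoCaptureController> controller_;
-   const base::UnguessableToken session_id_;
-   const media::VideoCaptureParams params_;
-   mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
-@@ -84,12 +87,12 @@
- };
- 
- VideoCaptureManager::CaptureDeviceStartRequest::CaptureDeviceStartRequest(
--    VideoCaptureController* controller,
-+    scoped_refptr<VideoCaptureController> controller,
-     const media::VideoCaptureSessionId& session_id,
-     const media::VideoCaptureParams& params,
-     mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
-         video_effects_processor)
--    : controller_(controller),
-+    : controller_(std::move(controller)),
-       session_id_(session_id),
-       params_(params),
-       video_effects_processor_(std::move(video_effects_processor)) {}
-@@ -258,14 +261,15 @@
- 
- void VideoCaptureManager::QueueStartDevice(
-     const media::VideoCaptureSessionId& session_id,
--    VideoCaptureController* controller,
-+    scoped_refptr<VideoCaptureController> controller,
-     const media::VideoCaptureParams& params,
-     mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
-         video_effects_processor) {
-   DCHECK_CURRENTLY_ON(BrowserThread::IO);
-   DCHECK(lock_time_.is_null());
--  device_start_request_queue_.push_back(CaptureDeviceStartRequest(
--      controller, session_id, params, std::move(video_effects_processor)));
-+  device_start_request_queue_.push_back(
-+      CaptureDeviceStartRequest(std::move(controller), session_id, params,
-+                                std::move(video_effects_processor)));
-   if (device_start_request_queue_.size() == 1)
-     ProcessDeviceStartRequestQueue();
- }
-@@ -311,7 +315,8 @@
-   if (request == device_start_request_queue_.end())
-     return;
- 
--  VideoCaptureController* const controller = request->controller();
-+  scoped_refptr<VideoCaptureController> const controller =
-+      request->controller();
- 
-   EmitLogMessage("VideoCaptureManager::ProcessDeviceStartRequestQueue", 3);
-   // The unit test VideoCaptureManagerTest.OpenNotExisting requires us to fail
-@@ -329,7 +334,7 @@
-         GetDeviceInfoById(controller->device_id());
-     if (!device_info) {
-       OnDeviceLaunchFailed(
--          controller,
-+          controller.get(),
-           media::VideoCaptureError::
-               kVideoCaptureManagerProcessDeviceStartQueueDeviceInfoNotFound);
-       return;
-@@ -350,7 +355,7 @@
-       base::BindOnce([](scoped_refptr<VideoCaptureManager>,
-                         scoped_refptr<VideoCaptureController>) {},
-                      scoped_refptr<VideoCaptureManager>(this),
--                     GetControllerSharedRef(controller)),
-+                     std::move(controller)),
-       request->TakeVideoEffectsProcessor());
- }
- 
-@@ -434,7 +439,7 @@
-     EmitLogMessage(string_stream.str(), 1);
-   }
- 
--  VideoCaptureController* controller =
-+  scoped_refptr<VideoCaptureController> controller =
-       GetOrCreateController(session_id, params);
-   if (!controller) {
-     std::move(done_cb).Run(nullptr);
-@@ -908,7 +913,8 @@
-   return nullptr;
- }
- 
--VideoCaptureController* VideoCaptureManager::GetOrCreateController(
-+scoped_refptr<VideoCaptureController>
-+VideoCaptureManager::GetOrCreateController(
-     const media::VideoCaptureSessionId& capture_session_id,
-     const media::VideoCaptureParams& params) {
-   DCHECK_CURRENTLY_ON(BrowserThread::IO);
-@@ -930,10 +936,12 @@
-     return existing_device;
-   }
- 
--  VideoCaptureController* new_controller = new VideoCaptureController(
--      device_info.id, device_info.type, params,
--      video_capture_provider_->CreateDeviceLauncher(), emit_log_message_cb_);
--  controllers_.emplace_back(new_controller);
-+  scoped_refptr<VideoCaptureController> new_controller =
-+      base::MakeRefCounted<VideoCaptureController>(
-+          device_info.id, device_info.type, params,
-+          video_capture_provider_->CreateDeviceLauncher(),
-+          emit_log_message_cb_);
-+  controllers_.push_back(new_controller);
-   return new_controller;
- }
- 
-diff --git a/content/browser/renderer_host/media/video_capture_manager.h b/content/browser/renderer_host/media/video_capture_manager.h
-index a93c6bb..b88052a4 100644
---- a/content/browser/renderer_host/media/video_capture_manager.h
-+++ b/content/browser/renderer_host/media/video_capture_manager.h
-@@ -297,7 +297,7 @@
-   // Finds a VideoCaptureController for the indicated |capture_session_id|,
-   // creating a fresh one if necessary. Returns nullptr if said
-   // |capture_session_id| is invalid.
--  VideoCaptureController* GetOrCreateController(
-+  scoped_refptr<VideoCaptureController> GetOrCreateController(
-       const media::VideoCaptureSessionId& capture_session_id,
-       const media::VideoCaptureParams& params);
- 
-@@ -309,7 +309,7 @@
-   // another request pending start.
-   void QueueStartDevice(
-       const media::VideoCaptureSessionId& session_id,
--      VideoCaptureController* controller,
-+      scoped_refptr<VideoCaptureController> controller,
-       const media::VideoCaptureParams& params,
-       mojo::PendingRemote<video_effects::mojom::VideoEffectsProcessor>
-           video_effects_processor);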

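--- a/patches/chromium/cherry-pick-c333ed995449.patch
+++ b/patches/chromium/cherry-pick-c333ed995449.patch
@@ -1,188 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Ken Rockot <[email protected]>
-Date: Mon, 30 Sep 2024 06:33:13 +0000
-Subject: ipcz: Validate link state fragment before adoption
-
-(cherry picked from commit c333ed99544992f66e6e03621fa938d75ad01f70)
-
-Fixed: 368208152
-Change-Id: I0e2ece4b0857b225d229134b2e55abc3e08348ee
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5876623
-Commit-Queue: Ken Rockot <[email protected]>
-Reviewed-by: Daniel Cheng <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1358968}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5893005
-Bot-Commit: Rubber Stamper <[email protected]>
-Auto-Submit: Ken Rockot <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6613@{#2136}
-Cr-Branched-From: 03c1799e6f9c7239802827eab5e935b9e14fceae-refs/heads/main@{#1331488}
-
-diff --git a/third_party/ipcz/src/ipcz/node_link.cc b/third_party/ipcz/src/ipcz/node_link.cc
-index 420377ac3d0c5a1f745e8c5d0030c21b5d3639f2..412cedc59eaabd79a35d7e299e42f720de9ac148 100644
---- a/third_party/ipcz/src/ipcz/node_link.cc
-+++ b/third_party/ipcz/src/ipcz/node_link.cc
-@@ -37,21 +37,6 @@
- 
- namespace ipcz {
- 
--namespace {
--
--template <typename T>
--FragmentRef<T> MaybeAdoptFragmentRef(NodeLinkMemory& memory,
--                                     const FragmentDescriptor& descriptor) {
--  if (descriptor.is_null() || descriptor.size() < sizeof(T) ||
--      descriptor.offset() % 8 != 0) {
--    return {};
--  }
--
--  return memory.AdoptFragmentRef<T>(memory.GetFragment(descriptor));
--}
--
--}  // namespace
--
- // static
- Ref<NodeLink> NodeLink::CreateActive(Ref<Node> node,
-                                      LinkSide link_side,
-@@ -721,8 +706,8 @@ bool NodeLink::OnAcceptBypassLink(msg::AcceptBypassLink& accept) {
-     return true;
-   }
- 
--  auto link_state = MaybeAdoptFragmentRef<RouterLinkState>(
--      memory(), accept.v0()->new_link_state_fragment);
-+  auto link_state = memory().AdoptFragmentRefIfValid<RouterLinkState>(
-+      accept.v0()->new_link_state_fragment);
-   if (link_state.is_null()) {
-     // Bypass links must always come with a valid fragment for their
-     // RouterLinkState. If one has not been provided, that's a validation
-@@ -764,8 +749,8 @@ bool NodeLink::OnBypassPeerWithLink(msg::BypassPeerWithLink& bypass) {
-     return true;
-   }
- 
--  auto link_state = MaybeAdoptFragmentRef<RouterLinkState>(
--      memory(), bypass.v0()->new_link_state_fragment);
-+  auto link_state = memory().AdoptFragmentRefIfValid<RouterLinkState>(
-+      bypass.v0()->new_link_state_fragment);
-   if (link_state.is_null()) {
-     return false;
-   }
-diff --git a/third_party/ipcz/src/ipcz/node_link_memory.h b/third_party/ipcz/src/ipcz/node_link_memory.h
-index c5e3d6494580412abf71e75f0736ad5a82abe95c..f457757cb703d56b8dd7d152b10f3fe6f8f8c84e 100644
---- a/third_party/ipcz/src/ipcz/node_link_memory.h
-+++ b/third_party/ipcz/src/ipcz/node_link_memory.h
-@@ -98,14 +98,29 @@ class NodeLinkMemory : public RefCounted<NodeLinkMemory> {
-   // with the same BufferId and dimensions as `descriptor`.
-   Fragment GetFragment(const FragmentDescriptor& descriptor);
- 
--  // Adopts an existing reference to a RefCountedFragment within `fragment`.
--  // This does NOT increment the ref count of the RefCountedFragment.
-+  // Adopts an existing reference to a RefCountedFragment within `fragment`,
-+  // which must be a valid, properly aligned, and sufficiently sized fragment to
-+  // hold a T. This does NOT increment the ref count of the RefCountedFragment.
-   template <typename T>
-   FragmentRef<T> AdoptFragmentRef(const Fragment& fragment) {
-     ABSL_ASSERT(sizeof(T) <= fragment.size());
-     return FragmentRef<T>(kAdoptExistingRef, WrapRefCounted(this), fragment);
-   }
- 
-+  // Attempts to adopt an existing reference to a RefCountedFragment located at
-+  // `fragment`. Returns null if the fragment descriptor is null, misaligned,
-+  // or of insufficient size. This does NOT increment the ref count of the
-+  // RefCountedFragment.
-+  template <typename T>
-+  FragmentRef<T> AdoptFragmentRefIfValid(const FragmentDescriptor& descriptor) {
-+    if (descriptor.is_null() || descriptor.size() < sizeof(T) ||
-+        descriptor.offset() % 8 != 0) {
-+      return {};
-+    }
-+
-+    return AdoptFragmentRef<T>(GetFragment(descriptor));
-+  }
-+
-   // Adds a new buffer to the underlying BufferPool to use as additional
-   // allocation capacity for blocks of size `block_size`. Note that the
-   // contents of the mapped region must already be initialized as a
-diff --git a/third_party/ipcz/src/ipcz/node_link_memory_test.cc b/third_party/ipcz/src/ipcz/node_link_memory_test.cc
-index bcdd45ee866ec39d557ee1c762af04ae0af26b6a..fd51b78a2a4475b54f047310da4c91e40a61342e 100644
---- a/third_party/ipcz/src/ipcz/node_link_memory_test.cc
-+++ b/third_party/ipcz/src/ipcz/node_link_memory_test.cc
-@@ -306,5 +306,54 @@ TEST_F(NodeLinkMemoryTest, ParcelDataAllocation) {
-   node_c->Close();
- }
- 
-+struct TestObject : public RefCountedFragment {
-+ public:
-+  int x;
-+  int y;
-+};
-+
-+TEST_F(NodeLinkMemoryTest, AdoptFragmentRefIfValid) {
-+  auto object = memory_a().AdoptFragmentRef<TestObject>(
-+      memory_a().AllocateFragment(sizeof(TestObject)));
-+  object->x = 5;
-+  object->y = 42;
-+
-+  const FragmentDescriptor valid_descriptor(object.fragment().buffer_id(),
-+                                            object.fragment().offset(),
-+                                            sizeof(TestObject));
-+
-+  const FragmentDescriptor null_descriptor(
-+      kInvalidBufferId, valid_descriptor.offset(), valid_descriptor.size());
-+  EXPECT_TRUE(memory_a()
-+                  .AdoptFragmentRefIfValid<TestObject>(null_descriptor)
-+                  .is_null());
-+
-+  const FragmentDescriptor empty_descriptor(
-+      valid_descriptor.buffer_id(), valid_descriptor.offset(), /*size=*/0);
-+  EXPECT_TRUE(memory_a()
-+                  .AdoptFragmentRefIfValid<TestObject>(empty_descriptor)
-+                  .is_null());
-+
-+  const FragmentDescriptor short_descriptor(valid_descriptor.buffer_id(),
-+                                            valid_descriptor.offset(),
-+                                            sizeof(TestObject) - 4);
-+  EXPECT_TRUE(memory_a()
-+                  .AdoptFragmentRefIfValid<TestObject>(short_descriptor)
-+                  .is_null());
-+
-+  const FragmentDescriptor unaligned_descriptor(valid_descriptor.buffer_id(),
-+                                                valid_descriptor.offset() + 2,
-+                                                valid_descriptor.size() - 2);
-+  EXPECT_TRUE(memory_a()
-+                  .AdoptFragmentRefIfValid<TestObject>(unaligned_descriptor)
-+                  .is_null());
-+
-+  const auto adopted_object =
-+      memory_a().AdoptFragmentRefIfValid<TestObject>(valid_descriptor);
-+  ASSERT_TRUE(adopted_object.is_addressable());
-+  EXPECT_EQ(5, adopted_object->x);
-+  EXPECT_EQ(42, adopted_object->y);
-+}
-+
- }  // namespace
- }  // namespace ipcz
-diff --git a/third_party/ipcz/src/ipcz/router.cc b/third_party/ipcz/src/ipcz/router.cc
-index 79c443d942c6613ea8a52990b93c1811e2d3d166..b1dc593427ecae67b6758edd82257f88daefcde1 100644
---- a/third_party/ipcz/src/ipcz/router.cc
-+++ b/third_party/ipcz/src/ipcz/router.cc
-@@ -765,12 +765,16 @@ Ref<Router> Router::Deserialize(const RouterDescriptor& descriptor,
-               ? descriptor.decaying_incoming_sequence_length
-               : descriptor.next_incoming_sequence_number);
- 
-+      auto link_state =
-+          from_node_link.memory().AdoptFragmentRefIfValid<RouterLinkState>(
-+              descriptor.new_link_state_fragment);
-+      if (link_state.is_null()) {
-+        // Central links require a valid link state fragment.
-+        return nullptr;
-+      }
-       new_outward_link = from_node_link.AddRemoteRouterLink(
--          context, descriptor.new_sublink,
--          from_node_link.memory().AdoptFragmentRef<RouterLinkState>(
--              from_node_link.memory().GetFragment(
--                  descriptor.new_link_state_fragment)),
--          LinkType::kCentral, LinkSide::kB, router);
-+          context, descriptor.new_sublink, std::move(link_state), LinkType::kCentral,
-+          LinkSide::kB, router);
-       if (!new_outward_link) {
-         return nullptr;
-       }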

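--- a/patches/chromium/cherry-pick-e699ac35ac6c.patch
+++ b/patches/chromium/cherry-pick-e699ac35ac6c.patch
@@ -1,104 +0,0 @@
-From e699ac35ac6c565f6cc24cb98719b922a319e600 Mon Sep 17 00:00:00 2001
-From: Reilly Grant <[email protected]>
-Date: Tue, 29 Oct 2024 22:45:33 +0000
-Subject: [PATCH] [M-130] serial: Cancel mojo::SimpleWatcher when source/sink become garbage
-
-SerialPortUnderlyingSink and SerialPortUnderlyingSource need
-prefinalizers so that when they become garbage the mojo::SimpleWatcher
-is disarmed so that it doesn't invoke its callback on a garbage object.
-
-(cherry picked from commit 8ecbee8becf25733afa6dde28c3fde6a1ee2498e)
-
-Bug: 375065084
-Change-Id: Ifc847d61fa530532783d47d5749db45091fdeb96
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5957129
-Reviewed-by: Alvin Ji <[email protected]>
-Auto-Submit: Reilly Grant <[email protected]>
-Commit-Queue: Alvin Ji <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1373408}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5976472
-Commit-Queue: Reilly Grant <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6723@{#1569}
-Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
----
-
-diff --git a/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.cc b/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.cc
-index 6aefbb5..a469a00c 100644
---- a/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.cc
-+++ b/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.cc
-@@ -268,4 +268,10 @@
-   abort_handle_.Clear();
- }
- 
-+void SerialPortUnderlyingSink::Dispose() {
-+  // Ensure that `watcher_` is disarmed so that `OnHandleReady()` is not called
-+  // after this object becomes garbage.
-+  PipeClosed();
-+}
-+
- }  // namespace blink
-diff --git a/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.h b/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.h
-index a32b0421..b4e664a 100644
---- a/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.h
-+++ b/third_party/blink/renderer/modules/serial/serial_port_underlying_sink.h
-@@ -20,6 +20,8 @@
- class WritableStreamDefaultController;
- 
- class SerialPortUnderlyingSink final : public UnderlyingSinkBase {
-+  USING_PRE_FINALIZER(SerialPortUnderlyingSink, Dispose);
-+
-  public:
-   SerialPortUnderlyingSink(SerialPort*, mojo::ScopedDataPipeProducerHandle);
- 
-@@ -46,6 +48,7 @@
-   void OnFlushOrDrain();
-   void WriteData();
-   void PipeClosed();
-+  void Dispose();
- 
-   mojo::ScopedDataPipeProducerHandle data_pipe_;
-   mojo::SimpleWatcher watcher_;
-diff --git a/third_party/blink/renderer/modules/serial/serial_port_underlying_source.cc b/third_party/blink/renderer/modules/serial/serial_port_underlying_source.cc
-index 6d2911c..6753be0 100644
---- a/third_party/blink/renderer/modules/serial/serial_port_underlying_source.cc
-+++ b/third_party/blink/renderer/modules/serial/serial_port_underlying_source.cc
-@@ -224,4 +224,10 @@
-   data_pipe_.reset();
- }
- 
-+void SerialPortUnderlyingSource::Dispose() {
-+  // Ensure that `watcher_` is disarmed so that `OnHandleReady()` is not called
-+  // after this object becomes garbage.
-+  Close();
-+}
-+
- }  // namespace blink
-diff --git a/third_party/blink/renderer/modules/serial/serial_port_underlying_source.h b/third_party/blink/renderer/modules/serial/serial_port_underlying_source.h
-index 4066e98..0de89d2d 100644
---- a/third_party/blink/renderer/modules/serial/serial_port_underlying_source.h
-+++ b/third_party/blink/renderer/modules/serial/serial_port_underlying_source.h
-@@ -12,6 +12,7 @@
- #include "third_party/blink/renderer/bindings/core/v8/script_value.h"
- #include "third_party/blink/renderer/core/execution_context/execution_context_lifecycle_observer.h"
- #include "third_party/blink/renderer/core/streams/underlying_byte_source_base.h"
-+#include "third_party/blink/renderer/platform/heap/prefinalizer.h"
- 
- namespace blink {
- 
-@@ -20,6 +21,8 @@
- 
- class SerialPortUnderlyingSource : public UnderlyingByteSourceBase,
-                                    ExecutionContextLifecycleObserver {
-+  USING_PRE_FINALIZER(SerialPortUnderlyingSource, Dispose);
-+
-  public:
-   SerialPortUnderlyingSource(ScriptState*,
-                              SerialPort*,
-@@ -47,6 +50,7 @@
-   void OnFlush(ScriptPromiseResolver<IDLUndefined>*);
-   void PipeClosed();
-   void Close();
-+  void Dispose();
- 
-   // TODO(crbug.com/1457493) : Remove when debugging is done.
-   MojoResult invalid_data_pipe_read_result_ = MOJO_RESULT_OK;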

+ 23 - 24
patches/chromium/cherry-pick-f3300abe2fcd.patch

@@ -1,7 +1,7 @@
-From f3300abe2fcd0164794d7a782cc221d10c17f322 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Yoshisato Yanagisawa <[email protected]>
-Date: Mon, 06 Jan 2025 05:34:49 -0800
-Subject: [PATCH] [M130] Make AcceptLanguagesWatcher a weak persistent object
+Date: Mon, 6 Jan 2025 05:34:49 -0800
+Subject: Make AcceptLanguagesWatcher a weak persistent object
 
 DedicatedWorkerOrSharedWorkerFetchContext keeps on having a pointer
 to the AcceptLanguagesWatcher as a raw_ptr.  Even if the implementing
@@ -28,13 +28,12 @@ Auto-Submit: Daniel Yip <[email protected]>
 Owners-Override: Daniel Yip <[email protected]>
 Cr-Commit-Position: refs/branch-heads/6723@{#2761}
 Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
----
 
 diff --git a/third_party/blink/public/platform/web_worker_fetch_context.h b/third_party/blink/public/platform/web_worker_fetch_context.h
-index 6f2a2e9..cf8bfce4 100644
+index 83f6773cf4d8542d042b74697e36aa2ea3329bbf..c41e1aa452994a66c58e40c8e936134dd6375071 100644
 --- a/third_party/blink/public/platform/web_worker_fetch_context.h
 +++ b/third_party/blink/public/platform/web_worker_fetch_context.h
-@@ -33,19 +33,12 @@
+@@ -33,19 +33,12 @@ class SiteForCookies;
  
  namespace blink {
  
@@ -56,10 +55,10 @@ index 6f2a2e9..cf8bfce4 100644
  // passed to a worker (dedicated, shared and service worker) and initialized on
  // the worker thread by InitializeOnWorkerThread(). It contains information
 diff --git a/third_party/blink/renderer/core/workers/worker_navigator.cc b/third_party/blink/renderer/core/workers/worker_navigator.cc
-index 344382b..a4159a4 100644
+index 998721cf2ddda195c5695b947787a25fc1ecf15a..399d97209b4ddc1757764111879156ca451291ed 100644
 --- a/third_party/blink/renderer/core/workers/worker_navigator.cc
 +++ b/third_party/blink/renderer/core/workers/worker_navigator.cc
-@@ -61,4 +61,9 @@
+@@ -54,4 +54,9 @@ void WorkerNavigator::NotifyUpdate() {
        *Event::Create(event_type_names::kLanguagechange));
  }
  
@@ -70,7 +69,7 @@ index 344382b..a4159a4 100644
 +
  }  // namespace blink
 diff --git a/third_party/blink/renderer/core/workers/worker_navigator.h b/third_party/blink/renderer/core/workers/worker_navigator.h
-index ea07a96..ab622f8e 100644
+index ea07a96390fbcf06853d80b7b20cf50128494e9a..ab622f8ebc6a5f68ceb9f867876b6bf696d3fc30 100644
 --- a/third_party/blink/renderer/core/workers/worker_navigator.h
 +++ b/third_party/blink/renderer/core/workers/worker_navigator.h
 @@ -29,6 +29,7 @@
@@ -81,7 +80,7 @@ index ea07a96..ab622f8e 100644
  #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
  
  namespace blink {
-@@ -46,6 +47,9 @@
+@@ -46,6 +47,9 @@ class CORE_EXPORT WorkerNavigator final : public NavigatorBase,
  
    // AcceptLanguagesWatcher override
    void NotifyUpdate() override;
@@ -92,10 +91,10 @@ index ea07a96..ab622f8e 100644
  
  }  // namespace blink
 diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
-index 0815877..4930962 100644
+index f8a2bdd424da2cd45114c75cc4d37d6c400b38fe..b11d013b13865758acc5b5f0c64dbd3e8dad5609 100644
 --- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
 +++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.cc
-@@ -18,6 +18,7 @@
+@@ -16,6 +16,7 @@
  #include "third_party/blink/public/platform/url_loader_throttle_provider.h"
  #include "third_party/blink/public/platform/web_url_request_extra_data.h"
  #include "third_party/blink/public/platform/websocket_handshake_throttle_provider.h"
@@ -103,7 +102,7 @@ index 0815877..4930962 100644
  #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
  #include "third_party/blink/renderer/platform/loader/internet_disconnected_url_loader.h"
  
-@@ -226,9 +227,12 @@
+@@ -220,9 +221,12 @@ void WebServiceWorkerFetchContextImpl::UpdateSubresourceLoaderFactories(
  
  void WebServiceWorkerFetchContextImpl::NotifyUpdate(
      const RendererPreferences& new_prefs) {
@@ -120,7 +119,7 @@ index 0815877..4930962 100644
  }
  
 diff --git a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
-index a7c897de..c2f1c9d 100644
+index c59acba074327eb609ae40c069873272a3aa0e71..dad815728a335e5e0de77b95f0dcae871fb6a9ce 100644
 --- a/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
 +++ b/third_party/blink/renderer/modules/service_worker/web_service_worker_fetch_context_impl.h
 @@ -6,16 +6,16 @@
@@ -142,7 +141,7 @@ index a7c897de..c2f1c9d 100644
  #include "third_party/blink/renderer/platform/weborigin/kurl.h"
  #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
  #include "third_party/blink/renderer/platform/wtf/vector.h"
-@@ -135,7 +135,7 @@
+@@ -135,7 +135,7 @@ class BLINK_EXPORT WebServiceWorkerFetchContextImpl final
    // This is owned by ThreadedMessagingProxyBase on the main thread.
    raw_ptr<base::WaitableEvent> terminate_sync_load_event_ = nullptr;
  
@@ -152,10 +151,10 @@ index a7c897de..c2f1c9d 100644
    Vector<String> cors_exempt_header_list_;
    bool is_offline_mode_ = false;
 diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
-index 5b8e391..12da20f 100644
+index 5f304abbb561e1bc368c50eef329e949855b89b0..bb0471e78f3284fe325d581c2d55e3b90ef486f1 100644
 --- a/third_party/blink/renderer/platform/BUILD.gn
 +++ b/third_party/blink/renderer/platform/BUILD.gn
-@@ -341,6 +341,7 @@
+@@ -335,6 +335,7 @@ component("platform") {
    output_name = "blink_platform"
  
    sources = [
@@ -165,7 +164,7 @@ index 5b8e391..12da20f 100644
      "animation/compositor_animation.cc",
 diff --git a/third_party/blink/renderer/platform/accept_languages_watcher.h b/third_party/blink/renderer/platform/accept_languages_watcher.h
 new file mode 100644
-index 0000000..7fd5de07f
+index 0000000000000000000000000000000000000000..7fd5de07fb26863deab3f921f678f0628f496f2d
 --- /dev/null
 +++ b/third_party/blink/renderer/platform/accept_languages_watcher.h
 @@ -0,0 +1,22 @@
@@ -192,10 +191,10 @@ index 0000000..7fd5de07f
 +
 +#endif  // THIRD_PARTY_BLINK_RENDERER_PLATFORM_ACCEPT_LANGUAGES_WATCHER_H_
 diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
-index c8a92c06..7886b02 100644
+index c8a92c0641ddbe972239acbc44593058ddea7159..7886b02241bd44edfeea7a5af7a0d8dd545308f3 100644
 --- a/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
 +++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/DEPS
-@@ -28,4 +28,7 @@
+@@ -28,4 +28,7 @@ specific_include_rules = {
      "web_url_loader_unittest.cc": [
          "+net/test/cert_test_util.h"
      ],
@@ -204,7 +203,7 @@ index c8a92c06..7886b02 100644
 +    ],
  }
 diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
-index cc1954f6..c9f96ff 100644
+index 67ff2f5b0c2305df53ba07f51714cd40412710f6..5471967992e4b6d9c362974cb01254331db23ceb 100644
 --- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
 +++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.cc
 @@ -28,6 +28,7 @@
@@ -215,7 +214,7 @@ index cc1954f6..c9f96ff 100644
  #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader.h"
  #include "third_party/blink/renderer/platform/loader/fetch/url_loader/url_loader_factory.h"
  #include "url/url_constants.h"
-@@ -605,9 +606,13 @@
+@@ -600,9 +601,13 @@ void DedicatedOrSharedWorkerFetchContextImpl::UpdateSubresourceLoaderFactories(
  
  void DedicatedOrSharedWorkerFetchContextImpl::NotifyUpdate(
      const RendererPreferences& new_prefs) {
@@ -233,7 +232,7 @@ index cc1954f6..c9f96ff 100644
    for (auto& watcher : child_preference_watchers_)
      watcher->NotifyUpdate(new_prefs);
 diff --git a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
-index b95a25fe..d0387cf 100644
+index 113e65b3154981dd16f0e8839ad8dc9add33d392..33814865741bd0d1e2b73142f384f7024e119ca6 100644
 --- a/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
 +++ b/third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h
 @@ -23,6 +23,7 @@
@@ -244,7 +243,7 @@ index b95a25fe..d0387cf 100644
  #include "third_party/blink/renderer/platform/wtf/casting.h"
  #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
  #include "third_party/blink/renderer/platform/wtf/vector.h"
-@@ -301,7 +302,7 @@
+@@ -300,7 +301,7 @@ class BLINK_PLATFORM_EXPORT DedicatedOrSharedWorkerFetchContextImpl final
    std::unique_ptr<WeakWrapperResourceLoadInfoNotifier>
        weak_wrapper_resource_load_info_notifier_;
  

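--- a/patches/chromium/fix_move_autopipsettingshelper_behind_branding_buildflag.patch
+++ b/patches/chromium/fix_move_autopipsettingshelper_behind_branding_buildflag.patch
@@ -9,7 +9,7 @@ to support content settings UI. The support pulls in chrome content settings
 and UI code which are not valid in the scope of Electron.
 
 diff --git a/chrome/browser/picture_in_picture/picture_in_picture_window_manager.cc b/chrome/browser/picture_in_picture/picture_in_picture_window_manager.cc
-index ceced82cbd23b2dcd7fabf7d63028423f86e05c3..27d0b61a7b67d1c9d7e0699e287b78332d9dce26 100644
+index b8f881cf962a309c627ccac835051c33f17727d3..57078588290fcbd1bab67efb1c591b69c11bcb15 100644
 --- a/chrome/browser/picture_in_picture/picture_in_picture_window_manager.cc
 +++ b/chrome/browser/picture_in_picture/picture_in_picture_window_manager.cc
 @@ -6,6 +6,7 @@
@@ -39,7 +39,7 @@ index ceced82cbd23b2dcd7fabf7d63028423f86e05c3..27d0b61a7b67d1c9d7e0699e287b7833
  // Returns true if a document picture-in-picture window should be focused upon
  // opening it.
  bool ShouldFocusPictureInPictureWindow(const NavigateParams& params) {
-@@ -177,7 +180,7 @@ bool PictureInPictureWindowManager::ExitPictureInPictureViaWindowUi(
+@@ -187,7 +190,7 @@ bool PictureInPictureWindowManager::ExitPictureInPictureViaWindowUi(
      return false;
    }
  
@@ -48,7 +48,7 @@ index ceced82cbd23b2dcd7fabf7d63028423f86e05c3..27d0b61a7b67d1c9d7e0699e287b7833
    // The user manually closed the pip window, so let the tab helper know in case
    // the auto-pip permission dialog was visible.
    if (auto* tab_helper = AutoPictureInPictureTabHelper::FromWebContents(
-@@ -373,7 +376,7 @@ gfx::Size PictureInPictureWindowManager::GetMaximumWindowSize(
+@@ -383,7 +386,7 @@ gfx::Size PictureInPictureWindowManager::GetMaximumWindowSize(
  
  // static
  void PictureInPictureWindowManager::SetWindowParams(NavigateParams& params) {
@@ -57,7 +57,7 @@ index ceced82cbd23b2dcd7fabf7d63028423f86e05c3..27d0b61a7b67d1c9d7e0699e287b7833
    // Always show document picture-in-picture in a new window. When this is
    // not opened via the AutoPictureInPictureTabHelper, focus the window.
    params.window_action = ShouldFocusPictureInPictureWindow(params)
-@@ -452,6 +455,7 @@ PictureInPictureWindowManager::GetOverlayView(
+@@ -472,6 +475,7 @@ PictureInPictureWindowManager::GetOverlayView(
      return nullptr;
    }
  
@@ -65,7 +65,7 @@ index ceced82cbd23b2dcd7fabf7d63028423f86e05c3..27d0b61a7b67d1c9d7e0699e287b7833
    // It would be nice to create this in `EnterPictureInPicture*`, but detecting
    // auto-pip while pip is in the process of opening doesn't work.
    //
-@@ -490,6 +494,8 @@ PictureInPictureWindowManager::GetOverlayView(
+@@ -510,6 +514,8 @@ PictureInPictureWindowManager::GetOverlayView(
    }
  
    return overlay_view;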

+ 0 - 75
patches/chromium/m126-lts_check_string_range_in_shapesegment.patch

@@ -1,75 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Koji Ishii <[email protected]>
-Date: Thu, 12 Sep 2024 06:00:02 +0000
-Subject: Check string range in `ShapeSegment`
-
-crrev.com/c/5776342 fixed a range `CHECK` in
-`CollectFallbackHintChars`, but depends on the CSS and font
-configurations, it's possible that the code doesn't go to
-`CollectFallbackHintChars` and the following code may hit
-the same issue.
-
-This patch adds another `CHECK` for the case.
-
-(cherry picked from commit ef6f7b4521bb9e8d0235550c93acf885e198abdb)
-
-Bug: 355731798, 357622693
-Change-Id: Ieb4ada7699c80564e8a4b866cb6a6ffbc665ebc7
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5776204
-Commit-Queue: Kent Tamura <[email protected]>
-Auto-Submit: Koji Ishii <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1340006}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5806849
-Auto-Submit: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Commit-Queue: Koji Ishii <[email protected]>
-Reviewed-by: Fernando Serboncini <[email protected]>
-Reviewed-by: Fahad Mansoor <[email protected]>
-Reviewed-by: Koji Ishii <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#1959}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
-
-diff --git a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-index 7731bd142f1352d0bbc67a1f9a3742de0adc11ad..be09f8302145e71c42899aa17dfc765037413a2c 100644
---- a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-+++ b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-@@ -492,6 +492,12 @@ inline void HarfBuzzShaper::CheckTextLen(unsigned start,
-   CHECK_LE(length, text_.length() - start);
- }
- 
-+inline void HarfBuzzShaper::CheckTextEnd(unsigned start, unsigned end) const {
-+  CHECK_LE(start, end);
-+  CHECK_LE(start, text_.length());
-+  CHECK_LE(end, text_.length());
-+}
-+
- void HarfBuzzShaper::CommitGlyphs(RangeContext* range_data,
-                                   const SimpleFontData* current_font,
-                                   UScriptCode current_run_script,
-@@ -942,12 +948,13 @@ void HarfBuzzShaper::ShapeSegment(
- 
-     // Clamp the start and end offsets of the queue item to the offsets
-     // representing the shaping window.
--    unsigned shape_start =
-+    const unsigned shape_start =
-         std::max(range_data->start, current_queue_item.start_index_);
--    unsigned shape_end =
-+    const unsigned shape_end =
-         std::min(range_data->end, current_queue_item.start_index_ +
-                                       current_queue_item.num_characters_);
-     DCHECK_GT(shape_end, shape_start);
-+    CheckTextEnd(shape_start, shape_end);
- 
-     CaseMapIntend case_map_intend = CaseMapIntend::kKeepSameCase;
-     if (needs_caps_handling) {
-diff --git a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-index 102b6bb08105db6f9327acf6250c961d0b322170..f97e92a26fcde1aa533869dfad9eaf20ae65dd95 100644
---- a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-+++ b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-@@ -173,6 +173,7 @@ class PLATFORM_EXPORT HarfBuzzShaper final {
-                     ShapeResult*) const;
- 
-   void CheckTextLen(unsigned start, unsigned length) const;
-+  void CheckTextEnd(unsigned start, unsigned end) const;
- 
-   const String text_;
-   EmojiMetricsCallback emoji_metrics_reporter_for_testing_;

+ 0 - 50
patches/chromium/m126-lts_don_t_perform_pseudo-element_ident_parsing_on_non-ascii.patch

@@ -1,50 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Gyuyoung Kim <[email protected]>
-Date: Tue, 1 Oct 2024 02:11:48 +0000
-Subject: Don't perform pseudo-element ident parsing on non-ASCII
-
-ParsePseudoType crashes on ASAN when given non-ASCII characters,
-so returning early if those are present.
-
-(cherry picked from commit f50b84cf5edf9a3ef09ddee9a24aeae5da55c630)
-
-Bug: 350779647
-Change-Id: Ic77351a1c95437a226dce66c7826b7b8481b8d91
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5686295
-Commit-Queue: Noam Rosenthal <[email protected]>
-Reviewed-by: Rune Lillesveen <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1346768}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5872266
-Owners-Override: Victor Gabriel Savu <[email protected]>
-Reviewed-by: Victor Gabriel Savu <[email protected]>
-Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#1974}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
-
-diff --git a/third_party/blink/renderer/core/css/parser/css_selector_parser.cc b/third_party/blink/renderer/core/css/parser/css_selector_parser.cc
-index a14ef80a98838036649215d47054b86132e08bc7..991fef25fb349f46ed2ccb9e02fe02d1fc75ae41 100644
---- a/third_party/blink/renderer/core/css/parser/css_selector_parser.cc
-+++ b/third_party/blink/renderer/core/css/parser/css_selector_parser.cc
-@@ -962,7 +962,7 @@ PseudoId CSSSelectorParser::ParsePseudoElement(const String& selector_string,
- 
-   CSSParserToken selector_name_token = range.Peek(ident_start);
-   if (selector_name_token.GetType() == kIdentToken) {
--    if (!selector_name_token.Value().Is8Bit()) {
-+    if (!selector_name_token.Value().ContainsOnlyASCIIOrEmpty()) {
-       return kPseudoIdInvalid;
-     }
-     if (range.Peek(ident_start + 1).GetType() != kEOFToken) {
-diff --git a/third_party/blink/web_tests/external/wpt/css/cssom/getComputedStyle-special-chars-crash.html b/third_party/blink/web_tests/external/wpt/css/cssom/getComputedStyle-special-chars-crash.html
-new file mode 100644
-index 0000000000000000000000000000000000000000..a9c1dd9976af10efb197bf9bdb0bef47516db7c3
---- /dev/null
-+++ b/third_party/blink/web_tests/external/wpt/css/cssom/getComputedStyle-special-chars-crash.html
-@@ -0,0 +1,7 @@
-+<!DOCTYPE html>
-+<body>
-+<script>
-+    window.getComputedStyle(document.body, String.fromCharCode( 92, 109, 107, 78, 80, 113, 90, 102, 76, 49));
-+</script>
-+This test shouldn't crash.
-+</body>
-\ No newline at end of file

+ 0 - 63
patches/chromium/m126-lts_fix_a_range_check_for_when_it_overflows.patch

@@ -1,63 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Koji Ishii <[email protected]>
-Date: Thu, 12 Sep 2024 05:51:00 +0000
-Subject: Fix a range `CHECK` for when it overflows
-
-This patch fixes a `CHECK` for a range of a string when
-`offset + length` overflows the `unsigned`.
-
-(cherry picked from commit 59c286e8419f07143ce859342f0fe9ddea36392d)
-
-Bug: 355731798
-Change-Id: If04222f10f2b73b6dcd6b412cf4d82fa5b71bbe2
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5776342
-Commit-Queue: Kent Tamura <[email protected]>
-Auto-Submit: Koji Ishii <[email protected]>
-Commit-Queue: Koji Ishii <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1339526}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5804713
-Reviewed-by: Koji Ishii <[email protected]>
-Reviewed-by: Fahad Mansoor <[email protected]>
-Auto-Submit: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#1958}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
-
-diff --git a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-index 427fbb617742c7690338ad6729be720826955b1f..7731bd142f1352d0bbc67a1f9a3742de0adc11ad 100644
---- a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-+++ b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.cc
-@@ -486,6 +486,12 @@ CanvasRotationInVertical CanvasRotationForRun(
- 
- }  // namespace
- 
-+inline void HarfBuzzShaper::CheckTextLen(unsigned start,
-+                                         unsigned length) const {
-+  CHECK_LE(start, text_.length());
-+  CHECK_LE(length, text_.length() - start);
-+}
-+
- void HarfBuzzShaper::CommitGlyphs(RangeContext* range_data,
-                                   const SimpleFontData* current_font,
-                                   UScriptCode current_run_script,
-@@ -697,7 +703,7 @@ bool HarfBuzzShaper::CollectFallbackHintChars(
-       break;
-     }
- 
--    CHECK_LE((it->start_index_ + it->num_characters_), text_.length());
-+    CheckTextLen(it->start_index_, it->num_characters_);
-     if (text_.Is8Bit()) {
-       for (unsigned i = 0; i < it->num_characters_; i++) {
-         const UChar hint_char = text_[it->start_index_ + i];
-diff --git a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-index 6ad434d4586c3f82a11a215f27bbb2e548b5bce9..102b6bb08105db6f9327acf6250c961d0b322170 100644
---- a/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-+++ b/third_party/blink/renderer/platform/fonts/shaping/harfbuzz_shaper.h
-@@ -172,6 +172,8 @@ class PLATFORM_EXPORT HarfBuzzShaper final {
-                     const BufferSlice&,
-                     ShapeResult*) const;
- 
-+  void CheckTextLen(unsigned start, unsigned length) const;
-+
-   const String text_;
-   EmojiMetricsCallback emoji_metrics_reporter_for_testing_;
- };

+ 0 - 205
patches/chromium/m126-lts_protect_automation_rate_from_non-deterministic_change.patch

@@ -1,205 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Hongchan Choi <[email protected]>
-Date: Tue, 17 Sep 2024 17:04:42 +0000
-Subject: Protect automation_rate_ from non-deterministic change
-
-This CL fixes non-deterministic (racy) data change on
-AudioParamHandler::automation_rate_. It also revises incorrect logic
-in the DelayHandler's process function; the process function
-needs to process all the channels in the delay kernel in the same
-rate. However, the previous code allowed the automation rate to
-change any time even in the middle of processing.
-
-This fix is locally confirmed with the provided repro case,
-and also a test was added to verify other related API surfaces.
-
-(cherry picked from commit ec85a32bb5d736637c934088c14b2b6a42457467)
-
-Bug: 357391257
-Change-Id: I7ce953837edd818e435e3a1b917f6b3c6147d95b
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5767447
-Commit-Queue: Hongchan Choi <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1345091}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5854511
-Reviewed-by: Giovanni Pezzino <[email protected]>
-Reviewed-by: Hongchan Choi <[email protected]>
-Reviewed-by: Michael Wilson <[email protected]>
-Commit-Queue: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#1962}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
-
-diff --git a/third_party/blink/renderer/modules/webaudio/audio_param_handler.h b/third_party/blink/renderer/modules/webaudio/audio_param_handler.h
-index 6343c4863b5d325a360489a3f3aab3df860d870c..128f283f8d6150cf8b9062ae034d1112930892fc 100644
---- a/third_party/blink/renderer/modules/webaudio/audio_param_handler.h
-+++ b/third_party/blink/renderer/modules/webaudio/audio_param_handler.h
-@@ -123,8 +123,12 @@ class AudioParamHandler final : public ThreadSafeRefCounted<AudioParamHandler>,
-   float Value();
-   void SetValue(float);
- 
--  AutomationRate GetAutomationRate() const { return automation_rate_; }
-+  AutomationRate GetAutomationRate() const {
-+    base::AutoLock rate_locker(RateLock());
-+    return automation_rate_;
-+  }
-   void SetAutomationRate(AutomationRate automation_rate) {
-+    base::AutoLock rate_locker(RateLock());
-     automation_rate_ = automation_rate;
-   }
- 
-@@ -163,6 +167,8 @@ class AudioParamHandler final : public ThreadSafeRefCounted<AudioParamHandler>,
-     return intrinsic_value_.load(std::memory_order_relaxed);
-   }
- 
-+  base::Lock& RateLock() const { return rate_lock_; }
-+
-  private:
-   AudioParamHandler(BaseAudioContext&,
-                     AudioParamType,
-@@ -195,8 +201,12 @@ class AudioParamHandler final : public ThreadSafeRefCounted<AudioParamHandler>,
- 
-   float default_value_;
- 
-+  // Protects `automation_rate_`.
-+  mutable base::Lock rate_lock_;
-+
-   // The automation rate of the AudioParam (k-rate or a-rate)
-   AutomationRate automation_rate_;
-+
-   // `rate_mode_` determines if the user can change the automation rate to a
-   // different value.
-   const AutomationRateMode rate_mode_;
-diff --git a/third_party/blink/renderer/modules/webaudio/delay_handler.cc b/third_party/blink/renderer/modules/webaudio/delay_handler.cc
-index ff3a2ffac5ebeb3841bdbf21bc95981f182358d3..5548e27689acba1c3b301a19567256bf138ebb7f 100644
---- a/third_party/blink/renderer/modules/webaudio/delay_handler.cc
-+++ b/third_party/blink/renderer/modules/webaudio/delay_handler.cc
-@@ -59,21 +59,27 @@ void DelayHandler::Process(uint32_t frames_to_process) {
-       source_bus->Zero();
-     }
- 
--    base::AutoTryLock try_locker(process_lock_);
--    if (try_locker.is_acquired()) {
-+    base::AutoTryLock process_try_locker(process_lock_);
-+    base::AutoTryLock rate_try_locker(delay_time_->RateLock());
-+    if (process_try_locker.is_acquired() && rate_try_locker.is_acquired()) {
-       DCHECK_EQ(source_bus->NumberOfChannels(),
-                 destination_bus->NumberOfChannels());
-       DCHECK_EQ(source_bus->NumberOfChannels(), kernels_.size());
- 
--      for (unsigned i = 0; i < kernels_.size(); ++i) {
--        if (delay_time_->HasSampleAccurateValues() &&
--            delay_time_->IsAudioRate()) {
-+      if (delay_time_->IsAudioRate()) {
-+        for (unsigned i = 0; i < kernels_.size(); ++i) {
-+          // Assumes that the automation rate cannot change in the middle of
-+          // the process function. (See crbug.com/357391257)
-+          CHECK(delay_time_->IsAudioRate());
-           delay_time_->CalculateSampleAccurateValues(kernels_[i]->DelayTimes(),
-                                                      frames_to_process);
-           kernels_[i]->ProcessARate(source_bus->Channel(i)->Data(),
-                                     destination_bus->Channel(i)->MutableData(),
-                                     frames_to_process);
--        } else {
-+        }
-+      } else {
-+        for (unsigned i = 0; i < kernels_.size(); ++i) {
-+          CHECK(!delay_time_->IsAudioRate());
-           kernels_[i]->SetDelayTime(delay_time_->FinalValue());
-           kernels_[i]->ProcessKRate(source_bus->Channel(i)->Data(),
-                                     destination_bus->Channel(i)->MutableData(),
-diff --git a/third_party/blink/web_tests/webaudio/AudioParam/audioparam-rate-change-357391257.html b/third_party/blink/web_tests/webaudio/AudioParam/audioparam-rate-change-357391257.html
-new file mode 100644
-index 0000000000000000000000000000000000000000..e2d8b9aacd25e86a9b0a5f28524777590280c305
---- /dev/null
-+++ b/third_party/blink/web_tests/webaudio/AudioParam/audioparam-rate-change-357391257.html
-@@ -0,0 +1,91 @@
-+<!DOCTYPE html>
-+<html>
-+<head>
-+  <meta name="timeout" content="long"/>
-+  <title>
-+    AudioParam automateRate property change - crbug.com/357391257
-+  </title>
-+  <script src="../../resources/testharness.js"></script>
-+  <script src="../../resources/testharnessreport.js"></script>
-+</head>
-+<body>
-+  <script>
-+    const t = async_test('audio-param-rate-change-357391257');
-+
-+    // The problematic value used in the reproduction code.
-+    const testValue = 5;
-+
-+    // Number of iterations for triggering the issue. A high value can strain
-+    // testing resources. Empirically determined: the reported repro case was
-+    // aboe to crash in 3 iterations on average.
-+    const maxIteration = 3;
-+
-+    // The original repro only has setValueAtTime() but the fix/test covers
-+    // all methods.
-+    const subtestTypes = [
-+      'setValueAtTime',
-+      'linearRampToValueAtTime',
-+      'exponentialRampToValueAtTime',
-+      'linearRampToValueAtTime',
-+      'setTargetAtTime',
-+      'setValueCurveAtTime'
-+    ];
-+
-+    let subtestsCompleted = 0;
-+
-+    const runTest = (iteration, subtestType) => {
-+      const context = new AudioContext({sampleRate: 768000});
-+      const scriptNode = context.createScriptProcessor();
-+      const delayNode = context.createDelay(1);
-+
-+      scriptNode.onaudioprocess = () => {
-+        delayNode.delayTime.automationRate = 'k-rate';
-+        delayNode.delayTime.automationRate = 'a-rate';
-+      };
-+      delayNode.delayTime.linearRampToValueAtTime(1, 2);
-+      scriptNode.connect(delayNode).connect(context.destination);
-+
-+      switch (subtestTypes[subtestType]) {
-+        case 'setValueAtTime':
-+          delayNode.delayTime.setValueAtTime(testValue, context.currentTime);
-+          break;
-+        case 'linearRampToValueAtTime':
-+          delayNode.delayTime.linearRampToValueAtTime(
-+              testValue, context.currentTime);
-+          break;
-+        case 'exponentialRampToValueAtTime':
-+          delayNode.delayTime.exponentialRampToValueAtTime(
-+              testValue, context.currentTime);
-+          break;
-+        case 'setTargetAtTime':
-+          delayNode.delayTime.setTargetAtTime(
-+              testValue, context.currentTime, 0);
-+          break;
-+        case 'setValueCurveAtTime':
-+          const curve = new Float32Array(2);
-+          curve[0] = testValue;
-+          curve[1] = 0;
-+          // To avoid the schedule overlap with setValueAtTime() above, start
-+          // the automation at 2.5s.
-+          delayNode.delayTime.setValueCurveAtTime(curve, 2.5, 1);
-+          break;
-+        defaut:
-+          assert_unreached('invalid method test type');
-+      }
-+
-+      if (iteration < maxIteration) {
-+        setTimeout(() => runTest(iteration + 1, subtestType), 100);
-+      } else {
-+        if (++subtestsCompleted === subtestTypes.length) {
-+          context.close();
-+          t.done();
-+        }
-+      }
-+    };
-+
-+    window.addEventListener('load', t.step_func(() => {
-+      subtestTypes.forEach((_, subtestType) => runTest(0, subtestType));
-+    }));
-+  </script>
-+</body>
-+</html>

+ 0 - 89
patches/chromium/m126-lts_reland_fix_stringview_to_crash_when_offset_length.patch

@@ -1,89 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Koji Ishii <[email protected]>
-Date: Thu, 12 Sep 2024 06:17:42 +0000
-Subject: Reland "Fix `StringView` to crash when `offset + length` overflows"
-
-This is a reland of commit ba40b993a6b700a2ad0fd092e141783fb1f60e70
-
-The original change failed on mac11-arm64-rel and reverted at
-crrev.com/c/5776005. This is because the unit tests assumed
-that the `SECURITY_DCHECK` is always enabled, but it's
-actually enabled only for DCHECK-enabled builds.
-
-This patch fixes it by wrapping the unit tests by `#if`.
-
-Original change's description:
-> Fix `StringView` to crash when `offset + length` overflows
->
-> This patch fixes `SECURITY_DCHECK` in `StringView` for when
-> `offset + length` overflows the `unsigned`.
->
-> Bug: 357622693, 355731798
-> Change-Id: I5a7a7979192fe132496661b1272c5902cdbdb09a
-> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5775486
-> Auto-Submit: Koji Ishii <[email protected]>
-> Commit-Queue: Kent Tamura <[email protected]>
-> Cr-Commit-Position: refs/heads/main@{#1340005}
-
-(cherry picked from commit 5fe8d13101707cfe668bab004fe705241a12b11d)
-
-Bug: 357622693, 355731798
-Change-Id: I5402234a5fe54bf8dec2c986ab0ab388e1bc783d
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5782718
-Commit-Queue: Koji Ishii <[email protected]>
-Auto-Submit: Koji Ishii <[email protected]>
-Commit-Queue: Kentaro Hara <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1340817}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5807454
-Auto-Submit: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Reviewed-by: Michael Lippautz <[email protected]>
-Reviewed-by: Fahad Mansoor <[email protected]>
-Reviewed-by: Koji Ishii <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6478@{#1960}
-Cr-Branched-From: e6143acc03189c5e52959545b110d6d17ecd5286-refs/heads/main@{#1300313}
-
-diff --git a/third_party/blink/renderer/platform/wtf/text/string_view.h b/third_party/blink/renderer/platform/wtf/text/string_view.h
-index ba3ea1a57f44a51cc3d7b23efc40880e3c421175..96ff7f092c12bceaa8f603fdca10582f988e56d5 100644
---- a/third_party/blink/renderer/platform/wtf/text/string_view.h
-+++ b/third_party/blink/renderer/platform/wtf/text/string_view.h
-@@ -284,7 +284,8 @@ inline StringView::StringView(const StringView& view,
-                               unsigned offset,
-                               unsigned length)
-     : impl_(view.impl_), length_(length) {
--  SECURITY_DCHECK(offset + length <= view.length());
-+  SECURITY_DCHECK(offset <= view.length());
-+  SECURITY_DCHECK(length <= view.length() - offset);
-   if (Is8Bit())
-     bytes_ = view.Characters8() + offset;
-   else
-@@ -330,7 +331,8 @@ inline void StringView::Clear() {
- inline void StringView::Set(const StringImpl& impl,
-                             unsigned offset,
-                             unsigned length) {
--  SECURITY_DCHECK(offset + length <= impl.length());
-+  SECURITY_DCHECK(offset <= impl.length());
-+  SECURITY_DCHECK(length <= impl.length() - offset);
-   length_ = length;
-   impl_ = const_cast<StringImpl*>(&impl);
-   if (impl.Is8Bit())
-diff --git a/third_party/blink/renderer/platform/wtf/text/string_view_test.cc b/third_party/blink/renderer/platform/wtf/text/string_view_test.cc
-index d8eb2afaa2ecb8a1fd0fbcc04c4c9b8b3b6cb821..efadac6e98a05ede6270d576dfcdb78dab196431 100644
---- a/third_party/blink/renderer/platform/wtf/text/string_view_test.cc
-+++ b/third_party/blink/renderer/platform/wtf/text/string_view_test.cc
-@@ -374,6 +374,16 @@ TEST(StringViewTest, ConstructionLiteral16) {
-   EXPECT_EQ(String("12"), StringView(kChars16, 2u));
- }
- 
-+#if ENABLE_SECURITY_ASSERT
-+TEST(StringViewTest, OverflowInConstructor) {
-+  EXPECT_DEATH_IF_SUPPORTED(StringView(StringView("12"), 2, -1), "");
-+}
-+
-+TEST(StringViewTest, OverflowInSet) {
-+  EXPECT_DEATH_IF_SUPPORTED(StringView(String("12"), 2, -1), "");
-+}
-+#endif  // ENABLE_SECURITY_ASSERT
-+
- TEST(StringViewTest, IsEmpty) {
-   EXPECT_FALSE(StringView(kChars).empty());
-   EXPECT_TRUE(StringView(kChars, 0).empty());

+ 0 - 57
patches/chromium/m130_extensions_serviceworker_skip_worker_for_isolated_world.patch

@@ -1,57 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Justin Lulejian <[email protected]>
-Date: Fri, 18 Oct 2024 21:34:12 +0000
-Subject: [M130][Extensions][ServiceWorker] Skip worker for isolated world
- module fetch
-
-Before this change, an isolated world (e.g. extension content script,
-but also others) could dynamically import a script from an accessible
-resource (for extensions this is possible with web accessible
-resources and a matching site). When this occurs a web service worker
-could intercept that request and respond with arbitrary content.
-
-After this change, isolated world module requests skip triggering the
-worker fetch handler. This includes extension content scripts, but also
-includes any other scripts that execute in the isolated world context.
-
-(cherry picked from commit 2c501634c1191be1e509720103f06d51b94e6311)
-
-Bug: 371011220
-Change-Id: I37eda47324b6933a93d2a44792a06ff91399981f
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5917013
-Auto-Submit: Justin Lulejian <[email protected]>
-Reviewed-by: Hiroshige Hayashizaki <[email protected]>
-Commit-Queue: Justin Lulejian <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#1365918}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5940150
-Owners-Override: Daniel Yip <[email protected]>
-Bot-Commit: Rubber Stamper <[email protected]>
-Cr-Commit-Position: refs/branch-heads/6723@{#1432}
-Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013}
-
-diff --git a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
-index b3d861555d8ecb4295c8f57414784a9b7f8e1745..fe2ac5f0d5157c735ed00cee6d2b330be6d9a9ca 100644
---- a/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
-+++ b/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
-@@ -153,12 +153,20 @@ void ModuleScriptLoader::FetchInternal(
-   url_ = module_request.Url();
- #endif
- 
-+  DOMWrapperWorld& request_world = modulator_->GetScriptState()->World();
-+
-+  // Prevents web service workers from intercepting isolated world dynamic
-+  // script imports requests and responding with different contents.
-+  // TODO(crbug.com/1296102): Link to documentation that describes the criteria
-+  // where module imports are handled by service worker fetch handler.
-+  resource_request.SetSkipServiceWorker(request_world.IsIsolatedWorld());
-+
-   // <spec step="9">Set request 's destination to the result of running the
-   // fetch destination from module type steps given destination and
-   // moduleType.</spec>
-   SetFetchDestinationFromModuleType(resource_request, module_request);
- 
--  ResourceLoaderOptions options(&modulator_->GetScriptState()->World());
-+  ResourceLoaderOptions options(&request_world);
- 
-   // <spec step="11">Set request's initiator type to "script".</spec>
-   options.initiator_info.name = fetch_initiator_type_names::kScript;

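--- a/patches/dawn/.patches
+++ b/patches/dawn/.patches
@@ -1,4 +1,2 @@
-tint_validate_that_align_is_large_enough.patch
-ir_fix_robustness_transform_on_textureload_of_sampled_and_depth.patch
 tint_validate_layout_constraints_for_all_address_spaces.patch
 msl_use_packed_vec3_for_workgroup_storage.patch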

+ 0 - 680
patches/dawn/ir_fix_robustness_transform_on_textureload_of_sampled_and_depth.patch

@@ -1,680 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Antonio Maiorano <[email protected]>
-Date: Fri, 15 Nov 2024 20:09:59 +0000
-Subject: IR: Fix robustness transform on textureLoad of sampled and depth
- textures
-
-For sampled and depth textures, which contain a 'level' argument, the
-robustness transform is supposed to clamp 'coords' using the dimensions
-at the clamped level, but it was looking up dimensions at level 0
-instead.
-
-Bug: 42250751
-Bug: 42251045
-Bug: 378541479
-Change-Id: I0e7fd6148417b248a9b584ae19818e9027306b63
-Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/214514
-Reviewed-by: James Price <[email protected]>
-Commit-Queue: dan sinclair <[email protected]>
-Commit-Queue: James Price <[email protected]>
-Auto-Submit: Antonio Maiorano <[email protected]>
-Reviewed-by: dan sinclair <[email protected]>
-Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/215154
-Commit-Queue: David Neto <[email protected]>
-Reviewed-by: David Neto <[email protected]>
-
-diff --git a/src/tint/lang/core/ir/transform/robustness.cc b/src/tint/lang/core/ir/transform/robustness.cc
-index 9284b9a48e896865ca3d6c0d19d39777139809a2..5b1acf92c24e26dc4bafdb95b24b12a594626a9d 100644
---- a/src/tint/lang/core/ir/transform/robustness.cc
-+++ b/src/tint/lang/core/ir/transform/robustness.cc
-@@ -321,7 +321,6 @@ struct State {
-                 break;
-             }
-             case core::BuiltinFn::kTextureLoad: {
--                clamp_coords(1u);
-                 uint32_t next_arg = 2u;
-                 if (type::IsTextureArray(texture->dim())) {
-                     clamp_array_index(next_arg++);
-@@ -329,6 +328,7 @@ struct State {
-                 if (texture->IsAnyOf<type::SampledTexture, type::DepthTexture>()) {
-                     clamp_level(next_arg++);
-                 }
-+                clamp_coords(1u);  // Must run after clamp_level
-                 break;
-             }
-             case core::BuiltinFn::kTextureStore: {
-diff --git a/src/tint/lang/core/ir/transform/robustness_test.cc b/src/tint/lang/core/ir/transform/robustness_test.cc
-index 1829c79b817f93d038cb4d8ab2cca86ae185e639..56540bf530ace7e335be1580ed7a0a049cae8b57 100644
---- a/src/tint/lang/core/ir/transform/robustness_test.cc
-+++ b/src/tint/lang/core/ir/transform/robustness_test.cc
-@@ -2103,28 +2103,28 @@ $B1: {  # root
- %load_signed = func(%coords:i32, %level:i32):vec4<f32> {
-   $B2: {
-     %5:texture_1d<f32> = load %texture
--    %6:u32 = textureDimensions %5
-+    %6:u32 = textureNumLevels %5
-     %7:u32 = sub %6, 1u
--    %8:u32 = convert %coords
-+    %8:u32 = convert %level
-     %9:u32 = min %8, %7
--    %10:u32 = textureNumLevels %5
-+    %10:u32 = textureDimensions %5, %9
-     %11:u32 = sub %10, 1u
--    %12:u32 = convert %level
-+    %12:u32 = convert %coords
-     %13:u32 = min %12, %11
--    %14:vec4<f32> = textureLoad %5, %9, %13
-+    %14:vec4<f32> = textureLoad %5, %13, %9
-     ret %14
-   }
- }
- %load_unsigned = func(%coords_1:u32, %level_1:u32):vec4<f32> {  # %coords_1: 'coords', %level_1: 'level'
-   $B3: {
-     %18:texture_1d<f32> = load %texture
--    %19:u32 = textureDimensions %18
-+    %19:u32 = textureNumLevels %18
-     %20:u32 = sub %19, 1u
--    %21:u32 = min %coords_1, %20
--    %22:u32 = textureNumLevels %18
-+    %21:u32 = min %level_1, %20
-+    %22:u32 = textureDimensions %18, %21
-     %23:u32 = sub %22, 1u
--    %24:u32 = min %level_1, %23
--    %25:vec4<f32> = textureLoad %18, %21, %24
-+    %24:u32 = min %coords_1, %23
-+    %25:vec4<f32> = textureLoad %18, %24, %21
-     ret %25
-   }
- }
-@@ -2200,28 +2200,28 @@ $B1: {  # root
- %load_signed = func(%coords:vec2<i32>, %level:i32):vec4<f32> {
-   $B2: {
-     %5:texture_2d<f32> = load %texture
--    %6:vec2<u32> = textureDimensions %5
--    %7:vec2<u32> = sub %6, vec2<u32>(1u)
--    %8:vec2<u32> = convert %coords
--    %9:vec2<u32> = min %8, %7
--    %10:u32 = textureNumLevels %5
--    %11:u32 = sub %10, 1u
--    %12:u32 = convert %level
--    %13:u32 = min %12, %11
--    %14:vec4<f32> = textureLoad %5, %9, %13
-+    %6:u32 = textureNumLevels %5
-+    %7:u32 = sub %6, 1u
-+    %8:u32 = convert %level
-+    %9:u32 = min %8, %7
-+    %10:vec2<u32> = textureDimensions %5, %9
-+    %11:vec2<u32> = sub %10, vec2<u32>(1u)
-+    %12:vec2<u32> = convert %coords
-+    %13:vec2<u32> = min %12, %11
-+    %14:vec4<f32> = textureLoad %5, %13, %9
-     ret %14
-   }
- }
- %load_unsigned = func(%coords_1:vec2<u32>, %level_1:u32):vec4<f32> {  # %coords_1: 'coords', %level_1: 'level'
-   $B3: {
-     %18:texture_2d<f32> = load %texture
--    %19:vec2<u32> = textureDimensions %18
--    %20:vec2<u32> = sub %19, vec2<u32>(1u)
--    %21:vec2<u32> = min %coords_1, %20
--    %22:u32 = textureNumLevels %18
--    %23:u32 = sub %22, 1u
--    %24:u32 = min %level_1, %23
--    %25:vec4<f32> = textureLoad %18, %21, %24
-+    %19:u32 = textureNumLevels %18
-+    %20:u32 = sub %19, 1u
-+    %21:u32 = min %level_1, %20
-+    %22:vec2<u32> = textureDimensions %18, %21
-+    %23:vec2<u32> = sub %22, vec2<u32>(1u)
-+    %24:vec2<u32> = min %coords_1, %23
-+    %25:vec4<f32> = textureLoad %18, %24, %21
-     ret %25
-   }
- }
-@@ -2300,35 +2300,35 @@ $B1: {  # root
- %load_signed = func(%coords:vec2<i32>, %layer:i32, %level:i32):vec4<f32> {
-   $B2: {
-     %6:texture_2d_array<f32> = load %texture
--    %7:vec2<u32> = textureDimensions %6
--    %8:vec2<u32> = sub %7, vec2<u32>(1u)
--    %9:vec2<u32> = convert %coords
--    %10:vec2<u32> = min %9, %8
--    %11:u32 = textureNumLayers %6
-+    %7:u32 = textureNumLayers %6
-+    %8:u32 = sub %7, 1u
-+    %9:u32 = convert %layer
-+    %10:u32 = min %9, %8
-+    %11:u32 = textureNumLevels %6
-     %12:u32 = sub %11, 1u
--    %13:u32 = convert %layer
-+    %13:u32 = convert %level
-     %14:u32 = min %13, %12
--    %15:u32 = textureNumLevels %6
--    %16:u32 = sub %15, 1u
--    %17:u32 = convert %level
--    %18:u32 = min %17, %16
--    %19:vec4<f32> = textureLoad %6, %10, %14, %18
-+    %15:vec2<u32> = textureDimensions %6, %14
-+    %16:vec2<u32> = sub %15, vec2<u32>(1u)
-+    %17:vec2<u32> = convert %coords
-+    %18:vec2<u32> = min %17, %16
-+    %19:vec4<f32> = textureLoad %6, %18, %10, %14
-     ret %19
-   }
- }
- %load_unsigned = func(%coords_1:vec2<u32>, %layer_1:u32, %level_1:u32):vec4<f32> {  # %coords_1: 'coords', %layer_1: 'layer', %level_1: 'level'
-   $B3: {
-     %24:texture_2d_array<f32> = load %texture
--    %25:vec2<u32> = textureDimensions %24
--    %26:vec2<u32> = sub %25, vec2<u32>(1u)
--    %27:vec2<u32> = min %coords_1, %26
--    %28:u32 = textureNumLayers %24
-+    %25:u32 = textureNumLayers %24
-+    %26:u32 = sub %25, 1u
-+    %27:u32 = min %layer_1, %26
-+    %28:u32 = textureNumLevels %24
-     %29:u32 = sub %28, 1u
--    %30:u32 = min %layer_1, %29
--    %31:u32 = textureNumLevels %24
--    %32:u32 = sub %31, 1u
--    %33:u32 = min %level_1, %32
--    %34:vec4<f32> = textureLoad %24, %27, %30, %33
-+    %30:u32 = min %level_1, %29
-+    %31:vec2<u32> = textureDimensions %24, %30
-+    %32:vec2<u32> = sub %31, vec2<u32>(1u)
-+    %33:vec2<u32> = min %coords_1, %32
-+    %34:vec4<f32> = textureLoad %24, %33, %27, %30
-     ret %34
-   }
- }
-@@ -2404,28 +2404,28 @@ $B1: {  # root
- %load_signed = func(%coords:vec3<i32>, %level:i32):vec4<f32> {
-   $B2: {
-     %5:texture_3d<f32> = load %texture
--    %6:vec3<u32> = textureDimensions %5
--    %7:vec3<u32> = sub %6, vec3<u32>(1u)
--    %8:vec3<u32> = convert %coords
--    %9:vec3<u32> = min %8, %7
--    %10:u32 = textureNumLevels %5
--    %11:u32 = sub %10, 1u
--    %12:u32 = convert %level
--    %13:u32 = min %12, %11
--    %14:vec4<f32> = textureLoad %5, %9, %13
-+    %6:u32 = textureNumLevels %5
-+    %7:u32 = sub %6, 1u
-+    %8:u32 = convert %level
-+    %9:u32 = min %8, %7
-+    %10:vec3<u32> = textureDimensions %5, %9
-+    %11:vec3<u32> = sub %10, vec3<u32>(1u)
-+    %12:vec3<u32> = convert %coords
-+    %13:vec3<u32> = min %12, %11
-+    %14:vec4<f32> = textureLoad %5, %13, %9
-     ret %14
-   }
- }
- %load_unsigned = func(%coords_1:vec3<u32>, %level_1:u32):vec4<f32> {  # %coords_1: 'coords', %level_1: 'level'
-   $B3: {
-     %18:texture_3d<f32> = load %texture
--    %19:vec3<u32> = textureDimensions %18
--    %20:vec3<u32> = sub %19, vec3<u32>(1u)
--    %21:vec3<u32> = min %coords_1, %20
--    %22:u32 = textureNumLevels %18
--    %23:u32 = sub %22, 1u
--    %24:u32 = min %level_1, %23
--    %25:vec4<f32> = textureLoad %18, %21, %24
-+    %19:u32 = textureNumLevels %18
-+    %20:u32 = sub %19, 1u
-+    %21:u32 = min %level_1, %20
-+    %22:vec3<u32> = textureDimensions %18, %21
-+    %23:vec3<u32> = sub %22, vec3<u32>(1u)
-+    %24:vec3<u32> = min %coords_1, %23
-+    %25:vec4<f32> = textureLoad %18, %24, %21
-     ret %25
-   }
- }
-@@ -2589,28 +2589,28 @@ $B1: {  # root
- %load_signed = func(%coords:vec2<i32>, %level:i32):f32 {
-   $B2: {
-     %5:texture_depth_2d = load %texture
--    %6:vec2<u32> = textureDimensions %5
--    %7:vec2<u32> = sub %6, vec2<u32>(1u)
--    %8:vec2<u32> = convert %coords
--    %9:vec2<u32> = min %8, %7
--    %10:u32 = textureNumLevels %5
--    %11:u32 = sub %10, 1u
--    %12:u32 = convert %level
--    %13:u32 = min %12, %11
--    %14:f32 = textureLoad %5, %9, %13
-+    %6:u32 = textureNumLevels %5
-+    %7:u32 = sub %6, 1u
-+    %8:u32 = convert %level
-+    %9:u32 = min %8, %7
-+    %10:vec2<u32> = textureDimensions %5, %9
-+    %11:vec2<u32> = sub %10, vec2<u32>(1u)
-+    %12:vec2<u32> = convert %coords
-+    %13:vec2<u32> = min %12, %11
-+    %14:f32 = textureLoad %5, %13, %9
-     ret %14
-   }
- }
- %load_unsigned = func(%coords_1:vec2<u32>, %level_1:u32):f32 {  # %coords_1: 'coords', %level_1: 'level'
-   $B3: {
-     %18:texture_depth_2d = load %texture
--    %19:vec2<u32> = textureDimensions %18
--    %20:vec2<u32> = sub %19, vec2<u32>(1u)
--    %21:vec2<u32> = min %coords_1, %20
--    %22:u32 = textureNumLevels %18
--    %23:u32 = sub %22, 1u
--    %24:u32 = min %level_1, %23
--    %25:f32 = textureLoad %18, %21, %24
-+    %19:u32 = textureNumLevels %18
-+    %20:u32 = sub %19, 1u
-+    %21:u32 = min %level_1, %20
-+    %22:vec2<u32> = textureDimensions %18, %21
-+    %23:vec2<u32> = sub %22, vec2<u32>(1u)
-+    %24:vec2<u32> = min %coords_1, %23
-+    %25:f32 = textureLoad %18, %24, %21
-     ret %25
-   }
- }
-@@ -2688,35 +2688,35 @@ $B1: {  # root
- %load_signed = func(%coords:vec2<i32>, %layer:i32, %level:i32):f32 {
-   $B2: {
-     %6:texture_depth_2d_array = load %texture
--    %7:vec2<u32> = textureDimensions %6
--    %8:vec2<u32> = sub %7, vec2<u32>(1u)
--    %9:vec2<u32> = convert %coords
--    %10:vec2<u32> = min %9, %8
--    %11:u32 = textureNumLayers %6
-+    %7:u32 = textureNumLayers %6
-+    %8:u32 = sub %7, 1u
-+    %9:u32 = convert %layer
-+    %10:u32 = min %9, %8
-+    %11:u32 = textureNumLevels %6
-     %12:u32 = sub %11, 1u
--    %13:u32 = convert %layer
-+    %13:u32 = convert %level
-     %14:u32 = min %13, %12
--    %15:u32 = textureNumLevels %6
--    %16:u32 = sub %15, 1u
--    %17:u32 = convert %level
--    %18:u32 = min %17, %16
--    %19:f32 = textureLoad %6, %10, %14, %18
-+    %15:vec2<u32> = textureDimensions %6, %14
-+    %16:vec2<u32> = sub %15, vec2<u32>(1u)
-+    %17:vec2<u32> = convert %coords
-+    %18:vec2<u32> = min %17, %16
-+    %19:f32 = textureLoad %6, %18, %10, %14
-     ret %19
-   }
- }
- %load_unsigned = func(%coords_1:vec2<u32>, %layer_1:u32, %level_1:u32):f32 {  # %coords_1: 'coords', %layer_1: 'layer', %level_1: 'level'
-   $B3: {
-     %24:texture_depth_2d_array = load %texture
--    %25:vec2<u32> = textureDimensions %24
--    %26:vec2<u32> = sub %25, vec2<u32>(1u)
--    %27:vec2<u32> = min %coords_1, %26
--    %28:u32 = textureNumLayers %24
-+    %25:u32 = textureNumLayers %24
-+    %26:u32 = sub %25, 1u
-+    %27:u32 = min %layer_1, %26
-+    %28:u32 = textureNumLevels %24
-     %29:u32 = sub %28, 1u
--    %30:u32 = min %layer_1, %29
--    %31:u32 = textureNumLevels %24
--    %32:u32 = sub %31, 1u
--    %33:u32 = min %level_1, %32
--    %34:f32 = textureLoad %24, %27, %30, %33
-+    %30:u32 = min %level_1, %29
-+    %31:vec2<u32> = textureDimensions %24, %30
-+    %32:vec2<u32> = sub %31, vec2<u32>(1u)
-+    %33:vec2<u32> = min %coords_1, %32
-+    %34:f32 = textureLoad %24, %33, %27, %30
-     ret %34
-   }
- }
-@@ -3148,28 +3148,28 @@ $B1: {  # root
- %load_signed = func(%coords:vec2<i32>, %layer:i32):vec4<f32> {
-   $B2: {
-     %5:texture_storage_2d_array<rgba8unorm, read_write> = load %texture
--    %6:vec2<u32> = textureDimensions %5
--    %7:vec2<u32> = sub %6, vec2<u32>(1u)
--    %8:vec2<u32> = convert %coords
--    %9:vec2<u32> = min %8, %7
--    %10:u32 = textureNumLayers %5
--    %11:u32 = sub %10, 1u
--    %12:u32 = convert %layer
--    %13:u32 = min %12, %11
--    %14:vec4<f32> = textureLoad %5, %9, %13
-+    %6:u32 = textureNumLayers %5
-+    %7:u32 = sub %6, 1u
-+    %8:u32 = convert %layer
-+    %9:u32 = min %8, %7
-+    %10:vec2<u32> = textureDimensions %5
-+    %11:vec2<u32> = sub %10, vec2<u32>(1u)
-+    %12:vec2<u32> = convert %coords
-+    %13:vec2<u32> = min %12, %11
-+    %14:vec4<f32> = textureLoad %5, %13, %9
-     ret %14
-   }
- }
- %load_unsigned = func(%coords_1:vec2<u32>, %layer_1:u32):vec4<f32> {  # %coords_1: 'coords', %layer_1: 'layer'
-   $B3: {
-     %18:texture_storage_2d_array<rgba8unorm, read_write> = load %texture
--    %19:vec2<u32> = textureDimensions %18
--    %20:vec2<u32> = sub %19, vec2<u32>(1u)
--    %21:vec2<u32> = min %coords_1, %20
--    %22:u32 = textureNumLayers %18
--    %23:u32 = sub %22, 1u
--    %24:u32 = min %layer_1, %23
--    %25:vec4<f32> = textureLoad %18, %21, %24
-+    %19:u32 = textureNumLayers %18
-+    %20:u32 = sub %19, 1u
-+    %21:u32 = min %layer_1, %20
-+    %22:vec2<u32> = textureDimensions %18
-+    %23:vec2<u32> = sub %22, vec2<u32>(1u)
-+    %24:vec2<u32> = min %coords_1, %23
-+    %25:vec4<f32> = textureLoad %18, %24, %21
-     ret %25
-   }
- }
-diff --git a/src/tint/lang/spirv/writer/texture_builtin_test.cc b/src/tint/lang/spirv/writer/texture_builtin_test.cc
-index 773dd2f34fb20fb4e32bced1d454410f587909bf..293f44f17705118886b9e1eada589d46cf1afd6d 100644
---- a/src/tint/lang/spirv/writer/texture_builtin_test.cc
-+++ b/src/tint/lang/spirv/writer/texture_builtin_test.cc
-@@ -1998,14 +1998,14 @@ TEST_F(SpirvWriterTest, TextureLoad_WithRobustness) {
- 
-     ASSERT_TRUE(Generate()) << Error() << output_;
-     EXPECT_INST(R"(
--         %13 = OpImageQuerySizeLod %v2uint %texture %uint_0
--         %15 = OpISub %v2uint %13 %16
--         %18 = OpExtInst %v2uint %19 UMin %coords %15
--         %20 = OpImageQueryLevels %uint %texture
--         %21 = OpISub %uint %20 %uint_1
--         %22 = OpBitcast %uint %level
--         %23 = OpExtInst %uint %19 UMin %22 %21
--     %result = OpImageFetch %v4float %texture %18 Lod %23
-+         %13 = OpImageQueryLevels %uint %texture
-+         %14 = OpISub %uint %13 %uint_1
-+         %16 = OpBitcast %uint %level
-+         %17 = OpExtInst %uint %18 UMin %16 %14
-+         %19 = OpImageQuerySizeLod %v2uint %texture %17
-+         %20 = OpISub %v2uint %19 %21
-+         %22 = OpExtInst %v2uint %18 UMin %coords %20
-+     %result = OpImageFetch %v4float %texture %22 Lod %17
- )");
- }
- 
-diff --git a/test/tint/bug/chromium/378541479.wgsl b/test/tint/bug/chromium/378541479.wgsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..8badf526405196915d0575f3ea08d4848f65a27a
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl
-@@ -0,0 +1,10 @@
-+// flags: --transform robustness
-+
-+@group(0) @binding(0) var<uniform> level : u32;
-+@group(0) @binding(1) var<uniform> coords : vec2<u32>;
-+@group(0) @binding(2) var tex: texture_depth_2d;
-+
-+@compute @workgroup_size(1)
-+fn compute_main() {
-+  var res: f32 = textureLoad(tex, coords, level);
-+}
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.dxc.hlsl b/test/tint/bug/chromium/378541479.wgsl.expected.dxc.hlsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..6ceba9a82be1ab9cf41228c22cf93df0a4350ba0
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.dxc.hlsl
-@@ -0,0 +1,13 @@
-+cbuffer cbuffer_level : register(b0) {
-+  uint4 level[1];
-+};
-+cbuffer cbuffer_coords : register(b1) {
-+  uint4 coords[1];
-+};
-+Texture2D tex : register(t2);
-+
-+[numthreads(1, 1, 1)]
-+void compute_main() {
-+  float res = tex.Load(uint3(coords[0].xy, level[0].x)).x;
-+  return;
-+}
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.fxc.hlsl b/test/tint/bug/chromium/378541479.wgsl.expected.fxc.hlsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..6ceba9a82be1ab9cf41228c22cf93df0a4350ba0
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.fxc.hlsl
-@@ -0,0 +1,13 @@
-+cbuffer cbuffer_level : register(b0) {
-+  uint4 level[1];
-+};
-+cbuffer cbuffer_coords : register(b1) {
-+  uint4 coords[1];
-+};
-+Texture2D tex : register(t2);
-+
-+[numthreads(1, 1, 1)]
-+void compute_main() {
-+  float res = tex.Load(uint3(coords[0].xy, level[0].x)).x;
-+  return;
-+}
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.glsl b/test/tint/bug/chromium/378541479.wgsl.expected.glsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..bb0ee27a7ae0168c30efb22dc787a20658a1a315
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.glsl
-@@ -0,0 +1,27 @@
-+#version 310 es
-+
-+
-+struct TintTextureUniformData {
-+  uint tint_builtin_value_0;
-+};
-+
-+layout(binding = 0, std140)
-+uniform level_block_1_ubo {
-+  uint inner;
-+} v;
-+layout(binding = 1, std140)
-+uniform coords_block_1_ubo {
-+  uvec2 inner;
-+} v_1;
-+layout(binding = 0, std140)
-+uniform tint_symbol_1_ubo {
-+  TintTextureUniformData inner;
-+} v_2;
-+uniform highp sampler2D tex;
-+layout(local_size_x = 1, local_size_y = 1, local_size_z = 1) in;
-+void main() {
-+  uvec2 v_3 = v_1.inner;
-+  uint v_4 = min(v.inner, (v_2.inner.tint_builtin_value_0 - 1u));
-+  ivec2 v_5 = ivec2(min(v_3, (uvec2(textureSize(tex, int(v_4))) - uvec2(1u))));
-+  float res = texelFetch(tex, v_5, int(v_4)).x;
-+}
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.ir.dxc.hlsl b/test/tint/bug/chromium/378541479.wgsl.expected.ir.dxc.hlsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..b53ce0e96375575c83a5b6e9c0d3fd85639ed49e
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.ir.dxc.hlsl
-@@ -0,0 +1,22 @@
-+
-+cbuffer cbuffer_level : register(b0) {
-+  uint4 level[1];
-+};
-+cbuffer cbuffer_coords : register(b1) {
-+  uint4 coords[1];
-+};
-+Texture2D tex : register(t2);
-+[numthreads(1, 1, 1)]
-+void compute_main() {
-+  Texture2D v = tex;
-+  uint2 v_1 = coords[0u].xy;
-+  uint v_2 = level[0u].x;
-+  uint3 v_3 = (0u).xxx;
-+  v.GetDimensions(0u, v_3[0u], v_3[1u], v_3[2u]);
-+  uint v_4 = min(v_2, (v_3.z - 1u));
-+  uint3 v_5 = (0u).xxx;
-+  v.GetDimensions(uint(v_4), v_5[0u], v_5[1u], v_5[2u]);
-+  int2 v_6 = int2(min(v_1, (v_5.xy - (1u).xx)));
-+  float res = v.Load(int3(v_6, int(v_4))).x;
-+}
-+
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.ir.fxc.hlsl b/test/tint/bug/chromium/378541479.wgsl.expected.ir.fxc.hlsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..b53ce0e96375575c83a5b6e9c0d3fd85639ed49e
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.ir.fxc.hlsl
-@@ -0,0 +1,22 @@
-+
-+cbuffer cbuffer_level : register(b0) {
-+  uint4 level[1];
-+};
-+cbuffer cbuffer_coords : register(b1) {
-+  uint4 coords[1];
-+};
-+Texture2D tex : register(t2);
-+[numthreads(1, 1, 1)]
-+void compute_main() {
-+  Texture2D v = tex;
-+  uint2 v_1 = coords[0u].xy;
-+  uint v_2 = level[0u].x;
-+  uint3 v_3 = (0u).xxx;
-+  v.GetDimensions(0u, v_3[0u], v_3[1u], v_3[2u]);
-+  uint v_4 = min(v_2, (v_3.z - 1u));
-+  uint3 v_5 = (0u).xxx;
-+  v.GetDimensions(uint(v_4), v_5[0u], v_5[1u], v_5[2u]);
-+  int2 v_6 = int2(min(v_1, (v_5.xy - (1u).xx)));
-+  float res = v.Load(int3(v_6, int(v_4))).x;
-+}
-+
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.ir.msl b/test/tint/bug/chromium/378541479.wgsl.expected.ir.msl
-new file mode 100644
-index 0000000000000000000000000000000000000000..b1edc576c7891f4a58b7bd1af1bb8597d59a558a
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.ir.msl
-@@ -0,0 +1,17 @@
-+#include <metal_stdlib>
-+using namespace metal;
-+
-+struct tint_module_vars_struct {
-+  const constant uint* level;
-+  const constant uint2* coords;
-+  depth2d<float, access::sample> tex;
-+};
-+
-+kernel void compute_main(const constant uint* level [[buffer(1)]], const constant uint2* coords [[buffer(0)]], depth2d<float, access::sample> tex [[texture(0)]]) {
-+  tint_module_vars_struct const tint_module_vars = tint_module_vars_struct{.level=level, .coords=coords, .tex=tex};
-+  uint2 const v = (*tint_module_vars.coords);
-+  uint const v_1 = (*tint_module_vars.level);
-+  uint const v_2 = min(v_1, (tint_module_vars.tex.get_num_mip_levels() - 1u));
-+  uint const v_3 = tint_module_vars.tex.get_width(v_2);
-+  float res = tint_module_vars.tex.read(min(v, (uint2(v_3, tint_module_vars.tex.get_height(v_2)) - uint2(1u))), v_2);
-+}
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.msl b/test/tint/bug/chromium/378541479.wgsl.expected.msl
-new file mode 100644
-index 0000000000000000000000000000000000000000..0ac2d2a5f299070a369eee1fd6e0ff4a02cf1bde
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.msl
-@@ -0,0 +1,9 @@
-+#include <metal_stdlib>
-+
-+using namespace metal;
-+kernel void compute_main(const constant uint* tint_symbol [[buffer(1)]], depth2d<float, access::sample> tint_symbol_1 [[texture(0)]], const constant uint2* tint_symbol_2 [[buffer(0)]]) {
-+  uint const level_idx = min(uint(*(tint_symbol)), (tint_symbol_1.get_num_mip_levels() - 1u));
-+  float res = tint_symbol_1.read(uint2(min(*(tint_symbol_2), (uint2(tint_symbol_1.get_width(level_idx), tint_symbol_1.get_height(level_idx)) - uint2(1u)))), level_idx);
-+  return;
-+}
-+
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.spvasm b/test/tint/bug/chromium/378541479.wgsl.expected.spvasm
-new file mode 100644
-index 0000000000000000000000000000000000000000..b8a3b11612016e7575c948bb6d83902ad6357cc9
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.spvasm
-@@ -0,0 +1,70 @@
-+; SPIR-V
-+; Version: 1.3
-+; Generator: Google Tint Compiler; 1
-+; Bound: 39
-+; Schema: 0
-+               OpCapability Shader
-+               OpCapability ImageQuery
-+         %29 = OpExtInstImport "GLSL.std.450"
-+               OpMemoryModel Logical GLSL450
-+               OpEntryPoint GLCompute %compute_main "compute_main"
-+               OpExecutionMode %compute_main LocalSize 1 1 1
-+               OpMemberName %level_block 0 "inner"
-+               OpName %level_block "level_block"
-+               OpMemberName %coords_block 0 "inner"
-+               OpName %coords_block "coords_block"
-+               OpName %tex "tex"
-+               OpName %compute_main "compute_main"
-+               OpName %res "res"
-+               OpMemberDecorate %level_block 0 Offset 0
-+               OpDecorate %level_block Block
-+               OpDecorate %1 DescriptorSet 0
-+               OpDecorate %1 Binding 0
-+               OpDecorate %1 NonWritable
-+               OpMemberDecorate %coords_block 0 Offset 0
-+               OpDecorate %coords_block Block
-+               OpDecorate %5 DescriptorSet 0
-+               OpDecorate %5 Binding 1
-+               OpDecorate %5 NonWritable
-+               OpDecorate %tex DescriptorSet 0
-+               OpDecorate %tex Binding 2
-+       %uint = OpTypeInt 32 0
-+%level_block = OpTypeStruct %uint
-+%_ptr_Uniform_level_block = OpTypePointer Uniform %level_block
-+          %1 = OpVariable %_ptr_Uniform_level_block Uniform
-+     %v2uint = OpTypeVector %uint 2
-+%coords_block = OpTypeStruct %v2uint
-+%_ptr_Uniform_coords_block = OpTypePointer Uniform %coords_block
-+          %5 = OpVariable %_ptr_Uniform_coords_block Uniform
-+      %float = OpTypeFloat 32
-+         %11 = OpTypeImage %float 2D 0 0 0 1 Unknown
-+%_ptr_UniformConstant_11 = OpTypePointer UniformConstant %11
-+        %tex = OpVariable %_ptr_UniformConstant_11 UniformConstant
-+       %void = OpTypeVoid
-+         %15 = OpTypeFunction %void
-+%_ptr_Uniform_v2uint = OpTypePointer Uniform %v2uint
-+     %uint_0 = OpConstant %uint 0
-+%_ptr_Uniform_uint = OpTypePointer Uniform %uint
-+     %uint_1 = OpConstant %uint 1
-+         %32 = OpConstantComposite %v2uint %uint_1 %uint_1
-+    %v4float = OpTypeVector %float 4
-+%_ptr_Function_float = OpTypePointer Function %float
-+%compute_main = OpFunction %void None %15
-+         %16 = OpLabel
-+        %res = OpVariable %_ptr_Function_float Function
-+         %17 = OpLoad %11 %tex None
-+         %18 = OpAccessChain %_ptr_Uniform_v2uint %5 %uint_0
-+         %21 = OpLoad %v2uint %18 None
-+         %22 = OpAccessChain %_ptr_Uniform_uint %1 %uint_0
-+         %24 = OpLoad %uint %22 None
-+         %25 = OpImageQueryLevels %uint %17
-+         %26 = OpISub %uint %25 %uint_1
-+         %28 = OpExtInst %uint %29 UMin %24 %26
-+         %30 = OpImageQuerySizeLod %v2uint %17 %28
-+         %31 = OpISub %v2uint %30 %32
-+         %33 = OpExtInst %v2uint %29 UMin %21 %31
-+         %34 = OpImageFetch %v4float %17 %33 Lod %28
-+         %36 = OpCompositeExtract %float %34 0
-+               OpStore %res %36
-+               OpReturn
-+               OpFunctionEnd
-diff --git a/test/tint/bug/chromium/378541479.wgsl.expected.wgsl b/test/tint/bug/chromium/378541479.wgsl.expected.wgsl
-new file mode 100644
-index 0000000000000000000000000000000000000000..705ce781e50f7668bd3c559562f12f5d0aaa66d4
---- /dev/null
-+++ b/test/tint/bug/chromium/378541479.wgsl.expected.wgsl
-@@ -0,0 +1,10 @@
-+@group(0) @binding(0) var<uniform> level : u32;
-+
-+@group(0) @binding(1) var<uniform> coords : vec2<u32>;
-+
-+@group(0) @binding(2) var tex : texture_depth_2d;
-+
-+@compute @workgroup_size(1)
-+fn compute_main() {
-+  var res : f32 = textureLoad(tex, coords, level);
-+}

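--- a/patches/dawn/msl_use_packed_vec3_for_workgroup_storage.patch
+++ b/patches/dawn/msl_use_packed_vec3_for_workgroup_storage.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: James Price <[email protected]>
 Date: Wed, 20 Nov 2024 22:41:04 +0000
-Subject: [msl] Use packed_vec3 for workgroup storage
+Subject: Use packed_vec3 for workgroup storage
 
 This makes sure that the threadgroup allocation sizes that Tint
 reflects to Dawn match the sizes of the types used in the generated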

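--- a/patches/dawn/tint_validate_layout_constraints_for_all_address_spaces.patch
+++ b/patches/dawn/tint_validate_layout_constraints_for_all_address_spaces.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: James Price <[email protected]>
 Date: Wed, 20 Nov 2024 19:06:01 +0000
-Subject: [tint] Validate layout constraints for all address spaces
+Subject: Validate layout constraints for all address spaces
 
 The WGSL spec has a non-normative note that the layout constraints
 should be validated for all non-host-shareable address spaces, using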

+ 0 - 217
patches/dawn/tint_validate_that_align_is_large_enough.patch

@@ -1,217 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: James Price <[email protected]>
-Date: Mon, 28 Oct 2024 16:57:46 +0000
-Subject: Validate that `@align()` is large enough
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Make sure that `n = k × RequiredAlignOf(T,C)` as per the spec, when
-`@align(n)` is applied to the member of a structure that is used in a
-host-shareable address space.
-
-Suppress some CTS tests until they are updated upstream.
-
-Fixed: 375123371
-Include-Ci-Only-Tests: true
-Change-Id: I3240b9ab0a42986e918a1c6a86268844861b9fed
-Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/212315
-Commit-Queue: James Price <[email protected]>
-Reviewed-by: dan sinclair <[email protected]>
-(cherry picked from commit ed15f8542825f25131c5a186e7de3737d49d327e)
-Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/212714
-Reviewed-by: Corentin Wallez <[email protected]>
-Auto-Submit: James Price <[email protected]>
-Commit-Queue: Alan Baker <[email protected]>
-Reviewed-by: Alan Baker <[email protected]>
-
-diff --git a/src/tint/lang/wgsl/resolver/address_space_layout_validation_test.cc b/src/tint/lang/wgsl/resolver/address_space_layout_validation_test.cc
-index 96b1340db2ba115755bff5ce58c6948c7f75aadb..f1e14a36a3cdea07f5fc7735c3d9483515d754f1 100644
---- a/src/tint/lang/wgsl/resolver/address_space_layout_validation_test.cc
-+++ b/src/tint/lang/wgsl/resolver/address_space_layout_validation_test.cc
-@@ -216,7 +216,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, UniformBuffer_UnalignedMember_A
- // multiple of 16 bytes
- TEST_F(ResolverAddressSpaceLayoutValidationTest, UniformBuffer_MembersOffsetNotMultipleOf16) {
-     // struct Inner {
--    //   @align(1) @size(5) scalar : i32;
-+    //   @align(4) @size(5) scalar : i32;
-     // };
-     //
-     // struct Outer {
-@@ -229,7 +229,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, UniformBuffer_MembersOffsetNotM
- 
-     Structure(Ident(Source{{12, 34}}, "Inner"),
-               Vector{
--                  Member("scalar", ty.i32(), Vector{MemberAlign(1_i), MemberSize(5_a)}),
-+                  Member("scalar", ty.i32(), Vector{MemberAlign(4_i), MemberSize(5_a)}),
-               });
- 
-     Structure(Source{{34, 56}}, "Outer",
-@@ -247,13 +247,13 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, UniformBuffer_MembersOffsetNotM
-         R"(78:90 error: 'uniform' storage requires that the number of bytes between the start of the previous member of type struct and the current member be a multiple of 16 bytes, but there are currently 8 bytes between 'inner' and 'scalar'. Consider setting '@align(16)' on this member
- note: see layout of struct:
- /*            align(4) size(12) */ struct Outer {
--/* offset( 0) align(1) size( 5) */   inner : Inner,
--/* offset( 5) align(1) size( 3) */   // -- implicit field alignment padding --
-+/* offset( 0) align(4) size( 8) */   inner : Inner,
- /* offset( 8) align(4) size( 4) */   scalar : i32,
- /*                              */ };
- 12:34 note: and layout of previous member struct:
--/*           align(1) size(5) */ struct Inner {
--/* offset(0) align(1) size(5) */   scalar : i32,
-+/*           align(4) size(8) */ struct Inner {
-+/* offset(0) align(4) size(5) */   scalar : i32,
-+/* offset(5) align(1) size(3) */   // -- implicit struct size padding --
- /*                            */ };
- 22:24 note: 'Outer' used in address space 'uniform' here)");
- }
-@@ -265,7 +265,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest,
-     //   a : i32;
-     //   b : i32;
-     //   c : i32;
--    //   @align(1) @size(5) scalar : i32;
-+    //   @align(4) @size(5) scalar : i32;
-     // };
-     //
-     // struct Outer {
-@@ -281,7 +281,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest,
-                   Member("a", ty.i32()),
-                   Member("b", ty.i32()),
-                   Member("c", ty.i32()),
--                  Member("scalar", ty.i32(), Vector{MemberAlign(1_i), MemberSize(5_a)}),
-+                  Member("scalar", ty.i32(), Vector{MemberAlign(4_i), MemberSize(5_a)}),
-               });
- 
-     Structure(Source{{34, 56}}, "Outer",
-@@ -307,7 +307,7 @@ note: see layout of struct:
- /* offset( 0) align(4) size( 4) */   a : i32,
- /* offset( 4) align(4) size( 4) */   b : i32,
- /* offset( 8) align(4) size( 4) */   c : i32,
--/* offset(12) align(1) size( 5) */   scalar : i32,
-+/* offset(12) align(4) size( 5) */   scalar : i32,
- /* offset(17) align(1) size( 3) */   // -- implicit struct size padding --
- /*                              */ };
- 22:24 note: 'Outer' used in address space 'uniform' here)");
-@@ -316,7 +316,7 @@ note: see layout of struct:
- TEST_F(ResolverAddressSpaceLayoutValidationTest,
-        UniformBuffer_MembersOffsetNotMultipleOf16_SuggestedFix) {
-     // struct Inner {
--    //   @align(1) @size(5) scalar : i32;
-+    //   @align(4) @size(5) scalar : i32;
-     // };
-     //
-     // struct Outer {
-@@ -328,7 +328,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest,
-     // var<uniform> a : Outer;
- 
-     Structure("Inner", Vector{
--                           Member("scalar", ty.i32(), Vector{MemberAlign(1_i), MemberSize(5_a)}),
-+                           Member("scalar", ty.i32(), Vector{MemberAlign(4_i), MemberSize(5_a)}),
-                        });
- 
-     Structure("Outer", Vector{
-@@ -659,7 +659,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, RelaxedUniformLayout_MemberOffs
-     // enable chromium_internal_relaxed_uniform_layout;
-     //
-     // struct Inner {
--    //   @align(1) @size(5) scalar : i32;
-+    //   @align(4) @size(5) scalar : i32;
-     // };
-     //
-     // struct Outer {
-@@ -673,7 +673,7 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, RelaxedUniformLayout_MemberOffs
-     Enable(wgsl::Extension::kChromiumInternalRelaxedUniformLayout);
- 
-     Structure("Inner", Vector{
--                           Member("scalar", ty.i32(), Vector{MemberAlign(1_i), MemberSize(5_a)}),
-+                           Member("scalar", ty.i32(), Vector{MemberAlign(4_i), MemberSize(5_a)}),
-                        });
- 
-     Structure("Outer", Vector{
-@@ -730,5 +730,29 @@ TEST_F(ResolverAddressSpaceLayoutValidationTest, RelaxedUniformLayout_ArrayStrid
-     EXPECT_TRUE(r()->Resolve()) << r()->error();
- }
- 
-+TEST_F(ResolverAddressSpaceLayoutValidationTest, AlignAttributeTooSmall) {
-+    // struct S {
-+    //   @align(4) vector : vec4u;
-+    //   scalar : u32;
-+    // };
-+    //
-+    // @group(0) @binding(0)
-+    // var<storage, read_write> a : array<S>;
-+    Structure(
-+        "S", Vector{
-+                 Member("vector", ty.vec4<u32>(), Vector{MemberAlign(Expr(Source{{12, 34}}, 4_a))}),
-+                 Member("scalar", ty.u32()),
-+             });
-+
-+    GlobalVar(Source{{56, 78}}, "a", ty("S"), core::AddressSpace::kStorage,
-+              core::Access::kReadWrite, Group(0_a), Binding(0_a));
-+
-+    ASSERT_FALSE(r()->Resolve());
-+    EXPECT_EQ(
-+        r()->error(),
-+        R"(12:34 error: alignment must be a multiple of '16' bytes for the 'storage' address space
-+56:78 note: 'S' used in address space 'storage' here)");
-+}
-+
- }  // namespace
- }  // namespace tint::resolver
-diff --git a/src/tint/lang/wgsl/resolver/validator.cc b/src/tint/lang/wgsl/resolver/validator.cc
-index 155aaf11379909d24e98e96c96cb49f226233b8c..0d62d474780542a79a67698375319b6ab7c4560d 100644
---- a/src/tint/lang/wgsl/resolver/validator.cc
-+++ b/src/tint/lang/wgsl/resolver/validator.cc
-@@ -583,6 +583,22 @@ bool Validator::AddressSpaceLayout(const core::type::Type* store_ty,
-                     return false;
-                 }
-             }
-+
-+            // If an alignment was explicitly specified, we need to validate that it satisfies the
-+            // alignment requirement of the address space.
-+            auto* align_attr =
-+                ast::GetAttribute<ast::StructMemberAlignAttribute>(m->Declaration()->attributes);
-+            if (align_attr && !enabled_extensions_.Contains(
-+                                  wgsl::Extension::kChromiumInternalRelaxedUniformLayout)) {
-+                auto align = sem_.GetVal(align_attr->expr)->ConstantValue()->ValueAs<uint32_t>();
-+                if (align % required_align != 0) {
-+                    AddError(align_attr->expr->source)
-+                        << "alignment must be a multiple of " << style::Literal(required_align)
-+                        << " bytes for the " << style::Enum(address_space) << " address space";
-+                    note_usage();
-+                    return false;
-+                }
-+            }
-         }
-     }
- 
-diff --git a/webgpu-cts/compat-expectations.txt b/webgpu-cts/compat-expectations.txt
-index a04b759f3ed62a9c759a791a8e8d62f5db958e2d..834024d0b5e15fa954794495f4d571f64d679200 100644
---- a/webgpu-cts/compat-expectations.txt
-+++ b/webgpu-cts/compat-expectations.txt
-@@ -173,6 +173,10 @@ crbug.com/dawn/2086 webgpu:api,operation,adapter,requestAdapter:requestAdapter:p
- crbug.com/dawn/2086 webgpu:web_platform,canvas,configure:usage:* [ Failure ]
- crbug.com/dawn/2086 webgpu:web_platform,canvas,configure:viewFormats:* [ Failure ]
- 
-+# Failures due to change in `@align()` validation.
-+crbug.com/375467276 webgpu:shader,execution,expression,access,structure,index:buffer_align:* [ Failure ]
-+crbug.com/375467276 webgpu:shader,validation,shader_io,align:* [ Failure ]
-+
- ### This section represents things that will require Compat validation
- ### These tests will never pass, but should be skipped in CTS once Compat
- ### validation has been added
-diff --git a/webgpu-cts/expectations.txt b/webgpu-cts/expectations.txt
-index aa5b9a871b53ecfc9f73330dfc4b0a50c1c51518..069a5eabb86a0ccebedda313a125c560d2d2ba7b 100644
---- a/webgpu-cts/expectations.txt
-+++ b/webgpu-cts/expectations.txt
-@@ -1503,6 +1503,10 @@ crbug.com/dawn/0000 [ win10 ] webgpu:shader,execution,expression,constructor,non
- crbug.com/dawn/0000 [ win10 ] webgpu:shader,execution,expression,constructor,non_zero:abstract_vector_elements:abstract_type="abstract-int";concrete_type="u32";width=3 [ Failure ]
- crbug.com/dawn/0000 [ win10 ] webgpu:shader,execution,expression,constructor,non_zero:abstract_vector_elements:abstract_type="abstract-int";concrete_type="u32";width=4 [ Failure ]
- 
-+# Failures due to change in `@align()` validation.
-+crbug.com/375467276 webgpu:shader,execution,expression,access,structure,index:buffer_align:* [ Failure ]
-+crbug.com/375467276 webgpu:shader,validation,shader_io,align:* [ Failure ]
-+
- ################################################################################
- # New flakes. Please triage:
- ################################################################################

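--- a/patches/skia/.patches
+++ b/patches/skia/.patches
@@ -1,6 +1 @@
 disallow_sksl_when_deserializing_drawables_in_custom_typefaces.patch
-m126-lts_sksl_rp_prevent_overflow_when_computing_slot_allocation.patch
-m126-lts_ganesh_avoid_int_overflow_when_combining_regionops.patch
-m126-lts_ganesh_fix_meshop_index_combination_logic.patch
-ganesh_avoid_int_overflow_in_patternhelper.patch
-m126-lts_ganesh_avoid_int_overflow_in_drawatlasopimpl.patch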

+ 0 - 158
patches/skia/ganesh_avoid_int_overflow_in_patternhelper.patch

@@ -1,158 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: James Godfrey-Kittle <[email protected]>
-Date: Wed, 28 Aug 2024 10:48:21 -0400
-Subject: [ganesh] Avoid int overflow in PatternHelper
-
-The callers of PatternHelper which are not updated here pass in a TArray
-size as repeatCount, which already prevents overflow:
-https://crsrc.org/c/third_party/skia/include/private/base/SkTArray.h?q=kMaxCapacity
-
-Bug: b/361461526
-Change-Id: I86c494cb00223f0bb8d68540d33d7230b60c9486
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/893916
-Reviewed-by: Brian Osman <[email protected]>
-Commit-Queue: James Godfrey-Kittle <[email protected]>
-(cherry picked from commit 07fcb9a00233cace0b6cc19ed4bcec6770e0315f)
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/896478
-
-diff --git a/src/gpu/ganesh/ops/DashOp.cpp b/src/gpu/ganesh/ops/DashOp.cpp
-index 6f12cc38aa36fb779375b187ea72138397adcf43..56303cd9e87d56973b00dd0c81b803e48a7d8479 100644
---- a/src/gpu/ganesh/ops/DashOp.cpp
-+++ b/src/gpu/ganesh/ops/DashOp.cpp
-@@ -8,6 +8,7 @@
- #include "src/gpu/ganesh/ops/DashOp.h"
- 
- #include "include/gpu/GrRecordingContext.h"
-+#include "src/base/SkSafeMath.h"
- #include "src/core/SkMatrixPriv.h"
- #include "src/core/SkPointPriv.h"
- #include "src/gpu/BufferWriter.h"
-@@ -354,6 +355,7 @@ private:
-         STArray<kNumStackDashes, SkRect, true> rects;
-         STArray<kNumStackDashes, DashDraw, true> draws;
- 
-+        SkSafeMath safeMath;
-         int totalRectCount = 0;
-         int rectOffset = 0;
-         rects.push_back_n(3 * instanceCount);
-@@ -520,9 +522,9 @@ private:
-                 devIntervals[0] = lineLength;
-             }
- 
--            totalRectCount += !lineDone ? 1 : 0;
--            totalRectCount += hasStartRect ? 1 : 0;
--            totalRectCount += hasEndRect ? 1 : 0;
-+            totalRectCount = safeMath.addInt(totalRectCount, !lineDone ? 1 : 0);
-+            totalRectCount = safeMath.addInt(totalRectCount, hasStartRect ? 1 : 0);
-+            totalRectCount = safeMath.addInt(totalRectCount, hasEndRect ? 1 : 0);
- 
-             if (SkPaint::kRound_Cap == cap && 0 != args.fSrcStrokeWidth) {
-                 // need to adjust this for round caps to correctly set the dashPos attrib on
-@@ -562,7 +564,7 @@ private:
-             draw.fHasEndRect = hasEndRect;
-         }
- 
--        if (!totalRectCount) {
-+        if (!totalRectCount || !safeMath) {
-             return;
-         }
- 
-diff --git a/src/gpu/ganesh/ops/DrawAtlasOp.cpp b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-index 065011699f755b3c87f6cf9a9b19e4d5d42e91df..a3d7e4ddabb1a29ec50b5e1aab88cabcf1445104 100644
---- a/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-+++ b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-@@ -10,6 +10,7 @@
- #include "include/core/SkRSXform.h"
- #include "include/gpu/GrRecordingContext.h"
- #include "src/base/SkRandom.h"
-+#include "src/base/SkSafeMath.h"
- #include "src/core/SkMatrixPriv.h"
- #include "src/core/SkRectPriv.h"
- #include "src/gpu/ganesh/GrCaps.h"
-@@ -280,8 +281,14 @@ GrOp::CombineResult DrawAtlasOpImpl::onCombineIfPossible(GrOp* t,
-         return CombineResult::kCannotCombine;
-     }
- 
-+    SkSafeMath safeMath;
-+    int newQuadCount = safeMath.addInt(fQuadCount, that->quadCount());
-+    if (!safeMath) {
-+        return CombineResult::kCannotCombine;
-+    }
-+
-     fGeoData.push_back_n(that->fGeoData.size(), that->fGeoData.begin());
--    fQuadCount += that->quadCount();
-+    fQuadCount = newQuadCount;
- 
-     return CombineResult::kMerged;
- }
-diff --git a/src/gpu/ganesh/ops/GrMeshDrawOp.cpp b/src/gpu/ganesh/ops/GrMeshDrawOp.cpp
-index 4fdf90b0381996609773e952674aad149b29b98d..5b885f0fd1cae6602d7f0982b91cc2a0af7a8b3b 100644
---- a/src/gpu/ganesh/ops/GrMeshDrawOp.cpp
-+++ b/src/gpu/ganesh/ops/GrMeshDrawOp.cpp
-@@ -7,6 +7,7 @@
- 
- #include "src/gpu/ganesh/ops/GrMeshDrawOp.h"
- 
-+#include "include/private/base/SkMath.h"
- #include "src/gpu/ganesh/GrOpFlushState.h"
- #include "src/gpu/ganesh/GrOpsRenderPass.h"
- #include "src/gpu/ganesh/GrRecordingContextPriv.h"
-@@ -81,6 +82,12 @@ void GrMeshDrawOp::PatternHelper::init(GrMeshDrawTarget* target, GrPrimitiveType
-     if (!indexBuffer) {
-         return;
-     }
-+
-+    // Bail out when we get overflow from really large draws.
-+    if (repeatCount < 0 || repeatCount > SK_MaxS32 / verticesPerRepetition) {
-+        return;
-+    }
-+
-     sk_sp<const GrBuffer> vertexBuffer;
-     int firstVertex;
-     int vertexCount = verticesPerRepetition * repeatCount;
-diff --git a/src/gpu/ganesh/ops/LatticeOp.cpp b/src/gpu/ganesh/ops/LatticeOp.cpp
-index d1ae7ad1fa8e06f5fd862867118bd7688ccf209b..ce9d08ac89ee801177fbf7d8fb1466dd68713915 100644
---- a/src/gpu/ganesh/ops/LatticeOp.cpp
-+++ b/src/gpu/ganesh/ops/LatticeOp.cpp
-@@ -9,6 +9,7 @@
- 
- #include "include/core/SkBitmap.h"
- #include "include/core/SkRect.h"
-+#include "src/base/SkSafeMath.h"
- #include "src/core/SkLatticeIter.h"
- #include "src/core/SkMatrixPriv.h"
- #include "src/gpu/BufferWriter.h"
-@@ -240,11 +241,13 @@ private:
- 
-         int patchCnt = fPatches.size();
-         int numRects = 0;
-+
-+        SkSafeMath safeMath;
-         for (int i = 0; i < patchCnt; i++) {
--            numRects += fPatches[i].fIter->numRectsToDraw();
-+            numRects = safeMath.addInt(numRects, fPatches[i].fIter->numRectsToDraw());
-         }
- 
--        if (!numRects) {
-+        if (!numRects || !safeMath) {
-             return;
-         }
- 
-diff --git a/src/gpu/ganesh/ops/RegionOp.cpp b/src/gpu/ganesh/ops/RegionOp.cpp
-index 58383775bc8bdd0e98125df01c538e03ef1ebc69..2ff9d648db32ad9b115c39c7321d3491fb13ae04 100644
---- a/src/gpu/ganesh/ops/RegionOp.cpp
-+++ b/src/gpu/ganesh/ops/RegionOp.cpp
-@@ -122,12 +122,8 @@ private:
-         for (int i = 0; i < numRegions; i++) {
-             numRects = safeMath.addInt(numRects, fRegions[i].fRegion.computeRegionComplexity());
-         }
--        if (!safeMath) {
--            // This is a nonsensical draw, so we can just drop it.
--            return;
--        }
- 
--        if (!numRects) {
-+        if (!numRects || !safeMath) {
-             return;
-         }
- 

+ 0 - 42
patches/skia/m126-lts_ganesh_avoid_int_overflow_in_drawatlasopimpl.patch

@@ -1,42 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: James Godfrey-Kittle <[email protected]>
-Date: Wed, 11 Sep 2024 16:18:40 -0400
-Subject: Avoid int overflow in DrawAtlasOpImpl
-
-Bug: b/365884464
-Change-Id: I4dc9f259165c88c1d7ae5dc38c6cae02ca18f509
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/898756
-Commit-Queue: James Godfrey-Kittle <[email protected]>
-Reviewed-by: Brian Osman <[email protected]>
-(cherry picked from commit 2b40b50ea423e11073b742b3bd785975a6019046)
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/901177
-Reviewed-by: Michael Ludwig <[email protected]>
-(cherry picked from commit dda581d538cb6532cda841444e7b4ceacde01ec9)
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/901496
-Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
-Reviewed-by: James Godfrey-Kittle <[email protected]>
-
-diff --git a/src/gpu/ganesh/ops/DrawAtlasOp.cpp b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-index 065011699f755b3c87f6cf9a9b19e4d5d42e91df..edf201a8bf9e26cda3e80e9c142bb777beb9549a 100644
---- a/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-+++ b/src/gpu/ganesh/ops/DrawAtlasOp.cpp
-@@ -111,6 +111,7 @@ DrawAtlasOpImpl::DrawAtlasOpImpl(GrProcessorSet* processorSet, const SkPMColor4f
-         : GrMeshDrawOp(ClassID()), fHelper(processorSet, aaType), fColor(color) {
-     SkASSERT(xforms);
-     SkASSERT(rects);
-+    SkASSERT(spriteCount >= 0);
- 
-     fViewMatrix = viewMatrix;
-     Geometry& installedGeo = fGeoData.push_back();
-@@ -126,6 +127,11 @@ DrawAtlasOpImpl::DrawAtlasOpImpl(GrProcessorSet* processorSet, const SkPMColor4f
-         vertexStride += sizeof(GrColor);
-     }
- 
-+    // Bail out if we'd overflow from a really large draw
-+    if (spriteCount > SK_MaxS32 / static_cast<int>(4 * vertexStride)) {
-+        return;
-+    }
-+
-     // Compute buffer size and alloc buffer
-     fQuadCount = spriteCount;
-     int allocSize = static_cast<int>(4 * vertexStride * spriteCount);

+ 0 - 44
patches/skia/m126-lts_ganesh_avoid_int_overflow_when_combining_regionops.patch

@@ -1,44 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: James Godfrey-Kittle <[email protected]>
-Date: Tue, 20 Aug 2024 14:35:00 -0400
-Subject: [M126-LTS][ganesh] Avoid int overflow when combining RegionOps
-
-M126 merge issues:
-  Conflicting includes
-
-Bug: b/360758697
-Change-Id: I46eb92ac6ed71646fb05a910f8d577ec851e3b3f
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/891636
-Commit-Queue: James Godfrey-Kittle <[email protected]>
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894463
-Commit-Queue: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Reviewed-by: James Godfrey-Kittle <[email protected]>
-
-diff --git a/src/gpu/ganesh/ops/RegionOp.cpp b/src/gpu/ganesh/ops/RegionOp.cpp
-index eb4975052aeef3ca1f1f9e2e078b44b44d951e9d..58383775bc8bdd0e98125df01c538e03ef1ebc69 100644
---- a/src/gpu/ganesh/ops/RegionOp.cpp
-+++ b/src/gpu/ganesh/ops/RegionOp.cpp
-@@ -8,6 +8,7 @@
- #include "src/gpu/ganesh/ops/RegionOp.h"
- 
- #include "include/core/SkRegion.h"
-+#include "src/base/SkSafeMath.h"
- #include "src/core/SkMatrixPriv.h"
- #include "src/gpu/BufferWriter.h"
- #include "src/gpu/ganesh/GrCaps.h"
-@@ -116,8 +117,14 @@ private:
- 
-         int numRegions = fRegions.size();
-         int numRects = 0;
-+
-+        SkSafeMath safeMath;
-         for (int i = 0; i < numRegions; i++) {
--            numRects += fRegions[i].fRegion.computeRegionComplexity();
-+            numRects = safeMath.addInt(numRects, fRegions[i].fRegion.computeRegionComplexity());
-+        }
-+        if (!safeMath) {
-+            // This is a nonsensical draw, so we can just drop it.
-+            return;
-         }
- 
-         if (!numRects) {

+ 0 - 33
patches/skia/m126-lts_ganesh_fix_meshop_index_combination_logic.patch

@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Michael Ludwig <[email protected]>
-Date: Mon, 19 Aug 2024 10:12:20 -0400
-Subject: [M126-LTS][ganesh] Fix MeshOp index combination logic
-
-Check total index count in onCombineIfPossible.
-
-Bug: b/360265320
-Change-Id: I02f04593b60dcd2470580110d0a555ed4bf47280
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/890322
-Commit-Queue: Michael Ludwig <[email protected]>
-(cherry picked from commit fdc8c2d593f7dc95b3a98216ec6a4ffa23489516)
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/894464
-Reviewed-by: Michael Ludwig <[email protected]>
-Commit-Queue: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-
-diff --git a/src/gpu/ganesh/ops/DrawMeshOp.cpp b/src/gpu/ganesh/ops/DrawMeshOp.cpp
-index ff5fb0aeffdd447eb581ba7199ee699a81527c07..5061feffd5102a8e72760d0f41b7510038bcac50 100644
---- a/src/gpu/ganesh/ops/DrawMeshOp.cpp
-+++ b/src/gpu/ganesh/ops/DrawMeshOp.cpp
-@@ -1179,7 +1179,11 @@ GrOp::CombineResult MeshOp::onCombineIfPossible(GrOp* t, SkArenaAlloc*, const Gr
-     if (SkToBool(fIndexCount) != SkToBool(that->fIndexCount)) {
-         return CombineResult::kCannotCombine;
-     }
--    if (SkToBool(fIndexCount) && fVertexCount > SkToInt(UINT16_MAX) - that->fVertexCount) {
-+    if (SkToBool(fIndexCount) &&
-+         // Index count would overflow
-+        (fIndexCount > INT32_MAX - that->fIndexCount ||
-+         // *or* combined vertex count would not be referenceable by uint16 indices
-+         fVertexCount > SkToInt(UINT16_MAX) - that->fVertexCount)) {
-         return CombineResult::kCannotCombine;
-     }
- 

+ 0 - 202
patches/skia/m126-lts_sksl_rp_prevent_overflow_when_computing_slot_allocation.patch

@@ -1,202 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Brian Osman <[email protected]>
-Date: Fri, 9 Aug 2024 14:50:21 -0400
-Subject: [M126-LTS][SkSL:RP] Prevent overflow when computing slot allocation
- size
-
-Bug: 355465305
-Change-Id: Ife25289f7b3489701c67b7dc5d30e473019a1193
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/888376
-Commit-Queue: Brian Osman <[email protected]>
-(cherry picked from commit d1b243ba90f0698ced6fadc460adb9d66c248946)
-Reviewed-on: https://skia-review.googlesource.com/c/skia/+/896658
-Commit-Queue: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Reviewed-by: Michael Ludwig <[email protected]>
-
-diff --git a/src/sksl/codegen/SkSLRasterPipelineBuilder.cpp b/src/sksl/codegen/SkSLRasterPipelineBuilder.cpp
-index e8c5c56fa27b633a2be95d1e878a0a2976ecafd8..fab86abd2889bc7397e09b7ef006a8a5c2485f5c 100644
---- a/src/sksl/codegen/SkSLRasterPipelineBuilder.cpp
-+++ b/src/sksl/codegen/SkSLRasterPipelineBuilder.cpp
-@@ -6,11 +6,15 @@
-  */
- 
- #include "src/sksl/codegen/SkSLRasterPipelineBuilder.h"
-+#include <cstdint>
-+#include <optional>
- 
- #include "include/core/SkStream.h"
- #include "include/private/base/SkMalloc.h"
-+#include "include/private/base/SkTFitsIn.h"
- #include "include/private/base/SkTo.h"
- #include "src/base/SkArenaAlloc.h"
-+#include "src/base/SkSafeMath.h"
- #include "src/core/SkOpts.h"
- #include "src/core/SkRasterPipelineContextUtils.h"
- #include "src/core/SkRasterPipelineOpContexts.h"
-@@ -1631,13 +1635,17 @@ static void* context_bit_pun(intptr_t val) {
-     return sk_bit_cast<void*>(val);
- }
- 
--Program::SlotData Program::allocateSlotData(SkArenaAlloc* alloc) const {
-+std::optional<Program::SlotData> Program::allocateSlotData(SkArenaAlloc* alloc) const {
-     // Allocate a contiguous slab of slot data for immutables, values, and stack entries.
-     const int N = SkOpts::raster_pipeline_highp_stride;
-     const int scalarWidth = 1 * sizeof(float);
-     const int vectorWidth = N * sizeof(float);
--    const int allocSize = vectorWidth * (fNumValueSlots + fNumTempStackSlots) +
--                          scalarWidth * fNumImmutableSlots;
-+    SkSafeMath safe;
-+    size_t allocSize = safe.add(safe.mul(vectorWidth, safe.add(fNumValueSlots, fNumTempStackSlots)),
-+                                safe.mul(scalarWidth, fNumImmutableSlots));
-+    if (!safe || !SkTFitsIn<int>(allocSize)) {
-+        return std::nullopt;
-+    }
-     float* slotPtr = static_cast<float*>(alloc->makeBytesAlignedTo(allocSize, vectorWidth));
-     sk_bzero(slotPtr, allocSize);
- 
-@@ -1658,8 +1666,11 @@ bool Program::appendStages(SkRasterPipeline* pipeline,
- #else
-     // Convert our Instruction list to an array of ProgramOps.
-     TArray<Stage> stages;
--    SlotData slotData = this->allocateSlotData(alloc);
--    this->makeStages(&stages, alloc, uniforms, slotData);
-+    std::optional<SlotData> slotData = this->allocateSlotData(alloc);
-+    if (!slotData) {
-+        return false;
-+    }
-+    this->makeStages(&stages, alloc, uniforms, *slotData);
- 
-     // Allocate buffers for branch targets and labels; these are needed to convert labels into
-     // actual offsets into the pipeline and fix up branches.
-@@ -1673,7 +1684,7 @@ bool Program::appendStages(SkRasterPipeline* pipeline,
-     auto resetBasePointer = [&]() {
-         // Whenever we hand off control to another shader, we have to assume that it might overwrite
-         // the base pointer (if it uses SkSL, it will!), so we reset it on return.
--        pipeline->append(SkRasterPipelineOp::set_base_pointer, slotData.values.data());
-+        pipeline->append(SkRasterPipelineOp::set_base_pointer, (*slotData).values.data());
-     };
- 
-     resetBasePointer();
-@@ -2844,7 +2855,7 @@ void Program::Dumper::dump(SkWStream* out, bool writeInstructionCount) {
-     // executed. The program requires pointer ranges for managing its data, and ASAN will report
-     // errors if those pointers are pointing at unallocated memory.
-     SkArenaAlloc alloc(/*firstHeapAllocation=*/1000);
--    fSlots = fProgram.allocateSlotData(&alloc);
-+    fSlots = fProgram.allocateSlotData(&alloc).value();
-     float* uniformPtr = alloc.makeArray<float>(fProgram.fNumUniformSlots);
-     fUniforms = SkSpan(uniformPtr, fProgram.fNumUniformSlots);
- 
-diff --git a/src/sksl/codegen/SkSLRasterPipelineBuilder.h b/src/sksl/codegen/SkSLRasterPipelineBuilder.h
-index e73543b777d078fa629864a5aad97b75fb829220..acb35c6cc35d0e33e045010b8d571a8c973bbea3 100644
---- a/src/sksl/codegen/SkSLRasterPipelineBuilder.h
-+++ b/src/sksl/codegen/SkSLRasterPipelineBuilder.h
-@@ -19,6 +19,7 @@
- #include <cstddef>
- #include <cstdint>
- #include <memory>
-+#include <optional>
- 
- class SkArenaAlloc;
- class SkRasterPipeline;
-@@ -176,7 +177,7 @@ private:
-         SkSpan<float> stack;
-         SkSpan<float> immutable;
-     };
--    SlotData allocateSlotData(SkArenaAlloc* alloc) const;
-+    std::optional<SlotData> allocateSlotData(SkArenaAlloc* alloc) const;
- 
-     struct Stage {
-         ProgramOp op;
-diff --git a/tests/RasterPipelineCodeGeneratorTest.cpp b/tests/RasterPipelineCodeGeneratorTest.cpp
-index 9da6e61a36fa59fc6ecf067d5643cc839d0e254f..24903c787414558864b4b9e1ef2c90c24f95f436 100644
---- a/tests/RasterPipelineCodeGeneratorTest.cpp
-+++ b/tests/RasterPipelineCodeGeneratorTest.cpp
-@@ -22,6 +22,7 @@
- 
- #include <memory>
- #include <optional>
-+#include <sstream>
- #include <string>
- 
- //#define DUMP_PROGRAMS 1
-@@ -250,3 +251,80 @@ DEF_TEST(SkSLRasterPipelineCodeGeneratorComparisonIntrinsicTest, r) {
-          /*startingColor=*/SkColor4f{0.0, 0.0, 0.0, 0.0},
-          /*expectedResult=*/SkColor4f{0.0, 1.0, 0.0, 1.0});
- }
-+
-+DEF_TEST(SkSLRasterPipelineSlotOverflow_355465305, r) {
-+    constexpr int kStructMembers1 = 6200;
-+    constexpr int kStructMembers2 = 433;
-+    std::stringstream str;
-+    str << "struct M { float4x4 m";
-+    for (int i = 1; i < kStructMembers1; ++i) {
-+        str << ",m" << i;
-+    }
-+    str << ";};";
-+    str << "struct M2 { float4x4 m";
-+    for (int i = 1; i < kStructMembers2; ++i) {
-+        str << ",m" << i;
-+    }
-+    str << ";};";
-+    str << "M f() { M m; return m; }";
-+    constexpr int kConstMembers = 40;
-+    str << "struct T { float4x4 m0";
-+    for (int i = 1; i < kConstMembers; ++i) {
-+        str << ",m" << i;
-+    }
-+    str << ";};";
-+    str << "const T K = T(";
-+    for (int i = 0; i < kConstMembers; ++i) {
-+        if (i > 0) {
-+            str << ",";
-+        }
-+        str << "mat4x4(1337)";
-+    }
-+    str << ");";
-+    str << "half4 main(half4 color) {";
-+    str << "float4x4 a = M2(";
-+    for (int j = 0; j < kStructMembers2; ++j) {
-+        if (j > 0) {
-+            str << ",";
-+        }
-+        const int numAddOps = (j == kStructMembers1 - 1) ? 23 : 25;
-+        for (int i = 0; i < numAddOps; ++i) {
-+            if (i > 0) {
-+                str << "+";
-+            }
-+            str << "f().m";
-+        }
-+    }
-+    str << ").m;";
-+    str << "return half4(a[0]+(K.m0+K.m1+K.m2+K.m3)[0]);";
-+    str << "}";
-+    std::string src = str.str();
-+
-+    SkSL::Compiler compiler;
-+    std::unique_ptr<SkSL::Program> program =
-+            compiler.convertProgram(SkSL::ProgramKind::kRuntimeColorFilter, src, {});
-+    if (!program) {
-+        ERRORF(r, "Unexpected error compiling %s\n%s", src.c_str(), compiler.errorText().c_str());
-+        return;
-+    }
-+    const SkSL::FunctionDeclaration* main = program->getFunction("main");
-+    if (!main) {
-+        ERRORF(r, "Program must have a 'main' function");
-+        return;
-+    }
-+    SkArenaAlloc alloc(1000);
-+    SkRasterPipeline pipeline(&alloc);
-+    pipeline.appendConstantColor(&alloc, SkColors::kWhite);
-+    std::unique_ptr<SkSL::RP::Program> rasterProg =
-+            SkSL::MakeRasterPipelineProgram(*program, *main->definition());
-+    // Ideally, this program would fail in the front-end, because of the number of slots needed
-+    // for expression evaluation. For now, it succeeds (but then fails in appendStages).
-+    if (!rasterProg) {
-+        ERRORF(r, "MakeRasterPipelineProgram failed");
-+        return;
-+    }
-+
-+    // Append the SkSL program to the raster pipeline.
-+    bool success = rasterProg->appendStages(&pipeline, &alloc, /*callbacks=*/nullptr, {});
-+    REPORTER_ASSERT(r, !success, "appendStages should fail for very large program");
-+}

+ 1 - 11
patches/v8/.patches

@@ -2,20 +2,10 @@ chore_allow_customizing_microtask_policy_per_context.patch
 deps_add_v8_object_setinternalfieldfornodecore.patch
 revert_heap_add_checks_position_info.patch
 revert_api_cleanup_remove_setaccessor_and_setnativedataproperty.patch
-spill_all_loop_inputs_before_entering_loop.patch
-cherry-pick-9542895cdd3d.patch
-cherry-pick-81155a8f3b20.patch
 cherry-pick-a7766feb0a90.patch
-cherry-pick-f612d9a40b19.patch
-m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch
 merged_turbofan_handle_type_none_in_samevalue.patch
-m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch
-merged_heap_sandbox_update_ept_s_evacuation_entries_in_scavenger.patch
-merged_don_t_assume_all_turbofan_frames_are_javascript.patch
 merged_wasm_do_not_inline_wrappers_with_ref_extern_parameter.patch
-merged_wasm_fix_default_externref_exnref_reference.patch
-m126-lts_liftoff_fix_clobbered_scratch_register.patch
 cherry-pick-aad648bd2af9.patch
 merged_wasm_arm_tail-call_free_scratch_register_earlier.patch
 merged_turboshaft_wasm_wasmgctypeanalyzer_fix_phi_input_for.patch
-merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
+merged_turboshaft_wasm_wasmgctypeanalyzer_fix_single-block_loops.patch
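Review bot: Ten entries are dropped from this list, and the ones whose patch text is visible further down are V8 security or correctness backports (for example `cherry-pick-81155a8f3b20.patch` carries `Fixed: 367818758`, and `cherry-pick-9542895cdd3d.patch` carries `Fixed: 368241697`). Nothing in the commit record states that the V8 revision pulled in by the DEPS bump already contains each of them. That is presumably why they are removed, but it cannot be confirmed from this page. I would check every dropped patch's `Change-Id` against the new V8 checkout and record the result in the description, e.g. `All removed v8 patches are included upstream as of 126.0.6478.261`. The last removed/added pair has identical text, so it looks like only the end-of-file newline changed; confirm that is intended.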

+ 0 - 282
patches/v8/cherry-pick-81155a8f3b20.patch

@@ -1,282 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Victor Gomes <[email protected]>
-Date: Wed, 2 Oct 2024 10:59:42 +0200
-Subject: Consider WasmStruct in InferHasInPrototypeChain
-
-Drive-by: add some CHECKs in not _clearly_ safe uses of AsJSObject
-to turn possible vulnerablities into crashes.
-
-Fixed: 367818758
-Change-Id: Ib0464658152ce87141fa137dc6562f17b84bb6be
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5901846
-Reviewed-by: Nico Hartmann <[email protected]>
-Auto-Submit: Victor Gomes <[email protected]>
-Commit-Queue: Nico Hartmann <[email protected]>
-Cr-Commit-Position: refs/heads/main@{#96386}
-
-diff --git a/src/compiler/access-info.cc b/src/compiler/access-info.cc
-index a81a8e80a9b6b838037c6dcc5e9b6845e9a35f7e..beefe70ecc2e2b6e2c60757d441c67e5c137159b 100644
---- a/src/compiler/access-info.cc
-+++ b/src/compiler/access-info.cc
-@@ -926,6 +926,7 @@ PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(
-       return PropertyAccessInfo::NotFound(zone(), receiver_map, holder);
-     }
- 
-+    CHECK(prototype.IsJSObject());
-     holder = prototype.AsJSObject();
-     map = map_prototype_map;
- 
-diff --git a/src/compiler/heap-refs.cc b/src/compiler/heap-refs.cc
-index 205d13587589724d3525928be7172f2e157811a6..bb3b5f10b037ac8cb25fc6305adcaed317c9f86d 100644
---- a/src/compiler/heap-refs.cc
-+++ b/src/compiler/heap-refs.cc
-@@ -1655,6 +1655,7 @@ HolderLookupResult FunctionTemplateInfoRef::LookupHolderOfExpectedType(
-   if (!expected_receiver_type->IsTemplateFor(prototype.object()->map())) {
-     return not_found;
-   }
-+  CHECK(prototype.IsJSObject());
-   return HolderLookupResult(CallOptimization::kHolderFound,
-                             prototype.AsJSObject());
- }
-diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
-index b5de19c7e945badb8d5c1d5e07117b43f5b12870..45ec96a66f9826a773beb250ae924af9b98a3897 100644
---- a/src/compiler/js-native-context-specialization.cc
-+++ b/src/compiler/js-native-context-specialization.cc
-@@ -880,7 +880,9 @@ JSNativeContextSpecialization::InferHasInPrototypeChain(
-       // might be a different object each time, so it's much simpler to include
-       // {prototype}. That does, however, mean that we must check {prototype}'s
-       // map stability.
--      if (!prototype.map(broker()).is_stable()) return kMayBeInPrototypeChain;
-+      if (!prototype.IsJSObject() || !prototype.map(broker()).is_stable()) {
-+        return kMayBeInPrototypeChain;
-+      }
-       last_prototype = prototype.AsJSObject();
-     }
-     WhereToStart start = result == NodeProperties::kUnreliableMaps
-diff --git a/test/mjsunit/wasm/regress-367818758.js b/test/mjsunit/wasm/regress-367818758.js
-new file mode 100644
-index 0000000000000000000000000000000000000000..69e8290c88d85699f9845ed5dddb767f1be40441
---- /dev/null
-+++ b/test/mjsunit/wasm/regress-367818758.js
-@@ -0,0 +1,221 @@
-+// Copyright 2024 the V8 project authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style license that can be
-+// found in the LICENSE file.
-+//
-+// Flags: --allow-natives-syntax
-+
-+var kWasmH0 = 0;
-+var kWasmH1 = 0x61;
-+var kWasmH2 = 0x73;
-+var kWasmH3 = 0x6d;
-+var kWasmV0 = 0x1;
-+var kWasmV1 = 0;
-+var kWasmV2 = 0;
-+var kWasmV3 = 0;
-+let kTypeSectionCode = 1;        // Function signature declarations
-+let kFunctionSectionCode = 3;    // Function declarations
-+let kExportSectionCode = 7;      // Exports
-+let kCodeSectionCode = 10;       // Function code
-+let kWasmFunctionTypeForm = 0x60;
-+let kWasmStructTypeForm = 0x5f;
-+let kNoSuperType = 0xFFFFFFFF;
-+let kWasmI32 = 0x7f;
-+let kWasmExternRef = -0x11;
-+let kLeb128Mask = 0x7f;
-+let kExternalFunction = 0;
-+function makeSig(params, results) {
-+  return {params: params, results: results};
-+}
-+const kWasmOpcodes = {
-+  'End': 0x0b,
-+  'I32Const': 0x41,
-+};
-+function defineWasmOpcode(name, value) {
-+  Object.defineProperty(globalThis, name, {value: value});
-+}
-+for (let name in kWasmOpcodes) {
-+  defineWasmOpcode(`kExpr${name}`, kWasmOpcodes[name]);
-+}
-+const kPrefixOpcodes = {
-+  'GC': 0xfb,
-+};
-+for (let prefix in kPrefixOpcodes) {
-+  defineWasmOpcode(`k${prefix}Prefix`, kPrefixOpcodes[prefix]);
-+}
-+let kExprStructNew = 0x00;
-+let kExprExternConvertAny = 0x1b;
-+class Binary {
-+  constructor() {
-+    this.length = 0;
-+    this.buffer = new Uint8Array(8192);
-+  }
-+  trunc_buffer() {
-+    return new Uint8Array(this.buffer.buffer, 0, this.length);
-+  }
-+  emit_u8(val) {
-+    this.buffer[this.length++] = val;
-+  }
-+  emit_leb_u(val) {
-+      let v = val & 0xff;
-+        this.buffer[this.length++] = v;
-+  }
-+  emit_u32v(val) {
-+    this.emit_leb_u(val);
-+  }
-+  emit_bytes(data) {
-+    this.buffer.set(data, this.length);
-+    this.length += data.length;
-+  }
-+  emit_string(string) {
-+    let string_utf8 = string;
-+    this.emit_u32v(string_utf8.length);
-+    for (let i = 0; i < string_utf8.length; i++) {
-+      this.emit_u8(string_utf8.charCodeAt(i));
-+    }
-+  }
-+  emit_type(type) {
-+      this.emit_u8(type >= 0 ? type : type & kLeb128Mask);
-+  }
-+  emit_header() {
-+    this.emit_bytes([
-+      kWasmH0, kWasmH1, kWasmH2, kWasmH3, kWasmV0, kWasmV1, kWasmV2, kWasmV3
-+    ]);
-+  }
-+  emit_section(section_code, content_generator) {
-+    this.emit_u8(section_code);
-+    const section = new Binary;
-+    content_generator(section);
-+    this.emit_u32v(section.length);
-+    this.emit_bytes(section.trunc_buffer());
-+  }
-+}
-+class WasmFunctionBuilder {
-+  constructor(module, name, type_index, arg_names) {
-+    this.module = module;
-+    this.name = name;
-+    this.type_index = type_index;
-+  }
-+  exportAs(name) {
-+    this.module.addExport(name, this.index);
-+  }
-+  exportFunc() {
-+    this.exportAs(this.name);
-+    return this;
-+  }
-+  addBody(body) {
-+    this.body = body.concat([kExprEnd]);
-+  }
-+}
-+function makeField(type, mutability) {
-+  return {type: type, mutability: mutability};
-+}
-+class WasmStruct {
-+  constructor(fields) {
-+    this.fields = fields;
-+  }
-+}
-+class WasmModuleBuilder {
-+  constructor() {
-+    this.types = [];
-+    this.exports = [];
-+    this.functions = [];
-+  }
-+  addType(type, supertype_idx = kNoSuperType, is_final = true,
-+      is_shared = false) {
-+    var type_copy = {params: type.params, results: type.results,
-+                     is_final: is_final, is_shared: is_shared,
-+                     supertype: supertype_idx};
-+    this.types.push(type_copy);
-+    return this.types.length - 1;
-+  }
-+  addStruct(fields = kNoSuperType = false, is_shared = false) {
-+    this.types.push(new WasmStruct(fields));
-+  }
-+  addFunction(name, type, arg_names) {
-+    let type_index =typeof type == 'number' ? type : this.addType(type);
-+    let func = new WasmFunctionBuilder(this, name, type_index);
-+    this.functions.push(func);
-+    return func;
-+  }
-+  addExport(name, index) {
-+    this.exports.push({name: name, kind: kExternalFunction, index: index});
-+  }
-+  toBuffer() {
-+    let binary = new Binary;
-+    let wasm = this;
-+    binary.emit_header();
-+      binary.emit_section(kTypeSectionCode, section => {
-+        let length_with_groups = wasm.types.length;
-+        section.emit_u32v(length_with_groups);
-+        for (let i = 0; i < wasm.types.length; i++) {
-+          let type = wasm.types[i];
-+          if (type instanceof WasmStruct) {
-+            section.emit_u8(kWasmStructTypeForm);
-+            section.emit_u32v(type.fields.length);
-+            for (let field of type.fields) {
-+              section.emit_type(field.type);
-+              section.emit_u8();
-+            }
-+          } else {
-+            section.emit_u8(kWasmFunctionTypeForm);
-+            section.emit_u32v();
-+            section.emit_u32v(type.results.length);
-+            for (let result of type.results) {
-+              section.emit_type(result);
-+            }
-+          }
-+        }
-+      });
-+      binary.emit_section(kFunctionSectionCode, section => {
-+        section.emit_u32v(wasm.functions.length);
-+        for (let func of wasm.functions) {
-+          section.emit_u32v(func.type_index);
-+        }
-+      });
-+    var exports_count = wasm.exports.length;
-+      binary.emit_section(kExportSectionCode, section => {
-+        section.emit_u32v(exports_count);
-+        for (let exp of wasm.exports) {
-+          section.emit_string(exp.name);
-+          section.emit_u8();
-+          section.emit_u32v();
-+        }
-+      });
-+      binary.emit_section(kCodeSectionCode, section => {
-+        section.emit_u32v(wasm.functions.length);
-+        for (let func of wasm.functions) {
-+            section.emit_u32v(func.body.length + 1);
-+            section.emit_u8();  // 0 locals.
-+          section.emit_bytes(func.body);
-+        }
-+      });
-+    return binary.trunc_buffer();
-+  }
-+  instantiate() {
-+    let module = this.toModule();
-+    let instance = new WebAssembly.Instance(module);
-+    return instance;
-+  }
-+  toModule() {
-+    return new WebAssembly.Module(this.toBuffer());
-+  }
-+}
-+let builder = new WasmModuleBuilder();
-+let struct_type = builder.addStruct([makeField(kWasmI32)]);
-+builder.addFunction('MakeStruct', makeSig([], [kWasmExternRef])).exportFunc()
-+       .addBody([kExprI32Const, 42, kGCPrefix, kExprStructNew, struct_type,
-+                 kGCPrefix, kExprExternConvertAny]);
-+let instance = builder.instantiate();
-+let evil_wasm_object = instance.exports.MakeStruct();
-+function evil_ctor(){
-+}
-+function evil_cast_jit(evil_o){
-+    global_collect_node_info = evil_o; // get nodeinfo from PropertyCellStore
-+    return evil_o instanceof evil_ctor;
-+}
-+evil_ctor.prototype = evil_wasm_object;
-+%PrepareFunctionForOptimization(evil_cast_jit);
-+evil_cast_jit(new evil_ctor());
-+evil_cast_jit(new evil_ctor());
-+%OptimizeFunctionOnNextCall(evil_cast_jit);
-+evil_cast_jit();

+ 0 - 145
patches/v8/cherry-pick-9542895cdd3d.patch

@@ -1,145 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Jakob Kummerow <[email protected]>
-Date: Tue, 24 Sep 2024 17:34:49 +0200
-Subject: Properly check max module size
-
-and allow d8-based tests for it.
-
-Fixed: 368241697
-Change-Id: Iddc9f7e669de7a1d79dccbc99bcc5fb43dad67a1
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5886728
-Reviewed-by: Clemens Backes <[email protected]>
-Reviewed-by: Matthias Liedtke <[email protected]>
-Auto-Submit: Jakob Kummerow <[email protected]>
-Commit-Queue: Jakob Kummerow <[email protected]>
-Cr-Commit-Position: refs/heads/main@{#96272}
-
-diff --git a/src/wasm/streaming-decoder.cc b/src/wasm/streaming-decoder.cc
-index 786c5aa250f055a0f69ca28403bfa679638e6465..9eb2d2fb9f1e973b04c8cf7829cc7b2849b632f9 100644
---- a/src/wasm/streaming-decoder.cc
-+++ b/src/wasm/streaming-decoder.cc
-@@ -294,6 +294,10 @@ void AsyncStreamingDecoder::Finish(bool can_use_compiled_module) {
-   if (!full_wire_bytes_.back().empty()) {
-     size_t total_length = 0;
-     for (auto& bytes : full_wire_bytes_) total_length += bytes.size();
-+    if (ok()) {
-+      // {DecodeSectionLength} enforces this with graceful error reporting.
-+      CHECK_LE(total_length, max_module_size());
-+    }
-     auto all_bytes = base::OwnedVector<uint8_t>::NewForOverwrite(total_length);
-     uint8_t* ptr = all_bytes.begin();
-     for (auto& bytes : full_wire_bytes_) {
-@@ -627,6 +631,18 @@ std::unique_ptr<AsyncStreamingDecoder::DecodingState>
- AsyncStreamingDecoder::DecodeSectionLength::NextWithValue(
-     AsyncStreamingDecoder* streaming) {
-   TRACE_STREAMING("DecodeSectionLength(%zu)\n", value_);
-+  // Check if this section fits into the overall module length limit.
-+  // Note: {this->module_offset_} is the position of the section ID byte,
-+  // {streaming->module_offset_} is the start of the section's payload (i.e.
-+  // right after the just-decoded section length varint).
-+  // The latter can already exceed the max module size, when the previous
-+  // section barely fit into it, and this new section's ID or length crossed
-+  // the threshold.
-+  uint32_t payload_start = streaming->module_offset();
-+  size_t max_size = max_module_size();
-+  if (payload_start > max_size || max_size - payload_start < value_) {
-+    return streaming->ToErrorState();
-+  }
-   SectionBuffer* buf =
-       streaming->CreateNewBuffer(module_offset_, section_id_, value_,
-                                  buffer().SubVector(0, bytes_consumed_));
-diff --git a/src/wasm/wasm-engine.cc b/src/wasm/wasm-engine.cc
-index 6b668b111c9d801e13f4d74f227c02029c4e80ec..8a3a855924fee296fd85e8b98d976e0c9f4c74c9 100644
---- a/src/wasm/wasm-engine.cc
-+++ b/src/wasm/wasm-engine.cc
-@@ -2009,10 +2009,11 @@ uint32_t max_table_init_entries() {
- 
- // {max_module_size} is declared in wasm-limits.h.
- size_t max_module_size() {
--  // Clamp the value of --wasm-max-module-size between 16 and just below 2GB.
-+  // Clamp the value of --wasm-max-module-size between 16 and the maximum
-+  // that the implementation supports.
-   constexpr size_t kMin = 16;
--  constexpr size_t kMax = RoundDown<kSystemPointerSize>(size_t{kMaxInt});
--  static_assert(kMin <= kV8MaxWasmModuleSize && kV8MaxWasmModuleSize <= kMax);
-+  constexpr size_t kMax = kV8MaxWasmModuleSize;
-+  static_assert(kMin <= kV8MaxWasmModuleSize);
-   return std::clamp(v8_flags.wasm_max_module_size.value(), kMin, kMax);
- }
- 
-diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
-index d8cff07657d4dd0e71a4c677b27e96fd67cd00a3..ae04f27efb30f2bf086bd4fe4bf9a3594c38c581 100644
---- a/src/wasm/wasm-js.cc
-+++ b/src/wasm/wasm-js.cc
-@@ -195,8 +195,8 @@ GET_FIRST_ARGUMENT_AS(Tag)
- #undef GET_FIRST_ARGUMENT_AS
- 
- i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
--    const v8::FunctionCallbackInfo<v8::Value>& info, ErrorThrower* thrower,
--    bool* is_shared) {
-+    const v8::FunctionCallbackInfo<v8::Value>& info, size_t max_length,
-+    ErrorThrower* thrower, bool* is_shared) {
-   DCHECK(i::ValidateCallbackInfo(info));
-   const uint8_t* start = nullptr;
-   size_t length = 0;
-@@ -227,7 +227,6 @@ i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
-   if (length == 0) {
-     thrower->CompileError("BufferSource argument is empty");
-   }
--  size_t max_length = i::wasm::max_module_size();
-   if (length > max_length) {
-     // The spec requires a CompileError for implementation-defined limits, see
-     // https://webassembly.github.io/spec/js-api/index.html#limits.
-@@ -624,7 +623,8 @@ void WebAssemblyCompileImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
-       new AsyncCompilationResolver(isolate, context, promise_resolver));
- 
-   bool is_shared = false;
--  auto bytes = GetFirstArgumentAsBytes(info, &thrower, &is_shared);
-+  auto bytes = GetFirstArgumentAsBytes(info, i::wasm::max_module_size(),
-+                                       &thrower, &is_shared);
-   if (thrower.error()) {
-     resolver->OnCompilationFailed(thrower.Reify());
-     return;
-@@ -656,8 +656,11 @@ void WasmStreamingCallbackForTesting(
-       v8::WasmStreaming::Unpack(info.GetIsolate(), info.Data());
- 
-   bool is_shared = false;
-+  // We don't check the buffer length up front, to allow d8 to test that the
-+  // streaming decoder implementation handles overly large inputs correctly.
-+  size_t unlimited = std::numeric_limits<size_t>::max();
-   i::wasm::ModuleWireBytes bytes =
--      GetFirstArgumentAsBytes(info, &thrower, &is_shared);
-+      GetFirstArgumentAsBytes(info, unlimited, &thrower, &is_shared);
-   if (thrower.error()) {
-     streaming->Abort(Utils::ToLocal(thrower.Reify()));
-     return;
-@@ -759,7 +762,8 @@ void WebAssemblyValidateImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
-   ErrorThrower thrower(i_isolate, "WebAssembly.validate()");
- 
-   bool is_shared = false;
--  auto bytes = GetFirstArgumentAsBytes(info, &thrower, &is_shared);
-+  auto bytes = GetFirstArgumentAsBytes(info, i::wasm::max_module_size(),
-+                                       &thrower, &is_shared);
- 
-   v8::ReturnValue<v8::Value> return_value = info.GetReturnValue();
- 
-@@ -838,7 +842,8 @@ void WebAssemblyModuleImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
-   }
- 
-   bool is_shared = false;
--  auto bytes = GetFirstArgumentAsBytes(info, &thrower, &is_shared);
-+  auto bytes = GetFirstArgumentAsBytes(info, i::wasm::max_module_size(),
-+                                       &thrower, &is_shared);
- 
-   if (thrower.error()) {
-     return;
-@@ -1156,7 +1161,8 @@ void WebAssemblyInstantiateImpl(
-   }
- 
-   bool is_shared = false;
--  auto bytes = GetFirstArgumentAsBytes(info, &thrower, &is_shared);
-+  auto bytes = GetFirstArgumentAsBytes(info, i::wasm::max_module_size(),
-+                                       &thrower, &is_shared);
-   if (thrower.error()) {
-     resolver->OnInstantiationFailed(thrower.Reify());
-     return;

+ 9 - 7
patches/v8/cherry-pick-aad648bd2af9.patch

@@ -1,7 +1,10 @@
-From aad648bd2af9815d0c48eeb78cbf3d8e6471d094 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Darius Mercadier <[email protected]>
-Date: Thu, 05 Dec 2024 16:03:33 +0100
-Subject: [PATCH] Merged: [maglev] Avoid retagging loop phi backedges too early
+Date: Thu, 5 Dec 2024 16:03:33 +0100
+Subject: Merged: [maglev] Avoid retagging loop phi backedges too early
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
 
 When we decide that a loop phi should remain tagged, we call
 EnsurePhiInputsTagged to ensures that it only has tagged inputs, which
@@ -32,13 +35,12 @@ Reviewed-by: Camillo Bruni <[email protected]>
 Cr-Commit-Position: refs/branch-heads/13.0@{#41}
 Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
 Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
----
 
 diff --git a/src/maglev/maglev-phi-representation-selector.cc b/src/maglev/maglev-phi-representation-selector.cc
-index c03974e..b4d913d 100644
+index 8d6aa0e4ff3be654ca32c824a6e076885092a5cc..29bbaf417e668fa906f05ba9a269b9f6446ef27e 100644
 --- a/src/maglev/maglev-phi-representation-selector.cc
 +++ b/src/maglev/maglev-phi-representation-selector.cc
-@@ -334,7 +334,8 @@
+@@ -329,7 +329,8 @@ void MaglevPhiRepresentationSelector::EnsurePhiInputsTagged(Phi* phi) {
    // should be tagged. We'll thus insert tagging operation on the untagged phi
    // inputs of {phi}.
  
@@ -50,7 +52,7 @@ index c03974e..b4d913d 100644
        phi->change_input(i, EnsurePhiTagged(phi_input, phi->predecessor_at(i),
 diff --git a/test/mjsunit/maglev/regress-382190919.js b/test/mjsunit/maglev/regress-382190919.js
 new file mode 100644
-index 0000000..773f442
+index 0000000000000000000000000000000000000000..773f442cb98b914328cdd6e24a8eca1ef6d8a9d6
 --- /dev/null
 +++ b/test/mjsunit/maglev/regress-382190919.js
 @@ -0,0 +1,39 @@

+ 0 - 29
patches/v8/cherry-pick-f612d9a40b19.patch

@@ -1,29 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thibaud Michaud <[email protected]>
-Date: Tue, 17 Sep 2024 16:49:30 +0200
-Subject: Check strict type equality for Tag imports
-
[email protected]
-
-Fixed: 365802567
-Change-Id: I38d70f157f9a78fe56eb0c377776dfe794872473
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5868875
-Commit-Queue: Thibaud Michaud <[email protected]>
-Reviewed-by: Manos Koukoutos <[email protected]>
-Cr-Commit-Position: refs/heads/main@{#96143}
-
-diff --git a/src/wasm/wasm-objects.cc b/src/wasm/wasm-objects.cc
-index 85dca1183a22039732def26e473b42645c497856..9b24adc335fc0326041cf60117212134ae955762 100644
---- a/src/wasm/wasm-objects.cc
-+++ b/src/wasm/wasm-objects.cc
-@@ -1843,8 +1843,8 @@ Handle<WasmTagObject> WasmTagObject::New(Isolate* isolate,
- }
- 
- bool WasmTagObject::MatchesSignature(uint32_t expected_canonical_type_index) {
--  return wasm::GetWasmEngine()->type_canonicalizer()->IsCanonicalSubtype(
--      this->canonical_type_index(), expected_canonical_type_index);
-+  return static_cast<uint32_t>(this->canonical_type_index()) ==
-+         expected_canonical_type_index;
- }
- 
- const wasm::FunctionSig* WasmCapiFunction::GetSignature(Zone* zone) const {

+ 1 - 1
patches/v8/deps_add_v8_object_setinternalfieldfornodecore.patch

@@ -46,7 +46,7 @@ index c2ea59d3652a2e8a2ff6435982624996ef35ab17..4636df9df1fc2feb9aff2634140edf11
    V8_INLINE static void* GetAlignedPointerFromInternalField(
        const BasicTracedReference<Object>& object, int index) {
 diff --git a/src/api/api.cc b/src/api/api.cc
-index 82dc80ad3d1546e9ee2e976a43a510a8f8b2d73c..498582940eb4e279c17c832f3bda395764a60231 100644
+index ede25d4d87039ceb51d6845e982a6d3d67dfc2b3..cc4c4a9c10797d763ecd808aef5e9893856a0fcc 100644
 --- a/src/api/api.cc
 +++ b/src/api/api.cc
 @@ -6293,14 +6293,33 @@ Local<Data> v8::Object::SlowGetInternalField(int index) {

+ 0 - 58
patches/v8/m126-lts_compiler_clear_stale_data_for_zeroextendsword32toword64.patch

@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Seth Brenith <[email protected]>
-Date: Tue, 6 Aug 2024 23:08:34 -0700
-Subject: Clear stale data for ZeroExtendsWord32ToWord64
-
-The first call to ZeroExtendsWord32ToWord64 produces a correct result,
-but leaves some incorrect values in phi_states_. To avoid incorrect
-behavior, we should clear those values when starting anew.
-
-I think that the performance impact of this change on compilation time
-should be small, because calls to ZeroExtendsWord32ToWord64 are
-infrequent. Here is a histogram showing, per function compiled in
-Octane, how often this new code is run:
-
-0: 74.7%
-1: 13.1%
-2: 6.3%
-3: 2.5%
-4 or 5: 1.7%
-6 to 9: 0.9%
-11 to 33: 0.8%
-
-(cherry picked from commit 780d5608bb8ab63a3cd4b5c4846a3ec41e21c1a8)
-
-Bug: 356196918
-Change-Id: I00a9e74652025bf8a32cb083a6e01c0273e44043
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5766478
-Commit-Queue: Seth Brenith <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#95528}
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5807474
-Auto-Submit: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Reviewed-by: Thibaud Michaud <[email protected]>
-Reviewed-by: Seth Brenith <[email protected]>
-Reviewed-by: Nico Hartmann <[email protected]>
-Commit-Queue: Thibaud Michaud <[email protected]>
-Cr-Commit-Position: refs/branch-heads/12.6@{#60}
-Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
-Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
-
-diff --git a/src/compiler/backend/instruction-selector.cc b/src/compiler/backend/instruction-selector.cc
-index 053e8a449ec1ad7ecf2ebf13f548978d7cfafeed..c7a0a4d8cd37ca98f7dc7a8f6dc910e19d515603 100644
---- a/src/compiler/backend/instruction-selector.cc
-+++ b/src/compiler/backend/instruction-selector.cc
-@@ -5633,6 +5633,14 @@ bool InstructionSelectorT<Adapter>::ZeroExtendsWord32ToWord64(
-   const int kMaxRecursionDepth = 100;
- 
-   if (this->IsPhi(node)) {
-+    // Intermediate results from previous calls are not necessarily correct.
-+    if (recursion_depth == 0) {
-+      static_assert(sizeof(Upper32BitsState) == 1);
-+      memset(phi_states_.data(),
-+             static_cast<int>(Upper32BitsState::kNotYetChecked),
-+             phi_states_.size());
-+    }
-+
-     Upper32BitsState current = phi_states_[this->id(node)];
-     if (current != Upper32BitsState::kNotYetChecked) {
-       return current == Upper32BitsState::kUpperBitsGuaranteedZero;

+ 0 - 80
patches/v8/m126-lts_liftoff_fix_clobbered_scratch_register.patch

@@ -1,80 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Clemens Backes <[email protected]>
-Date: Fri, 15 Nov 2024 16:00:15 +0100
-Subject: Fix clobbered scratch register
-
-`GetMemOp` returns an `Operand` which can contain `kScratchRegister`. We
-should hence not clobber that register until after the last use of the
-`Operand`.
-
-This CL changes the scratch register to `kScratchRegister2` which has
-much fewer uses, and in particular none which collides with `GetMemOp`.
-
[email protected]
-
-(cherry picked from commit 57a017e611a5abfb0e4b59f6de028bc4070a3615)
-
-Fixed: 378779897, 378701682
-Change-Id: Id1ed25edfe76200d069ac2ab54e5000eed313c8f
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6022072
-Reviewed-by: Matthias Liedtke <[email protected]>
-Commit-Queue: Clemens Backes <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#97224}
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6056706
-Reviewed-by: Clemens Backes <[email protected]>
-Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
-Reviewed-by: Daniel Lehmann <[email protected]>
-Cr-Commit-Position: refs/branch-heads/12.6@{#82}
-Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
-Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
-
-diff --git a/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h b/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
-index b20867d7ec2a5724653ebe9baca8c8949d70cd74..be01772c27382e2c10314777e4058cf326327ba3 100644
---- a/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
-+++ b/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
-@@ -50,6 +50,8 @@ constexpr Operand kInstanceDataOperand =
- 
- constexpr Operand kOSRTargetSlot = GetStackSlot(kOSRTargetOffset);
- 
-+// Note: The returned Operand might contain {kScratchRegister2}; make sure not
-+// to clobber that until after the last use of the Operand.
- inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
-                         Register offset_reg, uintptr_t offset_imm,
-                         ScaleFactor scale_factor = times_1) {
-@@ -60,7 +62,7 @@ inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
-                : Operand(addr, offset_reg, scale_factor, offset_imm32);
-   }
-   // Offset immediate does not fit in 31 bits.
--  Register scratch = kScratchRegister;
-+  Register scratch = kScratchRegister2;
-   assm->MacroAssembler::Move(scratch, offset_imm);
-   if (offset_reg != no_reg) assm->addq(scratch, offset_reg);
-   return Operand(addr, scratch, scale_factor, 0);
-diff --git a/test/mjsunit/regress/wasm/regress-378779897.js b/test/mjsunit/regress/wasm/regress-378779897.js
-new file mode 100644
-index 0000000000000000000000000000000000000000..fed1bc807165e1b9e83195a2df30aac33a544470
---- /dev/null
-+++ b/test/mjsunit/regress/wasm/regress-378779897.js
-@@ -0,0 +1,22 @@
-+// Copyright 2024 the V8 project authors. All rights reserved.
-+// Use of this source code is governed by a BSD-style license that can be
-+// found in the LICENSE file.
-+
-+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
-+
-+const builder = new WasmModuleBuilder();
-+builder.addMemory(49149);
-+
-+builder.addFunction('main', kSig_i_v).addBody([
-+  ...wasmI32Const(-1118406780),
-+  ...wasmI32Const(-1),
-+  kAtomicPrefix, kExprI32AtomicOr8U, 0, 0
-+]).exportFunc();
-+
-+let instance;
-+try {
-+  instance = builder.instantiate();
-+} catch (e) {
-+  assertException(e, RangeError, /Out of memory/);
-+}
-+if (instance) instance.exports.main();

+ 0 - 81
patches/v8/m126-lts_wasm_don_t_catch_uncatchable_exceptions_in_the_jspi.patch

@@ -1,81 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thibaud Michaud <[email protected]>
-Date: Tue, 3 Sep 2024 11:50:45 +0200
-Subject: Don't catch uncatchable exceptions in the JSPI wrapper
-
-M126 merge issues:
-  The HandleStackSwitch function doesn't exist in the LTS branch.
-
-... And forward the exception to the parent stack instead.
-
[email protected]
-
-(cherry picked from commit 9495e79f82f60da191211669e9de1b210d2af1c9)
-
-Fixed: 361717714
-Change-Id: I7c6a75b53bc7732546ec6a7a1425ac50b9b1756b
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5817264
-Commit-Queue: Thibaud Michaud <[email protected]>
-Cr-Original-Commit-Position: refs/heads/main@{#95847}
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5831578
-Reviewed-by: Thibaud Michaud <[email protected]>
-Reviewed-by: Igor Sheludko <[email protected]>
-Commit-Queue: Roger Felipe Zanoni da Silva (xWF) <[email protected]>
-Cr-Commit-Position: refs/branch-heads/12.6@{#62}
-Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
-Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
-
-diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc
-index c3db834a8b8a9f28d32860336347df169b808043..bf4d6b90626a6e8eb98913fb2e524c9e87dd6e3c 100644
---- a/src/execution/isolate.cc
-+++ b/src/execution/isolate.cc
-@@ -2049,6 +2049,14 @@ Tagged<Object> Isolate::UnwindAndFindHandler() {
-     return exception;
-   };
- 
-+#if V8_ENABLE_WEBASSEMBLY
-+  Tagged<Object> maybe_continuation = root(RootIndex::kActiveContinuation);
-+  Tagged<WasmContinuationObject> continuation;
-+  if (!IsUndefined(maybe_continuation)) {
-+    continuation = WasmContinuationObject::cast(maybe_continuation);
-+  }
-+#endif
-+
-   // Special handling of termination exceptions, uncatchable by JavaScript and
-   // Wasm code, we unwind the handlers until the top ENTRY handler is found.
-   bool catchable_by_js = is_catchable_by_javascript(exception);
-@@ -2067,15 +2075,25 @@ Tagged<Object> Isolate::UnwindAndFindHandler() {
-   for (StackFrameIterator iter(this);; iter.Advance(), visited_frames++) {
- #if V8_ENABLE_WEBASSEMBLY
-     if (iter.frame()->type() == StackFrame::STACK_SWITCH) {
--      Tagged<Code> code =
--          builtins()->code(Builtin::kWasmReturnPromiseOnSuspendAsm);
--      HandlerTable table(code);
--      Address instruction_start =
--          code->InstructionStart(this, iter.frame()->pc());
--      int handler_offset = table.LookupReturn(0);
--      return FoundHandler(Context(), instruction_start, handler_offset,
--                          kNullAddress, iter.frame()->sp(), iter.frame()->fp(),
--                          visited_frames);
-+      if (catchable_by_js) {
-+        Tagged<Code> code =
-+            builtins()->code(Builtin::kWasmReturnPromiseOnSuspendAsm);
-+        HandlerTable table(code);
-+        Address instruction_start =
-+            code->InstructionStart(this, iter.frame()->pc());
-+        int handler_offset = table.LookupReturn(0);
-+        return FoundHandler(Context(), instruction_start, handler_offset,
-+                            kNullAddress, iter.frame()->sp(),
-+                            iter.frame()->fp(), visited_frames);
-+      } else {
-+        // We reached the base of the wasm stack. Follow the chain of
-+        // continuations to find the parent stack and reset the iterator.
-+        DCHECK(!continuation.is_null());
-+        continuation = WasmContinuationObject::cast(continuation->parent());
-+        wasm::StackMemory* stack =
-+            Managed<wasm::StackMemory>::cast(continuation->stack())->raw();
-+        iter.Reset(thread_local_top(), stack);
-+      }
-     }
- #endif
-     // Handler must exist.

+ 0 - 35
patches/v8/merged_don_t_assume_all_turbofan_frames_are_javascript.patch

@@ -1,35 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Eric Leese <[email protected]>
-Date: Mon, 30 Sep 2024 15:43:41 +0000
-Subject: Merged: Don't assume all turbofan frames are JavaScript
-
-(cherry picked from commit 969cea30e86cf1b004ab2c739f9798cc8c633e9e)
-
-Bug: 367734947
-Change-Id: I61ccc3b0d0c87bd0fc5b3aa03308897d6c472ce7
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5912942
-Reviewed-by: Leszek Swirski <[email protected]>
-Commit-Queue: Leszek Swirski <[email protected]>
-Auto-Submit: Eric Leese <[email protected]>
-Cr-Commit-Position: refs/branch-heads/12.9@{#55}
-Cr-Branched-From: 64a21d7ad7fca1ddc73a9264132f703f35000b69-refs/heads/12.9.202@{#1}
-Cr-Branched-From: da4200b2cfe6eb1ad73c457ed27cf5b7ff32614f-refs/heads/main@{#95679}
-
-diff --git a/src/execution/isolate.cc b/src/execution/isolate.cc
-index bf4d6b90626a6e8eb98913fb2e524c9e87dd6e3c..f16814a22242aff2134dcb7294d26f0eb34404ac 100644
---- a/src/execution/isolate.cc
-+++ b/src/execution/isolate.cc
-@@ -2481,6 +2481,13 @@ HandlerTable::CatchPrediction PredictExceptionFromBytecode(
- 
- HandlerTable::CatchPrediction PredictException(const FrameSummary& summary,
-                                                Isolate* isolate) {
-+  if (!summary.IsJavaScript()) {
-+    // This can happen when WASM is inlined by TurboFan. For now we ignore
-+    // frames that are not JavaScript.
-+    // TODO(https://crbug.com/349588762): We should also check Wasm code
-+    // for exception handling.
-+    return HandlerTable::UNCAUGHT;
-+  }
-   PtrComprCageBase cage_base(isolate);
-   Handle<AbstractCode> code = summary.AsJavaScript().abstract_code();
-   if (code->kind(cage_base) == CodeKind::BUILTIN) {

+ 0 - 226
patches/v8/merged_heap_sandbox_update_ept_s_evacuation_entries_in_scavenger.patch

@@ -1,226 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Anton Bikineev <[email protected]>
-Date: Tue, 27 Aug 2024 11:24:48 +0200
-Subject: Merged: heap,sandbox: Update EPT's evacuation entries in Scavenger.
-
-If Scavenger interleaves MarkCompact that performs compaction on EPT,
-there may be some evacuation entries allocated in the young EPT that
-would back-point to the Scavenger's from-space. Add a new phase that
-updates all the evacuation entries in the young EPT up until
-`start_of_evacation_area`.
-
-Bug: 358485426
-
-(cherry picked from commit 1a2b08edbec1a8ebcf3d4adc91da4f2569fb744a)
-
-Change-Id: Iadabe3ded39b32d8908e5d4e8fbff593b977940c
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5827960
-Auto-Submit: Deepti Gandluri <[email protected]>
-Reviewed-by: Matthias Liedtke <[email protected]>
-Commit-Queue: Deepti Gandluri <[email protected]>
-Cr-Commit-Position: refs/branch-heads/12.8@{#50}
-Cr-Branched-From: 70cbb397b153166027e34c75adf8e7993858222e-refs/heads/12.8.374@{#1}
-Cr-Branched-From: 451b63ed4251c2b21c56144d8428f8be3331539b-refs/heads/main@{#95151}
-
-diff --git a/src/heap/incremental-marking.cc b/src/heap/incremental-marking.cc
-index 909817c5afb8deb8c09bee4c11a3459082c75818..94bfd80c085fe21a9fab2ad8887f23cd95748515 100644
---- a/src/heap/incremental-marking.cc
-+++ b/src/heap/incremental-marking.cc
-@@ -532,6 +532,68 @@ void IncrementalMarking::UpdateMarkingWorklistAfterScavenge() {
-   weak_objects_->UpdateAfterScavenge();
- }
- 
-+void IncrementalMarking::UpdateExternalPointerTableAfterScavenge() {
-+#ifdef V8_COMPRESS_POINTERS
-+  if (!IsMajorMarking()) return;
-+  DCHECK(!v8_flags.separate_gc_phases);
-+
-+  heap_->isolate()->external_pointer_table().UpdateAllEvacuationEntries(
-+      heap_->young_external_pointer_space(), [](Address old_handle_location) {
-+        // 1) Resolve object start from the marking bitmap. Note that it's safe
-+        //    since there is no black allocation for the young space (and hence
-+        //    no range or page marking).
-+        // 2) Get a relocated object from the forwaring reference stored in the
-+        //    map.
-+        // 3) Compute offset from the original object start to the handle
-+        //    location.
-+        // 4) Compute and return the new handle location.
-+        //
-+        // Please note that instead of updating the evacuation entries, we
-+        // could simply clobber them all, which would still work, but limit
-+        // compaction to some extent. We can reconsider this in the future, if
-+        // relying on the marking bitmap becomes an issue (e.g. with inlined
-+        // mark-bits).
-+        const MemoryChunk* chunk =
-+            MemoryChunk::FromAddress(old_handle_location);
-+        if (!chunk->InYoungGeneration()) {
-+          return old_handle_location;
-+        }
-+        // TODO(358485426): Check that the page is not black.
-+
-+        Address base = MarkingBitmap::FindPreviousValidObject(
-+            static_cast<const PageMetadata*>(chunk->Metadata()),
-+            old_handle_location);
-+        Tagged<HeapObject> object(HeapObject::FromAddress(base));
-+
-+        MapWord map_word = object->map_word(kRelaxedLoad);
-+        if (!map_word.IsForwardingAddress()) {
-+      // There may be objects in the EPT that do not exist anymore. If these
-+      // objects are dead at scavenging time, their marking deque entries will
-+      // not point to forwarding addresses. Hence, we can discard them.
-+#if DEBUG
-+          // Check that the handle did reside inside the original dead object.
-+          const int object_size = object->Size();
-+          // Map slots can never contain external pointers.
-+          DCHECK_LT(object.address(), old_handle_location);
-+          DCHECK_LT(old_handle_location, object.address() + object_size);
-+#endif  // DEBUG
-+          return kNullAddress;
-+        }
-+
-+        Tagged<HeapObject> moved_object = map_word.ToForwardingAddress(object);
-+#if DEBUG
-+        const int object_size = moved_object->Size();
-+        // Map slots can never contain external pointers.
-+        DCHECK_LT(object.address(), old_handle_location);
-+        DCHECK_LT(old_handle_location, object.address() + object_size);
-+#endif  // DEBUG
-+
-+        const ptrdiff_t handle_offset = old_handle_location - base;
-+        return moved_object.address() + handle_offset;
-+      });
-+#endif  // V8_COMPRESS_POINTERS
-+}
-+
- void IncrementalMarking::UpdateMarkedBytesAfterScavenge(
-     size_t dead_bytes_in_new_space) {
-   if (!IsMajorMarking()) return;
-diff --git a/src/heap/incremental-marking.h b/src/heap/incremental-marking.h
-index d61a43d782f8e565d6823ff87ccd50aa384201ba..b32596db5f9dffb047ac1ce089e4adef6453925c 100644
---- a/src/heap/incremental-marking.h
-+++ b/src/heap/incremental-marking.h
-@@ -99,6 +99,7 @@ class V8_EXPORT_PRIVATE IncrementalMarking final {
-   bool Stop();
- 
-   void UpdateMarkingWorklistAfterScavenge();
-+  void UpdateExternalPointerTableAfterScavenge();
-   void UpdateMarkedBytesAfterScavenge(size_t dead_bytes_in_new_space);
- 
-   // Performs incremental marking step and finalizes marking if complete.
-diff --git a/src/heap/scavenger.cc b/src/heap/scavenger.cc
-index e335c8c067aa884e94d30230cafddff82ece280f..892b5880c98a30bb94d16c97292f2b86774974e0 100644
---- a/src/heap/scavenger.cc
-+++ b/src/heap/scavenger.cc
-@@ -496,6 +496,7 @@ void ScavengerCollector::CollectGarbage() {
-         &Heap::UpdateYoungReferenceInExternalStringTableEntry);
- 
-     heap_->incremental_marking()->UpdateMarkingWorklistAfterScavenge();
-+    heap_->incremental_marking()->UpdateExternalPointerTableAfterScavenge();
- 
-     if (V8_UNLIKELY(v8_flags.track_retaining_path)) {
-       heap_->UpdateRetainersAfterScavenge();
-diff --git a/src/sandbox/compactible-external-entity-table.h b/src/sandbox/compactible-external-entity-table.h
-index b90abf0277381f430646cf2f1759ecab9ef32905..5fc3de392e7eb1a98598ab69b1074b7f69aac8b9 100644
---- a/src/sandbox/compactible-external-entity-table.h
-+++ b/src/sandbox/compactible-external-entity-table.h
-@@ -42,7 +42,7 @@ enum class ExternalEntityTableCompactionOutcome {
-  *    compacted. This decision is mostly based on the absolute and relative
-  *    size of the freelist.
-  *  - If compaction is needed, this algorithm determines by how many segments
-- *    it would like to shrink the space (N). It will then attempts to move all
-+ *    it would like to shrink the space (N). It will then attempt to move all
-  *    live entries out of these segments so that they can be deallocated
-  *    afterwards during sweeping.
-  *  - The algorithm then simply selects the last N segments for evacuation, and
-diff --git a/src/sandbox/external-pointer-table.cc b/src/sandbox/external-pointer-table.cc
-index 21298edd3b6c03fb8ffa51359642c1f1da64466a..c5e90dc31addc1a25e20020ad202d04db332d9ea 100644
---- a/src/sandbox/external-pointer-table.cc
-+++ b/src/sandbox/external-pointer-table.cc
-@@ -42,7 +42,7 @@ class SegmentsIterator {
-   using const_iterator = typename std::set<Segment>::const_reverse_iterator;
- 
-  public:
--  SegmentsIterator() {}
-+  SegmentsIterator() = default;
- 
-   void AddSegments(const std::set<Segment>& segments, Data data) {
-     streams_.emplace_back(segments.rbegin(), segments.rend(), data);
-@@ -126,7 +126,7 @@ uint32_t ExternalPointerTable::EvacuateAndSweepAndCompact(Space* space,
-     segments_iter.AddSegments(from_space_segments, from_space_compaction);
- 
-     FreelistHead empty_freelist;
--    from_space->freelist_head_.store(empty_freelist, std::memory_order_release);
-+    from_space->freelist_head_.store(empty_freelist, std::memory_order_relaxed);
- 
-     for (Address field : from_space->invalidated_fields_)
-       space->invalidated_fields_.push_back(field);
-@@ -176,6 +176,13 @@ uint32_t ExternalPointerTable::EvacuateAndSweepAndCompact(Space* space,
-         Address handle_location =
-             payload.ExtractEvacuationEntryHandleLocation();
- 
-+        // The evacuation entry may be invalidated by the Scavenger that has
-+        // freed the object.
-+        if (handle_location == kNullAddress) {
-+          AddToFreelist(i);
-+          continue;
-+        }
-+
-         // The external pointer field may have been invalidated in the meantime
-         // (for example if the host object has been in-place converted to a
-         // different type of object). In that case, the field no longer
-@@ -295,6 +302,40 @@ void ExternalPointerTable::ResolveEvacuationEntryDuringSweeping(
-   }
- }
- 
-+void ExternalPointerTable::UpdateAllEvacuationEntries(
-+    Space* space, std::function<Address(Address)> function) {
-+  DCHECK(space->BelongsTo(this));
-+  DCHECK(!space->is_internal_read_only_space());
-+
-+  if (!space->IsCompacting()) return;
-+
-+  // Lock the space. Technically this is not necessary since no other thread can
-+  // allocate entries at this point, but some of the methods we call on the
-+  // space assert that the lock is held.
-+  base::MutexGuard guard(&space->mutex_);
-+  // Same for the invalidated fields mutex.
-+  base::MutexGuard invalidated_fields_guard(&space->invalidated_fields_mutex_);
-+
-+  const uint32_t start_of_evacuation_area =
-+      space->start_of_evacuation_area_.load(std::memory_order_relaxed);
-+
-+  // Iterate until the start of evacuation area.
-+  for (auto& segment : space->segments_) {
-+    if (segment.first_entry() == start_of_evacuation_area) return;
-+    for (uint32_t i = segment.first_entry(); i < segment.last_entry() + 1;
-+         ++i) {
-+      ExternalPointerTableEntry& entry = at(i);
-+      ExternalPointerTableEntry::Payload payload = entry.GetRawPayload();
-+      if (!payload.ContainsEvacuationEntry()) {
-+        continue;
-+      }
-+      Address new_location =
-+          function(payload.ExtractEvacuationEntryHandleLocation());
-+      entry.MakeEvacuationEntry(new_location);
-+    }
-+  }
-+}
-+
- }  // namespace internal
- }  // namespace v8
- 
-diff --git a/src/sandbox/external-pointer-table.h b/src/sandbox/external-pointer-table.h
-index 0527057b6afeccf8f70a7d88510502b40919a974..4ed4195c7d5d7699978a6d6aee67cf2322d2101f 100644
---- a/src/sandbox/external-pointer-table.h
-+++ b/src/sandbox/external-pointer-table.h
-@@ -401,6 +401,10 @@ class V8_EXPORT_PRIVATE ExternalPointerTable
-   uint32_t SweepAndCompact(Space* space, Counters* counters);
-   uint32_t Sweep(Space* space, Counters* counters);
- 
-+  // Updates all evacuation entries with new handle locations. The function
-+  // takes the old hanlde location and returns the new one.
-+  void UpdateAllEvacuationEntries(Space*, std::function<Address(Address)>);
-+
-   inline bool Contains(Space* space, ExternalPointerHandle handle) const;
- 
-   // A resource outside of the V8 heap whose lifetime is tied to something

+ 0 - 39
patches/v8/merged_wasm_fix_default_externref_exnref_reference.patch

@@ -1,39 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Thibaud Michaud <[email protected]>
-Date: Thu, 10 Oct 2024 18:54:04 +0200
-Subject: Merged: [wasm] Fix default externref/exnref reference
-
-- The default nullexternref should be null instead of undefined
-- The default exnref/nullexnref should be null instead of wasm_null
-
-(cherry picked from commit e7ccf0af1bdddd20dc58e1790a94739dba0209a3)
-
-Change-Id: I5b32e80f2eb59b29113232f9e2f59a8803915cb3
-Fixed: 372285204,372269618
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5937812
-Reviewed-by: Thibaud Michaud <[email protected]>
-Auto-Submit: Matthias Liedtke <[email protected]>
-Commit-Queue: Thibaud Michaud <[email protected]>
-Cr-Commit-Position: refs/branch-heads/13.0@{#35}
-Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
-Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
-
-diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
-index ae04f27efb30f2bf086bd4fe4bf9a3594c38c581..8bdc146c672416b05b07d8b6a1d2af1629428536 100644
---- a/src/wasm/wasm-js.cc
-+++ b/src/wasm/wasm-js.cc
-@@ -1303,9 +1303,12 @@ i::Handle<i::HeapObject> DefaultReferenceValue(i::Isolate* isolate,
-   DCHECK(type.is_object_reference());
-   // Use undefined for JS type (externref) but null for wasm types as wasm does
-   // not know undefined.
--  if (type.heap_representation() == i::wasm::HeapType::kExtern ||
--      type.heap_representation() == i::wasm::HeapType::kNoExtern) {
-+  if (type.heap_representation() == i::wasm::HeapType::kExtern) {
-     return isolate->factory()->undefined_value();
-+  } else if (type.heap_representation() == i::wasm::HeapType::kNoExtern ||
-+             type.heap_representation() == i::wasm::HeapType::kExn ||
-+             type.heap_representation() == i::wasm::HeapType::kNoExn) {
-+    return isolate->factory()->null_value();
-   }
-   return isolate->factory()->wasm_null();
- }

+ 1 - 1
patches/v8/revert_api_cleanup_remove_setaccessor_and_setnativedataproperty.patch

@@ -58,7 +58,7 @@ index 4d8386865e6ac7dfb300477a456632c8565ab4c5..7946d61daa79f292d7568578852e19db
    void SetAccessor(
        Local<Name> name, AccessorNameGetterCallback getter,
 diff --git a/src/api/api.cc b/src/api/api.cc
-index 498582940eb4e279c17c832f3bda395764a60231..923be64f52d108d68b22e71514764313b6d6adb6 100644
+index cc4c4a9c10797d763ecd808aef5e9893856a0fcc..ca1804e5bccc781bbe9ce2726218894bbbc3e661 100644
 --- a/src/api/api.cc
 +++ b/src/api/api.cc
 @@ -1588,6 +1588,41 @@ void TemplateSetAccessor(Template* template_obj, v8::Local<Name> name,

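--- a/patches/v8/spill_all_loop_inputs_before_entering_loop.patch
+++ b/patches/v8/spill_all_loop_inputs_before_entering_loop.patch
@@ -1,104 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Clemens Backes <[email protected]>
-Date: Tue, 20 Aug 2024 12:25:40 +0200
-Subject: Spill all loop inputs before entering loop
-
-This avoids having to load the value back into a register if it was
-spilled inside of the loop.
-
-[email protected]
-
-Fixed: chromium:360700873
-Change-Id: I24f5deacebc893293e8a3c007e9f070c7fa0ccd2
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5797073
-Reviewed-by: Jakob Kummerow <[email protected]>
-Commit-Queue: Clemens Backes <[email protected]>
-Cr-Commit-Position: refs/heads/main@{#95711}
-
-diff --git a/src/wasm/baseline/liftoff-assembler.cc b/src/wasm/baseline/liftoff-assembler.cc
-index 36f5dade90e251b57c42f24242fec2a0c7fbcdb9..e2dda9b6d684cdf951cc5a23f05fc1b008830fa9 100644
---- a/src/wasm/baseline/liftoff-assembler.cc
-+++ b/src/wasm/baseline/liftoff-assembler.cc
-@@ -445,29 +445,10 @@ void LiftoffAssembler::DropExceptionValueAtOffset(int offset) {
-   cache_state_.stack_state.pop_back();
- }
- 
--void LiftoffAssembler::PrepareLoopArgs(int num) {
--  for (int i = 0; i < num; ++i) {
--    VarState& slot = cache_state_.stack_state.end()[-1 - i];
--    if (slot.is_stack()) continue;
--    RegClass rc = reg_class_for(slot.kind());
--    if (slot.is_reg()) {
--      if (cache_state_.get_use_count(slot.reg()) > 1) {
--        // If the register is used more than once, we cannot use it for the
--        // merge. Move it to an unused register instead.
--        LiftoffRegList pinned;
--        pinned.set(slot.reg());
--        LiftoffRegister dst_reg = GetUnusedRegister(rc, pinned);
--        Move(dst_reg, slot.reg(), slot.kind());
--        cache_state_.dec_used(slot.reg());
--        cache_state_.inc_used(dst_reg);
--        slot.MakeRegister(dst_reg);
--      }
--      continue;
--    }
--    LiftoffRegister reg = GetUnusedRegister(rc, {});
--    LoadConstant(reg, slot.constant());
--    slot.MakeRegister(reg);
--    cache_state_.inc_used(reg);
-+void LiftoffAssembler::SpillLoopArgs(int num) {
-+  for (VarState& slot :
-+       base::VectorOf(cache_state_.stack_state.end() - num, num)) {
-+    Spill(&slot);
-   }
- }
- 
-@@ -685,14 +666,14 @@ void LiftoffAssembler::Spill(VarState* slot) {
- }
- 
- void LiftoffAssembler::SpillLocals() {
--  for (uint32_t i = 0; i < num_locals_; ++i) {
--    Spill(&cache_state_.stack_state[i]);
-+  for (VarState& local_slot :
-+       base::VectorOf(cache_state_.stack_state.data(), num_locals_)) {
-+    Spill(&local_slot);
-   }
- }
- 
- void LiftoffAssembler::SpillAllRegisters() {
--  for (uint32_t i = 0, e = cache_state_.stack_height(); i < e; ++i) {
--    auto& slot = cache_state_.stack_state[i];
-+  for (VarState& slot : cache_state_.stack_state) {
-     if (!slot.is_reg()) continue;
-     Spill(slot.offset(), slot.reg(), slot.kind());
-     slot.MakeStack();
-diff --git a/src/wasm/baseline/liftoff-assembler.h b/src/wasm/baseline/liftoff-assembler.h
-index fec9efb7d32819d39a836fb38b71ae6233a12d72..3261b582139c0652e2faff455f1c8a580f57c382 100644
---- a/src/wasm/baseline/liftoff-assembler.h
-+++ b/src/wasm/baseline/liftoff-assembler.h
-@@ -460,9 +460,9 @@ class LiftoffAssembler : public MacroAssembler {
-   // the bottom of the stack.
-   void DropExceptionValueAtOffset(int offset);
- 
--  // Ensure that the loop inputs are either in a register or spilled to the
--  // stack, so that we can merge different values on the back-edge.
--  void PrepareLoopArgs(int num);
-+  // Spill all loop inputs to the stack to free registers and to ensure that we
-+  // can merge different values on the back-edge.
-+  void SpillLoopArgs(int num);
- 
-   V8_INLINE static int NextSpillOffset(ValueKind kind, int top_spill_offset);
-   V8_INLINE int NextSpillOffset(ValueKind kind);
-diff --git a/src/wasm/baseline/liftoff-compiler.cc b/src/wasm/baseline/liftoff-compiler.cc
-index 29a4cdce9bac51d1ad0fa5e5cb7a39e14a8b7eae..c613568dc476418e3c40ec1a37690b3263f9473a 100644
---- a/src/wasm/baseline/liftoff-compiler.cc
-+++ b/src/wasm/baseline/liftoff-compiler.cc
-@@ -1390,7 +1390,7 @@ class LiftoffCompiler {
-     // pre-analysis of the function.
-     __ SpillLocals();
- 
--    __ PrepareLoopArgs(loop->start_merge.arity);
-+    __ SpillLoopArgs(loop->start_merge.arity);
- 
-     // Loop labels bind at the beginning of the block.
-     __ bind(loop->label.get());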