
chore: cherry-pick 11 changes from Release-1-M115 #39516

Merged
merged 3 commits into from Aug 17, 2023

Conversation

VerteDinde
Member

@VerteDinde VerteDinde commented Aug 16, 2023

electron/security#385 - d0c1b8954a1b from chromium Ensure unique entries in frame_timing_details_

CompositorFrameSinkSupport::DidPresentCompositorFrame() keeps
|frame_timing_details_| map keyed on CompositorFrame frame_tokens. These
are supposed to be unique but a malicious renderer could violate that
assumption. Convert some DCHECKs into CHECKs to guard against problems
related to this.

(cherry picked from commit 9b62ab5a88379b37dbc712171fdfd5530b99a7a9)

Bug: 1458819
Change-Id: Ib0b9551d18ea421957e0dce49a2593043f4abb12
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4673638
Reviewed-by: Jonathan Ross jonross@chromium.org
Commit-Queue: Kyle Charbonneau kylechar@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1169287}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4689943
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Commit-Queue: Vasiliy Telezhnikov vasilyt@chromium.org
Cr-Commit-Position: refs/branch-heads/5735@{#1481}
Cr-Branched-From: 2f562e4ddbaf79a3f3cb338b4d1bd4398d49eb67-refs/heads/main@{#1135570}

electron/security#383 - 96fc6d931c97 from v8 [wasm-gc] Merge a few fixes

This commit cherry-picks small parts of:
crrev.com/c/4669597
crrev.com/c/4675296
crrev.com/c/4677170
that are suitable for backmerging.

Bug: chromium:1462951
Change-Id: Ic8994753c3bdbf9676701ce3ab8c98ae9700156b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4677663
Auto-Submit: Jakob Kummerow jkummerow@chromium.org
Reviewed-by: Manos Koukoutos manoskouk@chromium.org
Commit-Queue: Manos Koukoutos manoskouk@chromium.org
Cr-Commit-Position: refs/branch-heads/11.5@{#35}
Cr-Branched-From: 0c4044b7336787781646e48b2f98f0c7d1b400a5-refs/heads/11.5.150@{#1}
Cr-Branched-From: b71d3038a7d99c79e1c21239e8ae07da5fc8c90b-refs/heads/main@{#87781}

electron/security#386 - abb3ebd3d2ef from chromium Destroy CastDeviceListHost during KeyedServices shutdown

This makes MediaNotificationService destroy all the CastDeviceListHosts
that it's instantiated in its KeyedService shutdown. This is necessary
because CastDeviceListHost depends on MediaRouter, another KeyedService.

(cherry picked from commit ffc0dfef649ad5b1149f89bb24c70d43405442ba)

Bug: 1457757
Change-Id: I453279da77b141ad9cd89310fc8128cc7d2919f2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4672319
Reviewed-by: Tommy Steimel steimel@chromium.org
Commit-Queue: Takumi Fujimoto takumif@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1168361}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4692442
Auto-Submit: Takumi Fujimoto takumif@chromium.org
Commit-Queue: Tommy Steimel steimel@chromium.org
Cr-Commit-Position: refs/branch-heads/5790@{#1763}
Cr-Branched-From: 1d71a337b1f6e707a13ae074dca1e2c34905eb9f-refs/heads/main@{#1148114}

electron/security#384 - fa181f8768c9 from chromium Roll WebRTC from dbb89430ef77 to e9e03a916050 (3 revisions)

Bug: chromium:1459124

https://webrtc.googlesource.com/src.git/+log/dbb89430ef77..e9e03a916050

2023-07-19 joachimr@meta.com Fix inaccurate contentType in RTCInbound/OutboundRtpStreamStats
2023-07-19 phancke@microsoft.com Prevent SDP munging of duplicate SSRCs
2023-07-19 chromium-webrtc-autoroll@webrtc-ci.iam.gserviceaccount.com Roll chromium_revision 21b76e39ae..58a3c40eba (1172261:1172400)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/webrtc-chromium-autoroll
Please CC webrtc-chromium-sheriffs-robots@google.com,webrtc-infra@google.com on the revert to ensure that a human
is aware of the problem.

To file a bug in WebRTC: https://bugs.chromium.org/p/webrtc/issues/entry
To file a bug in Chromium: https://bugs.chromium.org/p/chromium/issues/entry

To report a problem with the AutoRoller itself, please file a bug:
https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md

Bug: chromium:1459124
Tbr: webrtc-chromium-sheriffs-robots@google.com
Change-Id: I2340d48bb0484a1dd608eb61bb97de4c3313307b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4703308
Bot-Commit: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Commit-Queue: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Cr-Commit-Position: refs/heads/main@{#1172688}

electron/security#379 - 896deb576574 from v8 Merged: [maglev] Fix default constructor instantiation

The new.target may not be in the correct state for fast instantiation.

(cherry picked from commit ed93bef7ab786d5367c2ae7882922c23aa0eda64)

Bug: v8:7700, chromium:1465326
Change-Id: I09f92576c0b5573e902ae3b2210a7b5fdbd1e415
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4694007
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4711047
Auto-Submit: Toon Verwaest verwaest@chromium.org
Reviewed-by: Leszek Swirski leszeks@chromium.org
Commit-Queue: Leszek Swirski leszeks@chromium.org
Cr-Commit-Position: refs/branch-heads/11.6@{#20}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}

electron/security#388 - 337124b13aaa from chromium [Merge M116] [blink] Fix UAF in NonMainThreadTaskQueue

The issue is that WorkerThreadScheduler::OnTaskCompleted's
PerformMicrotaskCheckpoint() might result in a blink heap GC which may
collect NonMainThreadWebSchedulingTaskQueueImpl (owned by
GarbageCollected) which might own the last ref to
NonMainThreadTaskQueue. If the NonMainThreadTaskQueue is deleted,
there's a UAF in the follow-up call to
task_queue->OnTaskRunTimeReported(task_timing);

Retain a ref to NonMainThreadTaskQueue throughout OnTaskCompleted() to
prevent this.

The other option, proposed @ crbug.com/1464113#c3 was to bind the ref
ahead of time in the on_task_completed_handler but I am leery that
this might prevent deleting queues with pending tasks.

R=altimin@chromium.org

(cherry picked from commit 3463ed58f68034e68a1291b6413776c2b72994e8)

Bug: 1464113
Change-Id: I877c609244ab90a0af1c87c317cf5a55e2fa60ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4678047
Reviewed-by: Alexander Timin altimin@chromium.org
Reviewed-by: Etienne Pierre-Doray etiennep@chromium.org
Commit-Queue: Gabriel Charette gab@chromium.org
Auto-Submit: Gabriel Charette gab@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1170760}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4706171
Commit-Queue: Alexander Timin altimin@chromium.org
Cr-Commit-Position: refs/branch-heads/5845@{#750}
Cr-Branched-From: 5a5dff63a4a4c63b9b18589819bebb2566c85443-refs/heads/main@{#1160321}

electron/security#382 - 83b0bdb696d8 from chromium Roll SwiftShader from 222e07b368b1 to 8d9a45b1f3ab (12 revisions)

https://swiftshader.googlesource.com/SwiftShader.git/+log/222e07b368b1..8d9a45b1f3ab

2023-07-24 bclayton@google.com LLVMReactor: Remove CreateFreeze() call
2023-07-23 bclayton@google.com LLVMReactor: Clamp RHS of bit shifts using type width
2023-07-22 bclayton@google.com Fix another 'sign-compare' warning as error
2023-07-22 bclayton@google.com Fix 'sign-compare' warning as error
2023-07-21 bclayton@google.com LLVMReactor: Clamp RHS of bit shifts.
2023-07-21 swiftshader.regress@gmail.com Regres: Update test lists @ 4a260c12
2023-07-21 bclayton@google.com ExecutableMemory: Use VirtualAlloc() instead of new on windows
2023-07-20 avi@google.com Don't allow Swiftshader to be compiled as ARC
2023-07-18 tiszka@chromium.org [subzero] Fix integer overflows during alloca coalescing
2023-07-12 aredulla@google.com [ssci] Added Shipped field to READMEs
2023-07-11 jif@google.com [LLVM 16] Have Swiftshader built with Android.bp use LLVM 16.
2023-07-04 jif@google.com [LLVM 16] Shifts do not generate poison values

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/swiftshader-chromium-autoroll
Please CC capn@chromium.org,swiftshader-eng+autoroll@google.com on the revert to ensure that a human
is aware of the problem.

To file a bug in SwiftShader: https://bugs.chromium.org/p/swiftshader/issues/entry
To file a bug in Chromium: https://bugs.chromium.org/p/chromium/issues/entry

To report a problem with the AutoRoller itself, please file a bug:
https://bugs.chromium.org/p/skia/issues/entry?template=Autoroller+Bug

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md

Cq-Include-Trybots: luci.chromium.try:linux_chromium_msan_rel_ng;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel;luci.chromium.try:linux-swangle-try-x64;luci.chromium.try:win-swangle-try-x86
Bug: chromium:1427865,chromium:1431761,chromium:1464038,chromium:1464680,chromium:1466124,chromium:733237
Tbr: swiftshader-eng+autoroll@google.com
Change-Id: Ifea78e22e4b836267a9094fffa87ddda27516f1c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4711308
Bot-Commit: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Commit-Queue: chromium-autoroll chromium-autoroll@skia-public.iam.gserviceaccount.com
Cr-Commit-Position: refs/heads/main@{#1174303}

electron/security#378 - 8d60b1d3b1be from v8 [wasm-gc] Use wasm-null as default value for wasm reference types

(cherry picked from commit b947905d27518b7764607708ec9f74ac3ea94b6b)

Bug: v8:7748, chromium:1466183
Change-Id: I6d7de33e0cec37747045269f441e65f7a482dd4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4701553
Auto-Submit: Manos Koukoutos manoskouk@chromium.org
Reviewed-by: Jakob Kummerow jkummerow@chromium.org
Commit-Queue: Jakob Kummerow jkummerow@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#89060}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4714606
Commit-Queue: Manos Koukoutos manoskouk@chromium.org
Cr-Commit-Position: refs/branch-heads/11.6@{#22}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}

electron/security#381 - 285c7712c506 from angle M116: Translator: Unconditionally limit variable sizes

... instead of just for WebGL. This is to avoid hitting driver bugs
that were prevented with this check for WebGL on a compromised renderer
that can create non-WebGL contexts.

Bug: chromium:1464682
Change-Id: I2b1c5a8c51f06225f5f850109d30778d97e574c7
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4717371
Reviewed-by: Roman Lavrov romanl@google.com

electron/security#377 - 2bf945775fe6 from angle M116: Translator: Limit variable sizes vs uint overflow

Bug: chromium:1464680
Change-Id: Iee41a2da7a7a330e6cc4d6da59a6e9836ee9dd36
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4717372
Reviewed-by: Roman Lavrov romanl@google.com

electron/security#387 - cafe56b591ed from angle M116: GL: Ensure all instanced attributes have a buffer with data

Apple OpenGL drivers sometimes crash when given an instanced draw with
a buffer that has never been given data.

It's not efficient to check if the attribute is both zero-sized and
instanced so just ensure that every time a zero-sized buffer is bound
to an attribute, it gets initialized with some data.

Bug: chromium:1456243
Change-Id: I66b7c7017843153db2df3bc50010cba765d03c5f
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4642048
Commit-Queue: Geoff Lang geofflang@chromium.org
Reviewed-by: Shahbaz Youssefi syoussefi@chromium.org
(cherry picked from commit 4e6124dae892690204f8e5996aeaad14f45e0a97)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4727452

electron/security#TBD - ecf8b698d from chromium Check whether read side is closed when reading QuicChromiumClientStream

When quic::QuicSpdyStream receives a RST_STREAM frame it clears the
underlying read buffer. Subsequent read operations should check
quic::QuicStream::read_side_closed() so that it doesn't access the
cleared read buffer.

This CL is cloned from https://crrev.com/c/4691923 by bashi@chromium.org.

Bug: 1465224
Change-Id: I35a908e11d09c67dea857b34653d6cf1cadbb407
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4728448
Commit-Queue: Bence Béky bnc@chromium.org
Auto-Submit: Bence Béky bnc@chromium.org

electron/security#TBD - aa7dddc from chromium Defer initialization of extensions when the main target isn't there yet

When the target isn't fully initialized or its inspected url isn't set
yet extension registration would fail-open. With this CL we defer
loading extensions until there is an inspected url.

Bug: 1451146, 1461895
Change-Id: Iac7a3323f561f538706c59b8e10c75ce0e3364b6
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/4664806
Commit-Queue: Philip Pfaffe pfaffe@chromium.org
Reviewed-by: Danil Somsikov dsv@chromium.org

electron/security#TBD - f5ad056 from chromium GL: Fix ScalarizeVecAndMatConstructorArgs and move to gl/

This transformation was buggy and was disabled. Originally, it was
intended to be used everywhere. It is now needed for a GL driver
workaround.

This change reimplements this transformation and uses it as a GL
workaround.

Bug: chromium:1420130
Change-Id: I42d63fa5844bcf683ac41e61925aa637e033ca2e
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4676634
Commit-Queue: Shahbaz Youssefi syoussefi@chromium.org
Reviewed-by: Geoff Lang geofflang@chromium.org

Notes:

* d0c1b8954a1b from chromium
* 96fc6d931c97 from v8
* abb3ebd3d2ef from chromium
* fa181f8768c9 from chromium
* 896deb576574 from v8
* 337124b13aaa from chromium
* 83b0bdb696d8 from chromium
* 8d60b1d3b1be from v8
* 285c7712c506 from angle
* 2bf945775fe6 from angle
* cafe56b591ed from angle
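The first cherry-pick above (d0c1b8954a1b) turns on the same invariant in release builds that was previously only asserted in debug builds: frame tokens arriving from the renderer are supposed to be unique, but a compromised renderer need not honour that, and a DCHECK gives no protection once it is compiled out. The following is an added example, not code from Chromium or from this PR, showing that pattern in miniature: a tracker that keys timing records on a caller-supplied token, with the debug-only version next to a version whose uniqueness check is part of the insert itself. `FrameTimingTracker`, `FrameTimingDetails`, `InsertResult` and `DEBUG_ONLY_CHECK` are all hypothetical names chosen for this illustration; the actual Chromium types and macros differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <vector>

// Hypothetical, simplified stand-in for a per-frame timing record.
struct FrameTimingDetails {
  uint64_t presented_time_us = 0;
};

enum class InsertResult { kAccepted, kDuplicateToken };

// Debug-only assertion modelled on a DCHECK: compiled out under NDEBUG, so in
// a release build a violated invariant produces no signal at all.
#ifdef NDEBUG
#define DEBUG_ONLY_CHECK(cond) ((void)0)
#else
#define DEBUG_ONLY_CHECK(cond)                                   \
  do {                                                           \
    if (!(cond)) {                                               \
      std::fprintf(stderr, "debug check failed: %s\n", #cond);   \
      std::abort();                                              \
    }                                                            \
  } while (0)
#endif

class FrameTimingTracker {
 public:
  // The pattern being replaced: uniqueness is asserted only in debug builds.
  // In release, operator[] silently overwrites the earlier entry for a
  // repeated token, and later code that assumed one entry per frame runs on
  // inconsistent state.
  void RecordUnchecked(uint32_t frame_token, FrameTimingDetails details) {
    DEBUG_ONLY_CHECK(details_.find(frame_token) == details_.end());
    details_[frame_token] = details;
  }

  // The hardened form: emplace never overwrites and reports whether the key
  // was new, so the check is part of the insert and cannot be compiled out.
  // Production code would CHECK() on kDuplicateToken and terminate the
  // misbehaving peer; here the verdict is returned so it can be tested.
  InsertResult Record(uint32_t frame_token, FrameTimingDetails details) {
    auto result = details_.emplace(frame_token, details);
    return result.second ? InsertResult::kAccepted
                         : InsertResult::kDuplicateToken;
  }

  size_t size() const { return details_.size(); }

 private:
  std::map<uint32_t, FrameTimingDetails> details_;
};

// Processes a batch of frame tokens as they would arrive from the less-trusted
// side. Returns the number accepted, or -1 at the first duplicate (the point
// at which an always-on CHECK would fire).
int ProcessFrameTokens(FrameTimingTracker& tracker,
                       const std::vector<uint32_t>& tokens) {
  int accepted = 0;
  for (uint32_t token : tokens) {
    FrameTimingDetails details;
    details.presented_time_us = 1000u * token;  // constructed sample value
    if (tracker.Record(token, details) == InsertResult::kDuplicateToken) {
      return -1;
    }
    ++accepted;
  }
  return accepted;
}

int main() {
  FrameTimingTracker tracker;
  // Constructed input: a well-behaved sequence followed by a repeated token.
  int accepted = ProcessFrameTokens(tracker, {1, 2, 3, 2});
  std::printf("accepted=%d tracked=%zu\n", accepted, tracker.size());
  return 0;
}
```

The point of the hardened form is that the duplicate is detected by the same operation that would otherwise corrupt the map, so there is no build configuration in which the data structure ends up in a state the rest of the code did not anticipate.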
@VerteDinde VerteDinde requested a review from a team as a code owner August 16, 2023 01:04
@VerteDinde VerteDinde added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 26-x-y labels Aug 16, 2023
@electron-cation electron-cation bot added new-pr 🌱 PR opened in the last 24 hours and removed new-pr 🌱 PR opened in the last 24 hours labels Aug 16, 2023
@VerteDinde VerteDinde marked this pull request as draft August 16, 2023 01:08
@VerteDinde VerteDinde marked this pull request as ready for review August 16, 2023 19:48
@codebytere codebytere merged commit 86fc724 into 26-x-y Aug 17, 2023
13 checks passed
@codebytere codebytere deleted the cherry-pick/security/26-x-y/release-1-m115 branch August 17, 2023 08:51
@release-clerk

release-clerk bot commented Aug 17, 2023

Release Notes Persisted

  • Security: backported fix for CVE-2023-4071.
  • Security: backported fix for CVE-2023-4070.
  • Security: backported fix for CVE-2023-4075.
  • Security: backported fix for CVE-2023-4076.
  • Security: backported fix for CVE-2023-4069.
  • Security: backported fix for CVE-2023-4074.
  • Security: backported fix for CVE-2023-4072.
  • Security: backported fix for CVE-2023-4068.
  • Security: backported fix for 1464682.
  • Security: backported fix for 1464680.
  • Security: backported fix for CVE-2023-4073.
