chore: cherry-pick 7e42e0a7c6 and b1b3ccbd57 from chromium.

patches/chromium/.patches

@@ -102,3 +102,5 @@ provide_axtextchangevaluestartmarker_for_macos_a11y_value_change.patch
 allow_focus_to_move_into_an_editable_combobox_s_listbox.patch
 reconnect_p2p_socket_dispatcher_if_network_service_dies.patch
 fix_properly_honor_printing_page_ranges.patch
+disallow_creation_of_canvasresourceproviders_for_zero_sized_images.patch
+don_t_create_providers_if_context_is_lost.patch

patches/chromium/allow_focus_to_move_into_an_editable_combobox_s_listbox.patch

@@ -23,7 +23,7 @@ diff --git a/content/browser/accessibility/browser_accessibility_manager_mac.mm
 index 90bdee0cf769e872f2e9585eb5055429f12a9eda..614ea21f46190b14832ddba1e621464558630eb0 100644
 --- a/content/browser/accessibility/browser_accessibility_manager_mac.mm
 +++ b/content/browser/accessibility/browser_accessibility_manager_mac.mm
-@@ -142,11 +142,6 @@ BrowserAccessibility* BrowserAccessibilityManagerMac::GetFocus() const {
+@@ -142,11 +142,6 @@
    if (!focus)
      return nullptr;
 

patches/chromium/command-ismediakey.patch

@@ -74,7 +74,7 @@ index 6052fd13ff3d63cf8a4b019b058efb61aad39c3b..42eac7a7b656096c1d2039e340037ac8
    }
    return VKEY_UNKNOWN;
  }
-@@ -193,7 +199,10 @@ CGEventRef MediaKeysListenerImpl::EventTapCallback(CGEventTapProxy proxy,
+@@ -193,7 +199,10 @@ static CGEventRef EventTapCallback(CGEventTapProxy proxy,
    int key_code = (data1 & 0xFFFF0000) >> 16;
    if (key_code != NX_KEYTYPE_PLAY && key_code != NX_KEYTYPE_NEXT &&
        key_code != NX_KEYTYPE_PREVIOUS && key_code != NX_KEYTYPE_FAST &&

patches/chromium/crash_allow_setting_more_options.patch

@@ -78,7 +78,7 @@ diff --git a/components/crash/core/app/crashpad_mac.mm b/components/crash/core/a
 index 0b594d053d7c7f2a8eae9a15e62daacab52ffa64..96210530f699a2331f57415beddc20ed19b9cb4b 100644
 --- a/components/crash/core/app/crashpad_mac.mm
 +++ b/components/crash/core/app/crashpad_mac.mm
-@@ -67,6 +67,8 @@ std::map<std::string, std::string> GetProcessSimpleAnnotations() {
+@@ -67,6 +67,8 @@
      }  // @autoreleasepool
      return process_annotations;
    }();
@@ -87,7 +87,7 @@ index 0b594d053d7c7f2a8eae9a15e62daacab52ffa64..96210530f699a2331f57415beddc20ed
    return annotations;
  }
 
-@@ -137,6 +139,13 @@ base::FilePath PlatformCrashpadInitialization(
+@@ -137,6 +139,13 @@ void DumpProcessWithoutCrashing(task_t task_port) {
 
        std::vector<std::string> arguments;
 

patches/chromium/disable_compositor_recycling.patch

@@ -9,7 +9,7 @@ diff --git a/content/browser/renderer_host/render_widget_host_view_mac.mm b/cont
 index aef2f3625465d5de36d0ce496f7133865a7ba18a..3c8735755deb2b2ff4b00cff16292ae003a8670d 100644
 --- a/content/browser/renderer_host/render_widget_host_view_mac.mm
 +++ b/content/browser/renderer_host/render_widget_host_view_mac.mm
-@@ -478,7 +478,11 @@ void RenderWidgetHostViewMac::WasOccluded() {
+@@ -478,7 +478,11 @@
      return;
 
    host()->WasHidden();

patches/chromium/disallow_creation_of_canvasresourceproviders_for_zero_sized_images.patch

@@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robert Phillips <robertphillips@google.com>
+Date: Wed, 16 Sep 2020 18:42:32 +0000
+Subject: Disallow creation of CanvasResourceProviders for zero sized images
+
+(cherry picked from commit ff3c6ce9ca777c4ab1031b8cfa98e7dfdaea88a1)
+
+Bug: 1126424
+Change-Id: I17ddbdce78d89a997a73c37f18cd945b83936f7f
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2405644
+Reviewed-by: Fernando Serboncini <fserb@chromium.org>
+Commit-Queue: Robert Phillips <robertphillips@google.com>
+Cr-Original-Commit-Position: refs/heads/master@{#806708}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2414669
+Reviewed-by: Robert Phillips <robertphillips@google.com>
+Reviewed-by: Aaron Krajeski <aaronhk@chromium.org>
+Cr-Commit-Position: refs/branch-heads/4240@{#783}
+Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
+
+diff --git a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+index 4635d4a38836150f3abafedeffaf31a20d6e77cf..d13a4e208d19ed55a449641b4648e20303e33aa8 100644
+--- a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
++++ b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+@@ -804,6 +804,9 @@ CanvasResourceProvider::CreateSharedImageProvider(
+   if (!context_provider_wrapper)
+     return nullptr;
+
++  if (size.Width() <= 0 || size.Height() <= 0)
++    return nullptr;
++
+   const auto& capabilities =
+       context_provider_wrapper->ContextProvider()->GetCapabilities();
+   bool use_webgpu =

patches/chromium/don_t_create_providers_if_context_is_lost.patch

@@ -0,0 +1,78 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Aaron Krajeski <aaronhk@chromium.org>
+Date: Tue, 22 Sep 2020 14:53:17 +0000
+Subject: Don't create providers if context is lost
+
+CanvasResourceProvider::CreateSharedImageProvider receives a weak pointer
+to the ContextProviderWrapper and returns nullptr if it does not exist.
+
+Unfortunately SharedGpuContext::IsGpuCompositingEnabled can re-create
+the ContextProviderWrapper after this check happens, leading to potential
+use-after-frees.
+
+To me it simply makes the most sense to not create a CRP if context is
+lost, as the created provider would be invalid and nullptr would get
+returned anyway.
+
+Bug: 1126424
+Change-Id: Ic92709d7a38d94e5e7529efac3a09405d64eaa34
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2417097
+Reviewed-by: Juanmi Huertas <juanmihd@chromium.org>
+Reviewed-by: Fernando Serboncini <fserb@chromium.org>
+Commit-Queue: Aaron Krajeski <aaronhk@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#809327}
+
+diff --git a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+index d13a4e208d19ed55a449641b4648e20303e33aa8..8fb14df8be73ef83fe0e67946b684d2faa825f38 100644
+--- a/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
++++ b/third_party/blink/renderer/platform/graphics/canvas_resource_provider.cc
+@@ -801,10 +801,16 @@ CanvasResourceProvider::CreateSharedImageProvider(
+     bool is_origin_top_left,
+     RasterMode raster_mode,
+     uint32_t shared_image_usage_flags) {
+-  if (!context_provider_wrapper)
+-    return nullptr;
+-
+-  if (size.Width() <= 0 || size.Height() <= 0)
++  // IsGpuCompositingEnabled can re-create the context if it has been lost, do
++  // this up front so that we can fail early and not expose ourselves to
++  // use after free bugs (crbug.com/1126424)
++  const bool is_gpu_compositing_enabled =
++      SharedGpuContext::IsGpuCompositingEnabled();
++
++  // If the context is lost we don't want to re-create it here, the resulting
++  // resource provider would be invalid anyway
++  if (!context_provider_wrapper ||
++      context_provider_wrapper->ContextProvider()->IsContextLost())
+     return nullptr;
+
+   const auto& capabilities =
+@@ -820,7 +826,7 @@ CanvasResourceProvider::CreateSharedImageProvider(
+   }
+
+   const bool is_gpu_memory_buffer_image_allowed =
+-      SharedGpuContext::IsGpuCompositingEnabled() &&
++      is_gpu_compositing_enabled &&
+       IsGMBAllowed(size, color_params, capabilities) &&
+       Platform::Current()->GetGpuMemoryBufferManager();
+
+@@ -853,6 +859,9 @@ CanvasResourceProvider::CreatePassThroughProvider(
+     const CanvasColorParams& color_params,
+     bool is_origin_top_left,
+     base::WeakPtr<CanvasResourceDispatcher> resource_dispatcher) {
++  // SharedGpuContext::IsGpuCompositingEnabled can potentially replace the
++  // context_provider_wrapper, so it's important to call that first as it can
++  // invalidate the weak pointer.
+   if (!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper)
+     return nullptr;
+
+@@ -886,6 +895,9 @@ CanvasResourceProvider::CreateSwapChainProvider(
+     const CanvasColorParams& color_params,
+     bool is_origin_top_left,
+     base::WeakPtr<CanvasResourceDispatcher> resource_dispatcher) {
++  // SharedGpuContext::IsGpuCompositingEnabled can potentially replace the
++  // context_provider_wrapper, so it's important to call that first as it can
++  // invalidate the weak pointer.
+   DCHECK(is_origin_top_left);
+   if (!SharedGpuContext::IsGpuCompositingEnabled() || !context_provider_wrapper)
+     return nullptr;

patches/chromium/fix_properly_honor_printing_page_ranges.patch

@@ -26,7 +26,7 @@ diff --git a/printing/printing_context_mac.mm b/printing/printing_context_mac.mm
 index 93438609a3a0eaeec0dbc76efe5c46e03fb40e52..dc64546f7d88db3b48f379b34c7dcc49b692a048 100644
 --- a/printing/printing_context_mac.mm
 +++ b/printing/printing_context_mac.mm
-@@ -186,7 +186,8 @@ PrintingContext::Result PrintingContextMac::UpdatePrinterSettings(
+@@ -186,7 +186,8 @@ PMPaper MatchPaper(CFArrayRef paper_list,
          !SetCopiesInPrintSettings(settings_->copies()) ||
          !SetCollateInPrintSettings(settings_->collate()) ||
          !SetDuplexModeInPrintSettings(settings_->duplex_mode()) ||
@@ -36,7 +36,7 @@ index 93438609a3a0eaeec0dbc76efe5c46e03fb40e52..dc64546f7d88db3b48f379b34c7dcc49
        return OnError();
      }
    }
-@@ -339,6 +340,22 @@ bool PrintingContextMac::SetCopiesInPrintSettings(int copies) {
+@@ -339,6 +340,22 @@ PMPaper MatchPaper(CFArrayRef paper_list,
    return PMSetCopies(print_settings, copies, false) == noErr;
  }
 

patches/chromium/fix_use_the_new_mediaplaypause_key_listener_for_internal_chrome.patch

@@ -12,7 +12,7 @@ diff --git a/chrome/browser/extensions/global_shortcut_listener_mac.mm b/chrome/
 index befe726af9c10b1563a7fc0bb77cc55f65943d5c..bac51f33f35f96fe4ecc764cf5ca887176642f74 100644
 --- a/chrome/browser/extensions/global_shortcut_listener_mac.mm
 +++ b/chrome/browser/extensions/global_shortcut_listener_mac.mm
-@@ -39,7 +39,7 @@ GlobalShortcutListenerMac::GlobalShortcutListenerMac()
+@@ -39,7 +39,7 @@
    // global MediaKeysListener to receive media keys.
    if (!content::MediaKeysListenerManager::IsMediaKeysListenerManagerEnabled()) {
      media_keys_listener_ = ui::MediaKeysListener::Create(

patches/chromium/mas-cfisobjc.patch

@@ -9,7 +9,7 @@ diff --git a/base/mac/foundation_util.mm b/base/mac/foundation_util.mm
 index be12912dcd0ef0cf046ee2d4033a18ecfdf1e992..d2af322a9d5751105e2c8fe023aad9a91027bf05 100644
 --- a/base/mac/foundation_util.mm
 +++ b/base/mac/foundation_util.mm
-@@ -28,12 +28,6 @@ CFTypeID SecKeyGetTypeID();
+@@ -28,12 +28,6 @@
  #if !defined(OS_IOS)
  CFTypeID SecACLGetTypeID();
  CFTypeID SecTrustedApplicationGetTypeID();
@@ -22,7 +22,7 @@ index be12912dcd0ef0cf046ee2d4033a18ecfdf1e992..d2af322a9d5751105e2c8fe023aad9a9
  #endif
  }  // extern "C"
 
-@@ -326,8 +320,7 @@ NSFont* CFToNSCast(CTFontRef cf_val) {
+@@ -326,8 +320,7 @@ void SetBaseBundleID(const char* new_base_bundle_id) {
        const_cast<NSFont*>(reinterpret_cast<const NSFont*>(cf_val));
    DCHECK(!cf_val ||
           CTFontGetTypeID() == CFGetTypeID(cf_val) ||
@@ -32,7 +32,7 @@ index be12912dcd0ef0cf046ee2d4033a18ecfdf1e992..d2af322a9d5751105e2c8fe023aad9a9
    return ns_val;
  }
 
-@@ -398,9 +391,6 @@ CFCast<CTFontRef>(const CFTypeRef& cf_val) {
+@@ -398,9 +391,6 @@ CTFontRef NSToCFCast(NSFont* ns_val) {
      return (CTFontRef)(cf_val);
    }
 

patches/chromium/mas_blink_no_private_api.patch

@@ -18,7 +18,7 @@ index 94afefcee81b87c05bf9b1199d90d3d4b5ea84a6..2ec7f04c71824b47de1ddbf1f0e8625d
  extern "C" {
 
  // Kill ring calls. Would be better to use NSKillRing.h, but that's not
-@@ -39,38 +40,53 @@ NSString* _NSYankFromKillRing();
+@@ -39,38 +40,53 @@
  void _NSNewKillRingSequence();
  void _NSSetKillRingToYankedState();
  }
@@ -92,7 +92,7 @@ index 8f4ae94bc1d8188d041654c50511f3346eee79de..fa06f47abbff3dcda937bf0b794f616e
 
  namespace blink {
 
-@@ -95,10 +97,12 @@ bool ThemePainterMac::PaintTextField(const Node* node,
+@@ -95,10 +97,12 @@ void _NSDrawCarbonThemeListBox(NSRect frame,
    // behavior change while remaining a fragile solution.
    // https://bugs.chromium.org/p/chromium/issues/detail?id=658085#c3
    if (!use_ns_text_field_cell) {
@@ -105,7 +105,7 @@ index 8f4ae94bc1d8188d041654c50511f3346eee79de..fa06f47abbff3dcda937bf0b794f616e
      return false;
    }
 
-@@ -186,10 +190,12 @@ bool ThemePainterMac::PaintTextArea(const Node* node,
+@@ -186,10 +190,12 @@ void _NSDrawCarbonThemeListBox(NSRect frame,
                                      const IntRect& r) {
    ScopedColorSchemeAppearance appearance(style.UsedColorScheme());
    LocalCurrentGraphicsContext local_context(paint_info.context, r);

patches/chromium/mas_disable_custom_window_frame.patch

@@ -18,7 +18,7 @@ index 69580888047c4ac6abb68873315bcafb78dda706..aa347913a75084f669bf7d89fbcc919b
  @interface NSWindow (PrivateBrowserNativeWidgetAPI)
  + (Class)frameViewClassForStyleMask:(NSUInteger)windowStyle;
  @end
-@@ -63,6 +64,8 @@
+@@ -63,6 +64,8 @@ - (NSRect)_draggableFrame NS_DEPRECATED_MAC(10_10, 10_11) {
 
  @end
 
@@ -27,15 +27,15 @@ index 69580888047c4ac6abb68873315bcafb78dda706..aa347913a75084f669bf7d89fbcc919b
  @implementation BrowserNativeWidgetWindow
 
  // Prevent detached tabs from glitching when the window is partially offscreen.
-@@ -84,6 +87,7 @@
+@@ -84,6 +87,7 @@ - (NSRect)constrainFrameRect:(NSRect)rect toScreen:(NSScreen*)screen {
 
  // NSWindow (PrivateAPI) overrides.
 
 +#ifndef MAS_BUILD
  + (Class)frameViewClassForStyleMask:(NSUInteger)windowStyle {
    // - NSThemeFrame and its subclasses will be nil if it's missing at runtime.
    if ([BrowserWindowFrame class])
-@@ -98,6 +102,8 @@
+@@ -98,6 +102,8 @@ - (BOOL)_usesCustomDrawing {
    return NO;
  }
 
@@ -57,7 +57,7 @@ index 8416c7c6e052dafb2aad61c0bd3224c36e945d23..cd356beda023ab2409b16d58ca38c70b
  @interface NSWindow (PrivateAPI)
  + (Class)frameViewClassForStyleMask:(NSUInteger)windowStyle;
  @end
-@@ -18,8 +20,12 @@
+@@ -18,8 +20,12 @@ - (CGFloat)_titlebarHeight {
  }
  @end
 
@@ -70,7 +70,7 @@ index 8416c7c6e052dafb2aad61c0bd3224c36e945d23..cd356beda023ab2409b16d58ca38c70b
  + (Class)frameViewClassForStyleMask:(NSUInteger)windowStyle {
    if ([NativeWidgetMacFramelessNSWindowFrame class]) {
      return [NativeWidgetMacFramelessNSWindowFrame class];
-@@ -27,4 +33,6 @@
+@@ -27,4 +33,6 @@ + (Class)frameViewClassForStyleMask:(NSUInteger)windowStyle {
    return [super frameViewClassForStyleMask:windowStyle];
  }
 
@@ -111,7 +111,7 @@ index 5e5a39c2920b748823d21f15bc054733d7aa6441..980c4cef13bacb46e92264bf38f39346
  - (BOOL)hasKeyAppearance;
  - (long long)_resizeDirectionForMouseLocation:(CGPoint)location;
  - (BOOL)_isConsideredOpenForPersistentState;
-@@ -57,6 +59,8 @@
+@@ -57,6 +59,8 @@ - (void)cr_mouseDownOnFrameView:(NSEvent*)event {
  }
  @end
 
@@ -120,7 +120,7 @@ index 5e5a39c2920b748823d21f15bc054733d7aa6441..980c4cef13bacb46e92264bf38f39346
  @implementation NativeWidgetMacNSWindowTitledFrame
  - (void)mouseDown:(NSEvent*)event {
    if (self.window.isMovable)
-@@ -83,6 +87,8 @@
+@@ -83,6 +87,8 @@ - (BOOL)usesCustomDrawing {
  }
  @end
 
@@ -129,7 +129,7 @@ index 5e5a39c2920b748823d21f15bc054733d7aa6441..980c4cef13bacb46e92264bf38f39346
  @implementation NativeWidgetMacNSWindow {
   @private
    base::scoped_nsobject<CommandDispatcher> _commandDispatcher;
-@@ -164,6 +170,8 @@
+@@ -164,6 +170,8 @@ - (BOOL)hasViewsMenuActive {
 
  // NSWindow overrides.
 
@@ -138,7 +138,7 @@ index 5e5a39c2920b748823d21f15bc054733d7aa6441..980c4cef13bacb46e92264bf38f39346
  + (Class)frameViewClassForStyleMask:(NSWindowStyleMask)windowStyle {
    if (windowStyle & NSWindowStyleMaskTitled) {
      if (Class customFrame = [NativeWidgetMacNSWindowTitledFrame class])
-@@ -175,6 +183,8 @@
+@@ -175,6 +183,8 @@ + (Class)frameViewClassForStyleMask:(NSWindowStyleMask)windowStyle {
    return [super frameViewClassForStyleMask:windowStyle];
  }