From 3c9834aba68a0425a845152b481537b434756f51 Mon Sep 17 00:00:00 2001
From: Jeremy Rose
Date: Mon, 31 Aug 2020 12:34:53 -0700
Subject: [PATCH 1/2] chore: cherry-pick 138b748dd0a4 from chromium

---
 patches/chromium/.patches | 1 +
 .../chromium/cherry-pick-138b748dd0a4.patch | 68 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 patches/chromium/cherry-pick-138b748dd0a4.patch

diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index ccd8798eb4dfa..6e3c9a9fc6b98 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -121,3 +121,4 @@ backport_1081722.patch
 backport_1073409.patch
 backport_1074340.patch
 cherry-pick-70579363ce7b.patch
+cherry-pick-138b748dd0a4.patch
diff --git a/patches/chromium/cherry-pick-138b748dd0a4.patch b/patches/chromium/cherry-pick-138b748dd0a4.patch
new file mode 100644
index 0000000000000..59cab30c55939
--- /dev/null
+++ b/patches/chromium/cherry-pick-138b748dd0a4.patch
@@ -0,0 +1,68 @@ +From 138b748dd0a463a1932c7729017e5532fb1a1408 Mon Sep 17 00:00:00 2001 +From: Alexander Cooper +Date: Tue, 4 Aug 2020 00:31:54 +0000 +Subject: [PATCH] Update FocusChanged notifiers to operate on a copy + +These focus changed calls ultimately trigger javascript events. These +events could potentially run code that would modify the list of items +that the FocusChanged notifiers are notifying, and thus invalidate their +in-use iterators. + +Fix this by having these methods iterate over a copy instead of the +member list. + +(cherry picked from commit d8f526f4e25c24ed29e60b46b3416bfabd5e8f11) + +Fixed: 1107815 +Change-Id: I03fa08eeadc60736f3a3fae079253dbd3ee26476 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2314158 +Reviewed-by: Daniel Cheng +Reviewed-by: Klaus Weidner +Commit-Queue: Daniel Cheng +Auto-Submit: Alexander Cooper +Cr-Original-Commit-Position: refs/heads/master@{#791261} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2335893 +Reviewed-by: Alexander Cooper +Commit-Queue: Alexander Cooper +Cr-Commit-Position: refs/branch-heads/4147@{#1015} +Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962} +--- + third_party/blink/renderer/core/page/focus_controller.cc | 7 ++++++- + third_party/blink/renderer/modules/xr/xr_system.cc | 6 +++++- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/third_party/blink/renderer/core/page/focus_controller.cc b/third_party/blink/renderer/core/page/focus_controller.cc +index 1fdf8af956406..dc65fa823547f 100644 +--- a/third_party/blink/renderer/core/page/focus_controller.cc ++++ b/third_party/blink/renderer/core/page/focus_controller.cc +@@ -1351,7 +1351,12 @@ void FocusController::RegisterFocusChangedObserver( + } + + void FocusController::NotifyFocusChangedObservers() const { +- for (const auto& it : focus_changed_observers_) ++ // Since this eventually dispatches an event to the page, the page could add ++ // 
new observer, which would invalidate our iterators; so iterate over a copy ++ // of the observer list. ++ HeapHashSet> observers = ++ focus_changed_observers_; ++ for (const auto& it : observers) + it->FocusedFrameChanged(); + } + +diff --git a/third_party/blink/renderer/modules/xr/xr_system.cc b/third_party/blink/renderer/modules/xr/xr_system.cc +index d1ac289d71936..12ef7ca420d3b 100644 +--- a/third_party/blink/renderer/modules/xr/xr_system.cc ++++ b/third_party/blink/renderer/modules/xr/xr_system.cc +@@ -720,7 +720,11 @@ XRSystem::XRSystem(LocalFrame& frame, int64_t ukm_source_id) + + void XRSystem::FocusedFrameChanged() { + // Tell all sessions that focus changed. +- for (const auto& session : sessions_) { ++ // Since this eventually dispatches an event to the page, the page could ++ // create a new session which would invalidate our iterators; so iterate over ++ // a copy of the session map. ++ HeapHashSet> processing_sessions = sessions_; ++ for (const auto& session : processing_sessions) { + session->OnFocusChanged(); + } + From fd7bbe5cecb0d974bdad8bc6320de95a5aadb25b Mon Sep 17 00:00:00 2001 From: Electron Bot Date: Mon, 31 Aug 2020 19:47:45 +0000 Subject: [PATCH 2/2] update patches --- .../chromium/cherry-pick-138b748dd0a4.patch | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/patches/chromium/cherry-pick-138b748dd0a4.patch b/patches/chromium/cherry-pick-138b748dd0a4.patch index 59cab30c55939..e397fab541ce7 100644 --- a/patches/chromium/cherry-pick-138b748dd0a4.patch +++ b/patches/chromium/cherry-pick-138b748dd0a4.patch @@ -1,7 +1,7 @@ -From 138b748dd0a463a1932c7729017e5532fb1a1408 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
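Review bot: Iterating a snapshot in `NotifyFocusChangedObservers` and `XRSystem::FocusedFrameChanged` removes the iterator-invalidation use-after-free, but an observer or session that an earlier callback in the same loop removed from the member set is still in the snapshot and still gets called, so `FocusedFrameChanged()` and `OnFocusChanged()` must be safe on an object the page has already detached or ended; nothing in the patch states that. The element type of both sets is not legible in this extracted copy (`HeapHashSet>`), and it matters for lifetime: with `Member` the snapshot keeps every entry alive for the loop, with `WeakMember` it presumably relies on Oilpan's treatment of weak tables while an iterator is live, which is worth confirming against the headers. I would record the first point on the copy, e.g. `// Entries removed from focus_changed_observers_ during a callback are still visited here; FocusedFrameChanged() must tolerate that.` and the equivalent above `processing_sessions`. Both enclosing functions are visible in full inside the nested hunks.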
From: Alexander Cooper Date: Tue, 4 Aug 2020 00:31:54 +0000 -Subject: [PATCH] Update FocusChanged notifiers to operate on a copy +Subject: Update FocusChanged notifiers to operate on a copy These focus changed calls ultimately trigger javascript events. These events could potentially run code that would modify the list of items @@ -26,16 +26,12 @@ Reviewed-by: Alexander Cooper Commit-Queue: Alexander Cooper Cr-Commit-Position: refs/branch-heads/4147@{#1015} Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962} ---- - third_party/blink/renderer/core/page/focus_controller.cc | 7 ++++++- - third_party/blink/renderer/modules/xr/xr_system.cc | 6 +++++- - 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/third_party/blink/renderer/core/page/focus_controller.cc b/third_party/blink/renderer/core/page/focus_controller.cc -index 1fdf8af956406..dc65fa823547f 100644 +index 03eef54ac1e7b8f4cc635b5315f6ecb0d27e0019..19615ab1bcbf1d0a6e87f5dd549d014ba6826356 100644 --- a/third_party/blink/renderer/core/page/focus_controller.cc +++ b/third_party/blink/renderer/core/page/focus_controller.cc -@@ -1351,7 +1351,12 @@ void FocusController::RegisterFocusChangedObserver( +@@ -1326,7 +1326,12 @@ void FocusController::RegisterFocusChangedObserver( } void FocusController::NotifyFocusChangedObservers() const { 
@@ -49,13 +45,13 @@ index 1fdf8af956406..dc65fa823547f 100644 it->FocusedFrameChanged(); } -diff --git a/third_party/blink/renderer/modules/xr/xr_system.cc b/third_party/blink/renderer/modules/xr/xr_system.cc -index d1ac289d71936..12ef7ca420d3b 100644 ---- a/third_party/blink/renderer/modules/xr/xr_system.cc -+++ b/third_party/blink/renderer/modules/xr/xr_system.cc -@@ -720,7 +720,11 @@ XRSystem::XRSystem(LocalFrame& frame, int64_t ukm_source_id) +diff --git a/third_party/blink/renderer/modules/xr/xr.cc b/third_party/blink/renderer/modules/xr/xr.cc +index 0f0a0c792c2a7479228f377488a413c7b32e3854..968a1a4dca1a680e00870e42258f4824963f6b16 100644 +--- a/third_party/blink/renderer/modules/xr/xr.cc ++++ b/third_party/blink/renderer/modules/xr/xr.cc +@@ -524,7 +524,11 @@ XR::XR(LocalFrame& frame, int64_t ukm_source_id) - void XRSystem::FocusedFrameChanged() { + void XR::FocusedFrameChanged() { // Tell all sessions that focus changed. - for (const auto& session : sessions_) { + // Since this eventually dispatches an event to the page, the page could
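Review bot: The retargeted hunk renames `XRSystem::FocusedFrameChanged` to `XR::FocusedFrameChanged` and repoints the file to `modules/xr/xr.cc` at a different blob (`0f0a0c79…`), but the line that actually does the copy (`… processing_sessions = sessions_;`) lies outside this hunk and is carried over from the upstream body unchanged, so it should be checked that `sessions_` in this branch's `xr.h` is declared with the same `HeapHashSet` type or the patch will not compile when applied. The zeroed `From 0000…` line follows Electron's convention for regenerated patches; the `(cherry picked from commit d8f526f…)` and `Cr-Commit-Position` trailers are then the only link back to the upstream fix and should be kept. I would also add one line to the patch description so the file move is not mistaken for drift, e.g. `Retargeted for this Chromium branch: xr_system.cc / XRSystem is xr.cc / XR here.`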