Status Update
Comments
ps...@google.com <ps...@google.com> #2
Branch: androidx-master-dev
commit b4a3fe1d53c8c8082cf16795da164c446f7fd912
Author: Ian Lake <ilake@google.com>
Date: Wed Jul 15 14:34:08 2020
Add a hook that fires before the Activity's super.onCreate()
Provide a standard, composable API for libraries and
developers to run code as soon as possible after a
Context is available to an Activity (i.e., before the
logic in the base Activity.onCreate() runs and before any
layout is inflated).
This updates the code in FragmentActivity and
AppCompatActivity to use that new API.
Test: new activity tests pass
Test: existing fragment and appcompat tests still pass
BUG: 161390636
Relnote: "`ComponentActivity` now implements
`ContextAware`, allowing you to add one or more
`OnContextAvailableListener` instances which will
receive a callback before the base `Activity.onCreate()`."
Change-Id: I513da73bc0862b62af4166be35ba353fc7869a09
M activity/activity/api/1.2.0-alpha07.txt
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_1.2.0-alpha07.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_1.2.0-alpha07.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivityLifecycleTest.kt
A activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
A activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
A activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
A activity/activity/src/main/java/androidx/activity/contextaware/OnContextAvailableListener.java
M appcompat/appcompat/build.gradle
M appcompat/appcompat/src/main/java/androidx/appcompat/app/AppCompatActivity.java
M fragment/fragment/src/main/java/androidx/fragment/app/FragmentActivity.java
sa...@google.com <sa...@google.com> #3
Branch: androidx-master-dev
commit 494d98d48e3c95c4338bda7ed1bf46797de257f6
Author: Ian Lake <ilake@google.com>
Date: Mon Aug 03 13:07:36 2020
Deliver the Context when added after it is available
Previously, an OnContextAvailableListener would only
receive a callback if added prior to the Context
being made available.
Rather than allow developers to fall into a pitfall
where they add a listener and never receive a
callback, synchronously deliver the currently
available Context to listeners.
Test: updated activity tests pass
BUG: 161390636
Relnote: N/A
Change-Id: I24eff02712c90e84e1998407082e0b07cf04b44a
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
cl...@appspot.gserviceaccount.com <cl...@appspot.gserviceaccount.com> #4
Branch: androidx-master-dev
commit 5d11382f47626211d512b9135f6b5f40b88f6647
Author: Ian Lake <ilake@google.com>
Date: Mon Aug 03 12:45:55 2020
Simplify OnContextAvailableListener interface
Rather than pass the ContextAware object,
the Context, and a Bundle for saved instance
state, pass only the Context to the
onContextAvailable() callback.
The ContextAware parameter is not needed in
general (unregistering is a corner case that
can be handled by capturing a reference to the
ContextAware).
The saved instance state Bundle is not needed
when we can ensure that the
SavedStateRegistry has had its state restored
before the listeners are called. This ensures
that all Saved State logic is centralized in
the API specifically built for saving state
rather than leaking into other APIs.
To accomplish this API change, the storage of
FragmentManager's and AppCompatDelegate's saved
state was moved to SavedStateRegistry as part of
FragmentActivity and AppCompatActivity,
respectively. Longer term, FragmentManager and
AppCompatDelegate should provide public APIs for
connecting directly to SavedStateRegistry, but
that is out of scope for this change.
Test: activity, fragment, and appcompat tests pass
BUG: 161390636
Relnote: N/A
Change-Id: I32fdd4b2c4c391c3fa97158dbd7508fa96b08d7a
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivityLifecycleTest.kt
M activity/activity/src/androidTest/java/androidx/activity/ComponentActivitySavedStateTest.kt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
M activity/activity/src/main/java/androidx/activity/contextaware/OnContextAvailableListener.java
M appcompat/appcompat/src/main/java/androidx/appcompat/app/AppCompatActivity.java
M fragment/fragment/src/androidTest/java/androidx/fragment/app/FragmentArchLifecycleTest.kt
M fragment/fragment/src/main/java/androidx/fragment/app/FragmentActivity.java
cl...@chromium.org <cl...@chromium.org> #5
Branch: androidx-master-dev
commit d830158f1671930bab215716e329349a42eec1dd
Author: Ian Lake <ilake@google.com>
Date: Fri Jul 31 14:14:29 2020
Add suspending withContextAvailable to ContextAware
Expand the ContextAware interface to allow developers
to synchronously peek to see if the context is
available.
This allows us to write a Kotlin extension
withContextAvailable() that runs a non-suspending
block once the context becomes available (either
synchronously if it is already available or by
using an OnContextAvailableListener under the hood
if not).
Test: new tests pass
BUG: 161390636
Relnote: "Added a `peekAvailableContext()` API to
`ContextAware` to allow you to synchronously determine
if a Context is available. A suspending Kotlin extension
`withContextAvailable()` allows you to run a
non-suspending block when the Context becomes available
and return a result."
Change-Id: I8290cd9de8231913036d23a233c177ed45d2d370
M activity/activity-ktx/api/current.txt
M activity/activity-ktx/api/public_plus_experimental_current.txt
M activity/activity-ktx/api/restricted_current.txt
A activity/activity-ktx/src/androidTest/java/androidx/activity/contextaware/ContextAwareTest.kt
A activity/activity-ktx/src/main/java/androidx/activity/contextaware/ContextAware.kt
M activity/activity/api/current.txt
M activity/activity/api/public_plus_experimental_current.txt
M activity/activity/api/restricted_current.txt
M activity/activity/src/androidTest/java/androidx/activity/contextaware/ContextAwareHelperTest.kt
M activity/activity/src/main/java/androidx/activity/ComponentActivity.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAware.java
M activity/activity/src/main/java/androidx/activity/contextaware/ContextAwareHelper.java
pe...@google.com <pe...@google.com>
le...@chromium.org <le...@chromium.org> #6
The new ContextAware API will be available in Activity 1.2.0-alpha08 and is used by Fragment 1.3.0-alpha08 and AppCompat 1.3.0-alpha02 to implement FragmentManager's and AppCompatDelegate's pre-onCreate() logic.
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #7
Wait, this can't work as advertised.
FragmentActivity extends ComponentActivity:

    public FragmentActivity(@LayoutRes int contentLayoutId) {
        super(contentLayoutId);
        init();
    }

    private void init() {
        addOnContextAvailableListener(new OnContextAvailableListener() {
            // ...
        });
    }

ComponentActivity:

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        // ...
        mContextAwareHelper.dispatchOnContextAvailable(this);
        super.onCreate(savedInstanceState);
        // ...
    }

- Call FragmentActivity constructor,
- which calls ComponentActivity super constructor,
- which dispatches context available... to no one,
- and calls platform Activity.onCreate.
- Bubble up to FragmentActivity constructor and register context listener,
- which is invoked synchronously but only after platform Activity.onCreate has already been called.
Did I miss something? I'm confused.
cl...@chromium.org <cl...@chromium.org> #8
Never mind, constructor vs onCreate. :facepalm: Sorry.
le...@chromium.org <le...@chromium.org> #9
Re #8 - the fact that these are different things is indeed exactly why this API exists :)
pe...@google.com <pe...@google.com> #11
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.
If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security Impact hotlist or the Severity field, and remove the ReleaseBlock hotlist.
cl...@chromium.org <cl...@chromium.org> #12
The latest bisection (for "Debug check failed: (heap) != nullptr") results in [interpreter] Enable TDZ elision by default.
Before that, we get "ReferenceError: Must call super constructor in derived class before accessing 'this' or returning from derived constructor".
cl...@chromium.org <cl...@chromium.org> #13
Shu, can you take this one?
TDZ seems to be "temporal dead zone", and from TDZ elision (aka "hole elision" in the codebase).
So this seems highly related.
pe...@google.com <pe...@google.com> #14
syg: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?
If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?
If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.
Thanks for your time! To disable nags, add Disable-Nags (case sensitive) to the Chromium Labels custom field.
dd...@gmail.com <dd...@gmail.com> #15
Any update?
sy...@chromium.org <sy...@chromium.org> #16
Sorry I had missed this, taking a look.
ap...@google.com <ap...@google.com> #17
Project: v8/v8
Branch: main
Author: Shu-yu Guo <
Link:
[interpreter] Fix hole elision scope for switch jump tables
Fixed: 374627491
Change-Id: I7b6142b45295ba795a8ae8a90692fc09e704b65d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6032225
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#97274}
Files:
- M src/interpreter/bytecode-generator.cc
- A test/mjsunit/regress/regress-374627491.js
Hash: 5c3b50c26c50e68dbedf8ff991249e75e46ef06e
Date: Mon Nov 18 16:02:28 2024
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #18
If this is incorrect, please add the hotlistid:5433040 and re-open the issue.
pe...@google.com <pe...@google.com> #19
Security Merge Request Consideration: This is sufficiently serious that it should be merged to beta. But I can't see a Chromium repo commit here, so you will need to investigate what - if anything - needs to be merged to M132. Is there a fix in some other repo which should be merged? Or, perhaps this ticket is a duplicate of some other ticket which has the real fix: please track that down and ensure it is merged appropriately.
Security Merge Request: Thank you for fixing this security bug! We aim to ship security fixes as quickly as possible, to limit their opportunity for exploitation as an "n-day" (that is, a bug where git fixes are developed into attacks before those fixes reach users).
We have determined this fix is necessary on milestone(s): [].
Please answer the following questions so that we can safely process this merge request:
- Which CLs should be backmerged? (Please include Gerrit links.)
- Has this fix been verified on Canary to not pose any stability regressions?
- Does this fix pose any potential non-verifiable stability risks?
- Does this fix pose any known compatibility risks?
- Does it require manual verification by the test team? If so, please describe required testing.
- (no answer required) Please check the OS custom field to ensure all impacted OSes are checked!
pe...@google.com <pe...@google.com> #20
Merge review required: M132 is already shipping to beta.
Please answer the following questions so that we can safely process your merge request:
- Why does your merge fit within the merge criteria for these milestones?
- Chrome Browser: https://chromiumdash.appspot.com/branches
- Chrome OS: https://goto.google.com/cros-release-branch-merge-guidelines
- What changes specifically would you like to merge? Please link to Gerrit.
- Have the changes been released and tested on canary?
- Is this a new feature? If yes, is it behind a Finch flag and are experiments active in any release channels?
- [Chrome OS only]: Was the change reviewed and approved by the Eng Prod Representative? https://goto.google.com/cros-engprodcomponents
- If this merge addresses a major issue in the stable channel, does it require manual verification by the test team? If so, please describe required testing.
Please contact the milestone owner if you have questions. Owners: govind (Android), govind (iOS), alonbajayo (ChromeOS), srinivassista (Desktop)
sy...@chromium.org <sy...@chromium.org> #21
- It is a security bug fix.
- https://chromium-review.googlesource.com/c/v8/v8/+/6032225
- Yes
- No, not a new feature.
- N/A
- No manual verification needed.
am...@chromium.org <am...@chromium.org> #22
Please merge this fix to 13.2 at your convenience and by EOD 3 December, so this fix can be included in the next M132 beta update following the current release freeze
ap...@google.com <ap...@google.com> #23
Project: v8/v8
Branch: refs/branch-heads/13.2
Author: Shu-yu Guo <
Link:
Merged: [interpreter] Fix hole elision scope for switch jump tables
(cherry picked from commit 5c3b50c26c50e68dbedf8ff991249e75e46ef06e)
Change-Id: Id6bf2b62598b85a05c6cc7bd06b6cce673d7342a
Bug: 374627491
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6042925
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Cr-Commit-Position: refs/branch-heads/13.2@{#18}
Cr-Branched-From: 24068c59cedad9ee976ddc05431f5f497b1ebd71-refs/heads/13.2.152@{#1}
Cr-Branched-From: 6054ba94db0969220be4f94dc1677fc4696bdc4f-refs/heads/main@{#97085}
Files:
- M src/interpreter/bytecode-generator.cc
- A test/mjsunit/regress/regress-374627491.js
Hash: 3c2d220ad025e2c532ea17289d8d29350f0b722a
Date: Mon Nov 18 16:02:28 2024
dd...@gmail.com <dd...@gmail.com> #24
According to the impact analysis of CF, this bug affects 'Extended_Stable 130.0.6723.127' and 'Stable 131.0.6778.69'. So will this issue get a CVE?
pe...@google.com <pe...@google.com> #25
LTS Milestone M126
This issue has been flagged as a merge candidate for Chrome OS' LTS channel. If selected, our merge team will handle any additional merges. To help us determine if this issue requires a merge to LTS, please answer this short questionnaire:
- Was this issue a regression for the milestone it was found in?
- Is this issue related to a change or feature merged after the latest LTS Milestone?
sy...@chromium.org <sy...@chromium.org> #26
pe...@google.com <pe...@google.com> #27
This issue requires additional review before it can be merged to the LTS channel. Please answer the following questions to help us evaluate this merge:
- Number of CLs needed for this fix and links to them.
- Level of complexity (High, Medium, Low - Explain)
- Has this been merged to a stable release? beta release?
- Overall Recommendation (Yes, No)
qk...@google.com <qk...@google.com> #28
2. Low, there are small conflicts.
3. 132.
4. Yes, as mentioned in the
pe...@google.com <pe...@google.com> #29
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!
If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.
Thanks for your time! To disable nags, add Disable-Nags (case sensitive) to the Chromium Labels custom field.
sp...@google.com <sp...@google.com> #30
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $7000.00 for this report.
Rationale for this decision:
report of memory corruption in a sandboxed process / renderer
Important: If you aren't already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon.
If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from.
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
am...@chromium.org <am...@chromium.org> #31
Congratulations! Thank you for your efforts and reporting this issue to us.
dd...@gmail.com <dd...@gmail.com> #32
Thank you Amy. BTW, please answer #c24, because the FoundIn of this issue seems incomplete.
cl...@chromium.org <cl...@chromium.org> #33
sr...@chromium.org <sr...@chromium.org> #34
go...@google.com <go...@google.com> #35
Please see branch details here:
ap...@google.com <ap...@google.com> #36
Project: v8/v8
Branch: refs/branch-heads/12.6
Author: Gyuyoung Kim <
Link:
[M126-LTS][interpreter] Fix hole elision scope for switch jump tables
(cherry picked from commit 5c3b50c26c50e68dbedf8ff991249e75e46ef06e)
Fixed: 374627491
Change-Id: I7b6142b45295ba795a8ae8a90692fc09e704b65d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6032225
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#97274}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6048230
Reviewed-by: Shu-yu Guo <syg@chromium.org>
Commit-Queue: Gyuyoung Kim (xWF) <qkim@google.com>
Cr-Commit-Position: refs/branch-heads/12.6@{#84}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
Files:
- M src/interpreter/bytecode-generator.cc
- A test/mjsunit/regress/regress-374627491.js
Hash: 7c5364450454daabe31f09768ad4afb898efc91d
Date: Tue Nov 26 07:30:41 2024
ch...@google.com <ch...@google.com> #37
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
Steps to reproduce the problem
Problem Description
Summary: Type Confusion in ConvertToNumeric
Custom Questions
Type of crash: tab
Additional Data
Category: Security
Chrome Channel: Not sure
Regression: N/A