Updated to 65.0.3325.181

4 files changed, 187 insertions, 36 deletions

diff --git a/.SRCINFO b/.SRCINFO
index 272d43b36ec5..4ef566118148 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,12 +1,13 @@
 pkgbase = chromium-gtk2
 	pkgdesc = A web browser built for speed, simplicity, and security (GTK2 version)
-	pkgver = 65.0.3325.162
+	pkgver = 65.0.3325.181
 	pkgrel = 1
 	url = https://www.chromium.org/Home
 	install = chromium.install
 	arch = i686
 	arch = x86_64
 	license = BSD
+	makedepends = python
 	makedepends = python2
 	makedepends = gperf
 	makedepends = yasm
@@ -15,6 +16,7 @@ pkgbase = chromium-gtk2
 	makedepends = nodejs
 	makedepends = git
 	makedepends = clang
+	makedepends = lld
 	depends = gtk2
 	depends = nss
 	depends = alsa-lib
@@ -49,18 +51,22 @@ pkgbase = chromium-gtk2
 	optdepends = kwallet: for storing passwords in KWallet
 	provides = chromium
 	conflicts = chromium
-	source = https://commondatastorage.googleapis.com/chromium-browser-official/chromium-65.0.3325.162.tar.xz
-	source = chromium-launcher-5.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v5.tar.gz
-	source = chromium-65.0.3325.162.txt::https://chromium.googlesource.com/chromium/src.git/+/65.0.3325.162?format=TEXT
+	source = https://commondatastorage.googleapis.com/chromium-browser-official/chromium-65.0.3325.181.tar.xz
+	source = chromium-launcher-6.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v6.tar.gz
+	source = chromium-65.0.3325.181.txt::https://chromium.googlesource.com/chromium/src.git/+/65.0.3325.181?format=TEXT
+	source = fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
+	source = allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
 	source = chromium-skia-harmony.patch
 	source = chromium-clang-r2.patch
 	source = chromium-math.h-r0.patch
 	source = chromium-stdint.patch
 	source = chromium-widevine.patch
 	source = chromium-gtk2-fix-build.patch
-	sha256sums = 627e7bfd84795de1553fac305239130d25186acf2d3c77d39d824327cd116cce
-	sha256sums = 4dc3428f2c927955d9ae117f2fb24d098cc6dd67adb760ac9c82b522ec8b0587
-	sha256sums = bed2a7ef4b1ebd53b28e2f38963a2dd761267ccc8818693c34ce8596db53dd4c
+	sha256sums = 93666448c6b96ec83e6a35a64cff40db4eb92a154fe1db4e7dab4761d0e38687
+	sha256sums = 04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1
+	sha256sums = 2771c049b66c9aba3b945fe065f2610f164d55506eb5d71751a26aaf8b40d4ee
+	sha256sums = e3fb73b43bb8c69ff517e66b2cac73d6e759fd240003eb35598df9af442422fe
+	sha256sums = 4327289866d0b3006de62799ec06b07198a738e50e0a5c2e41ff62dbe00b4a2c
 	sha256sums = feca54ab09ac0fc9d0626770a6b899a6ac5a12173c7d0c1005bc3964ec83e7b3
 	sha256sums = 4495e8b29dae242c79ffe4beefc5171eb3c7aacb7e9aebfd2d4d69b9d8c958d3
 	sha256sums = fe0ab86aa5b0072db730eccda3e1582ebed4af25815bfd49fe0da24cf63ca902
diff --git a/PKGBUILD b/PKGBUILD
index 54a2f194d46d..28cef1ced672 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,9 +7,9 @@
 
 pkgname=chromium-gtk2
 _pkgname=chromium
-pkgver=65.0.3325.162
+pkgver=65.0.3325.181
 pkgrel=1
-_launcher_ver=5
+_launcher_ver=6
 pkgdesc="A web browser built for speed, simplicity, and security (GTK2 version)"
 arch=('i686' 'x86_64')
 url="https://www.chromium.org/Home"
@@ -17,7 +17,8 @@ license=('BSD')
 depends=('gtk2' 'nss' 'alsa-lib' 'xdg-utils' 'libxss' 'libcups' 'libgcrypt'
          'ttf-font' 'systemd' 'dbus' 'libpulse' 'pciutils' 'json-glib'
          'desktop-file-utils' 'hicolor-icon-theme')
-makedepends=('python2' 'gperf' 'yasm' 'mesa' 'ninja' 'nodejs' 'git' 'clang')
+makedepends=('python' 'python2' 'gperf' 'yasm' 'mesa' 'ninja' 'nodejs' 'git'
+             'clang' 'lld')
 optdepends=('pepper-flash: support for Flash content'
             'kdialog: needed for file dialogs in KDE'
             'gnome-keyring: for storing passwords in GNOME keyring'
@@ -28,15 +29,19 @@ install=chromium.install
 source=(https://commondatastorage.googleapis.com/chromium-browser-official/$_pkgname-$pkgver.tar.xz
         chromium-launcher-$_launcher_ver.tar.gz::https://github.com/foutrelis/chromium-launcher/archive/v$_launcher_ver.tar.gz
         chromium-$pkgver.txt::https://chromium.googlesource.com/chromium/src.git/+/$pkgver?format=TEXT
+        fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
+        allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
         chromium-skia-harmony.patch
         chromium-clang-r2.patch
         chromium-math.h-r0.patch
         chromium-stdint.patch
         chromium-widevine.patch
         chromium-gtk2-fix-build.patch)
-sha256sums=('627e7bfd84795de1553fac305239130d25186acf2d3c77d39d824327cd116cce'
-            '4dc3428f2c927955d9ae117f2fb24d098cc6dd67adb760ac9c82b522ec8b0587'
-            'bed2a7ef4b1ebd53b28e2f38963a2dd761267ccc8818693c34ce8596db53dd4c'
+sha256sums=('93666448c6b96ec83e6a35a64cff40db4eb92a154fe1db4e7dab4761d0e38687'
+            '04917e3cd4307d8e31bfb0027a5dce6d086edb10ff8a716024fbb8bb0c7dccf1'
+            '2771c049b66c9aba3b945fe065f2610f164d55506eb5d71751a26aaf8b40d4ee'
+            'e3fb73b43bb8c69ff517e66b2cac73d6e759fd240003eb35598df9af442422fe'
+            '4327289866d0b3006de62799ec06b07198a738e50e0a5c2e41ff62dbe00b4a2c'
             'feca54ab09ac0fc9d0626770a6b899a6ac5a12173c7d0c1005bc3964ec83e7b3'
             '4495e8b29dae242c79ffe4beefc5171eb3c7aacb7e9aebfd2d4d69b9d8c958d3'
             'fe0ab86aa5b0072db730eccda3e1582ebed4af25815bfd49fe0da24cf63ca902'
@@ -91,12 +96,22 @@ prepare() {
   fi
   echo "LASTCHANGE=$_chrome_build_hash-" >build/util/LASTCHANGE
 
+  # Allow building against system libraries in official builds
+  sed -i 's/OFFICIAL_BUILD/GOOGLE_CHROME_BUILD/' \
+    tools/generate_shim_headers/generate_shim_headers.py
+
   # Enable support for the Widevine CDM plugin
   # libwidevinecdm.so is not included, but can be copied over from Chrome
   # (Version string doesn't seem to matter so let's go with "Pinkie Pie")
   sed "s/@WIDEVINE_VERSION@/Pinkie Pie/" ../chromium-widevine.patch |
     patch -Np1
 
+  # https://crbug.com/822820
+  patch -Np1 -i ../fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
+
+  # https://crbug.com/817400
+  patch -Np1 -i ../allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
+
   # https://crbug.com/skia/6663#c10
   patch -Np4 -i ../chromium-skia-harmony.patch
 
@@ -105,25 +120,13 @@ prepare() {
   patch -Np1 -i ../chromium-math.h-r0.patch
   patch -Np1 -i ../chromium-stdint.patch
 
-  # Remove compiler flags not supported by our system clang
-  sed -i \
-    -e '/"-Wno-enum-compare-switch"/d' \
-    -e '/"-Wno-null-pointer-arithmetic"/d' \
-    -e '/"-Wno-tautological-unsigned-zero-compare"/d' \
-    -e '/"-Wno-tautological-constant-compare"/d' \
-    build/config/compiler/BUILD.gn
+  # Force script incompatible with Python 3 to use /usr/bin/python2
+  sed -i '1s|python$|&2|' third_party/dom_distiller_js/protoc_plugins/*.py
 
   # Fix GTK2 build
   # https://chromium-review.googlesource.com/c/chromium/src/+/894993
   patch -Np1 -i ../chromium-gtk2-fix-build.patch
 
-  # Use Python 2
-  find . -name '*.py' -exec sed -i -r 's|/usr/bin/python$|&2|g' {} +
-
-  # There are still a lot of relative calls which need a workaround
-  mkdir "$srcdir/python2-path"
-  ln -s /usr/bin/python2 "$srcdir/python2-path/python"
-
   mkdir -p third_party/node/linux/node-linux-x64/bin
   ln -s /usr/bin/node third_party/node/linux/node-linux-x64/bin/
 
@@ -156,10 +159,6 @@ build() {
     export CCACHE_SLOPPINESS=time_macros
   fi
 
-  export PATH="$srcdir/python2-path:$PATH"
-  export TMPDIR="$srcdir/temp"
-  mkdir -p "$TMPDIR"
-
   export CC=clang
   export CXX=clang++
   export AR=ar
@@ -168,10 +167,9 @@ build() {
   local _flags=(
     'custom_toolchain="//build/toolchain/linux/unbundle:default"'
     'host_toolchain="//build/toolchain/linux/unbundle:default"'
-    'is_clang=true'
     'clang_use_chrome_plugins=false'
+    'is_official_build=true' # implies is_cfi=true on x86_64
     'is_debug=false'
-    'fatal_linker_warnings=false'
     'treat_warnings_as_errors=false'
     'fieldtrial_testing_like_official_build=true'
     'remove_webcore_debug_symbols=true'
@@ -180,8 +178,6 @@ build() {
     'link_pulseaudio=true'
     'use_gtk3=false'
     'use_gnome_keyring=false'
-    'use_gold=false'
-    'use_lld=false'
     'use_sysroot=false'
     'linux_use_bundled_binutils=false'
     'use_custom_libcxx=false'
@@ -194,13 +190,21 @@ build() {
     "google_default_client_secret=\"${_google_default_client_secret}\""
   )
 
+  # Facilitate deterministic builds (taken from build/config/compiler/BUILD.gn)
+  CFLAGS+='   -Wno-builtin-macro-redefined'
+  CXXFLAGS+=' -Wno-builtin-macro-redefined'
+  CPPFLAGS+=' -D__DATE__=  -D__TIME__=  -D__TIMESTAMP__='
+
   if check_option strip y; then
+    _flags+=('symbol_level=0')
+
+    # Mimic exclude_unwind_tables=true
     CFLAGS+='   -fno-unwind-tables -fno-asynchronous-unwind-tables'
     CXXFLAGS+=' -fno-unwind-tables -fno-asynchronous-unwind-tables'
     CPPFLAGS+=' -DNO_UNWIND_TABLES'
   fi
 
-  python2 tools/gn/bootstrap/bootstrap.py --gn-gen-args "${_flags[*]}"
+  python2 tools/gn/bootstrap/bootstrap.py -s --no-clean
   out/Release/gn gen out/Release --args="${_flags[*]}" \
     --script-executable=/usr/bin/python2
 
diff --git a/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch b/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
new file mode 100644
index 000000000000..327d8c3bb569
--- /dev/null
+++ b/allow-stat-in-Linux-for-GPU-process-for-a-list-of-files.patch
@@ -0,0 +1,88 @@
+From 6b1b6d3a8555075e23cca89335e855d55f35fba9 Mon Sep 17 00:00:00 2001
+From: Zhenyao Mo <zmo@chromium.org>
+Date: Thu, 29 Mar 2018 23:48:19 +0000
+Subject: [PATCH] Allow `stat` in Linux for GPU process for a list of files.
+
+This is to unblock certain NVidia driver's glReadPixels calls in the sandboxed
+GPU process.
+
+Note that the needed file /dev/nvidiactl is already in the list for read/write.
+
+BUG=817400
+TEST=manual
+R=tsepez@chromium.org
+
+Change-Id: I9074a8335a9c4df1487f5a288d5e284bbedf67c3
+Reviewed-on: https://chromium-review.googlesource.com/965462
+Reviewed-by: Zhenyao Mo <zmo@chromium.org>
+Reviewed-by: Tom Sepez <tsepez@chromium.org>
+Reviewed-by: Robert Sesek <rsesek@chromium.org>
+Reviewed-by: Kenneth Russell <kbr@chromium.org>
+Commit-Queue: Zhenyao Mo <zmo@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#547027}
+---
+ content/gpu/gpu_sandbox_hook_linux.cc                     |  5 ++++-
+ .../service_manager/sandbox/linux/bpf_gpu_policy_linux.cc | 15 ++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/content/gpu/gpu_sandbox_hook_linux.cc b/content/gpu/gpu_sandbox_hook_linux.cc
+index ddd7b99485fe..cd914e2f9926 100644
+--- a/content/gpu/gpu_sandbox_hook_linux.cc
++++ b/content/gpu/gpu_sandbox_hook_linux.cc
+@@ -153,6 +153,7 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
+   static const char kDriCardBasePath[] = "/dev/dri/card";
+   static const char kNvidiaCtlPath[] = "/dev/nvidiactl";
+   static const char kNvidiaDeviceBasePath[] = "/dev/nvidia";
++  static const char kNvidiaDeviceModeSetPath[] = "/dev/nvidia-modeset";
+   static const char kNvidiaParamsPath[] = "/proc/driver/nvidia/params";
+   static const char kDevShm[] = "/dev/shm/";
+ 
+@@ -172,6 +173,8 @@ void AddStandardGpuWhiteList(std::vector<BrokerFilePermission>* permissions) {
+     permissions->push_back(BrokerFilePermission::ReadWrite(
+         base::StringPrintf("%s%d", kNvidiaDeviceBasePath, i)));
+   }
++  permissions->push_back(
++      BrokerFilePermission::ReadWrite(kNvidiaDeviceModeSetPath));
+   permissions->push_back(BrokerFilePermission::ReadOnly(kNvidiaParamsPath));
+ }
+ 
+@@ -262,9 +265,9 @@ sandbox::syscall_broker::BrokerCommandSet CommandSetForGPU(
+   sandbox::syscall_broker::BrokerCommandSet command_set;
+   command_set.set(sandbox::syscall_broker::COMMAND_ACCESS);
+   command_set.set(sandbox::syscall_broker::COMMAND_OPEN);
++  command_set.set(sandbox::syscall_broker::COMMAND_STAT);
+   if (IsChromeOS() && options.use_amd_specific_policies) {
+     command_set.set(sandbox::syscall_broker::COMMAND_READLINK);
+-    command_set.set(sandbox::syscall_broker::COMMAND_STAT);
+   }
+   return command_set;
+ }
+diff --git a/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc b/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
+index bc16952c0898..d683aacc76f4 100644
+--- a/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
++++ b/services/service_manager/sandbox/linux/bpf_gpu_policy_linux.cc
+@@ -61,7 +61,20 @@ ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
+     case __NR_open:
+ #endif  // !defined(__aarch64__)
+     case __NR_faccessat:
+-    case __NR_openat: {
++    case __NR_openat:
++#if defined(__NR_stat)
++    case __NR_stat:
++#endif
++#if defined(__NR_stat64)
++    case __NR_stat64:
++#endif
++#if defined(__NR_fstatat)
++    case __NR_fstatat:
++#endif
++#if defined(__NR_newfstatat)
++    case __NR_newfstatat:
++#endif
++    {
+       auto* broker_process = SandboxLinux::GetInstance()->broker_process();
+       DCHECK(broker_process);
+       return Trap(BrokerProcess::SIGSYS_Handler, broker_process);
+-- 
+2.16.2
+
diff --git a/fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch b/fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
new file mode 100644
index 000000000000..ee7339d39817
--- /dev/null
+++ b/fix-crash-in-is_cfi-true-builds-with-unbundled-ICU.patch
@@ -0,0 +1,53 @@
+From f15e8b573ada0fcd643ae393484214b1c7c940f8 Mon Sep 17 00:00:00 2001
+From: Evangelos Foutras <evangelos@foutrelis.com>
+Date: Sat, 24 Mar 2018 00:04:33 +0000
+Subject: [PATCH] Fix crash in is_cfi=true builds with unbundled ICU
+
+Ensure ICU symbols have public visibility and are thus excluded from CFI
+checks and whole-program optimization. The former caused a startup crash
+and the latter has the potential to break virtual calls in weird ways.
+
+BUG=822820
+
+Change-Id: Ia809eefcb9e93b3c612f2381d394db83bbc67120
+Reviewed-on: https://chromium-review.googlesource.com/978008
+Reviewed-by: Peter Collingbourne <pcc@chromium.org>
+Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
+Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
+Cr-Commit-Position: refs/heads/master@{#545638}
+---
+ build/linux/unbundle/icu.gn | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/build/linux/unbundle/icu.gn b/build/linux/unbundle/icu.gn
+index 5bdd91555df7..4450e409dba5 100644
+--- a/build/linux/unbundle/icu.gn
++++ b/build/linux/unbundle/icu.gn
+@@ -17,6 +17,24 @@ config("icu_config") {
+     "USING_SYSTEM_ICU=1",
+     "ICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_STATIC",
+     "UCHAR_TYPE=uint16_t",
++
++    # U_EXPORT (defined in unicode/platform.h) is used to set public visibility
++    # on classes through the U_COMMON_API and U_I18N_API macros (among others).
++    # When linking against the system ICU library, we want its symbols to have
++    # public LTO visibility. This disables CFI checks for the ICU classes and
++    # allows whole-program optimization to be applied to the rest of Chromium.
++    #
++    # Both U_COMMON_API and U_I18N_API macros would be defined to U_EXPORT only
++    # when U_COMBINED_IMPLEMENTATION is defined (see unicode/utypes.h). Because
++    # we override the default system UCHAR_TYPE (char16_t), it is not possible
++    # to use U_COMBINED_IMPLEMENTATION at this moment, meaning the U_COMMON_API
++    # and U_I18N_API macros are set to U_IMPORT which is an empty definition.
++    #
++    # Until building with UCHAR_TYPE=char16_t is supported, one way to apply
++    # public visibility (and thus public LTO visibility) to all ICU classes is
++    # to define U_IMPORT to have the same value as U_EXPORT. For more details,
++    # please see: https://crbug.com/822820
++    "U_IMPORT=U_EXPORT",
+   ]
+ }
+ 
+-- 
+2.16.3
+