From a0c7fae43ffc4eb8da280e20bdf5c849df251130 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20Bostr=C3=B6m?=
Date: Fri, 24 Feb 2023 00:33:06 +0000
Subject: [Backport] Security bug 1418734
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4288168:
Convert known it != end() DCHECK failures to CHECK
M102 merge issues: third_party/blink/renderer/core/annotation/annotation_agent_impl.cc is not present in 102
These have hit on DCHECK builds in the wild and precede erasing or dereferencing an iterator that is UB. This CL excludes DCHECK failures that precede non-DCHECK handling of the it != end() failures. Those should probably be rewritten as CHECKs but are less urgent and semi-orthogonal.
Known crashes (one per file) are:
crash/dc49e3cadab36d4c
crash/0ee3427d25937024
crash/b89303e84d123019
crash/cc35183b861a4992
Bug: 1418734
Change-Id: I81ed7b45be33769e250c65c8bb7334a34be4380e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4288168
Commit-Queue: Peter Boström
Cr-Commit-Position: refs/heads/main@{#1109350}
(cherry picked from commit 1aec0b297900a7b59bd24314dff239f3c5697f45)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468621
Reviewed-by: Michal Klocek
---
 chromium/base/scoped_multi_source_observation.h | 2 +-
 chromium/cc/tiles/gpu_image_decode_cache.cc | 4 ++--
 chromium/ui/base/interaction/element_tracker_mac.mm | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/chromium/base/scoped_multi_source_observation.h b/chromium/base/scoped_multi_source_observation.h
index fe2f2c7a079..5a8b0fc5d83 100644
--- a/chromium/base/scoped_multi_source_observation.h
+++ b/chromium/base/scoped_multi_source_observation.h
@@ -68,7 +68,7 @@ class ScopedMultiSourceObservation {
 // Remove the object passed to the constructor as an observer from |source|.
 void RemoveObservation(Source* source) {
 auto it = base::ranges::find(sources_, source);
- DCHECK(it != sources_.end());
+ CHECK(it != sources_.end());
 sources_.erase(it);
 (source->*RemoveObsFn)(observer_);
 }
diff --git a/chromium/cc/tiles/gpu_image_decode_cache.cc b/chromium/cc/tiles/gpu_image_decode_cache.cc
index e9b6f98615b..bf14f655b11 100644
--- a/chromium/cc/tiles/gpu_image_decode_cache.cc
+++ b/chromium/cc/tiles/gpu_image_decode_cache.cc
@@ -1340,8 +1340,8 @@ Iterator GpuImageDecodeCache::RemoveFromPersistentCache(Iterator it) {
 }
 auto entries_it = paint_image_entries_.find(it->second->paint_image_id);
- DCHECK(entries_it != paint_image_entries_.end());
- DCHECK_GT(entries_it->second.count, 0u);
+ CHECK(entries_it != paint_image_entries_.end());
+ CHECK_GT(entries_it->second.count, 0u);
 // If this is the last entry for this image, remove its tracking.
 --entries_it->second.count;
diff --git a/chromium/ui/base/interaction/element_tracker_mac.mm b/chromium/ui/base/interaction/element_tracker_mac.mm
index b29ae9babb0..4d495fc36bb 100644
--- a/chromium/ui/base/interaction/element_tracker_mac.mm
+++ b/chromium/ui/base/interaction/element_tracker_mac.mm
@@ -50,7 +50,7 @@ class ElementTrackerMac::ContextData {
 void ActivateElement(ElementIdentifier identifier) {
 const auto it = elements_.find(identifier);
- DCHECK(it != elements_.end());
+ CHECK(it != elements_.end());
 ui::ElementTracker::GetFrameworkDelegate()->NotifyElementActivated(
 it->second.get());
 }
-- cgit v1.2.1
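Review bot: The comment above `RemoveObservation` (`// Remove the object passed to the constructor as an observer from |source|.`) still does not state that `source` must currently be observed, yet the new `CHECK(it != sources_.end())` turns an unobserved `source` into a deliberate process abort on all build types, where before the release build went on to `sources_.erase(end())`, which is undefined behaviour; a caller-facing precondition such as `// |source| must currently be observed; CHECKs otherwise (erasing end() is UB).` belongs on that comment. The same undocumented precondition applies at the other two hunks, `RemoveFromPersistentCache` in gpu_image_decode_cache.cc (whose body starts and ends outside the hunk) and `ActivateElement` in element_tracker_mac.mm (whose enclosing class starts outside the hunk), where `entries_it->second` and `it->second.get()` are dereferenced right after the new CHECKs. Because the commit message says these DCHECKs have already fired in the wild, a one-line why-comment at each site, e.g. `// CHECK rather than DCHECK: this has fired in the wild (Bug: 1418734) and the dereference/erase below would be UB.`, would stop a later cleanup from quietly downgrading them back to DCHECK. The root cause of the missing map entries is not addressed here, so these crashes become a reliable, reportable abort rather than memory-unsafe behaviour, but they do not go away.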