.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -45,11 +45,11 @@ jobs:
       - run: ./get-clang.sh
       - run: EXTRA_FLAGS='target_os="android"' ./get-clang.sh
       - run: |
-          if [ ! -f qemu-user-static*.deb ]; then
+          if [ ! -f qemu-user*.deb ]; then
-            wget https://snapshot.debian.org/archive/debian/20230611T210420Z/pool/main/q/qemu/qemu-user-static_8.0%2Bdfsg-4_amd64.deb
+            wget https://snapshot.debian.org/archive/debian/20250405T083429Z/pool/main/q/qemu/qemu-user_9.2.2%2Bds-1%2Bb2_amd64.deb
           fi
   cache-toolchains-win:
-    runs-on: windows-2019
+    runs-on: windows-2022
     steps:
       - uses: actions/checkout@v4
       - name: Cache toolchains
@@ -97,7 +97,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: [x64, x86, arm64, arm, mipsel, mips64el, riscv64]
+        arch: [x64, x86, arm64, arm, mipsel, mips64el, riscv64, loong64]
     env:
       EXTRA_FLAGS: 'target_cpu="${{ matrix.arch }}"'
       BUNDLE: naiveproxy-${{ github.event.release.tag_name }}-${{ github.job }}-${{ matrix.arch }}
@@ -109,7 +109,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -138,7 +138,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh
@@ -179,16 +179,20 @@ jobs:
             abi: armeabi-v7a
     env:
       EXTRA_FLAGS: 'target_cpu="${{ matrix.arch }}" target_os="android"'
-      BUNDLE: naiveproxy-plugin-${{ github.event.release.tag_name || 'v1' }}-${{ matrix.abi }}.apk
+      BUNDLE: naiveproxy-plugin-${{ github.event.release.tag_name || 'v1.1.1.1-1' }}-${{ matrix.abi }}.apk
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
       - name: Cache toolchains (Linux, OpenWrt, Android)
         uses: actions/cache@v4
         with:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache AFDO (Android)
         uses: actions/cache@v4
@@ -218,7 +222,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh
@@ -236,7 +240,7 @@ jobs:
         working-directory: apk
         env:
           APK_ABI: ${{ matrix.abi }}
-          APK_VERSION_NAME: ${{ github.event.release.tag_name || 'v1' }}
+          APK_VERSION_NAME: ${{ github.event.release.tag_name || 'v1.1.1.1-1' }}
           KEYSTORE_PASS: ${{ secrets.KEYSTORE_PASS }}
         run: |
           mkdir -p app/libs/$APK_ABI
@@ -256,7 +260,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   win:
     needs: cache-toolchains-win
-    runs-on: windows-2019
+    runs-on: windows-2022
     strategy:
       fail-fast: false
       matrix:
@@ -371,40 +375,6 @@ jobs:
         run: gh release upload "${GITHUB_REF##*/}" ${{ env.BUNDLE }}.tar.xz --clobber
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  ios:
-    needs: cache-toolchains-mac
-    runs-on: macos-13
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [arm64]
-    env:
-      EXTRA_FLAGS: 'target_cpu="${{ matrix.arch }}" target_os="ios" ios_enable_code_signing=false'
-      BUNDLE: naiveproxy-${{ github.event.release.tag_name }}-${{ github.job }}-${{ matrix.arch }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Cache toolchains and PGO
-        uses: actions/cache@v4
-        with:
-          path: |
-            src/third_party/llvm-build/Release+Asserts/
-            src/chrome/build/pgo_profiles/chrome-mac-*
-            src/gn/
-          key: toolchains-pgo-mac-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
-      - id: ccache-timestamp
-        run: echo "CCACHE_TIMESTAMP=$(date +%s)" >>$GITHUB_OUTPUT
-      - name: Cache ccache files
-        uses: actions/cache@v4
-        with:
-          path: ~/Library/Caches/ccache
-          key: ccache-ios-${{ matrix.arch }}-${{ hashFiles('CHROMIUM_VERSION') }}-${{ steps.ccache-timestamp.outputs.CCACHE_TIMESTAMP }}
-          restore-keys: ccache-ios-${{ matrix.arch }}-${{ hashFiles('CHROMIUM_VERSION') }}-
-      - run: brew install ninja ccache
-      - run: pip install setuptools
-      - run: ./get-clang.sh
-      - run: ccache -z
-      - run: ./build.sh
-      - run: ccache -s
   openwrt:
     needs: cache-toolchains-posix
     runs-on: ubuntu-22.04
@@ -416,7 +386,7 @@ jobs:
             openwrt: "target=x86 subtarget=64"
             target_cpu: x64
           - arch: x86
-            openwrt: "target=x86 subtarget=generic"
+            openwrt: "target=x86 subtarget=geode"
             target_cpu: x86
           - arch: aarch64_cortex-a53
             openwrt: "target=sunxi subtarget=cortexa53"
@@ -425,7 +395,9 @@ jobs:
           - arch: aarch64_cortex-a53-static
             openwrt: "target=sunxi subtarget=cortexa53"
             target_cpu: arm64
-            extra: 'arm_cpu="cortex-a53" build_static=true no_madvise_syscall=true'
+            extra: 'arm_cpu="cortex-a53" build_static=true use_allocator_shim=false use_partition_alloc=false'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: aarch64_cortex-a72
             openwrt: "target=mvebu subtarget=cortexa72"
             target_cpu: arm64
@@ -433,16 +405,26 @@ jobs:
           - arch: aarch64_cortex-a72-static
             openwrt: "target=mvebu subtarget=cortexa72"
             target_cpu: arm64
-            extra: 'arm_cpu="cortex-a72" build_static=true no_madvise_syscall=true'
+            extra: 'arm_cpu="cortex-a72" build_static=true use_allocator_shim=false use_partition_alloc=false'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
+          - arch: aarch64_cortex-a76
+            openwrt: "target=bcm27xx subtarget=bcm2712"
+            target_cpu: arm64
+            extra: 'arm_cpu="cortex-a76"'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: aarch64_generic
-            openwrt: "target=rockchip subtarget=armv8"
+            openwrt: "target=layerscape subtarget=armv8_64b"
             target_cpu: arm64
           - arch: aarch64_generic-static
-            openwrt: "target=rockchip subtarget=armv8"
+            openwrt: "target=layerscape subtarget=armv8_64b"
             target_cpu: arm64
-            extra: "build_static=true no_madvise_syscall=true"
+            extra: "build_static=true use_allocator_shim=false use_partition_alloc=false"
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_arm1176jzf-s_vfp
-            openwrt: "target=bcm27xx subtarget=bcm2708"
+            openwrt: "target=brcm2708 subtarget=bcm2708"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="arm1176jzf-s" arm_fpu="vfp" arm_float_abi="hard" arm_use_neon=false arm_use_thumb=false'
           - arch: arm_arm926ej-s
@@ -450,29 +432,35 @@ jobs:
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="arm926ej-s" arm_float_abi="soft" arm_use_neon=false arm_use_thumb=false'
           - arch: arm_cortex-a15_neon-vfpv4
-            openwrt: "target=armsr subtarget=armv7"
+            openwrt: "target=ipq806x subtarget=generic"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a15" arm_fpu="neon-vfpv4" arm_float_abi="hard" arm_use_neon=true'
           - arch: arm_cortex-a5_vfpv4
-            openwrt: "target=at91 subtarget=sama5"
+            openwrt: "target=at91 subtarget=sama5d3"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a5" arm_fpu="vfpv4" arm_float_abi="hard" arm_use_neon=false'
           - arch: arm_cortex-a7
             openwrt: "target=mediatek subtarget=mt7629"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a7" arm_float_abi="soft" arm_use_neon=false'
+            openwrt_release: '21.02.0'
+            openwrt_gcc_ver: '8.4.0'
           - arch: arm_cortex-a7_neon-vfpv4
             openwrt: "target=sunxi subtarget=cortexa7"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a7" arm_fpu="neon-vfpv4" arm_float_abi="hard" arm_use_neon=true'
+          - arch: arm_cortex-a7_neon-vfpv4-static
+            openwrt: "target=sunxi subtarget=cortexa7"
+            target_cpu: arm
+            extra: 'arm_version=0 arm_cpu="cortex-a7" arm_fpu="neon-vfpv4" arm_float_abi="hard" arm_use_neon=true build_static=true use_allocator_shim=false use_partition_alloc=false'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_cortex-a7_vfpv4
             openwrt: "target=at91 subtarget=sama7"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a7" arm_fpu="vfpv4" arm_float_abi="hard" arm_use_neon=false'
-          - arch: arm_cortex-a7_neon-vfpv4-static
+            openwrt_release: '22.03.0'
-            openwrt: "target=sunxi subtarget=cortexa7"
+            openwrt_gcc_ver: '11.2.0'
-            target_cpu: arm
-            extra: 'arm_version=0 arm_cpu="cortex-a7" arm_fpu="neon-vfpv4" arm_float_abi="hard" arm_use_neon=true build_static=true no_madvise_syscall=true'
           - arch: arm_cortex-a8_vfpv3
             openwrt: "target=sunxi subtarget=cortexa8"
             target_cpu: arm
@@ -484,13 +472,15 @@ jobs:
           - arch: arm_cortex-a9-static
             openwrt: "target=bcm53xx subtarget=generic"
             target_cpu: arm
-            extra: 'arm_version=0 arm_cpu="cortex-a9" arm_float_abi="soft" arm_use_neon=false build_static=true no_madvise_syscall=true'
+            extra: 'arm_version=0 arm_cpu="cortex-a9" arm_float_abi="soft" arm_use_neon=false build_static=true use_allocator_shim=false use_partition_alloc=false'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: arm_cortex-a9_neon
-            openwrt: "target=zynq subtarget=generic"
+            openwrt: "target=imx6 subtarget=generic"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a9" arm_fpu="neon" arm_float_abi="hard" arm_use_neon=true'
           - arch: arm_cortex-a9_vfpv3-d16
-            openwrt: "target=tegra subtarget=generic"
+            openwrt: "target=mvebu subtarget=cortexa9"
             target_cpu: arm
             extra: 'arm_version=0 arm_cpu="cortex-a9" arm_fpu="vfpv3-d16" arm_float_abi="hard" arm_use_neon=false'
           - arch: arm_mpcore
@@ -508,17 +498,26 @@ jobs:
           - arch: mipsel_24kc-static
             openwrt: "target=ramips subtarget=rt305x"
             target_cpu: mipsel
-            extra: 'mips_arch_variant="r2" mips_float_abi="soft" build_static=true no_madvise_syscall=true'
+            extra: 'mips_arch_variant="r2" mips_float_abi="soft" build_static=true use_allocator_shim=false use_partition_alloc=false'
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
           - arch: mipsel_mips32
-            openwrt: "target=bcm47xx subtarget=generic"
+            openwrt: "target=brcm47xx subtarget=legacy"
             target_cpu: mipsel
             extra: 'mips_arch_variant="r1" mips_float_abi="soft"'
           - arch: riscv64
             openwrt: "target=sifiveu subtarget=generic"
             target_cpu: riscv64
+            openwrt_release: '23.05.0'
+            openwrt_gcc_ver: '12.3.0'
+          - arch: loongarch64
+            openwrt: "target=loongarch64 subtarget=generic"
+            target_cpu: loong64
+            openwrt_release: '24.10.0'
+            openwrt_gcc_ver: '13.3.0'
     env:
-      EXTRA_FLAGS: target_cpu="${{ matrix.target_cpu }}" target_os="openwrt" ${{ matrix.extra }}
+      EXTRA_FLAGS: target_cpu="${{ matrix.target_cpu }}" target_os="openwrt" ${{ matrix.extra }} enable_shadow_metadata=false
-      OPENWRT_FLAGS: arch=${{ matrix.arch }} release=23.05.0 gcc_ver=12.3.0 ${{ matrix.openwrt }}
+      OPENWRT_FLAGS: arch=${{ matrix.arch }} release=${{ matrix.openwrt_release || '18.06.0' }} gcc_ver=${{ matrix.openwrt_gcc_ver || '7.3.0' }} ${{ matrix.openwrt }}
       BUNDLE: naiveproxy-${{ github.event.release.tag_name }}-${{ github.job }}-${{ matrix.arch }}
     steps:
       - uses: actions/checkout@v4
@@ -528,7 +527,7 @@ jobs:
           path: |
             src/third_party/llvm-build/Release+Asserts/
             src/gn/
-            src/qemu-user-static*.deb
+            src/qemu-user*.deb
           key: toolchains-posix-${{ hashFiles('CHROMIUM_VERSION') }}-v${{ env.CACHE_EPOCH }}
       - name: Cache PGO (Linux, OpenWrt)
         uses: actions/cache@v4
@@ -553,7 +552,7 @@ jobs:
           sudo apt update
           sudo apt install ninja-build pkg-config ccache bubblewrap
           sudo apt remove -y qemu-user-binfmt
-          sudo dpkg -i qemu-user-static*.deb
+          sudo dpkg -i qemu-user*.deb
           # libc6-i386 interferes with x86 build
           sudo apt remove libc6-i386
       - run: ./get-clang.sh

CHROMIUM_VERSION

@@ -1 +1 @@
-128.0.6613.40
+135.0.7049.38

README.md

@@ -21,7 +21,7 @@ The Naïve server here works as a forward proxy and a packet length padding laye
 
 ## Download NaïveProxy
 
-Download [here](https://github.com/klzgrad/naiveproxy/releases/latest). Supported platforms include: Windows, Android (with [NekoBox](https://github.com/MatsuriDayo/NekoBoxForAndroid)), Linux, Mac OS, and OpenWrt ([support status](https://github.com/klzgrad/naiveproxy/wiki/OpenWrt-Support)).
+Download [here](https://github.com/klzgrad/naiveproxy/releases/latest). Supported platforms include: Windows, Android (with [Exclave](https://github.com/dyhkwong/Exclave), [husi](https://github.com/xchacha20-poly1305/husi), [NekoBox](https://github.com/MatsuriDayo/NekoBoxForAndroid)), Linux, Mac OS, and OpenWrt ([support status](https://github.com/klzgrad/naiveproxy/wiki/OpenWrt-Support)).
 
 Users should always use the latest version to keep signatures identical to Chrome.
 
@@ -79,10 +79,7 @@ Or `quic://user:pass@example.com`, if it works better. See also [parameter usage
 
 ## Third-party integration
 
-* [v2rayN](https://github.com/2dust/v2rayN), GUI client, Windows
+* [v2rayN](https://github.com/2dust/v2rayN), GUI client
-* [NekoBox for Android](https://github.com/MatsuriDayo/NekoBoxForAndroid), Proxy toolchain, Android
-* [NekoRay / NekoBox For PC](https://github.com/MatsuriDayo/nekoray), Qt based GUI, Windows, Linux
-* [Yet Another Shadow Socket](https://github.com/Chilledheart/yass), NaïveProxy-compatible forward proxy, Android, iOS, Windows, macOS, Linux, FreeBSD 
 
 ## Notes for downstream
 
@@ -114,7 +111,7 @@ Further reads and writes after `kFirstPaddings` are unpadded to avoid performanc
 
 ### H2 RST_STREAM frame padding
 
-In experiments, NaïveProxy tends to send too many RST_STREAM frames per session, an uncommon behavior from regular browsers. To solve this, an END_STREAM DATA frame padded with total length distributed in [48, 72] is prepended to the RST_STREAM frame so it looks like a HEADERS frame. The server often replies to this with a WINDOW_UPDATE because padding is accounted in flow control. Whether this results in a new uncommon behavior is still unclear. 
+In experiments, NaïveProxy tends to send too many RST_STREAM frames per session, an uncommon behavior from regular browsers. To solve this, an END_STREAM DATA frame padded with total length distributed in [48, 72] is prepended to the RST_STREAM frame so it looks like a HEADERS frame. The server often replies to this with a WINDOW_UPDATE because padding is accounted in flow control. Whether this results in a new uncommon behavior is still unclear.
 
 ### H2 HEADERS frame padding
 
@@ -130,7 +127,7 @@ The first CONNECT request to a server cannot use "Fast Open" to send payload bef
 
 ## Changes from Chromium upstream
 
-- Minimize source code and build size (1% of the original)
+- Minimize source code and build size (0.3% of the original)
 - Disable exceptions and RTTI, except on Mac and Android.
 - Support OpenWrt builds
 - (Android, Linux) Use the builtin verifier instead of the system verifier (drop dependency of NSS on Linux) and read the system trust store from (following Go's behavior in crypto/x509/root_unix.go and crypto/x509/root_linux.go):

apk/.gitignore

@@ -1,2 +1,3 @@
 .gradle/
 app/build/
+app/libs/

apk/app/build.gradle.kts

@@ -4,7 +4,7 @@ plugins {
 }
 
 android {
-    namespace = "moe.matsuri.exe.naive"
+    namespace = "io.nekohasekai.sagernet.plugin.naive"
 
     signingConfigs {
         create("release") {
@@ -17,23 +17,21 @@ android {
 
     buildTypes {
         getByName("release") {
-            proguardFiles(
-                getDefaultProguardFile("proguard-android-optimize.txt"),
-                file("proguard-rules.pro")
-            )
             isMinifyEnabled = true
             signingConfig = signingConfigs.getByName("release")
         }
     }
 
-    compileSdk = 33
+    buildToolsVersion = "35.0.0"
+
+    compileSdk = 35
 
     defaultConfig {
-        minSdk = 21
+        minSdk = 24
-        targetSdk = 33
+        targetSdk = 35
 
-        applicationId = "moe.matsuri.exe.naive"
+        applicationId = "io.nekohasekai.sagernet.plugin.naive"
-        versionCode = System.getenv("APK_VERSION_NAME").removePrefix("v").split(".")[0].toInt()
+        versionCode = System.getenv("APK_VERSION_NAME").removePrefix("v").split(".")[0].toInt() * 10 + System.getenv("APK_VERSION_NAME").removePrefix("v").split("-")[1].toInt()
         versionName = System.getenv("APK_VERSION_NAME").removePrefix("v")
         splits.abi {
             isEnable = true
@@ -44,12 +42,8 @@ android {
     }
 
     compileOptions {
-        sourceCompatibility = JavaVersion.VERSION_1_8
+        sourceCompatibility = JavaVersion.VERSION_17
-        targetCompatibility = JavaVersion.VERSION_1_8
+        targetCompatibility = JavaVersion.VERSION_17
-    }
-
-    kotlinOptions {
-        jvmTarget = "1.8"
     }
 
     lint {
@@ -59,6 +53,10 @@ android {
         warningsAsErrors = true
     }
 
+    packaging {
+        jniLibs.useLegacyPackaging = true
+    }
+
     applicationVariants.all {
         outputs.all {
             this as com.android.build.gradle.internal.api.BaseVariantOutputImpl

apk/app/src/main/AndroidManifest.xml

@@ -13,13 +13,12 @@
 
     <application
         android:allowBackup="false"
-        android:extractNativeLibs="true"
         android:icon="@mipmap/ic_launcher"
-        android:label="Naïve For NekoBox"
+        android:label="Naïve Plugin"
         android:roundIcon="@mipmap/ic_launcher_round">
         <provider
             android:name=".BinaryProvider"
-            android:authorities="moe.matsuri.exe.naive.BinaryProvider"
+            android:authorities="io.nekohasekai.sagernet.plugin.naive.BinaryProvider"
             android:directBootAware="true"
             android:exported="true"
             tools:ignore="ExportedContentProvider">
@@ -29,7 +28,7 @@
             <intent-filter>
                 <action android:name="io.nekohasekai.sagernet.plugin.ACTION_NATIVE_PLUGIN" />
                 <data
-                    android:host="moe.matsuri.lite"
+                    android:host="io.nekohasekai.sagernet"
                     android:path="/naive-plugin"
                     android:scheme="plugin" />
             </intent-filter>

apk/app/src/main/java/io/nekohasekai/sagernet/plugin/naive/BinaryProvider.kt

@@ -17,7 +17,7 @@
  *                                                                            *
  ******************************************************************************/
 
-package moe.matsuri.exe.naive
+package io.nekohasekai.sagernet.plugin.naive
 
 import android.net.Uri
 import android.os.ParcelFileDescriptor

apk/build.gradle

@@ -5,8 +5,8 @@ buildscript {
         mavenCentral()
     }
     dependencies {
-        classpath 'com.android.tools.build:gradle:7.3.1'
+        classpath 'com.android.tools.build:gradle:8.6.0'
-        classpath 'org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.10'
+        classpath 'org.jetbrains.kotlin:kotlin-gradle-plugin:2.0.20'
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files

apk/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
-#Thu Jan 27 22:42:44 HKT 2022
 distributionBase=GRADLE_USER_HOME
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip
 distributionPath=wrapper/dists
-zipStorePath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists

apk/gradlew

@@ -1,7 +1,7 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 #
-# Copyright 2015 the original author or authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,69 +15,104 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
-##
+#
-##  Gradle start up script for UN*X
+#   Gradle start up script for POSIX generated by Gradle.
-##
+#
+#   Important for running:
+#
+#   (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+#       noncompliant, but you have some other compliant shell such as ksh or
+#       bash, then to run this script, type that shell name before the whole
+#       command line, like:
+#
+#           ksh Gradle
+#
+#       Busybox and similar reduced shells will NOT work, because this script
+#       requires all of these POSIX shell features:
+#         * functions;
+#         * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+#           «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+#         * compound commands having a testable exit status, especially «case»;
+#         * various built-in commands including «command», «set», and «ulimit».
+#
+#   Important for patching:
+#
+#   (2) This script targets any POSIX shell, so it avoids extensions provided
+#       by Bash, Ksh, etc; in particular arrays are avoided.
+#
+#       The "traditional" practice of packing multiple parameters into a
+#       space-separated string is a well documented source of bugs and security
+#       problems, so this is (mostly) avoided, by progressively accumulating
+#       options in "$@", and eventually passing that to Java.
+#
+#       Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+#       and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+#       see the in-line comments for details.
+#
+#       There are tweaks for specific operating systems such as AIX, CygWin,
+#       Darwin, MinGW, and NonStop.
+#
+#   (3) This script is generated from the Groovy template
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       within the Gradle project.
+#
+#       You can find Gradle at https://github.com/gradle/gradle/.
+#
 ##############################################################################
 
 # Attempt to set APP_HOME
+
 # Resolve links: $0 may be a link
-PRG="$0"
+app_path=$0
-# Need this for relative symlinks.
+
-while [ -h "$PRG" ] ; do
+# Need this for daisy-chained symlinks.
-    ls=`ls -ld "$PRG"`
+while
-    link=`expr "$ls" : '.*-> \(.*\)$'`
+    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
-    if expr "$link" : '/.*' > /dev/null; then
+    [ -h "$app_path" ]
-        PRG="$link"
+do
-    else
+    ls=$( ls -ld "$app_path" )
-        PRG=`dirname "$PRG"`"/$link"
+    link=${ls#*' -> '}
-    fi
+    case $link in             #(
+      /*)   app_path=$link ;; #(
+      *)    app_path=$APP_HOME$link ;;
+    esac
 done
-SAVED="`pwd`"
-cd "`dirname \"$PRG\"`/" >/dev/null
-APP_HOME="`pwd -P`"
-cd "$SAVED" >/dev/null
 
-APP_NAME="Gradle"
+# This is normally unused
-APP_BASE_NAME=`basename "$0"`
+# shellcheck disable=SC2034
-
+APP_BASE_NAME=${0##*/}
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
-MAX_FD="maximum"
+MAX_FD=maximum
 
 warn () {
     echo "$*"
-}
+} >&2
 
 die () {
     echo
     echo "$*"
     echo
     exit 1
-}
+} >&2
 
 # OS specific support (must be 'true' or 'false').
 cygwin=false
 msys=false
 darwin=false
 nonstop=false
-case "`uname`" in
+case "$( uname )" in                #(
-  CYGWIN* )
+  CYGWIN* )         cygwin=true  ;; #(
-    cygwin=true
+  Darwin* )         darwin=true  ;; #(
-    ;;
+  MSYS* | MINGW* )  msys=true    ;; #(
-  Darwin* )
+  NONSTOP* )        nonstop=true ;;
-    darwin=true
-    ;;
-  MINGW* )
-    msys=true
-    ;;
-  NONSTOP* )
-    nonstop=true
-    ;;
 esac
 
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
@@ -87,9 +122,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 if [ -n "$JAVA_HOME" ] ; then
     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
         # IBM's JDK on AIX uses strange locations for the executables
-        JAVACMD="$JAVA_HOME/jre/sh/java"
+        JAVACMD=$JAVA_HOME/jre/sh/java
     else
-        JAVACMD="$JAVA_HOME/bin/java"
+        JAVACMD=$JAVA_HOME/bin/java
     fi
     if [ ! -x "$JAVACMD" ] ; then
         die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
@@ -98,88 +133,120 @@ Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
     fi
 else
-    JAVACMD="java"
+    JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
-if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
-    MAX_FD_LIMIT=`ulimit -H -n`
+    case $MAX_FD in #(
-    if [ $? -eq 0 ] ; then
+      max*)
-        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-            MAX_FD="$MAX_FD_LIMIT"
+        # shellcheck disable=SC2039,SC3045
-        fi
+        MAX_FD=$( ulimit -H -n ) ||
-        ulimit -n $MAX_FD
+            warn "Could not query maximum file descriptor limit"
-        if [ $? -ne 0 ] ; then
+    esac
-            warn "Could not set maximum file descriptor limit: $MAX_FD"
+    case $MAX_FD in  #(
-        fi
+      '' | soft) :;; #(
-    else
+      *)
-        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-    fi
+        # shellcheck disable=SC2039,SC3045
-fi
+        ulimit -n "$MAX_FD" ||
-
+            warn "Could not set maximum file descriptor limit to $MAX_FD"
-# For Darwin, add options to specify how the application appears in the dock
-if $darwin; then
-    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
-fi
-
-# For Cygwin or MSYS, switch paths to Windows format before running java
-if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
-    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
-    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
-
-    JAVACMD=`cygpath --unix "$JAVACMD"`
-
-    # We build the pattern for arguments to be converted via cygpath
-    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
-    SEP=""
-    for dir in $ROOTDIRSRAW ; do
-        ROOTDIRS="$ROOTDIRS$SEP$dir"
-        SEP="|"
-    done
-    OURCYGPATTERN="(^($ROOTDIRS))"
-    # Add a user-defined pattern to the cygpath arguments
-    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
-        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
-    fi
-    # Now convert the arguments - kludge to limit ourselves to /bin/sh
-    i=0
-    for arg in "$@" ; do
-        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
-        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
-
-        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
-            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
-        else
-            eval `echo args$i`="\"$arg\""
-        fi
-        i=`expr $i + 1`
-    done
-    case $i in
-        0) set -- ;;
-        1) set -- "$args0" ;;
-        2) set -- "$args0" "$args1" ;;
-        3) set -- "$args0" "$args1" "$args2" ;;
-        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
-# Escape application args
+# Collect all arguments for the java command, stacking in reverse order:
-save () {
+#   * args from the command line
-    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+#   * the main class name
-    echo " "
+#   * -classpath
-}
+#   * -D...appname settings
-APP_ARGS=`save "$@"`
+#   * --module-path (only if needed)
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
 
-# Collect all arguments for the java command, following the shell quoting and substitution rules
+# For Cygwin or MSYS, switch paths to Windows format before running java
-eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+if "$cygwin" || "$msys" ; then
+    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+    JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    for arg do
+        if
+            case $arg in                                #(
+              -*)   false ;;                            # don't mess with options #(
+              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
+                    [ -e "$t" ] ;;                      #(
+              *)    false ;;
+            esac
+        then
+            arg=$( cygpath --path --ignore --mixed "$arg" )
+        fi
+        # Roll the args list around exactly as many times as the number of
+        # args, so each arg winds up back in the position where it started, but
+        # possibly modified.
+        #
+        # NB: a `for` loop captures its iteration list before it begins, so
+        # changing the positional parameters here affects neither the number of
+        # iterations, nor the values presented in `arg`.
+        shift                   # remove old arg
+        set -- "$@" "$arg"      # push replacement arg
+    done
+fi
+
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
+
+set -- \
+        "-Dorg.gradle.appname=$APP_BASE_NAME" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
+        "$@"
+
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+#   readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+#   set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+        printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+        xargs -n1 |
+        sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+        tr '\n' ' '
+    )" '"$@"'
 
 exec "$JAVACMD" "$@"

apk/gradlew.bat

@@ -0,0 +1,94 @@
+@rem
+@rem Copyright 2015 the original author or authors.
+@rem
+@rem Licensed under the Apache License, Version 2.0 (the "License");
+@rem you may not use this file except in compliance with the License.
+@rem You may obtain a copy of the License at
+@rem
+@rem      https://www.apache.org/licenses/LICENSE-2.0
+@rem
+@rem Unless required by applicable law or agreed to in writing, software
+@rem distributed under the License is distributed on an "AS IS" BASIS,
+@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+@rem See the License for the specific language governing permissions and
+@rem limitations under the License.
+@rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
+
+@if "%DEBUG%"=="" @echo off
+@rem ##########################################################################
+@rem
+@rem  Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+set DIRNAME=%~dp0
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if %ERRORLEVEL% equ 0 goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto execute
+
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
+
+goto fail
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+
+:end
+@rem End local scope for the variables with windows NT shell
+if %ERRORLEVEL% equ 0 goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+set EXIT_CODE=%ERRORLEVEL%
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega

apk/settings.gradle

@@ -5,6 +5,6 @@ dependencyResolutionManagement {
         mavenCentral()
     }
 }
-rootProject.name = "Matsuri Plugins"
+rootProject.name = "Naive Plugin"
 
 include ':app'

src/.clang-format

@@ -28,10 +28,10 @@ IncludeCategories:
   # LINT.IfChange(winheader)
   - Regex:           '^<objbase\.h>' # This has to be before initguid.h.
     Priority:        1
-  - Regex:           '^<(initguid|mmdeviceapi|windows|winsock2|ws2tcpip|shobjidl|atlbase|ole2|unknwn|tchar|ocidl)\.h>'
+  - Regex:           '^<(atlbase|initguid|mmdeviceapi|ocidl|ole2|shobjidl|tchar|unknwn|windows|winsock2|winternl|ws2tcpip)\.h>'
     Priority:        2
   # LINT.ThenChange(/tools/add_header.py:winheader)
-  # UIAutomation*.h need to be after base/win/atl.h.
+  # UIAutomation*.h needs to be after base/win/atl.h.
   # Note the low priority number.
   - Regex:           '^<UIAutomation.*\.h>'
     Priority:        6
@@ -39,8 +39,11 @@ IncludeCategories:
   - Regex:           '^<.*\.h>'
     Priority:        3
   # C++ standard library headers.
-  - Regex:           '^<.*'
+  - Regex:           '^<.*>'
     Priority:        4
+  # windows_h_disallowed.h should appear last. Note the low priority number.
+  - Regex:           '"(.*/)?windows_h_disallowed\.h"'
+    Priority:        7
   # Other libraries.
   - Regex:           '.*'
     Priority:        5

src/.gn

@@ -90,7 +90,7 @@ no_check_targets = [
   "//v8:v8_libplatform",  # 2 errors
 ]
 
-# These are the list of GN files that run exec_script. This whitelist exists
+# These are the list of GN files that run exec_script. This allowlist exists
 # to force additional review for new uses of exec_script, which is strongly
 # discouraged.
 #
@@ -145,11 +145,11 @@ no_check_targets = [
 #      this situation much easier to create. if the build always lists the
 #      files and passes them to a script, it will always be correct.
 
-exec_script_whitelist =
+exec_script_allowlist =
-    build_dotfile_settings.exec_script_whitelist +
+    build_dotfile_settings.exec_script_allowlist +
     angle_dotfile_settings.exec_script_whitelist +
     [
-      # Whitelist entries for //build should go into
+      # Allowlist entries for //build should go into
       # //build/dotfile_settings.gni instead, so that they can be shared
       # with other repos. The entries in this list should be only for files
       # in the Chromium repo outside of //build.

src/AUTHORS

@@ -17,6 +17,7 @@ Aaron Jacobs <samusaaron3@gmail.com>
 Aaron Leventhal <aaronlevbugs@gmail.com>
 Aaron Randolph <aaron.randolph@gmail.com>
 Aaryaman Vasishta <jem456.vasishta@gmail.com>
+AbdAlRahman Gad <abdobngad@gmail.com>
 Abdu Ameen <abdu.ameen000@gmail.com>
 Abdullah Abu Tasneem <a.tasneem@samsung.com>
 Abhijeet Kandalkar <abhijeet.k@samsung.com>
@@ -48,6 +49,7 @@ Ahmed Elwasefi <a.m.elwasefi@gmail.com>
 Ahmet Emir Ercin <ahmetemiremir@gmail.com>
 Aidarbek Suleimenov <suleimenov.aidarbek@gmail.com>
 Aiden Grossman <aidengrossmanpso@gmail.com>
+Airing Deng <airingdeng@gmail.com>
 Ajay Berwal <a.berwal@samsung.com>
 Ajay Berwal <ajay.berwal@samsung.com>
 Ajay Sharma <ajay.sh@samsung.com>
@@ -116,6 +118,7 @@ Andreas Papacharalampous <andreas@apap04.com>
 Andrei Borza <andrei.borza@gmail.com>
 Andrei Parvu <andrei.prv@gmail.com>
 Andrei Parvu <parvu@adobe.com>
+Andrei Volykhin <andrei.volykhin@gmail.com>
 Andres Salomon <dilinger@queued.net>
 Andreu Botella <andreu@andreubotella.com>
 Andrew Boyarshin <andrew.boyarshin@gmail.com>
@@ -191,6 +194,7 @@ Ben Noordhuis <ben@strongloop.com>
 Benedek Heilig <benecene@gmail.com>
 Benjamin Dupont <bedupont@cisco.com>
 Benjamin Jemlich <pcgod99@gmail.com>
+Beomsik Min <beomsikm@gmail.com>
 Bernard Cafarelli <voyageur@gentoo.org>
 Bernhard M. Wiedemann <bwiedemann@suse.de>
 Bert Belder <bertbelder@gmail.com>
@@ -236,6 +240,7 @@ Cameron Gutman <aicommander@gmail.com>
 Camille Viot <viot.camille@outlook.com>
 Can Liu <peter.can.liu@gmail.com>
 Carlos Santa <carlos.santa@intel.com>
+Casey Primozic <me@ameo.link>
 Catalin Badea <badea@adobe.com>
 Cathie Chen <cathiechen@tencent.com>
 Cem Kocagil <cem.kocagil@gmail.com>
@@ -275,6 +280,7 @@ Chris Szurgot <szurgotc@amazon.com>
 Chris Tserng <tserng@amazon.com>
 Chris Vasselli <clindsay@gmail.com>
 Chris Ye <hawkoyates@gmail.com>
+Christian Liebel <christianliebel@gmail.com>
 Christoph Staengle <christoph142@gmx.com>
 Christophe Dumez <ch.dumez@samsung.com>
 Christopher Dale <chrelad@gmail.com>
@@ -307,6 +313,7 @@ Daniel Lockyer <thisisdaniellockyer@gmail.com>
 Daniel Nishi <dhnishi@gmail.com>
 Daniel Platz <daplatz@googlemail.com>
 Daniel Playfair Cal <daniel.playfair.cal@gmail.com>
+Daniel Richard G. <iskunk@gmail.com>
 Daniel Shaulov <dshaulov@ptc.com>
 Daniel Trebbien <dtrebbien@gmail.com>
 Daniel Waxweiler <daniel.waxweiler@gmail.com>
@@ -318,13 +325,16 @@ Danny Weiss <danny.weiss.fr@gmail.com>
 Danylo Boiko <danielboyko02@gmail.com>
 Daoming Qiu <daoming.qiu@intel.com>
 Darik Harter <darik.harter@gmail.com>
+Darryl Pogue <darryl@dpogue.ca>
 Darshan Sen <raisinten@gmail.com>
 Darshini KN <kn.darshini@samsung.com>
 Dave Vandyke <kzar@kzar.co.uk>
 David Benjamin <davidben@mit.edu>
 David Brown <develop.david.brown@gmail.com>
+David Cernoch <dcernoch@uplandsoftware.com>
 David Davidovic <david@davidovic.io>
 David Erceg <erceg.david@gmail.com>
+David Faden <dfaden@gmail.com>
 David Fox <david@davidjfox.com>
 David Futcher <david.mike.futcher@gmail.com>
 David Jin <davidjin@amazon.com>
@@ -333,6 +343,7 @@ David Leen <davileen@amazon.com>
 David Manouchehri <david@davidmanouchehri.com>
 David McAllister <mcdavid@amazon.com>
 David Michael Barr <david.barr@samsung.com>
+David Redondo <kde@david-redondo.de>
 David Sanders <dsanders11@ucsbalum.com>
 David Spellman <dspell@amazon.com>
 David Valachovic <adenflorian@gmail.com>
@@ -340,6 +351,7 @@ Dax Kelson <dkelson@gurulabs.com>
 Dean Leitersdorf <dean.leitersdorf@gmail.com>
 Debadree Chatterjee <debadree333@gmail.com>
 Debashish Samantaray <d.samantaray@samsung.com>
+Debin Zhang <debinzhang3@gmail.com>
 Debug Wang <debugwang@tencent.com>
 Deep Shah <deep.shah@samsung.com>
 Deepak Dilip Borade <deepak.db@samsung.com>
@@ -359,6 +371,7 @@ Diana Suvorova <diana.suvorova@gmail.com>
 Diego Fernández Santos <agujaydedal@gmail.com>
 Diego Ferreiro Val <elfogris@gmail.com>
 Dillon Sellars <dill.sellars@gmail.com>
+Dingming Liu <liudingming@bytedance.com>
 Divya Bansal <divya.bansal@samsung.com>
 Dmitry Shachnev <mitya57@gmail.com>
 Dmitry Sokolov <dimanne@gmail.com>
@@ -495,6 +508,7 @@ Hansel Lee <mr.hansel.lee@gmail.com>
 Hanwen Zheng <eserinc.z@gmail.com>
 Hao Li <hao.x.li@intel.com>
 Haojian Wu <hokein.wu@gmail.com>
+Haoran Tang <haoran.tang.personal@gmail.com>
 Haoxuan Zhang <zhanghaoxuan.59@bytedance.com>
 Hari Singh <hari.singh1@samsung.com>
 Harpreet Singh Khurana <harpreet.sk@samsung.com>
@@ -568,6 +582,7 @@ Ivan Naydonov <samogot@gmail.com>
 Ivan Pavlotskiy <ivan.pavlotskiy@lgepartner.com>
 Ivan Sham <ivansham@amazon.com>
 Ivan Sidorov <ivansid@gmail.com>
+Jacek Fedoryński <jfedor@gmail.com>
 Jack Bates <jack@nottheoilrig.com>
 Jack Shi <flystone2020@gmail.com>
 Jackson Loeffler <j@jloeffler.com>
@@ -575,11 +590,13 @@ Jacky Hu <flameddd@gmail.com>
 Jacob Clark <jacob.jh.clark@googlemail.com>
 Jacob Mandelson <jacob@mandelson.org>
 Jaehun Lim <ljaehun.lim@samsung.com>
+Jaehyun Chung <jaehyun.chung@amd.com>
 Jaehyun Ko <jaehyun.dev@gmail.com>
 Jaehyun Lee <j-hyun.lee@samsung.com>
 Jaekyeom Kim <btapiz@gmail.com>
 Jaemin Seo <jaemin86.seo@samsung.com>
 Jaemo Koo <jaemok@amazon.com>
+Jaemo Koo <koo2434@gmail.com>
 Jaeseok Yoon <yjaeseok@gmail.com>
 Jaewon Choi <jaewon.james.choi@gmail.com>
 Jaewon Jung <jw.jung@navercorp.com>
@@ -594,6 +611,7 @@ Jakob Weigert <jakob.j.w@googlemail.com>
 Jakub Machacek <xtreit@gmail.com>
 James Burton <jb@0.me.uk>
 James Choi <jchoi42@pha.jhu.edu>
+James Crosby <crosby.james@gmail.com>
 James Raphael Tiovalen <jamestiotio@gmail.com>
 James Stanley <james@apphaus.co.uk>
 James Vega <vega.james@gmail.com>
@@ -612,8 +630,10 @@ Jared Wein <weinjared@gmail.com>
 Jari Karppanen <jkarp@amazon.com>
 Jason Gronn <jasontopia03@gmail.com>
 Javayhu <javayhu@gmail.com>
+Jay Kapadia <jaykapadia389@gmail.com>
 Jay Oster <jay@kodewerx.org>
 Jay Soffian <jaysoffian@gmail.com>
+Jay Yang <sjyang1126@gmail.com>
 Jeado Ko <haibane84@gmail.com>
 Jeffrey C <jeffreyca16@gmail.com>
 Jeffrey Yeung <jeffrey.yeung@poly.com>
@@ -702,6 +722,7 @@ JongKwon Lee <jongkwon.lee@navercorp.com>
 Jongmok Kim <jongmok.kim@navercorp.com>
 Jongmok Kim <johny.kimc@gmail.com>
 Jongsoo Lee <leejongsoo@gmail.com>
+Joonas Halinen <joonashalinen@outlook.com>
 Joone Hur <joone.hur@intel.com>
 Joonghun Park <pjh0718@gmail.com>
 Jorge Villatoro <jorge@tomatocannon.com>
@@ -711,6 +732,7 @@ Joseph Lolak <joseph.lolak@samsung.com>
 Josh Triplett <josh.triplett@intel.com>
 Josh Triplett <josh@joshtriplett.org>
 Joshua Lock <joshua.lock@intel.com>
+Joshua Olaoye <joshuaolaoye46@gmail.com>
 Joshua Roesslein <jroesslein@gmail.com>
 Josué Ratelle <jorat1346@gmail.com>
 Josyula Venkat Narasimham <venkat.nj@samsung.com>
@@ -745,7 +767,7 @@ Jüri Valdmann <juri.valdmann@qt.io>
 Juyoung Kim <chattank05@gmail.com>
 Jingge Yu <jinggeyu423@gmail.com>
 Jing Peiyang <jingpeiyang@eswincomputing.com>
-Jinli Wu <wujinli.cn@gmail.com>
+Jinli Wu <wujinli@bytedance.com>
 K. M. Merajul Arefin <m.arefin@samsung.com>
 Kai Jiang <jiangkai@gmail.com>
 Kai Köhne <kai.koehne@qt.io>
@@ -760,6 +782,7 @@ Kangyuan Shu <kangyuan.shu@intel.com>
 Karan Thakkar <karanjthakkar@gmail.com>
 Karel Král <kralkareliv@gmail.com>
 Karl <karlpolicechromium@gmail.com>
+Karl Piper <karl4piper@gmail.com>
 Kartikey Bhatt <kartikey@amazon.com>
 Kaspar Brand <googlecontrib@velox.ch>
 Kaushalendra Mishra <k.mishra@samsung.com>
@@ -786,6 +809,8 @@ Ketan Goyal <ketan.goyal@samsung.com>
 Kevin Gibbons <bakkot@gmail.com>
 Kevin Lee Helpingstine <sig11@reprehensible.net>
 Kevin M. McCormick <mckev@amazon.com>
+Kexy Biscuit <kexybiscuit@aosc.io>
+Kexy Biscuit <kexybiscuit@gmail.com>
 Keyou <qqkillyou@gmail.com>
 Khasim Syed Mohammed <khasim.mohammed@linaro.org>
 Khem Raj <raj.khem@gmail.com>
@@ -821,6 +846,7 @@ Kyungtae Kim <ktf.kim@samsung.com>
 Kyungyoung Heo <bbvch13531@gmail.com>
 Kyutae Lee <gorisanson@gmail.com>
 Lalit Chandivade <lalit.chandivade@einfochips.com>
+Lalit Rana <lalitrn44@gmail.com>
 Lam Lu <lamlu@amazon.com>
 Laszlo Gombos <l.gombos@samsung.com>
 Laszlo Radanyi <bekkra@gmail.com>
@@ -850,6 +876,7 @@ Lin Peng <penglin220@gmail.com>
 Lin Peng <penglin22@huawei.com>
 Lingqi Chi <someway.bit@gmail.com>
 Lingyun Cai <lingyun.cai@intel.com>
+Linnan Li <lilinnan0903@gmail.com>
 Lionel Landwerlin <lionel.g.landwerlin@intel.com>
 Lisha Guo <lisha.guo@intel.com>
 Lizhi Fan <lizhi.fan@samsung.com>
@@ -885,6 +912,7 @@ Malcolm Wang <malcolm.2.wang@gmail.com>
 Mallikarjuna Rao V <vm.arjun@samsung.com>
 Manish Chhajer <chhajer.m@samsung.com>
 Manish Jethani <m.jethani@eyeo.com>
+Manjunath Babu <10manju@gmail.com>
 Manojkumar Bhosale <manojkumar.bhosale@imgtec.com>
 Manuel Braun <thembrown@gmail.com>
 Manuel Lagana <manuel.lagana.dev@gmail.com>
@@ -914,6 +942,7 @@ Martin Persson <mnpn03@gmail.com>
 Martin Rogalla <martin@martinrogalla.com>
 Martina Kollarova <martina.kollarova@intel.com>
 Martino Fontana <tinozzo123@gmail.com>
+Marvin Giessing <marvin.giessing@gmail.com>
 Masahiro Yado <yado.masa@gmail.com>
 Masaru Nishida <msr.i386@gmail.com>
 Masayuki Wakizaka <mwakizaka0108@gmail.com>
@@ -923,6 +952,8 @@ Mathias Bynens <mathias@qiwi.be>
 Mathieu Meisser <mmeisser@logitech.com>
 Matt Arpidone <mma.public@gmail.com>
 Matt Fysh <mattfysh@gmail.com>
+Matt Harding <majaharding@gmail.com>
+Matt Jolly <kangie@gentoo.org>
 Matt Strum <mstrum@amazon.com>
 Matt Zeunert <matt@mostlystatic.com>
 Matthew "strager" Glazar <strager.nds@gmail.com>
@@ -946,16 +977,19 @@ Mc Zeng <zengmcong@gmail.com>
 Md Abdullah Al Alamin <a.alamin.cse@gmail.com>
 Md. Hasanur Rashid <hasanur.r@samsung.com>
 Md Hasibul Hasan <hasibulhasan873@gmail.com>
+Md Hasibul Hasan <hasibul.h@samsung.com>
 Md Jobed Hossain <jobed.h@samsung.com>
 Md Raiyan bin Sayeed <mrbsayee@uwaterloo.ca>
 Md. Sadiqul Amin <sadiqul.amin@samsung.com>
 Md Sami Uddin <md.sami@samsung.com>
+Mego Tan <tannal2409@gmail.com>
 Merajul Arefin <merajularefin@gmail.com>
 Micha Hanselmann <micha.hanselmann@gmail.com>
 Michael Cirone <mikecirone@gmail.com>
 Michael Constant <mconst@gmail.com>
 Michael Forney <mforney@mforney.org>
 Michael Gilbert <floppymaster@gmail.com>
+Michael Herrmann <michael@herrmann.io>
 Michael Kolomeytsev <michael.kolomeytsev@gmail.com>
 Michael Lopez <lopes92290@gmail.com>
 Michael Morrison <codebythepound@gmail.com>
@@ -976,6 +1010,7 @@ Milko Leporis <milko.leporis@imgtec.com>
 Milton Chiang <milton.chiang@mediatek.com>
 Milutin Smiljanic <msmiljanic.gm@gmail.com>
 Minchul Kang <tegongkang@gmail.com>
+Ming Lei <minggeorgelei@gmail.com>
 Mingeun Park <mindal99546@gmail.com>
 Minggang Wang <minggang.wang@intel.com>
 Mingmin Xie <melvinxie@gmail.com>
@@ -992,10 +1027,14 @@ Mitchell Cohen <mitchell@agilebits.com>
 Miyoung Shin <myid.shin@navercorp.com>
 Mohamed I. Hammad <ibraaaa@gmail.com>
 Mohamed Mansour <m0.interactive@gmail.com>
+Mohamed Hany Youns <mohamedhyouns@gmail.com>
 Mohammad Azam <m.azam@samsung.com>
+MohammadSabri <mohammad.kh.sabri@exalt.ps>
+Mohammed Ashraf <mohammedashraf4599@gmail.com>
 Mohammed Wajahat Ali Siddiqui <wajahat.s@samsung.com>
 Mohan Reddy <mohan.reddy@samsung.com>
 Mohit Bhalla <bhallam@amazon.com>
+Mohraiel Matta <mohraielmatta@gmail.com>
 Moiseanu Rares-Marian <moiseanurares@gmail.com>
 Momoka Yamamoto <momoka.my6@gmail.com>
 Momoko Hattori <momohatt10@gmail.com>
@@ -1031,7 +1070,9 @@ Nedeljko Babic <nedeljko.babic@imgtec.com>
 Neehit Goyal <neehit.goyal@samsung.com>
 Nidhi Jaju <nidhijaju127@gmail.com>
 Niek van der Maas <mail@niekvandermaas.nl>
+Nik Pavlov <nikita.pavlov.dev@gmail.com>
 Nikhil Bansal <n.bansal@samsung.com>
+Nikhil Meena <iakhilmeena@gmail.com>
 Nikhil Sahni <nikhil.sahni@samsung.com>
 Nikita Ofitserov <himikof@gmail.com>
 Niklas Hambüchen <mail@nh2.me>
@@ -1045,6 +1086,7 @@ Nivedan Sharma <ni.sharma@samsung.com>
 Noam Rosenthal <noam.j.rosenthal@gmail.com>
 Noj Vek <nojvek@gmail.com>
 Nolan Cao <nolan.robin.cao@gmail.com>
+Nourhan Hasan <nourhan.m.hasan@gmail.com>
 Oleksii Kadurin <ovkadurin@gmail.com>
 Oliver Dunk <oliver@oliverdunk.com>
 Olivier Tilloy <olivier+chromium@tilloy.net>
@@ -1078,6 +1120,7 @@ Paul Wicks <pwicks86@gmail.com>
 Pavan Kumar Emani <pavan.e@samsung.com>
 Pavel Golikov <paullo612@ya.ru>
 Pavel Ivanov <paivanof@gmail.com>
+Pawan Udassi <pawanudassi@hotmail.com>
 Pawel Forysiuk <p.forysiuk@samsung.com>
 Paweł Hajdan jr <phajdan.jr@gmail.com>
 Paweł Stanek <pawel@gener8ads.com>
@@ -1258,6 +1301,7 @@ Sergei Poletaev <spylogsster@gmail.com>
 Sergei Romanov <rsv.981@gmail.com>
 Sergey Romanov <svromanov@sberdevices.ru>
 Sergey Kipet <sergey.kipet@gmail.com>
+Sergey Markelov <sergionso@gmail.com>
 Sergey Putilin <p.sergey@samsung.com>
 Sergey Shekyan <shekyan@gmail.com>
 Sergey Talantov <sergey.talantov@gmail.com>
@@ -1268,6 +1312,7 @@ Serhii Matrunchyk <sergiy.matrunchyk@gmail.com>
 Seshadri Mahalingam <seshadri.mahalingam@gmail.com>
 Seungkyu Lee <zx6658@gmail.com>
 Sevan Janiyan <venture37@geeklan.co.uk>
+Shaheen Fazim <fazim.pentester@gmail.com>
 Shahriar Rostami <shahriar.rostami@gmail.com>
 Shail Singhal <shail.s@samsung.com>
 Shane Hansen <shanemhansen@gmail.com>
@@ -1325,6 +1370,7 @@ Sooho Park <sooho1000@gmail.com>
 Soojung Choi <crystal2840@gmail.com>
 Soorya R <soorya.r@samsung.com>
 Soren Dreijer <dreijerbit@gmail.com>
+Spencer Wilson <spencer@spencerwilson.org>
 Sreerenj Balachandran <sreerenj.balachandran@intel.com>
 Srirama Chandra Sekhar Mogali <srirama.m@samsung.com>
 Stacy Kim <stacy.kim@ucla.edu>
@@ -1348,6 +1394,7 @@ Sunchang Li <johnstonli@tencent.com>
 Sundoo Kim <nerdooit@gmail.com>
 Sundoo Kim <0xd00d00b@gmail.com>
 Suneel Kota <suneel.kota@samsung.com>
+Sung Lee <sung.lee@amd.com>
 Sungguk Lim <limasdf@gmail.com>
 Sunghyeok Kang <sh0528.kang@samsung.com>
 Sungmann Cho <sungmann.cho@gmail.com>
@@ -1407,6 +1454,7 @@ Tibor Dusnoki <tibor.dusnoki.91@gmail.com>
 Tibor Dusnoki <tdusnoki@inf.u-szeged.hu>
 Tien Hock Loh <tienhock.loh@starfivetech.com>
 Tim Ansell <mithro@mithis.com>
+Tim Barry <oregongraperoot@gmail.com>
 Tim Niederhausen <tim@rnc-ag.de>
 Tim Steiner <twsteiner@gmail.com>
 Timo Gurr <timo.gurr@gmail.com>
@@ -1422,6 +1470,7 @@ Tom Harwood <tfh@skip.org>
 Tomas Popela <tomas.popela@gmail.com>
 Tomasz Edward Posłuszny <tom@devpeer.net>
 Tony Shen <legendmastertony@gmail.com>
+Topi Lassila <tolassila@gmail.com>
 Torsten Kurbad <google@tk-webart.de>
 Toshihito Kikuchi <leamovret@gmail.com>
 Toshiaki Tanaka <zokutyou2@gmail.com>
@@ -1465,6 +1514,7 @@ Vishal Bhatnagar <vishal.b@samsung.com>
 Vishal Lingam <vishal.reddy@samsung.com>
 Vitaliy Kharin <kvserr@gmail.com>
 Vivek Galatage <vivek.vg@samsung.com>
+Vlad Zahorodnii <vlad.zahorodnii@kde.org>
 Volker Sorge <volker.sorge@gmail.com>
 Waihung Fu <fufranci@amazon.com>
 wafuwafu13 <mariobaske@i.softbank.jp>
@@ -1472,9 +1522,11 @@ Wojciech Bielawski <wojciech.bielawski@gmail.com>
 Wang Chen <wangchen20@iscas.ac.cn>
 Wang Chen <unicornxw@gmail.com>
 Wang Weiwei <wangww@dingdao.com>
+Wang Zirui <kingzirvi@gmail.com>
 Wangyang Dai <jludwy@gmail.com>
 Wanming Lin <wanming.lin@intel.com>
 Wei Li <wei.c.li@intel.com>
+Weicong Yu <yuweicong666@gmail.com>
 Wen Fan <fanwen1@huawei.com>
 Wenxiang Qian <leonwxqian@gmail.com>
 WenSheng He <wensheng.he@samsung.com>
@@ -1540,6 +1592,7 @@ Yong Shin <sy3620@gmail.com>
 Yong Wang <ccyongwang@tencent.com>
 Yonggang Luo <luoyonggang@gmail.com>
 Yongha Lee <yongha78.lee@samsung.com>
+Yongsang Park <yongsangpark980813@gmail.com>
 Yongseok Choi <yongseok.choi@navercorp.com>
 Yongsheng Zhu <yongsheng.zhu@intel.com>
 Yoonjae Cho <yoonjae.cho92@gmail.com>
@@ -1572,11 +1625,13 @@ Yuta Kasai <kasai.yuta0810@gmail.com>
 Yuvanesh Natarajan <yuvanesh.n1@samsung.com>
 Zach Bjornson <zbbjornson@gmail.com>
 Zachary Capalbo <zach.geek@gmail.com>
+Zehan Li <synclzhhans@gmail.com>
 Zeno Albisser <zeno.albisser@digia.com>
 Zeqin Chen <talonchen@tencent.com>
 Zhanbang He <hezhanbang@gmail.com>
 Zhang Hao <zhanghao.m@bytedance.com>
 Zhang Hao <15686357310a@gmail.com>
+Zhao Qin <qzmiss@gmail.com>
 Zhaoming Jiang <zhaoming.jiang@intel.com>
 Zhaoze Zhou <zhaoze.zhou@partner.samsung.com>
 Zheda Chen <zheda.chen@intel.com>
@@ -1602,6 +1657,7 @@ Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
 迷渡 <justjavac@gmail.com>
 郑苏波 (Super Zheng) <superzheng@tencent.com>
 一丝 (Yisi) <yiorsi@gmail.com>
+林训杰 (XunJie Lin) <wick.linxunjie@gmail.com>
 # Please DO NOT APPEND here. See comments at the top of the file.
 # END individuals section.
 
@@ -1631,6 +1687,7 @@ EngFlow, Inc. <*@engflow.com>
 Estimote, Inc. <*@estimote.com>
 Google Inc. <*@google.com>
 Grammarly, Inc. <*@grammarly.com>
+Here Inc. <*@here.io>
 Hewlett-Packard Development Company, L.P. <*@hp.com>
 HyperConnect Inc. <*@hpcnt.com>
 IBM Inc. <*@*.ibm.com>
@@ -1660,6 +1717,7 @@ NVIDIA Corporation <*@nvidia.com>
 OpenFin Inc. <*@openfin.co>
 Opera Software ASA <*@opera.com>
 Optical Tone Ltd <*@opticaltone.com>
+Palo Alto Networks, Inc. <*@paloaltonetworks.com>
 Pengutronix e.K. <*@pengutronix.de>
 Quality First Software GmbH <*@qf-software.com>
 Rakuten Kobo Inc. <*@kobo.com>

src/BUILD.gn

@@ -12,7 +12,6 @@ import("//build/config/compiler/compiler.gni")
 import("//build/config/cronet/config.gni")
 import("//build/config/dcheck_always_on.gni")
 import("//build/config/features.gni")
-import("//build/config/ios/config.gni")
 import("//build/config/rust.gni")
 import("//build/config/sanitizers/sanitizers.gni")
 import("//build/config/ui.gni")

src/base/BUILD.gn

@@ -25,12 +25,9 @@ import("//build/buildflag_header.gni")
 import("//build/config/arm.gni")
 import("//build/config/c++/c++.gni")
 import("//build/config/cast.gni")
-import("//build/config/chromeos/ui_mode.gni")
 import("//build/config/compiler/compiler.gni")
 import("//build/config/cronet/config.gni")
 import("//build/config/dcheck_always_on.gni")
-import("//build/config/features.gni")
-import("//build/config/ios/config.gni")
 import("//build/config/logging.gni")
 import("//build/config/nacl/config.gni")
 import("//build/config/profiling/profiling.gni")
@@ -43,6 +40,9 @@ import("//build/util/process_version.gni")
 import("//build_overrides/build.gni")
 
 if (is_ios) {
+  # Used to access target_environment and target_platform.
+  import("//build/config/apple/mobile_config.gni")
+
   # Used to access ios_is_app_extension variable definition.
   import("//build/config/ios/ios_sdk.gni")
 }
@@ -92,12 +92,6 @@ assert(!is_nacl || is_nacl_saigo,
 assert(!is_win || is_clang,
        "only clang-cl is supported on Windows, see https://crbug.com/988071")
 
-# Determines whether libevent should be dep.
-dep_libevent = !is_fuchsia && !is_win && !is_mac && !is_nacl
-
-# Determines whether message_pump_libevent should be used.
-use_libevent = dep_libevent && !is_ios
-
 if (is_android || is_robolectric) {
   import("//build/config/android/rules.gni")
   import("//third_party/jni_zero/jni_zero.gni")
@@ -107,30 +101,6 @@ if (is_fuchsia) {
   import("//third_party/fuchsia-gn-sdk/src/fidl_library.gni")
 }
 
-# The Rust implementation of base::JSONReader. NaCl depends on base and doesn't
-# have a Rust toolchain, so we need a fallback to C++ for it until it removes
-# its dependency on //base.
-#
-# TODO(crbug.com/40811643): Drop toolchain_has_rust and move the C++ parser into
-# components/nacl to just run in-process there. Don't compile base::JSONReader
-# on NaCL at all.
-build_rust_json_reader = toolchain_has_rust && enable_rust_json
-
-# Rust to C++ type conversions. Also can not be enabled while NaCl depends on
-# //base.
-build_rust_base_conversions = toolchain_has_rust && enable_rust_base_conversions
-
-assert(build_rust_base_conversions || !build_rust_json_reader,
-       "Cannot enable Rust JSON decoder without also base conversions")
-
-buildflag_header("rust_buildflags") {
-  header = "rust_buildflags.h"
-  flags = [
-    "BUILD_RUST_JSON_READER=$build_rust_json_reader",
-    "BUILD_RUST_BASE_CONVERSIONS=$build_rust_base_conversions",
-  ]
-}
-
 if (is_win) {
   # This is in a separate config so the flags can be applied to dependents.
   # ldflags in GN aren't automatically inherited.
@@ -174,12 +144,7 @@ buildflag_header("ios_cronet_buildflags") {
   flags = [ "CRONET_BUILD=$is_cronet_build" ]
 }
 
-enable_message_pump_epoll = is_linux || is_chromeos || is_android
+use_epoll = is_linux || is_chromeos || is_android
-buildflag_header("message_pump_buildflags") {
-  header = "message_pump_buildflags.h"
-  header_dir = "base/message_loop"
-  flags = [ "ENABLE_MESSAGE_PUMP_EPOLL=$enable_message_pump_epoll" ]
-}
 
 # Base and everything it depends on should be a static library rather than
 # a source set. Base is more of a "library" in the classic sense in that many
@@ -205,8 +170,6 @@ component("base") {
     "allocator/dispatcher/internal/dispatch_data.h",
     "allocator/dispatcher/internal/dispatcher_internal.h",
     "allocator/dispatcher/internal/tools.h",
-    "allocator/dispatcher/memory_tagging.cc",
-    "allocator/dispatcher/memory_tagging.h",
     "allocator/dispatcher/notification_data.h",
     "allocator/dispatcher/reentry_guard.cc",
     "allocator/dispatcher/reentry_guard.h",
@@ -217,6 +180,7 @@ component("base") {
     "at_exit.h",
     "atomic_ref_count.h",
     "atomic_sequence_num.h",
+    "atomicops.cc",
     "atomicops.h",
     "atomicops_internals_atomicword_compat.h",
     "atomicops_internals_portable.h",
@@ -248,11 +212,11 @@ component("base") {
     "compiler_specific.h",
     "component_export.h",
     "containers/adapters.h",
+    "containers/adapters_internal.h",
     "containers/buffer_iterator.h",
     "containers/checked_iterators.h",
     "containers/circular_deque.h",
     "containers/contains.h",
-    "containers/dynamic_extent.h",
     "containers/enum_set.h",
     "containers/extend.h",
     "containers/fixed_flat_map.h",
@@ -279,8 +243,6 @@ component("base") {
     "containers/unique_ptr_adapters.h",
     "containers/util.h",
     "containers/vector_buffer.h",
-    "cpu_reduction_experiment.cc",
-    "cpu_reduction_experiment.h",
     "critical_closure.h",
     "dcheck_is_on.h",
     "debug/alias.cc",
@@ -303,6 +265,7 @@ component("base") {
     "export_template.h",
     "feature_list.cc",
     "feature_list.h",
+    "feature_visitor.h",
     "features.cc",
     "features.h",
     "file_version_info.h",
@@ -369,6 +332,7 @@ component("base") {
     "location.h",
     "logging.cc",
     "logging.h",
+    "logging/log_severity.h",
     "macros/concat.h",
     "macros/if.h",
     "macros/is_empty.h",
@@ -376,13 +340,12 @@ component("base") {
     "macros/uniquify.h",
     "memory/aligned_memory.cc",
     "memory/aligned_memory.h",
+    "memory/asan_interface.h",
     "memory/free_deleter.h",
     "memory/memory_pressure_listener.cc",
     "memory/memory_pressure_listener.h",
     "memory/memory_pressure_monitor.cc",
     "memory/memory_pressure_monitor.h",
-    "memory/nonscannable_memory.cc",
-    "memory/nonscannable_memory.h",
     "memory/page_size.h",
     "memory/platform_shared_memory_handle.cc",
     "memory/platform_shared_memory_handle.h",
@@ -403,7 +366,6 @@ component("base") {
     "memory/raw_ptr_cast.h",
     "memory/raw_ptr_exclusion.h",
     "memory/raw_ref.h",
-    "memory/raw_scoped_refptr_mismatch_checker.h",
     "memory/raw_span.h",
     "memory/read_only_shared_memory_region.cc",
     "memory/read_only_shared_memory_region.h",
@@ -422,12 +384,14 @@ component("base") {
     "memory/shared_memory_mapper.h",
     "memory/shared_memory_mapping.cc",
     "memory/shared_memory_mapping.h",
+    "memory/shared_memory_safety_checker.h",
     "memory/shared_memory_security_policy.cc",
     "memory/shared_memory_security_policy.h",
     "memory/shared_memory_tracker.cc",
     "memory/shared_memory_tracker.h",
     "memory/singleton.h",
     "memory/stack_allocated.h",
+    "memory/structured_shared_memory.h",
     "memory/unsafe_shared_memory_pool.cc",
     "memory/unsafe_shared_memory_pool.h",
     "memory/unsafe_shared_memory_region.cc",
@@ -438,6 +402,8 @@ component("base") {
     "memory/weak_ptr.h",
     "memory/writable_shared_memory_region.cc",
     "memory/writable_shared_memory_region.h",
+    "message_loop/io_watcher.cc",
+    "message_loop/io_watcher.h",
     "message_loop/message_pump.cc",
     "message_loop/message_pump.h",
     "message_loop/message_pump_default.cc",
@@ -470,6 +436,7 @@ component("base") {
     "metrics/histogram_flattener.h",
     "metrics/histogram_functions.cc",
     "metrics/histogram_functions.h",
+    "metrics/histogram_functions_internal_overloads.h",
     "metrics/histogram_macros.h",
     "metrics/histogram_macros_internal.h",
     "metrics/histogram_macros_local.h",
@@ -490,6 +457,7 @@ component("base") {
     "metrics/record_histogram_checker.h",
     "metrics/sample_map.cc",
     "metrics/sample_map.h",
+    "metrics/sample_map_iterator.h",
     "metrics/sample_vector.cc",
     "metrics/sample_vector.h",
     "metrics/single_sample_metrics.cc",
@@ -549,14 +517,18 @@ component("base") {
     "process/process_info.h",
     "process/set_process_title.cc",
     "process/set_process_title.h",
+    "profiler/core_unwinders.h",
     "profiler/frame.cc",
     "profiler/frame.h",
     "profiler/metadata_recorder.cc",
     "profiler/metadata_recorder.h",
     "profiler/module_cache.cc",
     "profiler/module_cache.h",
+    "profiler/periodic_sampling_scheduler.cc",
+    "profiler/periodic_sampling_scheduler.h",
     "profiler/profile_builder.h",
     "profiler/register_context.h",
+    "profiler/register_context_registers.h",
     "profiler/sample_metadata.cc",
     "profiler/sample_metadata.h",
     "profiler/sampling_profiler_thread_token.cc",
@@ -575,18 +547,19 @@ component("base") {
     "profiler/stack_unwind_data.h",
     "profiler/suspendable_thread_delegate.h",
     "profiler/thread_delegate.h",
+    "profiler/thread_group_profiler.cc",
+    "profiler/thread_group_profiler.h",
+    "profiler/thread_group_profiler_client.h",
     "profiler/unwinder.cc",
     "profiler/unwinder.h",
     "rand_util.cc",
     "rand_util.h",
-    "ranges/algorithm.h",
-    "ranges/from_range.h",
-    "ranges/functional.h",
-    "ranges/ranges.h",
     "run_loop.cc",
     "run_loop.h",
     "sampling_heap_profiler/lock_free_address_hash_set.cc",
     "sampling_heap_profiler/lock_free_address_hash_set.h",
+    "sampling_heap_profiler/lock_free_bloom_filter.cc",
+    "sampling_heap_profiler/lock_free_bloom_filter.h",
     "sampling_heap_profiler/poisson_allocation_sampler.cc",
     "sampling_heap_profiler/poisson_allocation_sampler.h",
     "sampling_heap_profiler/sampling_heap_profiler.cc",
@@ -611,6 +584,7 @@ component("base") {
     "strings/abseil_string_number_conversions.cc",
     "strings/abseil_string_number_conversions.h",
     "strings/cstring_view.h",
+    "strings/durable_string_view.h",
     "strings/escape.cc",
     "strings/escape.h",
     "strings/latin1_string_conversions.cc",
@@ -621,12 +595,14 @@ component("base") {
     "strings/pattern.h",
     "strings/safe_sprintf.cc",
     "strings/safe_sprintf.h",
+    "strings/span_printf.h",
     "strings/strcat.cc",
     "strings/strcat.h",
     "strings/strcat_internal.h",
     "strings/string_number_conversions.cc",
     "strings/string_number_conversions.h",
     "strings/string_number_conversions_internal.h",
+    "strings/string_slice.h",
     "strings/string_split.cc",
     "strings/string_split.h",
     "strings/string_split_internal.h",
@@ -657,6 +633,8 @@ component("base") {
     "supports_user_data.h",
     "synchronization/atomic_flag.cc",
     "synchronization/atomic_flag.h",
+    "synchronization/cancelable_event.cc",
+    "synchronization/cancelable_event.h",
     "synchronization/condition_variable.h",
     "synchronization/lock.cc",
     "synchronization/lock.h",
@@ -712,7 +690,6 @@ component("base") {
     "task/sequence_manager/enqueue_order_generator.h",
     "task/sequence_manager/fence.cc",
     "task/sequence_manager/fence.h",
-    "task/sequence_manager/lazily_deallocated_deque.h",
     "task/sequence_manager/sequence_manager.cc",
     "task/sequence_manager/sequence_manager.h",
     "task/sequence_manager/sequence_manager_impl.cc",
@@ -786,7 +763,6 @@ component("base") {
     "task/thread_pool/pooled_task_runner_delegate.h",
     "task/thread_pool/priority_queue.cc",
     "task/thread_pool/priority_queue.h",
-    "task/thread_pool/semaphore.h",
     "task/thread_pool/sequence.cc",
     "task/thread_pool/sequence.h",
     "task/thread_pool/service_thread.cc",
@@ -803,10 +779,6 @@ component("base") {
     "task/thread_pool/thread_group.h",
     "task/thread_pool/thread_group_impl.cc",
     "task/thread_pool/thread_group_impl.h",
-    "task/thread_pool/thread_group_semaphore.cc",
-    "task/thread_pool/thread_group_semaphore.h",
-    "task/thread_pool/thread_group_worker_delegate.cc",
-    "task/thread_pool/thread_group_worker_delegate.h",
     "task/thread_pool/thread_pool_impl.cc",
     "task/thread_pool/thread_pool_impl.h",
     "task/thread_pool/thread_pool_instance.cc",
@@ -815,23 +787,13 @@ component("base") {
     "task/thread_pool/worker_thread.cc",
     "task/thread_pool/worker_thread.h",
     "task/thread_pool/worker_thread_observer.h",
-    "task/thread_pool/worker_thread_semaphore.cc",
-    "task/thread_pool/worker_thread_semaphore.h",
     "task/thread_pool/worker_thread_set.cc",
     "task/thread_pool/worker_thread_set.h",
-    "task/thread_pool/worker_thread_waitable_event.cc",
-    "task/thread_pool/worker_thread_waitable_event.h",
     "task/updateable_sequenced_task_runner.h",
     "test/scoped_logging_settings.h",
     "test/spin_wait.h",
-    "third_party/cityhash/city.cc",
-    "third_party/cityhash/city.h",
-    "third_party/cityhash_v103/src/city_v103.cc",
-    "third_party/cityhash_v103/src/city_v103.h",
-    "third_party/icu/icu_utf.h",
     "third_party/nspr/prtime.cc",
     "third_party/nspr/prtime.h",
-    "third_party/superfasthash/superfasthash.c",
     "thread_annotations.h",
     "threading/hang_watcher.cc",
     "threading/hang_watcher.h",
@@ -906,6 +868,8 @@ component("base") {
     "trace_event/heap_profiler_allocation_context.h",
     "trace_event/heap_profiler_allocation_context_tracker.cc",
     "trace_event/heap_profiler_allocation_context_tracker.h",
+    "trace_event/histogram_scope.cc",
+    "trace_event/histogram_scope.h",
     "trace_event/memory_allocator_dump_guid.cc",
     "trace_event/memory_allocator_dump_guid.h",
     "trace_event/named_trigger.cc",
@@ -915,6 +879,7 @@ component("base") {
     "traits_bag.h",
     "tuple.h",
     "types/always_false.h",
+    "types/cxx23_from_range.h",
     "types/cxx23_is_scoped_enum.h",
     "types/cxx23_to_underlying.h",
     "types/expected.h",
@@ -922,16 +887,20 @@ component("base") {
     "types/expected_macros.h",
     "types/fixed_array.h",
     "types/id_type.h",
+    "types/is_arc_pointer.h",
     "types/is_complete.h",
     "types/is_instantiation.h",
     "types/optional_ref.h",
     "types/optional_util.h",
     "types/pass_key.h",
+    "types/same_as_any.h",
     "types/strong_alias.h",
     "types/supports_ostream_operator.h",
+    "types/supports_to_string.h",
     "types/to_address.h",
     "types/token_type.h",
     "types/variant_util.h",
+    "types/zip.h",
     "unguessable_token.cc",
     "unguessable_token.h",
     "uuid.cc",
@@ -975,6 +944,7 @@ component("base") {
       "files/dir_reader_posix.h",
       "files/file_posix.cc",
       "files/memory_mapped_file_posix.cc",
+      "memory/protected_memory_posix.cc",
       "message_loop/watchable_io_message_pump_posix.cc",
       "message_loop/watchable_io_message_pump_posix.h",
       "posix/eintr_wrapper.h",
@@ -1023,10 +993,6 @@ component("base") {
     ]
   }
 
-  if (is_chromeos_ash) {
-    sources += [ "feature_visitor.h" ]
-  }
-
   if (is_linux || is_chromeos || is_android) {
     sources += [
       "files/file_path_watcher_inotify.cc",
@@ -1050,9 +1016,11 @@ component("base") {
 
   deps = [
     ":check_version_internal",
-    ":message_pump_buildflags",
     "//base/allocator:buildflags",
+    "//base/third_party/cityhash",
+    "//base/third_party/cityhash_v103",
     "//base/third_party/double_conversion",
+    "//base/third_party/superfasthash",
     "//build:blink_buildflags",
     "//build:branding_buildflags",
     "//build:ios_buildflags",
@@ -1069,12 +1037,8 @@ component("base") {
   # to provide the appropriate `#define` here.
   defines += [ "IS_RAW_PTR_IMPL" ]
 
-  if (build_rust_json_reader) {
+  # native_unwinder_android is split into a separate target to avoid pulling
-    deps += [ "//third_party/rust/serde_json_lenient/v0_2/wrapper" ]
+  # libunwindstack dependencies into cronet's base.
-  }
-
-  # native_unwinder_android is intended for use solely via a dynamic feature
-  # module, to avoid increasing Chrome's executable size.
   assert_no_deps = [ ":native_unwinder_android" ]
 
   public_deps = [
@@ -1086,33 +1050,24 @@ component("base") {
     ":debugging_buildflags",
     ":feature_list_buildflags",
     ":ios_cronet_buildflags",
-    ":logging_buildflags",
     ":orderfile_buildflags",
     ":power_monitor_buildflags",
     ":profiler_buildflags",
     ":protected_memory_buildflags",
-    ":rust_buildflags",
     ":sanitizer_buildflags",
     ":synchronization_buildflags",
     ":tracing_buildflags",
     "//base/allocator/partition_allocator:buildflags",
     "//base/allocator/partition_allocator:raw_ptr",
     "//base/numerics:base_numerics",
+    "//base/third_party/icu",
     "//build:chromecast_buildflags",
-    "//build:chromeos_buildflags",
     "//third_party/abseil-cpp:absl",
   ]
 
-  if (build_rust_base_conversions) {
+  # TODO(crbug.com/354842935): Remove this dependency once other modules don't
-    sources += [
+  # accidentally (transitively) depend on it anymore.
-      "containers/span_rust.h",
+  public_deps += [ "//build:chromeos_buildflags" ]
-      "strings/string_piece_rust.h",
-    ]
-
-    # Base provides conversions between CXX types and base types (e.g.
-    # std::string_view).
-    public_deps += [ "//build/rust:cxx_cppdeps" ]
-  }
 
   # Needed for <atomic> if using newer C++ library than sysroot, except if
   # building inside the cros_sdk environment - use host_toolchain as a
@@ -1155,16 +1110,14 @@ component("base") {
       "android/build_info_stub.cc",
       "android/content_uri_utils.h",
       "android/content_uri_utils_stub.cc",
-      "android/jni_android.h",
       "android/library_loader/anchor_functions.h",
-      "android/library_loader/library_loader_hooks.h",
       "android/path_utils.h",
       "android/scoped_hardware_buffer_fence_sync.cc",
       "android/scoped_hardware_buffer_fence_sync.h",
       "android/scoped_hardware_buffer_handle.cc",
       "android/scoped_hardware_buffer_handle.h",
-      "android/scoped_java_ref.h",
+      "android/scoped_input_event.cc",
-      "android/sys_utils.h",
+      "android/scoped_input_event.h",
       "debug/stack_trace_android.cc",
       "files/file_util_android.cc",
       "files/scoped_file_android.cc",
@@ -1198,25 +1151,18 @@ component("base") {
     deps += [
       "//third_party/ashmem",
       "//third_party/cpu_features:ndk_compat",
-      "//third_party/jni_zero:jni_zero",
     ]
 
     # Needs to be a public config so that dependent targets link against it as
     # well when doing a component build.
     public_configs = [ ":android_system_libs" ]
 
-    if (can_unwind_with_cfi_table) {
-      sources += [
-        "trace_event/cfi_backtrace_android.cc",
-        "trace_event/cfi_backtrace_android.h",
-      ]
-    }
     if (current_cpu == "arm") {
       sources += [
-        "profiler/chrome_unwind_info_android.cc",
+        "profiler/chrome_unwind_info_android_32.cc",
-        "profiler/chrome_unwind_info_android.h",
+        "profiler/chrome_unwind_info_android_32.h",
-        "profiler/chrome_unwinder_android.cc",
+        "profiler/chrome_unwinder_android_32.cc",
-        "profiler/chrome_unwinder_android.h",
+        "profiler/chrome_unwinder_android_32.h",
       ]
     }
 
@@ -1242,7 +1188,6 @@ component("base") {
   if (is_robolectric) {
     # Make jni.h available.
     configs += [ "//third_party/jdk" ]
-    deps += [ ":base_robolectric_jni" ]
   }
   if (is_robolectric) {
     sources += [
@@ -1251,6 +1196,8 @@ component("base") {
       "android/callback_android.cc",
       "android/callback_android.h",
       "android/command_line_android.cc",
+      "android/int_string_callback.cc",
+      "android/int_string_callback.h",
       "android/java_exception_reporter.cc",
       "android/java_exception_reporter.h",
       "android/jni_android.cc",
@@ -1259,6 +1206,8 @@ component("base") {
       "android/jni_array.h",
       "android/jni_bytebuffer.cc",
       "android/jni_bytebuffer.h",
+      "android/jni_callback.cc",
+      "android/jni_callback.h",
       "android/jni_registrar.cc",
       "android/jni_registrar.h",
       "android/jni_string.cc",
@@ -1266,8 +1215,13 @@ component("base") {
       "android/jni_utils.cc",
       "android/jni_utils.h",
       "android/jni_weak_ref.h",
+      "android/library_loader/anchor_functions.cc",
+      "android/library_loader/anchor_functions.h",
       "android/library_loader/library_loader_hooks.cc",
       "android/library_loader/library_loader_hooks.h",
+      "android/library_loader/library_prefetcher.cc",
+      "android/library_loader/library_prefetcher.h",
+      "android/library_loader/library_prefetcher_hooks.cc",
       "android/native_uma_recorder.cc",
       "android/scoped_java_ref.h",
       "android/token_android.cc",
@@ -1278,6 +1232,8 @@ component("base") {
       "android/unguessable_token_android.h",
     ]
     deps += [ "//build:robolectric_buildflags" ]
+  }
+  if (is_android || is_robolectric) {
     public_deps += [ "//third_party/jni_zero:jni_zero" ]
   }  # is_android || is_robolectric
 
@@ -1354,6 +1310,7 @@ component("base") {
       "fuchsia/system_info.h",
       "memory/platform_shared_memory_mapper_fuchsia.cc",
       "memory/platform_shared_memory_region_fuchsia.cc",
+      "memory/protected_memory_posix.cc",
       "message_loop/message_pump_fuchsia.cc",
       "message_loop/message_pump_fuchsia.h",
       "message_loop/watchable_io_message_pump_posix.cc",
@@ -1474,7 +1431,6 @@ component("base") {
       "rand_util_nacl.cc",
       "sync_socket_nacl.cc",
       "system/sys_info_nacl.cc",
-      "task/thread_pool/semaphore/semaphore_default.cc",
       "threading/platform_thread_linux_base.cc",
       "threading/platform_thread_nacl.cc",
     ]
@@ -1488,6 +1444,8 @@ component("base") {
       "debug/crash_logging.h",
       "debug/stack_trace.cc",
       "debug/stack_trace.h",
+      "files/drive_info.cc",
+      "files/drive_info.h",
       "files/file_enumerator.cc",
       "files/file_enumerator.h",
       "files/file_proxy.cc",
@@ -1504,6 +1462,8 @@ component("base") {
       "files/scoped_temp_file.h",
       "json/json_file_value_serializer.cc",
       "json/json_file_value_serializer.h",
+      "logging/rust_log_integration.cc",
+      "logging/rust_log_integration.h",
       "memory/discardable_memory.cc",
       "memory/discardable_memory.h",
       "memory/discardable_memory_allocator.cc",
@@ -1554,10 +1514,6 @@ component("base") {
       ]
     }
 
-    if (is_linux || is_chromeos || is_android || is_fuchsia) {
-      sources += [ "task/thread_pool/semaphore/semaphore_posix.cc" ]
-    }
-
     if (is_posix) {
       sources += [
         "base_paths_posix.h",
@@ -1580,6 +1536,10 @@ component("base") {
         "files/file_util_posix.cc",
         "memory/page_size_posix.cc",
       ]
+
+      if (!is_apple) {
+        sources += [ "files/drive_info_posix.cc" ]
+      }
     }
 
     if ((is_posix && !is_ios) || is_fuchsia) {
@@ -1612,6 +1572,13 @@ component("base") {
     if (is_posix && !is_ios) {
       sources += [ "process/process_posix.cc" ]
     }
+    if (!is_win && !is_chromeos && !is_android && !is_linux) {
+      sources += [ "synchronization/cancelable_event_default.cc" ]
+    }
+
+    if (is_linux || is_chromeos || is_android) {
+      sources += [ "synchronization/cancelable_event_posix.cc" ]
+    }
 
     if (use_blink) {
       sources += [
@@ -1646,8 +1613,12 @@ component("base") {
       ]
     }
     if (use_partition_alloc) {
-      # Add stuff that doesn't work in NaCl.
+      # Add stuff that doesn't work in NaCl or other environments that disable
+      # partition_alloc.
       sources += [
+        "allocator/dispatcher/memory_tagging.cc",
+        "allocator/dispatcher/memory_tagging.h",
+
         # PartitionAlloc uses SpinLock, which doesn't work in NaCl (see below).
         "allocator/miracle_parameter.cc",
         "allocator/miracle_parameter.h",
@@ -1657,15 +1628,9 @@ component("base") {
         "allocator/partition_alloc_support.h",
       ]
     }
-
+    if (use_allocator_shim) {
-    # Need this to pass gn check, because gn check doesn't see
+      public_deps += [ "allocator/partition_allocator:allocator_shim" ]
-    # BUILDFLAG(USE_PARTITION_ALLOC). A linker will remove all
+    }
-    # partition_alloc code if use_partition_alloc = false because no code uses
-    # partition_alloc.
-    public_deps += [
-      "allocator/partition_allocator:partition_alloc",
-      "allocator/partition_allocator:raw_ptr",
-    ]
   }
 
   # Windows.
@@ -1684,6 +1649,7 @@ component("base") {
       "enterprise_util_win.cc",
       "file_version_info_win.cc",
       "file_version_info_win.h",
+      "files/drive_info_win.cc",
       "files/file_enumerator_win.cc",
       "files/file_path_watcher_win.cc",
       "files/file_util_win.cc",
@@ -1711,6 +1677,7 @@ component("base") {
       "process/process_iterator_win.cc",
       "process/process_metrics_win.cc",
       "process/process_win.cc",
+      "profiler/core_unwinders_win.cc",
       "profiler/module_cache_win.cc",
       "profiler/native_unwinder_win.cc",
       "profiler/native_unwinder_win.h",
@@ -1731,12 +1698,12 @@ component("base") {
       "strings/string_util_win.h",
       "strings/sys_string_conversions_win.cc",
       "sync_socket_win.cc",
+      "synchronization/cancelable_event_win.cc",
       "synchronization/condition_variable_win.cc",
       "synchronization/lock_impl_win.cc",
       "synchronization/waitable_event_watcher_win.cc",
       "synchronization/waitable_event_win.cc",
       "system/sys_info_win.cc",
-      "task/thread_pool/semaphore/semaphore_win.cc",
       "threading/platform_thread_win.cc",
       "threading/platform_thread_win.h",
       "threading/thread_local_storage_win.cc",
@@ -1763,6 +1730,8 @@ component("base") {
       "win/dark_mode_support.h",
       "win/default_apps_util.cc",
       "win/default_apps_util.h",
+      "win/elevation_util.cc",
+      "win/elevation_util.h",
       "win/embedded_i18n/language_selector.cc",
       "win/embedded_i18n/language_selector.h",
       "win/enum_variant.cc",
@@ -1772,6 +1741,8 @@ component("base") {
       "win/event_trace_controller.h",
       "win/event_trace_provider.cc",
       "win/event_trace_provider.h",
+      "win/hardware_check.cc",
+      "win/hardware_check.h",
       "win/hstring_reference.cc",
       "win/hstring_reference.h",
       "win/i18n.cc",
@@ -1783,10 +1754,12 @@ component("base") {
       "win/message_window.h",
       "win/nt_status.cc",
       "win/nt_status.h",
+      "win/ntsecapi_shim.h",
       "win/object_watcher.cc",
       "win/object_watcher.h",
       "win/patch_util.cc",
       "win/patch_util.h",
+      "win/pdh_shim.h",
       "win/pe_image_reader.cc",
       "win/pe_image_reader.h",
       "win/post_async_results.h",
@@ -1805,6 +1778,7 @@ component("base") {
       "win/scoped_co_mem.h",
       "win/scoped_com_initializer.cc",
       "win/scoped_com_initializer.h",
+      "win/scoped_gdi_object.cc",
       "win/scoped_gdi_object.h",
       "win/scoped_handle.cc",
       "win/scoped_handle.h",
@@ -1844,10 +1818,13 @@ component("base") {
       "win/variant_vector.h",
       "win/vector.cc",
       "win/vector.h",
+      "win/wbemidl_shim.h",
       "win/win_handle_types.h",
       "win/win_handle_types_list.inc",
       "win/win_util.cc",
       "win/win_util.h",
+      "win/winbase_shim.h",
+      "win/wincred_shim.h",
       "win/wincrypt_shim.h",
       "win/window_enumerator.cc",
       "win/window_enumerator.h",
@@ -1861,6 +1838,7 @@ component("base") {
       "win/winrt_foundation_helpers.h",
       "win/winrt_storage_util.cc",
       "win/winrt_storage_util.h",
+      "win/wintrust_shim.h",
       "win/wmi.cc",
       "win/wmi.h",
       "win/wrapped_window_proc.cc",
@@ -1916,8 +1894,8 @@ component("base") {
       "apple/call_with_eh_frame.cc",
       "apple/call_with_eh_frame.h",
       "apple/call_with_eh_frame_asm.S",
-      "apple/dispatch_source_mach.cc",
+      "apple/dispatch_source.cc",
-      "apple/dispatch_source_mach.h",
+      "apple/dispatch_source.h",
       "apple/foundation_util.h",
       "apple/foundation_util.mm",
       "apple/mach_logging.cc",
@@ -1941,17 +1919,17 @@ component("base") {
       "apple/scoped_typeref.h",
       "file_version_info_apple.h",
       "file_version_info_apple.mm",
+      "files/drive_info_apple.mm",
       "files/file_util_apple.mm",
       "memory/platform_shared_memory_mapper_apple.cc",
       "memory/platform_shared_memory_region_apple.cc",
       "message_loop/message_pump_apple.h",
       "message_loop/message_pump_apple.mm",
-      "process/process_metrics_apple.cc",
+      "native_library_apple.mm",
+      "process/process_metrics_apple.mm",
       "profiler/module_cache_apple.cc",
       "strings/sys_string_conversions_apple.mm",
-      "synchronization/waitable_event_apple.cc",
       "system/sys_info_apple.mm",
-      "task/thread_pool/semaphore/semaphore_apple.cc",
       "threading/platform_thread_apple.mm",
       "time/time_apple.mm",
     ]
@@ -1962,11 +1940,17 @@ component("base") {
       "Foundation.framework",
       "Security.framework",
     ]
+
+    if (!is_ios || !use_blink) {
+      sources += [ "synchronization/waitable_event_apple.cc" ]
+    }
   }
 
   # Desktop Mac.
   if (is_mac) {
     sources += [
+      "apple/mach_port_rendezvous.cc",
+      "apple/mach_port_rendezvous.h",
       "enterprise_util.cc",
       "enterprise_util.h",
       "enterprise_util_mac.mm",
@@ -1978,6 +1962,11 @@ component("base") {
       "mac/authorization_util.h",
       "mac/authorization_util.mm",
       "mac/close_nocancel.cc",
+      "mac/code_signature.cc",
+      "mac/code_signature.h",
+      "mac/code_signature_spi.h",
+      "mac/info_plist_data.h",
+      "mac/info_plist_data.mm",
       "mac/launch_application.h",
       "mac/launch_application.mm",
       "mac/launch_services_spi.h",
@@ -1987,10 +1976,10 @@ component("base") {
       "mac/login_util.h",
       "mac/mac_util.h",
       "mac/mac_util.mm",
-      "mac/mach_port_rendezvous.cc",
-      "mac/mach_port_rendezvous.h",
       "mac/os_crash_dumps.cc",
       "mac/os_crash_dumps.h",
+      "mac/process_requirement.cc",
+      "mac/process_requirement.h",
       "mac/scoped_aedesc.h",
       "mac/scoped_authorizationref.h",
       "mac/scoped_authorizationref.mm",
@@ -2003,7 +1992,6 @@ component("base") {
       "mac/scoped_sending_event.mm",
       "message_loop/message_pump_kqueue.cc",
       "message_loop/message_pump_kqueue.h",
-      "native_library_mac.mm",
       "power_monitor/battery_level_provider_mac.mm",
       "power_monitor/battery_state_sampler_mac.cc",
       "power_monitor/iopm_power_source_sampling_event_source.cc",
@@ -2017,10 +2005,11 @@ component("base") {
       "process/port_provider_mac.cc",
       "process/port_provider_mac.h",
       "process/process_handle_mac.cc",
-      "process/process_info_mac.cc",
+      "process/process_info_mac.mm",
       "process/process_iterator_mac.cc",
       "process/process_mac.cc",
       "process/process_metrics_mac.cc",
+      "profiler/core_unwinders_mac.cc",
       "profiler/frame_pointer_unwinder.cc",
       "profiler/frame_pointer_unwinder.h",
       "profiler/stack_sampler_mac.cc",
@@ -2039,6 +2028,7 @@ component("base") {
       "ApplicationServices.framework",
       "AppKit.framework",
       "CoreFoundation.framework",
+      "DiskArbitration.framework",
       "IOKit.framework",
       "OpenDirectory.framework",
     ]
@@ -2059,10 +2049,10 @@ component("base") {
       "ios/ns_error_util.h",
       "ios/ns_error_util.mm",
       "ios/ns_range.h",
-      "native_library_ios.mm",
       "power_monitor/power_monitor_device_source_ios.mm",
       "process/process_metrics_ios.cc",
       "process/process_metrics_posix.cc",
+      "profiler/core_unwinders_ios.cc",
       "profiler/stack_sampler_ios.cc",
       "system/sys_info_ios.mm",
     ]
@@ -2077,12 +2067,12 @@ component("base") {
 
     if (use_blink) {
       sources += [
+        "apple/mach_port_rendezvous.cc",
+        "apple/mach_port_rendezvous.h",
         "files/file_path_watcher_kqueue.cc",
         "files/file_path_watcher_kqueue.h",
         "files/file_path_watcher_mac.cc",
         "ios/sim_header_shims.h",
-        "mac/mach_port_rendezvous.cc",
-        "mac/mach_port_rendezvous.h",
         "process/kill_ios.cc",
         "process/memory_mac.mm",
         "process/port_provider_mac.cc",
@@ -2090,12 +2080,20 @@ component("base") {
         "process/process_handle_mac.cc",
         "process/process_ios.cc",
         "process/process_iterator_mac.cc",
-        "process/process_mac.cc",
         "process/process_posix.cc",
         "sync_socket_posix.cc",
-        "synchronization/waitable_event_watcher_mac.cc",
+        "synchronization/waitable_event_posix.cc",
+        "synchronization/waitable_event_watcher_posix.cc",
       ]
 
+      if (target_platform == "tvos") {
+        # tvOS apps must be single-process. Build a Process version that does
+        # the bare minimum and does not use Mach ports.
+        sources += [ "process/process_tvos.cc" ]
+      } else {
+        sources += [ "process/process_mac.cc" ]
+      }
+
       # We include launch_mac on simulator builds so unittests can fork.
       if (target_environment == "simulator") {
         sources += [
@@ -2118,6 +2116,11 @@ component("base") {
         "message_loop/message_pump_io_ios.cc",
         "message_loop/message_pump_io_ios.h",
       ]
+    } else if (use_blink) {
+      sources += [
+        "message_loop/message_pump_io_ios_libdispatch.cc",
+        "message_loop/message_pump_io_ios_libdispatch.h",
+      ]
     } else {
       sources += [
         "message_loop/message_pump_kqueue.cc",
@@ -2198,18 +2201,7 @@ component("base") {
     ]
   }
 
-  if (dep_libevent) {
+  if (use_epoll) {
-    deps += [ "//third_party/libevent" ]
-  }
-
-  if (use_libevent) {
-    sources += [
-      "message_loop/message_pump_libevent.cc",
-      "message_loop/message_pump_libevent.h",
-    ]
-  }
-
-  if (enable_message_pump_epoll) {
     sources += [
       "message_loop/message_pump_epoll.cc",
       "message_loop/message_pump_epoll.h",
@@ -2258,7 +2250,10 @@ component("base") {
   }
 
   if ((is_posix && !is_apple && !is_android) || is_fuchsia) {
-    sources += [ "profiler/stack_sampler_posix.cc" ]
+    sources += [
+      "profiler/core_unwinders_posix.cc",
+      "profiler/stack_sampler_posix.cc",
+    ]
   }
 
   if ((is_posix && !is_apple && !is_android && !is_chromeos) || is_fuchsia) {
@@ -2281,10 +2276,7 @@ component("base") {
   if (enable_base_tracing) {
     sources += [
       "trace_event/auto_open_close_event.h",
-      "trace_event/builtin_categories.cc",
       "trace_event/builtin_categories.h",
-      "trace_event/category_registry.cc",
-      "trace_event/category_registry.h",
       "trace_event/heap_profiler.h",
       "trace_event/interned_args_helper.cc",
       "trace_event/interned_args_helper.h",
@@ -2311,13 +2303,14 @@ component("base") {
       "trace_event/memory_usage_estimator.cc",
       "trace_event/memory_usage_estimator.h",
       "trace_event/optional_trace_event.h",
+      "trace_event/perfetto_proto_appender.cc",
+      "trace_event/perfetto_proto_appender.h",
       "trace_event/process_memory_dump.cc",
       "trace_event/process_memory_dump.h",
       "trace_event/trace_arguments.cc",
       "trace_event/trace_arguments.h",
       "trace_event/trace_buffer.cc",
       "trace_event/trace_buffer.h",
-      "trace_event/trace_category.h",
       "trace_event/trace_config.cc",
       "trace_event/trace_config.h",
       "trace_event/trace_config_category_filter.cc",
@@ -2325,11 +2318,8 @@ component("base") {
       "trace_event/trace_event.h",
       "trace_event/trace_event_impl.cc",
       "trace_event/trace_event_impl.h",
-      "trace_event/trace_event_memory_overhead.cc",
-      "trace_event/trace_event_memory_overhead.h",
       "trace_event/trace_log.cc",
       "trace_event/trace_log.h",
-      "trace_event/trace_log_constants.cc",
       "trace_event/traced_value.cc",
       "trace_event/traced_value.h",
       "trace_event/traced_value_support.h",
@@ -2337,8 +2327,6 @@ component("base") {
       "trace_event/tracing_agent.h",
       "trace_event/typed_macros.h",
       "trace_event/typed_macros_embedder_support.h",
-      "trace_event/typed_macros_internal.cc",
-      "trace_event/typed_macros_internal.h",
       "tracing/perfetto_platform.cc",
       "tracing/perfetto_platform.h",
       "tracing/perfetto_task_runner.cc",
@@ -2365,8 +2353,6 @@ component("base") {
       sources += [
         "trace_event/etw_interceptor_win.cc",
         "trace_event/etw_interceptor_win.h",
-        "trace_event/trace_event_etw_export_win.cc",
-        "trace_event/trace_event_etw_export_win.h",
         "trace_event/trace_logging_minimal_win.cc",
         "trace_event/trace_logging_minimal_win.h",
       ]
@@ -2492,7 +2478,7 @@ buildflag_header("debugging_buildflags") {
 buildflag_header("feature_list_buildflags") {
   header = "feature_list_buildflags.h"
 
-  if (is_chromeos_ash) {
+  if (is_chromeos) {
     flags = [
       "ENABLE_BANNED_BASE_FEATURE_PREFIX=true",
       "BANNED_BASE_FEATURE_PREFIX=\"CrOSLateBoot\"",
@@ -2502,12 +2488,6 @@ buildflag_header("feature_list_buildflags") {
   }
 }
 
-buildflag_header("logging_buildflags") {
-  header = "logging_buildflags.h"
-
-  flags = [ "ENABLE_LOG_ERROR_NOT_REACHED=$enable_log_error_not_reached" ]
-}
-
 buildflag_header("orderfile_buildflags") {
   header = "orderfile_buildflags.h"
   header_dir = "base/android/orderfile"
@@ -2526,8 +2506,8 @@ buildflag_header("protected_memory_buildflags") {
   header = "protected_memory_buildflags.h"
   header_dir = "base/memory"
 
-  # Currently Protected Memory is only supported on Windows.
+  protected_memory_enabled = !is_component_build && is_clang &&
-  protected_memory_enabled = !is_component_build && is_win
+                             (is_win || is_linux || is_android || is_mac)
 
   flags = [ "PROTECTED_MEMORY_ENABLED=$protected_memory_enabled" ]
 }
@@ -2620,10 +2600,7 @@ static_library("base_static") {
     "immediate_crash.h",
   ]
 
-  deps = [
+  deps = [ ":fuzzing_buildflags" ]
-    ":fuzzing_buildflags",
-    "//build:chromeos_buildflags",
-  ]
 
   if (is_win) {
     sources += [

src/base/DEPS

@@ -1,17 +1,12 @@
 include_rules = [
-  # `#include "partition_alloc/..."` is prefered to
-  # `#include "base/allocator/partition_allocator/src/partition_alloc/..."`.
-  "+partition_alloc",
-  "-base/allocator/partition_allocator",
-
   "+third_party/ashmem",
   "+third_party/apple_apsl",
   "+third_party/boringssl/src/include",
   "+third_party/ced",
+  "+third_party/fuzztest",
   # We are moving the old jni_generator to jni_zero, some references will remain
   # in //base.
   "+third_party/jni_zero",
-  "+third_party/libevent",
   "+third_party/libunwindstack/src/libunwindstack/include",
   "+third_party/lss",
   "+third_party/modp_b64",

src/base/OWNERS

@@ -4,7 +4,6 @@ set noparent
 # NOTE: keep this in sync with global-owners-override@chromium.org owners
 # by emailing lsc-policy@chromium.org when this list changes.
 altimin@chromium.org
-danakj@chromium.org
 dcheng@chromium.org
 fdoray@chromium.org
 gab@chromium.org

src/base/SECURITY_OWNERS

@@ -9,5 +9,4 @@
 # yourself, don't hesitate to seek help from another security team member!
 # Nobody knows everything, and the only way to learn is from experience.
 dcheng@chromium.org
-rsesek@chromium.org
 tsepez@chromium.org

src/base/allocator/dispatcher/configuration.h

@@ -21,4 +21,4 @@ constexpr size_t kMaximumNumberOfObservers = 4;
 
 }  // namespace base::allocator::dispatcher::configuration
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_CONFIGURATION_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_CONFIGURATION_H_

src/base/allocator/dispatcher/dispatcher.cc

@@ -16,7 +16,7 @@
 #endif
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_hooks.h"
+#include "partition_alloc/partition_alloc_hooks.h"  // nogncheck
 #endif
 
 namespace base::allocator::dispatcher {
@@ -34,7 +34,7 @@ struct Dispatcher::Impl {
 
   void Reset() {
 #if DCHECK_IS_ON()
-    DCHECK([&]() {
+    DCHECK([&] {
       auto const was_set = is_initialized_check_flag_.test_and_set();
       is_initialized_check_flag_.clear();
       return was_set;

src/base/allocator/dispatcher/dispatcher.h

@@ -5,11 +5,11 @@
 #ifndef BASE_ALLOCATOR_DISPATCHER_DISPATCHER_H_
 #define BASE_ALLOCATOR_DISPATCHER_DISPATCHER_H_
 
+#include <memory>
+
 #include "base/allocator/dispatcher/internal/dispatcher_internal.h"
 #include "base/base_export.h"
 
-#include <memory>
-
 namespace base::allocator::dispatcher {
 
 namespace internal {

src/base/allocator/dispatcher/initializer.h

@@ -5,13 +5,13 @@
 #ifndef BASE_ALLOCATOR_DISPATCHER_INITIALIZER_H_
 #define BASE_ALLOCATOR_DISPATCHER_INITIALIZER_H_
 
+#include <tuple>
+#include <utility>
+
 #include "base/allocator/dispatcher/configuration.h"
 #include "base/allocator/dispatcher/dispatcher.h"
 #include "base/allocator/dispatcher/internal/tools.h"
 
-#include <tuple>
-#include <utility>
-
 namespace base::allocator::dispatcher {
 namespace internal {
 

src/base/allocator/dispatcher/internal/dispatch_data.h

@@ -10,11 +10,11 @@
 #include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_hooks.h"
+#include "partition_alloc/partition_alloc_hooks.h"  // nogncheck
 #endif
 
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-#include "partition_alloc/shim/allocator_shim.h"
+#include "partition_alloc/shim/allocator_shim.h"  // nogncheck
 #endif
 
 namespace base::allocator::dispatcher::internal {

src/base/allocator/dispatcher/internal/dispatcher_internal.h

@@ -16,7 +16,7 @@
 #include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC)
-#include "partition_alloc/partition_alloc_allocation_data.h"
+#include "partition_alloc/partition_alloc_allocation_data.h"  // nogncheck
 #endif
 
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
@@ -125,193 +125,165 @@ struct DispatcherImpl {
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC)
 
 #if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-  static void* AllocFn(const AllocatorDispatch* self,
+  static void* AllocFn(size_t size, void* context) {
-                       size_t size,
-                       void* context) {
-    void* const address = self->next->alloc_function(self->next, size, context);
-
-    DoNotifyAllocationForShim(address, size);
-
-    return address;
-  }
-
-  static void* AllocUncheckedFn(const AllocatorDispatch* self,
-                                size_t size,
-                                void* context) {
     void* const address =
-        self->next->alloc_unchecked_function(self->next, size, context);
+        allocator_dispatch_.next->alloc_function(size, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void* AllocZeroInitializedFn(const AllocatorDispatch* self,
+  static void* AllocUncheckedFn(size_t size, void* context) {
-                                      size_t n,
+    void* const address =
-                                      size_t size,
+        allocator_dispatch_.next->alloc_unchecked_function(size, context);
-                                      void* context) {
+
-    void* const address = self->next->alloc_zero_initialized_function(
+    DoNotifyAllocationForShim(address, size);
-        self->next, n, size, context);
+
+    return address;
+  }
+
+  static void* AllocZeroInitializedFn(size_t n, size_t size, void* context) {
+    void* const address =
+        allocator_dispatch_.next->alloc_zero_initialized_function(n, size,
+                                                                  context);
 
     DoNotifyAllocationForShim(address, n * size);
 
     return address;
   }
 
-  static void* AllocAlignedFn(const AllocatorDispatch* self,
+  static void* AllocAlignedFn(size_t alignment, size_t size, void* context) {
-                              size_t alignment,
+    void* const address = allocator_dispatch_.next->alloc_aligned_function(
-                              size_t size,
+        alignment, size, context);
-                              void* context) {
-    void* const address = self->next->alloc_aligned_function(
-        self->next, alignment, size, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void* ReallocFn(const AllocatorDispatch* self,
+  static void* ReallocFn(void* address, size_t size, void* context) {
-                         void* address,
-                         size_t size,
-                         void* context) {
     // Note: size == 0 actually performs free.
     DoNotifyFreeForShim(address);
     void* const reallocated_address =
-        self->next->realloc_function(self->next, address, size, context);
+        allocator_dispatch_.next->realloc_function(address, size, context);
 
     DoNotifyAllocationForShim(reallocated_address, size);
 
     return reallocated_address;
   }
 
-  static void* ReallocUncheckedFn(const AllocatorDispatch* self,
+  static void* ReallocUncheckedFn(void* address, size_t size, void* context) {
-                                  void* address,
-                                  size_t size,
-                                  void* context) {
     // Note: size == 0 actually performs free.
     DoNotifyFreeForShim(address);
-    void* const reallocated_address = self->next->realloc_unchecked_function(
+    void* const reallocated_address =
-        self->next, address, size, context);
+        allocator_dispatch_.next->realloc_unchecked_function(address, size,
+                                                             context);
 
     DoNotifyAllocationForShim(reallocated_address, size);
 
     return reallocated_address;
   }
 
-  static void FreeFn(const AllocatorDispatch* self,
+  static void FreeFn(void* address, void* context) {
-                     void* address,
-                     void* context) {
     // Note: DoNotifyFree should be called before free_function (here and in
     // other places). That is because observers need to handle the allocation
     // being freed before calling free_function, as once the latter is executed
     // the address becomes available and can be allocated by another thread.
     // That would be racy otherwise.
     DoNotifyFreeForShim(address);
-    MUSTTAIL return self->next->free_function(self->next, address, context);
+    MUSTTAIL return allocator_dispatch_.next->free_function(address, context);
   }
 
-  static unsigned BatchMallocFn(const AllocatorDispatch* self,
+  static unsigned BatchMallocFn(size_t size,
-                                size_t size,
                                 void** results,
                                 unsigned num_requested,
                                 void* context) {
-    unsigned const num_allocated = self->next->batch_malloc_function(
+    unsigned const num_allocated =
-        self->next, size, results, num_requested, context);
+        allocator_dispatch_.next->batch_malloc_function(size, results,
+                                                        num_requested, context);
     for (unsigned i = 0; i < num_allocated; ++i) {
       DoNotifyAllocationForShim(results[i], size);
     }
     return num_allocated;
   }
 
-  static void BatchFreeFn(const AllocatorDispatch* self,
+  static void BatchFreeFn(void** to_be_freed,
-                          void** to_be_freed,
                           unsigned num_to_be_freed,
                           void* context) {
     for (unsigned i = 0; i < num_to_be_freed; ++i) {
       DoNotifyFreeForShim(to_be_freed[i]);
     }
 
-    MUSTTAIL return self->next->batch_free_function(self->next, to_be_freed,
+    MUSTTAIL return allocator_dispatch_.next->batch_free_function(
-                                                    num_to_be_freed, context);
+        to_be_freed, num_to_be_freed, context);
   }
 
-  static void FreeDefiniteSizeFn(const AllocatorDispatch* self,
+  static void FreeDefiniteSizeFn(void* address, size_t size, void* context) {
-                                 void* address,
-                                 size_t size,
-                                 void* context) {
     DoNotifyFreeForShim(address);
-    MUSTTAIL return self->next->free_definite_size_function(self->next, address,
+    MUSTTAIL return allocator_dispatch_.next->free_definite_size_function(
-                                                            size, context);
+        address, size, context);
   }
 
-  static void TryFreeDefaultFn(const AllocatorDispatch* self,
+  static void TryFreeDefaultFn(void* address, void* context) {
-                               void* address,
-                               void* context) {
     DoNotifyFreeForShim(address);
-    MUSTTAIL return self->next->try_free_default_function(self->next, address,
+    MUSTTAIL return allocator_dispatch_.next->try_free_default_function(
-                                                          context);
+        address, context);
   }
 
-  static void* AlignedMallocFn(const AllocatorDispatch* self,
+  static void* AlignedMallocFn(size_t size, size_t alignment, void* context) {
-                               size_t size,
+    void* const address = allocator_dispatch_.next->aligned_malloc_function(
-                               size_t alignment,
+        size, alignment, context);
-                               void* context) {
-    void* const address = self->next->aligned_malloc_function(
-        self->next, size, alignment, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void* AlignedMallocUncheckedFn(const AllocatorDispatch* self,
+  static void* AlignedMallocUncheckedFn(size_t size,
-                                        size_t size,
                                         size_t alignment,
                                         void* context) {
-    void* const address = self->next->aligned_malloc_unchecked_function(
+    void* const address =
-        self->next, size, alignment, context);
+        allocator_dispatch_.next->aligned_malloc_unchecked_function(
+            size, alignment, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void* AlignedReallocFn(const AllocatorDispatch* self,
+  static void* AlignedReallocFn(void* address,
-                                void* address,
                                 size_t size,
                                 size_t alignment,
                                 void* context) {
     // Note: size == 0 actually performs free.
     DoNotifyFreeForShim(address);
-    address = self->next->aligned_realloc_function(self->next, address, size,
+    address = allocator_dispatch_.next->aligned_realloc_function(
-                                                   alignment, context);
+        address, size, alignment, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void* AlignedReallocUncheckedFn(const AllocatorDispatch* self,
+  static void* AlignedReallocUncheckedFn(void* address,
-                                         void* address,
                                          size_t size,
                                          size_t alignment,
                                          void* context) {
     // Note: size == 0 actually performs free.
     DoNotifyFreeForShim(address);
-    address = self->next->aligned_realloc_unchecked_function(
+    address = allocator_dispatch_.next->aligned_realloc_unchecked_function(
-        self->next, address, size, alignment, context);
+        address, size, alignment, context);
 
     DoNotifyAllocationForShim(address, size);
 
     return address;
   }
 
-  static void AlignedFreeFn(const AllocatorDispatch* self,
+  static void AlignedFreeFn(void* address, void* context) {
-                            void* address,
-                            void* context) {
     DoNotifyFreeForShim(address);
-    MUSTTAIL return self->next->aligned_free_function(self->next, address,
+    MUSTTAIL return allocator_dispatch_.next->aligned_free_function(address,
-                                                      context);
+                                                                    context);
   }
 
   ALWAYS_INLINE static void DoNotifyAllocationForShim(void* address,

src/base/allocator/dispatcher/reentry_guard.h

@@ -33,8 +33,9 @@ struct BASE_EXPORT ReentryGuard {
   }
 
   ALWAYS_INLINE ~ReentryGuard() {
-    if (LIKELY(allowed_))
+    if (allowed_) [[likely]] {
       pthread_setspecific(entered_key_, nullptr);
+    }
   }
 
   explicit operator bool() const noexcept { return allowed_; }

src/base/allocator/dispatcher/subsystem.h

@@ -24,4 +24,4 @@ enum class AllocationSubsystem {
 };
 }  // namespace base::allocator::dispatcher
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_SUBSYSTEM_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_SUBSYSTEM_H_

src/base/allocator/dispatcher/testing/dispatcher_test.h

@@ -24,4 +24,4 @@ struct DispatcherTest : public ::testing::Test {
 
 }  // namespace base::allocator::dispatcher::testing
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_DISPATCHER_TEST_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_DISPATCHER_TEST_H_

src/base/allocator/dispatcher/testing/observer_mock.h

@@ -30,4 +30,4 @@ struct ObserverMock {
 }  // namespace testing
 }  // namespace base::allocator::dispatcher
 
-#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_OBSERVER_MOCK_H_
+#endif  // BASE_ALLOCATOR_DISPATCHER_TESTING_OBSERVER_MOCK_H_

src/base/allocator/dispatcher/tls.cc

@@ -8,14 +8,14 @@
 
 #if USE_LOCAL_TLS_EMULATION()
 
+#include <sys/mman.h>
+
 #include "base/check.h"
 #include "base/dcheck_is_on.h"
 #include "base/debug/crash_logging.h"
 #include "base/immediate_crash.h"
 #include "build/build_config.h"
 
-#include <sys/mman.h>
-
 #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX)
 #include <sys/prctl.h>
 #endif
@@ -96,7 +96,7 @@ PThreadTLSSystem& PThreadTLSSystem::operator=(PThreadTLSSystem&& other) {
 
 bool PThreadTLSSystem::Setup(
     OnThreadTerminationFunction thread_termination_function,
-    const std::string_view instance_id) {
+    std::string_view instance_id) {
 #if DCHECK_IS_ON()
   // Initialize must happen outside of the allocation path. Therefore, it is
   // secure to verify with DCHECK.

src/base/allocator/dispatcher/tls.h

@@ -17,17 +17,21 @@
 #endif
 
 #if USE_LOCAL_TLS_EMULATION()
+#include <pthread.h>
+
 #include <algorithm>
 #include <atomic>
+#include <functional>
 #include <memory>
 #include <mutex>
 
 #include "base/base_export.h"
 #include "base/check.h"
 #include "base/compiler_specific.h"
-#include "partition_alloc/partition_alloc_constants.h"
 
-#include <pthread.h>
+#if PA_BUILDFLAG(USE_PARTITION_ALLOC)
+#include "partition_alloc/partition_alloc_constants.h"  // nogncheck
+#endif
 
 #if HAS_FEATURE(thread_sanitizer)
 #define DISABLE_TSAN_INSTRUMENTATION __attribute__((no_sanitize("thread")))
@@ -111,7 +115,7 @@ class BASE_EXPORT PThreadTLSSystem {
   // @param thread_termination_function An optional function which will be
   // invoked upon termination of a thread.
   bool Setup(OnThreadTerminationFunction thread_termination_function,
-             const std::string_view instance_id);
+             std::string_view instance_id);
   // Tear down the TLS system. After completing tear down, the thread
   // termination function passed to Setup will not be invoked anymore.
   bool TearDownForTesting();
@@ -199,7 +203,7 @@ template <typename PayloadType,
           size_t AllocationChunkSize,
           bool IsDestructibleForTesting>
 struct ThreadLocalStorage {
-  explicit ThreadLocalStorage(const std::string_view instance_id)
+  explicit ThreadLocalStorage(std::string_view instance_id)
       : root_(AllocateAndInitializeChunk()) {
     Initialize(instance_id);
   }
@@ -207,7 +211,7 @@ struct ThreadLocalStorage {
   // Create a new instance of |ThreadLocalStorage| using the passed allocator
   // and TLS system. This initializes the underlying TLS system and creates the
   // first chunk of data.
-  ThreadLocalStorage(const std::string_view instance_id,
+  ThreadLocalStorage(std::string_view instance_id,
                      AllocatorType allocator,
                      TLSSystemType tls_system)
       : allocator_(std::move(allocator)),
@@ -244,7 +248,7 @@ struct ThreadLocalStorage {
 
     auto* slot = static_cast<SingleSlot*>(tls_system.GetThreadSpecificData());
 
-    if (UNLIKELY(slot == nullptr)) {
+    if (slot == nullptr) [[unlikely]] {
       slot = FindAndAllocateFreeSlot(root_.load(std::memory_order_relaxed));
 
       // We might be called in the course of handling a memory allocation. We do
@@ -360,7 +364,7 @@ struct ThreadLocalStorage {
   }
 
   // Perform common initialization during construction of an instance.
-  void Initialize(const std::string_view instance_id) {
+  void Initialize(std::string_view instance_id) {
     // The constructor must be called outside of the allocation path. Therefore,
     // it is secure to verify with CHECK.
 

src/base/allocator/miracle_parameter.cc

@@ -8,22 +8,7 @@
 #include "base/strings/strcat.h"
 #include "base/system/sys_info.h"
 
-namespace base {
+namespace base::miracle_parameter {
-
-namespace miracle_parameter {
-
-namespace {
-
-std::string GetFieldTrialParamByFeatureAsString(
-    const base::Feature& feature,
-    const std::string& param_name,
-    const std::string& default_value) {
-  const std::string value =
-      base::GetFieldTrialParamValueByFeature(feature, param_name);
-  return value.empty() ? default_value : value;
-}
-
-}  // namespace
 
 std::string GetParamNameWithSuffix(const std::string& param_name) {
   // `base::SysInfo::AmountOfPhysicalMemoryMB()` refers to CommandLine
@@ -88,6 +73,4 @@ base::TimeDelta GetMiracleParameterAsTimeDelta(const base::Feature& feature,
                                                    default_value));
 }
 
-}  // namespace miracle_parameter
+}  // namespace base::miracle_parameter
-
-}  // namespace base

src/base/allocator/miracle_parameter.h

@@ -166,7 +166,7 @@ Enum GetMiracleParameterAsEnum(
                                    default_value, type, options)            \
   type function_name() {                                                    \
     static const type value = miracle_parameter::GetMiracleParameterAsEnum( \
-        feature, param_name, default_value, base::make_span(options));      \
+        feature, param_name, default_value, base::span(options));           \
     return value;                                                           \
   }
 

src/base/allocator/partition_alloc_features.cc

@@ -12,7 +12,6 @@
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "build/chromecast_buildflags.h"
-#include "build/chromeos_buildflags.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/partition_alloc_base/time/time.h"
 #include "partition_alloc/partition_alloc_constants.h"
@@ -20,8 +19,22 @@
 #include "partition_alloc/shim/allocator_shim_dispatch_to_noop_on_free.h"
 #include "partition_alloc/thread_cache.h"
 
-namespace base {
+namespace base::features {
-namespace features {
+
+namespace {
+
+static constexpr char kPAFeatureEnabledProcessesStr[] = "enabled-processes";
+static constexpr char kBrowserOnlyStr[] = "browser-only";
+static constexpr char kBrowserAndRendererStr[] = "browser-and-renderer";
+static constexpr char kNonRendererStr[] = "non-renderer";
+static constexpr char kAllProcessesStr[] = "all-processes";
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+static constexpr char kRendererOnlyStr[] = "renderer-only";
+static constexpr char kAllChildProcessesStr[] = "all-child-processes";
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace
 
 BASE_FEATURE(kPartitionAllocUnretainedDanglingPtr,
              "PartitionAllocUnretainedDanglingPtr",
@@ -33,7 +46,8 @@ constexpr FeatureParam<UnretainedDanglingPtrMode>::Option
         {UnretainedDanglingPtrMode::kDumpWithoutCrashing,
          "dump_without_crashing"},
 };
-const base::FeatureParam<UnretainedDanglingPtrMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<UnretainedDanglingPtrMode>
     kUnretainedDanglingPtrModeParam = {
         &kPartitionAllocUnretainedDanglingPtr,
         "mode",
@@ -41,6 +55,10 @@ const base::FeatureParam<UnretainedDanglingPtrMode>
         &kUnretainedDanglingPtrModeOption,
 };
 
+// Note: DPD conflicts with no-op `free()` (see
+// `base::allocator::MakeFreeNoOp()`). No-op `free()` stands down in the
+// presence of DPD, but hypothetically fully launching DPD should prompt
+// a rethink of no-op `free()`.
 BASE_FEATURE(kPartitionAllocDanglingPtr,
              "PartitionAllocDanglingPtr",
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_FEATURE_FLAG)
@@ -54,7 +72,8 @@ constexpr FeatureParam<DanglingPtrMode>::Option kDanglingPtrModeOption[] = {
     {DanglingPtrMode::kCrash, "crash"},
     {DanglingPtrMode::kLogOnly, "log_only"},
 };
-const base::FeatureParam<DanglingPtrMode> kDanglingPtrModeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<DanglingPtrMode> kDanglingPtrModeParam{
     &kPartitionAllocDanglingPtr,
     "mode",
     DanglingPtrMode::kCrash,
@@ -64,7 +83,8 @@ constexpr FeatureParam<DanglingPtrType>::Option kDanglingPtrTypeOption[] = {
     {DanglingPtrType::kAll, "all"},
     {DanglingPtrType::kCrossTask, "cross_task"},
 };
-const base::FeatureParam<DanglingPtrType> kDanglingPtrTypeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<DanglingPtrType> kDanglingPtrTypeParam{
     &kPartitionAllocDanglingPtr,
     "type",
     DanglingPtrType::kAll,
@@ -90,32 +110,64 @@ MIRACLE_PARAMETER_FOR_INT(
 
 BASE_FEATURE(kPartitionAllocLargeEmptySlotSpanRing,
              "PartitionAllocLargeEmptySlotSpanRing",
-#if BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
              FEATURE_ENABLED_BY_DEFAULT);
 #else
              FEATURE_DISABLED_BY_DEFAULT);
 #endif
 
+BASE_FEATURE(kPartitionAllocWithAdvancedChecks,
+             "PartitionAllocWithAdvancedChecks",
+             FEATURE_DISABLED_BY_DEFAULT);
+constexpr FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>::Option
+    kPartitionAllocWithAdvancedChecksEnabledProcessesOptions[] = {
+        {PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserOnly,
+         kBrowserOnlyStr},
+        {PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserAndRenderer,
+         kBrowserAndRendererStr},
+        {PartitionAllocWithAdvancedChecksEnabledProcesses::kNonRenderer,
+         kNonRendererStr},
+        {PartitionAllocWithAdvancedChecksEnabledProcesses::kAllProcesses,
+         kAllProcessesStr}};
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<PartitionAllocWithAdvancedChecksEnabledProcesses>
+    kPartitionAllocWithAdvancedChecksEnabledProcessesParam{
+        &kPartitionAllocWithAdvancedChecks, kPAFeatureEnabledProcessesStr,
+        PartitionAllocWithAdvancedChecksEnabledProcesses::kBrowserOnly,
+        &kPartitionAllocWithAdvancedChecksEnabledProcessesOptions};
+
 BASE_FEATURE(kPartitionAllocSchedulerLoopQuarantine,
              "PartitionAllocSchedulerLoopQuarantine",
              FEATURE_DISABLED_BY_DEFAULT);
 // Scheduler Loop Quarantine's per-branch capacity in bytes.
-const base::FeatureParam<int>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<int>
     kPartitionAllocSchedulerLoopQuarantineBranchCapacity{
         &kPartitionAllocSchedulerLoopQuarantine,
         "PartitionAllocSchedulerLoopQuarantineBranchCapacity", 0};
+// Scheduler Loop Quarantine's capacity for the UI thread in bytes.
+BASE_FEATURE_PARAM(int,
+                   kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity,
+                   &kPartitionAllocSchedulerLoopQuarantine,
+                   "PartitionAllocSchedulerLoopQuarantineBrowserUICapacity",
+                   0);
 
 BASE_FEATURE(kPartitionAllocZappingByFreeFlags,
              "PartitionAllocZappingByFreeFlags",
              FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kPartitionAllocEventuallyZeroFreedMemory,
+             "PartitionAllocEventuallyZeroFreedMemory",
+             FEATURE_DISABLED_BY_DEFAULT);
+
+BASE_FEATURE(kPartitionAllocFewerMemoryRegions,
+             "PartitionAllocFewerMemoryRegions",
+             FEATURE_DISABLED_BY_DEFAULT);
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
 BASE_FEATURE(kPartitionAllocBackupRefPtr,
              "PartitionAllocBackupRefPtr",
-#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || \
+#if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_FEATURE_FLAG)
-    BUILDFLAG(IS_CHROMEOS_ASH) || BUILDFLAG(IS_CHROMEOS_LACROS) ||     \
-    (BUILDFLAG(IS_LINUX) && !BUILDFLAG(IS_CASTOS)) ||                  \
-    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_FEATURE_FLAG)
              FEATURE_ENABLED_BY_DEFAULT
 #else
              FEATURE_DISABLED_BY_DEFAULT
@@ -124,30 +176,41 @@ BASE_FEATURE(kPartitionAllocBackupRefPtr,
 
 constexpr FeatureParam<BackupRefPtrEnabledProcesses>::Option
     kBackupRefPtrEnabledProcessesOptions[] = {
-        {BackupRefPtrEnabledProcesses::kBrowserOnly, "browser-only"},
+        {BackupRefPtrEnabledProcesses::kBrowserOnly, kBrowserOnlyStr},
         {BackupRefPtrEnabledProcesses::kBrowserAndRenderer,
-         "browser-and-renderer"},
+         kBrowserAndRendererStr},
-        {BackupRefPtrEnabledProcesses::kNonRenderer, "non-renderer"},
+        {BackupRefPtrEnabledProcesses::kNonRenderer, kNonRendererStr},
-        {BackupRefPtrEnabledProcesses::kAllProcesses, "all-processes"}};
+        {BackupRefPtrEnabledProcesses::kAllProcesses, kAllProcessesStr}};
 
-const base::FeatureParam<BackupRefPtrEnabledProcesses>
+BASE_FEATURE_ENUM_PARAM(BackupRefPtrEnabledProcesses,
-    kBackupRefPtrEnabledProcessesParam{
+                        kBackupRefPtrEnabledProcessesParam,
-        &kPartitionAllocBackupRefPtr, "enabled-processes",
+                        &kPartitionAllocBackupRefPtr,
-        BackupRefPtrEnabledProcesses::kNonRenderer,
+                        kPAFeatureEnabledProcessesStr,
-        &kBackupRefPtrEnabledProcessesOptions};
+#if PA_BUILDFLAG(IS_MAC) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)
+                        BackupRefPtrEnabledProcesses::kNonRenderer,
+#else
+                        BackupRefPtrEnabledProcesses::kAllProcesses,
+#endif
+                        &kBackupRefPtrEnabledProcessesOptions);
 
 constexpr FeatureParam<BackupRefPtrMode>::Option kBackupRefPtrModeOptions[] = {
     {BackupRefPtrMode::kDisabled, "disabled"},
     {BackupRefPtrMode::kEnabled, "enabled"},
 };
 
-const base::FeatureParam<BackupRefPtrMode> kBackupRefPtrModeParam{
+BASE_FEATURE_ENUM_PARAM(BackupRefPtrMode,
-    &kPartitionAllocBackupRefPtr, "brp-mode", BackupRefPtrMode::kEnabled,
+                        kBackupRefPtrModeParam,
-    &kBackupRefPtrModeOptions};
+                        &kPartitionAllocBackupRefPtr,
+                        "brp-mode",
+                        BackupRefPtrMode::kEnabled,
+                        &kBackupRefPtrModeOptions);
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<int> kBackupRefPtrExtraExtrasSizeParam{
+    &kPartitionAllocBackupRefPtr, "brp-extra-extras-size", 0};
 
 BASE_FEATURE(kPartitionAllocMemoryTagging,
              "PartitionAllocMemoryTagging",
-#if PA_BUILDFLAG(USE_FULL_MTE)
+#if PA_BUILDFLAG(USE_FULL_MTE) || BUILDFLAG(IS_ANDROID)
              FEATURE_ENABLED_BY_DEFAULT
 #else
              FEATURE_DISABLED_BY_DEFAULT
@@ -158,7 +221,8 @@ constexpr FeatureParam<MemtagMode>::Option kMemtagModeOptions[] = {
     {MemtagMode::kSync, "sync"},
     {MemtagMode::kAsync, "async"}};
 
-const base::FeatureParam<MemtagMode> kMemtagModeParam{
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<MemtagMode> kMemtagModeParam{
     &kPartitionAllocMemoryTagging, "memtag-mode",
 #if PA_BUILDFLAG(USE_FULL_MTE)
     MemtagMode::kSync,
@@ -167,19 +231,30 @@ const base::FeatureParam<MemtagMode> kMemtagModeParam{
 #endif
     &kMemtagModeOptions};
 
+constexpr FeatureParam<RetagMode>::Option kRetagModeOptions[] = {
+    {RetagMode::kIncrement, "increment"},
+    {RetagMode::kRandom, "random"},
+};
+
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<RetagMode> kRetagModeParam{
+    &kPartitionAllocMemoryTagging, "retag-mode", RetagMode::kIncrement,
+    &kRetagModeOptions};
+
 constexpr FeatureParam<MemoryTaggingEnabledProcesses>::Option
     kMemoryTaggingEnabledProcessesOptions[] = {
-        {MemoryTaggingEnabledProcesses::kBrowserOnly, "browser-only"},
+        {MemoryTaggingEnabledProcesses::kBrowserOnly, kBrowserOnlyStr},
-        {MemoryTaggingEnabledProcesses::kNonRenderer, "non-renderer"},
+        {MemoryTaggingEnabledProcesses::kNonRenderer, kNonRendererStr},
-        {MemoryTaggingEnabledProcesses::kAllProcesses, "all-processes"}};
+        {MemoryTaggingEnabledProcesses::kAllProcesses, kAllProcessesStr}};
 
-const base::FeatureParam<MemoryTaggingEnabledProcesses>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<MemoryTaggingEnabledProcesses>
     kMemoryTaggingEnabledProcessesParam{
-        &kPartitionAllocMemoryTagging, "enabled-processes",
+        &kPartitionAllocMemoryTagging, kPAFeatureEnabledProcessesStr,
 #if PA_BUILDFLAG(USE_FULL_MTE)
         MemoryTaggingEnabledProcesses::kAllProcesses,
 #else
-        MemoryTaggingEnabledProcesses::kBrowserOnly,
+        MemoryTaggingEnabledProcesses::kNonRenderer,
 #endif
         &kMemoryTaggingEnabledProcessesOptions};
 
@@ -198,13 +273,15 @@ BASE_FEATURE(kPartitionAllocPermissiveMte,
 #endif
 );
 
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableDereferenceCheckParam{
+BASE_FEATURE(kAsanBrpDereferenceCheck,
-    &kPartitionAllocBackupRefPtr, "asan-enable-dereference-check", true};
+             "AsanBrpDereferenceCheck",
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableExtractionCheckParam{
+             FEATURE_ENABLED_BY_DEFAULT);
-    &kPartitionAllocBackupRefPtr, "asan-enable-extraction-check",
+BASE_FEATURE(kAsanBrpExtractionCheck,
-    false};  // Not much noise at the moment to enable by default.
+             "AsanBrpExtractionCheck",      // Not much noise at the moment to
-const base::FeatureParam<bool> kBackupRefPtrAsanEnableInstantiationCheckParam{
+             FEATURE_DISABLED_BY_DEFAULT);  // enable by default.
-    &kPartitionAllocBackupRefPtr, "asan-enable-instantiation-check", true};
+BASE_FEATURE(kAsanBrpInstantiationCheck,
+             "AsanBrpInstantiationCheck",
+             FEATURE_ENABLED_BY_DEFAULT);
 
 // If enabled, switches the bucket distribution to a denser one.
 //
@@ -218,29 +295,31 @@ BASE_FEATURE(kPartitionAllocUseDenserDistribution,
              FEATURE_ENABLED_BY_DEFAULT
 #endif  // BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
 );
-const base::FeatureParam<BucketDistributionMode>::Option
+const FeatureParam<BucketDistributionMode>::Option
     kPartitionAllocBucketDistributionOption[] = {
         {BucketDistributionMode::kDefault, "default"},
         {BucketDistributionMode::kDenser, "denser"},
 };
-const base::FeatureParam<BucketDistributionMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
-    kPartitionAllocBucketDistributionParam {
+constinit const FeatureParam<BucketDistributionMode>
-  &kPartitionAllocUseDenserDistribution, "mode",
+    kPartitionAllocBucketDistributionParam{
+        &kPartitionAllocUseDenserDistribution, "mode",
 #if BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
-      BucketDistributionMode::kDefault,
+        BucketDistributionMode::kDefault,
 #else
-      BucketDistributionMode::kDenser,
+        BucketDistributionMode::kDenser,
 #endif  // BUILDFLAG(IS_ANDROID) && defined(ARCH_CPU_32_BITS)
-      &kPartitionAllocBucketDistributionOption
+        &kPartitionAllocBucketDistributionOption};
-};
 
 BASE_FEATURE(kPartitionAllocMemoryReclaimer,
              "PartitionAllocMemoryReclaimer",
              FEATURE_ENABLED_BY_DEFAULT);
-const base::FeatureParam<TimeDelta> kPartitionAllocMemoryReclaimerInterval = {
+BASE_FEATURE_PARAM(TimeDelta,
-    &kPartitionAllocMemoryReclaimer, "interval",
+                   kPartitionAllocMemoryReclaimerInterval,
-    TimeDelta(),  // Defaults to zero.
+                   &kPartitionAllocMemoryReclaimer,
-};
+                   "interval",
+                   TimeDelta()  // Defaults to zero.
+);
 
 // Configures whether we set a lower limit for renderers that do not have a main
 // frame, similar to the limit that is already done for backgrounded renderers.
@@ -253,16 +332,17 @@ BASE_FEATURE(kLowerPAMemoryLimitForNonMainRenderers,
 BASE_FEATURE(kPartitionAllocStraightenLargerSlotSpanFreeLists,
              "PartitionAllocStraightenLargerSlotSpanFreeLists",
              FEATURE_ENABLED_BY_DEFAULT);
-const base::FeatureParam<
+const FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>::
-    partition_alloc::StraightenLargerSlotSpanFreeListsMode>::Option
+    Option kPartitionAllocStraightenLargerSlotSpanFreeListsModeOption[] = {
-    kPartitionAllocStraightenLargerSlotSpanFreeListsModeOption[] = {
         {partition_alloc::StraightenLargerSlotSpanFreeListsMode::
              kOnlyWhenUnprovisioning,
          "only-when-unprovisioning"},
         {partition_alloc::StraightenLargerSlotSpanFreeListsMode::kAlways,
          "always"},
 };
-const base::FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<
+    partition_alloc::StraightenLargerSlotSpanFreeListsMode>
     kPartitionAllocStraightenLargerSlotSpanFreeListsMode = {
         &kPartitionAllocStraightenLargerSlotSpanFreeLists,
         "mode",
@@ -295,9 +375,11 @@ BASE_FEATURE(kPageAllocatorRetryOnCommitFailure,
 // The feature: kPartialLowEndModeOnMidRangeDevices is defined in
 // //base/features.cc. Since the following feature param is related to
 // PartitionAlloc, define the param here.
-const FeatureParam<bool> kPartialLowEndModeExcludePartitionAllocSupport{
+BASE_FEATURE_PARAM(bool,
-    &kPartialLowEndModeOnMidRangeDevices, "exclude-partition-alloc-support",
+                   kPartialLowEndModeExcludePartitionAllocSupport,
-    false};
+                   &kPartialLowEndModeOnMidRangeDevices,
+                   "exclude-partition-alloc-support",
+                   false);
 #endif
 
 BASE_FEATURE(kEnableConfigurableThreadCacheMultiplier,
@@ -315,19 +397,19 @@ MIRACLE_PARAMETER_FOR_DOUBLE(GetThreadCacheMultiplierForAndroid,
                              1.)
 
 constexpr partition_alloc::internal::base::TimeDelta ToPartitionAllocTimeDelta(
-    base::TimeDelta time_delta) {
+    TimeDelta time_delta) {
   return partition_alloc::internal::base::Microseconds(
       time_delta.InMicroseconds());
 }
 
-constexpr base::TimeDelta FromPartitionAllocTimeDelta(
+constexpr TimeDelta FromPartitionAllocTimeDelta(
     partition_alloc::internal::base::TimeDelta time_delta) {
-  return base::Microseconds(time_delta.InMicroseconds());
+  return Microseconds(time_delta.InMicroseconds());
 }
 
 BASE_FEATURE(kEnableConfigurableThreadCachePurgeInterval,
              "EnableConfigurableThreadCachePurgeInterval",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_DISABLED_BY_DEFAULT);
 
 MIRACLE_PARAMETER_FOR_TIME_DELTA(
     GetThreadCacheMinPurgeIntervalValue,
@@ -364,7 +446,7 @@ GetThreadCacheDefaultPurgeInterval() {
 
 BASE_FEATURE(kEnableConfigurableThreadCacheMinCachedMemoryForPurging,
              "EnableConfigurableThreadCacheMinCachedMemoryForPurging",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_DISABLED_BY_DEFAULT);
 
 MIRACLE_PARAMETER_FOR_INT(
     GetThreadCacheMinCachedMemoryForPurgingBytes,
@@ -384,64 +466,9 @@ BASE_FEATURE(kPartitionAllocDisableBRPInBufferPartition,
              "PartitionAllocDisableBRPInBufferPartition",
              FEATURE_DISABLED_BY_DEFAULT);
 
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
-BASE_FEATURE(kUsePoolOffsetFreelists,
-             "PartitionAllocUsePoolOffsetFreelists",
-             base::FEATURE_DISABLED_BY_DEFAULT);
-#endif
-
-BASE_FEATURE(kPartitionAllocMakeFreeNoOpOnShutdown,
-             "PartitionAllocMakeFreeNoOpOnShutdown",
-             FEATURE_DISABLED_BY_DEFAULT);
-
-constexpr FeatureParam<WhenFreeBecomesNoOp>::Option
-    kPartitionAllocMakeFreeNoOpOnShutdownOptions[] = {
-        {WhenFreeBecomesNoOp::kBeforePreShutdown, "before-preshutdown"},
-        {WhenFreeBecomesNoOp::kBeforeHaltingStartupTracingController,
-         "before-halting-startup-tracing-controller"},
-        {
-            WhenFreeBecomesNoOp::kBeforeShutDownThreads,
-            "before-shutdown-threads",
-        },
-        {
-            WhenFreeBecomesNoOp::kInShutDownThreads,
-            "in-shutdown-threads",
-        },
-        {
-            WhenFreeBecomesNoOp::kAfterShutDownThreads,
-            "after-shutdown-threads",
-        },
-};
-
-const base::FeatureParam<WhenFreeBecomesNoOp>
-    kPartitionAllocMakeFreeNoOpOnShutdownParam{
-        &kPartitionAllocMakeFreeNoOpOnShutdown, "callsite",
-        WhenFreeBecomesNoOp::kBeforeShutDownThreads,
-        &kPartitionAllocMakeFreeNoOpOnShutdownOptions};
-
-void MakeFreeNoOp(WhenFreeBecomesNoOp callsite) {
-  CHECK(base::FeatureList::GetInstance());
-  // Ignoring `free()` during Shutdown would allow developers to introduce new
-  // dangling pointers. So we want to avoid ignoring free when it is enabled.
-  // Note: For now, the DanglingPointerDetector is only enabled on 5 bots, and
-  // on linux non-official configuration.
-  // TODO(b/40802063): Reconsider this decision after the experiment.
-#if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
-  if (base::FeatureList::IsEnabled(features::kPartitionAllocDanglingPtr)) {
-    return;
-  }
-#endif  // PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
-#if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-  if (base::FeatureList::IsEnabled(kPartitionAllocMakeFreeNoOpOnShutdown) &&
-      kPartitionAllocMakeFreeNoOpOnShutdownParam.Get() == callsite) {
-    allocator_shim::InsertNoOpOnFreeAllocatorShimOnShutDown();
-  }
-#endif  // PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
-}
-
 BASE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground,
              "PartitionAllocAdjustSizeWhenInForeground",
-#if BUILDFLAG(IS_MAC)
+#if BUILDFLAG(IS_MAC) || BUILDFLAG(IS_WIN)
              FEATURE_ENABLED_BY_DEFAULT);
 #else
              FEATURE_DISABLED_BY_DEFAULT);
@@ -449,7 +476,25 @@ BASE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground,
 
 BASE_FEATURE(kPartitionAllocUseSmallSingleSlotSpans,
              "PartitionAllocUseSmallSingleSlotSpans",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             FEATURE_ENABLED_BY_DEFAULT);
 
-}  // namespace features
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
-}  // namespace base
+BASE_FEATURE(kPartitionAllocShadowMetadata,
+             "PartitionAllocShadowMetadata",
+             FEATURE_DISABLED_BY_DEFAULT);
+
+constexpr FeatureParam<ShadowMetadataEnabledProcesses>::Option
+    kShadowMetadataEnabledProcessesOptions[] = {
+        {ShadowMetadataEnabledProcesses::kRendererOnly, kRendererOnlyStr},
+        {ShadowMetadataEnabledProcesses::kAllChildProcesses,
+         kAllChildProcessesStr}};
+
+// Note: Do not use the prepared macro as of no need for a local cache.
+constinit const FeatureParam<ShadowMetadataEnabledProcesses>
+    kShadowMetadataEnabledProcessesParam{
+        &kPartitionAllocShadowMetadata, kPAFeatureEnabledProcessesStr,
+        ShadowMetadataEnabledProcesses::kRendererOnly,
+        &kShadowMetadataEnabledProcessesOptions};
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace base::features

src/base/allocator/partition_alloc_features.h

@@ -15,16 +15,34 @@
 #include "partition_alloc/partition_alloc_base/time/time.h"
 #include "partition_alloc/partition_root.h"
 
-namespace base {
+namespace base::features {
-namespace features {
 
-extern const BASE_EXPORT Feature kPartitionAllocUnretainedDanglingPtr;
+namespace internal {
+
+enum class PAFeatureEnabledProcesses {
+  // Enabled only in the browser process.
+  kBrowserOnly,
+  // Enabled only in the browser and renderer processes.
+  kBrowserAndRenderer,
+  // Enabled in all processes, except renderer.
+  kNonRenderer,
+  // Enabled only in renderer processes.
+  kRendererOnly,
+  // Enabled in all child processes, except zygote.
+  kAllChildProcesses,
+  // Enabled in all processes.
+  kAllProcesses,
+};
+
+}  // namespace internal
+
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUnretainedDanglingPtr);
 enum class UnretainedDanglingPtrMode {
   kCrash,
   kDumpWithoutCrashing,
 };
-extern const BASE_EXPORT base::FeatureParam<UnretainedDanglingPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(UnretainedDanglingPtrMode,
-    kUnretainedDanglingPtrModeParam;
+                                       kUnretainedDanglingPtrModeParam);
 
 // See /docs/dangling_ptr.md
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocDanglingPtr);
@@ -43,8 +61,7 @@ enum class DanglingPtrMode {
 
   // Note: This will be extended with a single shot DumpWithoutCrashing.
 };
-extern const BASE_EXPORT base::FeatureParam<DanglingPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(DanglingPtrMode, kDanglingPtrModeParam);
-    kDanglingPtrModeParam;
 enum class DanglingPtrType {
   // Act on any dangling raw_ptr released after being freed.
   kAll,  // (default)
@@ -55,8 +72,10 @@ enum class DanglingPtrType {
 
   // Note: This will be extended with LongLived
 };
-extern const BASE_EXPORT base::FeatureParam<DanglingPtrType>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(DanglingPtrType, kDanglingPtrTypeParam);
-    kDanglingPtrTypeParam;
+
+using PartitionAllocWithAdvancedChecksEnabledProcesses =
+    internal::PAFeatureEnabledProcesses;
 
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocLargeThreadCacheSize);
@@ -64,24 +83,36 @@ BASE_EXPORT int GetPartitionAllocLargeThreadCacheSizeValue();
 BASE_EXPORT int GetPartitionAllocLargeThreadCacheSizeValueForLowRAMAndroid();
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocLargeEmptySlotSpanRing);
+
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocWithAdvancedChecks);
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
+    PartitionAllocWithAdvancedChecksEnabledProcesses,
+    kPartitionAllocWithAdvancedChecksEnabledProcessesParam);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSchedulerLoopQuarantine);
 // Scheduler Loop Quarantine's per-thread capacity in bytes.
-extern const BASE_EXPORT base::FeatureParam<int>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    kPartitionAllocSchedulerLoopQuarantineBranchCapacity;
+    int,
+    kPartitionAllocSchedulerLoopQuarantineBranchCapacity);
+// Scheduler Loop Quarantine's capacity for the UI thread in bytes.
+// TODO(https://crbug.com/387470567): Support more thread types.
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
+    int,
+    kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity);
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocZappingByFreeFlags);
+
+// Eventually zero out most PartitionAlloc memory. This is not meant as a
+// security guarantee, but to increase the compression ratio of PartitionAlloc's
+// fragmented super pages.
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocEventuallyZeroFreedMemory);
+
+// Whether to make PartitionAlloc use fewer memory regions. This matters on
+// Linux-based systems, where there is a per-process limit that we hit in some
+// cases. See the comment in PartitionBucket::SlotSpanCOmmitedSize() for detail.
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocFewerMemoryRegions);
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
-enum class BackupRefPtrEnabledProcesses {
+using BackupRefPtrEnabledProcesses = internal::PAFeatureEnabledProcesses;
-  // BRP enabled only in the browser process.
-  kBrowserOnly,
-  // BRP enabled only in the browser and renderer processes.
-  kBrowserAndRenderer,
-  // BRP enabled in all processes, except renderer.
-  kNonRenderer,
-  // BRP enabled in all processes.
-  kAllProcesses,
-};
 
 enum class BackupRefPtrMode {
   // BRP is disabled across all partitions. Equivalent to the Finch flag being
@@ -100,71 +131,54 @@ enum class MemtagMode {
   kAsync,
 };
 
-enum class MemoryTaggingEnabledProcesses {
+enum class RetagMode {
-  // Memory tagging enabled only in the browser process.
+  // Allocations are retagged by incrementing the current tag.
-  kBrowserOnly,
+  kIncrement,
-  // Memory tagging enabled in all processes, except renderer.
+
-  kNonRenderer,
+  // Allocations are retagged with a random tag.
-  // Memory tagging enabled in all processes.
+  kRandom,
-  kAllProcesses,
 };
 
+using MemoryTaggingEnabledProcesses = internal::PAFeatureEnabledProcesses;
+
 enum class BucketDistributionMode : uint8_t {
   kDefault,
   kDenser,
 };
 
-// Parameter for 'kPartitionAllocMakeFreeNoOpOnShutdown' feature which
-// controls when free() becomes a no-op during Shutdown()
-enum class WhenFreeBecomesNoOp {
-  kBeforePreShutdown,
-  kBeforeHaltingStartupTracingController,
-  kBeforeShutDownThreads,
-  kInShutDownThreads,
-  kAfterShutDownThreads,
-};
-
-// Inserts a no-op on 'free()' allocator shim at the front of the
-// dispatch chain if called from the appropriate callsite.
-BASE_EXPORT void MakeFreeNoOp(WhenFreeBecomesNoOp callsite);
-
-BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMakeFreeNoOpOnShutdown);
-extern const BASE_EXPORT base::FeatureParam<WhenFreeBecomesNoOp>
-    kPartitionAllocMakeFreeNoOpOnShutdownParam;
-
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocBackupRefPtr);
-extern const BASE_EXPORT base::FeatureParam<BackupRefPtrEnabledProcesses>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BackupRefPtrEnabledProcesses,
-    kBackupRefPtrEnabledProcessesParam;
+                                       kBackupRefPtrEnabledProcessesParam);
-extern const BASE_EXPORT base::FeatureParam<BackupRefPtrMode>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BackupRefPtrMode,
-    kBackupRefPtrModeParam;
+                                       kBackupRefPtrModeParam);
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(int,
+                                       kBackupRefPtrExtraExtrasSizeParam);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMemoryTagging);
-extern const BASE_EXPORT base::FeatureParam<MemtagMode> kMemtagModeParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(MemtagMode, kMemtagModeParam);
-extern const BASE_EXPORT base::FeatureParam<MemoryTaggingEnabledProcesses>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(RetagMode, kRetagModeParam);
-    kMemoryTaggingEnabledProcessesParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(MemoryTaggingEnabledProcesses,
+                                       kMemoryTaggingEnabledProcessesParam);
 // Kill switch for memory tagging. Skips any code related to memory tagging when
 // enabled.
 BASE_EXPORT BASE_DECLARE_FEATURE(kKillPartitionAllocMemoryTagging);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocPermissiveMte);
-extern const BASE_EXPORT base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpDereferenceCheck);
-    kBackupRefPtrAsanEnableDereferenceCheckParam;
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpExtractionCheck);
-extern const BASE_EXPORT base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE(kAsanBrpInstantiationCheck);
-    kBackupRefPtrAsanEnableExtractionCheckParam;
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(BucketDistributionMode,
-extern const BASE_EXPORT base::FeatureParam<bool>
+                                       kPartitionAllocBucketDistributionParam);
-    kBackupRefPtrAsanEnableInstantiationCheckParam;
-extern const BASE_EXPORT base::FeatureParam<BucketDistributionMode>
-    kPartitionAllocBucketDistributionParam;
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kLowerPAMemoryLimitForNonMainRenderers);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUseDenserDistribution);
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocMemoryReclaimer);
-extern const BASE_EXPORT base::FeatureParam<TimeDelta>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(TimeDelta,
-    kPartitionAllocMemoryReclaimerInterval;
+                                       kPartitionAllocMemoryReclaimerInterval);
 BASE_EXPORT BASE_DECLARE_FEATURE(
     kPartitionAllocStraightenLargerSlotSpanFreeLists);
-extern const BASE_EXPORT
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    base::FeatureParam<partition_alloc::StraightenLargerSlotSpanFreeListsMode>
+    partition_alloc::StraightenLargerSlotSpanFreeListsMode,
-        kPartitionAllocStraightenLargerSlotSpanFreeListsMode;
+    kPartitionAllocStraightenLargerSlotSpanFreeListsMode);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSortSmallerSlotSpanFreeLists);
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocSortActiveSlotSpans);
 
@@ -173,8 +187,9 @@ BASE_EXPORT BASE_DECLARE_FEATURE(kPageAllocatorRetryOnCommitFailure);
 #endif
 
 #if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_CHROMEOS)
-extern const base::FeatureParam<bool>
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(
-    kPartialLowEndModeExcludePartitionAllocSupport;
+    bool,
+    kPartialLowEndModeExcludePartitionAllocSupport);
 #endif
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kEnableConfigurableThreadCacheMultiplier);
@@ -195,13 +210,6 @@ BASE_EXPORT int GetThreadCacheMinCachedMemoryForPurgingBytes();
 
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocDisableBRPInBufferPartition);
 
-// This feature is additionally gated behind a buildflag because
-// pool offset freelists cannot be represented when PartitionAlloc uses
-// 32-bit pointers.
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
-BASE_EXPORT BASE_DECLARE_FEATURE(kUsePoolOffsetFreelists);
-#endif
-
 // When set, partitions use a larger ring buffer and free memory less
 // aggressively when in the foreground.
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground);
@@ -212,7 +220,14 @@ BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocAdjustSizeWhenInForeground);
 // See also: https://crbug.com/333443437
 BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocUseSmallSingleSlotSpans);
 
-}  // namespace features
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
-}  // namespace base
+using ShadowMetadataEnabledProcesses = internal::PAFeatureEnabledProcesses;
+
+BASE_EXPORT BASE_DECLARE_FEATURE(kPartitionAllocShadowMetadata);
+BASE_EXPORT BASE_DECLARE_FEATURE_PARAM(ShadowMetadataEnabledProcesses,
+                                       kShadowMetadataEnabledProcessesParam);
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace base::features
 
 #endif  // BASE_ALLOCATOR_PARTITION_ALLOC_FEATURES_H_

src/base/allocator/partition_alloc_support.cc

@@ -4,6 +4,7 @@
 
 #include "base/allocator/partition_alloc_support.h"
 
+#include <algorithm>
 #include <array>
 #include <cinttypes>
 #include <cstdint>
@@ -15,6 +16,7 @@
 #include "base/allocator/partition_alloc_features.h"
 #include "base/at_exit.h"
 #include "base/check.h"
+#include "base/containers/span.h"
 #include "base/cpu.h"
 #include "base/debug/dump_without_crashing.h"
 #include "base/debug/stack_trace.h"
@@ -30,7 +32,6 @@
 #include "base/metrics/histogram_macros.h"
 #include "base/no_destructor.h"
 #include "base/pending_task.h"
-#include "base/ranges/algorithm.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "base/system/sys_info.h"
@@ -47,6 +48,7 @@
 #include "partition_alloc/memory_reclaimer.h"
 #include "partition_alloc/page_allocator.h"
 #include "partition_alloc/partition_alloc_base/debug/alias.h"
+#include "partition_alloc/partition_alloc_base/immediate_crash.h"
 #include "partition_alloc/partition_alloc_base/threading/platform_thread.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
@@ -57,6 +59,7 @@
 #include "partition_alloc/pointers/raw_ptr.h"
 #include "partition_alloc/shim/allocator_shim.h"
 #include "partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc.h"
+#include "partition_alloc/shim/allocator_shim_dispatch_to_noop_on_free.h"
 #include "partition_alloc/stack/stack.h"
 #include "partition_alloc/thread_cache.h"
 
@@ -68,6 +71,11 @@
 #include "partition_alloc/memory_reclaimer.h"
 #endif
 
+#if PA_BUILDFLAG( \
+    ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
+#include "partition_alloc/shim/allocator_shim_default_dispatch_to_partition_alloc_with_advanced_checks.h"
+#endif
+
 #if BUILDFLAG(IS_ANDROID) && PA_BUILDFLAG(HAS_MEMORY_TAGGING)
 #include <sys/system_properties.h>
 #endif
@@ -99,12 +107,9 @@ BootloaderOverride GetBootloaderOverride() {
 }
 #endif
 
-// When under this experiment avoid running periodic purging or reclaim for the
+// Avoid running periodic purging or reclaim for the first minute after the
-// first minute after the first attempt. This is based on the insight that
+// first attempt. This is based on the insight that processes often don't live
-// processes often don't live paste this minute.
+// paste this minute.
-static BASE_FEATURE(kDelayFirstPeriodicPAPurgeOrReclaim,
-                    "DelayFirstPeriodicPAPurgeOrReclaim",
-                    base::FEATURE_ENABLED_BY_DEFAULT);
 constexpr base::TimeDelta kFirstPAPurgeOrReclaimDelay = base::Minutes(1);
 
 // This is defined in content/public/common/content_switches.h, which is not
@@ -141,7 +146,7 @@ BASE_FEATURE(kDisableMemoryReclaimerInBackground,
 // exceeded.
 BASE_FEATURE(kPartitionAllocShortMemoryReclaim,
              "PartitionAllocShortMemoryReclaim",
-             base::FEATURE_DISABLED_BY_DEFAULT);
+             base::FEATURE_ENABLED_BY_DEFAULT);
 
 // static
 MemoryReclaimerSupport& MemoryReclaimerSupport::Instance() {
@@ -163,6 +168,8 @@ void MemoryReclaimerSupport::Start(scoped_refptr<TaskRunner> task_runner) {
     return;
   }
 
+  task_runner_ = task_runner;
+
   // The caller of the API fully controls where running the reclaim.
   // However there are a few reasons to recommend that the caller runs
   // it on the main thread:
@@ -178,13 +185,7 @@ void MemoryReclaimerSupport::Start(scoped_refptr<TaskRunner> task_runner) {
   // seconds is useful. Since this is meant to run during idle time only, it is
   // a reasonable starting point balancing effectivenes vs cost. See
   // crbug.com/942512 for details and experimental results.
-  TimeDelta delay;
+  MaybeScheduleTask(kFirstPAPurgeOrReclaimDelay);
-  if (base::FeatureList::IsEnabled(kDelayFirstPeriodicPAPurgeOrReclaim)) {
-    delay = std::max(delay, kFirstPAPurgeOrReclaimDelay);
-  }
-
-  task_runner_ = task_runner;
-  MaybeScheduleTask(delay);
 }
 
 void MemoryReclaimerSupport::SetForegrounded(bool in_foreground) {
@@ -245,12 +246,9 @@ void MemoryReclaimerSupport::MaybeScheduleTask(TimeDelta delay) {
 
 void StartThreadCachePeriodicPurge() {
   auto& instance = ::partition_alloc::ThreadCacheRegistry::Instance();
-  TimeDelta delay =
+  TimeDelta delay = std::max(
-      Microseconds(instance.GetPeriodicPurgeNextIntervalInMicroseconds());
+      Microseconds(instance.GetPeriodicPurgeNextIntervalInMicroseconds()),
-
+      kFirstPAPurgeOrReclaimDelay);
-  if (base::FeatureList::IsEnabled(kDelayFirstPeriodicPAPurgeOrReclaim)) {
-    delay = std::max(delay, kFirstPAPurgeOrReclaimDelay);
-  }
 
   SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
       FROM_HERE, BindOnce(RunThreadCachePeriodicPurge), delay);
@@ -331,6 +329,40 @@ std::map<std::string, std::string> ProposeSyntheticFinchTrials() {
   return trials;
 }
 
+namespace {
+
+bool ShouldEnableFeatureOnProcess(
+    features::internal::PAFeatureEnabledProcesses enabled_processes,
+    const std::string& process_type) {
+  switch (enabled_processes) {
+    case features::internal::PAFeatureEnabledProcesses::kBrowserOnly:
+      return process_type.empty();
+    case features::internal::PAFeatureEnabledProcesses::kNonRenderer:
+      return process_type != switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kBrowserAndRenderer:
+      return process_type.empty() || process_type == switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kRendererOnly:
+      return process_type == switches::kRendererProcess;
+    case features::internal::PAFeatureEnabledProcesses::kAllChildProcesses:
+      return !process_type.empty() && process_type != switches::kZygoteProcess;
+    case features::internal::PAFeatureEnabledProcesses::kAllProcesses:
+      return true;
+  }
+}
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+bool ShouldEnableShadowMetadata(const std::string& process_type) {
+  if (!base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocShadowMetadata)) {
+    return false;
+  }
+  return ShouldEnableFeatureOnProcess(
+      features::kShadowMetadataEnabledProcessesParam.Get(), process_type);
+}
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
+
+}  // namespace
+
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
 
 namespace {
@@ -423,7 +455,7 @@ std::string ExtractDanglingPtrSignature(std::string stacktrace) {
   size_t caller_index = 0;
   for (size_t i = 0; i < lines.size(); ++i) {
     for (const auto& patterns : callee_patterns) {
-      if (ranges::all_of(patterns, [&](std::string_view pattern) {
+      if (std::ranges::all_of(patterns, [&](std::string_view pattern) {
             return lines[i].find(pattern) != std::string_view::npos;
           })) {
         caller_index = i + 1;
@@ -546,38 +578,55 @@ void DanglingRawPtrReleased(uintptr_t id) {
 
   std::string dangling_signature = ExtractDanglingPtrSignature(
       free_info, stack_trace_release, task_trace_release);
-  static const char dangling_ptr_footer[] =
+
-      "\n"
+  {
-      "\n"
+    // Log the full error in a single LogMessage. Printing StackTrace is
-      "Please check for more information on:\n"
+    // expensive, so we want to avoid interleaving the output with other logs.
-      "https://chromium.googlesource.com/chromium/src/+/main/docs/"
+    logging::LogMessage log_message(__FILE__, __LINE__, logging::LOGGING_ERROR);
-      "dangling_ptr_guide.md\n"
+    std::ostream& error = log_message.stream();
-      "\n"
+
-      "Googlers: Please give us your feedback about the dangling pointer\n"
+    // The dangling signature can be used by script to locate the origin of
-      "          detector at:\n"
+    // every dangling pointers.
-      "          http://go/dangling-ptr-cq-survey\n";
+    error << "\n\n"
-  if (free_info) {
+          << ExtractDanglingPtrSignature(free_info, stack_trace_release,
-    LOG(ERROR) << "Detected dangling raw_ptr with id="
+                                         task_trace_release)
-               << StringPrintf("0x%016" PRIxPTR, id) << ":\n"
+          << "\n\n";
-               << dangling_signature << "\n\n"
+
-               << "The memory was freed at:\n"
+    error << "[DanglingPtr](1/3) A raw_ptr/raw_ref is dangling.\n\n";
-               << free_info->stack_trace << "\n"
+
-               << free_info->task_trace << "\n"
+    auto print_traces = [](debug::StackTrace stack_trace,
-               << "The dangling raw_ptr was released at:\n"
+                           debug::TaskTrace task_trace, std::ostream& error) {
-               << stack_trace_release << "\n"
+      error << "Stack trace:\n";
-               << task_trace_release << dangling_ptr_footer;
+      error << stack_trace << "\n";
-  } else {
+
-    LOG(ERROR) << "Detected dangling raw_ptr with id="
+      // Printing "Task trace:" is implied by the TaskTrace itself.
-               << StringPrintf("0x%016" PRIxPTR, id) << ":\n\n"
+      if (!task_trace.empty()) {
-               << dangling_signature << "\n\n"
+        error << task_trace << "\n";
-               << "It was not recorded where the memory was freed.\n\n"
+      }
-               << "The dangling raw_ptr was released at:\n"
+    };
-               << stack_trace_release << "\n"
+
-               << task_trace_release << dangling_ptr_footer;
+    error << "[DanglingPtr](2/3) ";
+    if (free_info) {
+      error << "First, the memory was freed at:\n\n";
+      print_traces(free_info->stack_trace, free_info->task_trace, error);
+    } else {
+      error << "It was not recorded where the memory was freed.\n";
+    }
+
+    error << "[DanglingPtr](3/3) Later, the dangling raw_ptr was released "
+             "at:\n\n";
+    print_traces(stack_trace_release, task_trace_release, error);
+
+    error << "Please check for more information on:\n";
+    error << "https://chromium.googlesource.com/chromium/src/+/main/docs/";
+    error << "dangling_ptr_guide.md\n";
+    error << "\n";
   }
 
   if constexpr (dangling_pointer_mode == features::DanglingPtrMode::kCrash) {
-    ImmediateCrash();
+    // We use `PA_IMMEDIATE_CRASH()` instead of base's ImmediateCrash() to avoid
+    // printing the raw_ptr release stack trace twice.
+    PA_IMMEDIATE_CRASH();
   }
 }
 
@@ -602,14 +651,22 @@ void CheckDanglingRawPtrBufferEmpty() {
                << entry->task_trace << "\n"
                << entry->stack_trace << "\n";
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_INSTANCE_TRACER)
+    auto is_frame_ptr_not_null = [](const void* frame_ptr) {
+      return frame_ptr != nullptr;
+    };
     std::vector<std::array<const void*, 32>> stack_traces =
         internal::InstanceTracer::GetStackTracesForDanglingRefs(entry->id);
     for (const auto& raw_stack_trace : stack_traces) {
+      CHECK(std::ranges::is_partitioned(raw_stack_trace, is_frame_ptr_not_null))
+          << "`raw_stack_trace` is expected to be partitioned: non-null values "
+             "at the begining followed by `nullptr`s.";
       LOG(ERROR) << "Dangling reference from:\n";
-      LOG(ERROR) << debug::StackTrace(raw_stack_trace.data(),
+      LOG(ERROR) << debug::StackTrace(
-                                      raw_stack_trace.size() -
+                        // This call truncates the `nullptr` tail of the stack
-                                          static_cast<size_t>(ranges::count(
+                        // trace (see the `is_partitioned` CHECK above).
-                                              raw_stack_trace, nullptr)))
+                        span(raw_stack_trace.begin(),
+                             std::ranges::partition_point(
+                                 raw_stack_trace, is_frame_ptr_not_null)))
                  << "\n";
     }
 #else
@@ -734,6 +791,22 @@ void ReconfigurePartitionForKnownProcess(const std::string& process_type) {
   // experiments.
 }
 
+void MakeFreeNoOp() {
+  // Ignoring `free()` during Shutdown would allow developers to introduce new
+  // dangling pointers. So we want to avoid ignoring free when it is enabled.
+  // Note: For now, the DanglingPointerDetector is only enabled on 5 bots, and
+  // on linux non-official configuration.
+#if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
+  CHECK(base::FeatureList::GetInstance());
+  if (base::FeatureList::IsEnabled(features::kPartitionAllocDanglingPtr)) {
+    return;
+  }
+#endif  // PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
+#if PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
+  allocator_shim::InsertNoOpOnFreeAllocatorShimOnShutDown();
+#endif  // PA_BUILDFLAG(USE_ALLOCATOR_SHIM)
+}
+
 PartitionAllocSupport* PartitionAllocSupport::Get() {
   static auto* singleton = new PartitionAllocSupport();
   return singleton;
@@ -765,14 +838,8 @@ bool PartitionAllocSupport::ShouldEnableMemoryTagging(
           base::features::kKillPartitionAllocMemoryTagging)) {
     return false;
   }
-  switch (base::features::kMemoryTaggingEnabledProcessesParam.Get()) {
+  return ShouldEnableFeatureOnProcess(
-    case base::features::MemoryTaggingEnabledProcesses::kBrowserOnly:
+      base::features::kMemoryTaggingEnabledProcessesParam.Get(), process_type);
-      return process_type.empty();
-    case base::features::MemoryTaggingEnabledProcesses::kNonRenderer:
-      return process_type != switches::kRendererProcess;
-    case base::features::MemoryTaggingEnabledProcesses::kAllProcesses:
-      return true;
-  }
 }
 
 // static
@@ -780,55 +847,51 @@ bool PartitionAllocSupport::ShouldEnableMemoryTaggingInRendererProcess() {
   return ShouldEnableMemoryTagging(switches::kRendererProcess);
 }
 
+// static
+bool PartitionAllocSupport::ShouldEnablePartitionAllocWithAdvancedChecks(
+    const std::string& process_type) {
+#if !PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
+  return false;
+#else
+  if (!base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocWithAdvancedChecks)) {
+    return false;
+  }
+  return ShouldEnableFeatureOnProcess(
+      base::features::kPartitionAllocWithAdvancedChecksEnabledProcessesParam
+          .Get(),
+      process_type);
+#endif  // !PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
+}
+
 // static
 PartitionAllocSupport::BrpConfiguration
 PartitionAllocSupport::GetBrpConfiguration(const std::string& process_type) {
   // TODO(bartekn): Switch to DCHECK once confirmed there are no issues.
   CHECK(base::FeatureList::GetInstance());
 
-  bool process_affected_by_brp_flag = false;
-#if (PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) &&  \
-     PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)) || \
-    PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
-  if (base::FeatureList::IsEnabled(
-          base::features::kPartitionAllocBackupRefPtr)) {
-    // No specified process type means this is the Browser process.
-    switch (base::features::kBackupRefPtrEnabledProcessesParam.Get()) {
-      case base::features::BackupRefPtrEnabledProcesses::kBrowserOnly:
-        process_affected_by_brp_flag = process_type.empty();
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kBrowserAndRenderer:
-        process_affected_by_brp_flag =
-            process_type.empty() ||
-            (process_type == switches::kRendererProcess);
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kNonRenderer:
-        process_affected_by_brp_flag =
-            (process_type != switches::kRendererProcess);
-        break;
-      case base::features::BackupRefPtrEnabledProcesses::kAllProcesses:
-        process_affected_by_brp_flag = true;
-        break;
-    }
-  }
-#endif  // (PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) &&
-        // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)) ||
-        // PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
-
-  const bool enable_brp =
 #if PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC) && \
-    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+    PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT) && \
-      // kDisabled is equivalent to !IsEnabled(kPartitionAllocBackupRefPtr).
+    !PA_BUILDFLAG(FORCE_DISABLE_BACKUP_REF_PTR_FEATURE)
-      process_affected_by_brp_flag &&
+
+  if (base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocBackupRefPtr) &&
       base::features::kBackupRefPtrModeParam.Get() !=
-          base::features::BackupRefPtrMode::kDisabled;
+          base::features::BackupRefPtrMode::kDisabled &&
-#else
+      ShouldEnableFeatureOnProcess(
-      false;
+          base::features::kBackupRefPtrEnabledProcessesParam.Get(),
+          process_type)) {
+    return {
+        .enable_brp = true,
+        .extra_extras_size = static_cast<size_t>(
+            base::features::kBackupRefPtrExtraExtrasSizeParam.Get()),
+    };
+  }
 #endif
 
   return {
-      enable_brp,
+      .enable_brp = false,
-      process_affected_by_brp_flag,
+      .extra_extras_size = 0,
   };
 }
 
@@ -931,20 +994,26 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   [[maybe_unused]] BrpConfiguration brp_config =
       GetBrpConfiguration(process_type);
 
-#if PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
+  // Configure ASAN hooks to report the `MiraclePtr status`. This is enabled
-  if (brp_config.process_affected_by_brp_flag) {
+  // only if BackupRefPtr is normally enabled in the current process for the
-    base::RawPtrAsanService::GetInstance().Configure(
+  // current platform. Note that CastOS and iOS aren't protected by BackupRefPtr
-        base::EnableDereferenceCheck(
+  // a the moment, so they are excluded.
-            base::features::kBackupRefPtrAsanEnableDereferenceCheckParam.Get()),
+#if PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR) && !PA_BUILDFLAG(IS_CASTOS) && \
-        base::EnableExtractionCheck(
+    !PA_BUILDFLAG(IS_IOS)
-            base::features::kBackupRefPtrAsanEnableExtractionCheckParam.Get()),
+  if (ShouldEnableFeatureOnProcess(
-        base::EnableInstantiationCheck(
+          base::features::kBackupRefPtrEnabledProcessesParam.Get(),
-            base::features::kBackupRefPtrAsanEnableInstantiationCheckParam
+          process_type)) {
-                .Get()));
+    RawPtrAsanService::GetInstance().Configure(
+        EnableDereferenceCheck(
+            FeatureList::IsEnabled(features::kAsanBrpDereferenceCheck)),
+        EnableExtractionCheck(
+            FeatureList::IsEnabled(features::kAsanBrpExtractionCheck)),
+        EnableInstantiationCheck(
+            FeatureList::IsEnabled(features::kAsanBrpInstantiationCheck)));
   } else {
-    base::RawPtrAsanService::GetInstance().Configure(
+    RawPtrAsanService::GetInstance().Configure(EnableDereferenceCheck(false),
-        base::EnableDereferenceCheck(false), base::EnableExtractionCheck(false),
+                                               EnableExtractionCheck(false),
-        base::EnableInstantiationCheck(false));
+                                               EnableInstantiationCheck(false));
   }
 #endif  // PA_BUILDFLAG(USE_ASAN_BACKUP_REF_PTR)
 
@@ -969,13 +1038,10 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
               .Get());
   const bool zapping_by_free_flags = base::FeatureList::IsEnabled(
       base::features::kPartitionAllocZappingByFreeFlags);
-
+  const bool eventually_zero_freed_memory = base::FeatureList::IsEnabled(
-#if PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
+      base::features::kPartitionAllocEventuallyZeroFreedMemory);
-  const bool use_pool_offset_freelists =
+  const bool fewer_memory_regions = base::FeatureList::IsEnabled(
-      base::FeatureList::IsEnabled(base::features::kUsePoolOffsetFreelists);
+      base::features::kPartitionAllocFewerMemoryRegions);
-#else
-  const bool use_pool_offset_freelists = false;
-#endif  // PA_BUILDFLAG(USE_FREELIST_DISPATCHER)
 
   bool enable_memory_tagging = false;
   partition_alloc::TagViolationReportingMode memory_tagging_reporting_mode =
@@ -986,17 +1052,37 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   // check here too to wrap the GetMemoryTaggingModeForCurrentThread() call.
   if (!base::FeatureList::IsEnabled(
           base::features::kKillPartitionAllocMemoryTagging)) {
-    // If synchronous mode is enabled from startup it means this is a test and
+    // If synchronous mode is enabled from startup it means this is a test or it
-    // memory tagging should be enabled.
+    // was force enabled in Chrome some how so honor that choice.
-    if (partition_alloc::internal::GetMemoryTaggingModeForCurrentThread() ==
+    partition_alloc::TagViolationReportingMode
+        startup_memory_tagging_reporting_mode =
+            partition_alloc::internal::GetMemoryTaggingModeForCurrentThread();
+    if (startup_memory_tagging_reporting_mode ==
         partition_alloc::TagViolationReportingMode::kSynchronous) {
       enable_memory_tagging = true;
       memory_tagging_reporting_mode =
           partition_alloc::TagViolationReportingMode::kSynchronous;
+      // Not enabling permissive mode as this config is used to crash and detect
+      // bugs.
+      VLOG(1) << "PartitionAlloc: Memory tagging enabled in SYNC mode at "
+                 "startup (Process: "
+              << process_type << ")";
     } else {
       enable_memory_tagging = ShouldEnableMemoryTagging(process_type);
 #if BUILDFLAG(IS_ANDROID)
+      // Android Scudo does not allow MTE to be re-enabled if MTE was disabled.
+      if (enable_memory_tagging &&
+          startup_memory_tagging_reporting_mode ==
+              partition_alloc::TagViolationReportingMode::kDisabled) {
+        LOG(ERROR) << "PartitionAlloc: Failed to enable memory tagging due to "
+                      "MTE disabled at startup (Process: "
+                   << process_type << ")";
+        debug::DumpWithoutCrashing();
+        enable_memory_tagging = false;
+      }
+
       if (enable_memory_tagging) {
+        // Configure MTE.
         switch (base::features::kMemtagModeParam.Get()) {
           case base::features::MemtagMode::kSync:
             memory_tagging_reporting_mode =
@@ -1007,15 +1093,28 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
                 partition_alloc::TagViolationReportingMode::kAsynchronous;
             break;
         }
-        partition_alloc::PermissiveMte::SetEnabled(base::FeatureList::IsEnabled(
+        bool enable_permissive_mte = base::FeatureList::IsEnabled(
-            base::features::kPartitionAllocPermissiveMte));
+            base::features::kPartitionAllocPermissiveMte);
+        partition_alloc::PermissiveMte::SetEnabled(enable_permissive_mte);
         CHECK(partition_alloc::internal::
                   ChangeMemoryTaggingModeForAllThreadsPerProcess(
                       memory_tagging_reporting_mode));
         CHECK_EQ(
             partition_alloc::internal::GetMemoryTaggingModeForCurrentThread(),
             memory_tagging_reporting_mode);
+        VLOG(1)
+            << "PartitionAlloc: Memory tagging enabled in "
+            << (memory_tagging_reporting_mode ==
+                        partition_alloc::TagViolationReportingMode::kSynchronous
+                    ? "SYNC"
+                    : "ASYNC")
+            << " mode (Process: " << process_type << ")";
+        if (enable_permissive_mte) {
+          VLOG(1) << "PartitionAlloc: Permissive MTE enabled (Process: "
+                  << process_type << ")";
+        }
       } else if (base::CPU::GetInstanceNoAllocation().has_mte()) {
+        // Disable MTE.
         memory_tagging_reporting_mode =
             partition_alloc::TagViolationReportingMode::kDisabled;
         CHECK(partition_alloc::internal::
@@ -1024,36 +1123,28 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
         CHECK_EQ(
             partition_alloc::internal::GetMemoryTaggingModeForCurrentThread(),
             memory_tagging_reporting_mode);
+        VLOG(1) << "PartitionAlloc: Memory tagging disabled (Process: "
+                << process_type << ")";
       }
 #endif  // BUILDFLAG(IS_ANDROID)
     }
   }
 #endif  // PA_BUILDFLAG(HAS_MEMORY_TAGGING)
 
-  if (enable_memory_tagging) {
-    CHECK((memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kSynchronous) ||
-          (memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kAsynchronous));
-  } else {
-    CHECK((memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kUndefined) ||
-          (memory_tagging_reporting_mode ==
-           partition_alloc::TagViolationReportingMode::kDisabled));
-  }
-
   allocator_shim::UseSmallSingleSlotSpans use_small_single_slot_spans(
       base::FeatureList::IsEnabled(
           features::kPartitionAllocUseSmallSingleSlotSpans));
 
   allocator_shim::ConfigurePartitions(
       allocator_shim::EnableBrp(brp_config.enable_brp),
+      brp_config.extra_extras_size,
       allocator_shim::EnableMemoryTagging(enable_memory_tagging),
       memory_tagging_reporting_mode, bucket_distribution,
       allocator_shim::SchedulerLoopQuarantine(scheduler_loop_quarantine),
       scheduler_loop_quarantine_branch_capacity_in_bytes,
       allocator_shim::ZappingByFreeFlags(zapping_by_free_flags),
-      allocator_shim::UsePoolOffsetFreelists(use_pool_offset_freelists),
+      allocator_shim::EventuallyZeroFreedMemory(eventually_zero_freed_memory),
+      allocator_shim::FewerMemoryRegions(fewer_memory_regions),
       use_small_single_slot_spans);
 
   const uint32_t extras_size = allocator_shim::GetMainPartitionRootExtrasSize();
@@ -1063,12 +1154,8 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
   UmaHistogramCounts100("Memory.PartitionAlloc.PartitionRoot.ExtrasSize",
                         int(extras_size));
 
-#if !defined(__MUSL__)
-  // This call causes hanging in pthread_getattr_np() under qemu-user, see
-  // https://www.openwall.com/lists/musl/2017/06/15/9.
   partition_alloc::internal::StackTopRegistry::Get().NotifyThreadCreated(
       partition_alloc::internal::GetStackTop());
-#endif
 
   allocator_shim::internal::PartitionAllocMalloc::Allocator()
       ->EnableThreadCacheIfSupported();
@@ -1078,6 +1165,28 @@ void PartitionAllocSupport::ReconfigureAfterFeatureListInit(
     allocator_shim::internal::PartitionAllocMalloc::Allocator()
         ->EnableLargeEmptySlotSpanRing();
   }
+
+  if (process_type == "" &&
+      base::FeatureList::IsEnabled(
+          base::features::kPartitionAllocSchedulerLoopQuarantine)) {
+    // `ReconfigureAfterTaskRunnerInit()` is called on the UI thread.
+    const size_t capacity_in_bytes = static_cast<size_t>(
+        base::features::kPartitionAllocSchedulerLoopQuarantineBrowserUICapacity
+            .Get());
+    allocator_shim::internal::PartitionAllocMalloc::Allocator()
+        ->SetSchedulerLoopQuarantineThreadLocalBranchCapacity(
+            capacity_in_bytes);
+  }
+
+#if PA_BUILDFLAG( \
+    ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
+  bool enable_pa_with_advanced_checks =
+      ShouldEnablePartitionAllocWithAdvancedChecks(process_type);
+  if (enable_pa_with_advanced_checks) {
+    allocator_shim::InstallCustomDispatchForPartitionAllocWithAdvancedChecks();
+  }
+#endif  // PA_BUILDFLAG(
+        // ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT)
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
 #if BUILDFLAG(IS_WIN)
@@ -1189,6 +1298,15 @@ void PartitionAllocSupport::ReconfigureAfterTaskRunnerInit(
   partition_alloc::PartitionRoot::SetSortActiveSlotSpansEnabled(
       base::FeatureList::IsEnabled(
           base::features::kPartitionAllocSortActiveSlotSpans));
+
+#if PA_CONFIG(ENABLE_SHADOW_METADATA)
+  if (ShouldEnableShadowMetadata(process_type)) {
+    partition_alloc::PartitionRoot::EnableShadowMetadata(
+        partition_alloc::internal::PoolHandleMask::kRegular |
+        partition_alloc::internal::PoolHandleMask::kBRP |
+        partition_alloc::internal::PoolHandleMask::kConfigurable);
+  }
+#endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 }
 
 void PartitionAllocSupport::OnForegrounded(bool has_main_frame) {
@@ -1243,9 +1361,8 @@ void PartitionAllocSupport::OnBackgrounded() {
   // TODO(lizeb): Remove once/if the behavior of idle tasks changes.
   base::PostDelayedMemoryReductionTask(
       base::SingleThreadTaskRunner::GetCurrentDefault(), FROM_HERE,
-      base::BindOnce([]() {
+      base::BindOnce(
-        ::partition_alloc::MemoryReclaimer::Instance()->ReclaimAll();
+          [] { ::partition_alloc::MemoryReclaimer::Instance()->ReclaimAll(); }),
-      }),
       base::Seconds(10));
 
 #endif  // PA_CONFIG(THREAD_CACHE_SUPPORTED)

src/base/allocator/partition_alloc_support.h

@@ -37,12 +37,21 @@ BASE_EXPORT std::map<std::string, std::string> ProposeSyntheticFinchTrials();
 BASE_EXPORT void InstallDanglingRawPtrChecks();
 BASE_EXPORT void InstallUnretainedDanglingRawPtrChecks();
 
+// Once called, makes `free()` do nothing. This is done to reduce
+// shutdown hangs on CrOS.
+// Does nothing if Dangling Pointer Detector (`docs/dangling_ptr.md`)
+// is not active.
+// Does nothing if allocator shim support is not built.
+BASE_EXPORT void MakeFreeNoOp();
+
 // Allows to re-configure PartitionAlloc at run-time.
 class BASE_EXPORT PartitionAllocSupport {
  public:
   struct BrpConfiguration {
     bool enable_brp = false;
-    bool process_affected_by_brp_flag = false;
+
+    // TODO(https://crbug.com/371135823): Remove after the investigation.
+    size_t extra_extras_size = 0;
   };
 
   // Reconfigure* functions re-configure PartitionAlloc. It is impossible to
@@ -98,6 +107,11 @@ class BASE_EXPORT PartitionAllocSupport {
   // For calling from within third_party/blink/.
   static bool ShouldEnableMemoryTaggingInRendererProcess();
 
+  // Returns true if PA advanced checks should be enabled if available for the
+  // given process type. May be called multiple times per process.
+  static bool ShouldEnablePartitionAllocWithAdvancedChecks(
+      const std::string& process_type);
+
  private:
   PartitionAllocSupport();
 

src/base/allocator/partition_allocator/.clang-tidy

@@ -0,0 +1,7 @@
+---
+  Checks: 'google-build-namespaces,
+           readability-redundant-smartptr-get,
+           readability-static-accessed-through-instance'
+  InheritParentConfig: true
+  HeaderFilterRegex: 'partition_alloc/*'
+...

src/base/allocator/partition_allocator/BUILD.gn

@@ -11,8 +11,14 @@ group("buildflags") {
   public_deps = [ "src/partition_alloc:buildflags" ]
 }
 
-if (is_clang_or_gcc) {
+if (use_partition_alloc && is_clang_or_gcc) {
   group("partition_alloc") {
     public_deps = [ "src/partition_alloc:partition_alloc" ]
   }
 }
+
+if (use_allocator_shim) {
+  group("allocator_shim") {
+    public_deps = [ "src/partition_alloc:allocator_shim" ]
+  }
+}

src/base/allocator/partition_allocator/OWNERS

@@ -1,4 +1,3 @@
-bartekn@chromium.org
 haraken@chromium.org
 keishi@chromium.org
 lizeb@chromium.org

src/base/allocator/partition_allocator/PRESUBMIT.py

@@ -13,15 +13,11 @@ PRESUBMIT_VERSION = '2.0.0'
 # chromium repository. PRESUBMIT.py is executed from chromium.
 _PARTITION_ALLOC_BASE_PATH = 'base/allocator/partition_allocator/src/'
 
+# Pattern matching C/C++ source files, for use in allowlist args.
+_SOURCE_FILE_PATTERN = r'.*\.(h|hpp|c|cc|cpp)$'
 
-# Filter for C/C++ files.
+# Similar pattern, matching GN files.
-def c_cpp_files(file):
+_BUILD_FILE_PATTERN = r'.*\.(gn|gni)$'
-    return file.LocalPath().endswith(('.h', '.hpp', '.c', '.cc', '.cpp'))
-
-# Filter for GN files.
-def gn_files(file):
-    return file.LocalPath().endswith(('.gn', '.gni'))
-
 
 # This is adapted from Chromium's PRESUBMIT.py. The differences are:
 # - Base path: It is relative to the partition_alloc's source directory instead
@@ -112,8 +108,13 @@ def CheckNoExternalImportInGn(input_api, output_api):
     # Match and capture <path> from import("<path>").
     import_re = input_api.re.compile(r'^ *import\("([^"]+)"\)')
 
+    sources = lambda affected_file: input_api.FilterSourceFile(
+        affected_file,
+        files_to_skip=[],
+        files_to_check=[_BUILD_FILE_PATTERN])
+
     errors = []
-    for f in input_api.AffectedSourceFiles(gn_files):
+    for f in input_api.AffectedSourceFiles(sources):
         for line_number, line in f.ChangedContents():
             match = import_re.search(line)
             if not match:
@@ -133,7 +134,7 @@ def CheckCpp17CompatibleHeaders(input_api, output_api):
     CPP_20_HEADERS = [
         "barrier",
         "bit",
-        "compare",
+        #"compare",  Three-way comparison may be used under appropriate guards.
         "format",
         "numbers",
         "ranges",
@@ -158,8 +159,16 @@ def CheckCpp17CompatibleHeaders(input_api, output_api):
         "stdfloat",
     ]
 
+    sources = lambda affected_file: input_api.FilterSourceFile(
+        affected_file,
+        # compiler_specific.h may use these headers in guarded ways.
+        files_to_skip=[
+            r'.*partition_alloc_base/augmentations/compiler_specific\.h'
+        ],
+        files_to_check=[_SOURCE_FILE_PATTERN])
+
     errors = []
-    for f in input_api.AffectedSourceFiles(c_cpp_files):
+    for f in input_api.AffectedSourceFiles(sources):
         # for line_number, line in f.ChangedContents():
         for line_number, line in enumerate(f.NewContents()):
             for header in CPP_20_HEADERS:
@@ -187,11 +196,22 @@ def CheckCpp17CompatibleKeywords(input_api, output_api):
         "co_return",
         "co_yield",
         "requires",
+        "std::hardware_",
+        "std::is_constant_evaluated",
+        "std::bit_cast",
+        "std::midpoint",
+        "std::to_array",
     ]
     # Note: C++23 doesn't introduce new keywords.
 
+    sources = lambda affected_file: input_api.FilterSourceFile(
+        affected_file,
+        # compiler_specific.h may use these keywords in guarded macros.
+        files_to_skip=[r'.*partition_alloc_base/compiler_specific\.h'],
+        files_to_check=[_SOURCE_FILE_PATTERN])
+
     errors = []
-    for f in input_api.AffectedSourceFiles(c_cpp_files):
+    for f in input_api.AffectedSourceFiles(sources):
         for line_number, line in f.ChangedContents():
             for keyword in CPP_20_KEYWORDS:
                 if not keyword in line:
@@ -210,3 +230,20 @@ def CheckCpp17CompatibleKeywords(input_api, output_api):
                         '%s:%d\nPartitionAlloc disallows C++20 keywords: %s'
                         % (f.LocalPath(), line_number + 1, keyword)))
     return errors
+
+# Check `NDEBUG` is not used inside partition_alloc. We prefer to use the
+# buildflags `#if PA_BUILDFLAG(IS_DEBUG)` instead.
+def CheckNoNDebug(input_api, output_api):
+    sources = lambda affected_file: input_api.FilterSourceFile(
+        affected_file,
+        files_to_skip=[],
+        files_to_check=[_SOURCE_FILE_PATTERN])
+
+    errors = []
+    for f in input_api.AffectedSourceFiles(sources):
+        for line_number, line in f.ChangedContents():
+            if 'NDEBUG' in line:
+                errors.append(output_api.PresubmitError('%s:%d\nPartitionAlloc'
+                  % (f.LocalPath(), line_number + 1)
+                  + 'disallows NDEBUG, use PA_BUILDFLAG(IS_DEBUG) instead'))
+    return errors

src/base/allocator/partition_allocator/build_overrides/partition_alloc.gni

@@ -15,6 +15,7 @@ use_allocator_shim_default = false
 enable_backup_ref_ptr_support_default = false
 enable_backup_ref_ptr_slow_checks_default = false
 enable_dangling_raw_ptr_checks_default = false
+enable_ios_corruption_hardening_default = false
 
 # This is the default build configuration for pointers/raw_ptr*.
 raw_ptr_zero_on_construct_default = true

src/base/allocator/partition_allocator/gn/BUILDCONFIG.gn

@@ -52,7 +52,6 @@ is_nacl = false
 is_win = current_os == "win" || current_os == "winuwp"
 is_cast_android = false
 is_castos = false
-is_chromeos_ash = false
 is_cronet_build = false
 enable_expensive_dchecks = false
 dcheck_is_configurable = false

src/base/allocator/partition_allocator/partition_alloc.gni

@@ -4,6 +4,56 @@
 
 import("//build_overrides/partition_alloc.gni")
 
+# -----------------------------------------------------------------------------
+# Note on the use of `xxx_default` variable in partition_alloc.
+#
+# GN provides default_args() instruction. It is meant to be used by embedders,
+# to override the default args declared by the embeddees (e.g. partition_alloc).
+# This is the intended way to use GN. It properly interacts with the args.gn
+# user's file.
+#
+# Unfortunately, Chrome and others embedders aren't using it. Instead, they
+# expect embeddees to import global '.gni' file from the embedder, e.g.
+# `//build_overrides/partition_alloc.gni`. This file sets some `xxx_default`
+# variable that will be transferred to the declared args. For instance
+# a library would use:
+# ```
+#     import("//build_overrides/library.gni")
+#     declare_args() {
+#       xxx = xxx_default
+#     }
+# ```
+#
+# We don't really want to break embedders when introducing new args. Ideally,
+# We would have liked to have defaults for default variables. That would be
+# a recursive problem. To resolve it, we sometimes use the `defined(...)`
+# instruction to check if the embedder has defined the `xxx_default` variable or
+# not.
+#
+# In general, we should aim to support the embedders that are using GN normally,
+# and avoid requiring them to define `xxx_default` in the `//build_overrides`
+# -----------------------------------------------------------------------------
+
+# Some embedders uses `is_debug`, it can be used to set the default value of
+# `partition_alloc_is_debug_default`.
+if (!defined(partition_alloc_is_debug_default)) {
+  if (defined(is_debug)) {
+    partition_alloc_is_debug_default = is_debug
+  } else {
+    partition_alloc_is_debug_default = false
+  }
+}
+
+# Some embedders uses `dcheck_always_on`, it can be used to set the default
+# value of `partition_alloc_dcheck_always_on_default`.
+if (!defined(partition_alloc_dcheck_always_on_default)) {
+  if (defined(dcheck_always_on)) {
+    partition_alloc_dcheck_always_on_default = dcheck_always_on
+  } else {
+    partition_alloc_dcheck_always_on_default = false
+  }
+}
+
 # PartitionAlloc have limited support for MSVC's cl.exe compiler. It can only
 # access the generate "buildflags" and the "raw_ptr" definitions implemented
 # with RawPtrNoOpImpl. Everything else is considered not supported.
@@ -28,8 +78,16 @@ if (is_nacl) {
   assert(false, "Unknown CPU: $current_cpu")
 }
 
-# Increases the size of the empty slot span ring.
+# Makes the number of empty slot spans that can remain committed larger in
-use_large_empty_slot_span_ring = is_mac
+# foreground mode compared to background mode
+# (see `PartitionRoot::AdjustFor(Background|Foreground)`).
+#
+# Foreground/background modes are used by default on macOS and Windows so this
+# must be true on these platforms. It's also true on other platforms to allow
+# experiments.
+#
+# TODO(crbug.com/329199197): Clean this up when experiments are complete.
+use_large_empty_slot_span_ring = true
 
 # Disables for Android ARM64 because it actually requires API 31+.
 # See partition_alloc/tagging.cc:
@@ -40,6 +98,12 @@ has_memory_tagging =
     current_cpu == "arm64" && is_clang && !is_asan && is_linux && current_os != "openwrt"
 
 declare_args() {
+  # Debug configuration.
+  partition_alloc_is_debug = partition_alloc_is_debug_default
+
+  # Enable PA_DCHECKs in PartitionAlloc in release mode.
+  partition_alloc_dcheck_always_on = partition_alloc_dcheck_always_on_default
+
   # Causes all the allocations to be routed via allocator_shim.cc. Usually,
   # the allocator shim will, in turn, route them to PartitionAlloc, but
   # other allocators are also supported by the allocator shim.
@@ -83,27 +147,57 @@ declare_args() {
                                   use_partition_alloc_as_malloc_default
 }
 
-assert(!use_allocator_shim || (is_android || is_apple || is_chromeos ||
+declare_args() {
-                                   is_fuchsia || is_linux || is_win),
+  # Whether PartitionAlloc dispatch can be replaced with another dispatch with
-       "The allocator shim does not (yet) support the platform.")
+  # some more safety checks at runtime or not.  When true, the allocator shim
+  # provides an extended API to swap PartitionAlloc.
+  enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support =
+      use_partition_alloc_as_malloc
+}
+
+declare_args() {
+  # This is a flag for binary experiment on iOS. When BRP for iOS is enabled,
+  # we see some un-actionable `DoubleFreeOrCorruptionDetected` crashes.
+  # This flag enables some extra `CHECK`s to get actionable crash reports.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  enable_ios_corruption_hardening = use_partition_alloc_as_malloc && is_ios &&
+                                    enable_ios_corruption_hardening_default
+}
+
+assert(
+    !enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support || use_partition_alloc_as_malloc,
+    "PartitionAlloc with advanced checks requires PartitionAlloc itself.")
+
+assert(!use_allocator_shim || !is_nacl,
+       "The allocator shim supports every platform, except nacl")
 
 if (use_allocator_shim && is_win) {
   # It's hard to override CRT's malloc family in every case in the component
   # build, and it's very easy to override it partially and to be inconsistent
   # among allocations and deallocations. Then, we'll crash when PA deallocates
   # a memory region allocated by the CRT's malloc or vice versa.
-  assert(!is_component_build,
+  # Since PartitionAlloc depends on libc++, it is difficult to link libc++.dll
-         "The allocator shim doesn't work for the component build on Windows.")
+  # with PartitionAlloc to replace its allocator with PartitionAlloc.
+  # If using libcxx_is_shared=true,
+  # a. since inline methods or inline functions defined in some libc++ headers,
+  #    e.g. vector, use new, malloc(), and so on, the memory allocation will
+  #    be done inside a client code.
+  # b. on the other hand, libc++.dll deallocates the memory allocated by the
+  #    inline methods or inline functions. It will not be run inside the client
+  #    code.
+  # So a.'s allocation is done by PartitionAlloc, but b.'s deallocation is
+  # done by system allocator. This will cause heap check failure (WinHeap
+  # doesn't know PartitionAlloc) and crash.
+  # If libcxx_is_shared=false, libc++ is a static library. All libc++ code
+  # will be run inside the client. The above issue will disappear.
+  assert(
+      !is_component_build || (!libcxx_is_shared && !partition_alloc_is_debug),
+      "The allocator shim for the Windows component build needs !libcxx_is_shared && !partition_alloc_is_debug.")
 }
 
 declare_args() {
   use_freeslot_bitmap = false
 
-  # Puts the regular and BRP pools right next to each other, so that we can
-  # check "belongs to one of the two pools" with a single bitmask operation.
-  # TODO(crbug.com/350104111): Fix ios-simulator failures to remove `!is_ios`.
-  glue_core_pools = use_partition_alloc_as_malloc && !is_ios
-
   # Introduces pointer compression support in PA. These are 4-byte
   # pointers that can point within the core pools (regular and BRP).
   #
@@ -125,6 +219,23 @@ declare_args() {
   # through malloc. Useful for using with tools that intercept malloc, e.g.
   # heaptrack.
   forward_through_malloc = false
+
+  # Enable reentrancy checks at `partition_alloc::internal::Lock`.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  enable_partition_lock_reentrancy_check = enable_ios_corruption_hardening
+
+  # This will write a fixed cookie pattern at the end of each allocation, and
+  # later verify the pattern remain unchanged to ensure there is no OOB write.
+  # It comes with performance and memory cost, hence enabled only in debug.
+  use_partition_cookie =
+      partition_alloc_is_debug || partition_alloc_dcheck_always_on ||
+      enable_ios_corruption_hardening
+
+  # This will change partition cookie size to 4B or 8B, whichever equivalent to
+  # size of InSlotMetadata. This option is useful for InSlotMetadata corruption
+  # investigation.
+  # TODO(crbug.com/371135823): Remove upon completion of investigation.
+  smaller_partition_cookie = enable_ios_corruption_hardening
 }
 
 declare_args() {
@@ -194,12 +305,21 @@ declare_args() {
   # Enable the feature flag required to activate backup ref pointers. That is to
   # say `PartitionAllocBackupRefPtr`.
   #
-  # This is meant to be used primarily on bots. It is much easier to override
+  # This is meant to be modified primarily on bots. It is much easier to
-  # the feature flags using a binary flag instead of updating multiple bots's
+  # override the feature flags using a binary flag instead of updating multiple
-  # scripts to pass command line arguments.
+  # bots's scripts to pass command line arguments.
   #
   # TODO(328104161): Remove this flag.
-  enable_backup_ref_ptr_feature_flag = false
+  enable_backup_ref_ptr_feature_flag =
+      enable_backup_ref_ptr_support && use_raw_ptr_backup_ref_impl &&
+      # Platforms where BackupRefPtr hasn't shipped yet:
+      !is_castos && !is_ios
+
+  # While keeping BRP support, override a feature flag to make it disabled
+  # state. This will overwrite `enable_backup_ref_ptr_feature_flag`.
+  # TODO(https://crbug.com/372183586): Fix the bug and remove this arg.
+  force_disable_backup_ref_ptr_feature =
+      enable_backup_ref_ptr_support && enable_ios_corruption_hardening
 
   # Build support for Dangling Ptr Detection (DPD) via BackupRefPtr (BRP),
   # making the raw_ptr<T> implementation to RawPtrBackupRefImpl if active.
@@ -217,9 +337,9 @@ declare_args() {
   # Enable the feature flag required to check for dangling pointers. That is to
   # say `PartitionAllocDanglingPtr`.
   #
-  # This is meant to be used primarily on bots. It is much easier to override
+  # This is meant to be modified primarily on bots. It is much easier to
-  # the feature flags using a binary flag instead of updating multiple bots's
+  # override the feature flags using a binary flag instead of updating multiple
-  # scripts to pass command line arguments.
+  # bots's scripts to pass command line arguments.
   #
   # TODO(328104161): Remove this flag.
   enable_dangling_raw_ptr_feature_flag = enable_dangling_raw_ptr_checks
@@ -233,7 +353,7 @@ declare_args() {
 declare_args() {
   # Shadow metadata is still under development and only supports Linux
   # for now.
-  enable_shadow_metadata = false
+  enable_shadow_metadata = is_linux && has_64_bit_pointers
 }
 
 declare_args() {
@@ -248,19 +368,28 @@ declare_args() {
 
 stack_scan_supported =
     current_cpu == "x64" || current_cpu == "x86" || current_cpu == "arm" ||
-    current_cpu == "arm64" || current_cpu == "riscv64"
+    current_cpu == "arm64" || current_cpu == "riscv64" || current_cpu == "loong64"
 
 # We want to provide assertions that guard against inconsistent build
 # args, but there is no point in having them fire if we're not building
 # PartitionAlloc at all. If `use_partition_alloc` is false, we jam all
 # related args to `false`.
 #
+# We also disable PA-Everywhere and PA-based features in two types of
+# toolchains:
+# - Toolchains that disable PA-Everywhere explicitly.
+# - The rust host build tools toochain, which builds DLLs to dlopen into the
+#   compiler for proc macros. We would want any allocations to use the same
+#   paths as the compiler.
+#
 # Do not clear the following, as they can function outside of PartitionAlloc
 # - has_64_bit_pointers
 # - has_memory_tagging
 if (!use_partition_alloc ||
     (defined(toolchain_allows_use_partition_alloc_as_malloc) &&
-     !toolchain_allows_use_partition_alloc_as_malloc)) {
+     !toolchain_allows_use_partition_alloc_as_malloc) ||
+    (defined(toolchain_for_rust_host_build_tools) &&
+     toolchain_for_rust_host_build_tools)) {
   use_partition_alloc_as_malloc = false
   glue_core_pools = false
   enable_backup_ref_ptr_support = false

src/base/allocator/partition_allocator/src/partition_alloc/BUILD.gn

@@ -29,16 +29,20 @@ record_alloc_info = false
 # GWP-ASan is tied to BRP's enablement.
 enable_gwp_asan_support = enable_backup_ref_ptr_support
 
-# Pools are a logical concept when address space is 32-bit.
-glue_core_pools = glue_core_pools && has_64_bit_pointers
-
 # Pointer compression requires 64-bit pointers.
 enable_pointer_compression =
     enable_pointer_compression_support && has_64_bit_pointers
 
 # Duplicates the setup Chromium uses to define `DCHECK_IS_ON()`, but avails it
 # as a buildflag.
-dchecks_are_on = is_debug || dcheck_always_on
+partition_alloc_dchecks_are_on =
+    partition_alloc_is_debug || partition_alloc_dcheck_always_on
+
+# Building PartitionAlloc for Windows component build.
+# Currently use build_with_chromium not to affect any third_party code,
+# but if any third_party code wants to use, remove build_with_chromium.
+use_partition_alloc_as_malloc_on_win_component_build =
+    build_with_chromium && is_win && is_component_build
 
 # TODO(crbug.com/40276913): Split PartitionAlloc into a public and
 # private parts. The public config would include add the "./include" dir and
@@ -77,6 +81,7 @@ config("dependants_extra_warnings") {
       "-Wduplicate-enum",
       "-Wextra-semi",
       "-Wextra-semi-stmt",
+      "-Widiomatic-parentheses",
       "-Wimplicit-fallthrough",
       "-Winconsistent-missing-destructor-override",
       "-Winvalid-offsetof",
@@ -118,12 +123,34 @@ source_set("buildflag_macro") {
   public_configs = [ ":public_includes" ]
 }
 
+# When developers are repeatedly growing a buffer with `realloc`, they are
+# expected to request a new size that is larger than the current size by
+# some growth factor. This growth factor allows to amortize the cost of
+# memcpy. Unfortunately, some nVidia drivers have a bug where they repeatedly
+# increase the buffer by 4144 byte only.
+#
+# In particular, most Skia Linux bots are using the affected nVidia driver. So
+# this flag is used as a workaround for Skia standalone, not in production.
+#
+# External link:
+#   https://forums.developer.nvidia.com/t/550-54-14-very-bad-performance-due-to-bunch-of-reallocations-during-glcore-initialization/287027
+#
+# Internal discussion at @chrome-memory-safety:
+#   https://groups.google.com/a/google.com/d/msgid/chrome-memory-safety/CAAzos5HrexY2njz2YzWrffTq1xEfkx15GVpSvHUyQED6wBSXvA%40mail.gmail.com?utm_medium=email&utm_source=footer
+declare_args() {
+  partition_alloc_realloc_growth_factor_mitigation = false
+}
+
 pa_buildflag_header("buildflags") {
   header = "buildflags.h"
   flags = [
     "ASSERT_CPP_20=$assert_cpp20",
     "BACKUP_REF_PTR_EXTRA_OOB_CHECKS=$backup_ref_ptr_extra_oob_checks",
     "BACKUP_REF_PTR_POISON_OOB_PTR=$backup_ref_ptr_poison_oob_ptr",
+    "CAN_UNWIND_WITH_FRAME_POINTERS=$can_unwind_with_frame_pointers",
+    "DCHECKS_ARE_ON=$partition_alloc_dchecks_are_on",
+    "DCHECK_IS_CONFIGURABLE=$dcheck_is_configurable",
+    "ENABLE_ALLOCATOR_SHIM_PARTITION_ALLOC_DISPATCH_WITH_ADVANCED_CHECKS_SUPPORT=$enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support",
     "ENABLE_BACKUP_REF_PTR_FEATURE_FLAG=$enable_backup_ref_ptr_feature_flag",
     "ENABLE_BACKUP_REF_PTR_INSTANCE_TRACER=$enable_backup_ref_ptr_instance_tracer",
     "ENABLE_BACKUP_REF_PTR_SLOW_CHECKS=$enable_backup_ref_ptr_slow_checks",
@@ -131,25 +158,30 @@ pa_buildflag_header("buildflags") {
     "ENABLE_DANGLING_RAW_PTR_CHECKS=$enable_dangling_raw_ptr_checks",
     "ENABLE_DANGLING_RAW_PTR_FEATURE_FLAG=$enable_dangling_raw_ptr_feature_flag",
     "ENABLE_GWP_ASAN_SUPPORT=$enable_gwp_asan_support",
+    "ENABLE_PARTITION_LOCK_REENTRANCY_CHECK=$enable_partition_lock_reentrancy_check",
     "ENABLE_PKEYS=$enable_pkeys",
     "ENABLE_POINTER_ARITHMETIC_TRAIT_CHECK=$enable_pointer_arithmetic_trait_check",
     "ENABLE_POINTER_COMPRESSION=$enable_pointer_compression",
     "ENABLE_POINTER_SUBTRACTION_CHECK=$enable_pointer_subtraction_check",
     "ENABLE_SHADOW_METADATA_FOR_64_BITS_POINTERS=$enable_shadow_metadata",
     "ENABLE_THREAD_ISOLATION=$enable_pkeys",
+    "EXPENSIVE_DCHECKS_ARE_ON=$enable_expensive_dchecks",
+    "FORCE_DISABLE_BACKUP_REF_PTR_FEATURE=$force_disable_backup_ref_ptr_feature",
     "FORCE_ENABLE_RAW_PTR_EXCLUSION=$force_enable_raw_ptr_exclusion",
     "FORWARD_THROUGH_MALLOC=$forward_through_malloc",
-    "GLUE_CORE_POOLS=$glue_core_pools",
     "HAS_64_BIT_POINTERS=$has_64_bit_pointers",
     "HAS_MEMORY_TAGGING=$has_memory_tagging",
+    "IS_ANDROID=$is_android",
     "IS_CASTOS=$is_castos",
     "IS_CAST_ANDROID=$is_cast_android",
     "IS_CHROMEOS=$is_chromeos",
-    "IS_DEBUG=$is_debug",
+    "IS_DEBUG=$partition_alloc_is_debug",
     "RAW_PTR_ZERO_ON_CONSTRUCT=$raw_ptr_zero_on_construct",
     "RAW_PTR_ZERO_ON_DESTRUCT=$raw_ptr_zero_on_destruct",
     "RAW_PTR_ZERO_ON_MOVE=$raw_ptr_zero_on_move",
+    "REALLOC_GROWTH_FACTOR_MITIGATION=$partition_alloc_realloc_growth_factor_mitigation",
     "RECORD_ALLOC_INFO=$record_alloc_info",
+    "SMALLER_PARTITION_COOKIE=$smaller_partition_cookie",
     "STACK_SCAN_SUPPORTED=$stack_scan_supported",
     "USE_ALLOCATOR_SHIM=$use_allocator_shim",
     "USE_ASAN_BACKUP_REF_PTR=$use_asan_backup_ref_ptr",
@@ -159,13 +191,10 @@ pa_buildflag_header("buildflags") {
     "USE_LARGE_EMPTY_SLOT_SPAN_RING=$use_large_empty_slot_span_ring",
     "USE_PARTITION_ALLOC=$use_partition_alloc",
     "USE_PARTITION_ALLOC_AS_MALLOC=$use_partition_alloc_as_malloc",
+    "USE_PARTITION_COOKIE=$use_partition_cookie",
     "USE_RAW_PTR_ASAN_UNOWNED_IMPL=$use_raw_ptr_asan_unowned_impl",
     "USE_RAW_PTR_BACKUP_REF_IMPL=$use_raw_ptr_backup_ref_impl",
     "USE_RAW_PTR_HOOKABLE_IMPL=$use_raw_ptr_hookable_impl",
-    "DCHECKS_ARE_ON=$dchecks_are_on",
-    "EXPENSIVE_DCHECKS_ARE_ON=$enable_expensive_dchecks",
-    "DCHECK_IS_CONFIGURABLE=$dcheck_is_configurable",
-    "CAN_UNWIND_WITH_FRAME_POINTERS=$can_unwind_with_frame_pointers",
   ]
 }
 
@@ -225,11 +254,13 @@ component("raw_ptr") {
     sources += [ "pointers/raw_ptr_noop_impl.h" ]
     sources += [ "pointers/empty.cc" ]
   }
-  public_deps = [ ":build_config" ]
+  public_deps = [
+    ":build_config",
+    ":buildflags",
+  ]
   if (use_partition_alloc) {
     public_deps += [ ":partition_alloc" ]
   }
-  deps = [ ":buildflags" ]
 
   # See also: `partition_alloc_base/component_export.h`
   defines = [ "IS_RAW_PTR_IMPL" ]
@@ -319,7 +350,7 @@ if (is_clang_or_gcc) {
     }
   }
 
-  if (enable_pkeys && is_debug) {
+  if (enable_pkeys && partition_alloc_is_debug) {
     config("no_stack_protector") {
       cflags = [ "-fno-stack-protector" ]
     }
@@ -330,12 +361,40 @@ if (is_clang_or_gcc) {
       ":allocator_base",
       ":allocator_core",
       ":allocator_shim",
+      ":buildflags",
     ]
   }
 
+  if (is_win && is_component_build) {
+    group("win_component_build_adapter") {
+      # Currently guard this target by using build_with_chromium to avoid
+      # any issues on third_party build. But if any third_party code wants to
+      # use allocator_shim for its own component build, we will remove this
+      # guard.
+      if (build_with_chromium) {
+        if (use_allocator_shim) {
+          public_deps = [
+            ":allocator_base",
+            ":allocator_shim",
+          ]
+        }
+      }
+      # If not with chromium, currently do nothing.
+    }
+  }
+
   component("allocator_core") {
     visibility = [ ":*" ]
 
+    if (use_partition_alloc_as_malloc_on_win_component_build) {
+      # Since common_deps defined in //build/config/BUILD.gn depends on
+      # PartitionAlloc for PartitionAlloc-Everywhere, we need no_default_deps
+      # here, because default deps includes common_deps dependency.
+      # Without no_defaults_deps=true, we will see cyclic deps:
+      # common_deps=>PartitionAlloc=>common_deps
+      no_default_deps = true
+    }
+
     sources = [
       "aarch64_support.h",
       "address_pool_manager.cc",
@@ -388,6 +447,7 @@ if (is_clang_or_gcc) {
       "partition_bucket.cc",
       "partition_bucket.h",
       "partition_bucket_lookup.h",
+      "partition_cookie.cc",
       "partition_cookie.h",
       "partition_dcheck_helper.cc",
       "partition_dcheck_helper.h",
@@ -402,6 +462,7 @@ if (is_clang_or_gcc) {
       "partition_page_constants.h",
       "partition_root.cc",
       "partition_root.h",
+      "partition_shared_mutex.h",
       "partition_stats.cc",
       "partition_stats.h",
       "partition_superpage_extent_entry.h",
@@ -460,6 +521,9 @@ if (is_clang_or_gcc) {
     } else if (current_cpu == "riscv64") {
       assert(stack_scan_supported)
       sources += [ "stack/asm/riscv64/push_registers_asm.cc" ]
+    } else if (current_cpu == "loong64") {
+      assert(stack_scan_supported)
+      sources += [ "stack/asm/loong64/push_registers_asm.cc" ]
     } else {
       # To support a trampoline for another arch, please refer to v8/src/heap/base.
       assert(!stack_scan_supported)
@@ -484,6 +548,12 @@ if (is_clang_or_gcc) {
       ":wexit_time_destructors",
     ]
     deps = [ ":allocator_base" ]
+    if (use_partition_alloc_as_malloc_on_win_component_build) {
+      # We need to add explicit libc++ dependency here because of
+      # no_default_deps=true.
+      deps += [ "//buildtools/third_party/libc++:libc++" ]
+    }
+
     public_configs = []
     if (is_fuchsia) {
       deps += [
@@ -520,13 +590,21 @@ if (is_clang_or_gcc) {
 
     # We want to be able to test pkey mode without access to the default pkey.
     # This is incompatible with stack protectors since the TLS won't be pkey-tagged.
-    if (enable_pkeys && is_debug) {
+    if (enable_pkeys && partition_alloc_is_debug) {
       configs += [ ":no_stack_protector" ]
     }
   }
 
   component("allocator_base") {
     visibility = [ ":*" ]
+    if (use_partition_alloc_as_malloc_on_win_component_build) {
+      # Since common_deps defined in //build/config/BUILD.gn depends on
+      # PartitionAlloc for PartitionAlloc-Everywhere, we need no_default_deps
+      # here, because default deps includes common_deps dependency.
+      # Without no_defaults_deps=true, we will see cyclic deps:
+      # common_deps=>PartitionAlloc=>common_deps
+      no_default_deps = true
+    }
 
     sources = [
       "partition_alloc_base/atomic_ref_count.h",
@@ -545,6 +623,7 @@ if (is_clang_or_gcc) {
       "partition_alloc_base/debug/stack_trace.cc",
       "partition_alloc_base/debug/stack_trace.h",
       "partition_alloc_base/export_template.h",
+      "partition_alloc_base/files/platform_file.h",
       "partition_alloc_base/immediate_crash.h",
       "partition_alloc_base/log_message.cc",
       "partition_alloc_base/log_message.h",
@@ -590,11 +669,13 @@ if (is_clang_or_gcc) {
       "partition_alloc_base/time/time.h",
       "partition_alloc_base/time/time_override.cc",
       "partition_alloc_base/time/time_override.h",
+      "partition_alloc_base/types/same_as_any.h",
       "partition_alloc_base/types/strong_alias.h",
       "partition_alloc_base/win/win_handle_types.h",
       "partition_alloc_base/win/win_handle_types_list.inc",
       "partition_alloc_base/win/windows_types.h",
     ]
+    libs = []
 
     if (is_win) {
       sources += [
@@ -606,6 +687,9 @@ if (is_clang_or_gcc) {
         "partition_alloc_base/threading/platform_thread_win.cc",
         "partition_alloc_base/time/time_win.cc",
       ]
+      libs += [
+        "winmm.lib",  # For timeGetTime.
+      ]
     }
 
     if (is_posix) {
@@ -706,6 +790,11 @@ if (is_clang_or_gcc) {
     ]
 
     deps = []
+    if (use_partition_alloc_as_malloc_on_win_component_build) {
+      # We need to add explicit libc++ dependency here because of
+      # no_default_deps=true.
+      deps += [ "//buildtools/third_party/libc++:libc++" ]
+    }
     if (is_fuchsia) {
       public_deps += [ "//third_party/fuchsia-sdk/sdk/pkg/fit" ]
     }
@@ -724,8 +813,6 @@ if (is_clang_or_gcc) {
   }
 
   component("allocator_shim") {
-    visibility = [ ":*" ]
-
     sources = []
     deps = []
     all_dependent_configs = []
@@ -761,6 +848,10 @@ if (is_clang_or_gcc) {
       shim_headers +=
           [ "shim/allocator_shim_default_dispatch_to_partition_alloc.h" ]
     }
+    if (enable_allocator_shim_partition_alloc_dispatch_with_advanced_checks_support) {
+      shim_sources += [ "shim/allocator_shim_default_dispatch_to_partition_alloc_with_advanced_checks.cc" ]
+      shim_headers += [ "shim/allocator_shim_default_dispatch_to_partition_alloc_with_advanced_checks.h" ]
+    }
     if (is_android) {
       shim_headers += [
         "shim/allocator_shim_override_cpp_symbols.h",
@@ -947,7 +1038,7 @@ if (build_with_chromium) {
       ]
     }
 
-    if (enable_pkeys && is_debug && !is_component_build) {
+    if (enable_pkeys && partition_alloc_is_debug && !is_component_build) {
       # This test requires RELRO, which is not enabled in component builds.
       # Also, require a debug build, since we only disable stack protectors in
       # debug builds in PartitionAlloc (see below why it's needed).

src/base/allocator/partition_allocator/src/partition_alloc/address_pool_manager.cc

@@ -26,7 +26,7 @@
 
 namespace partition_alloc::internal {
 
-AddressPoolManager AddressPoolManager::singleton_;
+PA_CONSTINIT AddressPoolManager AddressPoolManager::singleton_;
 
 // static
 AddressPoolManager& AddressPoolManager::GetInstance() {
@@ -556,7 +556,7 @@ void AddressPoolManager::DumpStats(AddressSpaceStatsDumper* dumper) {
 
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
 // This function just exists to static_assert the layout of the private fields
-// in Pool.
+// in Pool. It is never called.
 void AddressPoolManager::AssertThreadIsolatedLayout() {
   constexpr size_t last_pool_offset =
       offsetof(AddressPoolManager, pools_) + sizeof(Pool) * (kNumPools - 1);

src/base/allocator/partition_allocator/src/partition_alloc/address_pool_manager.h

@@ -113,6 +113,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC)
   bool GetStats(AddressSpaceStats* stats);
 
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
+  // This function just exists to static_assert the layout of the private fields
+  // in Pool. It is never called.
   static void AssertThreadIsolatedLayout();
 #endif  // PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
 
@@ -200,7 +202,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC)
 
 #endif  // PA_BUILDFLAG(HAS_64_BIT_POINTERS)
 
-  static PA_CONSTINIT AddressPoolManager singleton_;
+  PA_CONSTINIT static AddressPoolManager singleton_;
 };
 
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/address_space_randomization.h

@@ -292,7 +292,7 @@ AslrMask(uintptr_t bits) {
 
 #endif  // PA_BUILDFLAG(PA_ARCH_CPU_32_BITS)
 
-    // clang-format on
+// clang-format on
 
 }  // namespace internal
 

src/base/allocator/partition_allocator/src/partition_alloc/allocation_guard.cc

@@ -3,6 +3,7 @@
 // found in the LICENSE file.
 
 #include "partition_alloc/allocation_guard.h"
+
 #include "partition_alloc/partition_alloc_base/immediate_crash.h"
 #include "partition_alloc/partition_alloc_config.h"
 

src/base/allocator/partition_allocator/src/partition_alloc/build_config.h

@@ -16,9 +16,8 @@
 // This files contains the following definition:
 //
 // Operating system:
-//   IS_IOS / IS_AIX / IS_ANDROID / IS_ASMJS / IS_FREEBSD / IS_FUCHSIA /
+//   IS_IOS / IS_AIX / IS_ASMJS / IS_FREEBSD / IS_FUCHSIA / IS_LINUX / IS_MAC /
-//   IS_LINUX / IS_MAC / IS_NACL / IS_NETBSD / IS_OPENBSD / IS_QNX /
+//   IS_NACL / IS_NETBSD / IS_OPENBSD / IS_QNX / IS_SOLARIS / IS_WIN
-//   IS_SOLARIS / IS_WIN
 //
 // Operating system family:
 //   IS_APPLE / IS_BSD / IS_POSIX
@@ -59,8 +58,14 @@
 #if defined(__native_client__)
 // __native_client__ must be first, so that other IS_ defines are not set.
 #define PA_IS_NACL
-#elif defined(ANDROID)
+#elif PA_BUILDFLAG(IS_ANDROID)
-#define PA_IS_ANDROID
+// The IS_ANDROID PA_BUILDFLAG macro is defined in buildflags.h.
+//
+// PartitionAlloc's embedders (Chromium, Dawn, Pdfium, Skia) define different
+// macros for Android builds: "ANDROID" or "SK_BUILD_FOR_ANDROID".
+//
+// To avoid relying on these external definitions, PartitionAlloc uses its own
+// dedicated build flag.
 #elif defined(__APPLE__)
 // Only include TargetConditionals after testing ANDROID as some Android builds
 // on the Mac have this header available and it's not needed unless the target
@@ -74,7 +79,7 @@
 #elif defined(__linux__)
 #if !PA_BUILDFLAG(IS_CHROMEOS)
 // Do not define PA_IS_LINUX on Chrome OS build.
-// The IS_CHROMEOS PA_BUILDFLAG macro is defined in chromeos_buildflags.h.
+// The IS_CHROMEOS PA_BUILDFLAG macro is defined in buildflags.h.
 #define PA_IS_LINUX
 #endif  // !PA_BUILDFLAG(IS_CHROMEOS)
 // Include a system header to pull in features.h for glibc/uclibc macros.
@@ -114,11 +119,11 @@
 #define PA_IS_BSD
 #endif
 
-#if defined(PA_IS_AIX) || defined(PA_IS_ANDROID) || defined(PA_IS_ASMJS) ||  \
+#if defined(PA_IS_AIX) || defined(PA_IS_ASMJS) || defined(PA_IS_FREEBSD) ||   \
-    defined(PA_IS_FREEBSD) || defined(PA_IS_IOS) || defined(PA_IS_LINUX) ||  \
+    defined(PA_IS_IOS) || defined(PA_IS_LINUX) || defined(PA_IS_CHROMEOS) ||  \
-    defined(PA_IS_CHROMEOS) || defined(PA_IS_MAC) || defined(PA_IS_NACL) ||  \
+    defined(PA_IS_MAC) || defined(PA_IS_NACL) || defined(PA_IS_NETBSD) ||     \
-    defined(PA_IS_NETBSD) || defined(PA_IS_OPENBSD) || defined(PA_IS_QNX) || \
+    defined(PA_IS_OPENBSD) || defined(PA_IS_QNX) || defined(PA_IS_SOLARIS) || \
-    defined(PA_IS_SOLARIS) || PA_BUILDFLAG(IS_CHROMEOS)
+    PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_CHROMEOS)
 #define PA_IS_POSIX
 #endif
 
@@ -388,13 +393,6 @@
 #endif
 #undef PA_IS_AIX
 
-#if defined(PA_IS_ANDROID)
-#define PA_BUILDFLAG_INTERNAL_IS_ANDROID() (1)
-#else
-#define PA_BUILDFLAG_INTERNAL_IS_ANDROID() (0)
-#endif
-#undef PA_IS_ANDROID
-
 #if defined(PA_IS_APPLE)
 #define PA_BUILDFLAG_INTERNAL_IS_APPLE() (1)
 #else

src/base/allocator/partition_allocator/src/partition_alloc/compressed_pointer.h

@@ -102,11 +102,11 @@ class CompressedPointerBaseGlobal final {
   static constexpr uintptr_t kUsefulBitsMask =
       PartitionAddressSpace::CorePoolsSize() - 1;
 
-  static union alignas(kPartitionCachelineSize)
+  PA_CONSTINIT static union alignas(kPartitionCachelineSize)
       PA_COMPONENT_EXPORT(PARTITION_ALLOC) Base {
     uintptr_t base;
     char cache_line[kPartitionCachelineSize];
-  } g_base_ PA_CONSTINIT;
+  } g_base_;
 
   PA_ALWAYS_INLINE static bool IsBaseConsistent() {
     return kUsefulBitsMask == (g_base_.base & kUsefulBitsMask);

src/base/allocator/partition_allocator/src/partition_alloc/encoded_next_freelist.h

@@ -180,9 +180,9 @@ class EncodedNextFreelistEntry {
     // Regular freelists always point to an entry within the same super page.
     //
     // This is most likely a PartitionAlloc bug if this triggers.
-    if (PA_UNLIKELY(entry &&
+    if (entry && (SlotStartPtr2Addr(this) & kSuperPageBaseMask) !=
-                    (SlotStartPtr2Addr(this) & kSuperPageBaseMask) !=
+                     (SlotStartPtr2Addr(entry) & kSuperPageBaseMask))
-                        (SlotStartPtr2Addr(entry) & kSuperPageBaseMask))) {
+        [[unlikely]] {
       FreelistCorruptionDetected(0);
     }
 #endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
@@ -220,7 +220,7 @@ class EncodedNextFreelistEntry {
     }
 
     auto* ret = encoded_next_.Decode();
-    if (PA_UNLIKELY(!IsWellFormed<for_thread_cache>(this, ret))) {
+    if (!IsWellFormed<for_thread_cache>(this, ret)) [[unlikely]] {
       if constexpr (crash_on_corruption) {
         // Put the corrupted data on the stack, it may give us more information
         // about what kind of corruption that was.

src/base/allocator/partition_allocator/src/partition_alloc/extended_api.cc

@@ -77,7 +77,17 @@ ThreadCacheProcessScopeForTesting::ThreadCacheProcessScopeForTesting(
     // Replace ThreadCache's PartitionRoot.
     ThreadCache::SwapForTesting(root_);
   } else {
-    if (!regular_was_enabled_) {
+    bool regular_was_disabled = !regular_was_enabled_;
+#if PA_BUILDFLAG(IS_WIN)
+    // ThreadCache may be tombstone because of the previous test. In the
+    // case, we have to remove tombstone and re-create ThreadCache for
+    // a new test.
+    if (ThreadCache::IsTombstone(ThreadCache::Get())) {
+      ThreadCache::RemoveTombstoneForTesting();
+      regular_was_disabled = true;
+    }
+#endif
+    if (regular_was_disabled) {
       EnablePartitionAllocThreadCacheForRootIfDisabled(root_);
       ThreadCache::SwapForTesting(root_);
     }
@@ -89,6 +99,7 @@ ThreadCacheProcessScopeForTesting::ThreadCacheProcessScopeForTesting(
 #endif  // PA_BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
   PA_CHECK(ThreadCache::Get());
+  PA_CHECK(!ThreadCache::IsTombstone(ThreadCache::Get()));
 }
 
 ThreadCacheProcessScopeForTesting::~ThreadCacheProcessScopeForTesting() {

src/base/allocator/partition_allocator/src/partition_alloc/flags.h

@@ -46,12 +46,6 @@ constexpr inline IfEnum<EnumType, bool> ContainsFlags(EnumType superset,
   return (superset & subset) == subset;
 }
 
-// Removes flags `target` from `from`.
-template <typename EnumType>
-constexpr inline IfEnum<EnumType> RemoveFlags(EnumType from, EnumType target) {
-  return from & ~target;
-}
-
 // A macro to define binary arithmetic over `EnumType`.
 // Use inside `namespace partition_alloc::internal`.
 #define PA_DEFINE_OPERATORS_FOR_FLAGS(EnumType)                              \

src/base/allocator/partition_allocator/src/partition_alloc/gwp_asan_support.cc

@@ -42,8 +42,7 @@ void* GwpAsanSupport::MapRegion(size_t slot_count,
 
   const size_t kSuperPagePayloadStartOffset =
       internal::SuperPagePayloadStartOffset(
-          /* is_managed_by_normal_buckets = */ true,
+          /* is_managed_by_normal_buckets = */ true);
-          /* with_quarantine = */ false);
   PA_CHECK(kSuperPagePayloadStartOffset % kSlotSize == 0);
   const size_t kSuperPageGwpAsanSlotAreaBeginOffset =
       kSuperPagePayloadStartOffset;
@@ -94,15 +93,16 @@ void* GwpAsanSupport::MapRegion(size_t slot_count,
            partition_page_idx += bucket->get_pages_per_slot_span()) {
         auto* slot_span_metadata =
             &page_metadata[partition_page_idx].slot_span_metadata;
-        bucket->InitializeSlotSpanForGwpAsan(slot_span_metadata);
+        bucket->InitializeSlotSpanForGwpAsan(slot_span_metadata, root.get());
         auto slot_span_start =
-            internal::SlotSpanMetadata::ToSlotSpanStart(slot_span_metadata);
+            internal::SlotSpanMetadata<internal::MetadataKind::kReadOnly>::
+                ToSlotSpanStart(slot_span_metadata);
 
         for (uintptr_t slot_idx = 0; slot_idx < kSlotsPerSlotSpan; ++slot_idx) {
           auto slot_start = slot_span_start + slot_idx * kSlotSize;
           PartitionRoot::InSlotMetadataPointerFromSlotStartAndSize(slot_start,
                                                                    kSlotSize)
-              ->InitalizeForGwpAsan();
+              ->InitializeForGwpAsan();
           size_t global_slot_idx = (slot_start - super_page_span_start -
                                     kSuperPageGwpAsanSlotAreaBeginOffset) /
                                    kSlotSize;

src/base/allocator/partition_allocator/src/partition_alloc/in_slot_metadata.h

@@ -46,7 +46,6 @@ PA_ALWAYS_INLINE constexpr size_t AlignUpInSlotMetadataSizeForApple(
 
 #if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
 
-namespace {
 // Utility functions to define a bit field.
 template <typename CountType>
 static constexpr CountType SafeShift(CountType lhs, int rhs) {
@@ -64,7 +63,6 @@ struct BitField {
            ~(SafeShift<CountType>(1, lo) - 1);
   }
 };
-}  // namespace
 
 // Special-purpose atomic bit field class mainly used by RawPtrBackupRefImpl.
 // Formerly known as `PartitionRefCount`, but renamed to support usage that is
@@ -215,8 +213,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
 
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
     // If a dangling raw_ptr<> was detected, report it.
-    if (PA_UNLIKELY((old_count & kDanglingRawPtrDetectedBit) ==
+    if ((old_count & kDanglingRawPtrDetectedBit) == kDanglingRawPtrDetectedBit)
-                    kDanglingRawPtrDetectedBit)) {
+        [[unlikely]] {
       partition_alloc::internal::DanglingRawPtrReleased(
           reinterpret_cast<uintptr_t>(this));
     }
@@ -264,13 +262,13 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
     // detection mechanism isn't perfect, because in-slot-metadata can be
     // overwritten by the freelist pointer (or its shadow) for very small slots,
     // thus masking the error away.
-    if (PA_UNLIKELY(!(old_count & kMemoryHeldByAllocatorBit))) {
+    if (!(old_count & kMemoryHeldByAllocatorBit)) [[unlikely]] {
       DoubleFreeOrCorruptionDetected(old_count);
     }
 
     // Release memory when no raw_ptr<> exists anymore:
     static constexpr CountType mask = kPtrCountMask | kUnprotectedPtrCountMask;
-    if (PA_LIKELY((old_count & mask) == 0)) {
+    if ((old_count & mask) == 0) [[likely]] {
       std::atomic_thread_fence(std::memory_order_acquire);
       // The allocation is about to get freed, so clear the cookie.
       ClearCookieIfSupported();
@@ -317,6 +315,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
 
   // Request to quarantine this allocation. The request might be ignored if
   // the allocation is already freed.
+  // TODO(crbug.com/329027914) This is an unused function. Start using it in
+  // tests and/or in production code.
   PA_ALWAYS_INLINE void SetQuarantineRequest() {
     CountType old_count =
         count_.fetch_or(kRequestQuarantineBit, std::memory_order_relaxed);
@@ -325,6 +325,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
   }
 
   // Get and clear out quarantine request.
+  // TODO(crbug.com/329027914) This is an unused function. Start using it in
+  // tests and/or in production code.
   PA_ALWAYS_INLINE bool PopQuarantineRequest() {
     CountType old_count =
         count_.fetch_and(~kRequestQuarantineBit, std::memory_order_acq_rel);
@@ -337,7 +339,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
   // make sure the `raw_ptr<T>` release operation will never attempt to call the
   // PA `free` on such a slot. GWP-ASan takes the extra reference into account
   // when determining whether the slot can be reused.
-  PA_ALWAYS_INLINE void InitalizeForGwpAsan() {
+  PA_ALWAYS_INLINE void InitializeForGwpAsan() {
 #if PA_CONFIG(IN_SLOT_METADATA_CHECK_COOKIE)
     brp_cookie_ = CalculateCookie();
 #endif
@@ -369,7 +371,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
 #if PA_BUILDFLAG(ENABLE_DANGLING_RAW_PTR_CHECKS)
     // The `kPtrCountMask` counts the number of raw_ptr<T>. It is expected to be
     // zero when there are no unexpected dangling pointers.
-    if (PA_LIKELY((count & kPtrCountMask) == 0)) {
+    if ((count & kPtrCountMask) == 0) [[likely]] {
       return;
     }
 
@@ -404,9 +406,9 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) InSlotMetadata {
     // - A raw_ptr<T, DisableDanglingPtrDetection>
     //
     // Assuming this raw_ptr is not dangling, the memory must still be held at
-    // least by the allocator, so this is PA_LIKELY true.
+    // least by the allocator, so this is `[[likely]]`.
-    if (PA_LIKELY((count & (kMemoryHeldByAllocatorBit | kPtrCountMask |
+    if ((count & (kMemoryHeldByAllocatorBit | kPtrCountMask |
-                            kUnprotectedPtrCountMask)))) {
+                  kUnprotectedPtrCountMask))) [[likely]] {
       return false;  // Do not release the memory.
     }
 
@@ -542,7 +544,7 @@ PA_ALWAYS_INLINE InSlotMetadata* InSlotMetadataPointer(uintptr_t slot_start,
   // the InSlotMetadata object out-of-line in this case, specifically in a
   // special table after the super page metadata (see InSlotMetadataTable in
   // partition_alloc_constants.h).
-  if (PA_LIKELY(slot_start & SystemPageOffsetMask())) {
+  if (slot_start & SystemPageOffsetMask()) [[likely]] {
     uintptr_t refcount_address =
         slot_start + slot_size - sizeof(InSlotMetadata);
 #if PA_BUILDFLAG(DCHECKS_ARE_ON) || \

src/base/allocator/partition_allocator/src/partition_alloc/internal_allocator.cc

@@ -7,7 +7,7 @@
 namespace partition_alloc::internal {
 PA_COMPONENT_EXPORT(PARTITION_ALLOC)
 PartitionRoot& InternalAllocatorRoot() {
-  static internal::base::NoDestructor<PartitionRoot> allocator([]() {
+  static internal::base::NoDestructor<PartitionRoot> allocator([] {
     // Disable features using the internal root to avoid reentrancy issue.
     PartitionOptions opts;
     opts.thread_cache = PartitionOptions::kDisabled;
@@ -37,8 +37,4 @@ void InternalPartitionAllocated::operator delete(void* ptr, std::align_val_t) {
   InternalAllocatorRoot().Free<FreeFlags::kNoHooks>(ptr);
 }
 
-// A deleter for `std::unique_ptr<T>`.
-void InternalPartitionDeleter::operator()(void* ptr) const {
-  InternalAllocatorRoot().Free<FreeFlags::kNoHooks>(ptr);
-}
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/internal_allocator_forward.h

@@ -71,8 +71,9 @@ template <typename T>
 void DestroyAtInternalPartition(T* ptr);
 
 // A deleter for `std::unique_ptr<T>`.
-struct PA_COMPONENT_EXPORT(PARTITION_ALLOC) InternalPartitionDeleter final {
+template <typename T>
-  void operator()(void* ptr) const;
+struct InternalPartitionDeleter final {
+  void operator()(T* ptr) const { DestroyAtInternalPartition(ptr); }
 };
 
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/lightweight_quarantine.cc

@@ -9,19 +9,51 @@
 #include "partition_alloc/partition_root.h"
 
 namespace partition_alloc::internal {
-namespace {
 
-// An utility to lock only if a condition is met.
+// Utility classes to lock only if a condition is met.
-class PA_SCOPED_LOCKABLE ConditionalScopedGuard {
+
+template <>
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::CompileTimeConditionalScopedGuard<
+        LightweightQuarantineBranch::LockRequired::kNotRequired> {
  public:
-  PA_ALWAYS_INLINE ConditionalScopedGuard(bool condition, Lock& lock)
+  PA_ALWAYS_INLINE explicit CompileTimeConditionalScopedGuard(Lock& lock)
+      PA_EXCLUSIVE_LOCK_FUNCTION(lock) {}
+  // For some reason, defaulting this causes a thread safety annotation failure.
+  PA_ALWAYS_INLINE
+  ~CompileTimeConditionalScopedGuard()  // NOLINT(modernize-use-equals-default)
+      PA_UNLOCK_FUNCTION() {}
+};
+
+template <>
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::CompileTimeConditionalScopedGuard<
+        LightweightQuarantineBranch::LockRequired::kRequired> {
+ public:
+  PA_ALWAYS_INLINE explicit CompileTimeConditionalScopedGuard(Lock& lock)
+      PA_EXCLUSIVE_LOCK_FUNCTION(lock)
+      : lock_(lock) {
+    lock_.Acquire();
+  }
+  PA_ALWAYS_INLINE ~CompileTimeConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
+    lock_.Release();
+  }
+
+ private:
+  Lock& lock_;
+};
+
+class PA_SCOPED_LOCKABLE
+    LightweightQuarantineBranch::RuntimeConditionalScopedGuard {
+ public:
+  PA_ALWAYS_INLINE RuntimeConditionalScopedGuard(bool condition, Lock& lock)
       PA_EXCLUSIVE_LOCK_FUNCTION(lock)
       : condition_(condition), lock_(lock) {
     if (condition_) {
       lock_.Acquire();
     }
   }
-  PA_ALWAYS_INLINE ~ConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
+  PA_ALWAYS_INLINE ~RuntimeConditionalScopedGuard() PA_UNLOCK_FUNCTION() {
     if (condition_) {
       lock_.Release();
     }
@@ -32,8 +64,6 @@ class PA_SCOPED_LOCKABLE ConditionalScopedGuard {
   Lock& lock_;
 };
 
-}  // namespace
-
 LightweightQuarantineBranch LightweightQuarantineRoot::CreateBranch(
     const LightweightQuarantineBranchConfig& config) {
   return LightweightQuarantineBranch(*this, config);
@@ -44,7 +74,12 @@ LightweightQuarantineBranch::LightweightQuarantineBranch(
     const LightweightQuarantineBranchConfig& config)
     : root_(root),
       lock_required_(config.lock_required),
-      branch_capacity_in_bytes_(config.branch_capacity_in_bytes) {}
+      branch_capacity_in_bytes_(config.branch_capacity_in_bytes) {
+  if (lock_required_) {
+    to_be_freed_working_memory_ =
+        ConstructAtInternalPartition<ToBeFreedArray>();
+  }
+}
 
 LightweightQuarantineBranch::LightweightQuarantineBranch(
     LightweightQuarantineBranch&& b)
@@ -55,57 +90,23 @@ LightweightQuarantineBranch::LightweightQuarantineBranch(
       branch_capacity_in_bytes_(
           b.branch_capacity_in_bytes_.load(std::memory_order_relaxed)) {
   b.branch_size_in_bytes_ = 0;
+  if (lock_required_) {
+    to_be_freed_working_memory_.store(b.to_be_freed_working_memory_.exchange(
+                                          nullptr, std::memory_order_relaxed),
+                                      std::memory_order_relaxed);
+  }
 }
 
 LightweightQuarantineBranch::~LightweightQuarantineBranch() {
   Purge();
-  slots_.clear();
+  if (lock_required_) {
-}
+    DestroyAtInternalPartition(to_be_freed_working_memory_.exchange(
-
+        nullptr, std::memory_order_relaxed));
-bool LightweightQuarantineBranch::Quarantine(void* object,
-                                             SlotSpanMetadata* slot_span,
-                                             uintptr_t slot_start,
-                                             size_t usable_size) {
-  PA_DCHECK(usable_size == root_.allocator_root_.GetSlotUsableSize(slot_span));
-
-  const size_t capacity_in_bytes =
-      branch_capacity_in_bytes_.load(std::memory_order_relaxed);
-
-  {
-    ConditionalScopedGuard guard(lock_required_, lock_);
-
-    if (capacity_in_bytes < usable_size) {
-      // Even if this branch dequarantines all entries held by it, this entry
-      // cannot fit within the capacity.
-      root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
-      root_.quarantine_miss_count_.fetch_add(1u, std::memory_order_relaxed);
-      return false;
-    }
-
-    // Dequarantine some entries as required.
-    PurgeInternal(capacity_in_bytes - usable_size);
-
-    // Put the entry onto the list.
-    branch_size_in_bytes_ += usable_size;
-    slots_.push_back({slot_start, usable_size});
-
-    // Swap randomly so that the quarantine list remain shuffled.
-    // This is not uniformly random, but sufficiently random.
-    const size_t random_index = random_.RandUint32() % slots_.size();
-    std::swap(slots_[random_index], slots_.back());
   }
-
-  // Update stats (not locked).
-  root_.count_.fetch_add(1, std::memory_order_relaxed);
-  root_.size_in_bytes_.fetch_add(usable_size, std::memory_order_relaxed);
-  root_.cumulative_count_.fetch_add(1, std::memory_order_relaxed);
-  root_.cumulative_size_in_bytes_.fetch_add(usable_size,
-                                            std::memory_order_relaxed);
-  return true;
 }
 
 bool LightweightQuarantineBranch::IsQuarantinedForTesting(void* object) {
-  ConditionalScopedGuard guard(lock_required_, lock_);
+  RuntimeConditionalScopedGuard guard(lock_required_, lock_);
   uintptr_t slot_start =
       root_.allocator_root_.ObjectToSlotStartUnchecked(object);
   for (const auto& slot : slots_) {
@@ -121,26 +122,139 @@ void LightweightQuarantineBranch::SetCapacityInBytes(size_t capacity_in_bytes) {
 }
 
 void LightweightQuarantineBranch::Purge() {
-  ConditionalScopedGuard guard(lock_required_, lock_);
+  RuntimeConditionalScopedGuard guard(lock_required_, lock_);
   PurgeInternal(0);
   slots_.shrink_to_fit();
 }
 
+template <LightweightQuarantineBranch::LockRequired lock_required>
+bool LightweightQuarantineBranch::QuarantineInternal(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size) {
+  PA_DCHECK(lock_required_ ? lock_required == LockRequired::kRequired
+                           : lock_required == LockRequired::kNotRequired);
+  PA_DCHECK(usable_size == root_.allocator_root_.GetSlotUsableSize(slot_span));
+
+  const size_t capacity_in_bytes =
+      branch_capacity_in_bytes_.load(std::memory_order_relaxed);
+  if (capacity_in_bytes < usable_size) [[unlikely]] {
+    // Even if this branch dequarantines all entries held by it, this entry
+    // cannot fit within the capacity.
+    root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
+    root_.quarantine_miss_count_.fetch_add(1u, std::memory_order_relaxed);
+    return false;
+  }
+
+  if constexpr (lock_required == LockRequired::kNotRequired) {
+    // Although there is no need to actually acquire the lock as
+    // LockRequired::kNotRequired is specified,
+    // a CompileTimeConditionalScopedGuard is necessary in order to touch
+    // `slots_` as `slots_` is annotated with `PA_GUARDED_BY(lock_)`.
+    // CompileTimeConditionalScopedGuard's ctor and dtor behave as
+    // PA_EXCLUSIVE_LOCK_FUNCTION and PA_UNLOCK_FUNCTION.
+    CompileTimeConditionalScopedGuard<lock_required> guard(lock_);
+
+    // Dequarantine some entries as required.
+    PurgeInternal(capacity_in_bytes - usable_size);
+
+    // Put the entry onto the list.
+    branch_size_in_bytes_ += usable_size;
+    slots_.push_back({slot_start, usable_size});
+
+    // Swap randomly so that the quarantine list remain shuffled.
+    // This is not uniformly random, but sufficiently random.
+    const size_t random_index = random_.RandUint32() % slots_.size();
+    std::swap(slots_[random_index], slots_.back());
+  } else {
+    std::unique_ptr<ToBeFreedArray, InternalPartitionDeleter<ToBeFreedArray>>
+        to_be_freed;
+    size_t num_of_slots = 0;
+
+    {
+      CompileTimeConditionalScopedGuard<lock_required> guard(lock_);
+
+      // Borrow the reserved working memory from to_be_freed_working_memory_,
+      // and set nullptr to it indicating that it's in use.
+      to_be_freed.reset(to_be_freed_working_memory_.exchange(nullptr));
+      if (!to_be_freed) {
+        // When the reserved working memory has already been in use by another
+        // thread, fall back to allocate another chunk of working memory.
+        to_be_freed.reset(ConstructAtInternalPartition<ToBeFreedArray>());
+      }
+
+      // Dequarantine some entries as required. Save the objects to be
+      // deallocated into `to_be_freed`.
+      PurgeInternalWithDefferedFree(capacity_in_bytes - usable_size,
+                                    *to_be_freed, num_of_slots);
+
+      // Put the entry onto the list.
+      branch_size_in_bytes_ += usable_size;
+      slots_.push_back({slot_start, usable_size});
+
+      // Swap randomly so that the quarantine list remain shuffled.
+      // This is not uniformly random, but sufficiently random.
+      const size_t random_index = random_.RandUint32() % slots_.size();
+      std::swap(slots_[random_index], slots_.back());
+    }
+
+    // Actually deallocate the dequarantined objects.
+    BatchFree(*to_be_freed, num_of_slots);
+
+    // Return the possibly-borrowed working memory to
+    // to_be_freed_working_memory_. It doesn't matter much if it's really
+    // borrowed or locally-allocated. The important facts are 1) to_be_freed is
+    // non-null, and 2) to_be_freed_working_memory_ may likely be null (because
+    // this or another thread has already borrowed it). It's simply good to make
+    // to_be_freed_working_memory_ non-null whenever possible. Maybe yet another
+    // thread would be about to borrow the working memory.
+    to_be_freed.reset(
+        to_be_freed_working_memory_.exchange(to_be_freed.release()));
+  }
+
+  // Update stats (not locked).
+  root_.count_.fetch_add(1, std::memory_order_relaxed);
+  root_.size_in_bytes_.fetch_add(usable_size, std::memory_order_relaxed);
+  root_.cumulative_count_.fetch_add(1, std::memory_order_relaxed);
+  root_.cumulative_size_in_bytes_.fetch_add(usable_size,
+                                            std::memory_order_relaxed);
+  return true;
+}
+
+template bool LightweightQuarantineBranch::QuarantineInternal<
+    LightweightQuarantineBranch::LockRequired::kNotRequired>(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size);
+
+template bool LightweightQuarantineBranch::QuarantineInternal<
+    LightweightQuarantineBranch::LockRequired::kRequired>(
+    void* object,
+    SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+    uintptr_t slot_start,
+    size_t usable_size);
+
 PA_ALWAYS_INLINE void LightweightQuarantineBranch::PurgeInternal(
     size_t target_size_in_bytes) {
   int64_t freed_count = 0;
   int64_t freed_size_in_bytes = 0;
 
   // Dequarantine some entries as required.
-  while (!slots_.empty() && target_size_in_bytes < branch_size_in_bytes_) {
+  while (target_size_in_bytes < branch_size_in_bytes_) {
+    PA_DCHECK(!slots_.empty());
+
     // As quarantined entries are shuffled, picking last entry is equivalent
     // to picking random entry.
     const auto& to_free = slots_.back();
     size_t to_free_size = to_free.usable_size;
 
-    auto* slot_span = SlotSpanMetadata::FromSlotStart(to_free.slot_start);
+    auto* slot_span = SlotSpanMetadata<MetadataKind::kReadOnly>::FromSlotStart(
+        to_free.slot_start);
     void* object = root_.allocator_root_.SlotStartToObject(to_free.slot_start);
-    PA_DCHECK(slot_span == SlotSpanMetadata::FromObject(object));
+    PA_DCHECK(slot_span ==
+              SlotSpanMetadata<MetadataKind::kReadOnly>::FromObject(object));
 
     PA_DCHECK(to_free.slot_start);
     root_.allocator_root_.FreeNoHooksImmediate(object, slot_span,
@@ -158,4 +272,53 @@ PA_ALWAYS_INLINE void LightweightQuarantineBranch::PurgeInternal(
   root_.count_.fetch_sub(freed_count, std::memory_order_relaxed);
 }
 
+PA_ALWAYS_INLINE void
+LightweightQuarantineBranch::PurgeInternalWithDefferedFree(
+    size_t target_size_in_bytes,
+    ToBeFreedArray& to_be_freed,
+    size_t& num_of_slots) {
+  num_of_slots = 0;
+
+  int64_t freed_size_in_bytes = 0;
+
+  // Dequarantine some entries as required.
+  while (target_size_in_bytes < branch_size_in_bytes_) {
+    PA_DCHECK(!slots_.empty());
+
+    // As quarantined entries are shuffled, picking last entry is equivalent to
+    // picking random entry.
+    const QuarantineSlot& to_free = slots_.back();
+    const size_t to_free_size = to_free.usable_size;
+
+    to_be_freed[num_of_slots++] = to_free.slot_start;
+    slots_.pop_back();
+
+    freed_size_in_bytes += to_free_size;
+    branch_size_in_bytes_ -= to_free_size;
+
+    if (num_of_slots >= kMaxFreeTimesPerPurge) {
+      break;
+    }
+  }
+
+  root_.size_in_bytes_.fetch_sub(freed_size_in_bytes,
+                                 std::memory_order_relaxed);
+  root_.count_.fetch_sub(num_of_slots, std::memory_order_relaxed);
+}
+
+PA_ALWAYS_INLINE void LightweightQuarantineBranch::BatchFree(
+    const ToBeFreedArray& to_be_freed,
+    size_t num_of_slots) {
+  for (size_t i = 0; i < num_of_slots; ++i) {
+    const uintptr_t slot_start = to_be_freed[i];
+    PA_DCHECK(slot_start);
+    auto* slot_span =
+        SlotSpanMetadata<MetadataKind::kReadOnly>::FromSlotStart(slot_start);
+    void* object = root_.allocator_root_.SlotStartToObject(slot_start);
+    PA_DCHECK(slot_span ==
+              SlotSpanMetadata<MetadataKind::kReadOnly>::FromObject(object));
+    root_.allocator_root_.FreeNoHooksImmediate(object, slot_span, slot_start);
+  }
+}
+
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/lightweight_quarantine.h

@@ -108,10 +108,35 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // as much as possible.  If the object is too large, this may return
   // `false`, meaning that quarantine request has failed (and freed
   // immediately). Otherwise, returns `true`.
-  bool Quarantine(void* object,
+  PA_ALWAYS_INLINE bool Quarantine(
-                  SlotSpanMetadata* slot_span,
+      void* object,
-                  uintptr_t slot_start,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
-                  size_t usable_size);
+      uintptr_t slot_start,
+      size_t usable_size) {
+    return lock_required_ ? QuarantineWithAcquiringLock(object, slot_span,
+                                                        slot_start, usable_size)
+                          : QuarantineWithoutAcquiringLock(
+                                object, slot_span, slot_start, usable_size);
+  }
+  // Despite that LightweightQuarantineBranchConfig::lock_required_ is already
+  // specified, we provide two versions `With/WithoutAcquiringLock` so that we
+  // can avoid the overhead of runtime conditional branches.
+  PA_ALWAYS_INLINE bool QuarantineWithAcquiringLock(
+      void* object,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+      uintptr_t slot_start,
+      size_t usable_size) {
+    PA_MUSTTAIL return QuarantineInternal<LockRequired::kRequired>(
+        object, slot_span, slot_start, usable_size);
+  }
+  PA_ALWAYS_INLINE bool QuarantineWithoutAcquiringLock(
+      void* object,
+      SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+      uintptr_t slot_start,
+      size_t usable_size) {
+    PA_MUSTTAIL return QuarantineInternal<LockRequired::kNotRequired>(
+        object, slot_span, slot_start, usable_size);
+  }
 
   // Dequarantine all entries **held by this branch**.
   // It is possible that another branch with entries and it remains untouched.
@@ -130,9 +155,27 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   void SetCapacityInBytes(size_t capacity_in_bytes);
 
  private:
+  enum class LockRequired { kNotRequired, kRequired };
+  template <LockRequired lock_required>
+  class PA_SCOPED_LOCKABLE CompileTimeConditionalScopedGuard;
+  class PA_SCOPED_LOCKABLE RuntimeConditionalScopedGuard;
+  // `ToBeFreedArray` is used in `PurgeInternalInTwoPhases1of2` and
+  // `PurgeInternalInTwoPhases2of2`. See the function comment about the purpose.
+  // In order to avoid reentrancy issues, we must not deallocate any object in
+  // `Quarantine`. So, std::vector is not an option. std::array doesn't
+  // deallocate, plus, std::array has perf advantages.
+  static constexpr size_t kMaxFreeTimesPerPurge = 1024;
+  using ToBeFreedArray = std::array<uintptr_t, kMaxFreeTimesPerPurge>;
+
   LightweightQuarantineBranch(Root& root,
                               const LightweightQuarantineBranchConfig& config);
 
+  template <LockRequired lock_required>
+  bool QuarantineInternal(void* object,
+                          SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+                          uintptr_t slot_start,
+                          size_t usable_size);
+
   // Try to dequarantine entries to satisfy below:
   //   root_.size_in_bytes_ <=  target_size_in_bytes
   // It is possible that this branch cannot satisfy the
@@ -140,6 +183,19 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // constraint, call `Purge()` for each branch in sequence, synchronously.
   PA_ALWAYS_INLINE void PurgeInternal(size_t target_size_in_bytes)
       PA_EXCLUSIVE_LOCKS_REQUIRED(lock_);
+  // In order to reduce thread contention, dequarantines entries in two phases:
+  //   Phase 1) With the lock acquired, saves `slot_start`s of the quarantined
+  //     objects in an array, and shrinks `slots_`. Then, releases the lock so
+  //     that another thread can quarantine an object.
+  //   Phase 2) Without the lock acquired, deallocates objects saved in the
+  //     array in Phase 1. This may take some time, but doesn't block other
+  //     threads.
+  PA_ALWAYS_INLINE void PurgeInternalWithDefferedFree(
+      size_t target_size_in_bytes,
+      ToBeFreedArray& to_be_freed,
+      size_t& num_of_slots) PA_EXCLUSIVE_LOCKS_REQUIRED(lock_);
+  PA_ALWAYS_INLINE void BatchFree(const ToBeFreedArray& to_be_freed,
+                                  size_t num_of_slots);
 
   Root& root_;
 
@@ -161,9 +217,35 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) LightweightQuarantineBranch {
   // Using `std::atomic` here so that other threads can update this value.
   std::atomic_size_t branch_capacity_in_bytes_;
 
+  // This working memory is temporarily needed only while dequarantining
+  // objects in slots_ when lock_required_ is true. However, allocating this
+  // working memory on stack may cause stack overflow [1]. Plus, it's non-
+  // negligible perf penalty to allocate and deallocate this working memory on
+  // heap only while dequarantining. So, we reserve one chunk of working memory
+  // on heap during the entire lifetime of this branch object and try to reuse
+  // this working memory among threads. Only when thread contention occurs, we
+  // allocate and deallocate another chunk of working memory.
+  // [1] https://issues.chromium.org/issues/387508217
+  std::atomic<ToBeFreedArray*> to_be_freed_working_memory_ = nullptr;
+
   friend class LightweightQuarantineRoot;
 };
 
+extern template PA_COMPONENT_EXPORT(
+    PARTITION_ALLOC) bool LightweightQuarantineBranch::
+    QuarantineInternal<LightweightQuarantineBranch::LockRequired::kNotRequired>(
+        void* object,
+        SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+        uintptr_t slot_start,
+        size_t usable_size);
+extern template PA_COMPONENT_EXPORT(
+    PARTITION_ALLOC) bool LightweightQuarantineBranch::
+    QuarantineInternal<LightweightQuarantineBranch::LockRequired::kRequired>(
+        void* object,
+        SlotSpanMetadata<MetadataKind::kReadOnly>* slot_span,
+        uintptr_t slot_start,
+        size_t usable_size);
+
 }  // namespace internal
 
 }  // namespace partition_alloc

src/base/allocator/partition_allocator/src/partition_alloc/oom.cc

@@ -15,6 +15,7 @@
 
 #include <array>
 #include <cstdlib>
+#include <limits>
 #endif  // PA_BUILDFLAG(IS_WIN)
 
 namespace partition_alloc {
@@ -26,23 +27,50 @@ namespace internal {
 // Crash server classifies base::internal::OnNoMemoryInternal as OOM.
 // TODO(crbug.com/40158212): Update to
 // partition_alloc::internal::base::internal::OnNoMemoryInternal
-PA_NOINLINE void OnNoMemoryInternal(size_t size) {
+[[noreturn]] PA_NOINLINE PA_NOT_TAIL_CALLED void OnNoMemoryInternal(
+    size_t size) {
   g_oom_size = size;
+  size_t tmp_size = size;
+  internal::base::debug::Alias(&tmp_size);
+
 #if PA_BUILDFLAG(IS_WIN)
+  // Create an exception vector with:
+  // [0] the size of the allocation, in bytes
+  // [1] "current committed memory limit for the system or the current process,
+  //     whichever is smaller, in bytes"
+  // [2] "maximum amount of memory the current process can commit, in bytes"
+  //
+  // Citations from
+  // https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/ns-sysinfoapi-memorystatusex
+  //
+  // System commit constraints (which may be different from the process commit
+  // constraints) are in the stability_report.SystemMemoryState.WindowsMemory
+  // proto attached to crash reports.
+  //
+  // Note: Both the process commit constraints in the exception vector and the
+  // system commit constraints in the proto are collected *after* the OOM and
+  // may therefore not reflect the state at the time of the OOM (e.g. another
+  // process may have exited or the page file may have been resized).
+  constexpr size_t kInvalid = std::numeric_limits<ULONG_PTR>::max();
+  ULONG_PTR exception_args[] = {size, kInvalid, kInvalid};
+
+  MEMORYSTATUSEX memory_status = {};
+  memory_status.dwLength = sizeof(memory_status);
+  if (::GlobalMemoryStatusEx(&memory_status) != 0) {
+    exception_args[1] = memory_status.ullTotalPageFile;
+    exception_args[2] = memory_status.ullAvailPageFile;
+  }
+  internal::base::debug::Alias(&memory_status);
+
   // Kill the process. This is important for security since most of code
   // does not check the result of memory allocation.
-  // https://msdn.microsoft.com/en-us/library/het71c37.aspx
+  // Documentation: https://msdn.microsoft.com/en-us/library/het71c37.aspx
-  // Pass the size of the failed request in an exception argument.
-  ULONG_PTR exception_args[] = {size};
   ::RaiseException(win::kOomExceptionCode, EXCEPTION_NONCONTINUABLE,
                    std::size(exception_args), exception_args);
 
   // Safety check, make sure process exits here.
   _exit(win::kOomExceptionCode);
 #else
-  size_t tmp_size = size;
-  internal::base::debug::Alias(&tmp_size);
-
   // Note: Don't add anything that may allocate here. Depending on the
   // allocator, this may be called from within the allocator (e.g. with
   // PartitionAlloc), and would deadlock as our locks are not recursive.

src/base/allocator/partition_allocator/src/partition_alloc/oom.h

@@ -22,8 +22,8 @@ namespace partition_alloc {
 // |size| is the size of the failed allocation, or 0 if not known.
 // Crash reporting classifies such crashes as OOM.
 // Must be allocation-safe.
-PA_COMPONENT_EXPORT(PARTITION_ALLOC)
+[[noreturn]] PA_NOT_TAIL_CALLED PA_COMPONENT_EXPORT(
-void TerminateBecauseOutOfMemory(size_t size);
+    PARTITION_ALLOC) void TerminateBecauseOutOfMemory(size_t size);
 
 // Records the size of the allocation that caused the current OOM crash, for
 // consumption by Breakpad.

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator.cc

@@ -363,6 +363,14 @@ void DiscardSystemPages(void* address, size_t length) {
   DiscardSystemPages(reinterpret_cast<uintptr_t>(address), length);
 }
 
+bool SealSystemPages(uintptr_t address, size_t length) {
+  PA_DCHECK(!(length & internal::SystemPageOffsetMask()));
+  return internal::SealSystemPagesInternal(address, length);
+}
+bool SealSystemPages(void* address, size_t length) {
+  return SealSystemPages(reinterpret_cast<uintptr_t>(address), length);
+}
+
 bool ReserveAddressSpace(size_t size) {
   // To avoid deadlock, call only SystemAllocPages.
   internal::ScopedGuard guard(GetReserveLock());

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator.h

@@ -345,6 +345,24 @@ void DiscardSystemPages(uintptr_t address, size_t length);
 PA_COMPONENT_EXPORT(PARTITION_ALLOC)
 void DiscardSystemPages(void* address, size_t length);
 
+// Seal a number of system pages starting at |address|. Returns |true| on
+// success.
+//
+// This blocks various modifications to the pages such as unmapping, remapping
+// or changing page permissions. Note that it doesn't change the accessibility
+// of the memory, sealed writable pages will still be writable.
+//
+// This is mainly useful for non-writable memory (either via page permissions or
+// other hardware features like pkeys) that is bound to the process lifetime.
+//
+// While unmapping the pages gets blocked, it can still be possible to release
+// the memory using |DiscardSystemPages()|, though note that at least on Linux,
+// it requires write access to the page to succeed.
+PA_COMPONENT_EXPORT(PARTITION_ALLOC)
+bool SealSystemPages(uintptr_t address, size_t length);
+PA_COMPONENT_EXPORT(PARTITION_ALLOC)
+bool SealSystemPages(void* address, size_t length);
+
 // Rounds up |address| to the next multiple of |SystemPageSize()|. Returns
 // 0 for an |address| of 0.
 PA_ALWAYS_INLINE PAGE_ALLOCATOR_CONSTANTS_DECLARE_CONSTEXPR uintptr_t

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_constants.h

@@ -26,7 +26,7 @@
 #define PAGE_ALLOCATOR_CONSTANTS_DECLARE_CONSTEXPR __attribute__((const))
 
 #elif (PA_BUILDFLAG(IS_ANDROID) && PA_BUILDFLAG(PA_ARCH_CPU_64_BITS)) || \
-    (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)) || \
+    (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_ARM64)) ||       \
     (PA_BUILDFLAG(IS_LINUX) && PA_BUILDFLAG(PA_ARCH_CPU_PPC64))
 // This should work for all POSIX (if needed), but currently all other
 // supported OS/architecture combinations use either hard-coded values
@@ -39,6 +39,7 @@
 #define PAGE_ALLOCATOR_CONSTANTS_DECLARE_CONSTEXPR __attribute__((const))
 
 #include <unistd.h>
+
 #include <atomic>
 
 namespace partition_alloc::internal {
@@ -69,9 +70,30 @@ extern PageCharacteristics page_characteristics;
 
 // Ability to name anonymous VMAs is available on some, but not all Linux-based
 // systems.
-#if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX)
+#if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX) || \
+    PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/prctl.h>
 
+#if (PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)) && \
+    !(defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME))
+
+// The PR_SET_VMA* symbols are originally from
+// https://android.googlesource.com/platform/bionic/+/lollipop-release/libc/private/bionic_prctl.h
+// and were subsequently added to mainline Linux in Jan 2022, see
+// https://github.com/torvalds/linux/commit/9a10064f5625d5572c3626c1516e0bebc6c9fe9b.
+//
+// Define them to support compiling with older headers.
+#if !defined(PR_SET_VMA)
+#define PR_SET_VMA 0x53564d41
+#endif
+
+#if !defined(PR_SET_VMA_ANON_NAME)
+#define PR_SET_VMA_ANON_NAME 0
+#endif
+
+#endif  // (PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)) &&
+        // !(defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME))
+
 #if defined(PR_SET_VMA) && defined(PR_SET_VMA_ANON_NAME)
 #define LINUX_NAME_REGION 1
 #endif
@@ -91,7 +113,7 @@ PageAllocationGranularityShift() {
   // arm64 supports 4kb (shift = 12), 16kb (shift = 14), and 64kb (shift = 16)
   // page sizes. Retrieve from or initialize cache.
   size_t shift = page_characteristics.shift.load(std::memory_order_relaxed);
-  if (PA_UNLIKELY(shift == 0)) {
+  if (shift == 0) [[unlikely]] {
     shift = static_cast<size_t>(
         __builtin_ctz((unsigned int)PageAllocationGranularity()));
     page_characteristics.shift.store(shift, std::memory_order_relaxed);
@@ -132,7 +154,7 @@ PageAllocationGranularity() {
   // arm64 supports 4kb, 16kb, and 64kb page sizes. Retrieve from or
   // initialize cache.
   size_t size = page_characteristics.size.load(std::memory_order_relaxed);
-  if (PA_UNLIKELY(size == 0)) {
+  if (size == 0) [[unlikely]] {
     size = static_cast<size_t>(getpagesize());
     page_characteristics.size.store(size, std::memory_order_relaxed);
   }

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_fuchsia.h

@@ -28,8 +28,6 @@
 
 namespace partition_alloc::internal {
 
-namespace {
-
 zx::resource GetVmexResource() {
   auto vmex_resource_client =
       component::Connect<fuchsia_kernel::VmexResource>();
@@ -94,8 +92,6 @@ zx_vm_option_t PageAccessibilityToZxVmOptions(
   PA_NOTREACHED();
 }
 
-}  // namespace
-
 // zx_vmar_map() will fail if the VMO cannot be mapped at |vmar_offset|, i.e.
 // |hint| is not advisory.
 constexpr bool kHintIsAdvisory = false;
@@ -210,6 +206,10 @@ void DiscardSystemPagesInternal(uint64_t address, size_t length) {
   PA_ZX_CHECK(status == ZX_OK, status);
 }
 
+bool SealSystemPagesInternal(uint64_t address, size_t length) {
+  return false;
+}
+
 void DecommitSystemPagesInternal(
     uint64_t address,
     size_t length,

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_posix.cc

@@ -7,10 +7,39 @@
 #include "partition_alloc/build_config.h"
 #include "partition_alloc/buildflags.h"
 #include "partition_alloc/page_allocator.h"
+#include "partition_alloc/partition_alloc_base/notreached.h"
+
+#if PA_BUILDFLAG(IS_APPLE)
+#include "partition_alloc/partition_alloc_base/apple/foundation_util.h"
+#if PA_BUILDFLAG(IS_IOS)
+#include "partition_alloc/partition_alloc_base/ios/ios_util.h"
+#elif PA_BUILDFLAG(IS_MAC)
+#include "partition_alloc/partition_alloc_base/mac/mac_util.h"
+#else
+#error "Unknown platform"
+#endif
+#include <Availability.h>
+#include <Security/Security.h>
+#include <mach/mach.h>
+
+#include "partition_alloc/partition_alloc_base/apple/scoped_cftyperef.h"
+#endif
+
+#if PA_BUILDFLAG(IS_MAC)
+
+// SecTaskGetCodeSignStatus is marked as unavailable on macOS, although it’s
+// available on iOS and other Apple operating systems. It is, in fact, present
+// on the system since macOS 10.12.
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wavailability"
+uint32_t SecTaskGetCodeSignStatus(SecTaskRef task) API_AVAILABLE(macos(10.12));
+#pragma clang diagnostic pop
+
+#endif  // PA_BUILDFLAG(IS_MAC)
 
 #if PA_BUILDFLAG(HAS_MEMORY_TAGGING) ||                                        \
     (defined(__ARM_FEATURE_BTI_DEFAULT) && (__ARM_FEATURE_BTI_DEFAULT == 1) && \
-     !defined(__MUSL__))
+     __has_include(<sys/ifunc.h>))
 struct __ifunc_arg_t;
 
 #include "partition_alloc/aarch64_support.h"
@@ -91,4 +120,88 @@ int GetAccessFlags(PageAccessibilityConfiguration accessibility)
 }
 #endif
 
+#if defined(LINUX_NAME_REGION)
+
+void NameRegion(void* start, size_t length, PageTag page_tag) {
+  // Important: All the names should be string literals. As per prctl.h in
+  // //third_party/android_toolchain/ndk the kernel keeps a pointer to the name
+  // instead of copying it.
+  //
+  // Having the name in .rodata ensures that the pointer remains valid as
+  // long as the mapping is alive.
+  const char* name = nullptr;
+  switch (page_tag) {
+    case PageTag::kSimulation:
+      name = "simulation";
+      break;
+    case PageTag::kBlinkGC:
+      name = "blink_gc";
+      break;
+    case PageTag::kPartitionAlloc:
+      name = "partition_alloc";
+      break;
+    case PageTag::kChromium:
+      name = "chromium";
+      break;
+    case PageTag::kV8:
+      name = "v8";
+      break;
+    default:
+      PA_NOTREACHED();
+  }
+
+  // No error checking on purpose, used for debugging only.
+  prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, length, name);
+}
+
+#endif  // defined(LINUX_NAME_REGION)
+
+#if PA_BUILDFLAG(IS_MAC)
+// Tests whether the version of macOS supports the MAP_JIT flag and if the
+// current process is signed with the hardened runtime and the allow-jit
+// entitlement, returning whether MAP_JIT should be used to allocate regions
+// that will contain JIT-compiled executable code.
+bool UseMapJit() {
+  // Until determining that the hardened runtime is enabled, early returns will
+  // return true, so that MAP_JIT will be used. This is important on arm64,
+  // which only allows pages to be simultaneously writable and executable when
+  // in a region allocated with MAP_JIT, regardless of code signing options. On
+  // arm64, an attempt to set a non-MAP_JIT page as simultaneously writable and
+  // executable fails with EPERM. Although this is not enforced on x86_64,
+  // MAP_JIT is harmless in that case.
+
+  base::apple::ScopedCFTypeRef<SecTaskRef> task(
+      SecTaskCreateFromSelf(kCFAllocatorDefault));
+  if (!task) {
+    return true;
+  }
+
+  uint32_t flags = SecTaskGetCodeSignStatus(task);
+  if (!(flags & kSecCodeSignatureRuntime)) {
+    // The hardened runtime is not enabled. Note that kSecCodeSignatureRuntime
+    // == CS_RUNTIME.
+    return true;
+  }
+
+  // The hardened runtime is enabled. From this point on, early returns must
+  // return false, indicating that MAP_JIT is not to be used. It’s an error
+  // (EINVAL) to use MAP_JIT with the hardened runtime unless the JIT
+  // entitlement is specified.
+
+  base::apple::ScopedCFTypeRef<CFTypeRef> jit_entitlement(
+      SecTaskCopyValueForEntitlement(
+          task.get(), CFSTR("com.apple.security.cs.allow-jit"), nullptr));
+  if (!jit_entitlement) {
+    return false;
+  }
+
+  return base::apple::CFCast<CFBooleanRef>(jit_entitlement.get()) ==
+         kCFBooleanTrue;
+}
+#elif PA_BUILDFLAG(IS_IOS)
+bool UseMapJit() {
+  return true;
+}
+#endif  // PA_BUILDFLAG(IS_IOS)
+
 }  // namespace partition_alloc::internal

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_posix.h

@@ -6,6 +6,7 @@
 #define PARTITION_ALLOC_PAGE_ALLOCATOR_INTERNALS_POSIX_H_
 
 #include <sys/mman.h>
+#include <sys/syscall.h>
 
 #include <algorithm>
 #include <atomic>
@@ -18,29 +19,14 @@
 #include "partition_alloc/oom.h"
 #include "partition_alloc/page_allocator.h"
 #include "partition_alloc/page_allocator_constants.h"
-#include "partition_alloc/partition_alloc_base/notreached.h"
 #include "partition_alloc/partition_alloc_base/posix/eintr_wrapper.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/thread_isolation/thread_isolation.h"
 
-#if PA_BUILDFLAG(IS_APPLE)
-#include "partition_alloc/partition_alloc_base/apple/foundation_util.h"
-#if PA_BUILDFLAG(IS_IOS)
-#include "partition_alloc/partition_alloc_base/ios/ios_util.h"
-#elif PA_BUILDFLAG(IS_MAC)
-#include "partition_alloc/partition_alloc_base/mac/mac_util.h"
-#else
-#error "Unknown platform"
-#endif
-#include "partition_alloc/partition_alloc_base/apple/scoped_cftyperef.h"
-
-#include <Availability.h>
-#include <Security/Security.h>
-#include <mach/mach.h>
-#endif
 #if PA_BUILDFLAG(IS_ANDROID) || PA_BUILDFLAG(IS_LINUX)
 #include <sys/prctl.h>
 #endif
+
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/resource.h>
 #endif
@@ -49,114 +35,19 @@
 #define MAP_ANONYMOUS MAP_ANON
 #endif
 
-#if PA_BUILDFLAG(IS_MAC)
-
-// SecTaskGetCodeSignStatus is marked as unavailable on macOS, although it’s
-// available on iOS and other Apple operating systems. It is, in fact, present
-// on the system since macOS 10.12.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wavailability"
-uint32_t SecTaskGetCodeSignStatus(SecTaskRef task) API_AVAILABLE(macos(10.12));
-#pragma clang diagnostic pop
-
-#endif  // PA_BUILDFLAG(IS_MAC)
-
 namespace partition_alloc::internal {
 
-namespace {
-
 #if defined(LINUX_NAME_REGION)
-
+void NameRegion(void* start, size_t length, PageTag page_tag);
-void NameRegion(void* start, size_t length, PageTag page_tag) {
-  // Important: All the names should be string literals. As per prctl.h in
-  // //third_party/android_toolchain/ndk the kernel keeps a pointer to the name
-  // instead of copying it.
-  //
-  // Having the name in .rodata ensures that the pointer remains valid as
-  // long as the mapping is alive.
-  const char* name = nullptr;
-  switch (page_tag) {
-    case PageTag::kSimulation:
-      name = "simulation";
-      break;
-    case PageTag::kBlinkGC:
-      name = "blink_gc";
-      break;
-    case PageTag::kPartitionAlloc:
-      name = "partition_alloc";
-      break;
-    case PageTag::kChromium:
-      name = "chromium";
-      break;
-    case PageTag::kV8:
-      name = "v8";
-      break;
-    default:
-      PA_NOTREACHED();
-      break;
-  }
-
-  // No error checking on purpose, testing only.
-  prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start, length, name);
-}
-
 #endif  // defined(LINUX_NAME_REGION)
 
-#if PA_BUILDFLAG(IS_MAC)
+#if PA_BUILDFLAG(IS_APPLE)
 // Tests whether the version of macOS supports the MAP_JIT flag and if the
 // current process is signed with the hardened runtime and the allow-jit
 // entitlement, returning whether MAP_JIT should be used to allocate regions
 // that will contain JIT-compiled executable code.
-bool UseMapJit() {
+bool UseMapJit();
-  // Until determining that the hardened runtime is enabled, early returns will
-  // return true, so that MAP_JIT will be used. This is important on arm64,
-  // which only allows pages to be simultaneously writable and executable when
-  // in a region allocated with MAP_JIT, regardless of code signing options. On
-  // arm64, an attempt to set a non-MAP_JIT page as simultaneously writable and
-  // executable fails with EPERM. Although this is not enforced on x86_64,
-  // MAP_JIT is harmless in that case.
-
-  base::apple::ScopedCFTypeRef<SecTaskRef> task(
-      SecTaskCreateFromSelf(kCFAllocatorDefault));
-  if (!task) {
-    return true;
-  }
-
-  uint32_t flags = SecTaskGetCodeSignStatus(task);
-  if (!(flags & kSecCodeSignatureRuntime)) {
-    // The hardened runtime is not enabled. Note that kSecCodeSignatureRuntime
-    // == CS_RUNTIME.
-    return true;
-  }
-
-  // The hardened runtime is enabled. From this point on, early returns must
-  // return false, indicating that MAP_JIT is not to be used. It’s an error
-  // (EINVAL) to use MAP_JIT with the hardened runtime unless the JIT
-  // entitlement is specified.
-
-  base::apple::ScopedCFTypeRef<CFTypeRef> jit_entitlement(
-      SecTaskCopyValueForEntitlement(
-          task.get(), CFSTR("com.apple.security.cs.allow-jit"), nullptr));
-  if (!jit_entitlement) {
-    return false;
-  }
-
-  return base::apple::CFCast<CFBooleanRef>(jit_entitlement.get()) ==
-         kCFBooleanTrue;
-}
-#elif PA_BUILDFLAG(IS_IOS)
-bool UseMapJit() {
-// Always enable MAP_JIT in simulator as it is supported unconditionally.
-#if TARGET_IPHONE_SIMULATOR
-  return true;
-#else
-  // TODO(crbug.com/40255826): Fill this out when the API it is
-  // available.
-  return false;
-#endif  // TARGET_IPHONE_SIMULATOR
-}
 #endif  // PA_BUILDFLAG(IS_IOS)
-}  // namespace
 
 // |mmap| uses a nearby address if the hint address is blocked.
 constexpr bool kHintIsAdvisory = true;
@@ -192,6 +83,13 @@ uintptr_t SystemAllocPagesInternal(uintptr_t hint,
           PageAccessibilityConfiguration::kInaccessibleWillJitLater &&
       kUseMapJit) {
     map_flags |= MAP_JIT;
+    // iOS devices do not support toggling the page permissions after a MAP_JIT
+    // call, they must be set initially. iOS has per-thread W^X state that
+    // takes precedence over the mapping's permissions for MAP_JIT regions.
+    // See https://developer.apple.com/forums/thread/672804
+#if PA_BUILDFLAG(IS_IOS)
+    access_flag = PROT_READ | PROT_WRITE | PROT_EXEC;
+#endif
   }
 #endif
 
@@ -432,6 +330,17 @@ void DiscardSystemPagesInternal(uintptr_t address, size_t length) {
 #endif  // PA_BUILDFLAG(IS_APPLE)
 }
 
+bool SealSystemPagesInternal(uintptr_t address, size_t length) {
+  // TODO(sroettger): we either need to ensure that __NR_mseal is defined in the
+  // headers used by builders or define it ourselves.
+#if PA_BUILDFLAG(IS_LINUX) && defined(__NR_mseal)
+  long ret = syscall(__NR_mseal, address, length, 0);
+  return ret == 0;
+#else
+  return false;
+#endif
+}
+
 }  // namespace partition_alloc::internal
 
 #endif  // PARTITION_ALLOC_PAGE_ALLOCATOR_INTERNALS_POSIX_H_

src/base/allocator/partition_allocator/src/partition_alloc/page_allocator_internals_win.h

@@ -238,6 +238,10 @@ void DiscardSystemPagesInternal(uintptr_t address, size_t length) {
   }
 }
 
+bool SealSystemPagesInternal(uintptr_t address, size_t length) {
+  return false;
+}
+
 }  // namespace partition_alloc::internal
 
 #endif  // PARTITION_ALLOC_PAGE_ALLOCATOR_INTERNALS_WIN_H_

src/base/allocator/partition_allocator/src/partition_alloc/partition_address_space.cc

@@ -7,6 +7,7 @@
 #include <array>
 #include <cstddef>
 #include <cstdint>
+#include <cstring>
 #include <ostream>
 #include <string>
 
@@ -18,6 +19,7 @@
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/debug/alias.h"
+#include "partition_alloc/partition_alloc_base/files/platform_file.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
 #include "partition_alloc/partition_alloc_constants.h"
@@ -80,7 +82,7 @@ PA_NOINLINE void HandlePoolAllocFailure() {
 
 }  // namespace
 
-PartitionAddressSpace::PoolSetup PartitionAddressSpace::setup_;
+PA_CONSTINIT PartitionAddressSpace::PoolSetup PartitionAddressSpace::setup_;
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
 std::ptrdiff_t PartitionAddressSpace::regular_pool_shadow_offset_ = 0;
@@ -88,9 +90,12 @@ std::ptrdiff_t PartitionAddressSpace::brp_pool_shadow_offset_ = 0;
 std::ptrdiff_t PartitionAddressSpace::configurable_pool_shadow_offset_ = 0;
 
 // File descriptors for shared mappings.
-int PartitionAddressSpace::regular_pool_fd_ = -1;
+base::PlatformFile PartitionAddressSpace::regular_pool_fd_ =
-int PartitionAddressSpace::brp_pool_fd_ = -1;
+    base::kInvalidPlatformFile;
-int PartitionAddressSpace::configurable_pool_fd_ = -1;
+base::PlatformFile PartitionAddressSpace::brp_pool_fd_ =
+    base::kInvalidPlatformFile;
+base::PlatformFile PartitionAddressSpace::configurable_pool_fd_ =
+    base::kInvalidPlatformFile;
 
 uintptr_t PartitionAddressSpace::pool_shadow_address_ =
     PartitionAddressSpace::kUninitializedPoolBaseAddress;
@@ -101,8 +106,7 @@ uintptr_t PartitionAddressSpace::pool_shadow_address_ =
 #error Dynamic pool size is only supported on iOS.
 #endif
 
-namespace {
+bool PartitionAddressSpace::IsIOSTestProcess() {
-bool IsIOSTestProcess() {
   // On iOS, only applications with the extended virtual addressing entitlement
   // can use a large address space. Since Earl Grey test runner apps cannot get
   // entitlements, they must use a much smaller pool size. Similarly,
@@ -133,28 +137,15 @@ bool IsIOSTestProcess() {
 
   return has_suffix("Runner") || has_suffix("ios_web_view_inttests");
 }
-}  // namespace
-
-PA_ALWAYS_INLINE size_t PartitionAddressSpace::RegularPoolSize() {
-  return IsIOSTestProcess() ? kRegularPoolSizeForIOSTestProcess
-                            : kRegularPoolSize;
-}
-PA_ALWAYS_INLINE size_t PartitionAddressSpace::BRPPoolSize() {
-  return IsIOSTestProcess() ? kBRPPoolSizeForIOSTestProcess : kBRPPoolSize;
-}
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
-size_t PartitionAddressSpace::RegularPoolShadowSize() {
+size_t PartitionAddressSpace::CorePoolShadowSize() {
-  return (RegularPoolSize() >> kSuperPageShift) << SystemPageShift();
+  return CorePoolSize();
-}
-
-size_t PartitionAddressSpace::BRPPoolShadowSize() {
-  return (BRPPoolSize() >> kSuperPageShift) << SystemPageShift();
 }
 
 size_t PartitionAddressSpace::ConfigurablePoolShadowSize() {
-  return (kConfigurablePoolMaxSize >> kSuperPageShift) << SystemPageShift();
+  return kConfigurablePoolMaxSize;
 }
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 
@@ -163,26 +154,16 @@ void PartitionAddressSpace::Init() {
     return;
   }
 
-  const size_t regular_pool_size = RegularPoolSize();
+  const size_t core_pool_size = CorePoolSize();
-  const size_t brp_pool_size = BRPPoolSize();
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+  size_t glued_pool_sizes = core_pool_size * 2;
-  // Gluing core pools (regular & BRP) makes sense only when both pools are of
-  // the same size. This the only way we can check belonging to either of the
-  // two with a single bitmask operation.
-  PA_CHECK(regular_pool_size == brp_pool_size);
-
-  // TODO(crbug.com/40238514): Support PA_ENABLE_SHADOW_METADATA.
-  int pools_fd = -1;
-
-  size_t glued_pool_sizes = regular_pool_size * 2;
   // Note, BRP pool requires to be preceded by a "forbidden zone", which is
   // conveniently taken care of by the last guard page of the regular pool.
   setup_.regular_pool_base_address_ =
       AllocPages(glued_pool_sizes, glued_pool_sizes,
                  PageAccessibilityConfiguration(
                      PageAccessibilityConfiguration::kInaccessible),
-                 PageTag::kPartitionAlloc, pools_fd);
+                 PageTag::kPartitionAlloc);
 #if PA_BUILDFLAG(IS_ANDROID)
   // On Android, Adreno-GSL library fails to mmap if we snatch address
   // 0x400000000. Find a different address instead.
@@ -191,7 +172,7 @@ void PartitionAddressSpace::Init() {
         AllocPages(glued_pool_sizes, glued_pool_sizes,
                    PageAccessibilityConfiguration(
                        PageAccessibilityConfiguration::kInaccessible),
-                   PageTag::kPartitionAlloc, pools_fd);
+                   PageTag::kPartitionAlloc);
     FreePages(setup_.regular_pool_base_address_, glued_pool_sizes);
     setup_.regular_pool_base_address_ = new_base_address;
   }
@@ -200,81 +181,45 @@ void PartitionAddressSpace::Init() {
     HandlePoolAllocFailure();
   }
   setup_.brp_pool_base_address_ =
-      setup_.regular_pool_base_address_ + regular_pool_size;
+      setup_.regular_pool_base_address_ + core_pool_size;
-#else  // PA_BUILDFLAG(GLUE_CORE_POOLS)
-  setup_.regular_pool_base_address_ =
-      AllocPages(regular_pool_size, regular_pool_size,
-                 PageAccessibilityConfiguration(
-                     PageAccessibilityConfiguration::kInaccessible),
-                 PageTag::kPartitionAlloc);
-  if (!setup_.regular_pool_base_address_) {
-    HandlePoolAllocFailure();
-  }
-
-  // Reserve an extra allocation granularity unit before the BRP pool, but keep
-  // the pool aligned at BRPPoolSize(). A pointer immediately past an allocation
-  // is a valid pointer, and having a "forbidden zone" before the BRP pool
-  // prevents such a pointer from "sneaking into" the pool.
-  const size_t kForbiddenZoneSize = PageAllocationGranularity();
-  uintptr_t base_address = AllocPagesWithAlignOffset(
-      0, brp_pool_size + kForbiddenZoneSize, brp_pool_size,
-      brp_pool_size - kForbiddenZoneSize,
-      PageAccessibilityConfiguration(
-          PageAccessibilityConfiguration::kInaccessible),
-      PageTag::kPartitionAlloc, -1);
-  if (!base_address) {
-    HandlePoolAllocFailure();
-  }
-  setup_.brp_pool_base_address_ = base_address + kForbiddenZoneSize;
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  setup_.regular_pool_base_mask_ = ~(regular_pool_size - 1);
+  setup_.core_pool_base_mask_ = ~(core_pool_size - 1);
-  setup_.brp_pool_base_mask_ = ~(brp_pool_size - 1);
+  // The BRP pool is placed at the end of the regular pool, effectively forming
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+  // one virtual pool of a twice bigger size. Adjust the mask appropriately.
-  // When PA_GLUE_CORE_POOLS is on, the BRP pool is placed at the end of the
+  setup_.glued_pools_base_mask_ = setup_.core_pool_base_mask_ << 1;
-  // regular pool, effectively forming one virtual pool of a twice bigger
-  // size. Adjust the mask appropriately.
-  setup_.core_pools_base_mask_ = setup_.regular_pool_base_mask_ << 1;
-  PA_DCHECK(setup_.core_pools_base_mask_ == (setup_.brp_pool_base_mask_ << 1));
-#endif
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
   AddressPoolManager::GetInstance().Add(
-      kRegularPoolHandle, setup_.regular_pool_base_address_, regular_pool_size);
+      kRegularPoolHandle, setup_.regular_pool_base_address_, core_pool_size);
   AddressPoolManager::GetInstance().Add(
-      kBRPPoolHandle, setup_.brp_pool_base_address_, brp_pool_size);
+      kBRPPoolHandle, setup_.brp_pool_base_address_, core_pool_size);
 
   // Sanity check pool alignment.
-  PA_DCHECK(!(setup_.regular_pool_base_address_ & (regular_pool_size - 1)));
+  PA_DCHECK(!(setup_.regular_pool_base_address_ & (core_pool_size - 1)));
-  PA_DCHECK(!(setup_.brp_pool_base_address_ & (brp_pool_size - 1)));
+  PA_DCHECK(!(setup_.brp_pool_base_address_ & (core_pool_size - 1)));
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   PA_DCHECK(!(setup_.regular_pool_base_address_ & (glued_pool_sizes - 1)));
-#endif
 
   // Sanity check pool belonging.
   PA_DCHECK(!IsInRegularPool(setup_.regular_pool_base_address_ - 1));
   PA_DCHECK(IsInRegularPool(setup_.regular_pool_base_address_));
-  PA_DCHECK(IsInRegularPool(setup_.regular_pool_base_address_ +
-                            regular_pool_size - 1));
   PA_DCHECK(
-      !IsInRegularPool(setup_.regular_pool_base_address_ + regular_pool_size));
+      IsInRegularPool(setup_.regular_pool_base_address_ + core_pool_size - 1));
+  PA_DCHECK(
+      !IsInRegularPool(setup_.regular_pool_base_address_ + core_pool_size));
   PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ - 1));
   PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_));
-  PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_ + brp_pool_size - 1));
+  PA_DCHECK(IsInBRPPool(setup_.brp_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ + brp_pool_size));
+  PA_DCHECK(!IsInBRPPool(setup_.brp_pool_base_address_ + core_pool_size));
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   PA_DCHECK(!IsInCorePools(setup_.regular_pool_base_address_ - 1));
   PA_DCHECK(IsInCorePools(setup_.regular_pool_base_address_));
   PA_DCHECK(
-      IsInCorePools(setup_.regular_pool_base_address_ + regular_pool_size - 1));
+      IsInCorePools(setup_.regular_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(
+  PA_DCHECK(IsInCorePools(setup_.regular_pool_base_address_ + core_pool_size));
-      IsInCorePools(setup_.regular_pool_base_address_ + regular_pool_size));
   PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ - 1));
   PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_));
-  PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ + brp_pool_size - 1));
+  PA_DCHECK(IsInCorePools(setup_.brp_pool_base_address_ + core_pool_size - 1));
-  PA_DCHECK(!IsInCorePools(setup_.brp_pool_base_address_ + brp_pool_size));
+  PA_DCHECK(!IsInCorePools(setup_.brp_pool_base_address_ + core_pool_size));
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 #if PA_BUILDFLAG(ENABLE_POINTER_COMPRESSION)
   CompressedPointerBaseGlobal::SetBase(setup_.regular_pool_base_address_);
@@ -356,18 +301,9 @@ void PartitionAddressSpace::UninitForTesting() {
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
   UninitThreadIsolatedPoolForTesting();  // IN-TEST
 #endif
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   // The core pools (regular & BRP) were allocated using a single allocation of
   // double size.
-  FreePages(setup_.regular_pool_base_address_, 2 * RegularPoolSize());
+  FreePages(setup_.regular_pool_base_address_, 2 * CorePoolSize());
-#else   // PA_BUILDFLAG(GLUE_CORE_POOLS)
-  FreePages(setup_.regular_pool_base_address_, RegularPoolSize());
-  // For BRP pool, the allocation region includes a "forbidden zone" before the
-  // pool.
-  const size_t kForbiddenZoneSize = PageAllocationGranularity();
-  FreePages(setup_.brp_pool_base_address_ - kForbiddenZoneSize,
-            BRPPoolSize() + kForbiddenZoneSize);
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
   // Do not free pages for the configurable pool, because its memory is owned
   // by someone else, but deinitialize it nonetheless.
   setup_.regular_pool_base_address_ = kUninitializedPoolBaseAddress;
@@ -421,9 +357,10 @@ void PartitionAddressSpace::UninitThreadIsolatedPoolForTesting() {
 
 namespace {
 
-int CreateAnonymousFileForMapping([[maybe_unused]] const char* name,
+base::PlatformFile CreateAnonymousFileForMapping(
-                                  [[maybe_unused]] size_t size) {
+    [[maybe_unused]] const char* name,
-  int fd = -1;
+    [[maybe_unused]] size_t size) {
+  base::PlatformFile fd = base::kInvalidPlatformFile;
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
   // TODO(crbug.com/40238514): if memfd_secret() is available, try
   // memfd_secret() first.
@@ -444,7 +381,7 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
     // Reserve 1 address space for all pools.
     const size_t shadow_pool_size =
         std::max(ConfigurablePoolShadowSize(),
-                 std::max(RegularPoolShadowSize(), BRPPoolShadowSize()));
+                 std::max(CorePoolShadowSize(), CorePoolShadowSize()));
 
     // Reserve virtual address space for the shadow pool.
     uintptr_t pool_shadow_address =
@@ -461,7 +398,7 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
 
   // Set up a memory file for the given pool, and init |offset|.
   if (ContainsFlags(mask, PoolHandleMask::kConfigurable)) {
-    if (configurable_pool_fd_ == -1) {
+    if (configurable_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(configurable_pool_shadow_offset_ == 0);
       configurable_pool_fd_ = CreateAnonymousFileForMapping(
@@ -472,22 +409,22 @@ void PartitionAddressSpace::InitShadowMetadata(PoolHandleMask mask) {
     }
   }
   if (ContainsFlags(mask, PoolHandleMask::kBRP)) {
-    if (brp_pool_fd_ == -1) {
+    if (brp_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(brp_pool_shadow_offset_ == 0);
-      brp_pool_fd_ =
+      brp_pool_fd_ = CreateAnonymousFileForMapping("brp_pool_shadow",
-          CreateAnonymousFileForMapping("brp_pool_shadow", BRPPoolShadowSize());
+                                                   CorePoolShadowSize());
       brp_pool_shadow_offset_ =
           pool_shadow_address_ - BRPPoolBase() +
           SystemPageSize() * kSystemPageOffsetOfBRPPoolShadow;
     }
   }
   if (ContainsFlags(mask, PoolHandleMask::kRegular)) {
-    if (regular_pool_fd_ == -1) {
+    if (regular_pool_fd_ == base::kInvalidPlatformFile) {
       PA_DCHECK(pool_shadow_address_);
       PA_DCHECK(regular_pool_shadow_offset_ == 0);
       regular_pool_fd_ = CreateAnonymousFileForMapping("regular_pool_shadow",
-                                                       RegularPoolShadowSize());
+                                                       CorePoolShadowSize());
       regular_pool_shadow_offset_ =
           pool_shadow_address_ - RegularPoolBase() +
           SystemPageSize() * kSystemPageOffsetOfRegularPoolShadow;
@@ -502,7 +439,7 @@ void PartitionAddressSpace::MapMetadata(uintptr_t super_page,
   PA_DCHECK(pool_shadow_address_);
   PA_DCHECK(0u == (super_page & kSuperPageOffsetMask));
   std::ptrdiff_t offset;
-  int pool_fd = -1;
+  base::PlatformFile pool_fd = base::kInvalidPlatformFile;
   uintptr_t base_address;
 
   if (IsInRegularPool(super_page)) {
@@ -533,7 +470,7 @@ void PartitionAddressSpace::MapMetadata(uintptr_t super_page,
   PA_CHECK(ptr != MAP_FAILED);
   PA_CHECK(ptr == reinterpret_cast<void*>(writable_metadata));
 
-  if (PA_UNLIKELY(copy_metadata)) {
+  if (copy_metadata) [[unlikely]] {
     // Copy the metadata from the private and copy-on-write page to
     // the shared page. (=update the memory file)
     memcpy(reinterpret_cast<void*>(writable_metadata),
@@ -561,13 +498,13 @@ void PartitionAddressSpace::UnmapShadowMetadata(uintptr_t super_page,
   switch (pool) {
     case kRegularPoolHandle:
       PA_DCHECK(RegularPoolBase() <= super_page);
-      PA_DCHECK((super_page - RegularPoolBase()) < RegularPoolSize());
+      PA_DCHECK((super_page - RegularPoolBase()) < CorePoolSize());
       PA_DCHECK(IsShadowMetadataEnabled(kRegularPoolHandle));
       offset = regular_pool_shadow_offset_;
       break;
     case kBRPPoolHandle:
       PA_DCHECK(BRPPoolBase() <= super_page);
-      PA_DCHECK((super_page - BRPPoolBase()) < BRPPoolSize());
+      PA_DCHECK((super_page - BRPPoolBase()) < CorePoolSize());
       PA_DCHECK(IsShadowMetadataEnabled(kBRPPoolHandle));
       offset = brp_pool_shadow_offset_;
       break;

src/base/allocator/partition_allocator/src/partition_alloc/partition_address_space.h

@@ -15,6 +15,7 @@
 #include "partition_alloc/partition_alloc_base/bits.h"
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
+#include "partition_alloc/partition_alloc_base/files/platform_file.h"
 #include "partition_alloc/partition_alloc_base/notreached.h"
 #include "partition_alloc/partition_alloc_check.h"
 #include "partition_alloc/partition_alloc_config.h"
@@ -46,18 +47,12 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   };
 
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static uintptr_t BRPPoolBaseMask() {
+  PA_ALWAYS_INLINE static uintptr_t CorePoolBaseMask() {
-    return setup_.brp_pool_base_mask_;
+    return setup_.core_pool_base_mask_;
-  }
-  PA_ALWAYS_INLINE static uintptr_t RegularPoolBaseMask() {
-    return setup_.regular_pool_base_mask_;
   }
 #else
-  PA_ALWAYS_INLINE static constexpr uintptr_t BRPPoolBaseMask() {
+  PA_ALWAYS_INLINE static constexpr uintptr_t CorePoolBaseMask() {
-    return kBRPPoolBaseMask;
+    return kCorePoolBaseMask;
-  }
-  PA_ALWAYS_INLINE static constexpr uintptr_t RegularPoolBaseMask() {
-    return kRegularPoolBaseMask;
   }
 #endif
 
@@ -73,13 +68,13 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
     if (IsInBRPPool(address)) {
       pool = kBRPPoolHandle;
       base = setup_.brp_pool_base_address_;
-      base_mask = BRPPoolBaseMask();
+      base_mask = CorePoolBaseMask();
     } else
 #endif  // PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
       if (IsInRegularPool(address)) {
         pool = kRegularPoolHandle;
         base = setup_.regular_pool_base_address_;
-        base_mask = RegularPoolBaseMask();
+        base_mask = CorePoolBaseMask();
       } else if (IsInConfigurablePool(address)) {
         PA_DCHECK(IsConfigurablePoolInitialized());
         pool = kConfigurablePoolHandle;
@@ -150,9 +145,9 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInRegularPool(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t regular_pool_base_mask = setup_.regular_pool_base_mask_;
+    const uintptr_t regular_pool_base_mask = setup_.core_pool_base_mask_;
 #else
-    constexpr uintptr_t regular_pool_base_mask = kRegularPoolBaseMask;
+    constexpr uintptr_t regular_pool_base_mask = kCorePoolBaseMask;
 #endif
     return (address & regular_pool_base_mask) ==
            setup_.regular_pool_base_address_;
@@ -165,34 +160,29 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInBRPPool(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t brp_pool_base_mask = setup_.brp_pool_base_mask_;
+    const uintptr_t brp_pool_base_mask = setup_.core_pool_base_mask_;
 #else
-    constexpr uintptr_t brp_pool_base_mask = kBRPPoolBaseMask;
+    constexpr uintptr_t brp_pool_base_mask = kCorePoolBaseMask;
 #endif
     return (address & brp_pool_base_mask) == setup_.brp_pool_base_address_;
   }
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
   PA_ALWAYS_INLINE static uintptr_t BRPPoolBase() {
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
+    return RegularPoolBase() + CorePoolSize();
-    return RegularPoolBase() + RegularPoolSize();
-#else
-    return setup_.brp_pool_base_address_;
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
   }
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
   // Checks whether the address belongs to either regular or BRP pool.
   // Returns false for nullptr.
   PA_ALWAYS_INLINE static bool IsInCorePools(uintptr_t address) {
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    const uintptr_t core_pools_base_mask = setup_.core_pools_base_mask_;
+    const uintptr_t core_pools_base_mask = setup_.glued_pools_base_mask_;
 #else
-    // When PA_GLUE_CORE_POOLS is on, the BRP pool is placed at the end of the
+    // The BRP pool is placed at the end of the regular pool, effectively
-    // regular pool, effectively forming one virtual pool of a twice bigger
+    // forming one virtual pool of a twice bigger size. Adjust the mask
-    // size. Adjust the mask appropriately.
+    // appropriately.
-    constexpr uintptr_t core_pools_base_mask = kRegularPoolBaseMask << 1;
+    constexpr uintptr_t core_pools_base_mask = kCorePoolBaseMask << 1;
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
     bool ret =
         (address & core_pools_base_mask) == setup_.regular_pool_base_address_;
@@ -200,15 +190,12 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
     return ret;
   }
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static size_t CorePoolsSize() {
+  PA_ALWAYS_INLINE static size_t CorePoolsSize() { return CorePoolSize() * 2; }
-    return RegularPoolSize() * 2;
-  }
 #else
   PA_ALWAYS_INLINE static constexpr size_t CorePoolsSize() {
-    return RegularPoolSize() * 2;
+    return CorePoolSize() * 2;
   }
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
   PA_ALWAYS_INLINE static uintptr_t OffsetInBRPPool(uintptr_t address) {
     PA_DCHECK(IsInBRPPool(address));
@@ -235,15 +222,15 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnRegularPool() {
-    return regular_pool_fd_ != -1;
+    return regular_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnBRPPool() {
-    return brp_pool_fd_ != -1;
+    return brp_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabledOnConfigurablePool() {
-    return configurable_pool_fd_ != -1;
+    return configurable_pool_fd_ != base::kInvalidPlatformFile;
   }
 
   PA_ALWAYS_INLINE static bool IsShadowMetadataEnabled(pool_handle pool) {
@@ -290,8 +277,7 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   static constexpr size_t kSystemPageOffsetOfBRPPoolShadow = 2u;
   static constexpr size_t kSystemPageOffsetOfConfigurablePoolShadow = 4u;
 
-  static size_t RegularPoolShadowSize();
+  static size_t CorePoolShadowSize();
-  static size_t BRPPoolShadowSize();
   static size_t ConfigurablePoolShadowSize();
 
   PA_ALWAYS_INLINE static std::ptrdiff_t RegularPoolShadowOffset() {
@@ -320,12 +306,14 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // reserved for the regular and brp shadow. However the result |true| doesn't
   // mean the given |ptr| is valid. Because we don't use the entire address
   // space for the shadow. We only use 2 SystemPageSize() / kSuperPageSize(%)
-  // of the space. See PoolShadowOffset().
+  // of the space.
+  //
+  // TODO(crbug.com/40238514) This is an unused function. Start using it in
+  // tests and/or in production code.
   PA_ALWAYS_INLINE static bool IsInPoolShadow(const void* ptr) {
     uintptr_t ptr_as_uintptr = reinterpret_cast<uintptr_t>(ptr);
     return (pool_shadow_address_ <= ptr_as_uintptr &&
-            (ptr_as_uintptr < pool_shadow_address_ + RegularPoolSize() ||
+            (ptr_as_uintptr < pool_shadow_address_ + CorePoolSize() ||
-             ptr_as_uintptr < pool_shadow_address_ + BRPPoolSize() ||
              ptr_as_uintptr < pool_shadow_address_ + kConfigurablePoolMaxSize));
   }
 #endif  // PA_BUILDFLAG(DCHECKS_ARE_ON)
@@ -343,15 +331,15 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
 
  private:
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-  PA_ALWAYS_INLINE static size_t RegularPoolSize();
+  static bool IsIOSTestProcess();
-  PA_ALWAYS_INLINE static size_t BRPPoolSize();
+
+  PA_ALWAYS_INLINE static size_t CorePoolSize() {
+    return IsIOSTestProcess() ? kCorePoolSizeForIOSTestProcess : kCorePoolSize;
+  }
 #else
   // The pool sizes should be as large as maximum whenever possible.
-  PA_ALWAYS_INLINE static constexpr size_t RegularPoolSize() {
+  PA_ALWAYS_INLINE static constexpr size_t CorePoolSize() {
-    return kRegularPoolSize;
+    return kCorePoolSize;
-  }
-  PA_ALWAYS_INLINE static constexpr size_t BRPPoolSize() {
-    return kBRPPoolSize;
   }
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
@@ -380,10 +368,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // certain PA allocations must be located inside a given virtual address
   // region. One use case for this Pool is V8 Sandbox, which requires that
   // ArrayBuffers be located inside of it.
-  static constexpr size_t kRegularPoolSize = kPoolMaxSize;
+  static constexpr size_t kCorePoolSize = kPoolMaxSize;
-  static constexpr size_t kBRPPoolSize = kPoolMaxSize;
+  static_assert(base::bits::HasSingleBit(kCorePoolSize));
-  static_assert(base::bits::HasSingleBit(kRegularPoolSize));
-  static_assert(base::bits::HasSingleBit(kBRPPoolSize));
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
   static constexpr size_t kThreadIsolatedPoolSize = kGiB / 4;
   static_assert(base::bits::HasSingleBit(kThreadIsolatedPoolSize));
@@ -403,22 +389,16 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // We can't afford pool sizes as large as kPoolMaxSize in iOS EarlGrey tests,
   // since the test process cannot use an extended virtual address space (see
   // crbug.com/1250788).
-  static constexpr size_t kRegularPoolSizeForIOSTestProcess = kGiB / 4;
+  static constexpr size_t kCorePoolSizeForIOSTestProcess = kGiB / 4;
-  static constexpr size_t kBRPPoolSizeForIOSTestProcess = kGiB / 4;
+  static_assert(kCorePoolSizeForIOSTestProcess < kCorePoolSize);
-  static_assert(kRegularPoolSizeForIOSTestProcess < kRegularPoolSize);
+  static_assert(base::bits::HasSingleBit(kCorePoolSizeForIOSTestProcess));
-  static_assert(kBRPPoolSizeForIOSTestProcess < kBRPPoolSize);
-  static_assert(base::bits::HasSingleBit(kRegularPoolSizeForIOSTestProcess));
-  static_assert(base::bits::HasSingleBit(kBRPPoolSizeForIOSTestProcess));
 #endif  // PA_BUILDFLAG(IOS_IOS)
 
 #if !PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
   // Masks used to easy determine belonging to a pool.
-  static constexpr uintptr_t kRegularPoolOffsetMask =
+  static constexpr uintptr_t kCorePoolOffsetMask =
-      static_cast<uintptr_t>(kRegularPoolSize) - 1;
+      static_cast<uintptr_t>(kCorePoolSize) - 1;
-  static constexpr uintptr_t kRegularPoolBaseMask = ~kRegularPoolOffsetMask;
+  static constexpr uintptr_t kCorePoolBaseMask = ~kCorePoolOffsetMask;
-  static constexpr uintptr_t kBRPPoolOffsetMask =
-      static_cast<uintptr_t>(kBRPPoolSize) - 1;
-  static constexpr uintptr_t kBRPPoolBaseMask = ~kBRPPoolOffsetMask;
 #endif  // !PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
 
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
@@ -448,11 +428,8 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
         kUninitializedPoolBaseAddress;
 #endif
 #if PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
-    uintptr_t regular_pool_base_mask_ = 0;
+    uintptr_t core_pool_base_mask_ = 0;
-    uintptr_t brp_pool_base_mask_ = 0;
+    uintptr_t glued_pools_base_mask_ = 0;
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
-    uintptr_t core_pools_base_mask_ = 0;
-#endif
 #endif  // PA_CONFIG(DYNAMICALLY_SELECT_POOL_SIZE)
     uintptr_t configurable_pool_base_mask_ = 0;
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
@@ -472,16 +449,15 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC) PartitionAddressSpace {
   // These are write-once fields, frequently accessed thereafter. Make sure they
   // don't share a cacheline with other, potentially writeable data, through
   // alignment and padding.
-  static PoolSetup setup_ PA_CONSTINIT;
+  PA_CONSTINIT static PoolSetup setup_;
 
 #if PA_CONFIG(ENABLE_SHADOW_METADATA)
   static std::ptrdiff_t regular_pool_shadow_offset_;
   static std::ptrdiff_t brp_pool_shadow_offset_;
   static std::ptrdiff_t configurable_pool_shadow_offset_;
-  // TODO(crbug.com/40238514): Use platform file handles instead of |int|.
+  static base::PlatformFile regular_pool_fd_;
-  static int regular_pool_fd_;
+  static base::PlatformFile brp_pool_fd_;
-  static int brp_pool_fd_;
+  static base::PlatformFile configurable_pool_fd_;
-  static int configurable_pool_fd_;
   static uintptr_t pool_shadow_address_;
 #endif  // PA_CONFIG(ENABLE_SHADOW_METADATA)
 
@@ -513,10 +489,8 @@ PA_ALWAYS_INLINE bool IsManagedByPartitionAlloc(uintptr_t address) {
 #if !PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
   PA_DCHECK(!internal::PartitionAddressSpace::IsInBRPPool(address));
 #endif
-  return internal::PartitionAddressSpace::IsInRegularPool(address)
+
-#if PA_BUILDFLAG(ENABLE_BACKUP_REF_PTR_SUPPORT)
+  return internal::PartitionAddressSpace::IsInCorePools(address)
-         || internal::PartitionAddressSpace::IsInBRPPool(address)
-#endif
 #if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
          || internal::PartitionAddressSpace::IsInThreadIsolatedPool(address)
 #endif
@@ -533,13 +507,11 @@ PA_ALWAYS_INLINE bool IsManagedByPartitionAllocBRPPool(uintptr_t address) {
   return internal::PartitionAddressSpace::IsInBRPPool(address);
 }
 
-#if PA_BUILDFLAG(GLUE_CORE_POOLS)
 // Checks whether the address belongs to either regular or BRP pool.
 // Returns false for nullptr.
 PA_ALWAYS_INLINE bool IsManagedByPartitionAllocCorePools(uintptr_t address) {
   return internal::PartitionAddressSpace::IsInCorePools(address);
 }
-#endif  // PA_BUILDFLAG(GLUE_CORE_POOLS)
 
 // Returns false for nullptr.
 PA_ALWAYS_INLINE bool IsManagedByPartitionAllocConfigurablePool(

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc-inl.h

@@ -65,7 +65,7 @@ PA_ALWAYS_INLINE void DebugMemset(void* ptr, int value, size_t size) {
   // faster. Note that for direct-mapped allocations, memory is decomitted at
   // free() time, so freed memory usage cannot happen.
 
-#if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION)
+#if PA_BUILDFLAG(ENABLE_THREAD_ISOLATION) && PA_BUILDFLAG(ENABLE_PKEYS)
   LiftThreadIsolationScope lift_thread_isolation_restrictions;
 #endif
   size_t size_to_memset = std::min(size, size_t{1} << 19);
@@ -79,7 +79,7 @@ PA_ALWAYS_INLINE void DebugMemset(void* ptr, int value, size_t size) {
 #if !PA_BUILDFLAG(DCHECKS_ARE_ON)
 PA_ALWAYS_INLINE bool RandomPeriod() {
   static thread_local uint8_t counter = 0;
-  if (PA_UNLIKELY(counter == 0)) {
+  if (counter == 0) [[unlikely]] {
     // It's OK to truncate this value.
     counter = static_cast<uint8_t>(RandomValue());
   }

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc.cc

@@ -46,7 +46,12 @@ void PartitionAllocGlobalInit(OomFunction on_out_of_memory) {
       (internal::PartitionPageSize() & internal::SystemPageOffsetMask()) == 0,
       "ok partition page multiple");
   static_assert(
-      sizeof(internal::PartitionPageMetadata) <= internal::kPageMetadataSize,
+      sizeof(
+          internal::PartitionPageMetadata<internal::MetadataKind::kReadOnly>) <=
+              internal::kPageMetadataSize &&
+          sizeof(internal::PartitionPageMetadata<
+                 internal::MetadataKind::kWritable>) <=
+              internal::kPageMetadataSize,
       "PartitionPage should not be too big");
   STATIC_ASSERT_OR_PA_CHECK(
       internal::kPageMetadataSize * internal::NumPartitionPagesPerSuperPage() <=

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/augmentations/compiler_specific.h

@@ -9,6 +9,18 @@
 
 #include "partition_alloc/partition_alloc_base/compiler_specific.h"
 
+// Indicate whether `operator<=>()` is supported by both language and library.
+// This can be removed once the minimum C++ version is C++20.
+#if __has_include(<version>)
+#include <version>
+#endif
+#if defined(__cpp_lib_three_way_comparison) && \
+    __cpp_lib_three_way_comparison >= 201907L
+#define PA_HAVE_SPACESHIP_OPERATOR 1
+#else
+#define PA_HAVE_SPACESHIP_OPERATOR 0
+#endif
+
 // PA_ATTRIBUTE_RETURNS_NONNULL
 //
 // Tells the compiler that a function never returns a null pointer.

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/bits.h

@@ -87,24 +87,22 @@ PA_ALWAYS_INLINE constexpr
     typename std::enable_if<std::is_unsigned_v<T> && sizeof(T) <= 8, int>::type
     CountlZero(T value) {
   static_assert(bits > 0, "invalid instantiation");
+  if (value) [[likely]] {
 #if PA_BUILDFLAG(PA_COMPILER_MSVC) && !defined(__clang__)
-  // We would prefer to use the _BitScanReverse(64) intrinsics, but they
+    // We would prefer to use the _BitScanReverse(64) intrinsics, but they
-  // aren't constexpr and thus unusable here.
+    // aren't constexpr and thus unusable here.
-  if (PA_LIKELY(value)) {
     int leading_zeros = 0;
     constexpr T kMostSignificantBitMask = 1ull << (bits - 1);
     for (; !(value & kMostSignificantBitMask); value <<= 1, ++leading_zeros) {
     }
     return leading_zeros;
+#else
+    return bits == 64
+               ? __builtin_clzll(static_cast<uint64_t>(value))
+               : __builtin_clz(static_cast<uint32_t>(value)) - (32 - bits);
+#endif
   }
   return bits;
-#else
-  return PA_LIKELY(value)
-             ? bits == 64
-                   ? __builtin_clzll(static_cast<uint64_t>(value))
-                   : __builtin_clz(static_cast<uint32_t>(value)) - (32 - bits)
-             : bits;
-#endif  // PA_BUILDFLAG(PA_COMPILER_MSVC) && !defined(__clang__)
 }
 
 // Backport of C++20 std::countr_zero in <bit>.
@@ -115,24 +113,21 @@ template <typename T, int bits = sizeof(T) * 8>
 PA_ALWAYS_INLINE constexpr
     typename std::enable_if<std::is_unsigned_v<T> && sizeof(T) <= 8, int>::type
     CountrZero(T value) {
+  if (value) [[likely]] {
 #if PA_BUILDFLAG(PA_COMPILER_MSVC) && !defined(__clang__)
-  // We would prefer to use the _BitScanForward(64) intrinsics, but they
+    // We would prefer to use the _BitScanForward(64) intrinsics, but they
-  // aren't constexpr and thus unusable here.
+    // aren't constexpr and thus unusable here.
-  if (PA_LIKELY(value)) {
     int trailing_zeros = 0;
     constexpr T kLeastSignificantBitMask = 1ull;
     for (; !(value & kLeastSignificantBitMask); value >>= 1, ++trailing_zeros) {
     }
     return trailing_zeros;
+#else
+    return bits == 64 ? __builtin_ctzll(static_cast<uint64_t>(value))
+                      : __builtin_ctz(static_cast<uint32_t>(value));
+#endif
   }
   return bits;
-
-#else
-  return PA_LIKELY(value) ? bits == 64
-                                ? __builtin_ctzll(static_cast<uint64_t>(value))
-                                : __builtin_ctz(static_cast<uint32_t>(value))
-                          : bits;
-#endif  // PA_BUILDFLAG(PA_COMPILER_MSVC) && !defined(__clang__)
 }
 
 // Backport of C++20 std::bit_width in <bit>.

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/check.h

@@ -20,11 +20,12 @@
 // This header defines the CHECK, DCHECK, and DPCHECK macros.
 //
 // CHECK dies with a fatal error if its condition is not true. It is not
-// controlled by NDEBUG, so the check will be executed regardless of compilation
+// controlled by PA_BUILDFLAG(IS_DEBUG), so the check will be executed
-// mode.
+// regardless of compilation mode.
 //
-// DCHECK, the "debug mode" check, is enabled depending on NDEBUG and
+// DCHECK, the "debug mode" check, is enabled depending on
-// DCHECK_ALWAYS_ON, and its severity depends on DCHECK_IS_CONFIGURABLE.
+// PA_BUILDFLAG(IS_DEBUG) and PA_BUILDFLAG(DCHECK_ALWAYS_ON), and its severity
+// depends on PA_BUILDFLAG(DCHECK_IS_CONFIGURABLE).
 //
 // (D)PCHECK is like (D)CHECK, but includes the system error code (c.f.
 // perror(3)).
@@ -141,29 +142,37 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) NotImplemented
 
 }  // namespace check_error
 
-#if defined(OFFICIAL_BUILD) && !defined(NDEBUG)
+#if defined(OFFICIAL_BUILD) && PA_BUILDFLAG(IS_DEBUG)
 #error "Debug builds are not expected to be optimized as official builds."
-#endif  // defined(OFFICIAL_BUILD) && !defined(NDEBUG)
+#endif  // defined(OFFICIAL_BUILD) && BUILDFLAG(IS_DEBUG)
 
 #if defined(OFFICIAL_BUILD) && !PA_BUILDFLAG(DCHECKS_ARE_ON)
 
+// TODO(crbug.com/357081797): Use `[[unlikely]]` instead when there's a way to
+// switch the expression below to a statement without breaking
+// -Wthread-safety-analysis.
+#if PA_HAS_BUILTIN(__builtin_expect)
+#define PA_BASE_INTERNAL_EXPECT_FALSE(cond) __builtin_expect(!(cond), 0)
+#else
+#define PA_BASE_INTERNAL_EXPECT_FALSE(cond) !(cond)
+#endif
 // Discard log strings to reduce code bloat.
 //
 // This is not calling BreakDebugger since this is called frequently, and
 // calling an out-of-line function instead of a noreturn inline macro prevents
 // compiler optimizations.
-#define PA_BASE_CHECK(condition)                   \
+#define PA_BASE_CHECK(cond)                                  \
-  PA_UNLIKELY(!(condition)) ? PA_IMMEDIATE_CRASH() \
+  PA_BASE_INTERNAL_EXPECT_FALSE(cond) ? PA_IMMEDIATE_CRASH() \
-                            : PA_EAT_CHECK_STREAM_PARAMS()
+                                      : PA_EAT_CHECK_STREAM_PARAMS()
 
 #define PA_BASE_CHECK_WILL_STREAM() false
 
-#define PA_BASE_PCHECK(condition)                                         \
+#define PA_BASE_PCHECK(cond)                                              \
   PA_LAZY_CHECK_STREAM(                                                   \
       ::partition_alloc::internal::logging::check_error::PCheck(__FILE__, \
                                                                 __LINE__) \
           .stream(),                                                      \
-      PA_UNLIKELY(!(condition)))
+      PA_BASE_INTERNAL_EXPECT_FALSE(cond))
 
 #else
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/compiler_specific.h

@@ -6,98 +6,168 @@
 #define PARTITION_ALLOC_PARTITION_ALLOC_BASE_COMPILER_SPECIFIC_H_
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
-// A wrapper around `__has_cpp_attribute`.
+// A wrapper around `__has_cpp_attribute()`, which is in C++20 and thus not yet
+// available for all targets PA supports (since PA's minimum C++ version is 17).
+// This works similarly to `PA_HAS_ATTRIBUTE()` below, in that where it's
+// unavailable it will map to `0`.
 #if defined(__has_cpp_attribute)
 #define PA_HAS_CPP_ATTRIBUTE(x) __has_cpp_attribute(x)
 #else
 #define PA_HAS_CPP_ATTRIBUTE(x) 0
 #endif
 
-// A wrapper around `__has_attribute`, similar to PA_HAS_CPP_ATTRIBUTE.
+// A wrapper around `__has_attribute()`, which is similar to the C++20-standard
+// `__has_cpp_attribute()`, but tests for support for `__attribute__(())`s.
+// Compilers that do not support this (e.g. MSVC) are also assumed not to
+// support `__attribute__`, so this is simply mapped to `0` there.
+//
+// See also:
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-attribute
 #if defined(__has_attribute)
 #define PA_HAS_ATTRIBUTE(x) __has_attribute(x)
 #else
 #define PA_HAS_ATTRIBUTE(x) 0
 #endif
 
-// A wrapper around `__has_builtin`, similar to PA_HAS_CPP_ATTRIBUTE.
+// A wrapper around `__has_builtin`, similar to `PA_HAS_ATTRIBUTE()`.
+//
+// See also:
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-builtin
 #if defined(__has_builtin)
 #define PA_HAS_BUILTIN(x) __has_builtin(x)
 #else
 #define PA_HAS_BUILTIN(x) 0
 #endif
 
-// Annotate a function indicating it should not be inlined.
+// A wrapper around `__has_feature`, similar to `PA_HAS_ATTRIBUTE()`.
-// Use like:
+//
-//   NOINLINE void DoStuff() { ... }
+// See also:
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(noinline)
+//   https://clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension
-#define PA_NOINLINE [[clang::noinline]]
+#if defined(__has_feature)
-#elif PA_BUILDFLAG(PA_COMPILER_GCC) && PA_HAS_ATTRIBUTE(noinline)
+#define PA_HAS_FEATURE(FEATURE) __has_feature(FEATURE)
-#define PA_NOINLINE __attribute__((noinline))
+#else
-#elif PA_BUILDFLAG(PA_COMPILER_MSVC)
+#define PA_HAS_FEATURE(FEATURE) 0
-#define PA_NOINLINE __declspec(noinline)
+#endif
+
+// Annotates a function indicating it should not be inlined.
+//
+// Note that this may still fail to preserve function calls in the most trivial
+// cases, due to optimizations like constant folding; see
+// https://stackoverflow.com/questions/54481855/clang-ignoring-attribute-noinline/54482070#54482070.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#noinline
+//
+// Usage:
+// ```
+//   PA_NOINLINE void Func() {
+//     // This body will not be inlined into callers.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gnu::noinline)
+#define PA_NOINLINE [[gnu::noinline]]
+#elif PA_HAS_CPP_ATTRIBUTE(msvc::noinline)
+#define PA_NOINLINE [[msvc::noinline]]
 #else
 #define PA_NOINLINE
 #endif
 
-#if defined(__clang__) && defined(NDEBUG) && PA_HAS_ATTRIBUTE(always_inline)
+// Annotates a function indicating it should always be inlined.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#always-inline-force-inline
+//
+// Usage:
+// ```
+//   PA_ALWAYS_INLINE void Func() {
+//     // This body will be inlined into callers whenever possible.
+//   }
+// ```
+//
+// Since `ALWAYS_INLINE` is performance-oriented but can hamper debugging,
+// ignore it in debug mode.
+#if !PA_BUILDFLAG(IS_DEBUG)
+#if PA_HAS_CPP_ATTRIBUTE(clang::always_inline)
 #define PA_ALWAYS_INLINE [[clang::always_inline]] inline
-#elif PA_BUILDFLAG(PA_COMPILER_GCC) && defined(NDEBUG) && \
+#elif PA_HAS_CPP_ATTRIBUTE(gnu::always_inline)
-    PA_HAS_ATTRIBUTE(always_inline)
+#define PA_ALWAYS_INLINE [[gnu::always_inline]] inline
-#define PA_ALWAYS_INLINE inline __attribute__((__always_inline__))
+#elif defined(PA_COMPILER_MSVC)
-#elif PA_BUILDFLAG(PA_COMPILER_MSVC) && defined(NDEBUG)
 #define PA_ALWAYS_INLINE __forceinline
-#else
+#endif
+#endif  // !PA_BUILDFLAG(IS_DEBUG)
+#if !defined(PA_ALWAYS_INLINE)
 #define PA_ALWAYS_INLINE inline
 #endif
 
-// Annotate a function indicating it should never be tail called. Useful to make
+// Annotates a function indicating it should never be tail called. Useful to
-// sure callers of the annotated function are never omitted from call-stacks.
+// make sure callers of the annotated function are never omitted from call
-// To provide the complementary behavior (prevent the annotated function from
+// stacks. Often useful with `PA_NOINLINE` to make sure the function itself is
-// being omitted) look at NOINLINE. Also note that this doesn't prevent code
+// also not omitted from call stacks. Note: this does not prevent code folding
-// folding of multiple identical caller functions into a single signature. To
+// of multiple identical callers into a single signature; to do that, see
-// prevent code folding, see NO_CODE_FOLDING() in base/debug/alias.h.
+// `PA_NO_CODE_FOLDING()` in partition_alloc_base/debug/alias.h.
-// Use like:
+//
-//   void NOT_TAIL_CALLED FooBar();
+// See also:
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(not_tail_called)
+//   https://clang.llvm.org/docs/AttributeReference.html#not-tail-called
+//
+// Usage:
+// ```
+//   // Calls to this method will not be tail calls.
+//   PA_NOT_TAIL_CALLED void Func();
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::not_tail_called)
 #define PA_NOT_TAIL_CALLED [[clang::not_tail_called]]
 #else
 #define PA_NOT_TAIL_CALLED
 #endif
 
-// Specify memory alignment for structs, classes, etc.
+// Annotates a return statement indicating the compiler must convert it to a
-// Use like:
+// tail call. Can be used only on return statements, even for functions
-//   class PA_ALIGNAS(16) MyClass { ... }
+// returning void. Caller and callee must have the same number of arguments and
-//   PA_ALIGNAS(16) int array[4];
+// the argument types must be "similar". While the compiler may automatically
+// convert compatible calls to tail calls when optimizing, this annotation
+// requires it to occur if doing so is valid, and will not compile otherwise.
 //
-// In most places you can use the C++11 keyword "alignas", which is preferred.
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#musttail
 //
-// Historically, compilers had trouble mixing __attribute__((...)) syntax with
+// Usage:
-// alignas(...) syntax. However, at least Clang is very accepting nowadays. It
+// ```
-// may be that this macro can be removed entirely.
+//   int Func1(double);
-#if defined(__clang__)
+//   int Func2(double d) {
-#define PA_ALIGNAS(byte_alignment) alignas(byte_alignment)
+//     PA_MUSTTAIL return Func1(d + 1);  // `Func1()` will be tail-called.
-#elif PA_BUILDFLAG(PA_COMPILER_MSVC)
+//   }
-#define PA_ALIGNAS(byte_alignment) __declspec(align(byte_alignment))
+// ```
-#elif PA_BUILDFLAG(PA_COMPILER_GCC) && PA_HAS_ATTRIBUTE(aligned)
+#if PA_HAS_CPP_ATTRIBUTE(clang::musttail) && !defined(__MIPSEL__)
-#define PA_ALIGNAS(byte_alignment) __attribute__((aligned(byte_alignment)))
+#define PA_MUSTTAIL [[clang::musttail]]
+#else
+#define PA_MUSTTAIL
 #endif
 
-// In case the compiler supports it PA_NO_UNIQUE_ADDRESS evaluates to the C++20
+// Annotates a data member indicating it need not have an address distinct from
-// attribute [[no_unique_address]]. This allows annotating data members so that
+// all other non-static data members of the class, and its tail padding may be
-// they need not have an address distinct from all other non-static data members
+// used for other objects' storage. This can have subtle and dangerous effects,
-// of its class.
+// including on containing objects; use with caution.
+//
+// See also:
+//   https://en.cppreference.com/w/cpp/language/attributes/no_unique_address
+//   https://wg21.link/dcl.attr.nouniqueaddr
+// Usage:
+// ```
+//   // In the following struct, `t` might not have a unique address from `i`,
+//   // and `t`'s tail padding (if any) may be reused by subsequent objects.
+//   struct S {
+//     int i;
+//     PA_NO_UNIQUE_ADDRESS T t;
+//   };
+// ```
 //
-// References:
-// * https://en.cppreference.com/w/cpp/language/attributes/no_unique_address
-// * https://wg21.link/dcl.attr.nouniqueaddr
-#if PA_BUILDFLAG(PA_COMPILER_MSVC) && \
-    PA_HAS_CPP_ATTRIBUTE(msvc::no_unique_address)
 // Unfortunately MSVC ignores [[no_unique_address]] (see
 // https://devblogs.microsoft.com/cppblog/msvc-cpp20-and-the-std-cpp20-switch/#msvc-extensions-and-abi),
 // and clang-cl matches it for ABI compatibility reasons. We need to prefer
 // [[msvc::no_unique_address]] when available if we actually want any effect.
+#if PA_HAS_CPP_ATTRIBUTE(msvc::no_unique_address)
 #define PA_NO_UNIQUE_ADDRESS [[msvc::no_unique_address]]
 #elif PA_HAS_CPP_ATTRIBUTE(no_unique_address)
 #define PA_NO_UNIQUE_ADDRESS [[no_unique_address]]
@@ -105,211 +175,305 @@
 #define PA_NO_UNIQUE_ADDRESS
 #endif
 
-// Tells the compiler a function is using a printf-style format string.
+// Annotates a function indicating it takes a `printf()`-style format string.
-// |format_param| is the one-based index of the format string parameter;
+// The compiler will check that the provided arguments match the type specifiers
-// |dots_param| is the one-based index of the "..." parameter.
+// in the format string. Useful to detect mismatched format strings/args.
-// For v*printf functions (which take a va_list), pass 0 for dots_param.
+//
-// (This is undocumented but matches what the system C headers do.)
+// `format_param` is the one-based index of the format string parameter;
-// For member functions, the implicit this parameter counts as index 1.
+// `dots_param` is the one-based index of the "..." parameter.
-#if (PA_BUILDFLAG(PA_COMPILER_GCC) || defined(__clang__)) && \
+// For `v*printf()` functions (which take a `va_list`), `dots_param` should be
-    PA_HAS_ATTRIBUTE(format)
+// 0. For member functions, the implicit `this` parameter is at index 1.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#format
+//   https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-format-function-attribute
+//
+// Usage:
+// ```
+//   PA_PRINTF_FORMAT(1, 2)
+//   void Print(const char* format, ...);
+//   void Func() {
+//     // The following call will not compile; diagnosed as format and argument
+//     // types mismatching.
+//     Print("%s", 1);
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gnu::format)
 #define PA_PRINTF_FORMAT(format_param, dots_param) \
-  __attribute__((format(printf, format_param, dots_param)))
+  [[gnu::format(printf, format_param, dots_param)]]
 #else
 #define PA_PRINTF_FORMAT(format_param, dots_param)
 #endif
 
-// Sanitizers annotations.
+// Annotates a function disabling the named sanitizer within its body.
-#if PA_HAS_ATTRIBUTE(no_sanitize)
+//
-#define PA_NO_SANITIZE(what) __attribute__((no_sanitize(what)))
+// See also:
-#endif
+//   https://clang.llvm.org/docs/AttributeReference.html#no-sanitize
-#if !defined(PA_NO_SANITIZE)
+//   https://clang.llvm.org/docs/UsersManual.html#controlling-code-generation
-#define PA_NO_SANITIZE(what)
+//
+// Usage:
+// ```
+//   PA_NO_SANITIZE("cfi-icall") void Func() {
+//     // CFI indirect call checks will not be performed in this body.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::no_sanitize)
+#define PA_NO_SANITIZE(sanitizer) [[clang::no_sanitize(sanitizer)]]
+#else
+#define PA_NO_SANITIZE(sanitizer)
 #endif
 
-// MemorySanitizer annotations.
+// Annotates a pointer and size directing MSAN to treat that memory region as
+// fully initialized. Useful for e.g. code that deliberately reads uninitialized
+// data, such as a GC scavenging root set pointers from the stack.
+//
+// See also:
+//   https://github.com/google/sanitizers/wiki/MemorySanitizer
+//
+// Usage:
+// ```
+//   T* ptr = ...;
+//   // After the next statement, MSAN will assume `ptr` points to an
+//   // initialized `T`.
+//   PA_MSAN_UNPOISON(ptr, sizeof(T));
+// ```
 #if defined(MEMORY_SANITIZER)
 #include <sanitizer/msan_interface.h>
-
-// Mark a memory region fully initialized.
-// Use this to annotate code that deliberately reads uninitialized data, for
-// example a GC scavenging root set pointers from the stack.
 #define PA_MSAN_UNPOISON(p, size) __msan_unpoison(p, size)
-#else  // MEMORY_SANITIZER
+#else
 #define PA_MSAN_UNPOISON(p, size)
-#endif  // MEMORY_SANITIZER
-
-// Macro for hinting that an expression is likely to be false.
-#if !defined(PA_UNLIKELY)
-#if PA_BUILDFLAG(PA_COMPILER_GCC) || defined(__clang__)
-#define PA_UNLIKELY(x) __builtin_expect(!!(x), 0)
-#else
-#define PA_UNLIKELY(x) (x)
-#endif  // PA_BUILDFLAG(PA_COMPILER_GCC)
-#endif  // !defined(PA_UNLIKELY)
-
-#if !defined(PA_LIKELY)
-#if PA_BUILDFLAG(PA_COMPILER_GCC) || defined(__clang__)
-#define PA_LIKELY(x) __builtin_expect(!!(x), 1)
-#else
-#define PA_LIKELY(x) (x)
-#endif  // PA_BUILDFLAG(PA_COMPILER_GCC)
-#endif  // !defined(PA_LIKELY)
-
-// Compiler feature-detection.
-// clang.llvm.org/docs/LanguageExtensions.html#has-feature-and-has-extension
-#if defined(__has_feature)
-#define PA_HAS_FEATURE(FEATURE) __has_feature(FEATURE)
-#else
-#define PA_HAS_FEATURE(FEATURE) 0
 #endif
 
-#if !defined(PA_CPU_ARM_NEON)
+// Annotates a codepath suppressing static analysis along that path. Useful when
-#if defined(__arm__)
+// code is safe in practice for reasons the analyzer can't detect, e.g. because
-#if !defined(__ARMEB__) && !defined(__ARM_EABI__) && !defined(__EABI__) && \
+// the condition leading to that path guarantees a param is non-null.
-    !defined(__VFP_FP__) && !defined(_WIN32_WCE) && !defined(ANDROID)
-#error Chromium does not support middle endian architecture
-#endif
-#if defined(__ARM_NEON__)
-#define PA_CPU_ARM_NEON 1
-#endif
-#endif  // defined(__arm__)
-#endif  // !defined(CPU_ARM_NEON)
-
-#if !defined(PA_HAVE_MIPS_MSA_INTRINSICS)
-#if defined(__mips_msa) && defined(__mips_isa_rev) && (__mips_isa_rev >= 5)
-#define PA_HAVE_MIPS_MSA_INTRINSICS 1
-#endif
-#endif
-
-// The ANALYZER_ASSUME_TRUE(bool arg) macro adds compiler-specific hints
-// to Clang which control what code paths are statically analyzed,
-// and is meant to be used in conjunction with assert & assert-like functions.
-// The expression is passed straight through if analysis isn't enabled.
 //
-// ANALYZER_SKIP_THIS_PATH() suppresses static analysis for the current
+// Usage:
-// codepath and any other branching codepaths that might follow.
+// ```
+//   if (cond) {
+//     PA_ANALYZER_SKIP_THIS_PATH();
+//     // Static analysis will be disabled for the remainder of this block.
+//     delete ptr;
+//   }
+// ```
 #if defined(__clang_analyzer__)
-
 namespace partition_alloc::internal {
-
+inline constexpr bool AnalyzerNoReturn()
-inline constexpr bool AnalyzerNoReturn() __attribute__((analyzer_noreturn)) {
+#if PA_HAS_ATTRIBUTE(analyzer_noreturn)
+    __attribute__((analyzer_noreturn))
+#endif
+{
   return false;
 }
-
-inline constexpr bool AnalyzerAssumeTrue(bool arg) {
-  // PartitionAllocAnalyzerNoReturn() is invoked and analysis is terminated if
-  // |arg| is false.
-  return arg || AnalyzerNoReturn();
-}
-
 }  // namespace partition_alloc::internal
-
-#define PA_ANALYZER_ASSUME_TRUE(arg) \
-  ::partition_alloc::internal::AnalyzerAssumeTrue(!!(arg))
 #define PA_ANALYZER_SKIP_THIS_PATH() \
   static_cast<void>(::partition_alloc::internal::AnalyzerNoReturn())
-
+#else
-#else  // !defined(__clang_analyzer__)
+// The above definition would be safe even outside the analyzer, but defining
-
+// the macro away entirely avoids the need for the optimizer to eliminate it.
-#define PA_ANALYZER_ASSUME_TRUE(arg) (arg)
 #define PA_ANALYZER_SKIP_THIS_PATH()
+#endif
 
-#endif  // defined(__clang_analyzer__)
+// Annotates a condition directing static analysis to assume it is always true.
+// Evaluates to the provided `arg` as a `bool`.
+//
+// Usage:
+// ```
+//   // Static analysis will assume the following condition always holds.
+//   if (PA_ANALYZER_ASSUME_TRUE(cond)) ...
+// ```
+#if defined(__clang_analyzer__)
+namespace partition_alloc::internal {
+inline constexpr bool AnalyzerAssumeTrue(bool arg) {
+  return arg || AnalyzerNoReturn();
+}
+}  // namespace partition_alloc::internal
+#define PA_ANALYZER_ASSUME_TRUE(arg) \
+  ::partition_alloc::internal::AnalyzerAssumeTrue(!!(arg))
+#else
+// Again, the above definition is safe, this is just simpler for the optimizer.
+#define PA_ANALYZER_ASSUME_TRUE(arg) (arg)
+#endif
 
-// Use nomerge attribute to disable optimization of merging multiple same calls.
+// Annotates a function, function pointer, or statement to disallow
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(nomerge)
+// optimizations that merge calls. Useful to ensure the source locations of such
+// calls are not obscured.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#nomerge
+//
+// Usage:
+// ```
+//   PA_NOMERGE void Func();  // No direct calls to `Func()` will be merged.
+//
+//   using Ptr = decltype(&Func);
+//   PA_NOMERGE Ptr ptr = &Func;  // No calls through `ptr` will be merged.
+//
+//   PA_NOMERGE if (cond) {
+//     // No calls in this block will be merged.
+//   }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::nomerge)
 #define PA_NOMERGE [[clang::nomerge]]
 #else
 #define PA_NOMERGE
 #endif
 
-// Marks a type as being eligible for the "trivial" ABI despite having a
+// Annotates a type as being suitable for passing in registers despite having a
-// non-trivial destructor or copy/move constructor. Such types can be relocated
+// non-trivial copy or move constructor or destructor. This requires the type
-// after construction by simply copying their memory, which makes them eligible
+// not be concerned about its address remaining constant, be safely usable after
-// to be passed in registers. The canonical example is std::unique_ptr.
+// copying its memory, and have a destructor that may be safely omitted on
+// moved-from instances; an example is `std::unique_ptr`. Unnecessary if the
+// copy/move constructor(s) and destructor are unconditionally trivial; likely
+// ineffective if the type is too large to be passed in one or two registers
+// with the target ABI. However, annotating a type this way will also cause
+// `IS_TRIVIALLY_RELOCATABLE()` to return true for that type, and so may be
+// desirable even for large types, if they are placed in containers that
+// optimize based on that check.
 //
-// Use with caution; this has some subtle effects on constructor/destructor
+// NOTE: Use with caution; this has subtle effects on constructor/destructor
-// ordering and will be very incorrect if the type relies on its address
+// ordering. When used with types passed or returned by value, values may be
-// remaining constant. When used as a function argument (by value), the value
+// constructed in the source stack frame, passed in a register, and then used
-// may be constructed in the caller's stack frame, passed in a register, and
+// and destroyed in the target stack frame.
-// then used and destructed in the callee's stack frame. A similar thing can
-// occur when values are returned.
-//
-// TRIVIAL_ABI is not needed for types which have a trivial destructor and
-// copy/move constructors, such as base::TimeTicks and other POD.
-//
-// It is also not likely to be effective on types too large to be passed in one
-// or two registers on typical target ABIs.
 //
 // See also:
 //   https://clang.llvm.org/docs/AttributeReference.html#trivial-abi
 //   https://libcxx.llvm.org/docs/DesignDocs/UniquePtrTrivialAbi.html
-#if defined(__clang__) && PA_HAS_ATTRIBUTE(trivial_abi)
+//
+// Usage:
+// ```
+//   // Instances of type `S` will be eligible to be passed in registers despite
+//   // `S`'s nontrivial destructor.
+//   struct PA_TRIVIAL_ABI S { ~S(); }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::trivial_abi)
 #define PA_TRIVIAL_ABI [[clang::trivial_abi]]
 #else
 #define PA_TRIVIAL_ABI
 #endif
 
-// Requires constant initialization. See constinit in C++20. Allows to rely on a
+// Makes C++20's `constinit` functionality available even pre-C++20, by falling
-// variable being initialized before execution, and not requiring a global
+// back to a custom attribute.
-// constructor.
+// TODO(crbug.com/365046216): Use `constinit` directly when C++20 is available
-#if PA_HAS_ATTRIBUTE(require_constant_initialization)
+// and all usage sites have been reordered to be compatible with doing so.
-#define PA_CONSTINIT __attribute__((require_constant_initialization))
+//
-#endif
+// See also:
-#if !defined(PA_CONSTINIT)
+//   https://clang.llvm.org/docs/AttributeReference.html#require-constant-initialization-constinit-c-20
+//
+// Usage:
+// ```
+// struct S {
+//   constexpr S() = default;
+//   S(int) {}
+// };
+//
+// // Compiles (constant initialization via `constexpr` default constructor).
+// PA_CONSTINIT S s0;
+//
+// // Will not compile; diagnosed as usage of non-constexpr constructor in a
+// // constant expression.
+// PA_CONSTINIT S s1(1);
+//
+// // Compiles (non-constant initialization via non-`constexpr` constructor).
+// S s2(2);
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(clang::require_constant_initialization)
+#define PA_CONSTINIT [[clang::require_constant_initialization]]
+#else
 #define PA_CONSTINIT
 #endif
 
-#if defined(__clang__)
+// Annotates a type as holding a pointer into an owner object (an appropriate
+// STL or `[[gsl::Owner]]`-annotated type). If an instance of the pointer type
+// is constructed from an instance of the owner type, and the owner instance is
+// destroyed, the pointer instance is considered to be dangling. Useful to
+// diagnose some cases of lifetime errors.
+//
+// See also:
+//   https://clang.llvm.org/docs/AttributeReference.html#pointer
+//
+// Usage:
+// ```
+//  struct [[gsl::Owner]] T {};
+//  struct PA_GSL_POINTER S {
+//    S(const T&);
+//  };
+//  S Func() {
+//    // The following return will not compile; diagnosed as returning address
+//    // of local temporary.
+//    return S(T());
+//  }
+// ```
+#if PA_HAS_CPP_ATTRIBUTE(gsl::Pointer)
 #define PA_GSL_POINTER [[gsl::Pointer]]
 #else
 #define PA_GSL_POINTER
 #endif
 
-// Constexpr destructors were introduced in C++20. PartitionAlloc's minimum
+// Annotates a destructor marking it `constexpr` only if the language supports
-// supported C++ version is C++17.
+// it (C++20 and onward).
+//
+// Usage:
+// ```
+//  struct S {
+//    PA_CONSTEXPR_DTOR ~S() {}  // N.B.: Compiles even pre-C++20
+//  };
+//  // The following declaration will only compile in C++20; diagnosed as an
+//  // invalid constexpr variable of non-literal type otherwise.
+//  constexpr S s;
+// ```
 #if defined(__cpp_constexpr) && __cpp_constexpr >= 201907L
 #define PA_CONSTEXPR_DTOR constexpr
 #else
 #define PA_CONSTEXPR_DTOR
 #endif
 
-// PA_LIFETIME_BOUND indicates that a resource owned by a function parameter or
+// Annotates a pointer or reference parameter or return value for a member
-// implicit object parameter is retained by the return value of the annotated
+// function as having lifetime intertwined with the instance on which the
-// function (or, for a parameter of a constructor, in the value of the
+// function is called. For parameters, the function is assumed to store the
-// constructed object). This attribute causes warnings to be produced if a
+// value into the called-on object, so if the referred-to object is later
-// temporary object does not live long enough.
+// destroyed, the called-on object is also considered to be dangling. For return
+// values, the value is assumed to point into the called-on object, so if that
+// object is destroyed, the returned value is also considered to be dangling.
+// Useful to diagnose some cases of lifetime errors.
 //
-// When applied to a reference parameter, the referenced object is assumed to be
+// See also:
-// retained by the return value of the function. When applied to a non-reference
+//   https://clang.llvm.org/docs/AttributeReference.html#lifetimebound
-// parameter (for example, a pointer or a class type), all temporaries
-// referenced by the parameter are assumed to be retained by the return value of
-// the function.
 //
-// See also the upstream documentation:
+// Usage:
-// https://clang.llvm.org/docs/AttributeReference.html#lifetimebound
+// ```
-//
+//   struct S {
-// This attribute is based on `ABSL_ATTRIBUTE_LIFETIME_BOUND`, but:
+//      S(int* p PA_LIFETIME_BOUND);
-// * A separate definition is provided to avoid PartitionAlloc => Abseil
+//      int* Get() PA_LIFETIME_BOUND;
-//   dependency
+//   };
-// * The definition is tweaked to avoid `__attribute__(lifetime))` because it
+//   S Func1() {
-//   can't be applied in the same places as `[[clang::lifetimebound]]`.  In
+//     int i = 0;
-//   particular `operator T*&() && __attribute__(lifetime))` fails to compile on
+//     // The following return will not compile; diagnosed as returning address
-//   `clang` with the following error: 'lifetimebound' attribute only applies to
+//     // of a stack object.
-//   parameters and implicit object parameters
+//     return S(&i);
+//   }
+//   int* Func2(int* p) {
+//     // The following return will not compile; diagnosed as returning address
+//     // of a local temporary.
+//     return S(p).Get();
+//   }
+// ```
 #if PA_HAS_CPP_ATTRIBUTE(clang::lifetimebound)
 #define PA_LIFETIME_BOUND [[clang::lifetimebound]]
 #else
 #define PA_LIFETIME_BOUND
 #endif
 
-// Clang instrumentation may allocate, leading to reentrancy in the allocator,
+// Annotates a function disabling PGO profiling. This may be necessary to avoid
-// and crashes when generating a PGO profile. This attribute disables profiling
+// runtime crashes due to re-entrancy when allocator functions are instrumented
-// for a function.
+// for PGO profiling and the instrumentation attempts to allocate.
 //
-// See
+// See also:
-// https://clang.llvm.org/docs/AttributeReference.html#no-profile-instrument-function
+//   https://clang.llvm.org/docs/AttributeReference.html#no-profile-instrument-function
+//
+// Usage:
+// ```
+// ```
 #if PA_HAS_CPP_ATTRIBUTE(gnu::no_profile_instrument_function)
 #define PA_NOPROFILE [[gnu::no_profile_instrument_function]]
 #else

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/cpu.cc

@@ -97,7 +97,7 @@ uint64_t xgetbv(uint32_t xcr) {
 
 void CPU::Initialize() {
 #if PA_BUILDFLAG(PA_ARCH_CPU_X86_FAMILY)
-  int cpu_info[4] = {-1};
+  int cpu_info[4] = {-1, 0, 0, 0};
 
   // __cpuid with an InfoType argument of 0 returns the number of
   // valid Ids in CPUInfo[0] and the CPU identification string in
@@ -112,7 +112,7 @@ void CPU::Initialize() {
 
   // Interpret CPU feature information.
   if (num_ids > 0) {
-    int cpu_info7[4] = {0};
+    int cpu_info7[4] = {};
     __cpuid(cpu_info, 1);
     if (num_ids >= 7) {
       __cpuid(cpu_info7, 7);

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/debug/alias.h

@@ -35,7 +35,7 @@ namespace partition_alloc::internal::base::debug {
 //   strncpy(name_copy, p->name, sizeof(name_copy)-1);
 //   name_copy[sizeof(name_copy)-1] = '\0';;
 //   base::debug::alias(name_copy);
-//   CHECK(false);
+//   NOTREACHED();
 //
 // Case #2: Prevent a tail call into a function. This is useful to make sure the
 // function containing the call to base::debug::Alias() will be present in the

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/files/platform_file.h

@@ -0,0 +1,39 @@
+// Copyright 2017 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_
+#define PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_
+
+#include "partition_alloc/build_config.h"
+
+#if PA_BUILDFLAG(IS_WIN)
+#include "partition_alloc/partition_alloc_base/win/windows_types.h"
+#endif
+
+// This file defines platform-independent types for dealing with
+// platform-dependent files. If possible, use the higher-level base::File class
+// rather than these primitives.
+
+namespace partition_alloc::internal::base {
+
+#if PA_BUILDFLAG(IS_WIN)
+
+using PlatformFile = HANDLE;
+
+// It would be nice to make this constexpr but INVALID_HANDLE_VALUE is a
+// ((void*)(-1)) which Clang rejects since reinterpret_cast is technically
+// disallowed in constexpr. Visual Studio accepts this, however.
+const PlatformFile kInvalidPlatformFile = INVALID_HANDLE_VALUE;
+
+#elif PA_BUILDFLAG(IS_POSIX) || PA_BUILDFLAG(IS_FUCHSIA)
+
+using PlatformFile = int;
+
+inline constexpr PlatformFile kInvalidPlatformFile = -1;
+
+#endif
+
+}  // namespace partition_alloc::internal::base
+
+#endif  // PARTITION_ALLOC_PARTITION_ALLOC_BASE_FILES_PLATFORM_FILE_H_

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/checked_math.h

@@ -67,9 +67,11 @@ class CheckedNumeric {
 #endif
   constexpr bool
   AssignIfValid(Dst* result) const {
-    return PA_BASE_NUMERICS_LIKELY(IsValid<Dst>())
+    if (IsValid<Dst>()) [[likely]] {
-               ? ((*result = static_cast<Dst>(state_.value())), true)
+      *result = static_cast<Dst>(state_.value());
-               : false;
+      return true;
+    }
+    return false;
   }
 
   // ValueOrDie() - The primary accessor for the underlying value. If the
@@ -82,9 +84,10 @@ class CheckedNumeric {
   // the underlying value, and it is not available through other means.
   template <typename Dst = T, class CheckHandler = CheckOnFailure>
   constexpr StrictNumeric<Dst> ValueOrDie() const {
-    return PA_BASE_NUMERICS_LIKELY(IsValid<Dst>())
+    if (IsValid<Dst>()) [[likely]] {
-               ? static_cast<Dst>(state_.value())
+      return static_cast<Dst>(state_.value());
-               : CheckHandler::template HandleFailure<Dst>();
+    }
+    return CheckHandler::template HandleFailure<Dst>();
   }
 
   // ValueOrDefault(T default_value) - A convenience method that returns the
@@ -95,9 +98,10 @@ class CheckedNumeric {
   // if the supplied default_value is not within range of the destination type.
   template <typename Dst = T, typename Src>
   constexpr StrictNumeric<Dst> ValueOrDefault(const Src default_value) const {
-    return PA_BASE_NUMERICS_LIKELY(IsValid<Dst>())
+    if (IsValid<Dst>()) [[likely]] {
-               ? static_cast<Dst>(state_.value())
+      return static_cast<Dst>(state_.value());
-               : checked_cast<Dst>(default_value);
+    }
+    return checked_cast<Dst>(default_value);
   }
 
   // Returns a checked numeric of the specified type, cast from the current

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/checked_math_impl.h

@@ -63,9 +63,8 @@ struct CheckedAddOp<T,
                                   FastPromotion>::type;
     // Fail if either operand is out of range for the promoted type.
     // TODO(jschuh): This could be made to work for a broader range of values.
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if (!IsValueInRangeForNumericType<Promotion>(x) ||
-            !IsValueInRangeForNumericType<Promotion>(x) ||
+        !IsValueInRangeForNumericType<Promotion>(y)) [[unlikely]] {
-            !IsValueInRangeForNumericType<Promotion>(y))) {
       return false;
     }
 
@@ -130,9 +129,8 @@ struct CheckedSubOp<T,
                                   FastPromotion>::type;
     // Fail if either operand is out of range for the promoted type.
     // TODO(jschuh): This could be made to work for a broader range of values.
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if (!IsValueInRangeForNumericType<Promotion>(x) ||
-            !IsValueInRangeForNumericType<Promotion>(x) ||
+        !IsValueInRangeForNumericType<Promotion>(y)) [[unlikely]] {
-            !IsValueInRangeForNumericType<Promotion>(y))) {
       return false;
     }
 
@@ -192,10 +190,9 @@ struct CheckedMulOp<T,
 
     using Promotion = typename FastIntegerArithmeticPromotion<T, U>::type;
     // Verify the destination type can hold the result (always true for 0).
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if ((!IsValueInRangeForNumericType<Promotion>(x) ||
-            (!IsValueInRangeForNumericType<Promotion>(x) ||
+         !IsValueInRangeForNumericType<Promotion>(y)) &&
-             !IsValueInRangeForNumericType<Promotion>(y)) &&
+        x && y) [[unlikely]] {
-            x && y)) {
       return false;
     }
 
@@ -232,27 +229,24 @@ struct CheckedDivOp<T,
   using result_type = typename MaxExponentPromotion<T, U>::type;
   template <typename V>
   static constexpr bool Do(T x, U y, V* result) {
-    if (PA_BASE_NUMERICS_UNLIKELY(!y)) {
+    if (!y) [[unlikely]] {
       return false;
     }
 
     // The overflow check can be compiled away if we don't have the exact
     // combination of types needed to trigger this case.
     using Promotion = typename BigEnoughPromotion<T, U>::type;
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if (std::is_signed_v<T> && std::is_signed_v<U> &&
-            (std::is_signed_v<T> && std::is_signed_v<U> &&
+        IsTypeInRangeForNumericType<T, Promotion>::value &&
-             IsTypeInRangeForNumericType<T, Promotion>::value &&
+        static_cast<Promotion>(x) == std::numeric_limits<Promotion>::lowest() &&
-             static_cast<Promotion>(x) ==
+        y == static_cast<U>(-1)) [[unlikely]] {
-                 std::numeric_limits<Promotion>::lowest() &&
-             y == static_cast<U>(-1)))) {
       return false;
     }
 
     // This branch always compiles away if the above branch wasn't removed.
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if ((!IsValueInRangeForNumericType<Promotion>(x) ||
-            (!IsValueInRangeForNumericType<Promotion>(x) ||
+         !IsValueInRangeForNumericType<Promotion>(y)) &&
-             !IsValueInRangeForNumericType<Promotion>(y)) &&
+        x) [[unlikely]] {
-            x)) {
       return false;
     }
 
@@ -276,17 +270,15 @@ struct CheckedModOp<T,
   using result_type = typename MaxExponentPromotion<T, U>::type;
   template <typename V>
   static constexpr bool Do(T x, U y, V* result) {
-    if (PA_BASE_NUMERICS_UNLIKELY(!y)) {
+    if (!y) [[unlikely]] {
       return false;
     }
 
     using Promotion = typename BigEnoughPromotion<T, U>::type;
-    if (PA_BASE_NUMERICS_UNLIKELY(
+    if (std::is_signed_v<T> && std::is_signed_v<U> &&
-            (std::is_signed_v<T> && std::is_signed_v<U> &&
+        IsTypeInRangeForNumericType<T, Promotion>::value &&
-             IsTypeInRangeForNumericType<T, Promotion>::value &&
+        static_cast<Promotion>(x) == std::numeric_limits<Promotion>::lowest() &&
-             static_cast<Promotion>(x) ==
+        y == static_cast<U>(-1)) [[unlikely]] {
-                 std::numeric_limits<Promotion>::lowest() &&
-             y == static_cast<U>(-1)))) {
       *result = 0;
       return true;
     }
@@ -316,9 +308,9 @@ struct CheckedLshOp<T,
   template <typename V>
   static constexpr bool Do(T x, U shift, V* result) {
     // Disallow negative numbers and verify the shift is in bounds.
-    if (PA_BASE_NUMERICS_LIKELY(
+    if (!IsValueNegative(x) &&
-            !IsValueNegative(x) &&
+        as_unsigned(shift) < as_unsigned(std::numeric_limits<T>::digits))
-            as_unsigned(shift) < as_unsigned(std::numeric_limits<T>::digits))) {
+        [[likely]] {
       // Shift as unsigned to avoid undefined behavior.
       *result = static_cast<V>(as_unsigned(x) << shift);
       // If the shift can be reversed, we know it was valid.
@@ -350,8 +342,7 @@ struct CheckedRshOp<T,
   template <typename V>
   static constexpr bool Do(T x, U shift, V* result) {
     // Use sign conversion to push negative values out of range.
-    if (PA_BASE_NUMERICS_UNLIKELY(as_unsigned(shift) >=
+    if (as_unsigned(shift) >= IntegerBitsPlusSign<T>::value) [[unlikely]] {
-                                  IntegerBitsPlusSign<T>::value)) {
       return false;
     }
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/clamped_math_impl.h

@@ -86,9 +86,10 @@ struct ClampedAddOp<T,
                   "provided types.");
     const V saturated = CommonMaxOrMin<V>(IsValueNegative(y));
     V result = {};
-    return PA_BASE_NUMERICS_LIKELY((CheckedAddOp<T, U>::Do(x, y, &result)))
+    if (CheckedAddOp<T, U>::Do(x, y, &result)) [[likely]] {
-               ? result
+      return result;
-               : saturated;
+    }
+    return saturated;
   }
 };
 
@@ -113,9 +114,10 @@ struct ClampedSubOp<T,
                   "provided types.");
     const V saturated = CommonMaxOrMin<V>(!IsValueNegative(y));
     V result = {};
-    return PA_BASE_NUMERICS_LIKELY((CheckedSubOp<T, U>::Do(x, y, &result)))
+    if (CheckedSubOp<T, U>::Do(x, y, &result)) [[likely]] {
-               ? result
+      return result;
-               : saturated;
+    }
+    return saturated;
   }
 };
 
@@ -137,9 +139,10 @@ struct ClampedMulOp<T,
     V result = {};
     const V saturated =
         CommonMaxOrMin<V>(IsValueNegative(x) ^ IsValueNegative(y));
-    return PA_BASE_NUMERICS_LIKELY((CheckedMulOp<T, U>::Do(x, y, &result)))
+    if (CheckedMulOp<T, U>::Do(x, y, &result)) [[likely]] {
-               ? result
+      return result;
-               : saturated;
+    }
+    return saturated;
   }
 };
 
@@ -155,7 +158,7 @@ struct ClampedDivOp<T,
   template <typename V = result_type>
   static constexpr V Do(T x, U y) {
     V result = {};
-    if (PA_BASE_NUMERICS_LIKELY((CheckedDivOp<T, U>::Do(x, y, &result)))) {
+    if ((CheckedDivOp<T, U>::Do(x, y, &result))) [[likely]] {
       return result;
     }
     // Saturation goes to max, min, or NaN (if x is zero).
@@ -176,9 +179,10 @@ struct ClampedModOp<T,
   template <typename V = result_type>
   static constexpr V Do(T x, U y) {
     V result = {};
-    return PA_BASE_NUMERICS_LIKELY((CheckedModOp<T, U>::Do(x, y, &result)))
+    if (CheckedModOp<T, U>::Do(x, y, &result)) [[likely]] {
-               ? result
+      return result;
-               : x;
+    }
+    return x;
   }
 };
 
@@ -196,11 +200,11 @@ struct ClampedLshOp<T,
   template <typename V = result_type>
   static constexpr V Do(T x, U shift) {
     static_assert(!std::is_signed_v<U>, "Shift value must be unsigned.");
-    if (PA_BASE_NUMERICS_LIKELY(shift < std::numeric_limits<T>::digits)) {
+    if (shift < std::numeric_limits<T>::digits) [[likely]] {
       // Shift as unsigned to avoid undefined behavior.
       V result = static_cast<V>(as_unsigned(x) << shift);
       // If the shift can be reversed, we know it was valid.
-      if (PA_BASE_NUMERICS_LIKELY(result >> shift == x)) {
+      if (result >> shift == x) [[likely]] {
         return result;
       }
     }
@@ -223,9 +227,10 @@ struct ClampedRshOp<T,
     static_assert(!std::is_signed_v<U>, "Shift value must be unsigned.");
     // Signed right shift is odd, because it saturates to -1 or 0.
     const V saturated = as_unsigned(V(0)) - IsValueNegative(x);
-    return PA_BASE_NUMERICS_LIKELY(shift < IntegerBitsPlusSign<T>::value)
+    if (shift < IntegerBitsPlusSign<T>::value) [[likely]] {
-               ? saturated_cast<V>(x >> shift)
+      return saturated_cast<V>(x >> shift);
-               : saturated;
+    }
+    return saturated;
   }
 };
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/safe_conversions.h

@@ -108,9 +108,10 @@ constexpr Dst checked_cast(Src value) {
   // This throws a compile-time error on evaluating the constexpr if it can be
   // determined at compile-time as failing, otherwise it will CHECK at runtime.
   using SrcType = typename internal::UnderlyingType<Src>::type;
-  return PA_BASE_NUMERICS_LIKELY((IsValueInRangeForNumericType<Dst>(value)))
+  if (IsValueInRangeForNumericType<Dst>(value)) [[likely]] {
-             ? static_cast<Dst>(static_cast<SrcType>(value))
+    return static_cast<Dst>(static_cast<SrcType>(value));
-             : CheckHandler::template HandleFailure<Dst>();
+  }
+  return CheckHandler::template HandleFailure<Dst>();
 }
 
 // Default boundaries for integral/float: max/infinity, lowest/-infinity, 0/NaN.
@@ -188,9 +189,10 @@ struct SaturateFastOp<Dst,
     const Dst saturated = CommonMaxOrMin<Dst, Src>(
         IsMaxInRangeForNumericType<Dst, Src>() ||
         (!IsMinInRangeForNumericType<Dst, Src>() && IsValueNegative(value)));
-    return PA_BASE_NUMERICS_LIKELY(IsValueInRangeForNumericType<Dst>(value))
+    if (IsValueInRangeForNumericType<Dst>(value)) [[likely]] {
-               ? static_cast<Dst>(value)
+      return static_cast<Dst>(value);
-               : saturated;
+    }
+    return saturated;
   }
 };
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/numerics/safe_conversions_impl.h

@@ -9,13 +9,7 @@
 #include <limits>
 #include <type_traits>
 
-#if defined(__GNUC__) || defined(__clang__)
+#include "partition_alloc/buildflags.h"
-#define PA_BASE_NUMERICS_LIKELY(x) __builtin_expect(!!(x), 1)
-#define PA_BASE_NUMERICS_UNLIKELY(x) __builtin_expect(!!(x), 0)
-#else
-#define PA_BASE_NUMERICS_LIKELY(x) (x)
-#define PA_BASE_NUMERICS_UNLIKELY(x) (x)
-#endif
 
 namespace partition_alloc::internal::base::internal {
 
@@ -91,13 +85,13 @@ constexpr typename std::make_unsigned<T>::type SafeUnsignedAbs(T value) {
 // TODO(jschuh): Debug builds don't reliably propagate constants, so we restrict
 // some accelerated runtime paths to release builds until this can be forced
 // with consteval support in C++20 or C++23.
-#if defined(NDEBUG)
+#if PA_BUILDFLAG(IS_DEBUG)
-constexpr bool kEnableAsmCode = true;
+inline constexpr bool kEnableAsmCode = false;
 #else
-constexpr bool kEnableAsmCode = false;
+inline constexpr bool kEnableAsmCode = true;
 #endif
 
-// Forces a crash, like a CHECK(false). Used for numeric boundary errors.
+// Forces a crash, like a NOTREACHED(). Used for numeric boundary errors.
 // Also used in a constexpr template to trigger a compilation failure on
 // an error condition.
 struct CheckOnFailure {

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/posix/eintr_wrapper.h

@@ -18,6 +18,7 @@
 #define PARTITION_ALLOC_PARTITION_ALLOC_BASE_POSIX_EINTR_WRAPPER_H_
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
 #if PA_BUILDFLAG(IS_POSIX)
 #include <cerrno>
@@ -31,7 +32,7 @@ template <typename Fn>
 inline auto WrapEINTR(Fn fn) {
   return [fn](auto&&... args) {
     int out = -1;
-#if defined(NDEBUG)
+#if !PA_BUILDFLAG(IS_DEBUG)
     while (true)
 #else
     for (int retry_count = 0; retry_count < 100; ++retry_count)

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/cstring_builder.h

@@ -7,13 +7,8 @@
 
 #include <cstddef>
 
-#include "partition_alloc/build_config.h"
 #include "partition_alloc/partition_alloc_base/component_export.h"
 
-#if !PA_BUILDFLAG(IS_WIN)
-#include <unistd.h>
-#endif
-
 namespace partition_alloc::internal::base::strings {
 
 // Similar to std::ostringstream, but creates a C string, i.e. nul-terminated

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/safe_sprintf.cc

@@ -10,8 +10,9 @@
 #include <limits>
 
 #include "partition_alloc/build_config.h"
+#include "partition_alloc/buildflags.h"
 
-#if !defined(NDEBUG)
+#if PA_BUILDFLAG(IS_DEBUG)
 // In debug builds, we use RAW_CHECK() to print useful error messages, if
 // SafeSPrintf() is called with broken arguments.
 // As our contract promises that SafeSPrintf() can be called from any
@@ -41,7 +42,7 @@
     if (x) {           \
     }                  \
   } while (0)
-#endif
+#endif  // PA_BUILDFLAG(IS_DEBUG)
 
 namespace partition_alloc::internal::base::strings {
 
@@ -74,7 +75,7 @@ const char kUpCaseHexDigits[] = "0123456789ABCDEF";
 const char kDownCaseHexDigits[] = "0123456789abcdef";
 }  // namespace
 
-#if defined(NDEBUG)
+#if !PA_BUILDFLAG(IS_DEBUG)
 // We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
 // but C++ doesn't allow us to do that for constants. Instead, we have to
 // use careful casting and shifting. We later use a static_assert to
@@ -82,7 +83,7 @@ const char kDownCaseHexDigits[] = "0123456789abcdef";
 namespace {
 const size_t kSSizeMax = kSSizeMaxConst;
 }
-#else   // defined(NDEBUG)
+#else   // !PA_BUILDFLAG(IS_DEBUG)
 // For efficiency, we really need kSSizeMax to be a constant. But for unit
 // tests, it should be adjustable. This allows us to verify edge cases without
 // having to fill the entire available address space. As a compromise, we make
@@ -101,7 +102,7 @@ size_t GetSafeSPrintfSSizeMaxForTest() {
   return kSSizeMax;
 }
 }  // namespace internal
-#endif  // defined(NDEBUG)
+#endif  // !PA_BUILDFLAG(IS_DEBUG)
 
 namespace {
 class Buffer {
@@ -111,10 +112,7 @@ class Buffer {
   // to ensure that the buffer is at least one byte in size, so that it fits
   // the trailing NUL that will be added by the destructor. The buffer also
   // must be smaller or equal to kSSizeMax in size.
-  Buffer(char* buffer, size_t size)
+  Buffer(char* buffer, size_t size) : buffer_(buffer), size_(size - 1) {
-      : buffer_(buffer),
-        size_(size - 1),  // Account for trailing NUL byte
-        count_(0) {
 // MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
 // supports static_cast but doesn't really implement constexpr yet so it doesn't
 // complain, but clang does.
@@ -276,7 +274,7 @@ class Buffer {
   // Number of bytes that would have been emitted to the buffer, if the buffer
   // was sufficiently big. This number always excludes the trailing NUL byte
   // and it is guaranteed to never grow bigger than kSSizeMax-1.
-  size_t count_;
+  size_t count_ = 0;
 };
 
 bool Buffer::IToASCII(bool sign,

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/stringprintf.cc

@@ -12,8 +12,8 @@
 
 namespace partition_alloc::internal::base {
 
-std::string PA_PRINTF_FORMAT(1, 2)
+PA_PRINTF_FORMAT(1, 2)
-    TruncatingStringPrintf(const char* format, ...) {
+std::string TruncatingStringPrintf(const char* format, ...) {
   base::ScopedClearLastError last_error;
   char stack_buf[kMaxLengthOfTruncatingStringPrintfResult + 1];
   va_list arguments;

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/strings/stringprintf.h

@@ -20,8 +20,9 @@ namespace partition_alloc::internal::base {
 static constexpr size_t kMaxLengthOfTruncatingStringPrintfResult = 255U;
 
 // Return a C++ string given printf-like input.
-[[nodiscard]] PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) std::string
+[[nodiscard]] PA_PRINTF_FORMAT(1, 2)
-    TruncatingStringPrintf(const char* format, ...) PA_PRINTF_FORMAT(1, 2);
+    PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) std::string
+    TruncatingStringPrintf(const char* format, ...);
 
 }  // namespace partition_alloc::internal::base
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/threading/platform_thread_posix.cc

@@ -20,6 +20,7 @@
 
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
 #include <sys/syscall.h>
+
 #include <atomic>
 #endif
 
@@ -27,6 +28,10 @@
 #include <zircon/process.h>
 #endif
 
+#if defined(__MUSL__)
+#include "partition_alloc/shim/allocator_shim.h"
+#endif
+
 namespace partition_alloc::internal::base {
 
 #if PA_BUILDFLAG(IS_LINUX) || PA_BUILDFLAG(IS_CHROMEOS)
@@ -58,7 +63,22 @@ thread_local bool g_is_main_thread = true;
 class InitAtFork {
  public:
   InitAtFork() {
+#if defined(__MUSL__)
+    allocator_shim::AllocatorDispatch d =
+        *allocator_shim::GetAllocatorDispatchChainHeadForTesting();
+    d.alloc_function = +[](size_t size, void*) -> void* {
+      // The size of the scratch fits struct atfork_funcs in Musl pthread_atfork.c.
+      static char scratch[5 * sizeof(void*)];
+      return size != sizeof(scratch) ? nullptr : scratch;
+    };
+    allocator_shim::InsertAllocatorDispatch(&d);
+#endif
+
     pthread_atfork(nullptr, nullptr, internal::InvalidateTidCache);
+
+#if defined(__MUSL__)
+    allocator_shim::RemoveAllocatorDispatchForTesting(&d);
+#endif
   }
 };
 

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/threading/platform_thread_win_for_testing.cc

@@ -132,7 +132,6 @@ bool CreateThreadInternal(size_t stack_size,
       case ERROR_COMMITMENT_LIMIT:
       case ERROR_COMMITMENT_MINIMUM:
         TerminateBecauseOutOfMemory(stack_size);
-        break;
 
       default:
         break;

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time.cc

@@ -248,7 +248,7 @@ TimeTicks TimeTicks::Now() {
 
 // static
 TimeTicks TimeTicks::UnixEpoch() {
-  static const TimeTicks epoch([]() {
+  static const TimeTicks epoch([] {
     return subtle::TimeTicksNowIgnoringOverride() -
            (subtle::TimeNowIgnoringOverride() - Time::UnixEpoch());
   }());

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time.h

@@ -873,6 +873,14 @@ class PA_COMPONENT_EXPORT(PARTITION_ALLOC_BASE) TimeTicks
   // realtime clock to establish a reference point.  This function will return
   // the same value for the duration of the application, but will be different
   // in future application runs.
+  // DEPRECATED:
+  // Because TimeTicks increments can get suspended on some platforms (e.g. Mac)
+  // and because this function returns a static value, this value will not get
+  // suspension time into account on those platforms.
+  // As TimeTicks is intended to be used to track a process duration and not an
+  // absolute time, if you plan to use this function, please consider using a
+  // Time instead.
+  // TODO(crbug.com/355423207): Remove function.
   static TimeTicks UnixEpoch();
 
   // Returns |this| snapped to the next tick, given a |tick_phase| and

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time_apple.mm

@@ -31,7 +31,7 @@ namespace {
 
 // Returns a pointer to the initialized Mach timebase info struct.
 mach_timebase_info_data_t* MachTimebaseInfo() {
-  static mach_timebase_info_data_t timebase_info = []() {
+  static mach_timebase_info_data_t timebase_info = [] {
     mach_timebase_info_data_t info;
     kern_return_t kr = mach_timebase_info(&info);
     PA_BASE_DCHECK(kr == KERN_SUCCESS) << "mach_timebase_info";

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/time/time_win.cc

@@ -7,8 +7,9 @@
 // A good article:  http://www.ddj.com/windows/184416651
 // A good mozilla bug:  http://bugzilla.mozilla.org/show_bug.cgi?id=363258
 //
-// The default windows timer, GetSystemTimeAsFileTime is not very precise.
+// The default windows timer, GetSystemTimePreciseAsFileTime is quite precise.
-// It is only good to ~15.5ms.
+// However it is not always fast on some hardware and is slower than the
+// performance counters.
 //
 // QueryPerformanceCounter is the logical choice for a high-precision timer.
 // However, it is known to be buggy on some hardware.  Specifically, it can
@@ -77,7 +78,7 @@ FILETIME MicrosecondsToFileTime(int64_t us) {
 
 int64_t CurrentWallclockMicroseconds() {
   FILETIME ft;
-  ::GetSystemTimeAsFileTime(&ft);
+  ::GetSystemTimePreciseAsFileTime(&ft);
   return FileTimeToMicroseconds(ft);
 }
 
@@ -113,8 +114,8 @@ Time TimeNowIgnoringOverride() {
   }
 
   // We implement time using the high-resolution timers so that we can get
-  // timeouts which are smaller than 10-15ms.  If we just used
+  // timeouts which likely are smaller than those if we just used
-  // CurrentWallclockMicroseconds(), we'd have the less-granular timer.
+  // CurrentWallclockMicroseconds().
   //
   // To make this work, we initialize the clock (g_initial_time) and the
   // counter (initial_ctr).  To compute the initial time, we can check

src/base/allocator/partition_allocator/src/partition_alloc/partition_alloc_base/types/same_as_any.h

@@ -0,0 +1,19 @@
+// Copyright 2024 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_
+#define PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_
+
+#include <type_traits>
+
+namespace partition_alloc::internal::base {
+
+// True when `T` is any of the subsequent types.
+// TODO(crbug.com/344963951): Switch to a concept when C++20 is allowed.
+template <typename T, typename... Ts>
+inline constexpr bool kSameAsAny = (std::is_same_v<T, Ts> || ...);
+
+}  // namespace partition_alloc::internal::base
+
+#endif  // PARTITION_ALLOC_PARTITION_ALLOC_BASE_TYPES_SAME_AS_ANY_H_