Merge remote-tracking branch 'origin/5.14.2' into 5.14

Change-Id: I5f7aab6031f1c1ca289d5ba408d408684849031c

10 files changed, 201 insertions, 46 deletions

diff --git a/configure.pri b/configure.pri
index 3a144e3f8..3cfce71e0 100644
--- a/configure.pri
+++ b/configure.pri
@@ -163,7 +163,7 @@ defineTest(qtConfTest_detectNinja) {
     !isEmpty(ninja) {
         qtLog("Found ninja from path: $$ninja")
         qtRunLoggedCommand("$$ninja --version", version)|return(false)
-        contains(version, "1.[7-9].*"): return(true)
+        contains(version, "1\.([7-9]|1[0-9])\..*"): return(true)
         qtLog("Ninja version too old")
     }
     qtLog("Building own ninja")
diff --git a/dist/changes-5.14.2 b/dist/changes-5.14.2
new file mode 100644
index 000000000..3cf48a4f4
--- /dev/null
+++ b/dist/changes-5.14.2
@@ -0,0 +1,107 @@
+Qt 5.14.2 is a bug-fix release. It maintains both forward and backward
+compatibility (source and binary) with Qt 5.14.0 through 5.14.1.
+
+For more details, refer to the online documentation included in this
+distribution. The documentation is also available online:
+
+https://doc.qt.io/qt-5/index.html
+
+The Qt version 5.14 series is binary compatible with the 5.13.x series.
+Applications compiled for 5.13 will continue to run with 5.14.
+
+Some of the changes listed in this file include issue tracking numbers
+corresponding to tasks in the Qt Bug Tracker:
+
+https://bugreports.qt.io/
+
+Each of these identifiers can be entered in the bug tracker to obtain more
+information about a particular change.
+
+****************************************************************************
+*                              Qt 5.14.2 Changes                           *
+****************************************************************************
+
+General
+-------
+
+  - [QTBUG-78284] Fixed conversion of tabpanel aria role
+  - [QTBUG-81206] Fixed overriding shortcuts in password input fields on Windows
+  - [QTBUG-80234] Fixed media playback issue on custom urls by supporting
+                  HTTP ranges headers
+  - [QTBUG-81521] Update navigation actions when load finishes in a subframe
+  - [QTBUG-82109] Fixed name filters of GTK file picker
+  - [QTBUG-78284] Fixed widget accessibility on macOS
+  - [QTBUG-78284] Fixed quick accessibility on macOS
+  - [QTBUG-81783] Fixed event.key for Ctrl key combinations on Windows
+  - [QTBUG-81574] Clear previous page text selection on new navigation unconditionally
+  - [QTBUG-78284] Fixed VoiceOver navigation on web pages on macOS
+  - [QTBUG-81539] Update accessibility focus on FocusIn events for Quick
+  - [QTBUG-82715] Support build with system ninja >= 1.10.0
+  - Fixed deadlocks on WebEngineContext destruction
+  - Suppress error message on ACCESSIBILITY_EVENTS permission type
+  - Example 'quicknanobrowser' improvements
+
+Chromium
+--------
+
+  - Fixed build with gcc 5
+  - Fixed -no-webengine-spellchecker build
+
+  - Security fixes from Chromium up to version 80.0.3987.132, including:
+
+    * CVE-2019-19880
+    * CVE-2019-19923 - Out of bounds memory access in SQLite
+    * CVE-2019-19925 - Multiple vulnerabilities in SQLite
+    * CVE-2019-19926 - Inappropriate implementation in SQLite
+    * CVE-2019-18197 - Multiple vulnerabilities in XML
+    * CVE-2019-20503 - Out of bounds read in usersctplib
+    * CVE-2020-6381 - Integer overflow in Javascript
+    * CVE-2020-6383 - Type confusion in V8
+    * CVE-2020-6384 - Use after free in WebAudio
+    * CVE-2020-6385 - Insufficient policy enforcement in storage
+    * CVE-2020-6387 - Out of bounds write in WebRTC
+    * CVE-2020-6388 - Out of bounds memory access in WebAudio
+    * CVE-2020-6389 - Out of bounds write in WebRTC
+    * CVE-2020-6390 - Out of bounds memory access in streams
+    * CVE-2020-6391 - Insufficient validation of untrusted input in Blink
+    * CVE-2020-6392 - Insufficient policy enforcement in extensions
+    * CVE-2020-6393 - Insufficient policy enforcement in Blink
+    * CVE-2020-6394 - Insufficient policy enforcement in Blink
+    * CVE-2020-6395 - Out of bounds read in JavaScript
+    * CVE-2020-6396 - Inappropriate implementation in Skia
+    * CVE-2020-6398 - Uninitialized use in PDFium
+    * CVE-2020-6399 - Insufficient policy enforcement in AppCache
+    * CVE-2020-6400 - Inappropriate implementation in CORS
+    * CVE-2020-6401
+    * CVE-2020-6404 - Inappropriate implementation in Blink
+    * CVE-2020-6405 - Out of bounds read in SQLite
+    * CVE-2020-6406 - Use after free in audio
+    * CVE-2020-6407 - Out of bounds memory access in streams
+    * CVE-2020-6410 - Insufficient policy enforcement in navigation
+    * CVE-2020-6411
+    * CVE-2020-6412 - Insufficient validation of untrusted input in Omnibox
+    * CVE-2020-6413 - Inappropriate implementation in Blink
+    * CVE-2020-6415
+    * CVE-2020-6418 - Type confusion in V8
+    * CVE-2020-6420 - Insufficient policy enforcement in media
+    * CVE-2020-6422 - Use after free in WebGL.
+    * CVE-2020-6426 - Inappropriate implementation in V8.
+    * CVE-2020-6427 - Use after free in audio.
+    * CVE-2020-6428 - Use after free in audio.
+    * CVE-2020-6429 - Use after free in audio.
+    * CVE-2020-6449 - Use after free in audio.
+    * Security bug 925035
+    * Security bug 1016038
+    * Security bug 1016506
+    * Security bug 1018629
+    * Security bug 1020031
+    * Security bug 1025442
+    * Security bug 1026293
+    * Security bug 1029865
+    * Security bug 1031909
+    * Security bug 1033461
+    * Security bug 1035723
+    * Security bug 1040700
+    * Security bug 1044570
+    * Security bug 1047097
+
diff --git a/src/3rdparty b/src/3rdparty
-Subproject 12a57d9c943eaa80d87481712fe58f7bf6678ba
+Subproject 6c9be50c2d901e66119679155fb3c7c9200448d
diff --git a/src/core/common/qt_messages.h b/src/core/common/qt_messages.h
index b99204b74..43f07c9a6 100644
--- a/src/core/common/qt_messages.h
+++ b/src/core/common/qt_messages.h
@@ -36,6 +36,9 @@ IPC_MESSAGE_ROUTED1(RenderViewObserverQt_FetchDocumentMarkup,
 IPC_MESSAGE_ROUTED1(RenderViewObserverQt_FetchDocumentInnerText,
                     uint64_t /* requestId */)
 
+IPC_MESSAGE_ROUTED1(RenderViewObserverQt_SetBackgroundColor,
+                    uint32_t /* color */)
+
 // User scripts messages
 IPC_MESSAGE_ROUTED1(RenderFrameObserverHelper_AddScript,
                     UserScriptData /* script */)
@@ -65,9 +68,6 @@ IPC_MESSAGE_ROUTED2(RenderViewObserverHostQt_DidFetchDocumentInnerText,
                     uint64_t /* requestId */,
                     base::string16 /* innerText */)
 
-IPC_MESSAGE_ROUTED1(RenderViewObserverQt_SetBackgroundColor,
-                    uint32_t /* color */)
-
 IPC_MESSAGE_ROUTED0(RenderViewObserverHostQt_DidFirstVisuallyNonEmptyLayout)
 
 //-----------------------------------------------------------------------------
diff --git a/src/core/core_module.pro b/src/core/core_module.pro
index 4b9268e1a..d7e2ab8da 100644
--- a/src/core/core_module.pro
+++ b/src/core/core_module.pro
@@ -107,7 +107,7 @@ resources.files = $$REPACK_DIR/qtwebengine_resources.pak \
 
 icu.files = $$OUT_PWD/$$getConfigDir()/icudtl.dat
 
-!debug_and_release|!build_all|CONFIG(release, debug|release) {
+!qtConfig(debug_and_release)|!qtConfig(build_all)|CONFIG(release, debug|release) {
     qtConfig(framework) {
         locales.version = Versions
         locales.path = Resources/qtwebengine_locales
@@ -146,7 +146,7 @@ icu.files = $$OUT_PWD/$$getConfigDir()/icudtl.dat
     }
 }
 
-!build_pass:debug_and_release {
+!build_pass:qtConfig(debug_and_release) {
     # Special GNU make target that ensures linking isn't done for both debug and release builds
     # at the same time.
     notParallel.target = .NOTPARALLEL
diff --git a/src/core/render_widget_host_view_qt.cpp b/src/core/render_widget_host_view_qt.cpp
index e9be587cf..7a5118837 100644
--- a/src/core/render_widget_host_view_qt.cpp
+++ b/src/core/render_widget_host_view_qt.cpp
@@ -48,6 +48,7 @@
 #include "touch_selection_controller_client_qt.h"
 #include "touch_selection_menu_controller.h"
 #include "type_conversion.h"
+#include "web_contents_adapter.h"
 #include "web_contents_adapter_client.h"
 #include "web_event_factory.h"
 
@@ -488,23 +489,20 @@ gfx::Rect RenderWidgetHostViewQt::GetViewBounds()
 
 void RenderWidgetHostViewQt::UpdateBackgroundColor()
 {
+    DCHECK(GetBackgroundColor());
+    SkColor color = *GetBackgroundColor();
+
+    m_delegate->setClearColor(toQt(color));
+
     if (m_enableViz) {
-        DCHECK(GetBackgroundColor());
-        SkColor color = *GetBackgroundColor();
         bool opaque = SkColorGetA(color) == SK_AlphaOPAQUE;
         m_rootLayer->SetFillsBoundsOpaquely(opaque);
         m_rootLayer->SetColor(color);
         m_uiCompositor->SetBackgroundColor(color);
-        m_delegate->setClearColor(toQt(color));
-        host()->Send(new RenderViewObserverQt_SetBackgroundColor(host()->GetRoutingID(), color));
-        return;
     }
 
-    auto color = GetBackgroundColor();
-    if (color) {
-        m_delegate->setClearColor(toQt(*color));
-        host()->Send(new RenderViewObserverQt_SetBackgroundColor(host()->GetRoutingID(), *color));
-    }
+    content::RenderViewHost *rvh = content::RenderViewHost::From(host());
+    host()->Send(new RenderViewObserverQt_SetBackgroundColor(rvh->GetRoutingID(), color));
 }
 
 // Return value indicates whether the mouse is locked successfully or not.
diff --git a/src/core/web_engine_context.cpp b/src/core/web_engine_context.cpp
index c34d3c612..286842a20 100644
--- a/src/core/web_engine_context.cpp
+++ b/src/core/web_engine_context.cpp
@@ -49,6 +49,9 @@
 #include "base/task/sequence_manager/thread_controller_with_message_pump_impl.h"
 #include "base/threading/thread_restrictions.h"
 #include "cc/base/switches.h"
+#include "content/gpu/gpu_child_thread.h"
+#include "content/browser/compositor/surface_utils.h"
+#include "components/viz/host/host_frame_sink_manager.h"
 #if QT_CONFIG(webengine_printing_and_pdf)
 #include "chrome/browser/printing/print_job_manager.h"
 #include "components/printing/browser/features.h"
@@ -211,6 +214,26 @@ bool usingSoftwareDynamicGL()
 #endif
 }
 
+static bool waitForViz = false;
+static void completeVizCleanup()
+{
+    waitForViz = false;
+}
+
+static void cleanupVizProcess()
+{
+    auto gpuChildThread = content::GpuChildThread::instance();
+    if (!gpuChildThread)
+        return;
+    auto vizMain = gpuChildThread->viz_main();
+    auto vizCompositorThreadRunner = vizMain->viz_compositor_thread_runner();
+    if (!vizCompositorThreadRunner)
+        return;
+    waitForViz = true;
+    content::GetHostFrameSinkManager()->SetConnectionLostCallback(base::DoNothing());
+    vizCompositorThreadRunner->CleanupForShutdown(base::BindOnce(&completeVizCleanup));
+}
+
 scoped_refptr<QtWebEngineCore::WebEngineContext> WebEngineContext::m_handle;
 bool WebEngineContext::m_destroyed = false;
 
@@ -257,14 +280,21 @@ void WebEngineContext::destroy()
     if (m_devtoolsServer)
         m_devtoolsServer->stop();
 
-    // Normally the GPU thread is shut down when the GpuProcessHost is destroyed
-    // on IO thread (triggered by ~BrowserMainRunner). But by that time the UI
-    // task runner is not working anymore so we need to do this earlier.
-    destroyGpuProcess(m_threadedGpu);
 
     base::MessagePump::Delegate *delegate =
             static_cast<base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl *>(
                 m_runLoop->delegate_);
+    // Normally the GPU thread is shut down when the GpuProcessHost is destroyed
+    // on IO thread (triggered by ~BrowserMainRunner). But by that time the UI
+    // task runner is not working anymore so we need to do this earlier.
+    if (features::IsVizDisplayCompositorEnabled()) {
+        cleanupVizProcess();
+        while (waitForViz) {
+            while (delegate->DoWork()){}
+            QThread::msleep(50);
+        }
+    }
+    destroyGpuProcess();
     // Flush the UI message loop before quitting.
     while (delegate->DoWork()) { }
 
@@ -412,8 +442,7 @@ static void appendToFeatureSwitch(base::CommandLine *commandLine, const char *fe
 }
 
 WebEngineContext::WebEngineContext()
-    : m_threadedGpu(true)
-    , m_mainDelegate(new ContentMainDelegateQt)
+    : m_mainDelegate(new ContentMainDelegateQt)
     , m_globalQObject(new QObject())
 {
 #if defined(Q_OS_MACOS)
@@ -515,13 +544,13 @@ WebEngineContext::WebEngineContext()
     if (isDesktopGLOrSoftware || isGLES2Context)
         parsedCommandLine->AppendSwitch(switches::kDisableES3GLContext);
 #endif
-
+    bool threadedGpu = false;
 #ifndef QT_NO_OPENGL
-    m_threadedGpu = QOpenGLContext::supportsThreadedOpenGL();
+    threadedGpu = QOpenGLContext::supportsThreadedOpenGL();
 #endif
-    m_threadedGpu = m_threadedGpu && !qEnvironmentVariableIsSet(kDisableInProcGpuThread);
+    threadedGpu = threadedGpu && !qEnvironmentVariableIsSet(kDisableInProcGpuThread);
 
-    bool enableViz = ((m_threadedGpu && !parsedCommandLine->HasSwitch("disable-viz-display-compositor"))
+    bool enableViz = ((threadedGpu && !parsedCommandLine->HasSwitch("disable-viz-display-compositor"))
                       || parsedCommandLine->HasSwitch("enable-viz-display-compositor"));
     parsedCommandLine->RemoveSwitch("disable-viz-display-compositor");
     parsedCommandLine->RemoveSwitch("enable-viz-display-compositor");
@@ -660,7 +689,7 @@ WebEngineContext::WebEngineContext()
         parsedCommandLine->AppendSwitch(switches::kDisableGpu);
     }
 
-    registerMainThreadFactories(m_threadedGpu);
+    registerMainThreadFactories(threadedGpu);
 
     SetContentClient(new ContentClientQt);
 
diff --git a/src/core/web_engine_context.h b/src/core/web_engine_context.h
index edced9b42..ac0536596 100644
--- a/src/core/web_engine_context.h
+++ b/src/core/web_engine_context.h
@@ -129,9 +129,8 @@ private:
     ~WebEngineContext();
 
     static void registerMainThreadFactories(bool threaded);
-    static void destroyGpuProcess(bool threaded);
+    static void destroyGpuProcess();
 
-    bool m_threadedGpu;
     std::unique_ptr<base::RunLoop> m_runLoop;
     std::unique_ptr<ContentMainDelegateQt> m_mainDelegate;
     std::unique_ptr<content::ContentMainRunner> m_contentRunner;
diff --git a/src/core/web_engine_context_threads.cpp b/src/core/web_engine_context_threads.cpp
index f0f055676..c7440dd3f 100644
--- a/src/core/web_engine_context_threads.cpp
+++ b/src/core/web_engine_context_threads.cpp
@@ -92,20 +92,6 @@ struct GpuThreadControllerQt : content::GpuThreadController
         s_gpuProcess->set_main_thread(childThread);
     }
 
-    static void cleanupVizProcess()
-    {
-        auto gpuChildThread = content::GpuChildThread::instance();
-        if (!gpuChildThread)
-            return;
-        auto vizMain = gpuChildThread->viz_main();
-        auto vizCompositorThreadRunner = vizMain->viz_compositor_thread_runner();
-        if (!vizCompositorThreadRunner)
-            return;
-        QEventLoop loop;
-        vizCompositorThreadRunner->CleanupForShutdown(base::BindOnce(&QEventLoop::quit, base::Unretained(&loop)));
-        loop.exec();
-    }
-
     static void destroyGpuProcess()
     {
         DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
@@ -133,10 +119,8 @@ static std::unique_ptr<content::GpuThreadController> createGpuThreadController(
 }
 
 // static
-void WebEngineContext::destroyGpuProcess(bool threaded)
+void WebEngineContext::destroyGpuProcess()
 {
-    if (!threaded)
-        GpuThreadControllerQt::cleanupVizProcess();
     GpuThreadControllerQt::destroyGpuProcess();
 }
 
diff --git a/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp b/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
index d0453e1e6..94ce92e40 100644
--- a/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
+++ b/tests/auto/widgets/qwebenginepage/tst_qwebenginepage.cpp
@@ -226,6 +226,7 @@ private Q_SLOTS:
 
     void customUserAgentInNewTab();
     void renderProcessCrashed();
+    void backgroundColor();
 
 private:
     static QPoint elementCenter(QWebEnginePage *page, const QString &id);
@@ -4370,6 +4371,43 @@ void tst_QWebEnginePage::renderProcessCrashed()
             status == QWebEnginePage::AbnormalTerminationStatus);
 }
 
+void tst_QWebEnginePage::backgroundColor()
+{
+    QWebEngineProfile profile;
+    QWebEngineView view;
+    QWebEnginePage *page = new QWebEnginePage(&profile, &view);
+
+    view.resize(640, 480);
+    view.show();
+    QPoint center(view.size().width() / 2, view.size().height() / 2);
+
+    QCOMPARE(page->backgroundColor(), Qt::white);
+    QTRY_COMPARE(view.grab().toImage().pixelColor(center), Qt::white);
+
+    page->setBackgroundColor(Qt::red);
+    view.setPage(page);
+
+    QCOMPARE(page->backgroundColor(), Qt::red);
+    QTRY_COMPARE(view.grab().toImage().pixelColor(center), Qt::red);
+
+    page->setHtml(QString("<html>"
+                          "<head><style>html, body { margin:0; padding:0; }</style></head>"
+                          "<body><div style=\"width:100%; height:10px; background-color:black\"/></body>"
+                          "</html>"));
+    QSignalSpy spyFinished(page, &QWebEnginePage::loadFinished);
+    QVERIFY(spyFinished.wait());
+    // Make sure the page is rendered and the test is not grabbing the color of the RenderWidgetHostViewQtDelegateWidget.
+    QTRY_COMPARE(view.grab().toImage().pixelColor(QPoint(5, 5)), Qt::black);
+
+    QCOMPARE(page->backgroundColor(), Qt::red);
+    QCOMPARE(view.grab().toImage().pixelColor(center), Qt::red);
+
+    page->setBackgroundColor(Qt::green);
+
+    QCOMPARE(page->backgroundColor(), Qt::green);
+    QTRY_COMPARE(view.grab().toImage().pixelColor(center), Qt::green);
+}
+
 static QByteArrayList params = {QByteArrayLiteral("--use-fake-device-for-media-stream")};
 W_QTEST_MAIN(tst_QWebEnginePage, params)