- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue (bsc#1219113 CVE-2024-23222).

OBS-URL: https://build.opensuse.org/request/show/1141336
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/webkit2gtk3?expand=0&rev=440
177 lines
8.4 KiB
Diff
From 0e5a485821858b7acb5c7be586c177b15ae14a91 Mon Sep 17 00:00:00 2001
From: Dan Robson <dan_robson@apple.com>
Date: Fri, 5 Jan 2024 15:44:27 -0800
Subject: [PATCH] [JSC] DFG constant property load should check the validity at
 the main thread

This webkitglib/2.42 backport commit squashes changes from the following
three Safari commits, which add and then remove a considerable amount of
code. It's much simpler if we take the changes all together as one.

Cherry-pick 267815.671@safari-7617.2.4.11-branch (61d47f64edd9). https://bugs.webkit.org/show_bug.cgi?id=267134

Apply patch. rdar://120560604

[JSC] DFG constant property load should check the validity at the main thread
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

Consider the following case,

CheckStructure O, S1 | S3
GetByOffset O, offset

And S1 -> S2 -> S3 structure transition happens.
By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
If we change O to S3 before running the code, CheckStructure passes and we can use a value loaded from O + S2.

1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens.
So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
And at the end of compilation, in the main thread, we check that this assumption is still met.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
(JSC::DFG::DesiredObjectProperties::addLazily):
(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:

Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Cherry-pick 31601205b6f3. https://bugs.webkit.org/show_bug.cgi?id=267134

[JSC] DFG constant property load should check the validity at the main thread
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

Consider the following case,

CheckStructure O, S1 | S3
GetByOffset O, offset

And S1 -> S2 -> S3 structure transition happens.
By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
If we change O to S3 before running the code, CheckStructure passes and we can use a value loaded from O + S2.

1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens.
So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
And at the end of compilation, in the main thread, we check that this assumption is still met.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
(JSC::DFG::DesiredObjectProperties::addLazily):
(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:

Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.672@safari-7617.2.4.11-branch

Cherry-pick a8b53bc4d7b3. https://bugs.webkit.org/show_bug.cgi?id=267134

[JSC] Remove DFGDesiredObjectProperties
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

When we limit the structure to only one, there is no way to change the property without firing
the property replacement watchpoint while keeping the object's structure as specified. So we remove DFGDesiredObjectProperties.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Removed.
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Removed.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:

Canonical link: https://commits.webkit.org/272448.8@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.673@safari-7617.2.4.11-branch
---
Source/JavaScriptCore/dfg/DFGGraph.cpp | 35 +++++++++++++++++++++++---
1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp
index fe7855e8cd77..c4c93c04fd44 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.cpp
+++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -1341,12 +1341,39 @@ JSValue Graph::tryGetConstantProperty(
// incompatible with the getDirect we're trying to do. The easiest way to do that is to
// determine if the structure belongs to the proven set.
- Locker cellLock { object->cellLock() };
- Structure* structure = object->structure();
- if (!structureSet.toStructureSet().contains(structure))
+ JSValue result;
+ auto set = structureSet.toStructureSet();
+ {
+ Locker cellLock { object->cellLock() };
+ Structure* structure = object->structure();
+ if (!set.contains(structure))
+ return JSValue();
+ result = object->getDirectConcurrently(cellLock, structure, offset);
+ }
+
+ if (!result)
+ return JSValue();
+
+ // If all structures are watched, we don't need to consider whether object transitions and changes the value.
+ // If the object gets transition while compiling, then it invalidates the code.
+ bool allAreWatched = true;
+ for (unsigned i = structureSet.size(); i--;) {
+ RegisteredStructure structure = structureSet[i];
+ if (!structure->dfgShouldWatch()) {
+ allAreWatched = false;
+ break;
+ }
+ }
+ if (allAreWatched)
+ return result;
+
+ // However, if structures transitions are not watched, then object can get to the one of the structures transitively while it is changing the value.
+ // But we can still optimize it if StructureSet is only one: in that case, there is no way to fulfill Structure requirement while changing the property
+ // and avoiding the replacement watchpoint firing.
+ if (structureSet.size() != 1)
return JSValue();
- return object->getDirectConcurrently(cellLock, structure, offset);
+ return result;
}
JSValue Graph::tryGetConstantProperty(JSValue base, Structure* structure, PropertyOffset offset)
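Review bot: the `allAreWatched` loop only evaluates the predicate `structure->dfgShouldWatch()` for each member of `structureSet`, yet the comment directly above it ("If the object gets transition while compiling, then it invalidates the code.") states an outcome that nothing in this hunk establishes: no watchpoint is installed here, so the safety of `return result;` in the all-watched branch depends on the caller having registered transition watchpoints for every structure in the set it proved for CheckStructure, exactly as the commit message's case 1 argues. Please make that dependency explicit in the comment, e.g. "...because the CheckStructure that produced this set registers a transition watchpoint on every structure for which dfgShouldWatch() is true", so a later reader does not take the loop itself as the guarantee. The single-structure branch is already documented well: the text "there is no way to fulfill Structure requirement while changing the property and avoiding the replacement watchpoint firing" names the replacement watchpoint as the protection, which matches the third squashed commit's rationale for dropping DFGDesiredObjectProperties. Minor: "if structures transitions are not watched" should read "if structure transitions are not watched".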
--
2.43.0
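The race the commit message describes, and the decision the patched `Graph::tryGetConstantProperty` makes, modelled as a small C++ simulation. This is an added example and not WebKit's code: `Structure`, `JSObject`, `StructureSet`, the `watched` flag standing in for `dfgShouldWatch()`, the `Compilation` record, and the `transitionTo` / `replaceProperty` / `runCompiledLoad` helpers are simplified stand-ins that I constructed to show how a multi-structure proven set lets a property change at the unwatched intermediate structure S2 go unnoticed, and why restricting constant folding to fully watched sets or a single structure closes that window.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <vector>

// Toy stand-ins for JSC's Structure and JSObject (names borrowed from the patch, types simplified).
struct Structure {
    int id;
    bool watched;  // models dfgShouldWatch(): the DFG can hold a watchpoint on transitions away from it
};

struct JSObject {
    const Structure* structure;
    std::int64_t propertyAtOffset;  // the single property slot that GetByOffset reads
};

using StructureSet = std::vector<const Structure*>;

static bool contains(const StructureSet& set, const Structure* s) {
    return std::find(set.begin(), set.end(), s) != set.end();
}

// Pre-patch decision: fold whenever the object's current structure is in the proven set.
std::optional<std::int64_t> tryGetConstantPropertyOld(const JSObject& o, const StructureSet& set) {
    if (!contains(set, o.structure))
        return std::nullopt;
    return o.propertyAtOffset;
}

// Post-patch decision (the logic of the hunk): fold only if every structure in the set is watched,
// or if the set holds exactly one structure (its replacement watchpoint then covers the property).
std::optional<std::int64_t> tryGetConstantPropertyNew(const JSObject& o, const StructureSet& set) {
    if (!contains(set, o.structure))
        return std::nullopt;
    std::int64_t result = o.propertyAtOffset;
    bool allAreWatched = std::all_of(set.begin(), set.end(), [](const Structure* s) { return s->watched; });
    if (allAreWatched)
        return result;
    if (set.size() != 1)
        return std::nullopt;
    return result;
}

// A compiled "CheckStructure O, S1 | S3; GetByOffset O, offset" pair plus the watchpoints it relies on.
struct Compilation {
    StructureSet provenSet;                   // the structures CheckStructure proved
    std::optional<std::int64_t> foldedValue;  // constant baked in by the compiler thread, if any
    bool invalidated = false;                 // a watchpoint the compiled code depends on fired
};

// Mutator transitions the object. A transition watchpoint only exists for watched structures
// that the compiled code registered, so only those jettison the code.
void transitionTo(JSObject& o, const Structure* next, Compilation& plan) {
    if (o.structure->watched && contains(plan.provenSet, o.structure))
        plan.invalidated = true;
    o.structure = next;
}

// Mutator replaces the property in place. The replacement watchpoint belongs to the current
// structure, so it only protects compiled code whose proven set includes that structure.
void replaceProperty(JSObject& o, std::int64_t value, Compilation& plan) {
    if (contains(plan.provenSet, o.structure))
        plan.invalidated = true;
    o.propertyAtOffset = value;
}

// What the compiled load yields: nullopt if the code was jettisoned or CheckStructure deopts,
// otherwise the folded constant (if any) or a real load from the object.
std::optional<std::int64_t> runCompiledLoad(const JSObject& o, const Compilation& plan) {
    if (plan.invalidated || !contains(plan.provenSet, o.structure))
        return std::nullopt;
    if (plan.foldedValue)
        return *plan.foldedValue;
    return o.propertyAtOffset;
}

struct Outcome {
    std::optional<std::int64_t> observed;  // value the compiled code uses
    std::int64_t actual;                   // value really stored in the object
};

// The commit message's race: proven set {S1, S3}; after the compiler snapshot the object goes
// S1 -> S2 -> S3 and the property is replaced while at S2, where no registered watchpoint covers it.
Outcome raceScenario(bool withFix, bool transitionsWatched) {
    Structure s1{1, transitionsWatched}, s2{2, false}, s3{3, transitionsWatched};
    JSObject o{&s1, 10};
    Compilation plan;
    plan.provenSet = {&s1, &s3};
    plan.foldedValue = withFix ? tryGetConstantPropertyNew(o, plan.provenSet)
                               : tryGetConstantPropertyOld(o, plan.provenSet);
    transitionTo(o, &s2, plan);
    replaceProperty(o, 20, plan);
    transitionTo(o, &s3, plan);
    return {runCompiledLoad(o, plan), o.propertyAtOffset};
}

// The single-structure case the patch keeps: with only S1 proven, replacing the property while the
// object is still S1 fires S1's replacement watchpoint, so the stale constant never executes.
Outcome singleStructureScenario() {
    Structure s1{1, false};
    JSObject o{&s1, 10};
    Compilation plan;
    plan.provenSet = {&s1};
    plan.foldedValue = tryGetConstantPropertyNew(o, plan.provenSet);
    replaceProperty(o, 20, plan);
    return {runCompiledLoad(o, plan), o.propertyAtOffset};
}
```

Run with unwatched S1 and S3, the old decision bakes in 10 while the object holds 20 and CheckStructure still passes at S3, which is the stale-read condition behind the type confusion; the patched decision declines to fold for a two-element unwatched set, and when both structures are watched the S1 -> S2 transition jettisons the code before it can run.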