import webkit2gtk3-2.36.7-1.el8_7.1

This commit is contained in:
CentOS Sources 2023-01-11 04:34:11 -05:00 committed by Stepan Oksanichenko
parent b492ea06be
commit 303423e441
2 changed files with 121 additions and 3 deletions

View File

@ -0,0 +1,78 @@
From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001
From: Mark Lam <mark.lam@apple.com>
Date: Mon, 19 Dec 2022 17:32:15 -0800
Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1).
rdar://102531234
The provenType filtering in FTL's speculateRealNumber is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=248266
<rdar://problem/102531234>
Reviewed by Justin Michaud.
speculateRealNumber does a doubleEqual compare, which filters out double values which
are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
a proven type of
{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
which yields
{ SpecInt32Only }.
As a result, the compiler will think that that isNotIn32() check will always fail. This
is not correct if the actual incoming value for that edge is actually a PureNaN. In this
case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
the isNotInt32() check will always fail and elide the check altogether.
In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
* JSTests/stress/speculate-real-number-in-object-is.js: Added.
(test.object_is_opt):
(test):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
Canonical link: https://commits.webkit.org/258113@main
---
.../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
2 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
index 3ba2d21b8072..18d13f1941bb 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END
LValue value = lowJSValue(edge, ManualOperandSpeculation);
LValue doubleValue = unboxDouble(value);
- LBasicBlock intCase = m_out.newBlock();
+ LBasicBlock intOrNaNCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
m_out.branch(
m_out.doubleEqual(doubleValue, doubleValue),
- usually(continuation), rarely(intCase));
+ usually(continuation), rarely(intOrNaNCase));
- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
+ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
typeCheck(
jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
+ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);

View File

@ -12,7 +12,7 @@
Name: webkit2gtk3 Name: webkit2gtk3
Version: 2.36.7 Version: 2.36.7
Release: 1%{?dist} Release: 1%{?dist}.1
Summary: GTK Web content engine library Summary: GTK Web content engine library
License: LGPLv2 License: LGPLv2
@ -34,6 +34,9 @@ Patch1: aarch64-page-size.patch
# https://bugs.webkit.org/show_bug.cgi?id=235367 # https://bugs.webkit.org/show_bug.cgi?id=235367
Patch2: icu60.patch Patch2: icu60.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
Patch3: CVE-2022-42856.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: cmake BuildRequires: cmake
BuildRequires: flex BuildRequires: flex
@ -303,9 +306,46 @@ export NINJA_STATUS="[%f/%t][%e] "
%endif %endif
%changelog %changelog
* Fri Sep 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1 * Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
- Add patch for CVE-2022-42856
Resolves: #2153735
* Wed Aug 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1
- Update to 2.36.7 - Update to 2.36.7
Related: #2123429 Related: #2061994
* Tue Aug 09 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.6-1
- Update to 2.36.6
Related: #2061994
* Tue Aug 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-2
- Fix Eclipse after update to 2.36.5
Related: #2061994
* Thu Jul 28 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-1
- Update to 2.36.5
Related: #2061994
Resolves: #2099334
* Tue Jul 05 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.4-1
- Update to 2.36.4
Related: #2061994
* Thu Jun 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.3-1
- Update to 2.36.3
- Related: #2061994
- Resolves: #2092748
* Wed May 18 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.2-1
- Update to 2.36.2
Related: #2061994
* Thu Apr 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.1-1
- Update to 2.36.1
Related: #2061994
- Resolves: #2075492
- Resolves: #2075494
- Resolves: #2075496
* Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1 * Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1
- Update to 2.34.6 - Update to 2.34.6