- Add patch for CVE-2023-42917
75e17ac97c
@ -1,2 +1,2 @@
|
||||
SOURCES/webkitgtk-2.38.5.tar.xz
|
||||
SOURCES/webkitgtk-2.40.5.tar.xz
|
||||
SOURCES/webkitgtk-keys.gpg
|
||||
|
@ -1,2 +1,2 @@
|
||||
1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
|
||||
2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz
|
||||
cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
|
||||
|
@ -1,167 +0,0 @@
|
||||
From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Saboff <msaboff@apple.com>
|
||||
Date: Mon, 22 May 2023 13:40:46 -0700
|
||||
Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
|
||||
https://bugs.webkit.org/show_bug.cgi?id=254930
|
||||
|
||||
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
|
||||
https://bugs.webkit.org/show_bug.cgi?id=254930
|
||||
rdar://107436732
|
||||
|
||||
Reviewed by Alexey Shvayka.
|
||||
|
||||
Fixed two issues:
|
||||
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
|
||||
characters. Since it is an assertion, we shouldn't advance the character position.
|
||||
Made the same fix to matchAssertionEOL().
|
||||
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
|
||||
a non-BMP character for the case where the RegExp match is empty.
|
||||
|
||||
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
|
||||
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
|
||||
(JSC::replaceUsingRegExpSearch):
|
||||
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
|
||||
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
|
||||
(JSC::Yarr::Interpreter::matchAssertionBOL):
|
||||
(JSC::Yarr::Interpreter::matchAssertionEOL):
|
||||
|
||||
Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
|
||||
Canonical link: https://commits.webkit.org/264365@main
|
||||
---
|
||||
...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
|
||||
.../runtime/StringPrototype.cpp | 10 ++++++
|
||||
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++--
|
||||
3 files changed, 79 insertions(+), 2 deletions(-)
|
||||
create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
||||
|
||||
diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
||||
new file mode 100644
|
||||
index 000000000000..25b1a70b81d2
|
||||
--- /dev/null
|
||||
+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
||||
@@ -0,0 +1,35 @@
|
||||
+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
|
||||
+// and that we do advance in String.replace() when processing an empty match.
|
||||
+
|
||||
+let expected = "|";
|
||||
+
|
||||
+for (let i = 0; i < 11; ++i)
|
||||
+ expected += String.fromCodePoint(128512) + '|';
|
||||
+
|
||||
+let str = String.fromCodePoint(128512).repeat(11);
|
||||
+
|
||||
+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
|
||||
+ return '|';
|
||||
+});
|
||||
+
|
||||
+
|
||||
+if (result1 !== expected)
|
||||
+ print("FAILED: \"" + result1 + " !== " + expected + '"');
|
||||
+
|
||||
+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
|
||||
+ return '|';
|
||||
+});
|
||||
+
|
||||
+if (result2 !== expected)
|
||||
+ print("FAILED: \"" + result2 + " !== " + expected + '"');
|
||||
+
|
||||
+expected = "|" + String.fromCodePoint(128512);
|
||||
+
|
||||
+str = String.fromCodePoint(128512).repeat(1);
|
||||
+
|
||||
+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
|
||||
+ return '|';
|
||||
+});
|
||||
+
|
||||
+if (result3 !== expected)
|
||||
+ print("FAILED: \"" + result3 + " !== " + expected + '"');
|
||||
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
||||
index 08104b1dbfa9..459295f728a7 100644
|
||||
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
||||
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
||||
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
|
||||
startPosition++;
|
||||
if (startPosition > sourceLen)
|
||||
break;
|
||||
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
|
||||
+ startPosition++;
|
||||
+ if (startPosition > sourceLen)
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
|
||||
startPosition++;
|
||||
if (startPosition > sourceLen)
|
||||
break;
|
||||
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
|
||||
+ startPosition++;
|
||||
+ if (startPosition > sourceLen)
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
} while (global);
|
||||
}
|
||||
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
||||
index 95a848a1a66d..b1a22b253866 100644
|
||||
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
||||
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
||||
@@ -209,6 +209,38 @@ public:
|
||||
}
|
||||
return result;
|
||||
}
|
||||
+
|
||||
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
|
||||
+ {
|
||||
+ RELEASE_ASSERT(pos >= negativePositionOffest);
|
||||
+ unsigned p = pos - negativePositionOffest;
|
||||
+ ASSERT(p < length);
|
||||
+ int result = input[p];
|
||||
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
|
||||
+ if (atEnd())
|
||||
+ return -1;
|
||||
+
|
||||
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
|
||||
+ }
|
||||
+ return result;
|
||||
+ }
|
||||
+
|
||||
+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
|
||||
+ // We don't want any side effects like the next() in readChecked() above.
|
||||
+ int readForCharacterDump(unsigned negativePositionOffest)
|
||||
+ {
|
||||
+ RELEASE_ASSERT(pos >= negativePositionOffest);
|
||||
+ unsigned p = pos - negativePositionOffest;
|
||||
+ ASSERT(p < length);
|
||||
+ int result = input[p];
|
||||
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
|
||||
+ if (atEnd())
|
||||
+ return -1;
|
||||
+
|
||||
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
|
||||
+ }
|
||||
+ return result;
|
||||
+ }
|
||||
|
||||
int readSurrogatePairChecked(unsigned negativePositionOffset)
|
||||
{
|
||||
@@ -482,13 +514,13 @@ public:
|
||||
|
||||
bool matchAssertionBOL(ByteTerm& term)
|
||||
{
|
||||
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
|
||||
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
|
||||
}
|
||||
|
||||
bool matchAssertionEOL(ByteTerm& term)
|
||||
{
|
||||
if (term.inputPosition)
|
||||
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
|
||||
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
|
||||
|
||||
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
|
||||
}
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,648 +0,0 @@
|
||||
From b315f620c349e001a697dd7d4c501bdd07fe18c5 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Lam <mark.lam@apple.com>
|
||||
Date: Fri, 31 Mar 2023 10:49:49 -0700
|
||||
Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977
|
||||
|
||||
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
|
||||
https://bugs.webkit.org/show_bug.cgi?id=254797
|
||||
rdar://107369977
|
||||
|
||||
Reviewed by Justin Michaud.
|
||||
|
||||
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
|
||||
in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot
|
||||
scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
|
||||
template class that offer 2 enhancements:
|
||||
|
||||
1. It can be configured to store specific types of cell pointer types. This avoids us
|
||||
having to constantly cast JSValues into these pointers.
|
||||
|
||||
2. It allows us to specify the type of OverflowHandler we want to use. In this case,
|
||||
we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes
|
||||
RecordOnOverflow. This allows us to avoid having to manually check for overflows,
|
||||
or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be
|
||||
used as a drop in replacement for Vector.
|
||||
|
||||
And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
|
||||
with MarkedVector instead.
|
||||
|
||||
* Source/JavaScriptCore/heap/Heap.cpp:
|
||||
(JSC::Heap::addCoreConstraints):
|
||||
* Source/JavaScriptCore/heap/Heap.h:
|
||||
* Source/JavaScriptCore/heap/HeapInlines.h:
|
||||
* Source/JavaScriptCore/runtime/ArgList.cpp:
|
||||
(JSC::MarkedVectorBase::addMarkSet):
|
||||
(JSC::MarkedVectorBase::markLists):
|
||||
(JSC::MarkedVectorBase::slowEnsureCapacity):
|
||||
(JSC::MarkedVectorBase::expandCapacity):
|
||||
(JSC::MarkedVectorBase::slowAppend):
|
||||
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
|
||||
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
|
||||
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
|
||||
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
|
||||
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
|
||||
* Source/JavaScriptCore/runtime/ArgList.h:
|
||||
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
|
||||
(JSC::MarkedVectorWithSize::at const):
|
||||
(JSC::MarkedVectorWithSize::clear):
|
||||
(JSC::MarkedVectorWithSize::append):
|
||||
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
|
||||
(JSC::MarkedVectorWithSize::last const):
|
||||
(JSC::MarkedVectorWithSize::takeLast):
|
||||
(JSC::MarkedVectorWithSize::ensureCapacity):
|
||||
(JSC::MarkedVectorWithSize::hasOverflowed):
|
||||
(JSC::MarkedVectorWithSize::fill):
|
||||
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
|
||||
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
|
||||
(WebCore::AudioWorkletProcessor::buildJSArguments):
|
||||
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
|
||||
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
|
||||
(WebCore::CloneDeserializer::deserialize):
|
||||
|
||||
Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch
|
||||
|
||||
Identifier: 259548.395@safari-7615.1.26.11-branch
|
||||
---
|
||||
Source/JavaScriptCore/heap/Heap.cpp | 4 +-
|
||||
Source/JavaScriptCore/heap/Heap.h | 8 +-
|
||||
Source/JavaScriptCore/heap/HeapInlines.h | 2 +-
|
||||
Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++--
|
||||
Source/JavaScriptCore/runtime/ArgList.h | 207 ++++++++++--------
|
||||
.../webaudio/AudioWorkletProcessor.cpp | 4 +-
|
||||
.../Modules/webaudio/AudioWorkletProcessor.h | 7 +-
|
||||
.../bindings/js/SerializedScriptValue.cpp | 11 +-
|
||||
8 files changed, 159 insertions(+), 130 deletions(-)
|
||||
|
||||
diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
|
||||
index 8a4c082cb36e..632b01f14546 100644
|
||||
--- a/Source/JavaScriptCore/heap/Heap.cpp
|
||||
+++ b/Source/JavaScriptCore/heap/Heap.cpp
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
|
||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
||||
* Copyright (C) 2007 Eric Seidel <eric@webkit.org>
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
@@ -2847,7 +2847,7 @@ void Heap::addCoreConstraints()
|
||||
|
||||
if (!m_markListSet.isEmpty()) {
|
||||
SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);
|
||||
- MarkedArgumentBufferBase::markLists(visitor, m_markListSet);
|
||||
+ MarkedVectorBase::markLists(visitor, m_markListSet);
|
||||
}
|
||||
|
||||
{
|
||||
diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
|
||||
index 418f24fd1212..8df576acf7f8 100644
|
||||
--- a/Source/JavaScriptCore/heap/Heap.h
|
||||
+++ b/Source/JavaScriptCore/heap/Heap.h
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
|
||||
* Copyright (C) 2001 Peter Kelly (pmk@post.com)
|
||||
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
|
||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
@@ -85,7 +85,7 @@ class MarkStackArray;
|
||||
class MarkStackMergingConstraint;
|
||||
class MarkedJSValueRefArray;
|
||||
class BlockDirectory;
|
||||
-class MarkedArgumentBufferBase;
|
||||
+class MarkedVectorBase;
|
||||
class MarkingConstraint;
|
||||
class MarkingConstraintSet;
|
||||
class MutatorScheduler;
|
||||
@@ -409,7 +409,7 @@ public:
|
||||
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();
|
||||
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();
|
||||
|
||||
- HashSet<MarkedArgumentBufferBase*>& markListSet();
|
||||
+ HashSet<MarkedVectorBase*>& markListSet();
|
||||
void addMarkedJSValueRefArray(MarkedJSValueRefArray*);
|
||||
|
||||
template<typename Functor> void forEachProtectedCell(const Functor&);
|
||||
@@ -778,7 +778,7 @@ private:
|
||||
size_t m_deprecatedExtraMemorySize { 0 };
|
||||
|
||||
ProtectCountSet m_protectedValues;
|
||||
- HashSet<MarkedArgumentBufferBase*> m_markListSet;
|
||||
+ HashSet<MarkedVectorBase*> m_markListSet;
|
||||
SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;
|
||||
|
||||
std::unique_ptr<MachineThreads> m_machineThreads;
|
||||
diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
|
||||
index 66d8317e317c..4d767a564d5f 100644
|
||||
--- a/Source/JavaScriptCore/heap/HeapInlines.h
|
||||
+++ b/Source/JavaScriptCore/heap/HeapInlines.h
|
||||
@@ -206,7 +206,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
|
||||
}
|
||||
}
|
||||
|
||||
-inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
|
||||
+inline HashSet<MarkedVectorBase*>& Heap::markListSet()
|
||||
{
|
||||
return m_markListSet;
|
||||
}
|
||||
diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp
|
||||
index f2815b80c8c7..a72dea74a56f 100644
|
||||
--- a/Source/JavaScriptCore/runtime/ArgList.cpp
|
||||
+++ b/Source/JavaScriptCore/runtime/ArgList.cpp
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
|
||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Library General Public
|
||||
@@ -27,7 +27,7 @@ using std::min;
|
||||
|
||||
namespace JSC {
|
||||
|
||||
-void MarkedArgumentBufferBase::addMarkSet(JSValue v)
|
||||
+void MarkedVectorBase::addMarkSet(JSValue v)
|
||||
{
|
||||
if (m_markSet)
|
||||
return;
|
||||
@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
|
||||
}
|
||||
|
||||
template<typename Visitor>
|
||||
-void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
|
||||
+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
|
||||
{
|
||||
ListSet::iterator end = markSet.end();
|
||||
for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
|
||||
- MarkedArgumentBufferBase* list = *it;
|
||||
+ MarkedVectorBase* list = *it;
|
||||
for (int i = 0; i < list->m_size; ++i)
|
||||
visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
|
||||
}
|
||||
}
|
||||
|
||||
-template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
|
||||
-template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
|
||||
+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
|
||||
+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
|
||||
|
||||
-void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
|
||||
+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
|
||||
{
|
||||
setNeedsOverflowCheck();
|
||||
auto checkedNewCapacity = CheckedInt32(requestedCapacity);
|
||||
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
|
||||
- return this->overflowed();
|
||||
- expandCapacity(checkedNewCapacity);
|
||||
+ return Status::Overflowed;
|
||||
+ return expandCapacity(checkedNewCapacity);
|
||||
}
|
||||
|
||||
-void MarkedArgumentBufferBase::expandCapacity()
|
||||
+auto MarkedVectorBase::expandCapacity() -> Status
|
||||
{
|
||||
setNeedsOverflowCheck();
|
||||
auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;
|
||||
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
|
||||
- return this->overflowed();
|
||||
- expandCapacity(checkedNewCapacity);
|
||||
+ return Status::Overflowed;
|
||||
+ return expandCapacity(checkedNewCapacity);
|
||||
}
|
||||
|
||||
-void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
|
||||
+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
|
||||
{
|
||||
setNeedsOverflowCheck();
|
||||
ASSERT(m_capacity < newCapacity);
|
||||
auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);
|
||||
if (UNLIKELY(checkedSize.hasOverflowed()))
|
||||
- return this->overflowed();
|
||||
+ return Status::Overflowed;
|
||||
EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
|
||||
if (!newBuffer)
|
||||
- return this->overflowed();
|
||||
+ return Status::Overflowed;
|
||||
for (int i = 0; i < m_size; ++i) {
|
||||
newBuffer[i] = m_buffer[i];
|
||||
addMarkSet(JSValue::decode(m_buffer[i]));
|
||||
@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
|
||||
|
||||
m_buffer = newBuffer;
|
||||
m_capacity = newCapacity;
|
||||
+ return Status::Success;
|
||||
}
|
||||
|
||||
-void MarkedArgumentBufferBase::slowAppend(JSValue v)
|
||||
+auto MarkedVectorBase::slowAppend(JSValue v) -> Status
|
||||
{
|
||||
ASSERT(m_size <= m_capacity);
|
||||
- if (m_size == m_capacity)
|
||||
- expandCapacity();
|
||||
- if (UNLIKELY(Base::hasOverflowed())) {
|
||||
- ASSERT(m_needsOverflowCheck);
|
||||
- return;
|
||||
+ if (m_size == m_capacity) {
|
||||
+ auto status = expandCapacity();
|
||||
+ if (status == Status::Overflowed) {
|
||||
+ ASSERT(m_needsOverflowCheck);
|
||||
+ return status;
|
||||
+ }
|
||||
}
|
||||
-
|
||||
slotFor(m_size) = JSValue::encode(v);
|
||||
++m_size;
|
||||
addMarkSet(v);
|
||||
+ return Status::Success;
|
||||
}
|
||||
|
||||
} // namespace JSC
|
||||
diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
|
||||
index 8ea9b0e308b8..01a6d5e0e5dc 100644
|
||||
--- a/Source/JavaScriptCore/runtime/ArgList.h
|
||||
+++ b/Source/JavaScriptCore/runtime/ArgList.h
|
||||
@@ -22,26 +22,27 @@
|
||||
#pragma once
|
||||
|
||||
#include "CallFrame.h"
|
||||
+#include "JSCast.h"
|
||||
#include <wtf/CheckedArithmetic.h>
|
||||
#include <wtf/ForbidHeapAllocation.h>
|
||||
#include <wtf/HashSet.h>
|
||||
|
||||
namespace JSC {
|
||||
|
||||
-class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {
|
||||
- WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);
|
||||
- WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);
|
||||
+class alignas(alignof(EncodedJSValue)) MarkedVectorBase {
|
||||
+ WTF_MAKE_NONCOPYABLE(MarkedVectorBase);
|
||||
+ WTF_MAKE_NONMOVABLE(MarkedVectorBase);
|
||||
WTF_FORBID_HEAP_ALLOCATION;
|
||||
friend class VM;
|
||||
friend class ArgList;
|
||||
|
||||
+protected:
|
||||
+ enum class Status { Success, Overflowed };
|
||||
public:
|
||||
- using Base = RecordOverflow;
|
||||
- typedef HashSet<MarkedArgumentBufferBase*> ListSet;
|
||||
+ typedef HashSet<MarkedVectorBase*> ListSet;
|
||||
|
||||
- ~MarkedArgumentBufferBase()
|
||||
+ ~MarkedVectorBase()
|
||||
{
|
||||
- ASSERT(!m_needsOverflowCheck);
|
||||
if (m_markSet)
|
||||
m_markSet->remove(this);
|
||||
|
||||
@@ -52,92 +53,20 @@ public:
|
||||
size_t size() const { return m_size; }
|
||||
bool isEmpty() const { return !m_size; }
|
||||
|
||||
- JSValue at(int i) const
|
||||
- {
|
||||
- if (i >= m_size)
|
||||
- return jsUndefined();
|
||||
-
|
||||
- return JSValue::decode(slotFor(i));
|
||||
- }
|
||||
-
|
||||
- void clear()
|
||||
- {
|
||||
- ASSERT(!m_needsOverflowCheck);
|
||||
- clearOverflow();
|
||||
- m_size = 0;
|
||||
- }
|
||||
-
|
||||
- enum OverflowCheckAction {
|
||||
- CrashOnOverflow,
|
||||
- WillCheckLater
|
||||
- };
|
||||
- template<OverflowCheckAction action>
|
||||
- void appendWithAction(JSValue v)
|
||||
- {
|
||||
- ASSERT(m_size <= m_capacity);
|
||||
- if (m_size == m_capacity || mallocBase()) {
|
||||
- slowAppend(v);
|
||||
- if (action == CrashOnOverflow)
|
||||
- RELEASE_ASSERT(!hasOverflowed());
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- slotFor(m_size) = JSValue::encode(v);
|
||||
- ++m_size;
|
||||
- }
|
||||
- void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
|
||||
- void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
|
||||
-
|
||||
void removeLast()
|
||||
{
|
||||
ASSERT(m_size);
|
||||
m_size--;
|
||||
}
|
||||
|
||||
- JSValue last()
|
||||
- {
|
||||
- ASSERT(m_size);
|
||||
- return JSValue::decode(slotFor(m_size - 1));
|
||||
- }
|
||||
-
|
||||
- JSValue takeLast()
|
||||
- {
|
||||
- JSValue result = last();
|
||||
- removeLast();
|
||||
- return result;
|
||||
- }
|
||||
-
|
||||
template<typename Visitor> static void markLists(Visitor&, ListSet&);
|
||||
|
||||
- void ensureCapacity(size_t requestedCapacity)
|
||||
- {
|
||||
- if (requestedCapacity > static_cast<size_t>(m_capacity))
|
||||
- slowEnsureCapacity(requestedCapacity);
|
||||
- }
|
||||
-
|
||||
- bool hasOverflowed()
|
||||
- {
|
||||
- clearNeedsOverflowCheck();
|
||||
- return Base::hasOverflowed();
|
||||
- }
|
||||
-
|
||||
void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
|
||||
|
||||
- template<typename Functor>
|
||||
- void fill(size_t count, const Functor& func)
|
||||
- {
|
||||
- ASSERT(!m_size);
|
||||
- ensureCapacity(count);
|
||||
- if (Base::hasOverflowed())
|
||||
- return;
|
||||
- m_size = count;
|
||||
- func(reinterpret_cast<JSValue*>(&slotFor(0)));
|
||||
- }
|
||||
-
|
||||
protected:
|
||||
// Constructor for a read-write list, to which you may append values.
|
||||
// FIXME: Remove all clients of this API, then remove this API.
|
||||
- MarkedArgumentBufferBase(size_t capacity)
|
||||
+ MarkedVectorBase(size_t capacity)
|
||||
: m_size(0)
|
||||
, m_capacity(capacity)
|
||||
, m_buffer(inlineBuffer())
|
||||
@@ -147,17 +76,16 @@ protected:
|
||||
|
||||
EncodedJSValue* inlineBuffer()
|
||||
{
|
||||
- return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));
|
||||
+ return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));
|
||||
}
|
||||
|
||||
-private:
|
||||
- void expandCapacity();
|
||||
- void expandCapacity(int newCapacity);
|
||||
- void slowEnsureCapacity(size_t requestedCapacity);
|
||||
+ Status expandCapacity();
|
||||
+ Status expandCapacity(int newCapacity);
|
||||
+ Status slowEnsureCapacity(size_t requestedCapacity);
|
||||
|
||||
void addMarkSet(JSValue);
|
||||
|
||||
- JS_EXPORT_PRIVATE void slowAppend(JSValue);
|
||||
+ JS_EXPORT_PRIVATE Status slowAppend(JSValue);
|
||||
|
||||
EncodedJSValue& slotFor(int item) const
|
||||
{
|
||||
@@ -172,11 +100,14 @@ private:
|
||||
}
|
||||
|
||||
#if ASSERT_ENABLED
|
||||
- void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
|
||||
+ void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }
|
||||
+ void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }
|
||||
void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }
|
||||
|
||||
bool m_needsOverflowCheck { false };
|
||||
+ bool m_overflowCheckEnabled { true };
|
||||
#else
|
||||
+ void disableNeedsOverflowCheck() { }
|
||||
void setNeedsOverflowCheck() { }
|
||||
void clearNeedsOverflowCheck() { }
|
||||
#endif // ASSERT_ENABLED
|
||||
@@ -186,22 +117,114 @@ private:
|
||||
ListSet* m_markSet;
|
||||
};
|
||||
|
||||
-template<size_t passedInlineCapacity = 8>
|
||||
-class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {
|
||||
+template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>
|
||||
+class MarkedVector : public OverflowHandler, public MarkedVectorBase {
|
||||
public:
|
||||
static constexpr size_t inlineCapacity = passedInlineCapacity;
|
||||
|
||||
- MarkedArgumentBufferWithSize()
|
||||
- : MarkedArgumentBufferBase(inlineCapacity)
|
||||
+ MarkedVector()
|
||||
+ : MarkedVectorBase(inlineCapacity)
|
||||
{
|
||||
ASSERT(inlineBuffer() == m_inlineBuffer);
|
||||
+ if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {
|
||||
+ // CrashOnOverflow handles overflows immediately. So, we do not
|
||||
+ // need to check for it after.
|
||||
+ disableNeedsOverflowCheck();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ auto at(int i) const -> decltype(auto)
|
||||
+ {
|
||||
+ if constexpr (std::is_same_v<T, JSValue>) {
|
||||
+ if (i >= m_size)
|
||||
+ return jsUndefined();
|
||||
+ return JSValue::decode(slotFor(i));
|
||||
+ } else {
|
||||
+ if (i >= m_size)
|
||||
+ return static_cast<T>(nullptr);
|
||||
+ return jsCast<T>(JSValue::decode(slotFor(i)).asCell());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ void clear()
|
||||
+ {
|
||||
+ ASSERT(!m_needsOverflowCheck);
|
||||
+ OverflowHandler::clearOverflow();
|
||||
+ m_size = 0;
|
||||
+ }
|
||||
+
|
||||
+ void append(T v)
|
||||
+ {
|
||||
+ ASSERT(m_size <= m_capacity);
|
||||
+ if (m_size == m_capacity || mallocBase()) {
|
||||
+ if (slowAppend(v) == Status::Overflowed)
|
||||
+ this->overflowed();
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ slotFor(m_size) = JSValue::encode(v);
|
||||
+ ++m_size;
|
||||
+ }
|
||||
+
|
||||
+ void appendWithCrashOnOverflow(T v)
|
||||
+ {
|
||||
+ append(v);
|
||||
+ if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)
|
||||
+ RELEASE_ASSERT(!this->hasOverflowed());
|
||||
+ }
|
||||
+
|
||||
+ auto last() const -> decltype(auto)
|
||||
+ {
|
||||
+ if constexpr (std::is_same_v<T, JSValue>) {
|
||||
+ ASSERT(m_size);
|
||||
+ return JSValue::decode(slotFor(m_size - 1));
|
||||
+ } else {
|
||||
+ ASSERT(m_size);
|
||||
+ return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ JSValue takeLast()
|
||||
+ {
|
||||
+ JSValue result = last();
|
||||
+ removeLast();
|
||||
+ return result;
|
||||
+ }
|
||||
+
|
||||
+ void ensureCapacity(size_t requestedCapacity)
|
||||
+ {
|
||||
+ if (requestedCapacity > static_cast<size_t>(m_capacity)) {
|
||||
+ if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)
|
||||
+ this->overflowed();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ bool hasOverflowed()
|
||||
+ {
|
||||
+ clearNeedsOverflowCheck();
|
||||
+ return OverflowHandler::hasOverflowed();
|
||||
+ }
|
||||
+
|
||||
+ template<typename Functor>
|
||||
+ void fill(size_t count, const Functor& func)
|
||||
+ {
|
||||
+ ASSERT(!m_size);
|
||||
+ ensureCapacity(count);
|
||||
+ if (OverflowHandler::hasOverflowed())
|
||||
+ return;
|
||||
+ m_size = count;
|
||||
+ func(reinterpret_cast<JSValue*>(&slotFor(0)));
|
||||
}
|
||||
|
||||
private:
|
||||
EncodedJSValue m_inlineBuffer[inlineCapacity] { };
|
||||
};
|
||||
|
||||
-using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;
|
||||
+template<size_t passedInlineCapacity>
|
||||
+class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {
|
||||
+};
|
||||
+
|
||||
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
|
||||
|
||||
class ArgList {
|
||||
WTF_MAKE_FAST_ALLOCATED;
|
||||
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
||||
index 13d04e3bdb3b..f827b2ec6a6b 100644
|
||||
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
||||
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2020 Apple Inc. All rights reserved.
|
||||
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -219,7 +219,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop
|
||||
ASSERT(!isMainThread());
|
||||
}
|
||||
|
||||
-void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
|
||||
+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
|
||||
{
|
||||
// For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.
|
||||
if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs)))
|
||||
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
||||
index 3f3d708c7ae4..b0bce3609198 100644
|
||||
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
||||
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (C) 2020 Apple Inc. All rights reserved.
|
||||
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -41,7 +41,8 @@
|
||||
|
||||
namespace JSC {
|
||||
class JSArray;
|
||||
-class MarkedArgumentBufferBase;
|
||||
+template<typename T, size_t, class> class MarkedVector;
|
||||
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
|
||||
}
|
||||
|
||||
namespace WebCore {
|
||||
@@ -71,7 +72,7 @@ public:
|
||||
|
||||
private:
|
||||
explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&);
|
||||
- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
|
||||
+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
|
||||
|
||||
AudioWorkletGlobalScope& m_globalScope;
|
||||
String m_name;
|
||||
diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
||||
index e0d4316a169f..5897e1066512 100644
|
||||
--- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
||||
+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
||||
@@ -540,6 +540,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;
|
||||
using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>;
|
||||
|
||||
class CloneBase {
|
||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
||||
protected:
|
||||
CloneBase(JSGlobalObject* lexicalGlobalObject)
|
||||
: m_lexicalGlobalObject(lexicalGlobalObject)
|
||||
@@ -617,6 +618,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8
|
||||
}
|
||||
|
||||
class CloneSerializer : CloneBase {
|
||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
||||
public:
|
||||
static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps,
|
||||
#if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS)
|
||||
@@ -2150,6 +2152,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
|
||||
}
|
||||
|
||||
class CloneDeserializer : CloneBase {
|
||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
||||
public:
|
||||
static String deserializeString(const Vector<uint8_t>& buffer)
|
||||
{
|
||||
@@ -3921,10 +3924,10 @@ DeserializationResult CloneDeserializer::deserialize()
|
||||
|
||||
Vector<uint32_t, 16> indexStack;
|
||||
Vector<Identifier, 16> propertyNameStack;
|
||||
- Vector<JSObject*, 32> outputObjectStack;
|
||||
- Vector<JSValue, 4> mapKeyStack;
|
||||
- Vector<JSMap*, 4> mapStack;
|
||||
- Vector<JSSet*, 4> setStack;
|
||||
+ MarkedVector<JSObject*, 32> outputObjectStack;
|
||||
+ MarkedVector<JSValue, 4> mapKeyStack;
|
||||
+ MarkedVector<JSMap*, 4> mapStack;
|
||||
+ MarkedVector<JSSet*, 4> setStack;
|
||||
Vector<WalkerState, 16> stateStack;
|
||||
WalkerState lexicalGlobalObject = StateUnknown;
|
||||
JSValue outValue;
|
||||
--
|
||||
2.40.0
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
|
||||
From: Antoine Quint <graouts@webkit.org>
|
||||
Date: Mon, 22 May 2023 13:37:32 -0700
|
||||
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
|
||||
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
|
||||
|
||||
Reviewed by Dean Jackson and Darin Adler.
|
||||
|
||||
Ensure that the animation's effect and target are kept alive for the duration of this method
|
||||
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
|
||||
these two pointers could be changed to a null value using the Web Animations API.
|
||||
|
||||
* Source/WebCore/animation/WebAnimation.cpp:
|
||||
(WebCore::WebAnimation::commitStyles):
|
||||
|
||||
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
|
||||
Canonical link: https://commits.webkit.org/264363@main
|
||||
---
|
||||
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
|
||||
index 68ea47985807..ae20c79c36cf 100644
|
||||
--- a/Source/WebCore/animation/WebAnimation.cpp
|
||||
+++ b/Source/WebCore/animation/WebAnimation.cpp
|
||||
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
|
||||
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
|
||||
|
||||
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
|
||||
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
|
||||
- auto* target = effect ? effect->target() : nullptr;
|
||||
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
|
||||
+ RefPtr target = effect ? effect->target() : nullptr;
|
||||
|
||||
// 2. For each target in targets:
|
||||
//
|
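--- /dev/null
+++ b/SOURCES/CVE-2023-42917.patch
@@ -0,0 +1,80 @@
+From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
+From: Russell Epstein <repstein@apple.com>
+Date: Fri, 17 Nov 2023 15:48:32 -0800
+Subject: [PATCH] Cherry-pick b0a755e34426.
+https://bugs.webkit.org/show_bug.cgi?id=265067
+
+Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
+https://bugs.webkit.org/show_bug.cgi?id=265067
+rdar://118548733
+
+Reviewed by Justin Michaud and Mark Lam.
+
+Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
+Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
+in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
+
+This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
+And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
+
+* Source/JavaScriptCore/runtime/Structure.cpp:
+(JSC::Structure::flattenDictionaryStructure):
+
+Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
+
+Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
+---
+ Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
+index 2922e2478794c..9d094e2c8adc8 100644
+--- a/Source/JavaScriptCore/runtime/Structure.cpp
++++ b/Source/JavaScriptCore/runtime/Structure.cpp
+@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+     checkOffsetConsistency();
+     ASSERT(isDictionary());
+     ASSERT(object->structure() == this);
+-
+-    GCSafeConcurrentJSLocker locker(m_lock, vm);
+-
+-    object->setStructureIDDirectly(id().nuke());
+-    WTF::storeStoreFence();
+ 
++    Locker<JSCellLock> cellLocker(NoLockingNecessary);
++
++    PropertyTable* table = nullptr;
+     size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
++    size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
+     if (isUncacheableDictionary()) {
+-        PropertyTable* table = propertyTableOrNull();
++        table = propertyTableOrNull();
+         ASSERT(table);
++        PropertyOffset maxOffset = invalidOffset;
++        if (unsigned propertyCount = table->size())
++            maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
++        afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
++    }
+ 
++    // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
++    if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
++        cellLocker = Locker { object->cellLock() };
++
++    GCSafeConcurrentJSLocker locker(m_lock, vm);
++
++    object->setStructureIDDirectly(id().nuke());
++    WTF::storeStoreFence();
++
++    if (isUncacheableDictionary()) {
+         size_t propertyCount = table->size();
+ 
+         // Holds our values compacted by insertion order. This is OK since GC is deferred.
+@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+     setDictionaryKind(NoneDictionaryKind);
+     setHasBeenFlattenedBefore(true);
+ 
+-    size_t afterOutOfLineCapacity = this->outOfLineCapacity();
++    ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
+ 
+     if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
+         ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);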
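Review bot: The shrink decision is taken from `table->size()` before either the cell lock or `m_lock` is held, and the only check that the capacity later seen by the shrink path still matches is `ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);`, which is compiled out of release builds; this presumably holds because only the mutator thread mutates a Structure's property table, and that assumption deserves a comment next to the `afterOutOfLineCapacity = outOfLineCapacity(maxOffset);` line, e.g. `// Computed before locking: the property table is only mutated by the mutator, so the size read here cannot change before the shrink below.` One packaging caveat for this spec: it builds with `-DENABLE_JIT=OFF`, so the concurrent compiler threads that the description names as the `getDirectConcurrently` readers are not present in this build; carrying the fix is still right, but the practical exposure here is likely smaller than upstream's. `flattenDictionaryStructure` begins before the first hunk and continues past the second.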
@ -1,26 +1,14 @@
|
||||
From ffe84688fc8a91b1e6d1c4462120fc44349a7c05 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Thu, 27 Oct 2022 19:12:43 -0500
|
||||
Subject: [PATCH] Force Evolution to use single secondary process
|
||||
|
||||
---
|
||||
Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||
index 6bb6767869af..2a05a69d9b0d 100644
|
||||
index a30f5b13be26..72ad006cde21 100644
|
||||
--- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||
+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||
@@ -431,6 +431,9 @@ static void webkitWebContextConstructed(GObject* object)
|
||||
@@ -438,6 +438,9 @@ static void webkitWebContextConstructed(GObject* object)
|
||||
}
|
||||
configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length()));
|
||||
|
||||
+ if (!g_strcmp0(g_get_prgname(), "evolution"))
|
||||
+ configuration.setUsesSingleWebProcess(true);
|
||||
+
|
||||
#if !ENABLE(2022_GLIB_API)
|
||||
if (!priv->websiteDataManager)
|
||||
priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr));
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
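Review bot: The rebased form of this patch appears to drop the `From:`/`Subject:` header and diffstat (those lines are shown once while the `index` and `@@` lines are shown old-and-new, so which side is which is inferred from the rendered page), which loses the only rationale the patch carried, `Force Evolution to use single secondary process`. The code it applies, `configuration.setUsesSingleWebProcess(true)` whenever `g_get_prgname()` is `evolution`, is a deliberate reduction of per-site process isolation for that one client, and a bare `diff --git` gives the next packager no reason for it. Suggest restoring a short description above the first `diff --git`, e.g. `Force Evolution to run all web content in a single WebProcess (per-site process isolation is disabled for that client); original patch by Michael Catanzaro, 2022-10-27.`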
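--- /dev/null
+++ b/SOURCES/glib-dep.patch
@@ -0,0 +1,19 @@
+diff --git a/glib-dep.patch b/glib-dep.patch
+new file mode 100644
+index 0000000..dbc0ab6
+--- /dev/null
++++ b/glib-dep.patch
+@@ -0,0 +1,13 @@
++diff --git a/Source/WTF/wtf/glib/Sandbox.cpp b/Source/WTF/wtf/glib/Sandbox.cpp
++index 9b07bb8cb5a9b..a8169511fe851 100644
++--- a/Source/WTF/wtf/glib/Sandbox.cpp
+++++ b/Source/WTF/wtf/glib/Sandbox.cpp
++@@ -58,7 +58,7 @@ bool isInsideUnsupportedContainer()
++         int waitStatus = 0;
++         gboolean spawnSucceeded = g_spawn_sync(nullptr, const_cast<char**>(bwrapArgs), nullptr,
++             G_SPAWN_STDERR_TO_DEV_NULL, nullptr, nullptr, nullptr, nullptr, &waitStatus, nullptr);
++-        supportedContainer = spawnSucceeded && g_spawn_check_wait_status(waitStatus, nullptr);
+++        supportedContainer = spawnSucceeded && g_spawn_check_exit_status(waitStatus, nullptr);
++         if (!supportedContainer)
++             WTFLogAlways("Bubblewrap does not work inside of this container, sandboxing will be disabled.");
++     }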
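Review bot: This file is a diff that creates a file named `glib-dep.patch` (`--- /dev/null`, `+++ b/glib-dep.patch`, and every Sandbox.cpp line carries an extra leading `+`), not a diff against `Source/WTF/wtf/glib/Sandbox.cpp`; applied with the usual `-p1` it would drop a stray `glib-dep.patch` into the source tree and leave `g_spawn_check_wait_status` untouched, and the `%prep` that consumes `Patch2` is outside this page, so I cannot confirm how it is actually applied. The fix is to unwrap it: delete the six outer lines from `diff --git a/glib-dep.patch …` through `@@ -0,0 +1,13 @@` and strip one leading `+` from the remaining thirteen so the file begins at `diff --git a/Source/WTF/wtf/glib/Sandbox.cpp`. The substitution itself looks right for this target (`g_spawn_check_exit_status` is presumably the pre-2.70 spelling, consistent with the `GLIB 2.56.4` requirement visible in OptionsGTK.cmake), but the spec also passes `-DENABLE_BUBBLEWRAP_SANDBOX=OFF`, so whether this code is compiled at all here is worth verifying rather than assuming the build proves the patch applied.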
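--- /dev/null
+++ b/SOURCES/gstreamer-1.16.1.patch
@@ -0,0 +1,57 @@
+diff --git a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
+index a861b913ccfc..df21a1f67e98 100644
+--- a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
++++ b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
+@@ -88,7 +88,25 @@ static void webKitGLVideoSinkConstructed(GObject* object)
+     ASSERT(colorconvert);
+     gst_bin_add_many(GST_BIN_CAST(sink), upload, colorconvert, sink->priv->appSink.get(), nullptr);
+ 
+-    GRefPtr<GstCaps> caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
++    // Workaround until we can depend on GStreamer 1.16.2.
++    // https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/8d32de090554cf29fe359f83aa46000ba658a693
++    // Forcing a color conversion to RGBA here allows glupload to internally use
++    // an uploader that adds a VideoMeta, through the TextureUploadMeta caps
++    // feature, without needing the patch above. However this specific caps
++    // feature is going to be removed from GStreamer so it is considered a
++    // short-term workaround. This code path most likely will have a negative
++    // performance impact on embedded platforms as well. Downstream embedders
++    // are highly encouraged to cherry-pick the patch linked above in their BSP
++    // and set the WEBKIT_GST_NO_RGBA_CONVERSION environment variable until
++    // GStreamer 1.16.2 is released.
++    // See also https://bugs.webkit.org/show_bug.cgi?id=201422
++    GRefPtr<GstCaps> caps;
++    if (webkitGstCheckVersion(1, 16, 2) || getenv("WEBKIT_GST_NO_RGBA_CONVERSION"))
++        caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
++    else {
++        GST_INFO_OBJECT(sink, "Forcing RGBA as GStreamer is not new enough.");
++        caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) RGBA"));
++    }
+     gst_caps_set_features(caps.get(), 0, gst_caps_features_new(GST_CAPS_FEATURE_MEMORY_GL_MEMORY, nullptr));
+     g_object_set(sink->priv->appSink.get(), "caps", caps.get(), nullptr);
+ 
+diff --git a/Source/cmake/GStreamerChecks.cmake b/Source/cmake/GStreamerChecks.cmake
+index ba8423e2795c..df9d3204910d 100644
+--- a/Source/cmake/GStreamerChecks.cmake
++++ b/Source/cmake/GStreamerChecks.cmake
+@@ -36,7 +36,7 @@ if (ENABLE_VIDEO OR ENABLE_WEB_AUDIO)
+         list(APPEND GSTREAMER_COMPONENTS webrtc)
+     endif ()
+ 
+-    find_package(GStreamer 1.16.2 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
++    find_package(GStreamer 1.16.0 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
+ 
+     if (ENABLE_WEB_AUDIO)
+         if (NOT PC_GSTREAMER_AUDIO_FOUND OR NOT PC_GSTREAMER_FFT_FOUND)
+
+diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
+index 0b81e04559f0..4c6ae470e49f 100644
+--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
++++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
+@@ -479,7 +479,6 @@ bool MediaPlayerPrivateGStreamer::doSeek(const MediaTime& position, float rate)
+ 
+     auto seekStart = toGstClockTime(startTime);
+     auto seekStop = toGstClockTime(endTime);
+-    GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to %" GST_TIMEP_FORMAT " (endTime: %" GST_TIMEP_FORMAT ") at rate %f", &seekStart, &seekStop, rate);
+     return gst_element_seek(m_pipeline.get(), rate, GST_FORMAT_TIME, m_seekFlags, GST_SEEK_TYPE_SET, seekStart, GST_SEEK_TYPE_SET, seekStop);
+ }
+ 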
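Review bot: The third hunk deletes the `GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to …")` line in `MediaPlayerPrivateGStreamer::doSeek` with no explanation anywhere in the file; presumably `GST_TIMEP_FORMAT` is not provided by GStreamer 1.16.0, but a backport that silently removes a log statement is hard to audit, and this patch — unlike the others in the series — has no description header at all. Suggest a short prose header above the first `diff --git`, stating that it partially reverts WebKit PR 6087 to keep building against GStreamer 1.16.0 (restoring the RGBA conversion workaround, lowering the `find_package` floor, and dropping the `GST_TIMEP_FORMAT` seek trace that the older headers lack), so the next rebase knows what may be dropped once the floor is raised. The new `getenv("WEBKIT_GST_NO_RGBA_CONVERSION")` check reads the process environment to pick the caps negotiation path; it is a format/performance knob rather than a trust boundary, but the comment block should say it is an embedder/debug override. `webKitGLVideoSinkConstructed` and `doSeek` both continue outside their hunks.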
@ -1,17 +1,3 @@
|
||||
From 833cfdd150b6f7f0fb021ac5de7890dff158f5fd Mon Sep 17 00:00:00 2001
|
||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
||||
Date: Thu, 27 Oct 2022 16:32:43 -0500
|
||||
Subject: [PATCH] Build against ICU 60
|
||||
|
||||
---
|
||||
Source/JavaScriptCore/runtime/IntlCache.cpp | 3 +++
|
||||
Source/JavaScriptCore/runtime/IntlCache.h | 3 +++
|
||||
Source/JavaScriptCore/runtime/IntlDisplayNames.cpp | 11 +++++++++++
|
||||
Source/JavaScriptCore/runtime/IntlDisplayNames.h | 7 +++++++
|
||||
Source/JavaScriptCore/runtime/IntlObject.cpp | 6 +++++-
|
||||
Source/cmake/OptionsGTK.cmake | 2 +-
|
||||
6 files changed, 30 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp
|
||||
index b17d7340df56..94a5474059b6 100644
|
||||
--- a/Source/JavaScriptCore/runtime/IntlCache.cpp
|
||||
@ -62,7 +48,7 @@ index 058b2423786d..e7a8c82f392b 100644
|
||||
private:
|
||||
UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status)
|
||||
diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||
index c281f796eaee..1bc3c0c8a8c6 100644
|
||||
index f38161e7f95b..068613ce8feb 100644
|
||||
--- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||
+++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||
@@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
||||
@ -73,18 +59,20 @@ index c281f796eaee..1bc3c0c8a8c6 100644
|
||||
UErrorCode status = U_ZERO_ERROR;
|
||||
|
||||
UDisplayContext contexts[] = {
|
||||
@@ -137,6 +138,10 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
||||
@@ -137,15 +138,19 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
||||
throwTypeError(globalObject, scope, "failed to initialize DisplayNames"_s);
|
||||
return;
|
||||
}
|
||||
+#else
|
||||
+ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s);
|
||||
+ return;
|
||||
+ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s);
|
||||
+ return;
|
||||
+#endif
|
||||
}
|
||||
|
||||
// https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.of
|
||||
@@ -146,6 +151,7 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
||||
JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) const
|
||||
{
|
||||
-
|
||||
VM& vm = globalObject->vm();
|
||||
auto scope = DECLARE_THROW_SCOPE(vm);
|
||||
|
||||
@ -92,7 +80,7 @@ index c281f796eaee..1bc3c0c8a8c6 100644
|
||||
ASSERT(m_displayNames);
|
||||
auto code = codeValue.toWTFString(globalObject);
|
||||
RETURN_IF_EXCEPTION(scope, { });
|
||||
@@ -350,6 +356,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
||||
@@ -350,6 +355,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
||||
return throwTypeError(globalObject, scope, "Failed to query a display name."_s);
|
||||
}
|
||||
return jsString(vm, String(WTFMove(buffer)));
|
||||
@ -123,18 +111,18 @@ index d80dc3d83a15..f2bf36275c79 100644
|
||||
|
||||
enum class RelevantExtensionKey : uint8_t;
|
||||
diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||
index f7dc4d578d77..a6ccbe1b9f74 100644
|
||||
index 0080abf51be4..d23c7c021334 100644
|
||||
--- a/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||
+++ b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||
@@ -153,7 +153,6 @@ namespace JSC {
|
||||
getCanonicalLocales intlObjectFuncGetCanonicalLocales DontEnum|Function 1
|
||||
@@ -164,7 +164,6 @@ namespace JSC {
|
||||
supportedValuesOf intlObjectFuncSupportedValuesOf DontEnum|Function 1
|
||||
Collator createCollatorConstructor DontEnum|PropertyCallback
|
||||
DateTimeFormat createDateTimeFormatConstructor DontEnum|PropertyCallback
|
||||
- DisplayNames createDisplayNamesConstructor DontEnum|PropertyCallback
|
||||
Locale createLocaleConstructor DontEnum|PropertyCallback
|
||||
NumberFormat createNumberFormatConstructor DontEnum|PropertyCallback
|
||||
PluralRules createPluralRulesConstructor DontEnum|PropertyCallback
|
||||
@@ -239,6 +238,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
|
||||
@@ -252,6 +251,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject*)
|
||||
Base::finishCreation(vm);
|
||||
ASSERT(inherits(info()));
|
||||
JSC_TO_STRING_TAG_WITHOUT_TRANSITION();
|
||||
@ -144,21 +132,38 @@ index f7dc4d578d77..a6ccbe1b9f74 100644
|
||||
+ UNUSED_PARAM(&createDisplayNamesConstructor);
|
||||
+#endif
|
||||
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||
putDirectWithoutTransition(vm, vm.propertyNames->ListFormat, createListFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
|
||||
#else
|
||||
if (Options::useIntlDurationFormat())
|
||||
putDirectWithoutTransition(vm, vm.propertyNames->DurationFormat, createDurationFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
|
||||
diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake
|
||||
index 5e653a9e0b5a..0977f2c49037 100644
|
||||
index 8bd6ed347418..9d0a7e88b16a 100644
|
||||
--- a/Source/cmake/OptionsGTK.cmake
|
||||
+++ b/Source/cmake/OptionsGTK.cmake
|
||||
@@ -19,7 +19,7 @@ find_package(Freetype 2.4.2 REQUIRED)
|
||||
@@ -18,7 +18,7 @@ find_package(Fontconfig 2.8.0 REQUIRED)
|
||||
find_package(Freetype 2.4.2 REQUIRED)
|
||||
find_package(LibGcrypt 1.6.0 REQUIRED)
|
||||
find_package(GLIB 2.56.4 REQUIRED COMPONENTS gio gio-unix gobject gthread gmodule)
|
||||
find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU)
|
||||
-find_package(ICU 61.2 REQUIRED COMPONENTS data i18n uc)
|
||||
+find_package(ICU 60.2 REQUIRED COMPONENTS data i18n uc)
|
||||
+find_package(ICU 60 REQUIRED COMPONENTS data i18n uc)
|
||||
find_package(JPEG REQUIRED)
|
||||
find_package(LibEpoxy 1.4.0 REQUIRED)
|
||||
find_package(LibXml2 2.8.0 REQUIRED)
|
||||
find_package(PNG REQUIRED)
|
||||
--
|
||||
2.31.1
|
||||
|
||||
diff --git a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||
index fdcaa71f2011..f6aa1b0e3def 100644
|
||||
--- a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||
+++ b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||
@@ -41,7 +41,6 @@
|
||||
#endif
|
||||
#endif
|
||||
#include <unicode/ulistformatter.h>
|
||||
-#include <unicode/unumberformatter.h>
|
||||
#include <unicode/ures.h>
|
||||
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||
#define U_HIDE_DRAFT_API 1
|
||||
@@ -49,6 +48,7 @@
|
||||
|
||||
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||
#include <unicode/uformattedvalue.h>
|
||||
+#include <unicode/unumberformatter.h>
|
||||
#endif
|
||||
|
||||
namespace JSC {
|
||||
|
@ -1,6 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC
|
||||
w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk=
|
||||
=or/S
|
||||
-----END PGP SIGNATURE-----
|
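--- /dev/null
+++ b/SOURCES/webkitgtk-2.40.5.tar.xz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCZMjRYQAKCRDz0yLQ7EWC
+wwPPAJ0XUmEmSr4IFQWpbDfPOR9keXY+lwCfVLyOFL8T55psriGN4vkxVZqq+EM=
+=nGCs
+-----END PGP SIGNATURE-----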
@ -6,8 +6,8 @@
|
||||
cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g')
|
||||
|
||||
Name: webkit2gtk3
|
||||
Version: 2.38.5
|
||||
Release: 1%{?dist}.5.alma
|
||||
Version: 2.40.5
|
||||
Release: 1%{?dist}.alma.1
|
||||
Summary: GTK Web content engine library
|
||||
|
||||
License: LGPLv2
|
||||
@ -25,23 +25,28 @@ Patch0: evolution-shared-secondary-process.patch
|
||||
# https://bugs.webkit.org/show_bug.cgi?id=235367
|
||||
Patch1: icu60.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
|
||||
Patch2: CVE-2023-28204.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
|
||||
Patch3: CVE-2023-28205.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
|
||||
Patch4: CVE-2023-32373.patch
|
||||
# https://github.com/WebKit/WebKit/pull/14498
|
||||
Patch2: glib-dep.patch
|
||||
|
||||
# Partial revert of https://github.com/WebKit/WebKit/pull/6087
|
||||
Patch3: gstreamer-1.16.1.patch
|
||||
|
||||
# Patches were taken from:
|
||||
# https://git.almalinux.org/rpms/webkit2gtk3/commit/876f553c6cd33386eb8b184bbc7618a1b03a2826
|
||||
Patch4: CVE-2023-42917.patch
|
||||
|
||||
BuildRequires: bison
|
||||
BuildRequires: cmake
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gcc-toolset-13
|
||||
BuildRequires: gettext
|
||||
BuildRequires: git
|
||||
BuildRequires: gperf
|
||||
BuildRequires: hyphen-devel
|
||||
BuildRequires: libatomic
|
||||
BuildRequires: ninja-build
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: perl(English)
|
||||
BuildRequires: perl(FindBin)
|
||||
BuildRequires: perl(JSON::PP)
|
||||
@ -49,6 +54,8 @@ BuildRequires: python3
|
||||
BuildRequires: ruby
|
||||
BuildRequires: rubygem-json
|
||||
BuildRequires: rubygems
|
||||
BuildRequires: shadow-utils
|
||||
BuildRequires: unifdef
|
||||
|
||||
BuildRequires: pkgconfig(atspi-2)
|
||||
BuildRequires: pkgconfig(cairo)
|
||||
@ -61,16 +68,19 @@ BuildRequires: pkgconfig(enchant-2)
|
||||
%endif
|
||||
BuildRequires: pkgconfig(fontconfig)
|
||||
BuildRequires: pkgconfig(freetype2)
|
||||
BuildRequires: pkgconfig(gbm)
|
||||
BuildRequires: pkgconfig(gl)
|
||||
BuildRequires: pkgconfig(glib-2.0)
|
||||
BuildRequires: pkgconfig(glesv2)
|
||||
BuildRequires: pkgconfig(gobject-introspection-1.0)
|
||||
BuildRequires: pkgconfig(gstreamer-1.0)
|
||||
BuildRequires: pkgconfig(gstreamer-plugins-bad-1.0)
|
||||
BuildRequires: pkgconfig(gstreamer-plugins-base-1.0)
|
||||
BuildRequires: pkgconfig(gtk+-3.0)
|
||||
BuildRequires: pkgconfig(harfbuzz)
|
||||
BuildRequires: pkgconfig(icu-uc)
|
||||
BuildRequires: pkgconfig(lcms2)
|
||||
BuildRequires: pkgconfig(libdrm)
|
||||
BuildRequires: pkgconfig(libjpeg)
|
||||
BuildRequires: pkgconfig(libnotify)
|
||||
BuildRequires: pkgconfig(libopenjp2)
|
||||
@ -191,19 +201,27 @@ rm -rf Source/ThirdParty/qunit/
|
||||
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
|
||||
%endif
|
||||
|
||||
# bmalloc and JIT are disabled on aarch64 only in RHEL because of the nonstandard
|
||||
# page size that's causing problems there. WebKit's build system sets appropriate
|
||||
# defaults for all other architectures, and all other distros except RHEL.
|
||||
# The system GCC is too old to build WebKit, so use a GCC Toolset instead.
|
||||
# This prints warnings complaining that it should not be used except in
|
||||
# SCL scriplets, but I can't figure out any other way to make it work.
|
||||
source scl_source enable gcc-toolset-13
|
||||
|
||||
# -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires
|
||||
# __atomic_compare_exchange_16 which does not seem to be available.
|
||||
mkdir -p %{_target_platform}
|
||||
pushd %{_target_platform}
|
||||
%cmake \
|
||||
-GNinja \
|
||||
-DPORT=GTK \
|
||||
-DCMAKE_BUILD_TYPE=Release \
|
||||
-DUSE_SYSTEM_MALLOC=ON \
|
||||
-DENABLE_JIT=OFF \
|
||||
-DENABLE_BUBBLEWRAP_SANDBOX=OFF \
|
||||
-DENABLE_JIT=OFF \
|
||||
-DUSE_SOUP2=ON \
|
||||
-DUSE_AVIF=OFF \
|
||||
-DENABLE_DOCUMENTATION=OFF \
|
||||
-DUSE_GSTREAMER_TRANSCODER=OFF \
|
||||
-DENABLE_GAMEPAD=OFF \
|
||||
%if 0%{?rhel}
|
||||
%ifarch aarch64
|
||||
@ -220,12 +238,11 @@ export NINJA_STATUS="[%f/%t][%e] "
|
||||
%install
|
||||
%ninja_install -C %{_target_platform}
|
||||
|
||||
%find_lang WebKit2GTK-4.0
|
||||
%find_lang WebKitGTK-4.0
|
||||
|
||||
# Finally, copy over and rename various files for %%license inclusion
|
||||
%add_to_license_files Source/JavaScriptCore/COPYING.LIB
|
||||
%add_to_license_files Source/ThirdParty/ANGLE/LICENSE
|
||||
%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE
|
||||
%add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
|
||||
%add_to_license_files Source/WebCore/LICENSE-APPLE
|
||||
%add_to_license_files Source/WebCore/LICENSE-LGPL-2
|
||||
@ -237,7 +254,7 @@ export NINJA_STATUS="[%f/%t][%e] "
|
||||
%add_to_license_files Source/WTF/wtf/dtoa/COPYING
|
||||
%add_to_license_files Source/WTF/wtf/dtoa/LICENSE
|
||||
|
||||
%files -f WebKit2GTK-4.0.lang
|
||||
%files -f WebKitGTK-4.0.lang
|
||||
%license _license_files/*ThirdParty*
|
||||
%license _license_files/*WebCore*
|
||||
%license _license_files/*WebInspectorUI*
|
||||
@ -281,8 +298,18 @@ export NINJA_STATUS="[%f/%t][%e] "
|
||||
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
|
||||
|
||||
%changelog
|
||||
* Tue Jul 18 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.38.5-1.5.alma
|
||||
- Disable JIT (CVE-2023-32435, CVE-2023-32439)
|
||||
* Tue Dec 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.40.5-1.1.alma.1
|
||||
- Add patch for CVE-2023-42917
|
||||
|
||||
* Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
|
||||
- Upgrade to 2.40.5. Also, disable JIT
|
||||
Resolves: #2176269
|
||||
Resolves: #2185742
|
||||
Resolves: #2209728
|
||||
Resolves: #2209745
|
||||
Resolves: #2218649
|
||||
Resolves: #2218651
|
||||
Resolves: #2224611
|
||||
|
||||
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.4
|
||||
- Add patch for CVE-2023-28204
|
||||
|
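Review bot: `-DENABLE_JIT=OFF \` appears twice in the `%cmake` invocation, once directly after `-DUSE_SYSTEM_MALLOC=ON \` and once after `-DENABLE_BUBBLEWRAP_SANDBOX=OFF \`; the rendered page does not show which copy is old and which is new, but if both survive in the spec the duplicate should go so the JIT-off hardening is declared exactly once and cannot drift between rebases. The new comment above `-DUSE_SYSTEM_MALLOC=ON` says the flag is "really bad for security" without saying what is given up or what was tried, and `BuildRequires: libatomic` on the same page suggests the 16-byte CAS was at least considered; suggest `# -DUSE_SYSTEM_MALLOC=ON gives up WebKit's own hardened allocator (bmalloc/libpas). libpas needs __atomic_compare_exchange_16, which this toolchain does not provide (state here whether linking libatomic was tried); drop this flag as soon as it does.` `-DENABLE_BUBBLEWRAP_SANDBOX=OFF` is carried as far as this page shows, so the WebProcess runs without the bubblewrap sandbox on this target; since this commit also moves to the 2.40 series, one changelog line recording that both the sandbox and the JIT stay off would save the next reader a diff.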