- Add patch for CVE-2023-42917
commit
75e17ac97c
2
.gitignore
@ -1,2 +1,2 @@
|
|||||||
SOURCES/webkitgtk-2.38.5.tar.xz
|
SOURCES/webkitgtk-2.40.5.tar.xz
|
||||||
SOURCES/webkitgtk-keys.gpg
|
SOURCES/webkitgtk-keys.gpg
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
|
2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz
|
||||||
cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
|
cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
|
||||||
|
@ -1,167 +0,0 @@
|
|||||||
From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Saboff <msaboff@apple.com>
|
|
||||||
Date: Mon, 22 May 2023 13:40:46 -0700
|
|
||||||
Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
|
|
||||||
https://bugs.webkit.org/show_bug.cgi?id=254930
|
|
||||||
|
|
||||||
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
|
|
||||||
https://bugs.webkit.org/show_bug.cgi?id=254930
|
|
||||||
rdar://107436732
|
|
||||||
|
|
||||||
Reviewed by Alexey Shvayka.
|
|
||||||
|
|
||||||
Fixed two issues:
|
|
||||||
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
|
|
||||||
characters. Since it is an assertion, we shouldn't advance the character position.
|
|
||||||
Made the same fix to matchAssertionEOL().
|
|
||||||
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
|
|
||||||
a non-BMP character for the case where the RegExp match is empty.
|
|
||||||
|
|
||||||
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
|
|
||||||
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
|
|
||||||
(JSC::replaceUsingRegExpSearch):
|
|
||||||
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
|
|
||||||
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
|
|
||||||
(JSC::Yarr::Interpreter::matchAssertionBOL):
|
|
||||||
(JSC::Yarr::Interpreter::matchAssertionEOL):
|
|
||||||
|
|
||||||
Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
|
|
||||||
Canonical link: https://commits.webkit.org/264365@main
|
|
||||||
---
|
|
||||||
...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
|
|
||||||
.../runtime/StringPrototype.cpp | 10 ++++++
|
|
||||||
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++--
|
|
||||||
3 files changed, 79 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
|
||||||
|
|
||||||
diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000000..25b1a70b81d2
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
|
|
||||||
@@ -0,0 +1,35 @@
|
|
||||||
+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
|
|
||||||
+// and that we do advance in String.replace() when processing an empty match.
|
|
||||||
+
|
|
||||||
+let expected = "|";
|
|
||||||
+
|
|
||||||
+for (let i = 0; i < 11; ++i)
|
|
||||||
+ expected += String.fromCodePoint(128512) + '|';
|
|
||||||
+
|
|
||||||
+let str = String.fromCodePoint(128512).repeat(11);
|
|
||||||
+
|
|
||||||
+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
|
|
||||||
+ return '|';
|
|
||||||
+});
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+if (result1 !== expected)
|
|
||||||
+ print("FAILED: \"" + result1 + " !== " + expected + '"');
|
|
||||||
+
|
|
||||||
+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
|
|
||||||
+ return '|';
|
|
||||||
+});
|
|
||||||
+
|
|
||||||
+if (result2 !== expected)
|
|
||||||
+ print("FAILED: \"" + result2 + " !== " + expected + '"');
|
|
||||||
+
|
|
||||||
+expected = "|" + String.fromCodePoint(128512);
|
|
||||||
+
|
|
||||||
+str = String.fromCodePoint(128512).repeat(1);
|
|
||||||
+
|
|
||||||
+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
|
|
||||||
+ return '|';
|
|
||||||
+});
|
|
||||||
+
|
|
||||||
+if (result3 !== expected)
|
|
||||||
+ print("FAILED: \"" + result3 + " !== " + expected + '"');
|
|
||||||
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
|
||||||
index 08104b1dbfa9..459295f728a7 100644
|
|
||||||
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
|
||||||
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
|
|
||||||
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
|
|
||||||
startPosition++;
|
|
||||||
if (startPosition > sourceLen)
|
|
||||||
break;
|
|
||||||
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
|
|
||||||
+ startPosition++;
|
|
||||||
+ if (startPosition > sourceLen)
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
|
|
||||||
startPosition++;
|
|
||||||
if (startPosition > sourceLen)
|
|
||||||
break;
|
|
||||||
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
|
|
||||||
+ startPosition++;
|
|
||||||
+ if (startPosition > sourceLen)
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
} while (global);
|
|
||||||
}
|
|
||||||
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
|
||||||
index 95a848a1a66d..b1a22b253866 100644
|
|
||||||
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
|
||||||
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
|
|
||||||
@@ -209,6 +209,38 @@ public:
|
|
||||||
}
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
|
|
||||||
+ {
|
|
||||||
+ RELEASE_ASSERT(pos >= negativePositionOffest);
|
|
||||||
+ unsigned p = pos - negativePositionOffest;
|
|
||||||
+ ASSERT(p < length);
|
|
||||||
+ int result = input[p];
|
|
||||||
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
|
|
||||||
+ if (atEnd())
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
|
|
||||||
+ }
|
|
||||||
+ return result;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
|
|
||||||
+ // We don't want any side effects like the next() in readChecked() above.
|
|
||||||
+ int readForCharacterDump(unsigned negativePositionOffest)
|
|
||||||
+ {
|
|
||||||
+ RELEASE_ASSERT(pos >= negativePositionOffest);
|
|
||||||
+ unsigned p = pos - negativePositionOffest;
|
|
||||||
+ ASSERT(p < length);
|
|
||||||
+ int result = input[p];
|
|
||||||
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
|
|
||||||
+ if (atEnd())
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
|
|
||||||
+ }
|
|
||||||
+ return result;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
int readSurrogatePairChecked(unsigned negativePositionOffset)
|
|
||||||
{
|
|
||||||
@@ -482,13 +514,13 @@ public:
|
|
||||||
|
|
||||||
bool matchAssertionBOL(ByteTerm& term)
|
|
||||||
{
|
|
||||||
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
|
|
||||||
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
|
|
||||||
}
|
|
||||||
|
|
||||||
bool matchAssertionEOL(ByteTerm& term)
|
|
||||||
{
|
|
||||||
if (term.inputPosition)
|
|
||||||
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
|
|
||||||
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
|
|
||||||
|
|
||||||
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,648 +0,0 @@
|
|||||||
From b315f620c349e001a697dd7d4c501bdd07fe18c5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mark Lam <mark.lam@apple.com>
|
|
||||||
Date: Fri, 31 Mar 2023 10:49:49 -0700
|
|
||||||
Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977
|
|
||||||
|
|
||||||
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
|
|
||||||
https://bugs.webkit.org/show_bug.cgi?id=254797
|
|
||||||
rdar://107369977
|
|
||||||
|
|
||||||
Reviewed by Justin Michaud.
|
|
||||||
|
|
||||||
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
|
|
||||||
in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot
|
|
||||||
scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
|
|
||||||
template class that offer 2 enhancements:
|
|
||||||
|
|
||||||
1. It can be configured to store specific types of cell pointer types. This avoids us
|
|
||||||
having to constantly cast JSValues into these pointers.
|
|
||||||
|
|
||||||
2. It allows us to specify the type of OverflowHandler we want to use. In this case,
|
|
||||||
we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes
|
|
||||||
RecordOnOverflow. This allows us to avoid having to manually check for overflows,
|
|
||||||
or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be
|
|
||||||
used as a drop in replacement for Vector.
|
|
||||||
|
|
||||||
And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
|
|
||||||
with MarkedVector instead.
|
|
||||||
|
|
||||||
* Source/JavaScriptCore/heap/Heap.cpp:
|
|
||||||
(JSC::Heap::addCoreConstraints):
|
|
||||||
* Source/JavaScriptCore/heap/Heap.h:
|
|
||||||
* Source/JavaScriptCore/heap/HeapInlines.h:
|
|
||||||
* Source/JavaScriptCore/runtime/ArgList.cpp:
|
|
||||||
(JSC::MarkedVectorBase::addMarkSet):
|
|
||||||
(JSC::MarkedVectorBase::markLists):
|
|
||||||
(JSC::MarkedVectorBase::slowEnsureCapacity):
|
|
||||||
(JSC::MarkedVectorBase::expandCapacity):
|
|
||||||
(JSC::MarkedVectorBase::slowAppend):
|
|
||||||
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
|
|
||||||
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
|
|
||||||
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
|
|
||||||
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
|
|
||||||
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
|
|
||||||
* Source/JavaScriptCore/runtime/ArgList.h:
|
|
||||||
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
|
|
||||||
(JSC::MarkedVectorWithSize::at const):
|
|
||||||
(JSC::MarkedVectorWithSize::clear):
|
|
||||||
(JSC::MarkedVectorWithSize::append):
|
|
||||||
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
|
|
||||||
(JSC::MarkedVectorWithSize::last const):
|
|
||||||
(JSC::MarkedVectorWithSize::takeLast):
|
|
||||||
(JSC::MarkedVectorWithSize::ensureCapacity):
|
|
||||||
(JSC::MarkedVectorWithSize::hasOverflowed):
|
|
||||||
(JSC::MarkedVectorWithSize::fill):
|
|
||||||
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
|
|
||||||
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
|
|
||||||
(WebCore::AudioWorkletProcessor::buildJSArguments):
|
|
||||||
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
|
|
||||||
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
|
|
||||||
(WebCore::CloneDeserializer::deserialize):
|
|
||||||
|
|
||||||
Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch
|
|
||||||
|
|
||||||
Identifier: 259548.395@safari-7615.1.26.11-branch
|
|
||||||
---
|
|
||||||
Source/JavaScriptCore/heap/Heap.cpp | 4 +-
|
|
||||||
Source/JavaScriptCore/heap/Heap.h | 8 +-
|
|
||||||
Source/JavaScriptCore/heap/HeapInlines.h | 2 +-
|
|
||||||
Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++--
|
|
||||||
Source/JavaScriptCore/runtime/ArgList.h | 207 ++++++++++--------
|
|
||||||
.../webaudio/AudioWorkletProcessor.cpp | 4 +-
|
|
||||||
.../Modules/webaudio/AudioWorkletProcessor.h | 7 +-
|
|
||||||
.../bindings/js/SerializedScriptValue.cpp | 11 +-
|
|
||||||
8 files changed, 159 insertions(+), 130 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
|
|
||||||
index 8a4c082cb36e..632b01f14546 100644
|
|
||||||
--- a/Source/JavaScriptCore/heap/Heap.cpp
|
|
||||||
+++ b/Source/JavaScriptCore/heap/Heap.cpp
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
|
|
||||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
|
||||||
* Copyright (C) 2007 Eric Seidel <eric@webkit.org>
|
|
||||||
*
|
|
||||||
* This library is free software; you can redistribute it and/or
|
|
||||||
@@ -2847,7 +2847,7 @@ void Heap::addCoreConstraints()
|
|
||||||
|
|
||||||
if (!m_markListSet.isEmpty()) {
|
|
||||||
SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);
|
|
||||||
- MarkedArgumentBufferBase::markLists(visitor, m_markListSet);
|
|
||||||
+ MarkedVectorBase::markLists(visitor, m_markListSet);
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
|
||||||
diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
|
|
||||||
index 418f24fd1212..8df576acf7f8 100644
|
|
||||||
--- a/Source/JavaScriptCore/heap/Heap.h
|
|
||||||
+++ b/Source/JavaScriptCore/heap/Heap.h
|
|
||||||
@@ -1,7 +1,7 @@
|
|
||||||
/*
|
|
||||||
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
|
|
||||||
* Copyright (C) 2001 Peter Kelly (pmk@post.com)
|
|
||||||
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
|
|
||||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
|
||||||
*
|
|
||||||
* This library is free software; you can redistribute it and/or
|
|
||||||
* modify it under the terms of the GNU Lesser General Public
|
|
||||||
@@ -85,7 +85,7 @@ class MarkStackArray;
|
|
||||||
class MarkStackMergingConstraint;
|
|
||||||
class MarkedJSValueRefArray;
|
|
||||||
class BlockDirectory;
|
|
||||||
-class MarkedArgumentBufferBase;
|
|
||||||
+class MarkedVectorBase;
|
|
||||||
class MarkingConstraint;
|
|
||||||
class MarkingConstraintSet;
|
|
||||||
class MutatorScheduler;
|
|
||||||
@@ -409,7 +409,7 @@ public:
|
|
||||||
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();
|
|
||||||
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();
|
|
||||||
|
|
||||||
- HashSet<MarkedArgumentBufferBase*>& markListSet();
|
|
||||||
+ HashSet<MarkedVectorBase*>& markListSet();
|
|
||||||
void addMarkedJSValueRefArray(MarkedJSValueRefArray*);
|
|
||||||
|
|
||||||
template<typename Functor> void forEachProtectedCell(const Functor&);
|
|
||||||
@@ -778,7 +778,7 @@ private:
|
|
||||||
size_t m_deprecatedExtraMemorySize { 0 };
|
|
||||||
|
|
||||||
ProtectCountSet m_protectedValues;
|
|
||||||
- HashSet<MarkedArgumentBufferBase*> m_markListSet;
|
|
||||||
+ HashSet<MarkedVectorBase*> m_markListSet;
|
|
||||||
SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;
|
|
||||||
|
|
||||||
std::unique_ptr<MachineThreads> m_machineThreads;
|
|
||||||
diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
|
|
||||||
index 66d8317e317c..4d767a564d5f 100644
|
|
||||||
--- a/Source/JavaScriptCore/heap/HeapInlines.h
|
|
||||||
+++ b/Source/JavaScriptCore/heap/HeapInlines.h
|
|
||||||
@@ -206,7 +206,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
|
|
||||||
+inline HashSet<MarkedVectorBase*>& Heap::markListSet()
|
|
||||||
{
|
|
||||||
return m_markListSet;
|
|
||||||
}
|
|
||||||
diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp
|
|
||||||
index f2815b80c8c7..a72dea74a56f 100644
|
|
||||||
--- a/Source/JavaScriptCore/runtime/ArgList.cpp
|
|
||||||
+++ b/Source/JavaScriptCore/runtime/ArgList.cpp
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
|
|
||||||
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
|
|
||||||
*
|
|
||||||
* This library is free software; you can redistribute it and/or
|
|
||||||
* modify it under the terms of the GNU Library General Public
|
|
||||||
@@ -27,7 +27,7 @@ using std::min;
|
|
||||||
|
|
||||||
namespace JSC {
|
|
||||||
|
|
||||||
-void MarkedArgumentBufferBase::addMarkSet(JSValue v)
|
|
||||||
+void MarkedVectorBase::addMarkSet(JSValue v)
|
|
||||||
{
|
|
||||||
if (m_markSet)
|
|
||||||
return;
|
|
||||||
@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
|
|
||||||
}
|
|
||||||
|
|
||||||
template<typename Visitor>
|
|
||||||
-void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
|
|
||||||
+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
|
|
||||||
{
|
|
||||||
ListSet::iterator end = markSet.end();
|
|
||||||
for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
|
|
||||||
- MarkedArgumentBufferBase* list = *it;
|
|
||||||
+ MarkedVectorBase* list = *it;
|
|
||||||
for (int i = 0; i < list->m_size; ++i)
|
|
||||||
visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
|
|
||||||
-template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
|
|
||||||
+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
|
|
||||||
+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
|
|
||||||
|
|
||||||
-void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
|
|
||||||
+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
|
|
||||||
{
|
|
||||||
setNeedsOverflowCheck();
|
|
||||||
auto checkedNewCapacity = CheckedInt32(requestedCapacity);
|
|
||||||
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
|
|
||||||
- return this->overflowed();
|
|
||||||
- expandCapacity(checkedNewCapacity);
|
|
||||||
+ return Status::Overflowed;
|
|
||||||
+ return expandCapacity(checkedNewCapacity);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void MarkedArgumentBufferBase::expandCapacity()
|
|
||||||
+auto MarkedVectorBase::expandCapacity() -> Status
|
|
||||||
{
|
|
||||||
setNeedsOverflowCheck();
|
|
||||||
auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;
|
|
||||||
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
|
|
||||||
- return this->overflowed();
|
|
||||||
- expandCapacity(checkedNewCapacity);
|
|
||||||
+ return Status::Overflowed;
|
|
||||||
+ return expandCapacity(checkedNewCapacity);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
|
|
||||||
+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
|
|
||||||
{
|
|
||||||
setNeedsOverflowCheck();
|
|
||||||
ASSERT(m_capacity < newCapacity);
|
|
||||||
auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);
|
|
||||||
if (UNLIKELY(checkedSize.hasOverflowed()))
|
|
||||||
- return this->overflowed();
|
|
||||||
+ return Status::Overflowed;
|
|
||||||
EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
|
|
||||||
if (!newBuffer)
|
|
||||||
- return this->overflowed();
|
|
||||||
+ return Status::Overflowed;
|
|
||||||
for (int i = 0; i < m_size; ++i) {
|
|
||||||
newBuffer[i] = m_buffer[i];
|
|
||||||
addMarkSet(JSValue::decode(m_buffer[i]));
|
|
||||||
@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
|
|
||||||
|
|
||||||
m_buffer = newBuffer;
|
|
||||||
m_capacity = newCapacity;
|
|
||||||
+ return Status::Success;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void MarkedArgumentBufferBase::slowAppend(JSValue v)
|
|
||||||
+auto MarkedVectorBase::slowAppend(JSValue v) -> Status
|
|
||||||
{
|
|
||||||
ASSERT(m_size <= m_capacity);
|
|
||||||
- if (m_size == m_capacity)
|
|
||||||
- expandCapacity();
|
|
||||||
- if (UNLIKELY(Base::hasOverflowed())) {
|
|
||||||
- ASSERT(m_needsOverflowCheck);
|
|
||||||
- return;
|
|
||||||
+ if (m_size == m_capacity) {
|
|
||||||
+ auto status = expandCapacity();
|
|
||||||
+ if (status == Status::Overflowed) {
|
|
||||||
+ ASSERT(m_needsOverflowCheck);
|
|
||||||
+ return status;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
-
|
|
||||||
slotFor(m_size) = JSValue::encode(v);
|
|
||||||
++m_size;
|
|
||||||
addMarkSet(v);
|
|
||||||
+ return Status::Success;
|
|
||||||
}
|
|
||||||
|
|
||||||
} // namespace JSC
|
|
||||||
diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
|
|
||||||
index 8ea9b0e308b8..01a6d5e0e5dc 100644
|
|
||||||
--- a/Source/JavaScriptCore/runtime/ArgList.h
|
|
||||||
+++ b/Source/JavaScriptCore/runtime/ArgList.h
|
|
||||||
@@ -22,26 +22,27 @@
|
|
||||||
#pragma once
|
|
||||||
|
|
||||||
#include "CallFrame.h"
|
|
||||||
+#include "JSCast.h"
|
|
||||||
#include <wtf/CheckedArithmetic.h>
|
|
||||||
#include <wtf/ForbidHeapAllocation.h>
|
|
||||||
#include <wtf/HashSet.h>
|
|
||||||
|
|
||||||
namespace JSC {
|
|
||||||
|
|
||||||
-class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {
|
|
||||||
- WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);
|
|
||||||
- WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);
|
|
||||||
+class alignas(alignof(EncodedJSValue)) MarkedVectorBase {
|
|
||||||
+ WTF_MAKE_NONCOPYABLE(MarkedVectorBase);
|
|
||||||
+ WTF_MAKE_NONMOVABLE(MarkedVectorBase);
|
|
||||||
WTF_FORBID_HEAP_ALLOCATION;
|
|
||||||
friend class VM;
|
|
||||||
friend class ArgList;
|
|
||||||
|
|
||||||
+protected:
|
|
||||||
+ enum class Status { Success, Overflowed };
|
|
||||||
public:
|
|
||||||
- using Base = RecordOverflow;
|
|
||||||
- typedef HashSet<MarkedArgumentBufferBase*> ListSet;
|
|
||||||
+ typedef HashSet<MarkedVectorBase*> ListSet;
|
|
||||||
|
|
||||||
- ~MarkedArgumentBufferBase()
|
|
||||||
+ ~MarkedVectorBase()
|
|
||||||
{
|
|
||||||
- ASSERT(!m_needsOverflowCheck);
|
|
||||||
if (m_markSet)
|
|
||||||
m_markSet->remove(this);
|
|
||||||
|
|
||||||
@@ -52,92 +53,20 @@ public:
|
|
||||||
size_t size() const { return m_size; }
|
|
||||||
bool isEmpty() const { return !m_size; }
|
|
||||||
|
|
||||||
- JSValue at(int i) const
|
|
||||||
- {
|
|
||||||
- if (i >= m_size)
|
|
||||||
- return jsUndefined();
|
|
||||||
-
|
|
||||||
- return JSValue::decode(slotFor(i));
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- void clear()
|
|
||||||
- {
|
|
||||||
- ASSERT(!m_needsOverflowCheck);
|
|
||||||
- clearOverflow();
|
|
||||||
- m_size = 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- enum OverflowCheckAction {
|
|
||||||
- CrashOnOverflow,
|
|
||||||
- WillCheckLater
|
|
||||||
- };
|
|
||||||
- template<OverflowCheckAction action>
|
|
||||||
- void appendWithAction(JSValue v)
|
|
||||||
- {
|
|
||||||
- ASSERT(m_size <= m_capacity);
|
|
||||||
- if (m_size == m_capacity || mallocBase()) {
|
|
||||||
- slowAppend(v);
|
|
||||||
- if (action == CrashOnOverflow)
|
|
||||||
- RELEASE_ASSERT(!hasOverflowed());
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- slotFor(m_size) = JSValue::encode(v);
|
|
||||||
- ++m_size;
|
|
||||||
- }
|
|
||||||
- void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
|
|
||||||
- void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
|
|
||||||
-
|
|
||||||
void removeLast()
|
|
||||||
{
|
|
||||||
ASSERT(m_size);
|
|
||||||
m_size--;
|
|
||||||
}
|
|
||||||
|
|
||||||
- JSValue last()
|
|
||||||
- {
|
|
||||||
- ASSERT(m_size);
|
|
||||||
- return JSValue::decode(slotFor(m_size - 1));
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- JSValue takeLast()
|
|
||||||
- {
|
|
||||||
- JSValue result = last();
|
|
||||||
- removeLast();
|
|
||||||
- return result;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
template<typename Visitor> static void markLists(Visitor&, ListSet&);
|
|
||||||
|
|
||||||
- void ensureCapacity(size_t requestedCapacity)
|
|
||||||
- {
|
|
||||||
- if (requestedCapacity > static_cast<size_t>(m_capacity))
|
|
||||||
- slowEnsureCapacity(requestedCapacity);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- bool hasOverflowed()
|
|
||||||
- {
|
|
||||||
- clearNeedsOverflowCheck();
|
|
||||||
- return Base::hasOverflowed();
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
|
|
||||||
|
|
||||||
- template<typename Functor>
|
|
||||||
- void fill(size_t count, const Functor& func)
|
|
||||||
- {
|
|
||||||
- ASSERT(!m_size);
|
|
||||||
- ensureCapacity(count);
|
|
||||||
- if (Base::hasOverflowed())
|
|
||||||
- return;
|
|
||||||
- m_size = count;
|
|
||||||
- func(reinterpret_cast<JSValue*>(&slotFor(0)));
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
protected:
|
|
||||||
// Constructor for a read-write list, to which you may append values.
|
|
||||||
// FIXME: Remove all clients of this API, then remove this API.
|
|
||||||
- MarkedArgumentBufferBase(size_t capacity)
|
|
||||||
+ MarkedVectorBase(size_t capacity)
|
|
||||||
: m_size(0)
|
|
||||||
, m_capacity(capacity)
|
|
||||||
, m_buffer(inlineBuffer())
|
|
||||||
@@ -147,17 +76,16 @@ protected:
|
|
||||||
|
|
||||||
EncodedJSValue* inlineBuffer()
|
|
||||||
{
|
|
||||||
- return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));
|
|
||||||
+ return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));
|
|
||||||
}
|
|
||||||
|
|
||||||
-private:
|
|
||||||
- void expandCapacity();
|
|
||||||
- void expandCapacity(int newCapacity);
|
|
||||||
- void slowEnsureCapacity(size_t requestedCapacity);
|
|
||||||
+ Status expandCapacity();
|
|
||||||
+ Status expandCapacity(int newCapacity);
|
|
||||||
+ Status slowEnsureCapacity(size_t requestedCapacity);
|
|
||||||
|
|
||||||
void addMarkSet(JSValue);
|
|
||||||
|
|
||||||
- JS_EXPORT_PRIVATE void slowAppend(JSValue);
|
|
||||||
+ JS_EXPORT_PRIVATE Status slowAppend(JSValue);
|
|
||||||
|
|
||||||
EncodedJSValue& slotFor(int item) const
|
|
||||||
{
|
|
||||||
@@ -172,11 +100,14 @@ private:
|
|
||||||
}
|
|
||||||
|
|
||||||
#if ASSERT_ENABLED
|
|
||||||
- void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
|
|
||||||
+ void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }
|
|
||||||
+ void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }
|
|
||||||
void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }
|
|
||||||
|
|
||||||
bool m_needsOverflowCheck { false };
|
|
||||||
+ bool m_overflowCheckEnabled { true };
|
|
||||||
#else
|
|
||||||
+ void disableNeedsOverflowCheck() { }
|
|
||||||
void setNeedsOverflowCheck() { }
|
|
||||||
void clearNeedsOverflowCheck() { }
|
|
||||||
#endif // ASSERT_ENABLED
|
|
||||||
@@ -186,22 +117,114 @@ private:
|
|
||||||
ListSet* m_markSet;
|
|
||||||
};
|
|
||||||
|
|
||||||
-template<size_t passedInlineCapacity = 8>
|
|
||||||
-class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {
|
|
||||||
+template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>
|
|
||||||
+class MarkedVector : public OverflowHandler, public MarkedVectorBase {
|
|
||||||
public:
|
|
||||||
static constexpr size_t inlineCapacity = passedInlineCapacity;
|
|
||||||
|
|
||||||
- MarkedArgumentBufferWithSize()
|
|
||||||
- : MarkedArgumentBufferBase(inlineCapacity)
|
|
||||||
+ MarkedVector()
|
|
||||||
+ : MarkedVectorBase(inlineCapacity)
|
|
||||||
{
|
|
||||||
ASSERT(inlineBuffer() == m_inlineBuffer);
|
|
||||||
+ if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {
|
|
||||||
+ // CrashOnOverflow handles overflows immediately. So, we do not
|
|
||||||
+ // need to check for it after.
|
|
||||||
+ disableNeedsOverflowCheck();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ auto at(int i) const -> decltype(auto)
|
|
||||||
+ {
|
|
||||||
+ if constexpr (std::is_same_v<T, JSValue>) {
|
|
||||||
+ if (i >= m_size)
|
|
||||||
+ return jsUndefined();
|
|
||||||
+ return JSValue::decode(slotFor(i));
|
|
||||||
+ } else {
|
|
||||||
+ if (i >= m_size)
|
|
||||||
+ return static_cast<T>(nullptr);
|
|
||||||
+ return jsCast<T>(JSValue::decode(slotFor(i)).asCell());
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ void clear()
|
|
||||||
+ {
|
|
||||||
+ ASSERT(!m_needsOverflowCheck);
|
|
||||||
+ OverflowHandler::clearOverflow();
|
|
||||||
+ m_size = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ void append(T v)
|
|
||||||
+ {
|
|
||||||
+ ASSERT(m_size <= m_capacity);
|
|
||||||
+ if (m_size == m_capacity || mallocBase()) {
|
|
||||||
+ if (slowAppend(v) == Status::Overflowed)
|
|
||||||
+ this->overflowed();
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ slotFor(m_size) = JSValue::encode(v);
|
|
||||||
+ ++m_size;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ void appendWithCrashOnOverflow(T v)
|
|
||||||
+ {
|
|
||||||
+ append(v);
|
|
||||||
+ if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)
|
|
||||||
+ RELEASE_ASSERT(!this->hasOverflowed());
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ auto last() const -> decltype(auto)
|
|
||||||
+ {
|
|
||||||
+ if constexpr (std::is_same_v<T, JSValue>) {
|
|
||||||
+ ASSERT(m_size);
|
|
||||||
+ return JSValue::decode(slotFor(m_size - 1));
|
|
||||||
+ } else {
|
|
||||||
+ ASSERT(m_size);
|
|
||||||
+ return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ JSValue takeLast()
|
|
||||||
+ {
|
|
||||||
+ JSValue result = last();
|
|
||||||
+ removeLast();
|
|
||||||
+ return result;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ void ensureCapacity(size_t requestedCapacity)
|
|
||||||
+ {
|
|
||||||
+ if (requestedCapacity > static_cast<size_t>(m_capacity)) {
|
|
||||||
+ if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)
|
|
||||||
+ this->overflowed();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ bool hasOverflowed()
|
|
||||||
+ {
|
|
||||||
+ clearNeedsOverflowCheck();
|
|
||||||
+ return OverflowHandler::hasOverflowed();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ template<typename Functor>
|
|
||||||
+ void fill(size_t count, const Functor& func)
|
|
||||||
+ {
|
|
||||||
+ ASSERT(!m_size);
|
|
||||||
+ ensureCapacity(count);
|
|
||||||
+ if (OverflowHandler::hasOverflowed())
|
|
||||||
+ return;
|
|
||||||
+ m_size = count;
|
|
||||||
+ func(reinterpret_cast<JSValue*>(&slotFor(0)));
|
|
||||||
}
|
|
||||||
|
|
||||||
private:
|
|
||||||
EncodedJSValue m_inlineBuffer[inlineCapacity] { };
|
|
||||||
};
|
|
||||||
|
|
||||||
-using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;
|
|
||||||
+template<size_t passedInlineCapacity>
|
|
||||||
+class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
|
|
||||||
|
|
||||||
class ArgList {
|
|
||||||
WTF_MAKE_FAST_ALLOCATED;
|
|
||||||
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
|
||||||
index 13d04e3bdb3b..f827b2ec6a6b 100644
|
|
||||||
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
|
||||||
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (C) 2020 Apple Inc. All rights reserved.
|
|
||||||
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -219,7 +219,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop
|
|
||||||
ASSERT(!isMainThread());
|
|
||||||
}
|
|
||||||
|
|
||||||
-void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
|
|
||||||
+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
|
|
||||||
{
|
|
||||||
// For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.
|
|
||||||
if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs)))
|
|
||||||
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
|
||||||
index 3f3d708c7ae4..b0bce3609198 100644
|
|
||||||
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
|
||||||
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright (C) 2020 Apple Inc. All rights reserved.
|
|
||||||
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
|
|
||||||
*
|
|
||||||
* Redistribution and use in source and binary forms, with or without
|
|
||||||
* modification, are permitted provided that the following conditions
|
|
||||||
@@ -41,7 +41,8 @@
|
|
||||||
|
|
||||||
namespace JSC {
|
|
||||||
class JSArray;
|
|
||||||
-class MarkedArgumentBufferBase;
|
|
||||||
+template<typename T, size_t, class> class MarkedVector;
|
|
||||||
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
|
|
||||||
}
|
|
||||||
|
|
||||||
namespace WebCore {
|
|
||||||
@@ -71,7 +72,7 @@ public:
|
|
||||||
|
|
||||||
private:
|
|
||||||
explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&);
|
|
||||||
- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
|
|
||||||
+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
|
|
||||||
|
|
||||||
AudioWorkletGlobalScope& m_globalScope;
|
|
||||||
String m_name;
|
|
||||||
diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
|
||||||
index e0d4316a169f..5897e1066512 100644
|
|
||||||
--- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
|
||||||
+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
|
|
||||||
@@ -540,6 +540,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;
|
|
||||||
using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>;
|
|
||||||
|
|
||||||
class CloneBase {
|
|
||||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
|
||||||
protected:
|
|
||||||
CloneBase(JSGlobalObject* lexicalGlobalObject)
|
|
||||||
: m_lexicalGlobalObject(lexicalGlobalObject)
|
|
||||||
@@ -617,6 +618,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8
|
|
||||||
}
|
|
||||||
|
|
||||||
class CloneSerializer : CloneBase {
|
|
||||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
|
||||||
public:
|
|
||||||
static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps,
|
|
||||||
#if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS)
|
|
||||||
@@ -2150,6 +2152,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
|
|
||||||
}
|
|
||||||
|
|
||||||
class CloneDeserializer : CloneBase {
|
|
||||||
+ WTF_FORBID_HEAP_ALLOCATION;
|
|
||||||
public:
|
|
||||||
static String deserializeString(const Vector<uint8_t>& buffer)
|
|
||||||
{
|
|
||||||
@@ -3921,10 +3924,10 @@ DeserializationResult CloneDeserializer::deserialize()
|
|
||||||
|
|
||||||
Vector<uint32_t, 16> indexStack;
|
|
||||||
Vector<Identifier, 16> propertyNameStack;
|
|
||||||
- Vector<JSObject*, 32> outputObjectStack;
|
|
||||||
- Vector<JSValue, 4> mapKeyStack;
|
|
||||||
- Vector<JSMap*, 4> mapStack;
|
|
||||||
- Vector<JSSet*, 4> setStack;
|
|
||||||
+ MarkedVector<JSObject*, 32> outputObjectStack;
|
|
||||||
+ MarkedVector<JSValue, 4> mapKeyStack;
|
|
||||||
+ MarkedVector<JSMap*, 4> mapStack;
|
|
||||||
+ MarkedVector<JSSet*, 4> setStack;
|
|
||||||
Vector<WalkerState, 16> stateStack;
|
|
||||||
WalkerState lexicalGlobalObject = StateUnknown;
|
|
||||||
JSValue outValue;
|
|
||||||
--
|
|
||||||
2.40.0
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antoine Quint <graouts@webkit.org>
|
|
||||||
Date: Mon, 22 May 2023 13:37:32 -0700
|
|
||||||
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
|
|
||||||
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
|
|
||||||
|
|
||||||
Reviewed by Dean Jackson and Darin Adler.
|
|
||||||
|
|
||||||
Ensure that the animation's effect and target are kept alive for the duration of this method
|
|
||||||
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
|
|
||||||
these two pointers could be changed to a null value using the Web Animations API.
|
|
||||||
|
|
||||||
* Source/WebCore/animation/WebAnimation.cpp:
|
|
||||||
(WebCore::WebAnimation::commitStyles):
|
|
||||||
|
|
||||||
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
|
|
||||||
Canonical link: https://commits.webkit.org/264363@main
|
|
||||||
---
|
|
||||||
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
|
|
||||||
index 68ea47985807..ae20c79c36cf 100644
|
|
||||||
--- a/Source/WebCore/animation/WebAnimation.cpp
|
|
||||||
+++ b/Source/WebCore/animation/WebAnimation.cpp
|
|
||||||
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
|
|
||||||
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
|
|
||||||
|
|
||||||
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
|
|
||||||
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
|
|
||||||
- auto* target = effect ? effect->target() : nullptr;
|
|
||||||
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
|
|
||||||
+ RefPtr target = effect ? effect->target() : nullptr;
|
|
||||||
|
|
||||||
// 2. For each target in targets:
|
|
||||||
//
|
|
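--- a/SOURCES/CVE-2023-42917.patch
+++ b/SOURCES/CVE-2023-42917.patch
@@ -0,0 +1,80 @@
+From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
+From: Russell Epstein <repstein@apple.com>
+Date: Fri, 17 Nov 2023 15:48:32 -0800
+Subject: [PATCH] Cherry-pick b0a755e34426.
+https://bugs.webkit.org/show_bug.cgi?id=265067
+
+Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
+https://bugs.webkit.org/show_bug.cgi?id=265067
+rdar://118548733
+
+Reviewed by Justin Michaud and Mark Lam.
+
+Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
+Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
+in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
+
+This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
+And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
+
+* Source/JavaScriptCore/runtime/Structure.cpp:
+(JSC::Structure::flattenDictionaryStructure):
+
+Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
+
+Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
+---
+Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
+1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
+index 2922e2478794c..9d094e2c8adc8 100644
+--- a/Source/JavaScriptCore/runtime/Structure.cpp
++++ b/Source/JavaScriptCore/runtime/Structure.cpp
+@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+checkOffsetConsistency();
+ASSERT(isDictionary());
+ASSERT(object->structure() == this);
+-
+- GCSafeConcurrentJSLocker locker(m_lock, vm);
+-
+- object->setStructureIDDirectly(id().nuke());
+- WTF::storeStoreFence();
+
++ Locker<JSCellLock> cellLocker(NoLockingNecessary);
++
++ PropertyTable* table = nullptr;
+size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
++ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
+if (isUncacheableDictionary()) {
+- PropertyTable* table = propertyTableOrNull();
++ table = propertyTableOrNull();
+ASSERT(table);
++ PropertyOffset maxOffset = invalidOffset;
++ if (unsigned propertyCount = table->size())
++ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
++ afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
++ }
+
++ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
++ if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
++ cellLocker = Locker { object->cellLock() };
++
++ GCSafeConcurrentJSLocker locker(m_lock, vm);
++
++ object->setStructureIDDirectly(id().nuke());
++ WTF::storeStoreFence();
++
++ if (isUncacheableDictionary()) {
+size_t propertyCount = table->size();
+
+// Holds our values compacted by insertion order. This is OK since GC is deferred.
+@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
+setDictionaryKind(NoneDictionaryKind);
+setHasBeenFlattenedBefore(true);
+
+- size_t afterOutOfLineCapacity = this->outOfLineCapacity();
++ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
+
+if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
+ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);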
@ -1,26 +1,14 @@
|
|||||||
From ffe84688fc8a91b1e6d1c4462120fc44349a7c05 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
|
||||||
Date: Thu, 27 Oct 2022 19:12:43 -0500
|
|
||||||
Subject: [PATCH] Force Evolution to use single secondary process
|
|
||||||
|
|
||||||
---
|
|
||||||
Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||||
index 6bb6767869af..2a05a69d9b0d 100644
|
index a30f5b13be26..72ad006cde21 100644
|
||||||
--- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
--- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||||
+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
|
||||||
@@ -431,6 +431,9 @@ static void webkitWebContextConstructed(GObject* object)
|
@@ -438,6 +438,9 @@ static void webkitWebContextConstructed(GObject* object)
|
||||||
}
|
}
|
||||||
configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length()));
|
configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length()));
|
||||||
|
|
||||||
+ if (!g_strcmp0(g_get_prgname(), "evolution"))
|
+ if (!g_strcmp0(g_get_prgname(), "evolution"))
|
||||||
+ configuration.setUsesSingleWebProcess(true);
|
+ configuration.setUsesSingleWebProcess(true);
|
||||||
+
|
+
|
||||||
|
#if !ENABLE(2022_GLIB_API)
|
||||||
if (!priv->websiteDataManager)
|
if (!priv->websiteDataManager)
|
||||||
priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr));
|
priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr));
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
|
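Review bot: The refreshed patch drops the `From:`, `Date:` and `Subject: [PATCH] Force Evolution to use single secondary process` lines together with the diffstat, so the file no longer records who wrote the change or what it is for; only the spec's `Patch0` name hints at it. The same header loss appears in icu60.patch (`@ -1,17 +1,3 @@`). Keeping at least the `From:` and `Subject:` lines, or a two-line comment above the `diff --git` line giving the purpose and upstream reference, costs nothing and keeps the distro patch auditable. The hunk body itself is unchanged apart from the new `#if !ENABLE(2022_GLIB_API)` context and the shifted offset, so I have no point on the code.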
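--- a/SOURCES/glib-dep.patch
+++ b/SOURCES/glib-dep.patch
@@ -0,0 +1,19 @@
+diff --git a/glib-dep.patch b/glib-dep.patch
+new file mode 100644
+index 0000000..dbc0ab6
+--- /dev/null
++++ b/glib-dep.patch
+@@ -0,0 +1,13 @@
++diff --git a/Source/WTF/wtf/glib/Sandbox.cpp b/Source/WTF/wtf/glib/Sandbox.cpp
++index 9b07bb8cb5a9b..a8169511fe851 100644
++--- a/Source/WTF/wtf/glib/Sandbox.cpp
+++++ b/Source/WTF/wtf/glib/Sandbox.cpp
++@@ -58,7 +58,7 @@ bool isInsideUnsupportedContainer()
++ int waitStatus = 0;
++ gboolean spawnSucceeded = g_spawn_sync(nullptr, const_cast<char**>(bwrapArgs), nullptr,
++ G_SPAWN_STDERR_TO_DEV_NULL, nullptr, nullptr, nullptr, nullptr, &waitStatus, nullptr);
++- supportedContainer = spawnSucceeded && g_spawn_check_wait_status(waitStatus, nullptr);
+++ supportedContainer = spawnSucceeded && g_spawn_check_exit_status(waitStatus, nullptr);
++ if (!supportedContainer)
++ WTFLogAlways("Bubblewrap does not work inside of this container, sandboxing will be disabled.");
++ }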
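--- a/SOURCES/gstreamer-1.16.1.patch
+++ b/SOURCES/gstreamer-1.16.1.patch
@@ -0,0 +1,57 @@
+diff --git a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
+index a861b913ccfc..df21a1f67e98 100644
+--- a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
++++ b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
+@@ -88,7 +88,25 @@ static void webKitGLVideoSinkConstructed(GObject* object)
+ASSERT(colorconvert);
+gst_bin_add_many(GST_BIN_CAST(sink), upload, colorconvert, sink->priv->appSink.get(), nullptr);
+
+- GRefPtr<GstCaps> caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
++ // Workaround until we can depend on GStreamer 1.16.2.
++ // https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/8d32de090554cf29fe359f83aa46000ba658a693
++ // Forcing a color conversion to RGBA here allows glupload to internally use
++ // an uploader that adds a VideoMeta, through the TextureUploadMeta caps
++ // feature, without needing the patch above. However this specific caps
++ // feature is going to be removed from GStreamer so it is considered a
++ // short-term workaround. This code path most likely will have a negative
++ // performance impact on embedded platforms as well. Downstream embedders
++ // are highly encouraged to cherry-pick the patch linked above in their BSP
++ // and set the WEBKIT_GST_NO_RGBA_CONVERSION environment variable until
++ // GStreamer 1.16.2 is released.
++ // See also https://bugs.webkit.org/show_bug.cgi?id=201422
++ GRefPtr<GstCaps> caps;
++ if (webkitGstCheckVersion(1, 16, 2) || getenv("WEBKIT_GST_NO_RGBA_CONVERSION"))
++ caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
++ else {
++ GST_INFO_OBJECT(sink, "Forcing RGBA as GStreamer is not new enough.");
++ caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) RGBA"));
++ }
+gst_caps_set_features(caps.get(), 0, gst_caps_features_new(GST_CAPS_FEATURE_MEMORY_GL_MEMORY, nullptr));
+g_object_set(sink->priv->appSink.get(), "caps", caps.get(), nullptr);
+
+diff --git a/Source/cmake/GStreamerChecks.cmake b/Source/cmake/GStreamerChecks.cmake
+index ba8423e2795c..df9d3204910d 100644
+--- a/Source/cmake/GStreamerChecks.cmake
++++ b/Source/cmake/GStreamerChecks.cmake
+@@ -36,7 +36,7 @@ if (ENABLE_VIDEO OR ENABLE_WEB_AUDIO)
+list(APPEND GSTREAMER_COMPONENTS webrtc)
+endif ()
+
+- find_package(GStreamer 1.16.2 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
++ find_package(GStreamer 1.16.0 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
+
+if (ENABLE_WEB_AUDIO)
+if (NOT PC_GSTREAMER_AUDIO_FOUND OR NOT PC_GSTREAMER_FFT_FOUND)
+
+diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
+index 0b81e04559f0..4c6ae470e49f 100644
+--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
++++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
+@@ -479,7 +479,6 @@ bool MediaPlayerPrivateGStreamer::doSeek(const MediaTime& position, float rate)
+
+auto seekStart = toGstClockTime(startTime);
+auto seekStop = toGstClockTime(endTime);
+- GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to %" GST_TIMEP_FORMAT " (endTime: %" GST_TIMEP_FORMAT ") at rate %f", &seekStart, &seekStop, rate);
+return gst_element_seek(m_pipeline.get(), rate, GST_FORMAT_TIME, m_seekFlags, GST_SEEK_TYPE_SET, seekStart, GST_SEEK_TYPE_SET, seekStop);
+}
+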
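Review bot: The patch carries no header, so nothing records why the third hunk (`@@ -479,7 +479,6 @@` in MediaPlayerPrivateGStreamer.cpp) deletes the `GST_DEBUG_OBJECT(... GST_TIMEP_FORMAT ...)` seek log line; the spec describes the file only as a partial revert of WebKit PR 6087, and that deletion reads as a separate accommodation (presumably a format macro missing from the older GStreamer, which I cannot confirm from here). A short header above the first `diff --git` stating the purpose of each of the three hunks and the GStreamer floor they target would make the next rebase safer. The file is named `gstreamer-1.16.1.patch` while the cmake hunk lowers the floor to `find_package(GStreamer 1.16.0 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})` and the restored comment talks about 1.16.2; aligning the name or the header with the actual floor avoids confusion. The header should also mention that the restored path reads `WEBKIT_GST_NO_RGBA_CONVERSION` via `getenv` at sink construction, so on pre-1.16.2 systems the environment can switch the RGBA conversion off.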
@ -1,17 +1,3 @@
|
|||||||
From 833cfdd150b6f7f0fb021ac5de7890dff158f5fd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
|
||||||
Date: Thu, 27 Oct 2022 16:32:43 -0500
|
|
||||||
Subject: [PATCH] Build against ICU 60
|
|
||||||
|
|
||||||
---
|
|
||||||
Source/JavaScriptCore/runtime/IntlCache.cpp | 3 +++
|
|
||||||
Source/JavaScriptCore/runtime/IntlCache.h | 3 +++
|
|
||||||
Source/JavaScriptCore/runtime/IntlDisplayNames.cpp | 11 +++++++++++
|
|
||||||
Source/JavaScriptCore/runtime/IntlDisplayNames.h | 7 +++++++
|
|
||||||
Source/JavaScriptCore/runtime/IntlObject.cpp | 6 +++++-
|
|
||||||
Source/cmake/OptionsGTK.cmake | 2 +-
|
|
||||||
6 files changed, 30 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp
|
diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp
|
||||||
index b17d7340df56..94a5474059b6 100644
|
index b17d7340df56..94a5474059b6 100644
|
||||||
--- a/Source/JavaScriptCore/runtime/IntlCache.cpp
|
--- a/Source/JavaScriptCore/runtime/IntlCache.cpp
|
||||||
@ -62,7 +48,7 @@ index 058b2423786d..e7a8c82f392b 100644
|
|||||||
private:
|
private:
|
||||||
UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status)
|
UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status)
|
||||||
diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||||
index c281f796eaee..1bc3c0c8a8c6 100644
|
index f38161e7f95b..068613ce8feb 100644
|
||||||
--- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
--- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||||
+++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
+++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
|
||||||
@@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
@@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
||||||
@ -73,7 +59,7 @@ index c281f796eaee..1bc3c0c8a8c6 100644
|
|||||||
UErrorCode status = U_ZERO_ERROR;
|
UErrorCode status = U_ZERO_ERROR;
|
||||||
|
|
||||||
UDisplayContext contexts[] = {
|
UDisplayContext contexts[] = {
|
||||||
@@ -137,6 +138,10 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
@@ -137,15 +138,19 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
|
||||||
throwTypeError(globalObject, scope, "failed to initialize DisplayNames"_s);
|
throwTypeError(globalObject, scope, "failed to initialize DisplayNames"_s);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -84,7 +70,9 @@ index c281f796eaee..1bc3c0c8a8c6 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
// https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.of
|
// https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.of
|
||||||
@@ -146,6 +151,7 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) const
|
||||||
|
{
|
||||||
|
-
|
||||||
VM& vm = globalObject->vm();
|
VM& vm = globalObject->vm();
|
||||||
auto scope = DECLARE_THROW_SCOPE(vm);
|
auto scope = DECLARE_THROW_SCOPE(vm);
|
||||||
|
|
||||||
@ -92,7 +80,7 @@ index c281f796eaee..1bc3c0c8a8c6 100644
|
|||||||
ASSERT(m_displayNames);
|
ASSERT(m_displayNames);
|
||||||
auto code = codeValue.toWTFString(globalObject);
|
auto code = codeValue.toWTFString(globalObject);
|
||||||
RETURN_IF_EXCEPTION(scope, { });
|
RETURN_IF_EXCEPTION(scope, { });
|
||||||
@@ -350,6 +356,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
@@ -350,6 +355,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
|
||||||
return throwTypeError(globalObject, scope, "Failed to query a display name."_s);
|
return throwTypeError(globalObject, scope, "Failed to query a display name."_s);
|
||||||
}
|
}
|
||||||
return jsString(vm, String(WTFMove(buffer)));
|
return jsString(vm, String(WTFMove(buffer)));
|
||||||
@ -123,18 +111,18 @@ index d80dc3d83a15..f2bf36275c79 100644
|
|||||||
|
|
||||||
enum class RelevantExtensionKey : uint8_t;
|
enum class RelevantExtensionKey : uint8_t;
|
||||||
diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||||
index f7dc4d578d77..a6ccbe1b9f74 100644
|
index 0080abf51be4..d23c7c021334 100644
|
||||||
--- a/Source/JavaScriptCore/runtime/IntlObject.cpp
|
--- a/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||||
+++ b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
+++ b/Source/JavaScriptCore/runtime/IntlObject.cpp
|
||||||
@@ -153,7 +153,6 @@ namespace JSC {
|
@@ -164,7 +164,6 @@ namespace JSC {
|
||||||
getCanonicalLocales intlObjectFuncGetCanonicalLocales DontEnum|Function 1
|
supportedValuesOf intlObjectFuncSupportedValuesOf DontEnum|Function 1
|
||||||
Collator createCollatorConstructor DontEnum|PropertyCallback
|
Collator createCollatorConstructor DontEnum|PropertyCallback
|
||||||
DateTimeFormat createDateTimeFormatConstructor DontEnum|PropertyCallback
|
DateTimeFormat createDateTimeFormatConstructor DontEnum|PropertyCallback
|
||||||
- DisplayNames createDisplayNamesConstructor DontEnum|PropertyCallback
|
- DisplayNames createDisplayNamesConstructor DontEnum|PropertyCallback
|
||||||
Locale createLocaleConstructor DontEnum|PropertyCallback
|
Locale createLocaleConstructor DontEnum|PropertyCallback
|
||||||
NumberFormat createNumberFormatConstructor DontEnum|PropertyCallback
|
NumberFormat createNumberFormatConstructor DontEnum|PropertyCallback
|
||||||
PluralRules createPluralRulesConstructor DontEnum|PropertyCallback
|
PluralRules createPluralRulesConstructor DontEnum|PropertyCallback
|
||||||
@@ -239,6 +238,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
|
@@ -252,6 +251,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject*)
|
||||||
Base::finishCreation(vm);
|
Base::finishCreation(vm);
|
||||||
ASSERT(inherits(info()));
|
ASSERT(inherits(info()));
|
||||||
JSC_TO_STRING_TAG_WITHOUT_TRANSITION();
|
JSC_TO_STRING_TAG_WITHOUT_TRANSITION();
|
||||||
@ -144,21 +132,38 @@ index f7dc4d578d77..a6ccbe1b9f74 100644
|
|||||||
+ UNUSED_PARAM(&createDisplayNamesConstructor);
|
+ UNUSED_PARAM(&createDisplayNamesConstructor);
|
||||||
+#endif
|
+#endif
|
||||||
#if HAVE(ICU_U_LIST_FORMATTER)
|
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||||
putDirectWithoutTransition(vm, vm.propertyNames->ListFormat, createListFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
|
if (Options::useIntlDurationFormat())
|
||||||
#else
|
putDirectWithoutTransition(vm, vm.propertyNames->DurationFormat, createDurationFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
|
||||||
diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake
|
diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake
|
||||||
index 5e653a9e0b5a..0977f2c49037 100644
|
index 8bd6ed347418..9d0a7e88b16a 100644
|
||||||
--- a/Source/cmake/OptionsGTK.cmake
|
--- a/Source/cmake/OptionsGTK.cmake
|
||||||
+++ b/Source/cmake/OptionsGTK.cmake
|
+++ b/Source/cmake/OptionsGTK.cmake
|
||||||
@@ -19,7 +19,7 @@ find_package(Freetype 2.4.2 REQUIRED)
|
@@ -18,7 +18,7 @@ find_package(Fontconfig 2.8.0 REQUIRED)
|
||||||
|
find_package(Freetype 2.4.2 REQUIRED)
|
||||||
find_package(LibGcrypt 1.6.0 REQUIRED)
|
find_package(LibGcrypt 1.6.0 REQUIRED)
|
||||||
find_package(GLIB 2.56.4 REQUIRED COMPONENTS gio gio-unix gobject gthread gmodule)
|
|
||||||
find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU)
|
find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU)
|
||||||
-find_package(ICU 61.2 REQUIRED COMPONENTS data i18n uc)
|
-find_package(ICU 61.2 REQUIRED COMPONENTS data i18n uc)
|
||||||
+find_package(ICU 60.2 REQUIRED COMPONENTS data i18n uc)
|
+find_package(ICU 60 REQUIRED COMPONENTS data i18n uc)
|
||||||
find_package(JPEG REQUIRED)
|
find_package(JPEG REQUIRED)
|
||||||
|
find_package(LibEpoxy 1.4.0 REQUIRED)
|
||||||
find_package(LibXml2 2.8.0 REQUIRED)
|
find_package(LibXml2 2.8.0 REQUIRED)
|
||||||
find_package(PNG REQUIRED)
|
diff --git a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||||
--
|
index fdcaa71f2011..f6aa1b0e3def 100644
|
||||||
2.31.1
|
--- a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||||
|
+++ b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
|
||||||
|
@@ -41,7 +41,6 @@
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
#include <unicode/ulistformatter.h>
|
||||||
|
-#include <unicode/unumberformatter.h>
|
||||||
|
#include <unicode/ures.h>
|
||||||
|
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||||
|
#define U_HIDE_DRAFT_API 1
|
||||||
|
@@ -49,6 +48,7 @@
|
||||||
|
|
||||||
|
#if HAVE(ICU_U_LIST_FORMATTER)
|
||||||
|
#include <unicode/uformattedvalue.h>
|
||||||
|
+#include <unicode/unumberformatter.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
namespace JSC {
|
||||||
|
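Review bot: The OptionsGTK.cmake hunk lowers the ICU requirement from `find_package(ICU 60.2 REQUIRED COMPONENTS data i18n uc)` to `find_package(ICU 60 REQUIRED COMPONENTS data i18n uc)` with no stated reason, which newly admits 60.0 and 60.1; if the earlier `60.2` floor was chosen because of a fix in that point release, the rest of the patch has not been exercised against those versions. Either keep `60.2` or record in the patch why `60` is sufficient. Separately, the new IntlDurationFormat.cpp hunk moves `#include <unicode/unumberformatter.h>` under `#if HAVE(ICU_U_LIST_FORMATTER)`; a one-line comment there noting that the header is only available in the ICU versions that also provide the list formatter would explain the move to the next rebaser (I cannot confirm the exact ICU version boundary from here).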
@ -1,6 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC
|
|
||||||
w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk=
|
|
||||||
=or/S
|
|
||||||
-----END PGP SIGNATURE-----
|
|
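--- a/SOURCES/webkitgtk-2.40.5.tar.xz.asc
+++ b/SOURCES/webkitgtk-2.40.5.tar.xz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCZMjRYQAKCRDz0yLQ7EWC
+wwPPAJ0XUmEmSr4IFQWpbDfPOR9keXY+lwCfVLyOFL8T55psriGN4vkxVZqq+EM=
+=nGCs
+-----END PGP SIGNATURE-----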
@ -6,8 +6,8 @@
|
|||||||
cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g')
|
cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g')
|
||||||
|
|
||||||
Name: webkit2gtk3
|
Name: webkit2gtk3
|
||||||
Version: 2.38.5
|
Version: 2.40.5
|
||||||
Release: 1%{?dist}.5.alma
|
Release: 1%{?dist}.alma.1
|
||||||
Summary: GTK Web content engine library
|
Summary: GTK Web content engine library
|
||||||
|
|
||||||
License: LGPLv2
|
License: LGPLv2
|
||||||
@ -25,23 +25,28 @@ Patch0: evolution-shared-secondary-process.patch
|
|||||||
# https://bugs.webkit.org/show_bug.cgi?id=235367
|
# https://bugs.webkit.org/show_bug.cgi?id=235367
|
||||||
Patch1: icu60.patch
|
Patch1: icu60.patch
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
|
# https://github.com/WebKit/WebKit/pull/14498
|
||||||
Patch2: CVE-2023-28204.patch
|
Patch2: glib-dep.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
|
|
||||||
Patch3: CVE-2023-28205.patch
|
# Partial revert of https://github.com/WebKit/WebKit/pull/6087
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
|
Patch3: gstreamer-1.16.1.patch
|
||||||
Patch4: CVE-2023-32373.patch
|
|
||||||
|
# Patches were taken from:
|
||||||
|
# https://git.almalinux.org/rpms/webkit2gtk3/commit/876f553c6cd33386eb8b184bbc7618a1b03a2826
|
||||||
|
Patch4: CVE-2023-42917.patch
|
||||||
|
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: gcc-toolset-13
|
||||||
BuildRequires: gettext
|
BuildRequires: gettext
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
BuildRequires: gperf
|
BuildRequires: gperf
|
||||||
BuildRequires: hyphen-devel
|
BuildRequires: hyphen-devel
|
||||||
BuildRequires: libatomic
|
BuildRequires: libatomic
|
||||||
BuildRequires: ninja-build
|
BuildRequires: ninja-build
|
||||||
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: perl(English)
|
BuildRequires: perl(English)
|
||||||
BuildRequires: perl(FindBin)
|
BuildRequires: perl(FindBin)
|
||||||
BuildRequires: perl(JSON::PP)
|
BuildRequires: perl(JSON::PP)
|
||||||
@ -49,6 +54,8 @@ BuildRequires: python3
|
|||||||
BuildRequires: ruby
|
BuildRequires: ruby
|
||||||
BuildRequires: rubygem-json
|
BuildRequires: rubygem-json
|
||||||
BuildRequires: rubygems
|
BuildRequires: rubygems
|
||||||
|
BuildRequires: shadow-utils
|
||||||
|
BuildRequires: unifdef
|
||||||
|
|
||||||
BuildRequires: pkgconfig(atspi-2)
|
BuildRequires: pkgconfig(atspi-2)
|
||||||
BuildRequires: pkgconfig(cairo)
|
BuildRequires: pkgconfig(cairo)
|
||||||
@ -61,16 +68,19 @@ BuildRequires: pkgconfig(enchant-2)
|
|||||||
%endif
|
%endif
|
||||||
BuildRequires: pkgconfig(fontconfig)
|
BuildRequires: pkgconfig(fontconfig)
|
||||||
BuildRequires: pkgconfig(freetype2)
|
BuildRequires: pkgconfig(freetype2)
|
||||||
|
BuildRequires: pkgconfig(gbm)
|
||||||
BuildRequires: pkgconfig(gl)
|
BuildRequires: pkgconfig(gl)
|
||||||
BuildRequires: pkgconfig(glib-2.0)
|
BuildRequires: pkgconfig(glib-2.0)
|
||||||
BuildRequires: pkgconfig(glesv2)
|
BuildRequires: pkgconfig(glesv2)
|
||||||
BuildRequires: pkgconfig(gobject-introspection-1.0)
|
BuildRequires: pkgconfig(gobject-introspection-1.0)
|
||||||
BuildRequires: pkgconfig(gstreamer-1.0)
|
BuildRequires: pkgconfig(gstreamer-1.0)
|
||||||
|
BuildRequires: pkgconfig(gstreamer-plugins-bad-1.0)
|
||||||
BuildRequires: pkgconfig(gstreamer-plugins-base-1.0)
|
BuildRequires: pkgconfig(gstreamer-plugins-base-1.0)
|
||||||
BuildRequires: pkgconfig(gtk+-3.0)
|
BuildRequires: pkgconfig(gtk+-3.0)
|
||||||
BuildRequires: pkgconfig(harfbuzz)
|
BuildRequires: pkgconfig(harfbuzz)
|
||||||
BuildRequires: pkgconfig(icu-uc)
|
BuildRequires: pkgconfig(icu-uc)
|
||||||
BuildRequires: pkgconfig(lcms2)
|
BuildRequires: pkgconfig(lcms2)
|
||||||
|
BuildRequires: pkgconfig(libdrm)
|
||||||
BuildRequires: pkgconfig(libjpeg)
|
BuildRequires: pkgconfig(libjpeg)
|
||||||
BuildRequires: pkgconfig(libnotify)
|
BuildRequires: pkgconfig(libnotify)
|
||||||
BuildRequires: pkgconfig(libopenjp2)
|
BuildRequires: pkgconfig(libopenjp2)
|
||||||
@ -191,19 +201,27 @@ rm -rf Source/ThirdParty/qunit/
|
|||||||
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
|
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# bmalloc and JIT are disabled on aarch64 only in RHEL because of the nonstandard
|
# The system GCC is too old to build WebKit, so use a GCC Toolset instead.
|
||||||
# page size that's causing problems there. WebKit's build system sets appropriate
|
# This prints warnings complaining that it should not be used except in
|
||||||
# defaults for all other architectures, and all other distros except RHEL.
|
# SCL scriplets, but I can't figure out any other way to make it work.
|
||||||
|
source scl_source enable gcc-toolset-13
|
||||||
|
|
||||||
|
# -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires
|
||||||
|
# __atomic_compare_exchange_16 which does not seem to be available.
|
||||||
mkdir -p %{_target_platform}
|
mkdir -p %{_target_platform}
|
||||||
pushd %{_target_platform}
|
pushd %{_target_platform}
|
||||||
%cmake \
|
%cmake \
|
||||||
-GNinja \
|
-GNinja \
|
||||||
-DPORT=GTK \
|
-DPORT=GTK \
|
||||||
-DCMAKE_BUILD_TYPE=Release \
|
-DCMAKE_BUILD_TYPE=Release \
|
||||||
|
-DUSE_SYSTEM_MALLOC=ON \
|
||||||
|
-DENABLE_JIT=OFF \
|
||||||
-DENABLE_BUBBLEWRAP_SANDBOX=OFF \
|
-DENABLE_BUBBLEWRAP_SANDBOX=OFF \
|
||||||
-DENABLE_JIT=OFF \
|
-DENABLE_JIT=OFF \
|
||||||
-DUSE_SOUP2=ON \
|
-DUSE_SOUP2=ON \
|
||||||
|
-DUSE_AVIF=OFF \
|
||||||
-DENABLE_DOCUMENTATION=OFF \
|
-DENABLE_DOCUMENTATION=OFF \
|
||||||
|
-DUSE_GSTREAMER_TRANSCODER=OFF \
|
||||||
-DENABLE_GAMEPAD=OFF \
|
-DENABLE_GAMEPAD=OFF \
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
%ifarch aarch64
|
%ifarch aarch64
|
||||||
@ -220,12 +238,11 @@ export NINJA_STATUS="[%f/%t][%e] "
|
|||||||
%install
|
%install
|
||||||
%ninja_install -C %{_target_platform}
|
%ninja_install -C %{_target_platform}
|
||||||
|
|
||||||
%find_lang WebKit2GTK-4.0
|
%find_lang WebKitGTK-4.0
|
||||||
|
|
||||||
# Finally, copy over and rename various files for %%license inclusion
|
# Finally, copy over and rename various files for %%license inclusion
|
||||||
%add_to_license_files Source/JavaScriptCore/COPYING.LIB
|
%add_to_license_files Source/JavaScriptCore/COPYING.LIB
|
||||||
%add_to_license_files Source/ThirdParty/ANGLE/LICENSE
|
%add_to_license_files Source/ThirdParty/ANGLE/LICENSE
|
||||||
%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE
|
|
||||||
%add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
|
%add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
|
||||||
%add_to_license_files Source/WebCore/LICENSE-APPLE
|
%add_to_license_files Source/WebCore/LICENSE-APPLE
|
||||||
%add_to_license_files Source/WebCore/LICENSE-LGPL-2
|
%add_to_license_files Source/WebCore/LICENSE-LGPL-2
|
||||||
@ -237,7 +254,7 @@ export NINJA_STATUS="[%f/%t][%e] "
|
|||||||
%add_to_license_files Source/WTF/wtf/dtoa/COPYING
|
%add_to_license_files Source/WTF/wtf/dtoa/COPYING
|
||||||
%add_to_license_files Source/WTF/wtf/dtoa/LICENSE
|
%add_to_license_files Source/WTF/wtf/dtoa/LICENSE
|
||||||
|
|
||||||
%files -f WebKit2GTK-4.0.lang
|
%files -f WebKitGTK-4.0.lang
|
||||||
%license _license_files/*ThirdParty*
|
%license _license_files/*ThirdParty*
|
||||||
%license _license_files/*WebCore*
|
%license _license_files/*WebCore*
|
||||||
%license _license_files/*WebInspectorUI*
|
%license _license_files/*WebInspectorUI*
|
||||||
@ -281,8 +298,18 @@ export NINJA_STATUS="[%f/%t][%e] "
|
|||||||
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
|
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Jul 18 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.38.5-1.5.alma
|
* Tue Dec 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.40.5-1.1.alma.1
|
||||||
- Disable JIT (CVE-2023-32435, CVE-2023-32439)
|
- Add patch for CVE-2023-42917
|
||||||
|
|
||||||
|
* Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
|
||||||
|
- Upgrade to 2.40.5. Also, disable JIT
|
||||||
|
Resolves: #2176269
|
||||||
|
Resolves: #2185742
|
||||||
|
Resolves: #2209728
|
||||||
|
Resolves: #2209745
|
||||||
|
Resolves: #2218649
|
||||||
|
Resolves: #2218651
|
||||||
|
Resolves: #2224611
|
||||||
|
|
||||||
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.4
|
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.4
|
||||||
- Add patch for CVE-2023-28204
|
- Add patch for CVE-2023-28204
|
||||||
|