Author | SHA1 | Date |
---|---|---|
eabdullin | cb3209b8b1 | |
eabdullin | 75e17ac97c | |
Andrew Lukoshko | f4a4460d0f |
@ -0,0 +1,80 @@
|
||||||
|
From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Russell Epstein <repstein@apple.com>
|
||||||
|
Date: Fri, 17 Nov 2023 15:48:32 -0800
|
||||||
|
Subject: [PATCH] Cherry-pick b0a755e34426.
|
||||||
|
https://bugs.webkit.org/show_bug.cgi?id=265067
|
||||||
|
|
||||||
|
Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
|
||||||
|
https://bugs.webkit.org/show_bug.cgi?id=265067
|
||||||
|
rdar://118548733
|
||||||
|
|
||||||
|
Reviewed by Justin Michaud and Mark Lam.
|
||||||
|
|
||||||
|
Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
|
||||||
|
Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
|
||||||
|
in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
|
||||||
|
|
||||||
|
This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
|
||||||
|
And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
|
||||||
|
|
||||||
|
* Source/JavaScriptCore/runtime/Structure.cpp:
|
||||||
|
(JSC::Structure::flattenDictionaryStructure):
|
||||||
|
|
||||||
|
Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
|
||||||
|
|
||||||
|
Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
|
||||||
|
---
|
||||||
|
Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
|
||||||
|
1 file changed, 21 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
|
||||||
|
index 2922e2478794c..9d094e2c8adc8 100644
|
||||||
|
--- a/Source/JavaScriptCore/runtime/Structure.cpp
|
||||||
|
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
|
||||||
|
@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
|
||||||
|
checkOffsetConsistency();
|
||||||
|
ASSERT(isDictionary());
|
||||||
|
ASSERT(object->structure() == this);
|
||||||
|
-
|
||||||
|
- GCSafeConcurrentJSLocker locker(m_lock, vm);
|
||||||
|
-
|
||||||
|
- object->setStructureIDDirectly(id().nuke());
|
||||||
|
- WTF::storeStoreFence();
|
||||||
|
|
||||||
|
+ Locker<JSCellLock> cellLocker(NoLockingNecessary);
|
||||||
|
+
|
||||||
|
+ PropertyTable* table = nullptr;
|
||||||
|
size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
|
||||||
|
+ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
|
||||||
|
if (isUncacheableDictionary()) {
|
||||||
|
- PropertyTable* table = propertyTableOrNull();
|
||||||
|
+ table = propertyTableOrNull();
|
||||||
|
ASSERT(table);
|
||||||
|
+ PropertyOffset maxOffset = invalidOffset;
|
||||||
|
+ if (unsigned propertyCount = table->size())
|
||||||
|
+ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
|
||||||
|
+ afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
|
||||||
|
+ if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
|
||||||
|
+ cellLocker = Locker { object->cellLock() };
|
||||||
|
+
|
||||||
|
+ GCSafeConcurrentJSLocker locker(m_lock, vm);
|
||||||
|
+
|
||||||
|
+ object->setStructureIDDirectly(id().nuke());
|
||||||
|
+ WTF::storeStoreFence();
|
||||||
|
+
|
||||||
|
+ if (isUncacheableDictionary()) {
|
||||||
|
size_t propertyCount = table->size();
|
||||||
|
|
||||||
|
// Holds our values compacted by insertion order. This is OK since GC is deferred.
|
||||||
|
@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
|
||||||
|
setDictionaryKind(NoneDictionaryKind);
|
||||||
|
setHasBeenFlattenedBefore(true);
|
||||||
|
|
||||||
|
- size_t afterOutOfLineCapacity = this->outOfLineCapacity();
|
||||||
|
+ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
|
||||||
|
|
||||||
|
if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
|
||||||
|
ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);
|
|
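Review bot: This cherry-pick is taken as-is from a Safari branch (see the two canonical links at the end of the message), so the `index 2922e2478794c..9d094e2c8adc8` blob ids and the hunk offsets (`@@ -913,17` and `@@ -955,7`) may not correspond to the 2.40.5 GTK sources this spec builds; please confirm the hunks apply without fuzz against 2.40.5, since a misplaced or rejected hunk would leave `flattenDictionaryStructure` without the new `cellLock()` while the changelog claims the CVE is fixed. The race being closed is, per the description, between compiler threads calling `getDirectConcurrently` and the butterfly shrink, and this package configures with `-DENABLE_JIT=OFF`, so the fix is presumably latent in this build; it is still correct to carry, but the changelog entry could say so. Note also that the shrink decision (`beforeOutOfLineCapacity != afterOutOfLineCapacity`) is computed before either lock is taken and only re-checked by a debug-only `ASSERT`; that is upstream's reviewed design and should not be altered in the backport. The `flattenDictionaryStructure` body continues outside the hunk.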
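--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -7,7 +7,7 @@
 
 Name: webkit2gtk3
 Version: 2.40.5
-Release: 1%{?dist}
+Release: 1%{?dist}.1.alma.1
 Summary: GTK Web content engine library
 
 License: LGPLv2
@@ -31,6 +31,10 @@ Patch2: glib-dep.patch
 # Partial revert of https://github.com/WebKit/WebKit/pull/6087
 Patch3: gstreamer-1.16.1.patch
 
+# Patches were taken from:
+# https://git.almalinux.org/rpms/webkit2gtk3/commit/876f553c6cd33386eb8b184bbc7618a1b03a2826
+Patch4: CVE-2023-42917.patch
+
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: flex
@@ -213,6 +217,7 @@ pushd %{_target_platform}
 -DUSE_SYSTEM_MALLOC=ON \
 -DENABLE_JIT=OFF \
 -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
+-DENABLE_JIT=OFF \
 -DUSE_SOUP2=ON \
 -DUSE_AVIF=OFF \
 -DENABLE_DOCUMENTATION=OFF \
@@ -293,6 +298,9 @@ export NINJA_STATUS="[%f/%t][%e] "
 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
 
 %changelog
+* Tue Dec 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.40.5-1.1.alma.1
+- Add patch for CVE-2023-42917
+
 * Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
 - Upgrade to 2.40.5. Also, disable JIT
 Resolves: #2176269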
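Review bot: The new `Patch4: CVE-2023-42917.patch` line in the second hunk only declares the patch; no hunk shows it being applied in `%prep`, so unless this spec uses `%autosetup` (not visible here) the build would ship unpatched sources while the changelog claims the CVE is fixed — please confirm, or add `%patch4 -p1` next to the existing `%patch3` line. Separately, the third hunk adds a second `-DENABLE_JIT=OFF \` two lines below an identical flag already present in the context; CMake tolerates the duplicate, but it should be dropped so the configure invocation does not suggest two different JIT settings. The `%prep` section is outside the shown hunks.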