import webkit2gtk3-2.36.7-1.el9_1.1

c9 imports/c9/webkit2gtk3-2.36.7-1.el9_1.1
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 0951a6e821
commit 3ca674197a

@ -0,0 +1,78 @@
From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001
From: Mark Lam <mark.lam@apple.com>
Date: Mon, 19 Dec 2022 17:32:15 -0800
Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1).
rdar://102531234
The provenType filtering in FTL's speculateRealNumber is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=248266
<rdar://problem/102531234>
Reviewed by Justin Michaud.
speculateRealNumber does a doubleEqual compare, which filters out double values which
are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.
Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
a proven type of
{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }
which yields
{ SpecInt32Only }.
As a result, the compiler will think that that isNotIn32() check will always fail. This
is not correct if the actual incoming value for that edge is actually a PureNaN. In this
case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
the isNotInt32() check will always fail and elide the check altogether.
In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
rename the `intCase` block to `intOrNaNCase` to document what it actually handles.
* JSTests/stress/speculate-real-number-in-object-is.js: Added.
(test.object_is_opt):
(test):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch
Canonical link: https://commits.webkit.org/258113@main
---
.../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
2 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
index 3ba2d21b8072..18d13f1941bb 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END
LValue value = lowJSValue(edge, ManualOperandSpeculation);
LValue doubleValue = unboxDouble(value);
- LBasicBlock intCase = m_out.newBlock();
+ LBasicBlock intOrNaNCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
m_out.branch(
m_out.doubleEqual(doubleValue, doubleValue),
- usually(continuation), rarely(intCase));
+ usually(continuation), rarely(intOrNaNCase));
- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
+ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);
typeCheck(
jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
+ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);

@ -17,7 +17,7 @@
Name: webkit2gtk3 Name: webkit2gtk3
Version: 2.36.7 Version: 2.36.7
Release: 1%{?dist} Release: 1%{?dist}.1
Summary: GTK Web content engine library Summary: GTK Web content engine library
License: LGPLv2 License: LGPLv2
@ -35,6 +35,9 @@ Source2: webkitgtk-keys.gpg
Patch0: aarch64-page-size.patch Patch0: aarch64-page-size.patch
%endif %endif
# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
Patch1: CVE-2022-42856.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: bubblewrap BuildRequires: bubblewrap
BuildRequires: cmake BuildRequires: cmake
@ -320,9 +323,45 @@ export NINJA_STATUS="[%f/%t][%e] "
%endif %endif
%changelog %changelog
* Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
- Add patch for CVE-2022-42856
Resolves: #2153738
* Wed Aug 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1 * Wed Aug 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1
- Update to 2.36.7 - Update to 2.36.7
Related: #2123430 Related: #2061996
* Tue Aug 09 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.6-1
- Update to 2.36.6
Related: #2061996
* Tue Aug 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-2
- Fix Eclipse after update to 2.36.5
Related: #2061996
* Thu Jul 28 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-1
- Update to 2.36.5
Related: #2061996
* Tue Jul 05 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.4-1
- Update to 2.36.4
Related: #2061996
* Thu Jun 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.3-1
- Update to 2.36.3
- Related: #2061996
- Resolves: #2092749
* Wed May 18 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.2-1
- Update to 2.36.2
Related: #2061996
* Thu Apr 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.1-1
- Update to 2.36.1
Related: #2061996
- Resolves: #2075493
- Resolves: #2075495
- Resolves: #2075497
* Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1 * Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1
- Update to 2.34.6 - Update to 2.34.6

Loading…
Cancel
Save