import webkit2gtk3-2.40.5-1.el9_3.1

c9 imports/c9/webkit2gtk3-2.40.5-1.el9_3.1
MSVSphere Packaging Team 1 year ago
parent fffcc0c1fd
commit d345afdca2

@ -0,0 +1,80 @@
From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
From: Russell Epstein <repstein@apple.com>
Date: Fri, 17 Nov 2023 15:48:32 -0800
Subject: [PATCH] Cherry-pick b0a755e34426.
https://bugs.webkit.org/show_bug.cgi?id=265067
Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
https://bugs.webkit.org/show_bug.cgi?id=265067
rdar://118548733
Reviewed by Justin Michaud and Mark Lam.
Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
---
Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
index 2922e2478794c..9d094e2c8adc8 100644
--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
checkOffsetConsistency();
ASSERT(isDictionary());
ASSERT(object->structure() == this);
-
- GCSafeConcurrentJSLocker locker(m_lock, vm);
-
- object->setStructureIDDirectly(id().nuke());
- WTF::storeStoreFence();
+ Locker<JSCellLock> cellLocker(NoLockingNecessary);
+
+ PropertyTable* table = nullptr;
size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
+ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
if (isUncacheableDictionary()) {
- PropertyTable* table = propertyTableOrNull();
+ table = propertyTableOrNull();
ASSERT(table);
+ PropertyOffset maxOffset = invalidOffset;
+ if (unsigned propertyCount = table->size())
+ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
+ afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
+ }
+ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
+ if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
+ cellLocker = Locker { object->cellLock() };
+
+ GCSafeConcurrentJSLocker locker(m_lock, vm);
+
+ object->setStructureIDDirectly(id().nuke());
+ WTF::storeStoreFence();
+
+ if (isUncacheableDictionary()) {
size_t propertyCount = table->size();
// Holds our values compacted by insertion order. This is OK since GC is deferred.
@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
setDictionaryKind(NoneDictionaryKind);
setHasBeenFlattenedBefore(true);
- size_t afterOutOfLineCapacity = this->outOfLineCapacity();
+ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);

@ -12,7 +12,7 @@
Name: webkit2gtk3 Name: webkit2gtk3
Version: 2.40.5 Version: 2.40.5
Release: 1%{?dist} Release: 1%{?dist}.1
Summary: GTK Web content engine library Summary: GTK Web content engine library
License: LGPLv2 License: LGPLv2
@ -24,6 +24,8 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
# $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg
Source2: webkitgtk-keys.gpg Source2: webkitgtk-keys.gpg
Patch: CVE-2023-42917.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: bubblewrap BuildRequires: bubblewrap
BuildRequires: cmake BuildRequires: cmake
@ -291,6 +293,10 @@ export NINJA_STATUS="[%f/%t][%e] "
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
%changelog %changelog
* Tue Dec 05 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1.1
- Add patch for CVE-2023-42917
Resolves: RHEL-18173
* Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1 * Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
- Update to 2.40.5 - Update to 2.40.5
Related: #2176270 Related: #2176270

Loading…
Cancel
Save