diff --git a/.gitignore b/.gitignore
index b869c65..6604850 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/webkitgtk-2.36.7.tar.xz
+SOURCES/webkitgtk-2.38.5.tar.xz
 SOURCES/webkitgtk-keys.gpg
diff --git a/.webkit2gtk3.metadata b/.webkit2gtk3.metadata
index 427716f..3cff2b7 100644
--- a/.webkit2gtk3.metadata
+++ b/.webkit2gtk3.metadata
@@ -1,2 +1,2 @@
-36078148b6e0ef002f0279b25b1caf173f851ac8 SOURCES/webkitgtk-2.36.7.tar.xz
+1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
 cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
diff --git a/SOURCES/CVE-2022-42856.patch b/SOURCES/CVE-2022-42856.patch
deleted file mode 100644
index 34f4d74..0000000
--- a/SOURCES/CVE-2022-42856.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001 -From: Mark Lam -Date: Mon, 19 Dec 2022 17:32:15 -0800 -Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1). - rdar://102531234 - - The provenType filtering in FTL's speculateRealNumber is incorrect. - https://bugs.webkit.org/show_bug.cgi?id=248266 - - - Reviewed by Justin Michaud. - - speculateRealNumber does a doubleEqual compare, which filters out double values which - are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block, - the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble. - - Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal, - SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and - SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering - of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given - a proven type of - - { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN } - - which yields - - { SpecInt32Only }. - - As a result, the compiler will think that that isNotIn32() check will always fail. This - is not correct if the actual incoming value for that edge is actually a PureNaN. In this - case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that - the isNotInt32() check will always fail and elide the check altogether. - - In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also - rename the `intCase` block to `intOrNaNCase` to document what it actually handles. - - * JSTests/stress/speculate-real-number-in-object-is.js: Added. 
- (test.object_is_opt): - (test): - * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): - - Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch - -Canonical link: https://commits.webkit.org/258113@main ---- - .../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++ - Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++---- - 2 files changed, 26 insertions(+), 4 deletions(-) - create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js - -diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -index 3ba2d21b8072..18d13f1941bb 100644 ---- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp -@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END - LValue value = lowJSValue(edge, ManualOperandSpeculation); - LValue doubleValue = unboxDouble(value); - -- LBasicBlock intCase = m_out.newBlock(); -+ LBasicBlock intOrNaNCase = m_out.newBlock(); - LBasicBlock continuation = m_out.newBlock(); - - m_out.branch( - m_out.doubleEqual(doubleValue, doubleValue), -- usually(continuation), rarely(intCase)); -+ usually(continuation), rarely(intOrNaNCase)); - -- LBasicBlock lastNext = m_out.appendTo(intCase, continuation); -+ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation); - - typeCheck( - jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber, -- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble)); -+ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal)); - m_out.jump(continuation); - - m_out.appendTo(continuation, lastNext); diff --git a/SOURCES/CVE-2023-23529.patch b/SOURCES/CVE-2023-23529.patch deleted file mode 100644 index df0ef56..0000000 --- a/SOURCES/CVE-2023-23529.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001 -From: Yusuke Suzuki -Date: Wed, 8 Feb 2023 15:32:00 -0800 -Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768 - - [JSC] ToThis object folding should check if AbstractValue is always an object - https://bugs.webkit.org/show_bug.cgi?id=251944 - rdar://105175786 - - Reviewed by Geoffrey Garen and Mark Lam. - - ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding. - This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects. - This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example. - - * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::isToThisAnIdentity): - - Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch ---- - .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -index ea7bcd6b7b31..ef3f6bbe376e 100644 ---- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h -@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& - } - } - -- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) { -+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject); -+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) { - bool allStructuresAreJSScope = !valueForNode.m_structure.isClear(); - bool overridesToThis = false; - valueForNode.m_structure.forEach([&](RegisteredStructure structure) { -@@ -226,9 
+227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& - // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation. - allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis; - }); -+ -+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity. - if (!overridesToThis) - return ToThisResult::Identity; -- if (allStructuresAreJSScope) { -+ -+ // But this folding is available only if input is always an object. -+ if (onlyObjects && allStructuresAreJSScope) { - if (ecmaMode.isStrict()) - return ToThisResult::Undefined; - return ToThisResult::GlobalThis; --- -2.39.1 - diff --git a/SOURCES/CVE-2023-28205.patch b/SOURCES/CVE-2023-28205.patch deleted file mode 100644 index 4c72ad1..0000000 --- a/SOURCES/CVE-2023-28205.patch +++ /dev/null 
@@ -1,652 +0,0 @@ -From 162f94957f5a65aa0177bdea2b5810d44b637b5a Mon Sep 17 00:00:00 2001 -From: Mark Lam -Date: Fri, 31 Mar 2023 10:49:49 -0700 -Subject: [PATCH] Cherry-pick 259548.395@safari-7615.1.26.11-branch - (1039f0c3235f). - - Cherry-pick 2c49ff7b0481. rdar://problem/107369977 - - CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. - https://bugs.webkit.org/show_bug.cgi?id=254797 - rdar://107369977 - - Reviewed by Justin Michaud. - - Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects - in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot - scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector - template class that offer 2 enhancements: - - 1. It can be configured to store specific types of cell pointer types. This avoids us - having to constantly cast JSValues into these pointers. - - 2. It allows us to specify the type of OverflowHandler we want to use. In this case, - we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes - RecordOnOverflow. This allows us to avoid having to manually check for overflows, - or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be - used as a drop in replacement for Vector. - - And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors - with MarkedVector instead. - - * Source/JavaScriptCore/heap/Heap.cpp: - (JSC::Heap::addCoreConstraints): - * Source/JavaScriptCore/heap/Heap.h: - * Source/JavaScriptCore/heap/HeapInlines.h: - * Source/JavaScriptCore/runtime/ArgList.cpp: - (JSC::MarkedVectorBase::addMarkSet): - (JSC::MarkedVectorBase::markLists): - (JSC::MarkedVectorBase::slowEnsureCapacity): - (JSC::MarkedVectorBase::expandCapacity): - (JSC::MarkedVectorBase::slowAppend): - (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted. - (JSC::MarkedArgumentBufferBase::markLists): Deleted. 
- (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted. - (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted. - (JSC::MarkedArgumentBufferBase::slowAppend): Deleted. - * Source/JavaScriptCore/runtime/ArgList.h: - (JSC::MarkedVectorWithSize::MarkedVectorWithSize): - (JSC::MarkedVectorWithSize::at const): - (JSC::MarkedVectorWithSize::clear): - (JSC::MarkedVectorWithSize::append): - (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow): - (JSC::MarkedVectorWithSize::last const): - (JSC::MarkedVectorWithSize::takeLast): - (JSC::MarkedVectorWithSize::ensureCapacity): - (JSC::MarkedVectorWithSize::hasOverflowed): - (JSC::MarkedVectorWithSize::fill): - (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted. - * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp: - (WebCore::AudioWorkletProcessor::buildJSArguments): - * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h: - * Source/WebCore/bindings/js/SerializedScriptValue.cpp: - (WebCore::CloneDeserializer::deserialize): - - Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch - - Identifier: 259548.395@safari-7615.1.26.11-branch ---- - Source/JavaScriptCore/heap/Heap.cpp | 6 +- - Source/JavaScriptCore/heap/Heap.h | 8 +- - Source/JavaScriptCore/heap/HeapInlines.h | 6 +- - Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++-- - Source/JavaScriptCore/runtime/ArgList.h | 206 ++++++++++-------- - .../webaudio/AudioWorkletProcessor.cpp | 4 +- - .../Modules/webaudio/AudioWorkletProcessor.h | 7 +- - .../bindings/js/SerializedScriptValue.cpp | 11 +- - 8 files changed, 160 insertions(+), 134 deletions(-) - -diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp -index 8e53ddead1fd..7e3f8487f3db 100644 ---- a/Source/JavaScriptCore/heap/Heap.cpp -+++ b/Source/JavaScriptCore/heap/Heap.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2003-2022 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. 
- * Copyright (C) 2007 Eric Seidel - * - * This library is free software; you can redistribute it and/or -@@ -2836,9 +2836,9 @@ void Heap::addCoreConstraints() - visitor.appendUnbarriered(pair.key); - } - -- if (m_markListSet && m_markListSet->size()) { -+ if (!m_markListSet.isEmpty()) { - SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan); -- MarkedArgumentBufferBase::markLists(visitor, *m_markListSet); -+ MarkedVectorBase::markLists(visitor, m_markListSet); - } - - { -diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h -index af0e4c46a6ce..fd8cf668baae 100644 ---- a/Source/JavaScriptCore/heap/Heap.h -+++ b/Source/JavaScriptCore/heap/Heap.h -@@ -1,7 +1,7 @@ - /* - * Copyright (C) 1999-2000 Harri Porten (porten@kde.org) - * Copyright (C) 2001 Peter Kelly (pmk@post.com) -- * Copyright (C) 2003-2022 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public -@@ -85,7 +85,7 @@ class MarkStackArray; - class MarkStackMergingConstraint; - class MarkedJSValueRefArray; - class BlockDirectory; --class MarkedArgumentBufferBase; -+class MarkedVectorBase; - class MarkingConstraint; - class MarkingConstraintSet; - class MutatorScheduler; -@@ -410,7 +410,7 @@ public: - JS_EXPORT_PRIVATE std::unique_ptr protectedObjectTypeCounts(); - JS_EXPORT_PRIVATE std::unique_ptr objectTypeCounts(); - -- HashSet& markListSet(); -+ HashSet& markListSet(); - void addMarkedJSValueRefArray(MarkedJSValueRefArray*); - - template void forEachProtectedCell(const Functor&); -@@ -779,7 +779,7 @@ private: - size_t m_deprecatedExtraMemorySize { 0 }; - - ProtectCountSet m_protectedValues; -- std::unique_ptr> m_markListSet; -+ HashSet m_markListSet; - SentinelLinkedList> m_markedJSValueRefArrays; - - std::unique_ptr m_machineThreads; -diff --git a/Source/JavaScriptCore/heap/HeapInlines.h 
b/Source/JavaScriptCore/heap/HeapInlines.h -index 39c06b659d9c..4d767a564d5f 100644 ---- a/Source/JavaScriptCore/heap/HeapInlines.h -+++ b/Source/JavaScriptCore/heap/HeapInlines.h -@@ -206,11 +206,9 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded() - } - } - --inline HashSet& Heap::markListSet() -+inline HashSet& Heap::markListSet() - { -- if (!m_markListSet) -- m_markListSet = makeUnique>(); -- return *m_markListSet; -+ return m_markListSet; - } - - inline void Heap::reportExtraMemoryAllocated(size_t size) -diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp -index f2815b80c8c7..a72dea74a56f 100644 ---- a/Source/JavaScriptCore/runtime/ArgList.cpp -+++ b/Source/JavaScriptCore/runtime/ArgList.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2003-2021 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Library General Public -@@ -27,7 +27,7 @@ using std::min; - - namespace JSC { - --void MarkedArgumentBufferBase::addMarkSet(JSValue v) -+void MarkedVectorBase::addMarkSet(JSValue v) - { - if (m_markSet) - return; -@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const - } - - template --void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet) -+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet) - { - ListSet::iterator end = markSet.end(); - for (ListSet::iterator it = markSet.begin(); it != end; ++it) { -- MarkedArgumentBufferBase* list = *it; -+ MarkedVectorBase* list = *it; - for (int i = 0; i < list->m_size; ++i) - visitor.appendUnbarriered(JSValue::decode(list->slotFor(i))); - } - } - --template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&); --template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&); -+template void 
MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&); -+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&); - --void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity) -+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status - { - setNeedsOverflowCheck(); - auto checkedNewCapacity = CheckedInt32(requestedCapacity); - if (UNLIKELY(checkedNewCapacity.hasOverflowed())) -- return this->overflowed(); -- expandCapacity(checkedNewCapacity); -+ return Status::Overflowed; -+ return expandCapacity(checkedNewCapacity); - } - --void MarkedArgumentBufferBase::expandCapacity() -+auto MarkedVectorBase::expandCapacity() -> Status - { - setNeedsOverflowCheck(); - auto checkedNewCapacity = CheckedInt32(m_capacity) * 2; - if (UNLIKELY(checkedNewCapacity.hasOverflowed())) -- return this->overflowed(); -- expandCapacity(checkedNewCapacity); -+ return Status::Overflowed; -+ return expandCapacity(checkedNewCapacity); - } - --void MarkedArgumentBufferBase::expandCapacity(int newCapacity) -+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status - { - setNeedsOverflowCheck(); - ASSERT(m_capacity < newCapacity); - auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue); - if (UNLIKELY(checkedSize.hasOverflowed())) -- return this->overflowed(); -+ return Status::Overflowed; - EncodedJSValue* newBuffer = static_cast(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize)); - if (!newBuffer) -- return this->overflowed(); -+ return Status::Overflowed; - for (int i = 0; i < m_size; ++i) { - newBuffer[i] = m_buffer[i]; - addMarkSet(JSValue::decode(m_buffer[i])); -@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity) - - m_buffer = newBuffer; - m_capacity = newCapacity; -+ return Status::Success; - } - --void MarkedArgumentBufferBase::slowAppend(JSValue v) -+auto MarkedVectorBase::slowAppend(JSValue v) -> Status - { - ASSERT(m_size <= m_capacity); -- if (m_size == m_capacity) -- 
expandCapacity(); -- if (UNLIKELY(Base::hasOverflowed())) { -- ASSERT(m_needsOverflowCheck); -- return; -+ if (m_size == m_capacity) { -+ auto status = expandCapacity(); -+ if (status == Status::Overflowed) { -+ ASSERT(m_needsOverflowCheck); -+ return status; -+ } - } -- - slotFor(m_size) = JSValue::encode(v); - ++m_size; - addMarkSet(v); -+ return Status::Success; - } - - } // namespace JSC -diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h -index 8ea9b0e308b8..07632263266b 100644 ---- a/Source/JavaScriptCore/runtime/ArgList.h -+++ b/Source/JavaScriptCore/runtime/ArgList.h -@@ -28,20 +28,20 @@ - - namespace JSC { - --class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow { -- WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase); -- WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase); -+class alignas(alignof(EncodedJSValue)) MarkedVectorBase { -+ WTF_MAKE_NONCOPYABLE(MarkedVectorBase); -+ WTF_MAKE_NONMOVABLE(MarkedVectorBase); - WTF_FORBID_HEAP_ALLOCATION; - friend class VM; - friend class ArgList; - -+protected: -+ enum class Status { Success, Overflowed }; - public: -- using Base = RecordOverflow; -- typedef HashSet ListSet; -+ typedef HashSet ListSet; - -- ~MarkedArgumentBufferBase() -+ ~MarkedVectorBase() - { -- ASSERT(!m_needsOverflowCheck); - if (m_markSet) - m_markSet->remove(this); - -@@ -52,92 +52,20 @@ public: - size_t size() const { return m_size; } - bool isEmpty() const { return !m_size; } - -- JSValue at(int i) const -- { -- if (i >= m_size) -- return jsUndefined(); -- -- return JSValue::decode(slotFor(i)); -- } -- -- void clear() -- { -- ASSERT(!m_needsOverflowCheck); -- clearOverflow(); -- m_size = 0; -- } -- -- enum OverflowCheckAction { -- CrashOnOverflow, -- WillCheckLater -- }; -- template -- void appendWithAction(JSValue v) -- { -- ASSERT(m_size <= m_capacity); -- if (m_size == m_capacity || mallocBase()) { -- slowAppend(v); -- if (action == CrashOnOverflow) -- 
RELEASE_ASSERT(!hasOverflowed()); -- return; -- } -- -- slotFor(m_size) = JSValue::encode(v); -- ++m_size; -- } -- void append(JSValue v) { appendWithAction(v); } -- void appendWithCrashOnOverflow(JSValue v) { appendWithAction(v); } -- - void removeLast() - { - ASSERT(m_size); - m_size--; - } - -- JSValue last() -- { -- ASSERT(m_size); -- return JSValue::decode(slotFor(m_size - 1)); -- } -- -- JSValue takeLast() -- { -- JSValue result = last(); -- removeLast(); -- return result; -- } -- - template static void markLists(Visitor&, ListSet&); - -- void ensureCapacity(size_t requestedCapacity) -- { -- if (requestedCapacity > static_cast(m_capacity)) -- slowEnsureCapacity(requestedCapacity); -- } -- -- bool hasOverflowed() -- { -- clearNeedsOverflowCheck(); -- return Base::hasOverflowed(); -- } -- - void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); } - -- template -- void fill(size_t count, const Functor& func) -- { -- ASSERT(!m_size); -- ensureCapacity(count); -- if (Base::hasOverflowed()) -- return; -- m_size = count; -- func(reinterpret_cast(&slotFor(0))); -- } -- - protected: - // Constructor for a read-write list, to which you may append values. - // FIXME: Remove all clients of this API, then remove this API. 
-- MarkedArgumentBufferBase(size_t capacity) -+ MarkedVectorBase(size_t capacity) - : m_size(0) - , m_capacity(capacity) - , m_buffer(inlineBuffer()) -@@ -147,17 +75,16 @@ protected: - - EncodedJSValue* inlineBuffer() - { -- return bitwise_cast(bitwise_cast(this) + sizeof(MarkedArgumentBufferBase)); -+ return bitwise_cast(bitwise_cast(this) + sizeof(MarkedVectorBase)); - } - --private: -- void expandCapacity(); -- void expandCapacity(int newCapacity); -- void slowEnsureCapacity(size_t requestedCapacity); -+ Status expandCapacity(); -+ Status expandCapacity(int newCapacity); -+ Status slowEnsureCapacity(size_t requestedCapacity); - - void addMarkSet(JSValue); - -- JS_EXPORT_PRIVATE void slowAppend(JSValue); -+ JS_EXPORT_PRIVATE Status slowAppend(JSValue); - - EncodedJSValue& slotFor(int item) const - { -@@ -172,11 +99,14 @@ private: - } - - #if ASSERT_ENABLED -- void setNeedsOverflowCheck() { m_needsOverflowCheck = true; } -+ void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; } -+ void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; } - void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; } - - bool m_needsOverflowCheck { false }; -+ bool m_overflowCheckEnabled { true }; - #else -+ void disableNeedsOverflowCheck() { } - void setNeedsOverflowCheck() { } - void clearNeedsOverflowCheck() { } - #endif // ASSERT_ENABLED -@@ -186,22 +116,114 @@ private: - ListSet* m_markSet; - }; - --template --class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase { -+template -+class MarkedVector : public OverflowHandler, public MarkedVectorBase { - public: - static constexpr size_t inlineCapacity = passedInlineCapacity; - -- MarkedArgumentBufferWithSize() -- : MarkedArgumentBufferBase(inlineCapacity) -+ MarkedVector() -+ : MarkedVectorBase(inlineCapacity) - { - ASSERT(inlineBuffer() == m_inlineBuffer); -+ if constexpr (std::is_same_v) { -+ // CrashOnOverflow handles overflows immediately. 
So, we do not -+ // need to check for it after. -+ disableNeedsOverflowCheck(); -+ } -+ } -+ -+ auto at(int i) const -> decltype(auto) -+ { -+ if constexpr (std::is_same_v) { -+ if (i >= m_size) -+ return jsUndefined(); -+ return JSValue::decode(slotFor(i)); -+ } else { -+ if (i >= m_size) -+ return static_cast(nullptr); -+ return jsCast(JSValue::decode(slotFor(i)).asCell()); -+ } -+ } -+ -+ void clear() -+ { -+ ASSERT(!m_needsOverflowCheck); -+ OverflowHandler::clearOverflow(); -+ m_size = 0; -+ } -+ -+ void append(T v) -+ { -+ ASSERT(m_size <= m_capacity); -+ if (m_size == m_capacity || mallocBase()) { -+ if (slowAppend(v) == Status::Overflowed) -+ this->overflowed(); -+ return; -+ } -+ -+ slotFor(m_size) = JSValue::encode(v); -+ ++m_size; -+ } -+ -+ void appendWithCrashOnOverflow(T v) -+ { -+ append(v); -+ if constexpr (!std::is_same::value) -+ RELEASE_ASSERT(!this->hasOverflowed()); -+ } -+ -+ auto last() const -> decltype(auto) -+ { -+ if constexpr (std::is_same_v) { -+ ASSERT(m_size); -+ return JSValue::decode(slotFor(m_size - 1)); -+ } else { -+ ASSERT(m_size); -+ return jsCast(JSValue::decode(slotFor(m_size - 1)).asCell()); -+ } -+ } -+ -+ JSValue takeLast() -+ { -+ JSValue result = last(); -+ removeLast(); -+ return result; -+ } -+ -+ void ensureCapacity(size_t requestedCapacity) -+ { -+ if (requestedCapacity > static_cast(m_capacity)) { -+ if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed) -+ this->overflowed(); -+ } -+ } -+ -+ bool hasOverflowed() -+ { -+ clearNeedsOverflowCheck(); -+ return OverflowHandler::hasOverflowed(); -+ } -+ -+ template -+ void fill(size_t count, const Functor& func) -+ { -+ ASSERT(!m_size); -+ ensureCapacity(count); -+ if (OverflowHandler::hasOverflowed()) -+ return; -+ m_size = count; -+ func(reinterpret_cast(&slotFor(0))); - } - - private: - EncodedJSValue m_inlineBuffer[inlineCapacity] { }; - }; - --using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>; -+template -+class MarkedArgumentBufferWithSize : 
public MarkedVector { -+}; -+ -+using MarkedArgumentBuffer = MarkedVector; - - class ArgList { - WTF_MAKE_FAST_ALLOCATED; -diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -index c8c486a6e9a6..4f0a26574132 100644 ---- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2020 Apple Inc. All rights reserved. -+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -218,7 +218,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop - ASSERT(!isMainThread()); - } - --void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap) -+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap) - { - // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes. - if (!copyDataFromBusesToJSArray(vm, globalObject, inputs, toJSArray(m_jsInputs))) -diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -index 7d256ea557bb..9ad78225ee51 100644 ---- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2020 Apple Inc. All rights reserved. -+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -40,7 +40,8 @@ - - namespace JSC { - class JSArray; --class MarkedArgumentBufferBase; -+template class MarkedVector; -+using MarkedArgumentBuffer = MarkedVector; - } - - namespace WebCore { -@@ -69,7 +70,7 @@ public: - - private: - explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&); -- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap); -+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector>& inputs, Vector>& outputs, const HashMap>& paramValuesMap); - - AudioWorkletGlobalScope& m_globalScope; - String m_name; -diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -index 2e6038948a8a..a9841fe057b8 100644 ---- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp -+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -@@ -539,6 +539,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000; - using DeserializationResult = std::pair; - - class CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - protected: - CloneBase(JSGlobalObject* lexicalGlobalObject) - : m_lexicalGlobalObject(lexicalGlobalObject) -@@ -616,6 +617,7 @@ template <> bool writeLittleEndian(Vector& buffer, const uint8 - } - - class CloneSerializer : CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - public: - static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector>& messagePorts, Vector>& arrayBuffers, const Vector>& imageBitmaps, - #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS) -@@ -2148,6 +2150,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in) - } - - class CloneDeserializer : CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - public: - static 
String deserializeString(const Vector& buffer) - { -@@ -3920,10 +3923,10 @@ DeserializationResult CloneDeserializer::deserialize() - - Vector indexStack; - Vector propertyNameStack; -- Vector outputObjectStack; -- Vector mapKeyStack; -- Vector mapStack; -- Vector setStack; -+ MarkedVector outputObjectStack; -+ MarkedVector mapKeyStack; -+ MarkedVector mapStack; -+ MarkedVector setStack; - Vector stateStack; - WalkerState lexicalGlobalObject = StateUnknown; - JSValue outValue; --- -2.40.0 - diff --git a/SOURCES/aarch64-page-size.patch b/SOURCES/aarch64-page-size.patch deleted file mode 100644 index 15aaacb..0000000 --- a/SOURCES/aarch64-page-size.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/Source/WTF/wtf/PageBlock.h b/Source/WTF/wtf/PageBlock.h -index 9bb7fffcc1ae..3e1e24aa69f5 100644 ---- a/Source/WTF/wtf/PageBlock.h -+++ b/Source/WTF/wtf/PageBlock.h -@@ -45,11 +45,11 @@ namespace WTF { - // On Linux, Power systems normally use 64 KiB pages. - // - // Use 64 KiB for any unknown CPUs to be conservative. --#if OS(DARWIN) || PLATFORM(PLAYSTATION) || CPU(MIPS) || CPU(MIPS64) || (OS(LINUX) && CPU(ARM64)) -+#if OS(DARWIN) || PLATFORM(PLAYSTATION) || CPU(MIPS) || CPU(MIPS64) - constexpr size_t CeilingOnPageSize = 16 * KB; --#elif CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || CPU(UNKNOWN) -+#elif CPU(PPC) || CPU(PPC64) || CPU(PPC64LE) || CPU(UNKNOWN) || CPU(ARM64) - constexpr size_t CeilingOnPageSize = 64 * KB; --#elif OS(WINDOWS) || CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(ARM64) || CPU(RISCV64) -+#elif OS(WINDOWS) || CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(RISCV64) - constexpr size_t CeilingOnPageSize = 4 * KB; - #else - #error Must set CeilingOnPageSize in PageBlock.h when adding a new CPU architecture! diff --git a/SOURCES/webkitgtk-2.36.7.tar.xz.asc b/SOURCES/webkitgtk-2.36.7.tar.xz.asc deleted file mode 100644 index 55b27a8..0000000 --- a/SOURCES/webkitgtk-2.36.7.tar.xz.asc +++ /dev/null 
@@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iF0EABECAB0WIQRao7wzT9fjNp58d7KRxVnb5MkSOwUCYwaNMwAKCRCRxVnb5MkS -OwFGAJ9cz5+l3fKydXxOgJWDLBvlavsI1ACfbkmK0bmhBExS7febO1y16Ftd91Q= -=Zhg7 ------END PGP SIGNATURE----- diff --git a/SOURCES/webkitgtk-2.38.5.tar.xz.asc b/SOURCES/webkitgtk-2.38.5.tar.xz.asc new file mode 100644 index 0000000..a285466 --- /dev/null +++ b/SOURCES/webkitgtk-2.38.5.tar.xz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC +w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk= +=or/S +-----END PGP SIGNATURE----- diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec index 1c4be2a..3dbfc73 100644 --- a/SPECS/webkit2gtk3.spec +++ b/SPECS/webkit2gtk3.spec @@ -10,14 +10,9 @@ %global with_gamepad 1 %endif -# Build documentation by default (use `rpmbuild --without docs` to override it). -# This is used by Coverity. Coverity injects custom compiler warnings, but -# any warning during WebKit docs build is fatal! -%bcond_without docs - Name: webkit2gtk3 -Version: 2.36.7 -Release: 1%{?dist}.3 +Version: 2.38.5 +Release: 1%{?dist} Summary: GTK Web content engine library License: LGPLv2 @@ -29,19 +24,6 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc # $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg Source2: webkitgtk-keys.gpg -%if 0%{?rhel} -# https://bugs.webkit.org/show_bug.cgi?id=217989 -# https://bugs.webkit.org/show_bug.cgi?id=227905 -Patch0: aarch64-page-size.patch -%endif - -# https://bugzilla.redhat.com/show_bug.cgi?id=2153683 -Patch1: CVE-2022-42856.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2169934 -Patch2: CVE-2023-23529.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2185744 -Patch3: CVE-2023-28205.patch - BuildRequires: bison BuildRequires: bubblewrap BuildRequires: cmake 
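Review bot: Dropping `Patch3: CVE-2023-28205.patch` in the `@@ -29,19 +24,6 @@` hunk assumes the fix is already in webkitgtk 2.38.5, but the deleted patch carries an author date of 31 Mar 2023 while this commit's own changelog entry for 2.38.5 is dated 15 Feb 2023, so the upstream fix (bug 254797, the MarkedVector change in CloneDeserializer::deserialize) was authored after that release and is unlikely to be part of it; unless the rebase target has been verified to contain it, this hunk regresses the CVE-2023-28205 mitigation that 2.36.7-1.3 shipped. The same verification is owed, though less sharply, for CVE-2022-42856 and CVE-2023-23529, whose patches predate the 2.38.5 changelog date. The changelog hunk on the last line records only the version bumps and never states that the three CVE patches were removed or why; once the upstream inclusion is confirmed, add a line such as `- Drop CVE-2022-42856, CVE-2023-23529 and CVE-2023-28205 patches (fixed upstream)`, and otherwise keep Patch3 applied on top of 2.38.5.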
@@ -51,7 +33,6 @@ BuildRequires: gettext BuildRequires: git BuildRequires: gnupg2 BuildRequires: gperf -BuildRequires: gtk-doc BuildRequires: hyphen-devel BuildRequires: libatomic BuildRequires: ninja-build @@ -135,6 +116,10 @@ Provides: webkitgtk4 = %{version}-%{release} Obsoletes: webkit2gtk3-plugin-process-gtk2 < %{version}-%{release} Provides: webkit2gtk3-plugin-process-gtk2 = %{version}-%{release} +# Don't build documentation anymore to avoid gi-docgen dependency +Obsoletes: webkit2gtk3-doc < %{version}-%{release} +Provides: webkit2gtk3-doc = %{version}-%{release} + # We're supposed to specify versions here, but these libraries don't do # normal releases. Accordingly, they're not suitable to be system libs. Provides: bundled(angle) @@ -164,18 +149,6 @@ Provides: webkitgtk4-devel = %{version}-%{release} The %{name}-devel package contains libraries, build data, and header files for developing applications that use %{name}. -%if %{with docs} -%package doc -Summary: Documentation files for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} -Obsoletes: webkitgtk4-doc < %{version}-%{release} -Provides: webkitgtk4-doc = %{version}-%{release} - -%description doc -This package contains developer documentation for %{name}. -%endif - %package jsc Summary: JavaScript engine from %{name} Obsoletes: webkitgtk4-jsc < %{version}-%{release} @@ -231,11 +204,8 @@ rm -rf Source/ThirdParty/qunit/ -GNinja \ -DPORT=GTK \ -DCMAKE_BUILD_TYPE=Release \ - -DENABLE_MINIBROWSER=ON \ -DUSE_SOUP2=ON \ -%if %{with docs} - -DENABLE_GTKDOC=ON \ -%endif + -DENABLE_DOCUMENTATION=OFF \ %if !0%{?with_gamepad} -DENABLE_GAMEPAD=OFF \ %endif @@ -244,8 +214,7 @@ rm -rf Source/ThirdParty/qunit/ %endif %if 0%{?rhel} %ifarch aarch64 - -DENABLE_JIT=OFF \ - -DUSE_SYSTEM_MALLOC=ON \ + -DUSE_64KB_PAGE_BLOCK=ON \ %endif %endif %{nil} 
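Review bot: In the `@@ -244,8 +214,7 @@` hunk, replacing `-DENABLE_JIT=OFF` and `-DUSE_SYSTEM_MALLOC=ON` with `-DUSE_64KB_PAGE_BLOCK=ON` re-enables the JavaScriptCore JIT and the bundled allocator on RHEL aarch64, which is a larger behavioural and security-posture change than the changelog line "Fix use with aarch64 64 KiB page size" conveys. Re-enabling the JIT widens the attack surface of the web process on that architecture, while dropping the system-malloc build restores the Gigacage isolation that the previous flags had switched off; both effects should be stated explicitly in the changelog and in a spec comment next to the `%ifarch aarch64` block, e.g. `# 64 KiB pages: use the upstream page-block option instead of disabling JIT (replaces aarch64-page-size.patch)`. If the JIT was disabled on aarch64 for a reason other than the page-size issue tracked by the removed `Patch0` comment (bugs 217989 and 227905), that reason should be restated here before the flag is removed.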
@@ -317,27 +286,30 @@ export NINJA_STATUS="[%f/%t][%e] " %dir %{_datadir}/gir-1.0 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir -%if %{with docs} -%files doc -%dir %{_datadir}/gtk-doc -%dir %{_datadir}/gtk-doc/html -%{_datadir}/gtk-doc/html/jsc-glib-4.0/ -%{_datadir}/gtk-doc/html/webkit2gtk-4.0/ -%{_datadir}/gtk-doc/html/webkitdomgtk-4.0/ -%endif - %changelog -* Tue Apr 11 2023 Michael Catanzaro - 2.36.7-1.3 -- Add patch for CVE-2023-28205 - Resolves: #2185744 +* Wed Feb 15 2023 Michael Catanzaro - 2.38.5-1 +- Update to 2.38.5 + Related: #2127467 + +* Thu Feb 02 2023 Michael Catanzaro - 2.38.4-1 +- Update to 2.38.4 + Related: #2127467 + +* Thu Dec 22 2022 Michael Catanzaro - 2.38.3-1 +- Update to 2.38.3 + Related: #2127467 + +* Fri Nov 04 2022 Michael Catanzaro - 2.38.2-1 +- Update to 2.38.2 + Related: #2127467 -* Wed Feb 15 2023 Michael Catanzaro - 2.36.7-1.2 -- Add patch for CVE-2023-23529 - Resolves: #2170000 +* Mon Oct 31 2022 Michael Catanzaro - 2.38.1-2 +- Fix use with aarch64 64 KiB page size + Related: #2127467 -* Wed Dec 21 2022 Michael Catanzaro - 2.36.7-1.1 -- Add patch for CVE-2022-42856 - Resolves: #2153738 +* Mon Oct 24 2022 Michael Catanzaro - 2.38.1-1 +- Update to 2.38.1 + Resolves: #2127467 * Wed Aug 24 2022 Michael Catanzaro - 2.36.7-1 - Update to 2.36.7