Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package webkit2gtk3 for openSUSE:Factory checked in at 2024-01-26 22:45:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/webkit2gtk3 (Old) and /work/SRC/openSUSE:Factory/.webkit2gtk3.new.1815 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "webkit2gtk3" Fri Jan 26 22:45:36 2024 rev:185 rq:1141440 version:2.42.4 Changes: -------- --- /work/SRC/openSUSE:Factory/webkit2gtk3/webkit2gtk3.changes 2023-12-18 22:55:30.390652452 +0100 +++ /work/SRC/openSUSE:Factory/.webkit2gtk3.new.1815/webkit2gtk3.changes 2024-01-26 22:45:43.072847966 +0100 @@ -1,0 +2,6 @@ +Wed Jan 24 19:33:03 UTC 2024 - Michael Gorse <mgo...@suse.com> + +- Add webkit2gtk3-CVE-2024-23222.patch: fix a type confusion issue + (bsc#1219113 CVE-2024-23222). + +------------------------------------------------------------------- New: ---- webkit2gtk3-CVE-2024-23222.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ webkit2gtk3.spec ++++++ --- /var/tmp/diff_new_pack.fIuwi3/_old 2024-01-26 22:45:44.804910543 +0100 +++ /var/tmp/diff_new_pack.fIuwi3/_new 2024-01-26 22:45:44.820911121 +0100 @@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -91,6 +91,8 @@ Patch1: webkit2gtk3-create-destroy-egl-image.patch # PATCH-FIX-UPSTREAM webkit2gtk3-disable-dmabuf-nvidia.patch boo#1216778 mgo...@suse.com -- disable the DMABuf renderer for NVIDIA proprietary drivers. Patch2: webkit2gtk3-disable-dmabuf-nvidia.patch +# PATCH-FIX-UPSTREAM webkit2gtk3-CVE-2024-23222.patch bsc#1219113 mgo...@suse.com -- fix a type confusion issue. +Patch3: webkit2gtk3-CVE-2024-23222.patch BuildRequires: Mesa-libEGL-devel BuildRequires: Mesa-libGL-devel 
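Review bot: The @@ -91,6 +91,8 @@ hunk only declares `Patch3: webkit2gtk3-CVE-2024-23222.patch`; the line that applies it is outside the visible diff. Please confirm that %prep applies it (either through `%autosetup -p1` or an explicit `%patch3 -p1`), because a Patch tag that is declared but never applied builds cleanly while leaving CVE-2024-23222 (bsc#1219113) unfixed in the resulting binaries. The PATCH-FIX-UPSTREAM tag with bug reference and one-line rationale follows the spec's existing convention and is fine as written.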
@@ -429,8 +431,8 @@ -# Expand %%lang_package to Obsoletes its older-name counterpart +# Expand %%lang_package to Obsoletes its older-name counterpart %package -n WebKitGTK-%{_apiver}-lang Summary: Translations for package %{name} Group: System/Localization ++++++ webkit2gtk3-CVE-2024-23222.patch ++++++ >From 0e5a485821858b7acb5c7be586c177b15ae14a91 Mon Sep 17 00:00:00 2001 
From: Dan Robson <dan_rob...@apple.com>
Date: Fri, 5 Jan 2024 15:44:27 -0800
Subject: [PATCH] [JSC] DFG constant property load should check the validity at the main thread

This webkitglib/2.42 backport commit squashes changes from the following three Safari commits, which add and then remove a considerable amount of code. It's much simpler if we take the changes all together as one.

Cherry-pick 267815.671@safari-7617.2.4.11-branch (61d47f64edd9). https://bugs.webkit.org/show_bug.cgi?id=267134

    Apply patch. rdar://120560604

    [JSC] DFG constant property load should check the validity at the main thread
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    Consider the following case,

        CheckStructure O, S1 | S3
        GetByOffset O, offset

    And S1 -> S2 -> S3 structure transition happens. By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2. While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2. If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

    1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue. CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens. So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
    2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread. CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue using this code safely.

    To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure. And at the end of compilation, in the main thread, we check that this assumption is still met.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
    (JSC::DFG::DesiredObjectProperties::addLazily):
    (JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Cherry-pick 31601205b6f3. https://bugs.webkit.org/show_bug.cgi?id=267134

    [JSC] DFG constant property load should check the validity at the main thread
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    Consider the following case,

        CheckStructure O, S1 | S3
        GetByOffset O, offset

    And S1 -> S2 -> S3 structure transition happens. By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2. While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2. If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

    1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue. CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when a transition happens. So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
    2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread. CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue using this code safely.

    To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure. And at the end of compilation, in the main thread, we check that this assumption is still met.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
    (JSC::DFG::DesiredObjectProperties::addLazily):
    (JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.672@safari-7617.2.4.11-branch

Cherry-pick a8b53bc4d7b3. https://bugs.webkit.org/show_bug.cgi?id=267134

    [JSC] Remove DFGDesiredObjectProperties
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    When we limit the structures to only one, there is no way to change the property without firing the property replacement watchpoint while keeping the object's structure as specified. So removing DFGDesiredObjectProperties.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Removed.
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Removed.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.8@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.673@safari-7617.2.4.11-branch
---
 Source/JavaScriptCore/dfg/DFGGraph.cpp | 35 +++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp
index fe7855e8cd77..c4c93c04fd44 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.cpp
+++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -1341,12 +1341,39 @@ JSValue Graph::tryGetConstantProperty( // incompatible with the getDirect we're trying to do. The easiest way to do that is to // determine if the structure belongs to the proven set. - Locker cellLock { object->cellLock() }; - Structure* structure = object->structure(); - if (!structureSet.toStructureSet().contains(structure)) + JSValue result; + auto set = structureSet.toStructureSet(); + { + Locker cellLock { object->cellLock() }; + Structure* structure = object->structure(); + if (!set.contains(structure)) + return JSValue(); + result = object->getDirectConcurrently(cellLock, structure, offset); + } + + if (!result) + return JSValue(); + + // If all structures are watched, we don't need to consider whether object transitions and changes the value. + // If the object gets transition while compiling, then it invalidates the code. + bool allAreWatched = true; + for (unsigned i = structureSet.size(); i--;) { + RegisteredStructure structure = structureSet[i]; + if (!structure->dfgShouldWatch()) { + allAreWatched = false; + break; + } + } + if (allAreWatched) + return result; + + // However, if structures transitions are not watched, then object can get to the one of the structures transitively while it is changing the value. + // But we can still optimize it if StructureSet is only one: in that case, there is no way to fulfill Structure requirement while changing the property + // and avoiding the replacement watchpoint firing. + if (structureSet.size() != 1) return JSValue(); - return object->getDirectConcurrently(cellLock, structure, offset); + return result; } JSValue Graph::tryGetConstantProperty(JSValue base, Structure* structure, PropertyOffset offset) -- 2.43.0
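Review bot: The `allAreWatched` early return in the @@ -1341 hunk rests on an invariant the comment does not state: `structure->dfgShouldWatch()` only says a transition watchpoint is worth installing, while the safety argument ("if the object gets transition while compiling, then it invalidates the code") needs the watchpoint to actually be registered for this compilation. Since the loop iterates `RegisteredStructure` entries, that registration presumably happened when the set was built, but the comment should say so (or an assertion should pin it), otherwise a future caller that builds a StructureSet without registering it silently reopens the same race the hunk closes. The structure of the fix is otherwise sound: reading `result` under `object->cellLock()` and then deciding on the watched / single-structure conditions after the lock is released means the value is consistent with the structure it was read from, and the `structureSet.size() != 1` fallback matches the reasoning in the commit message. Two wording nits in the added comments: "if structures transitions are not watched" should read "if structure transitions are not watched", and "if StructureSet is only one" is clearer as "if the StructureSet has a single member".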