openSUSE:Step:15-SP4
webkit2gtk3.32320
webkit2gtk3-CVE-2024-23222.patch
File webkit2gtk3-CVE-2024-23222.patch of Package webkit2gtk3.32320
From 0e5a485821858b7acb5c7be586c177b15ae14a91 Mon Sep 17 00:00:00 2001 
From: Dan Robson <dan_robson@apple.com>
Date: Fri, 5 Jan 2024 15:44:27 -0800
Subject: [PATCH] [JSC] DFG constant property load should check the validity at the main thread

This webkitglib/2.42 backport commit squashes changes from the following three Safari commits, which add and then remove a considerable amount of code. It's much simpler if we take the changes all together as one.

Cherry-pick 267815.671@safari-7617.2.4.11-branch (61d47f64edd9). https://bugs.webkit.org/show_bug.cgi?id=267134

Apply patch.
rdar://120560604

[JSC] DFG constant property load should check the validity at the main thread
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

Consider the following case,

CheckStructure O, S1 | S3
GetByOffset O, offset

And S1 -> S2 -> S3 structure transition happens. By changing object concurrently with the compiler, it is possible that we will constant fold the property with O + S2. While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2. If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue. CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when transition happens. So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread. CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue using this code safely.

To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure. And at the end of compilation, in the main thread, we check this assumption is still met.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
(JSC::DFG::DesiredObjectProperties::addLazily):
(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:

Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Cherry-pick 31601205b6f3. https://bugs.webkit.org/show_bug.cgi?id=267134

[JSC] DFG constant property load should check the validity at the main thread
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

Consider the following case,

CheckStructure O, S1 | S3
GetByOffset O, offset

And S1 -> S2 -> S3 structure transition happens. By changing object concurrently with the compiler, it is possible that we will constant fold the property with O + S2. While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2. If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue. CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when transition happens. So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread. CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue using this code safely.

To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure. And at the end of compilation, in the main thread, we check this assumption is still met.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
(JSC::DFG::DesiredObjectProperties::addLazily):
(JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isStillValidOnMainThread):
* Source/JavaScriptCore/dfg/DFGPlan.h:

Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch
Canonical link: https://commits.webkit.org/267815.672@safari-7617.2.4.11-branch

Cherry-pick a8b53bc4d7b3. https://bugs.webkit.org/show_bug.cgi?id=267134

[JSC] Remove DFGDesiredObjectProperties
https://bugs.webkit.org/show_bug.cgi?id=267134
rdar://120443399

Reviewed by Mark Lam.

When we limit the structure to only one, there is no way to change the property without firing the property replacement watchpoint while keeping the object's structure as specified. So removing DFGDesiredObjectProperties.

* Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
* Source/JavaScriptCore/Sources.txt:
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Removed.
* Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Removed.
* Source/JavaScriptCore/dfg/DFGGraph.cpp: (JSC::DFG::Graph::tryGetConstantProperty): * Source/JavaScriptCore/dfg/DFGPlan.cpp: (JSC::DFG::Plan::cancel): (JSC::DFG::Plan::isStillValidOnMainThread): * Source/JavaScriptCore/dfg/DFGPlan.h: Canonical link: https://commits.webkit.org/272448.8@safari-7618-branch Canonical link: https://commits.webkit.org/267815.673@safari-7617.2.4.11-branch --- Source/JavaScriptCore/dfg/DFGGraph.cpp | 35 +++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp index fe7855e8cd77..c4c93c04fd44 100644 --- a/Source/JavaScriptCore/dfg/DFGGraph.cpp +++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp 
@@ -1341,12 +1341,39 @@ JSValue Graph::tryGetConstantProperty( // incompatible with the getDirect we're trying to do. The easiest way to do that is to // determine if the structure belongs to the proven set. - Locker cellLock { object->cellLock() }; - Structure* structure = object->structure(); - if (!structureSet.toStructureSet().contains(structure)) + JSValue result; + auto set = structureSet.toStructureSet(); + { + Locker cellLock { object->cellLock() }; + Structure* structure = object->structure(); + if (!set.contains(structure)) + return JSValue(); + result = object->getDirectConcurrently(cellLock, structure, offset); + } + + if (!result) + return JSValue(); + + // If all structures are watched, we don't need to consider whether object transitions and changes the value. + // If the object gets transition while compiling, then it invalidates the code. + bool allAreWatched = true; + for (unsigned i = structureSet.size(); i--;) { + RegisteredStructure structure = structureSet[i]; + if (!structure->dfgShouldWatch()) { + allAreWatched = false; + break; + } + } + if (allAreWatched) + return result; + + // However, if structures transitions are not watched, then object can get to the one of the structures transitively while it is changing the value. + // But we can still optimize it if StructureSet is only one: in that case, there is no way to fulfill Structure requirement while changing the property + // and avoiding the replacement watchpoint firing. + if (structureSet.size() != 1) return JSValue(); - return object->getDirectConcurrently(cellLock, structure, offset); + return result; } JSValue Graph::tryGetConstantProperty(JSValue base, Structure* structure, PropertyOffset offset) -- 2.43.0
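Review bot: the `allAreWatched` loop and the `if (structureSet.size() != 1)` check depend only on the structure set, not on the object, so they can run before the block that takes `Locker cellLock { object->cellLock() }` and calls `getDirectConcurrently`; as ordered in this hunk, the unwatched multi-structure path pays for the locked read and then returns `JSValue()` anyway. Moving those two checks ahead of the locked block gives the same result with less work under the cell lock. The new comments also read awkwardly: "If the object gets transition while compiling" would be clearer as "If the object transitions while compiling", and "if structures transitions are not watched" as "if structure transitions are not watched". Finally, the commit message says the transitions are "already watched" while the code asks `structure->dfgShouldWatch()`; a short comment at that check explaining why a `RegisteredStructure` answering true there has its transition watchpoint in place for this compilation would spare the next reader that question.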