[webkit-changes] [WebKit/WebKit] 60edab: Versioning.

Jonathan Bedard noreply at github.com
Tue May 14 14:28:32 PDT 2024


  Branch: refs/heads/safari-7619.1.11.111-branch
  Home:   https://github.com/WebKit/WebKit
  Commit: 60edaba8a9087df0a89766b74d81a5c22d1390ec
      https://github.com/WebKit/WebKit/commit/60edaba8a9087df0a89766b74d81a5c22d1390ec
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-05-03 (Fri, 03 May 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7619.1.11.111.1

Canonical link: https://commits.webkit.org/278096.6@safari-7619.1.11.111-branch


  Commit: 1574b2f9833c2cd553c7046756f810bbf2db8d2a
      https://github.com/WebKit/WebKit/commit/1574b2f9833c2cd553c7046756f810bbf2db8d2a
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-05-03 (Fri, 03 May 2024)

  Changed paths:
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
    M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
    M Source/JavaScriptCore/jit/ThunkGenerators.cpp
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/runtime/Options.cpp
    M Source/JavaScriptCore/runtime/OptionsList.h
    M Source/WTF/wtf/PtrTag.h
    M Source/WebKit/WebProcess/WebProcess.cpp
    M Tools/Scripts/run-jsc-stress-tests

  Log Message:
  -----------
  Cherry-pick f442fbe222f3. rdar://125596635

    Make it harder to get a PAC signing gadget in JIT code.
    https://bugs.webkit.org/show_bug.cgi?id=272750
    rdar://125596635

    Reviewed by Yusuke Suzuki.

    Right now if an attacker can control where code is allocated they can overlap code to create a PAC bypass.
    This patch makes that harder (in the WebContent process) by only allowing pacibsp and pacizb. This means
    that during arity fixup we now tag the return PC with pacizb. This is ok because we don't use the zero
    diversifier for anything. For reifying inlined call frames during OSR exit things are a bit more complicated.
    First we have to be careful to only move signed return addresses into lr then untag them there. Also, we have
    to shuffle SP to point to where it would in the reified frame. This means that there is technically live data
    below our SP, which on many OSes causes problems. Talking to our kernel folks, however, this isn't a problem
    as long as we don't have any signal handlers or run lldb expressions in this window. We don't use signal
    handlers in the WebContent process and this patch tries to limit/document the window of JIT code where lldb
    would trash the stack.

    * Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:
    (JSC::MacroAssemblerARM64E::tagPtr):
    * Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
    (JSC::DFG::reifyInlinedCallFrames):
    (JSC::AssemblyHelpers::transferReturnPC):
    * Source/JavaScriptCore/jit/ThunkGenerators.cpp:
    (JSC::arityFixupGenerator):
    * Source/JavaScriptCore/llint/LLIntThunks.cpp:
    (JSC::LLInt::tagGateThunk):
    (JSC::LLInt::untagGateThunk):
    * Source/JavaScriptCore/runtime/OptionsList.h:
    * Source/WTF/wtf/PtrTag.h:
    * Source/WebKit/WebProcess/WebProcess.cpp:
    (WebKit::WebProcess::initializeProcess):
    * Tools/Scripts/run-jsc-stress-tests:

    Canonical link: https://commits.webkit.org/272448.948@safari-7618-branch

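The following is an added example, not code from the WebKit commit above and not real pointer-authentication hardware: a small C simulation of why a general "pacib xd, xm" instruction reachable in JIT code is a signing gadget, while pacibsp (modifier fixed to SP) and pacizb (modifier fixed to zero) can only sign under a modifier the gadget itself fixes. The 16-bit xor-fold "PAC", the IB_KEY value, and the VICTIM_SP, GADGET_SP and TARGET_PC addresses are all constructed for the illustration; the real PAC is a cryptographic function over key, pointer and modifier, and only its binding to the modifier matters here.

```c
/*
 * Constructed simulation of ARM64 pointer authentication, added to
 * illustrate the commit message above. Not WebKit code and not real
 * PAC: the "PAC" is a 16-bit xor fold of (key, pointer, modifier)
 * standing in for the hardware's keyed function, and the key, stack
 * pointers and return target are made-up constants.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48
#define PAC_MASK  (0xFFFFULL << PAC_SHIFT)

static const uint64_t IB_KEY = 0x5a17c3e9d82b4f61ULL; /* made-up IB key */

/* Made-up addresses for the scenario. */
#define VICTIM_SP 0x000000016fd0a3c0ULL /* SP of the frame whose return the attacker wants to hijack */
#define GADGET_SP 0x000000016fd09f80ULL /* SP at the moment the attacker reaches a signing gadget */
#define TARGET_PC 0x0000000104a1c000ULL /* where the attacker wants that frame to return to */

/* Fold a 64-bit value to 16 bits. */
static uint16_t fold16(uint64_t x)
{
    return (uint16_t)(x ^ (x >> 16) ^ (x >> 32) ^ (x >> 48));
}

/* Toy PAC over (key, pointer bits below the PAC field, modifier). */
static uint16_t pac_compute(uint64_t ptr, uint64_t modifier)
{
    return fold16((ptr & ~PAC_MASK) ^ IB_KEY) ^ fold16(modifier);
}

/* pacib xd, xm : sign ptr under an attacker-choosable modifier. */
static uint64_t pacib(uint64_t ptr, uint64_t modifier)
{
    return (ptr & ~PAC_MASK) | ((uint64_t)pac_compute(ptr, modifier) << PAC_SHIFT);
}

/* pacibsp : modifier is the current SP, fixed by where the gadget runs. */
static uint64_t pacibsp(uint64_t ptr, uint64_t sp) { return pacib(ptr, sp); }

/* pacizb : modifier is zero. */
static uint64_t pacizb(uint64_t ptr) { return pacib(ptr, 0); }

/* autib: true and strips the PAC when the signature matches. (Hardware
 * would instead corrupt the pointer so the later ret/br faults.) */
static bool autib(uint64_t signed_ptr, uint64_t modifier, uint64_t *out)
{
    uint64_t raw = signed_ptr & ~PAC_MASK;
    if ((signed_ptr & PAC_MASK) != ((uint64_t)pac_compute(raw, modifier) << PAC_SHIFT))
        return false;
    *out = raw;
    return true;
}

/* Normal prologue/epilogue: sign with pacibsp at frame entry and
 * authenticate (autibsp) at the same SP on return. */
static bool legit_return_ok(void)
{
    uint64_t lr = pacibsp(TARGET_PC, VICTIM_SP), pc = 0;
    return autib(lr, VICTIM_SP, &pc) && pc == TARGET_PC;
}

/* The only signing instruction the attacker can reach in JIT code. */
enum gadget { GADGET_PACIB, GADGET_PACIBSP, GADGET_PACIZB };

/* Can the attacker produce a value that the victim frame's autibsp
 * (modifier = VICTIM_SP) accepts as a return to TARGET_PC? */
static bool forge_return(enum gadget g)
{
    uint64_t forged = 0, pc = 0;
    switch (g) {
    case GADGET_PACIB:   forged = pacib(TARGET_PC, VICTIM_SP); break;  /* attacker picks the victim's modifier */
    case GADGET_PACIBSP: forged = pacibsp(TARGET_PC, GADGET_SP); break; /* bound to the gadget's own SP */
    case GADGET_PACIZB:  forged = pacizb(TARGET_PC); break;            /* bound to modifier 0 */
    }
    return autib(forged, VICTIM_SP, &pc) && pc == TARGET_PC;
}

/* A pacizb-signed return PC (as the arity fixup thunk now produces) lives
 * in its own domain: it authenticates under modifier 0 and not under SP. */
static bool zero_diversifier_is_separate(void)
{
    uint64_t lr = pacizb(TARGET_PC), pc = 0;
    return autib(lr, 0, &pc) && pc == TARGET_PC && !autib(lr, VICTIM_SP, &pc);
}

int main(void)
{
    printf("legit pacibsp/autibsp round trip: %s\n", legit_return_ok() ? "ok" : "FAIL");
    printf("forge via pacib xd,xm gadget:     %s\n", forge_return(GADGET_PACIB) ? "succeeds" : "fails");
    printf("forge via pacibsp gadget:         %s\n", forge_return(GADGET_PACIBSP) ? "succeeds" : "fails");
    printf("forge via pacizb gadget:          %s\n", forge_return(GADGET_PACIZB) ? "succeeds" : "fails");
    printf("pacizb domain separate from SP:   %s\n", zero_diversifier_is_separate() ? "yes" : "no");
    return 0;
}
```

The model shows the distinction the commit relies on: a general pacib gadget lets the attacker supply the victim frame's SP as the modifier and so mint a return address that frame accepts, whereas pacibsp signs only under the SP in effect when the gadget executes and pacizb only under zero. It does not make forgery impossible, which is why the commit says "harder": an attacker who can also steer SP to the victim's value before reaching a pacibsp gadget is outside this model, and the xor-fold PAC here is not a cryptographic MAC, only a stand-in that depends on key, pointer and modifier.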

  Commit: f13b66e06c476ae22146e6b5d1de07448227bf47
      https://github.com/WebKit/WebKit/commit/f13b66e06c476ae22146e6b5d1de07448227bf47
  Author: Mohsin Qureshi <mohsinq at apple.com>
  Date:   2024-05-06 (Mon, 06 May 2024)

  Changed paths:
    M Configurations/Version.xcconfig

  Log Message:
  -----------
  Versioning.

WebKit-7619.1.11.111.2

Canonical link: https://commits.webkit.org/278096.8@safari-7619.1.11.111-branch


Compare: https://github.com/WebKit/WebKit/compare/60edaba8a908%5E...f13b66e06c47
