[Webkit-unassigned] [Bug 245697] New: Support branch target identification on aarch64
bugzilla-daemon at webkit.org
Mon Sep 26 14:55:46 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=245697
Bug ID: 245697
Summary: Support branch target identification on aarch64
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
It seems JSC crashes immediately if run using a Linux kernel built with CONFIG_ARM64_BTI=y, when using hardware that actually supports BTI (e.g. Apple M2 MacBook Air running Linux). Backtrace from the downstream bug:
Module libvulkan.so.1 with build-id 67d50cfbcd9385a604b088608e38177128818e19
Stack trace of thread 2:
#0 0x0000ffff5711b8b0 llint_program_prologue (libjavascriptcoregtk-4.0.so.18 + 0x13b8b0)
#1 0x0000ffff5711844c vmEntryToJavaScript (libjavascriptcoregtk-4.0.so.18 + 0x13844c)
#2 0x0000ffff57dcf7d8 _ZN3JSC11Interpreter14executeProgramERKNS_10SourceCodeEPNS_14JSGlobalObje$
#3 0x0000ffff11600000 n/a (n/a + 0x0)
I found some documentation from ARM here:
https://developer.arm.com/documentation/ddi0596/2020-12/Base-Instructions/BTI--Branch-Target-Identification-
And here:
https://developer.arm.com/documentation/102433/0100/Jump-oriented-programming
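Added example, not code from the bug report or from WebKit: a small C parser for the ELF .note.gnu.property blob, the marking that tells the kernel and the dynamic loader to map an object's code with PROT_BTI. Only code in such a mapping faults when an indirect branch lands on an instruction that is not a BTI landing pad, so checking this property on libjavascriptcoregtk is the first diagnostic step for a crash like the one above. It assumes the ELF64 little-endian layout used by AArch64 Linux; the two sample notes are constructed, not dumped from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the ELF gABI / AArch64 ELF ABI (same as glibc's <elf.h>). */
#define NT_GNU_PROPERTY_TYPE_0             5u
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI 1u
#define GNU_PROPERTY_AARCH64_FEATURE_1_PAC 2u
#define ALIGN4(x) (((x) + 3u) & ~3u)
#define ALIGN8(x) (((x) + 7u) & ~7u)

/* Little-endian load, the byte order of AArch64 Linux objects. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walk a raw .note.gnu.property blob (ELF64 layout). Returns the AArch64
 * feature-1 bits when the property is present, or -1 when it is absent,
 * in which case the loader never applies PROT_BTI to that object's code. */
int64_t aarch64_feature1_from_note(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + 12 <= len; ) {
        uint32_t namesz = rd32(buf + off), descsz = rd32(buf + off + 4);
        uint32_t type = rd32(buf + off + 8);
        size_t desc = off + 12 + ALIGN4(namesz), end = desc + descsz;
        if (end > len) return -1;                         /* truncated note */
        if (type == NT_GNU_PROPERTY_TYPE_0 && namesz == 4 &&
            memcmp(buf + off + 12, "GNU", 4) == 0) {
            for (size_t p = desc; p + 8 <= end; ) {
                uint32_t pr_type = rd32(buf + p), pr_datasz = rd32(buf + p + 4);
                if (pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND &&
                    pr_datasz == 4 && p + 12 <= end)
                    return (int64_t)rd32(buf + p + 8);
                p += 8 + ALIGN8(pr_datasz);               /* ELF64 pads pr_data to 8 */
            }
        }
        off = desc + ALIGN4(descsz);
    }
    return -1;
}

/* Constructed sample notes, not dumped from any real binary. */
const uint8_t BTI_PAC_NOTE[32] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,         /* namesz, descsz, type, name */
    0,0,0,0xc0, 4,0,0,0, 3,0,0,0, 0,0,0,0 };            /* FEATURE_1_AND = BTI|PAC, pad */
const uint8_t STACK_ONLY_NOTE[32] = {
    4,0,0,0, 16,0,0,0, 5,0,0,0, 'G','N','U',0,
    1,0,0,0, 8,0,0,0, 0,0,0x10,0, 0,0,0,0 };            /* GNU_PROPERTY_STACK_SIZE only */
```

For a real object, `readelf -n <library>` prints the same property under "AArch64 feature:"; a library marked BTI whose hand-written entry points (such as llint_program_prologue) start without a landing pad is exactly the combination that faults on BTI-capable hardware.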