diff options
Diffstat (limited to 'meta/recipes-sato')
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch | 41 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch | 435 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch | 104 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch | 43 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch | 136 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch | 67 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch | 225 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch | 65 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch | 127 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 9 | ||||
-rw-r--r-- | meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb (renamed from meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb) | 2 |
11 files changed, 1253 insertions, 1 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch new file mode 100644 index 0000000000..1a6b685450 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32888.patch @@ -0,0 +1,41 @@ +CVE: CVE-2022-32888 +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/a3dd7dc] + +[1]: https://support.apple.com/en-us/HT213446 +[2]: https://bugs.webkit.org/show_bug.cgi?id=242047 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From a3dd7dc5f60b87a7cfd14c372e40ebd339076763 Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki <ysuzuki@apple.com> +Date: Mon, 27 Jun 2022 21:34:55 -0700 +Subject: [PATCH] [JSC] Drop wasm stale assertion + https://bugs.webkit.org/show_bug.cgi?id=242047 rdar://95866655 + +Reviewed by Mark Lam. + +This patch drops stale assertion in addDelegateToUnreachable. + +* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp: +(JSC::Wasm::LLIntGenerator::addDelegateToUnreachable): + +Canonical link: https://commits.webkit.org/251902@main +--- + Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp +index 39fb39b3331f..d0d2b9725991 100644 +--- a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp ++++ b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp +@@ -1182,7 +1182,6 @@ auto LLIntGenerator::addDelegateToUnreachable(ControlType& target, ControlType& + + ControlTry& tryData = std::get<ControlTry>(data); + m_codeBlock->addExceptionHandler({ HandlerType::Delegate, tryData.m_try->location(), delegateLabel->location(), 0, m_tryDepth, targetDepth }); +- checkConsistency(); + return { }; + } + +-- +2.34.1 + diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch new file mode 100644 index 0000000000..60342a14f8 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-32923.patch @@ -0,0 +1,435 @@ +CVE: CVE-2022-32923 +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ef76e31] + +[1]: https://support.apple.com/en-us/HT213495 +[2]: https://bugs.webkit.org/show_bug.cgi?id=242964 + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From ef76e31a2a066c3d65a9c94a9e2cd88133260c1f Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki <ysuzuki@apple.com> +Date: Wed, 20 Jul 2022 19:30:48 -0700 +Subject: [PATCH] [JSC] BakcwardPropagationPhase should carry NaN / Infinity + handling https://bugs.webkit.org/show_bug.cgi?id=242964 rdar://96791603 + +Reviewed by Mark Lam. + +For correctness, we should carry NaN / Infinity handling to make it more clear in the code generation site. + +* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp: +(JSC::DFG::BackwardsPropagationPhase::propagate): +* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp: +(JSC::DFG::FixupPhase::fixupArithDivInt32): +(JSC::DFG::FixupPhase::fixupArithDiv): +* Source/JavaScriptCore/dfg/DFGGraph.h: +* Source/JavaScriptCore/dfg/DFGNode.h: +* Source/JavaScriptCore/dfg/DFGNodeFlags.cpp: +(JSC::DFG::dumpNodeFlags): +* Source/JavaScriptCore/dfg/DFGNodeFlags.h: +(JSC::DFG::bytecodeCanIgnoreNaNAndInfinity): +(JSC::DFG::nodeCanSpeculateInt32ForDiv): +* Source/JavaScriptCore/dfg/DFGNodeType.h: + +Canonical link: https://commits.webkit.org/252675@main +--- + .../dfg/DFGBackwardsPropagationPhase.cpp | 51 +++++++++++-------- + Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 6 ++- + Source/JavaScriptCore/dfg/DFGGraph.h | 11 ++++ + Source/JavaScriptCore/dfg/DFGNode.h | 12 +++-- + Source/JavaScriptCore/dfg/DFGNodeFlags.cpp | 10 ++-- + Source/JavaScriptCore/dfg/DFGNodeFlags.h | 37 +++++++++++--- + Source/JavaScriptCore/dfg/DFGNodeType.h | 3 +- + 7 files changed, 91 insertions(+), 39 deletions(-) + +diff --git a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp +index 306ea5d6b974..83a08aff7c20 100644 +--- a/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp ++++ b/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp +@@ -272,7 +272,7 @@ private: + case ValueBitNot: + case ArithBitNot: { + flags |= NodeBytecodeUsesAsInt; +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther); + flags &= ~NodeBytecodeUsesAsArrayIndex; + node->child1()->mergeFlags(flags); + break; +@@ -291,7 +291,7 @@ private: + case BitURShift: + case ArithIMul: { + flags |= NodeBytecodeUsesAsInt; +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther); + flags &= ~NodeBytecodeUsesAsArrayIndex; + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -308,9 +308,9 @@ private: + + case StringSlice: { + node->child1()->mergeFlags(NodeBytecodeUsesAsValue); +- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + if (node->child3()) +- node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ node->child3()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + break; + } + +@@ -320,11 +320,11 @@ private: + if (node->numChildren() == 2) + m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsValue); + else if (node->numChildren() == 3) { +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue); + } else if (node->numChildren() == 4) { +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); +- m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); ++ m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 3)->mergeFlags(NodeBytecodeUsesAsValue); + } + break; +@@ -345,6 +345,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -359,6 +360,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -366,7 +368,7 @@ private: + } + + case ArithClz32: { +- flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex); ++ flags &= ~(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | ~NodeBytecodeUsesAsArrayIndex); + flags |= NodeBytecodeUsesAsInt; + node->child1()->mergeFlags(flags); + break; +@@ -380,6 +382,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + node->child2()->mergeFlags(flags); +@@ -387,6 +390,7 @@ private: + } + + case ArithNegate: { ++ // negation does not care about NaN, Infinity, -Infinity are converted into 0 if the result is evaluated under the integer context. + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -401,6 +405,7 @@ private: + flags |= NodeBytecodeUsesAsNumber; + if (!m_allowNestedOverflowingAdditions) + flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeNeedsNaNOrInfinity; + + node->child1()->mergeFlags(flags); + break; +@@ -421,7 +426,7 @@ private: + + node->mergeFlags(flags); + +- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero; ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -431,7 +436,13 @@ private: + + case ValueDiv: + case ArithDiv: { +- flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero; ++ // ArithDiv / ValueDiv need to have NodeBytecodeUsesAsNumber even if it is used in the context of integer. ++ // For example, ++ // ((@x / @y) + @z) | 0 ++ // In this context, (@x / @y) can have integer context at first, but the result can be different if div ++ // generates NaN. Div and Mod are operations that can produce NaN / Infinity though only taking binary Int32 operands. ++ // Thus, we always need to check for overflow since it can affect downstream calculations. ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -441,7 +452,7 @@ private: + + case ValueMod: + case ArithMod: { +- flags |= NodeBytecodeUsesAsNumber; ++ flags |= NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity; + flags &= ~NodeBytecodeUsesAsOther; + + node->child1()->mergeFlags(flags); +@@ -452,7 +463,7 @@ private: + case EnumeratorGetByVal: + case GetByVal: { + m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue); +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex); + break; + } + +@@ -461,13 +472,13 @@ private: + // Negative zero is not observable. NaN versus undefined are only observable + // in that you would get a different exception message. So, like, whatever: we + // claim here that NaN v. undefined is observable. +- node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsArrayIndex); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsInt | NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsArrayIndex); + break; + } + + case ToString: + case CallStringConstructor: { +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + } + +@@ -487,15 +498,15 @@ private: + case CompareBelowEq: + case CompareEq: + case CompareStrictEq: { +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); +- node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); ++ node->child2()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + } + + case PutByValDirect: + case PutByVal: { + m_graph.varArgChild(node, 0)->mergeFlags(NodeBytecodeUsesAsValue); +- m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex); ++ m_graph.varArgChild(node, 1)->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex | NodeBytecodeNeedsNaNOrInfinity); + m_graph.varArgChild(node, 2)->mergeFlags(NodeBytecodeUsesAsValue); + break; + } +@@ -508,20 +519,20 @@ private: + // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther + // because if all of the cases are integers then NaN and undefined are + // treated the same (i.e. they will take default). +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsInt | NodeBytecodeNeedsNaNOrInfinity); + break; + case SwitchChar: { + // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings + // then -0 and 0 are treated the same. We don't need NodeBytecodeUsesAsOther + // because if all of the cases are single-character strings then NaN + // and undefined are treated the same (i.e. they will take default). +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNaNOrInfinity); + break; + } + case SwitchString: + // We don't need NodeBytecodeNeedsNegZero because if the cases are all strings + // then -0 and 0 are treated the same. +- node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther); ++ node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther | NodeBytecodeNeedsNaNOrInfinity); + break; + case SwitchCell: + // There is currently no point to being clever here since this is used for switching +diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +index e8bee58ada15..b679539de2e6 100644 +--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp ++++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +@@ -81,7 +81,9 @@ private: + if (optimizeForX86() || optimizeForARM64() || optimizeForARMv7IDIVSupported()) { + fixIntOrBooleanEdge(leftChild); + fixIntOrBooleanEdge(rightChild); +- if (bytecodeCanTruncateInteger(node->arithNodeFlags())) ++ // We need to be careful about skipping overflow check because div / mod can generate non integer values ++ // from (Int32, Int32) inputs. For now, we always check non-zero divisor. ++ if (bytecodeCanTruncateInteger(node->arithNodeFlags()) && bytecodeCanIgnoreNaNAndInfinity(node->arithNodeFlags()) && bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) + node->setArithMode(Arith::Unchecked); + else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())) + node->setArithMode(Arith::CheckOverflow); +@@ -122,7 +124,7 @@ private: + + void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild) + { +- if (m_graph.binaryArithShouldSpeculateInt32(node, FixupPass)) { ++ if (m_graph.divShouldSpeculateInt32(node, FixupPass)) { + fixupArithDivInt32(node, leftChild, rightChild); + return; + } +diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h +index ca566d3a484e..284c87672849 100644 +--- a/Source/JavaScriptCore/dfg/DFGGraph.h ++++ b/Source/JavaScriptCore/dfg/DFGGraph.h +@@ -373,6 +373,17 @@ public: + + return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right); + } ++ ++ bool divShouldSpeculateInt32(Node* node, PredictionPass pass) ++ { ++ // Even if inputs are Int32, div can generate NaN or Infinity. ++ // Thus, Overflow in div can be caused by these non integer values as well as actual Int32 overflow. ++ Node* left = node->child1().node(); ++ Node* right = node->child2().node(); ++ ++ return Node::shouldSpeculateInt32OrBooleanForArithmetic(left, right) ++ && nodeCanSpeculateInt32ForDiv(node->arithNodeFlags(), node->sourceFor(pass)); ++ } + + bool binaryArithShouldSpeculateInt32(Node* node, PredictionPass pass) + { +diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h +index f9ff50658e93..04509a3846ca 100644 +--- a/Source/JavaScriptCore/dfg/DFGNode.h ++++ b/Source/JavaScriptCore/dfg/DFGNode.h +@@ -3308,21 +3308,25 @@ public: + out.printf(", @%u", child3()->index()); + } + +- NodeOrigin origin; ++ NO_UNIQUE_ADDRESS NodeOrigin origin; + ++private: ++ NO_UNIQUE_ADDRESS NodeType m_op; ++ ++ NO_UNIQUE_ADDRESS unsigned m_index { std::numeric_limits<unsigned>::max() }; ++ ++public: + // References to up to 3 children, or links to a variable length set of children. + AdjacencyList children; + + private: + friend class B3::SparseCollection<Node>; + +- unsigned m_index { std::numeric_limits<unsigned>::max() }; +- unsigned m_op : 10; // real type is NodeType +- unsigned m_flags : 21; + // The virtual register number (spill location) associated with this . + VirtualRegister m_virtualRegister; + // The number of uses of the result of this operation (+1 for 'must generate' nodes, which have side-effects). + unsigned m_refCount; ++ NodeFlags m_flags; + // The prediction ascribed to this node after propagation. + SpeculatedType m_prediction { SpecNone }; + // Immediate values, accesses type-checked via accessors above. +diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp +index 88242947f6ef..0c53cd976c5c 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp ++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.cpp +@@ -74,12 +74,14 @@ void dumpNodeFlags(PrintStream& actualOut, NodeFlags flags) + out.print(comma, "VarArgs"); + + if (flags & NodeResultMask) { +- if (!(flags & NodeBytecodeUsesAsNumber) && !(flags & NodeBytecodeNeedsNegZero)) ++ if (!(flags & NodeBytecodeUsesAsNumber)) + out.print(comma, "PureInt"); +- else if (!(flags & NodeBytecodeUsesAsNumber)) +- out.print(comma, "PureInt(w/ neg zero)"); +- else if (!(flags & NodeBytecodeNeedsNegZero)) ++ else + out.print(comma, "PureNum"); ++ if (flags & NodeBytecodeNeedsNegZero) ++ out.print(comma, "NeedsNegZero"); ++ if (flags & NodeBytecodeNeedsNaNOrInfinity) ++ out.print(comma, "NeedsNaNOrInfinity"); + if (flags & NodeBytecodeUsesAsOther) + out.print(comma, "UseAsOther"); + } +diff --git a/Source/JavaScriptCore/dfg/DFGNodeFlags.h b/Source/JavaScriptCore/dfg/DFGNodeFlags.h +index 2ebe3544f601..aa60db7e6ba0 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeFlags.h ++++ b/Source/JavaScriptCore/dfg/DFGNodeFlags.h +@@ -61,18 +61,19 @@ namespace JSC { namespace DFG { + #define NodeBytecodeUseBottom 0x00000 + #define NodeBytecodeUsesAsNumber 0x04000 // The result of this computation may be used in a context that observes fractional, or bigger-than-int32, results. + #define NodeBytecodeNeedsNegZero 0x08000 // The result of this computation may be used in a context that observes -0. +-#define NodeBytecodeUsesAsOther 0x10000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined). +-#define NodeBytecodeUsesAsInt 0x20000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values. +-#define NodeBytecodeUsesAsArrayIndex 0x40000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible. +-#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther) +-#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex) ++#define NodeBytecodeNeedsNaNOrInfinity 0x10000 // The result of this computation may be used in a context that observes NaN or Infinity. ++#define NodeBytecodeUsesAsOther 0x20000 // The result of this computation may be used in a context that distinguishes between NaN and other things (like undefined). ++#define NodeBytecodeUsesAsInt 0x40000 // The result of this computation is known to be used in a context that prefers, but does not require, integer values. ++#define NodeBytecodeUsesAsArrayIndex 0x80000 // The result of this computation is known to be used in a context that strongly prefers integer values, to the point that we should avoid using doubles if at all possible. ++#define NodeBytecodeUsesAsValue (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther) ++#define NodeBytecodeBackPropMask (NodeBytecodeUsesAsNumber | NodeBytecodeNeedsNegZero | NodeBytecodeNeedsNaNOrInfinity | NodeBytecodeUsesAsOther | NodeBytecodeUsesAsInt | NodeBytecodeUsesAsArrayIndex) + + #define NodeArithFlagsMask (NodeBehaviorMask | NodeBytecodeBackPropMask) + +-#define NodeIsFlushed 0x80000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush. ++#define NodeIsFlushed 0x100000 // Computed by CPSRethreadingPhase, will tell you which local nodes are backwards-reachable from a Flush. + +-#define NodeMiscFlag1 0x100000 +-#define NodeMiscFlag2 0x200000 ++#define NodeMiscFlag1 0x200000 ++#define NodeMiscFlag2 0x400000 + + typedef uint32_t NodeFlags; + +@@ -91,6 +92,11 @@ static inline bool bytecodeCanIgnoreNegativeZero(NodeFlags flags) + return !(flags & NodeBytecodeNeedsNegZero); + } + ++static inline bool bytecodeCanIgnoreNaNAndInfinity(NodeFlags flags) ++{ ++ return !(flags & NodeBytecodeNeedsNaNOrInfinity); ++} ++ + enum RareCaseProfilingSource { + BaselineRareCase, // Comes from slow case counting in the baseline JIT. + DFGRareCase, // Comes from OSR exit profiles. +@@ -147,6 +153,21 @@ static inline bool nodeCanSpeculateInt32(NodeFlags flags, RareCaseProfilingSourc + return true; + } + ++static inline bool nodeCanSpeculateInt32ForDiv(NodeFlags flags, RareCaseProfilingSource source) ++{ ++ if (nodeMayOverflowInt32(flags, source)) { ++ if (bytecodeUsesAsNumber(flags)) ++ return false; ++ if (!bytecodeCanIgnoreNaNAndInfinity(flags)) ++ return false; ++ } ++ ++ if (nodeMayNegZero(flags, source)) ++ return bytecodeCanIgnoreNegativeZero(flags); ++ ++ return true; ++} ++ + static inline bool nodeCanSpeculateInt52(NodeFlags flags, RareCaseProfilingSource source) + { + if (nodeMayOverflowInt52(flags, source)) +diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h +index 8f885b570665..aad4d559ccf7 100644 +--- a/Source/JavaScriptCore/dfg/DFGNodeType.h ++++ b/Source/JavaScriptCore/dfg/DFGNodeType.h +@@ -567,7 +567,7 @@ namespace JSC { namespace DFG { + + // This enum generates a monotonically increasing id for all Node types, + // and is used by the subsequent enum to fill out the id (as accessed via the NodeIdMask). +-enum NodeType { ++enum NodeType : uint16_t { + #define DFG_OP_ENUM(opcode, flags) opcode, + FOR_EACH_DFG_OP(DFG_OP_ENUM) + #undef DFG_OP_ENUM +@@ -577,6 +577,7 @@ enum NodeType { + #define DFG_OP_COUNT(opcode, flags) + 1 + constexpr unsigned numberOfNodeTypes = FOR_EACH_DFG_OP(DFG_OP_COUNT); + #undef DFG_OP_COUNT ++static_assert(numberOfNodeTypes <= UINT16_MAX); + + // Specifies the default flags for each node. + inline NodeFlags defaultFlags(NodeType op) +-- +2.34.1 + diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch new file mode 100644 index 0000000000..bf06809051 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch @@ -0,0 +1,104 @@ +From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001 +From: Yogita Urade <yogita.urade@windriver.com> +Date: Wed, 7 Jun 2023 08:15:11 +0000 +Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages + should take pointer arguments like other similar functions + https://bugs.webkit.org/show_bug.cgi?id=247317 rdar://100273147 + +Reviewed by Alan Baradlay. + +* Source/WebCore/rendering/RenderElement.cpp: +(WebCore::RenderElement::updateFillImages): +(WebCore::RenderElement::styleDidChange): +* Source/WebCore/rendering/RenderElement.h: + +Canonical link: https://commits.webkit.org/256215@main + +CVE: CVE-2022-42867 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++-------- + Source/WebCore/rendering/RenderElement.h | 2 +- + 2 files changed, 19 insertions(+), 10 deletions(-) + +diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp +index da43bf3d..931686b8 100644 +--- a/Source/WebCore/rendering/RenderElement.cpp ++++ b/Source/WebCore/rendering/RenderElement.cpp +@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff) + return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline()); + } + +-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers) ++void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers) + { + auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool { + if (layer1 == layer2) +@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer + }; + + auto isRegisteredWithNewFillImages = [&]() -> bool { +- for (auto* layer = &newLayers; layer; layer = layer->next()) { ++ for (auto* layer = newLayers; layer; layer = layer->next()) { + if (layer->image() && !layer->image()->hasClient(*this)) + return false; + } +@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer + + // If images have the same characteristics and this element is already registered as a + // client to the new images, there is nothing to do. +- if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages()) ++ if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages()) + return; + + // Add before removing, to avoid removing all clients of an image that is in both sets. +- for (auto* layer = &newLayers; layer; layer = layer->next()) { ++ for (auto* layer = newLayers; layer; layer = layer->next()) { + if (layer->image()) + layer->image()->addClient(*this); + } +@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b) + + void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle) + { +- updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers()); +- updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers()); +- updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image()); +- updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image()); +- updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside()); ++ auto registerImages = [this](auto* style, auto* oldStyle) { ++ if (!style && !oldStyle) ++ return; ++ updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr); ++ updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr); ++ updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr); ++ updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr); ++ updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr); ++ }; ++ ++ registerImages(&style(), oldStyle); ++ ++ // Are there other pseudo-elements that need the resources to be registered? ++ registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr); + + SVGRenderSupport::styleChanged(*this, oldStyle); + +diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h +index f376cecb..d6ba2cdf 100644 +--- a/Source/WebCore/rendering/RenderElement.h ++++ b/Source/WebCore/rendering/RenderElement.h +@@ -349,7 +349,7 @@ private: + bool shouldRepaintForStyleDifference(StyleDifference) const; + bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const; + +- void updateFillImages(const FillLayer*, const FillLayer&); ++ void updateFillImages(const FillLayer*, const FillLayer*); + void updateImage(StyleImage*, StyleImage*); + void updateShapeImage(const ShapeValue*, const ShapeValue*); + +-- +2.35.5 diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch new file mode 100644 index 0000000000..ff9df40433 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch @@ -0,0 +1,43 @@ +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001 +From: Yijia Huang <hyjorc1@gmail.com> +Date: Mon, 10 Oct 2022 15:42:34 -0700 +Subject: [PATCH] [JSC] Should model BigInt with side effects + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823 + +Reviewed by Yusuke Suzuki. + +Operations with two BigInt operands have side effects, +which should not be hoisted from loops. + +* Source/JavaScriptCore/dfg/DFGClobberize.cpp: +(JSC::DFG::doesWrites): +* Source/JavaScriptCore/dfg/DFGClobberize.h: +(JSC::DFG::clobberize): + +Canonical link: https://commits.webkit.org/255368@main + +CVE: CVE-2022-46691 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h +index 0363ab20dcd8..4b1bcfea1fd7 100644 +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + case ValueBitRShift: + // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand. + if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) { ++ read(World); ++ write(SideState); + def(PureValue(node)); + return; + } +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch new file mode 100644 index 0000000000..0752b9c0e2 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46699.patch @@ -0,0 +1,136 @@ +From 28686e63de0d3d7270a49b0d6b656467bc4fbf68 Mon Sep 17 00:00:00 2001 +From: Justin Michaud <justin_michaud@apple.com> +Date: Wed, 9 Nov 2022 19:20:41 -0800 +Subject: [PATCH] Error() ICs should not cache special properties. + https://bugs.webkit.org/show_bug.cgi?id=247699 + +Reviewed by Yusuke Suzuki. + +HasOwnProperty/DeleteProperty are not always cacheable for special Error() +properties like column. These special properties are materialized on-demand +in materializeErrorInfoIfNeeded, but this function's behaviour can be changed +by Error.stackTraceLimit without causing a structure transition or firing watchpoints. + +That is, we cannot cache property misses, and we cannot assume HasOwnProperty is deterministic +for a given structure if we are using one of these properties. + +* Source/JavaScriptCore/runtime/ErrorInstance.cpp: +(JSC::ErrorInstance::deleteProperty): +* Source/JavaScriptCore/runtime/ErrorInstance.h: + +Canonical link: https://commits.webkit.org/256519@main + +CVE: CVE-2022-46699 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/28686e63de0d3d7270a49b0d6b656467bc4fbf68] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + JSTests/stress/delete-cache-error.js | 19 ++++++++++++++++++ + .../get-own-property-slot-cache-error.js | 6 ++++++ + JSTests/stress/get-property-cache-error.js | 20 +++++++++++++++++++ + .../JavaScriptCore/runtime/ErrorInstance.cpp | 4 +++- + Source/JavaScriptCore/runtime/ErrorInstance.h | 3 ++- + 5 files changed, 50 insertions(+), 2 deletions(-) + create mode 100644 JSTests/stress/delete-cache-error.js + create mode 100644 JSTests/stress/get-own-property-slot-cache-error.js + create mode 100644 JSTests/stress/get-property-cache-error.js + +diff --git a/JSTests/stress/delete-cache-error.js b/JSTests/stress/delete-cache-error.js +new file mode 100644 +index 000000000000..d77c09185a13 +--- /dev/null ++++ b/JSTests/stress/delete-cache-error.js +@@ -0,0 +1,19 @@ ++delete Error.stackTraceLimit ++ ++// sourceURL is not materialized ++function cacheColumn(o) { ++ delete o.sourceURL ++} ++noInline(cacheColumn) ++ ++for (let i = 0; i < 200; ++i) { ++ let e = Error() ++ cacheColumn(e) ++ if (e.sourceURL !== undefined) ++ throw "Test failed on iteration " + i + " " + e.sourceURL ++ ++ if (i == 197) { ++ // now it is ++ Error.stackTraceLimit = 10 ++ } ++} +\ No newline at end of file +diff --git a/JSTests/stress/get-own-property-slot-cache-error.js b/JSTests/stress/get-own-property-slot-cache-error.js +new file mode 100644 +index 000000000000..f8202213bf79 +--- /dev/null ++++ b/JSTests/stress/get-own-property-slot-cache-error.js +@@ -0,0 +1,6 @@ ++delete Error.stackTraceLimit ++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null. ++Object.hasOwn(Error(), "column") ++Error.stackTraceLimit = 10 ++// Now it does ++Object.hasOwn(Error(), "column") +\ No newline at end of file +diff --git a/JSTests/stress/get-property-cache-error.js b/JSTests/stress/get-property-cache-error.js +new file mode 100644 +index 000000000000..b35272ea6fe2 +--- /dev/null ++++ b/JSTests/stress/get-property-cache-error.js +@@ -0,0 +1,20 @@ ++// GetOwnPropertySlot does not materializeErrorInfoIfNeeded because stackString is null. ++delete Error.stackTraceLimit ++expected = undefined ++ ++function cacheColumn(o) { ++ return o.column ++} ++noInline(cacheColumn) ++ ++for (let i = 0; i < 1000; ++i) { ++ let val = cacheColumn(Error()) ++ if (val !== expected) ++ throw "Test failed on iteration " + i + ": " + val ++ ++ if (i == 900) { ++ // now it does ++ Error.stackTraceLimit = 10 ++ expected = 32 ++ } ++} +\ No newline at end of file +diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.cpp b/Source/JavaScriptCore/runtime/ErrorInstance.cpp +index ddf96869e84a..8e5373257d34 100644 +--- a/Source/JavaScriptCore/runtime/ErrorInstance.cpp ++++ b/Source/JavaScriptCore/runtime/ErrorInstance.cpp +@@ -303,7 +303,9 @@ bool ErrorInstance::deleteProperty(JSCell* cell, JSGlobalObject* globalObject, P + { + VM& vm = globalObject->vm(); + ErrorInstance* thisObject = jsCast<ErrorInstance*>(cell); +- thisObject->materializeErrorInfoIfNeeded(vm, propertyName); ++ bool materializedProperties = thisObject->materializeErrorInfoIfNeeded(vm, propertyName); ++ if (materializedProperties) ++ slot.disableCaching(); + return Base::deleteProperty(thisObject, globalObject, propertyName, slot); + } + +diff --git a/Source/JavaScriptCore/runtime/ErrorInstance.h b/Source/JavaScriptCore/runtime/ErrorInstance.h +index 28807b4ea33e..2afb153a7442 100644 +--- a/Source/JavaScriptCore/runtime/ErrorInstance.h ++++ b/Source/JavaScriptCore/runtime/ErrorInstance.h +@@ -30,7 +30,8 @@ namespace JSC { + class ErrorInstance : public JSNonFinalObject { + public: + using Base = JSNonFinalObject; +- static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut; ++ ++ static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut | GetOwnPropertySlotIsImpureForPropertyAbsence; + static constexpr bool needsDestruction = true; + + static void destroy(JSCell* cell) +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch new file mode 100644 index 0000000000..242b8337fa --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46700.patch @@ -0,0 +1,67 @@ +From 86fbeb6fcd638e2350b09a43dde355f9830e75da Mon Sep 17 00:00:00 2001 +From: David Degazio <d_degazio@apple.com> +Date: Tue, 8 Nov 2022 19:54:33 -0800 +Subject: [PATCH] Intl.Locale.prototype.hourCycles leaks empty JSValue to + script https://bugs.webkit.org/show_bug.cgi?id=247562 rdar://102031379 + +Reviewed by Mark Lam. + +We currently don't check if IntlLocale::hourCycles returns a null JSArray, which allows it +to be encoded as an empty JSValue and exposed to user code. This patch throws a TypeError +when udatpg_open returns a failed status. + +* JSTests/stress/intl-locale-invalid-hourCycles.js: Added. +(main): +* Source/JavaScriptCore/runtime/IntlLocale.cpp: +(JSC::IntlLocale::hourCycles): + +Canonical link: https://commits.webkit.org/256473@main + +CVE:CVE-2022-46700 + +Upstream-Status: Backport +[https://github.com/WebKit/WebKit/commit/86fbeb6fcd638e2350b09a43dde355f9830e75da] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + JSTests/stress/intl-locale-invalid-hourCycles.js | 12 ++++++++++++ + Source/JavaScriptCore/runtime/IntlLocale.cpp | 4 +++- + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 JSTests/stress/intl-locale-invalid-hourCycles.js + +diff --git a/JSTests/stress/intl-locale-invalid-hourCycles.js b/JSTests/stress/intl-locale-invalid-hourCycles.js +new file mode 100644 +index 000000000000..7b94eb844764 +--- /dev/null ++++ b/JSTests/stress/intl-locale-invalid-hourCycles.js +@@ -0,0 +1,12 @@ ++function main() { ++ const v24 = new Intl.Locale("trimEnd", { 'numberingSystem': "foobar" }); ++ let empty = v24.hourCycles; ++ print(empty); ++} ++ ++try { ++ main(); ++} catch (e) { ++ if (!(e instanceof TypeError)) ++ throw e; ++} +diff --git a/Source/JavaScriptCore/runtime/IntlLocale.cpp b/Source/JavaScriptCore/runtime/IntlLocale.cpp +index c3c346163a18..bef424727a8a 100644 +--- a/Source/JavaScriptCore/runtime/IntlLocale.cpp ++++ b/Source/JavaScriptCore/runtime/IntlLocale.cpp +@@ -632,8 +632,10 @@ JSArray* IntlLocale::hourCycles(JSGlobalObject* globalObject) + + UErrorCode status = U_ZERO_ERROR; + auto generator = std::unique_ptr<UDateTimePatternGenerator, ICUDeleter<udatpg_close>>(udatpg_open(m_localeID.data(), &status)); +- if (U_FAILURE(status)) ++ if (U_FAILURE(status)) { ++ throwTypeError(globalObject, scope, "invalid locale"_s); + return nullptr; ++ } + + // Use "j" skeleton and parse pattern to retrieve the configured hour-cycle information. + constexpr const UChar skeleton[] = { 'j', 0 }; +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch new file mode 100644 index 0000000000..b67751736d --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch @@ -0,0 +1,225 @@ +From 612c245823a515c8c70c2ad486957bd8a850f0f9 Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki <ysuzuki@apple.com> +Date: Tue, 5 Sep 2023 08:40:19 +0000 +Subject: [PATCH] [JSC] Refactor wasm section ordering code + https://bugs.webkit.org/show_bug.cgi?id=241931 rdar://83326477 + +Reviewed by Keith Miller. + +This patch refactors existing validateOrder code since it is too adhoc right now. + +* Source/JavaScriptCore/wasm/WasmModuleInformation.h: +(JSC::Wasm::ModuleInformation::dataSegmentsCount const): +* Source/JavaScriptCore/wasm/WasmSectionParser.cpp: +(JSC::Wasm::SectionParser::parseData): +(JSC::Wasm::SectionParser::parseDataCount): +* Source/JavaScriptCore/wasm/WasmSectionParser.h: +* Source/JavaScriptCore/wasm/WasmSections.h: +(JSC::Wasm::orderingNumber): +(JSC::Wasm::isKnownSection): +(JSC::Wasm::validateOrder): +(JSC::Wasm::makeString): +* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp: +(JSC::Wasm::StreamingParser::parseSectionPayload): +(JSC::Wasm::StreamingParser::finalize): + +Canonical link: https://commits.webkit.org/251800@main + +CVE: CVE-2022-48503 + +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/612c245823a515c8c70c2ad486957bd8a850f0f9] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + .../wasm/WasmModuleInformation.h | 4 +- + .../JavaScriptCore/wasm/WasmSectionParser.cpp | 3 ++ + .../JavaScriptCore/wasm/WasmSectionParser.h | 2 +- + Source/JavaScriptCore/wasm/WasmSections.h | 52 +++++++++++-------- + .../wasm/WasmStreamingParser.cpp | 11 +++- + 5 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/Source/JavaScriptCore/wasm/WasmModuleInformation.h b/Source/JavaScriptCore/wasm/WasmModuleInformation.h +index ae6bbeed..f9f1baf7 100644 +--- a/Source/JavaScriptCore/wasm/WasmModuleInformation.h ++++ b/Source/JavaScriptCore/wasm/WasmModuleInformation.h +@@ -86,7 +86,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> { + uint32_t memoryCount() const { return memory ? 1 : 0; } + uint32_t tableCount() const { return tables.size(); } + uint32_t elementCount() const { return elements.size(); } +- uint32_t dataSegmentsCount() const { return numberOfDataSegments; } ++ uint32_t dataSegmentsCount() const { return numberOfDataSegments.value_or(0); } + + const TableInformation& table(unsigned index) const { return tables[index]; } + +@@ -131,7 +131,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> { + Vector<CustomSection> customSections; + Ref<NameSection> nameSection; + BranchHints branchHints; +- uint32_t numberOfDataSegments { 0 }; ++ std::optional<uint32_t> numberOfDataSegments; + + BitVector m_declaredFunctions; + BitVector m_declaredExceptions; +diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +index 5b511811..c55ee3c0 100644 +--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp ++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp +@@ -768,6 +768,8 @@ auto SectionParser::parseData() -> PartialResult + uint32_t segmentCount; + WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data section's count"); + WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count is too big ", segmentCount, " maximum ", maxDataSegments); ++ if (m_info->numberOfDataSegments) ++ WASM_PARSER_FAIL_IF(segmentCount != m_info->numberOfDataSegments.value(), "Data section's count ", segmentCount, " is different from Data Count section's count ", m_info->numberOfDataSegments.value()); + WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), "can't allocate enough memory for Data section's ", segmentCount, " segments"); + + for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; ++segmentNumber) { +@@ -847,6 +849,7 @@ auto SectionParser::parseDataCount() -> PartialResult + { + uint32_t numberOfDataSegments; + WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get Data Count section's count"); ++ WASM_PARSER_FAIL_IF(numberOfDataSegments > maxDataSegments, "Data Count section's count is too big ", numberOfDataSegments , " maximum ", maxDataSegments); + + m_info->numberOfDataSegments = numberOfDataSegments; + return { }; +diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.h b/Source/JavaScriptCore/wasm/WasmSectionParser.h +index 91fd3ed8..4d7dcbac 100644 +--- a/Source/JavaScriptCore/wasm/WasmSectionParser.h ++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.h +@@ -44,7 +44,7 @@ public: + { + } + +-#define WASM_SECTION_DECLARE_PARSER(NAME, ID, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME(); ++#define WASM_SECTION_DECLARE_PARSER(NAME, ID, ORDERING, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME(); + FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_DECLARE_PARSER) + #undef WASM_SECTION_DECLARE_PARSER + +diff --git a/Source/JavaScriptCore/wasm/WasmSections.h b/Source/JavaScriptCore/wasm/WasmSections.h +index bef20701..b422a587 100644 +--- a/Source/JavaScriptCore/wasm/WasmSections.h ++++ b/Source/JavaScriptCore/wasm/WasmSections.h +@@ -33,20 +33,21 @@ IGNORE_RETURN_TYPE_WARNINGS_BEGIN + + namespace JSC { namespace Wasm { + ++// macro(Name, ID, OrderingNumber, Description). + #define FOR_EACH_KNOWN_WASM_SECTION(macro) \ +- macro(Type, 1, "Function signature declarations") \ +- macro(Import, 2, "Import declarations") \ +- macro(Function, 3, "Function declarations") \ +- macro(Table, 4, "Indirect function table and other tables") \ +- macro(Memory, 5, "Memory attributes") \ +- macro(Global, 6, "Global declarations") \ +- macro(Export, 7, "Exports") \ +- macro(Start, 8, "Start function declaration") \ +- macro(Element, 9, "Elements section") \ +- macro(Code, 10, "Function bodies (code)") \ +- macro(Data, 11, "Data segments") \ +- macro(DataCount, 12, "Data count") \ +- macro(Exception, 13, "Exception declarations") \ ++ macro(Type, 1, 1, "Function signature declarations") \ ++ macro(Import, 2, 2, "Import declarations") \ ++ macro(Function, 3, 3, "Function declarations") \ ++ macro(Table, 4, 4, "Indirect function table and other tables") \ ++ macro(Memory, 5, 5, "Memory attributes") \ ++ macro(Global, 6, 7, "Global declarations") \ ++ macro(Export, 7, 8, "Exports") \ ++ macro(Start, 8, 9, "Start function declaration") \ ++ macro(Element, 9, 10, "Elements section") \ ++ macro(Code, 10, 12, "Function bodies (code)") \ ++ macro(Data, 11, 13, "Data segments") \ ++ macro(DataCount, 12, 11, "Data count") \ ++ macro(Exception, 13, 6, "Exception declarations") \ + + enum class Section : uint8_t { + // It's important that Begin is less than every other section number and that Custom is greater. +@@ -54,18 +55,29 @@ enum class Section : uint8_t { + // Also, Begin is not a real section but is used as a marker for validating the ordering + // of sections. + Begin = 0, +-#define DEFINE_WASM_SECTION_ENUM(NAME, ID, DESCRIPTION) NAME = ID, ++#define DEFINE_WASM_SECTION_ENUM(NAME, ID, ORDERING, DESCRIPTION) NAME = ID, + FOR_EACH_KNOWN_WASM_SECTION(DEFINE_WASM_SECTION_ENUM) + #undef DEFINE_WASM_SECTION_ENUM + Custom + }; + static_assert(static_cast<uint8_t>(Section::Begin) < static_cast<uint8_t>(Section::Type), "Begin should come before the first known section."); + ++inline unsigned orderingNumber(Section section) ++{ ++ switch (section) { ++#define ORDERING_OF_SECTION(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return ORDERING; ++ FOR_EACH_KNOWN_WASM_SECTION(ORDERING_OF_SECTION) ++#undef VALIDATE_SECTION ++ default: ++ return static_cast<unsigned>(section); ++ } ++} ++ + template<typename Int> + inline bool isKnownSection(Int section) + { + switch (section) { +-#define VALIDATE_SECTION(NAME, ID, DESCRIPTION) case static_cast<Int>(Section::NAME): return true; ++#define VALIDATE_SECTION(NAME, ID, ORDERING, DESCRIPTION) case static_cast<Int>(Section::NAME): return true; + FOR_EACH_KNOWN_WASM_SECTION(VALIDATE_SECTION) + #undef VALIDATE_SECTION + default: +@@ -89,13 +101,7 @@ inline bool decodeSection(uint8_t sectionByte, Section& section) + inline bool validateOrder(Section previousKnown, Section next) + { + ASSERT(isKnownSection(previousKnown) || previousKnown == Section::Begin); +- if (previousKnown == Section::DataCount && next == Section::Code) +- return true; +- if (previousKnown == Section::Exception) +- return next >= Section::Global; +- if (next == Section::Exception) +- return previousKnown <= Section::Memory; +- return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next); ++ return orderingNumber(previousKnown) < orderingNumber(next); + } + + inline const char* makeString(Section section) +@@ -105,7 +111,7 @@ inline const char* makeString(Section section) + return "Begin"; + case Section::Custom: + return "Custom"; +-#define STRINGIFY_SECTION_NAME(NAME, ID, DESCRIPTION) case Section::NAME: return #NAME; ++#define STRINGIFY_SECTION_NAME(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return #NAME; + FOR_EACH_KNOWN_WASM_SECTION(STRINGIFY_SECTION_NAME) + #undef STRINGIFY_SECTION_NAME + } +diff --git a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp +index fa552eff..25e7e32d 100644 +--- a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp ++++ b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp +@@ -161,7 +161,7 @@ auto StreamingParser::parseSectionPayload(Vector<uint8_t>&& data) -> State + { + SectionParser parser(data.data(), data.size(), m_offset, m_info.get()); + switch (m_section) { +-#define WASM_SECTION_PARSE(NAME, ID, DESCRIPTION) \ ++#define WASM_SECTION_PARSE(NAME, ID, ORDERING, DESCRIPTION) \ + case Section::NAME: { \ + WASM_STREAMING_PARSER_FAIL_IF_HELPER_FAILS(parser.parse ## NAME()); \ + break; \ +@@ -393,9 +393,18 @@ auto StreamingParser::finalize() -> State + m_state = fail("Number of functions parsed (", m_functionCount, ") does not match the number of declared functions (", m_info->functions.size(), ")"); + break; + } ++ ++ if (m_info->numberOfDataSegments) { ++ if (UNLIKELY(m_info->data.size() != m_info->numberOfDataSegments.value())) { ++ m_state = fail("Data section's count ", m_info->data.size(), " is different from Data Count section's count ", m_info->numberOfDataSegments.value()); ++ break; ++ } ++ } ++ + if (m_remaining.isEmpty()) { + if (UNLIKELY(Options::useEagerWebAssemblyModuleHashing())) + m_info->nameSection->setHash(m_hasher.computeHexDigest()); ++ + m_state = State::Finished; + m_client.didFinishParsing(); + } else +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch new file mode 100644 index 0000000000..f2e9808ab4 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-23529.patch @@ -0,0 +1,65 @@ +CVE: CVE-2023-23529 +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c] + +With the help from webkit maillist, backport and rebase patch to fix +CVE-2023-23529. + +https://lists.webkit.org/pipermail/webkit-gtk/2023-August/003931.html + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 6cc943c3323a1a1368934c812e5e8ec08f54dcd4 Mon Sep 17 00:00:00 2001 +From: Yusuke Suzuki <ysuzuki@apple.com> +Date: Fri, 17 Feb 2023 10:39:19 -0800 +Subject: [PATCH] Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92). + rdar://105598149 + + [JSC] ToThis object folding should check if AbstractValue is always an object + https://bugs.webkit.org/show_bug.cgi?id=251944 + rdar://105175786 + + Reviewed by Geoffrey Garen and Mark Lam. + + ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding. + This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects. + This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example. + + * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::isToThisAnIdentity): + + Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch + +Canonical link: https://commits.webkit.org/260455@main +--- + .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h +index 928328ffab826..82481455e651d 100644 +--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h ++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h +@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& + } + } + +- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) { ++ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject); ++ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) { + bool allStructuresAreJSScope = !valueForNode.m_structure.isClear(); + bool overridesToThis = false; + valueForNode.m_structure.forEach([&](RegisteredStructure structure) { +@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue& + // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation. + allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis; + }); ++ ++ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity. + if (!overridesToThis) + return ToThisResult::Identity; +- if (allStructuresAreJSScope) { ++ ++ // But this folding is available only if input is always an object. ++ if (onlyObjects && allStructuresAreJSScope) { + if (ecmaMode.isStrict()) + return ToThisResult::Undefined; + return ToThisResult::GlobalThis; diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch new file mode 100644 index 0000000000..f8d7b613fa --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch @@ -0,0 +1,127 @@ +From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001 +From: Yijia Huang <yijia_huang@apple.com> +Date: Tue, 26 Sep 2023 09:23:31 +0000 +Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c). + https://bugs.webkit.org/show_bug.cgi?id=256567 + + EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds + https://bugs.webkit.org/show_bug.cgi?id=256567 + rdar://109089013 + + Reviewed by Yusuke Suzuki. + + EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However, + they might introduce the same heap location kind in DFGClobberize.h which might lead to + hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode. + + * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added. + (foo): + * Source/JavaScriptCore/dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * Source/JavaScriptCore/dfg/DFGHeapLocation.h: + + Canonical link: https://commits.webkit.org/263909@main + +Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40 + +CVE: CVE-2023-32439 + +Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + .../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++ + Source/JavaScriptCore/dfg/DFGClobberize.h | 7 ++++--- + Source/JavaScriptCore/dfg/DFGHeapLocation.cpp | 4 ++++ + Source/JavaScriptCore/dfg/DFGHeapLocation.h | 1 + + 4 files changed, 21 insertions(+), 3 deletions(-) + create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js + +diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js +new file mode 100644 +index 00000000..ed40601e +--- /dev/null ++++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js +@@ -0,0 +1,12 @@ ++//@ runDefault("--watchdog=300", "--watchdog-exception-ok") ++const arr = [0]; ++ ++function foo() { ++ for (let _ in arr) { ++ 0 in arr; ++ while(1); ++ } ++} ++ ++ ++foo(); +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h +index f96e21d2..af3e864b 100644 +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h ++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h +@@ -371,6 +371,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + + read(JSObject_butterfly); + ArrayMode mode = node->arrayMode(); ++ LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc; + switch (mode.type()) { + case Array::ForceExit: { + write(SideState); +@@ -380,7 +381,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedInt32Properties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +@@ -390,7 +391,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedDoubleProperties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +@@ -400,7 +401,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu + if (mode.isInBounds()) { + read(Butterfly_publicLength); + read(IndexedContiguousProperties); +- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); ++ def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node)); + return; + } + break; +diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp +index 0661e5b8..698a6d4b 100644 +--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp ++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp +@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind) + out.print("HasIndexedPorpertyLoc"); + return; + ++ case EnumeratorNextUpdateIndexAndModeLoc: ++ out.print("EnumeratorNextUpdateIndexAndModeLoc"); ++ return; ++ + case IndexedPropertyDoubleLoc: + out.print("IndexedPropertyDoubleLoc"); + return; +diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h +index 40fb7167..7238491b 100644 +--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h ++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h +@@ -46,6 +46,7 @@ enum LocationKind { + DirectArgumentsLoc, + GetterLoc, + GlobalVariableLoc, ++ EnumeratorNextUpdateIndexAndModeLoc, + HasIndexedPropertyLoc, + IndexedPropertyDoubleLoc, + IndexedPropertyDoubleSaneChainLoc, +-- +2.40.0 diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 7b2c5c6e36..f4b8456749 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb @@ -15,6 +15,15 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://0001-Fix-build-without-opengl-or-es.patch \ file://reproducibility.patch \ file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \ + file://CVE-2022-32888.patch \ + file://CVE-2022-32923.patch \ + file://CVE-2022-46691.patch \ + file://CVE-2022-46699.patch \ + file://CVE-2022-42867.patch \ + file://CVE-2022-46700.patch \ + file://CVE-2023-23529.patch \ + file://CVE-2022-48503.patch \ + file://CVE-2023-32439.patch \ " SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437" diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb index 708201043b..b3d7b229c8 100644 --- a/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb +++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.14.2.bb @@ -13,7 +13,7 @@ inherit meson features_check pkgconfig REQUIRED_DISTRO_FEATURES = "opengl" SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "e75b0cb2c7145448416e8696013d8883f675c66c11ed750e06865efec5809155" +SRC_URI[sha256sum] = "93c9766ae9864eeaeaee2b0a74f22cbca08df42c1a1bdb55b086f2528e380d38" # Especially helps compiling with clang which enable this as error when # using c++11 |