
Bug#781386: unblock: webkitgtk/2.4.8-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package webkitgtk

This package contains two patches:

   * debian/patches/g-closure-unref.diff:

     Fixes a case of use-after-free.

     http://bugs.debian.org/780444

   * debian/patches/fix-cloop.patch:

     Fixes the LLInt part of the JavaScript interpreter; the bug makes
     webkitgtk unusable on powerpc.

     This patch has been recommended by the Red Hat maintainer.

     http://bugs.debian.org/771841

unblock webkitgtk/2.4.8-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkitgtk-2.4.8/debian/changelog webkitgtk-2.4.8/debian/changelog
--- webkitgtk-2.4.8/debian/changelog	2015-01-17 14:19:53.000000000 +0200
+++ webkitgtk-2.4.8/debian/changelog	2015-03-26 23:49:46.000000000 +0200
@@ -1,3 +1,13 @@
+webkitgtk (2.4.8-2) unstable; urgency=medium
+
+  * debian/patches/g-closure-unref.diff:
+    + Fix use-after-free warning when loading page into WebView
+     (Closes: #780444).
+  * debian/patches/fix-cloop.patch:
+    + Fix crash on powerpc (Closes: #771841).
+
+ -- Alberto Garcia <berto@igalia.com>  Thu, 26 Mar 2015 23:49:21 +0200
+
 webkitgtk (2.4.8-1) unstable; urgency=medium
 
   * New upstream release, which includes some of the patches already
diff -Nru webkitgtk-2.4.8/debian/patches/fix-cloop.patch webkitgtk-2.4.8/debian/patches/fix-cloop.patch
--- webkitgtk-2.4.8/debian/patches/fix-cloop.patch	1970-01-01 02:00:00.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/fix-cloop.patch	2015-03-26 23:49:46.000000000 +0200
@@ -0,0 +1,240 @@
+From: Tomas Popela <tpopela@redhat.com>
+Subject: Fix crash on powerpc
+Bug-Debian: https://bugs.debian.org/771841
+Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+@@ -2002,7 +2002,7 @@ _llint_op_next_pname:
+     loadi 20[PC], t2
+     loadi PayloadOffset[cfr, t2, 8], t2
+     loadp JSPropertyNameIterator::m_jsStrings[t2], t3
+-    loadi [t3, t0, 8], t3
++    loadi PayloadOffset[t3, t0, 8], t3
+     addi 1, t0
+     storei t0, PayloadOffset[cfr, t1, 8]
+     loadi 4[PC], t1
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+@@ -299,13 +299,13 @@ macro assertNotConstant(index)
+ end
+ 
+ macro functionForCallCodeBlockGetter(targetRegister)
+-    loadp Callee[cfr], targetRegister
++    loadp Callee + PayloadOffset[cfr], targetRegister
+     loadp JSFunction::m_executable[targetRegister], targetRegister
+     loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister
+ end
+ 
+ macro functionForConstructCodeBlockGetter(targetRegister)
+-    loadp Callee[cfr], targetRegister
++    loadp Callee + PayloadOffset[cfr], targetRegister
+     loadp JSFunction::m_executable[targetRegister], targetRegister
+     loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister
+ end
+Index: webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
++++ webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
+@@ -36,7 +36,7 @@ struct ProtoCallFrame {
+     Register calleeValue;
+     Register argCountAndCodeOriginValue;
+     Register thisArg;
+-    size_t paddedArgCount;
++    uint32_t paddedArgCount;
+     JSValue *args;
+ 
+     void init(CodeBlock*, JSScope*, JSObject*, JSValue, int, JSValue* otherArgs = 0);
+@@ -53,7 +53,7 @@ struct ProtoCallFrame {
+     int argumentCountIncludingThis() const { return argCountAndCodeOriginValue.payload(); }
+     int argumentCount() const { return argumentCountIncludingThis() - 1; }
+     void setArgumentCountIncludingThis(int count) { argCountAndCodeOriginValue.payload() = count; }
+-    void setPaddedArgsCount(size_t argCount) { paddedArgCount = argCount; }
++    void setPaddedArgsCount(uint32_t argCount) { paddedArgCount = argCount; }
+ 
+     void clearCurrentVPC() { argCountAndCodeOriginValue.tag() = 0; }
+     
+Index: webkitgtk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
++++ webkitgtk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+@@ -1354,7 +1354,7 @@ LLINT_SLOW_PATH_DECL(slow_path_get_from_
+             CodeBlock* codeBlock = exec->codeBlock();
+             ConcurrentJITLocker locker(codeBlock->m_lock);
+             pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());
+-            pc[6].u.operand = slot.cachedOffset();
++            pc[6].u.pointer = reinterpret_cast<void*>(slot.cachedOffset());
+         }
+     }
+ 
+@@ -1381,7 +1381,7 @@ LLINT_SLOW_PATH_DECL(slow_path_put_to_sc
+         if (slot.isCacheable() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
+             ConcurrentJITLocker locker(codeBlock->m_lock);
+             pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());
+-            pc[6].u.operand = slot.cachedOffset();
++            pc[6].u.pointer = reinterpret_cast<void*>(slot.cachedOffset());
+         }
+     }
+ 
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+@@ -282,7 +282,7 @@ macro doCallToJavaScript(makeCall, doRet
+     storep temp3, CodeBlock+4[cfr, temp1, 8]
+     btinz temp1, .copyHeaderLoop
+ 
+-    loadi ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
++    loadi PayloadOffset + ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
+     subi 1, temp2
+     loadi ProtoCallFrame::paddedArgCount[protoCallFrame], temp3
+     subi 1, temp3
+@@ -321,7 +321,7 @@ macro doCallToJavaScript(makeCall, doRet
+ 
+ .calleeFramePopped:
+     loadp Callee[cfr], temp3 # VM.topCallFrame
+-    loadp ScopeChain[cfr], temp4
++    loadp ScopeChain + PayloadOffset[cfr], temp4
+     storep temp4, [temp3]
+ 
+     doReturn(extraStackSpace)
+@@ -598,7 +598,7 @@ end
+ 
+ 
+ macro branchIfException(label)
+-    loadp ScopeChain[cfr], t3
++    loadp ScopeChain + PayloadOffset[cfr], t3
+     andp MarkedBlockMask, t3
+     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+     bieq VM::m_exception + TagOffset[t3], EmptyValueTag, .noException
+@@ -2039,7 +2039,7 @@ _llint_op_catch:
+     # the interpreter's throw trampoline (see _llint_throw_trampoline).
+     # The throwing code must have known that we were throwing to the interpreter,
+     # and have set VM::targetInterpreterPCForThrow.
+-    loadp ScopeChain[cfr], t3
++    loadp ScopeChain + PayloadOffset[cfr], t3
+     andp MarkedBlockMask, t3
+     loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+     loadp VM::callFrameForThrow[t3], cfr
+@@ -2159,7 +2159,7 @@ macro nativeCallTrampoline(executableOff
+         andp MarkedBlockMask, t3
+         loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+     elsif C_LOOP
+-        loadp ScopeChain[cfr], t3
++        loadp ScopeChain + PayloadOffset[cfr], t3
+         andp MarkedBlockMask, t3
+         loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+         storep cfr, VM::topCallFrame[t3]
+@@ -2172,7 +2172,7 @@ macro nativeCallTrampoline(executableOff
+         move t2, cfr
+         cloopCallNative executableOffsetToFunction[t1]
+         restoreReturnAddressBeforeReturn(t3)
+-        loadp ScopeChain[cfr], t3
++        loadp ScopeChain + PayloadOffset[cfr], t3
+         andp MarkedBlockMask, t3
+         loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+     else
+@@ -2212,7 +2212,7 @@ macro resolveScope()
+     addi 1, t2
+ 
+ .resolveScopeAfterActivationCheck:
+-    loadp ScopeChain[cfr], t0
++    loadp ScopeChain + PayloadOffset[cfr], t0
+     btiz t2, .resolveScopeLoopEnd
+ 
+ .resolveScopeLoop:
+@@ -2271,13 +2271,13 @@ _llint_op_resolve_scope:
+ 
+ macro loadWithStructureCheck(operand, slowPath)
+     loadisFromInstruction(operand, t0)
+-    loadp [cfr, t0, 8], t0
++    loadp PayloadOffset[cfr, t0, 8], t0
+     loadpFromInstruction(5, t1)
+     bpneq JSCell::m_structure[t0], t1, slowPath
+ end
+ 
+ macro getProperty()
+-    loadisFromInstruction(6, t3)
++    loadpFromInstruction(6, t3)
+     loadPropertyAtVariableOffset(t3, t0, t1, t2)
+     valueProfile(t1, t2, 28, t0)
+     loadisFromInstruction(1, t0)
+@@ -2297,7 +2297,7 @@ end
+ 
+ macro getClosureVar()
+     loadp JSVariableObject::m_registers[t0], t0
+-    loadisFromInstruction(6, t3)
++    loadpFromInstruction(6, t3)
+     loadp TagOffset[t0, t3, 8], t1
+     loadp PayloadOffset[t0, t3, 8], t2
+     valueProfile(t1, t2, 28, t0)
+@@ -2356,7 +2356,7 @@ _llint_op_get_from_scope:
+ macro putProperty()
+     loadisFromInstruction(3, t1)
+     loadConstantOrVariable(t1, t2, t3)
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     storePropertyAtVariableOffset(t1, t0, t2, t3)
+ end
+ 
+@@ -2374,7 +2374,7 @@ macro putClosureVar()
+     loadisFromInstruction(3, t1)
+     loadConstantOrVariable(t1, t2, t3)
+     loadp JSVariableObject::m_registers[t0], t0
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     storei t2, TagOffset[t0, t1, 8]
+     storei t3, PayloadOffset[t0, t1, 8]
+ end
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+@@ -171,7 +171,7 @@ macro doCallToJavaScript(makeCall, doRet
+     storep temp3, CodeBlock[cfr, temp1, 8]
+     btinz temp1, .copyHeaderLoop
+ 
+-    loadi ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
++    loadi PayloadOffset + ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
+     subi 1, temp2
+     loadi ProtoCallFrame::paddedArgCount[protoCallFrame], temp3
+     subi 1, temp3
+@@ -2047,7 +2047,7 @@ macro loadWithStructureCheck(operand, sl
+ end
+ 
+ macro getProperty()
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     loadPropertyAtVariableOffset(t1, t0, t2)
+     valueProfile(t2, 7, t0)
+     loadisFromInstruction(1, t0)
+@@ -2064,7 +2064,7 @@ end
+ 
+ macro getClosureVar()
+     loadp JSVariableObject::m_registers[t0], t0
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     loadq [t0, t1, 8], t0
+     valueProfile(t0, 7, t1)
+     loadisFromInstruction(1, t1)
+@@ -2121,7 +2121,7 @@ _llint_op_get_from_scope:
+ macro putProperty()
+     loadisFromInstruction(3, t1)
+     loadConstantOrVariable(t1, t2)
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     storePropertyAtVariableOffset(t1, t0, t2)
+ end
+ 
+@@ -2138,7 +2138,7 @@ macro putClosureVar()
+     loadisFromInstruction(3, t1)
+     loadConstantOrVariable(t1, t2)
+     loadp JSVariableObject::m_registers[t0], t0
+-    loadisFromInstruction(6, t1)
++    loadpFromInstruction(6, t1)
+     storeq t2, [t0, t1, 8]
+ end
+ 
diff -Nru webkitgtk-2.4.8/debian/patches/g-closure-unref.diff webkitgtk-2.4.8/debian/patches/g-closure-unref.diff
--- webkitgtk-2.4.8/debian/patches/g-closure-unref.diff	1970-01-01 02:00:00.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/g-closure-unref.diff	2015-03-26 23:49:46.000000000 +0200
@@ -0,0 +1,28 @@
+From: Milan Crha <mcrha@redhat.com>
+Subject: Fix use-after-free warning when loading page into WebView
+Bug: https://bugs.webkit.org/show_bug.cgi?id=127474
+Bug-Debian: http://bugs.debian.org/780444
+Origin: http://trac.webkit.org/changeset/180141
+Index: webkitgtk/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
++++ webkitgtk/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+@@ -52,12 +52,13 @@ void GObjectEventListener::gobjectDestro
+ {
+     ASSERT(m_coreTarget);
+ 
+-    // We must set m_coreTarget to null, because removeEventListener
+-    // may call the destructor as a side effect and we must be in the
+-    // proper state to prevent g_object_weak_unref.
+-    EventTarget* target = m_coreTarget;
++    // Protect 'this' class in case the 'm_coreTarget' holds the last reference,
++    // which may cause, inside removeEventListener(), free of this object
++    // and later use-after-free with the m_handler = 0; assignment.
++    RefPtr<GObjectEventListener> protect(this);
++
++    m_coreTarget->removeEventListener(m_domEventName.data(), this, m_capture);
+     m_coreTarget = 0;
+-    target->removeEventListener(m_domEventName.data(), this, m_capture);
+     m_handler = 0;
+ }
+ 
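Review bot: The rewritten `gobjectDestroyed` body drops the old comment that explained why `m_coreTarget` had to be cleared around `removeEventListener()` (so the destructor does not reach `g_object_weak_unref`), and the new comment only explains the `RefPtr` guard; the ordering constraint still exists, it is just satisfied differently now, because `protect` keeps `this` alive until after `m_coreTarget = 0;` and `m_handler = 0;` have run. Suggest extending the new comment with `// Destruction is deferred until 'protect' goes out of scope, after m_coreTarget has been cleared, so the destructor will not touch the GObject.` The function's signature and the declarations of the members involved lie outside the hunk, so whether the destructor also inspects `m_handler` cannot be confirmed from here and is worth checking.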
diff -Nru webkitgtk-2.4.8/debian/patches/series webkitgtk-2.4.8/debian/patches/series
--- webkitgtk-2.4.8/debian/patches/series	2015-01-17 14:19:53.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/series	2015-03-26 23:49:46.000000000 +0200
@@ -14,3 +14,5 @@
 nullptr-accessibilitymenulistoption.patch
 ax-focus-events.patch
 fix-ftbfs-pluginpackage.patch
+g-closure-unref.diff
+fix-cloop.patch
