- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: webkitgtk/2.4.8-2
- From: Alberto Garcia <berto@igalia.com>
- Date: Sat, 28 Mar 2015 14:43:53 +0200
- Message-id: <20150328124353.25297.64060.reportbug@perseus.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package webkitgtk
This package contains two patches:
* debian/patches/g-closure-unref.diff:
Fixes a case of use-after-free.
http://bugs.debian.org/780444
* debian/patches/fix-cloop.patch:
Fixes the LLInt part of the JavaScript interpreter, which was making
webkitgtk unusable on powerpc.
This patch has been recommended by the RedHat maintainer.
http://bugs.debian.org/771841
unblock webkitgtk/2.4.8-2
-- System Information:
Debian Release: 8.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru webkitgtk-2.4.8/debian/changelog webkitgtk-2.4.8/debian/changelog
--- webkitgtk-2.4.8/debian/changelog 2015-01-17 14:19:53.000000000 +0200
+++ webkitgtk-2.4.8/debian/changelog 2015-03-26 23:49:46.000000000 +0200
@@ -1,3 +1,13 @@
+webkitgtk (2.4.8-2) unstable; urgency=medium
+
+ * debian/patches/g-closure-unref.diff:
+ + Fix use-after-free warning when loading page into WebView
+ (Closes: #780444).
+ * debian/patches/fix-cloop.patch:
+ + Fix crash on powerpc (Closes: #771841).
+
+ -- Alberto Garcia <berto@igalia.com> Thu, 26 Mar 2015 23:49:21 +0200
+
webkitgtk (2.4.8-1) unstable; urgency=medium
* New upstream release, which includes some of the patches already
diff -Nru webkitgtk-2.4.8/debian/patches/fix-cloop.patch webkitgtk-2.4.8/debian/patches/fix-cloop.patch
--- webkitgtk-2.4.8/debian/patches/fix-cloop.patch 1970-01-01 02:00:00.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/fix-cloop.patch 2015-03-26 23:49:46.000000000 +0200
@@ -0,0 +1,240 @@
+From: Tomas Popela <tpopela@redhat.com>
+Subject: Fix crash on powerpc
+Bug-Debian: https://bugs.debian.org/771841
+Origin: http://pkgs.fedoraproject.org/cgit/webkitgtk3.git/tree/
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+@@ -2002,7 +2002,7 @@ _llint_op_next_pname:
+ loadi 20[PC], t2
+ loadi PayloadOffset[cfr, t2, 8], t2
+ loadp JSPropertyNameIterator::m_jsStrings[t2], t3
+- loadi [t3, t0, 8], t3
++ loadi PayloadOffset[t3, t0, 8], t3
+ addi 1, t0
+ storei t0, PayloadOffset[cfr, t1, 8]
+ loadi 4[PC], t1
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+@@ -299,13 +299,13 @@ macro assertNotConstant(index)
+ end
+
+ macro functionForCallCodeBlockGetter(targetRegister)
+- loadp Callee[cfr], targetRegister
++ loadp Callee + PayloadOffset[cfr], targetRegister
+ loadp JSFunction::m_executable[targetRegister], targetRegister
+ loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister
+ end
+
+ macro functionForConstructCodeBlockGetter(targetRegister)
+- loadp Callee[cfr], targetRegister
++ loadp Callee + PayloadOffset[cfr], targetRegister
+ loadp JSFunction::m_executable[targetRegister], targetRegister
+ loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister
+ end
+Index: webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
++++ webkitgtk/Source/JavaScriptCore/interpreter/ProtoCallFrame.h
+@@ -36,7 +36,7 @@ struct ProtoCallFrame {
+ Register calleeValue;
+ Register argCountAndCodeOriginValue;
+ Register thisArg;
+- size_t paddedArgCount;
++ uint32_t paddedArgCount;
+ JSValue *args;
+
+ void init(CodeBlock*, JSScope*, JSObject*, JSValue, int, JSValue* otherArgs = 0);
+@@ -53,7 +53,7 @@ struct ProtoCallFrame {
+ int argumentCountIncludingThis() const { return argCountAndCodeOriginValue.payload(); }
+ int argumentCount() const { return argumentCountIncludingThis() - 1; }
+ void setArgumentCountIncludingThis(int count) { argCountAndCodeOriginValue.payload() = count; }
+- void setPaddedArgsCount(size_t argCount) { paddedArgCount = argCount; }
++ void setPaddedArgsCount(uint32_t argCount) { paddedArgCount = argCount; }
+
+ void clearCurrentVPC() { argCountAndCodeOriginValue.tag() = 0; }
+
+Index: webkitgtk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
++++ webkitgtk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+@@ -1354,7 +1354,7 @@ LLINT_SLOW_PATH_DECL(slow_path_get_from_
+ CodeBlock* codeBlock = exec->codeBlock();
+ ConcurrentJITLocker locker(codeBlock->m_lock);
+ pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());
+- pc[6].u.operand = slot.cachedOffset();
++ pc[6].u.pointer = reinterpret_cast<void*>(slot.cachedOffset());
+ }
+ }
+
+@@ -1381,7 +1381,7 @@ LLINT_SLOW_PATH_DECL(slow_path_put_to_sc
+ if (slot.isCacheable() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
+ ConcurrentJITLocker locker(codeBlock->m_lock);
+ pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());
+- pc[6].u.operand = slot.cachedOffset();
++ pc[6].u.pointer = reinterpret_cast<void*>(slot.cachedOffset());
+ }
+ }
+
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+@@ -282,7 +282,7 @@ macro doCallToJavaScript(makeCall, doRet
+ storep temp3, CodeBlock+4[cfr, temp1, 8]
+ btinz temp1, .copyHeaderLoop
+
+- loadi ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
++ loadi PayloadOffset + ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
+ subi 1, temp2
+ loadi ProtoCallFrame::paddedArgCount[protoCallFrame], temp3
+ subi 1, temp3
+@@ -321,7 +321,7 @@ macro doCallToJavaScript(makeCall, doRet
+
+ .calleeFramePopped:
+ loadp Callee[cfr], temp3 # VM.topCallFrame
+- loadp ScopeChain[cfr], temp4
++ loadp ScopeChain + PayloadOffset[cfr], temp4
+ storep temp4, [temp3]
+
+ doReturn(extraStackSpace)
+@@ -598,7 +598,7 @@ end
+
+
+ macro branchIfException(label)
+- loadp ScopeChain[cfr], t3
++ loadp ScopeChain + PayloadOffset[cfr], t3
+ andp MarkedBlockMask, t3
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+ bieq VM::m_exception + TagOffset[t3], EmptyValueTag, .noException
+@@ -2039,7 +2039,7 @@ _llint_op_catch:
+ # the interpreter's throw trampoline (see _llint_throw_trampoline).
+ # The throwing code must have known that we were throwing to the interpreter,
+ # and have set VM::targetInterpreterPCForThrow.
+- loadp ScopeChain[cfr], t3
++ loadp ScopeChain + PayloadOffset[cfr], t3
+ andp MarkedBlockMask, t3
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+ loadp VM::callFrameForThrow[t3], cfr
+@@ -2159,7 +2159,7 @@ macro nativeCallTrampoline(executableOff
+ andp MarkedBlockMask, t3
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+ elsif C_LOOP
+- loadp ScopeChain[cfr], t3
++ loadp ScopeChain + PayloadOffset[cfr], t3
+ andp MarkedBlockMask, t3
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+ storep cfr, VM::topCallFrame[t3]
+@@ -2172,7 +2172,7 @@ macro nativeCallTrampoline(executableOff
+ move t2, cfr
+ cloopCallNative executableOffsetToFunction[t1]
+ restoreReturnAddressBeforeReturn(t3)
+- loadp ScopeChain[cfr], t3
++ loadp ScopeChain + PayloadOffset[cfr], t3
+ andp MarkedBlockMask, t3
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
+ else
+@@ -2212,7 +2212,7 @@ macro resolveScope()
+ addi 1, t2
+
+ .resolveScopeAfterActivationCheck:
+- loadp ScopeChain[cfr], t0
++ loadp ScopeChain + PayloadOffset[cfr], t0
+ btiz t2, .resolveScopeLoopEnd
+
+ .resolveScopeLoop:
+@@ -2271,13 +2271,13 @@ _llint_op_resolve_scope:
+
+ macro loadWithStructureCheck(operand, slowPath)
+ loadisFromInstruction(operand, t0)
+- loadp [cfr, t0, 8], t0
++ loadp PayloadOffset[cfr, t0, 8], t0
+ loadpFromInstruction(5, t1)
+ bpneq JSCell::m_structure[t0], t1, slowPath
+ end
+
+ macro getProperty()
+- loadisFromInstruction(6, t3)
++ loadpFromInstruction(6, t3)
+ loadPropertyAtVariableOffset(t3, t0, t1, t2)
+ valueProfile(t1, t2, 28, t0)
+ loadisFromInstruction(1, t0)
+@@ -2297,7 +2297,7 @@ end
+
+ macro getClosureVar()
+ loadp JSVariableObject::m_registers[t0], t0
+- loadisFromInstruction(6, t3)
++ loadpFromInstruction(6, t3)
+ loadp TagOffset[t0, t3, 8], t1
+ loadp PayloadOffset[t0, t3, 8], t2
+ valueProfile(t1, t2, 28, t0)
+@@ -2356,7 +2356,7 @@ _llint_op_get_from_scope:
+ macro putProperty()
+ loadisFromInstruction(3, t1)
+ loadConstantOrVariable(t1, t2, t3)
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ storePropertyAtVariableOffset(t1, t0, t2, t3)
+ end
+
+@@ -2374,7 +2374,7 @@ macro putClosureVar()
+ loadisFromInstruction(3, t1)
+ loadConstantOrVariable(t1, t2, t3)
+ loadp JSVariableObject::m_registers[t0], t0
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ storei t2, TagOffset[t0, t1, 8]
+ storei t3, PayloadOffset[t0, t1, 8]
+ end
+Index: webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+===================================================================
+--- webkitgtk.orig/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
++++ webkitgtk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+@@ -171,7 +171,7 @@ macro doCallToJavaScript(makeCall, doRet
+ storep temp3, CodeBlock[cfr, temp1, 8]
+ btinz temp1, .copyHeaderLoop
+
+- loadi ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
++ loadi PayloadOffset + ProtoCallFrame::argCountAndCodeOriginValue[protoCallFrame], temp2
+ subi 1, temp2
+ loadi ProtoCallFrame::paddedArgCount[protoCallFrame], temp3
+ subi 1, temp3
+@@ -2047,7 +2047,7 @@ macro loadWithStructureCheck(operand, sl
+ end
+
+ macro getProperty()
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ loadPropertyAtVariableOffset(t1, t0, t2)
+ valueProfile(t2, 7, t0)
+ loadisFromInstruction(1, t0)
+@@ -2064,7 +2064,7 @@ end
+
+ macro getClosureVar()
+ loadp JSVariableObject::m_registers[t0], t0
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ loadq [t0, t1, 8], t0
+ valueProfile(t0, 7, t1)
+ loadisFromInstruction(1, t1)
+@@ -2121,7 +2121,7 @@ _llint_op_get_from_scope:
+ macro putProperty()
+ loadisFromInstruction(3, t1)
+ loadConstantOrVariable(t1, t2)
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ storePropertyAtVariableOffset(t1, t0, t2)
+ end
+
+@@ -2138,7 +2138,7 @@ macro putClosureVar()
+ loadisFromInstruction(3, t1)
+ loadConstantOrVariable(t1, t2)
+ loadp JSVariableObject::m_registers[t0], t0
+- loadisFromInstruction(6, t1)
++ loadpFromInstruction(6, t1)
+ storeq t2, [t0, t1, 8]
+ end
+
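Review bot: The DEP-3 header at the top of the new patch gives only `Subject: Fix crash on powerpc` and an `Origin:` that points at a whole package tree rather than a specific commit, so the mechanism of the fix is not recorded anywhere in the package. Add a `Description:` stating that the C++ side is adjusted to match the widths the LLInt assembly reads — `paddedArgCount` becomes `uint32_t` because the asm loads it with `loadi`, and the cached property offset is stored through `u.pointer` because `getProperty`/`putProperty` now fetch it with `loadpFromInstruction` — while the `PayloadOffset` additions select the payload half of tagged 32_64 slots; the hunk does not say so, but that width/half mismatch is presumably what breaks on a big-endian target, and the header should say which. Pin `Origin:` to the exact Fedora commit or file revision so the patch's relevance can be re-checked on the next upstream bump. Separately, `pc[6].u.pointer = reinterpret_cast<void*>(slot.cachedOffset());` converts an `int` to a pointer directly; whether an invalid (negative) offset is widened consistently with what `loadPropertyAtVariableOffset` expects cannot be confirmed from the hunk and is worth a one-line comment at the two store sites.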
diff -Nru webkitgtk-2.4.8/debian/patches/g-closure-unref.diff webkitgtk-2.4.8/debian/patches/g-closure-unref.diff
--- webkitgtk-2.4.8/debian/patches/g-closure-unref.diff 1970-01-01 02:00:00.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/g-closure-unref.diff 2015-03-26 23:49:46.000000000 +0200
@@ -0,0 +1,28 @@
+From: Milan Crha <mcrha@redhat.com>
+Subject: Fix use-after-free warning when loading page into WebView
+Bug: https://bugs.webkit.org/show_bug.cgi?id=127474
+Bug-Debian: http://bugs.debian.org/780444
+Origin: http://trac.webkit.org/changeset/180141
+Index: webkitgtk/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+===================================================================
+--- webkitgtk.orig/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
++++ webkitgtk/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+@@ -52,12 +52,13 @@ void GObjectEventListener::gobjectDestro
+ {
+ ASSERT(m_coreTarget);
+
+- // We must set m_coreTarget to null, because removeEventListener
+- // may call the destructor as a side effect and we must be in the
+- // proper state to prevent g_object_weak_unref.
+- EventTarget* target = m_coreTarget;
++ // Protect 'this' class in case the 'm_coreTarget' holds the last reference,
++ // which may cause, inside removeEventListener(), free of this object
++ // and later use-after-free with the m_handler = 0; assignment.
++ RefPtr<GObjectEventListener> protect(this);
++
++ m_coreTarget->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_coreTarget = 0;
+- target->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_handler = 0;
+ }
+
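Review bot: The removed comment explained why `m_coreTarget` had to be cleared before `removeEventListener()` ran (so the destructor, if triggered as a side effect, was in the right state to skip `g_object_weak_unref`), but the new comment documents only the `protect` guard, so the ordering that remains — clearing `m_coreTarget` and `m_handler` while `protect` still holds `this` — is no longer explained. Add a line after the `protect` declaration such as `// The destructor may now run when 'protect' goes out of scope; m_coreTarget must already be null by then so it does not g_object_weak_unref an object that is being finalized.` Whether the destructor actually keys on `m_coreTarget` is outside this hunk and should be confirmed against GObjectEventListener's destructor before the comment is committed.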
diff -Nru webkitgtk-2.4.8/debian/patches/series webkitgtk-2.4.8/debian/patches/series
--- webkitgtk-2.4.8/debian/patches/series 2015-01-17 14:19:53.000000000 +0200
+++ webkitgtk-2.4.8/debian/patches/series 2015-03-26 23:49:46.000000000 +0200
@@ -14,3 +14,5 @@
nullptr-accessibilitymenulistoption.patch
ax-focus-events.patch
fix-ftbfs-pluginpackage.patch
+g-closure-unref.diff
+fix-cloop.patch