[qt/f18] fix QtScript JIT crash (QTBUG-23871, kde#297661)
Rex Dieter
rdieter at fedoraproject.org
Mon Aug 13 22:10:16 UTC 2012
commit 5d4c00ca2f2a3f604274cb992e4b33edec61fc59
Author: Rex Dieter <rdieter at fedoraproject.org>
Date: Mon Aug 13 17:12:40 2012 -0500
fix QtScript JIT crash (QTBUG-23871, kde#297661)
...sh-on-x86-64-avoid-32-bit-branch-offset-o.patch | 284 ++++++++++++++++++++
qt.spec | 10 +-
2 files changed, 293 insertions(+), 1 deletions(-)
---
diff --git a/qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch b/qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
new file mode 100644
index 0000000..b170819
--- /dev/null
+++ b/qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
@@ -0,0 +1,284 @@
+From ada98493bbfbd9af0d0b593017e29d39bcd3495e Mon Sep 17 00:00:00 2001
+From: Kent Hansen <kent.hansen at nokia.com>
+Date: Thu, 8 Jul 2010 17:26:50 +0000
+Subject: [PATCH] Fix JIT crash on x86-64 (avoid 32-bit branch offset
+ overflow)
+
+Cherry-picked from webkit commit
+a5b3261a8c4386b4e14ce40a34c7fc933a5f7001
+
+Task-number: QTBUG-23871
+Change-Id: Ia028fe072b349e3a7883ae0f6f7298941cc1bc9e
+Reviewed-by: Simon Hausmann <simon.hausmann at nokia.com>
+(cherry picked from commit 79ebd39d0d4846cb911ae122d2059e5add568d7e in qtscript)
+Reviewed-by: Kent Hansen <kent.hansen at nokia.com>
+---
+ .../javascriptcore/JavaScriptCore/ChangeLog | 27 +++++++++++++++++++
+ .../JavaScriptCore/JavaScriptCore.pri | 1 +
+ .../JavaScriptCore/jit/ExecutableAllocator.cpp | 21 +++++++++++++++
+ .../jit/ExecutableAllocatorFixedVMPool.cpp | 31 +++++++++++++++-------
+ .../jit/ExecutableAllocatorPosix.cpp | 29 ++------------------
+ .../jit/ExecutableAllocatorSymbian.cpp | 2 +-
+ .../JavaScriptCore/jit/ExecutableAllocatorWin.cpp | 2 +-
+ .../javascriptcore/JavaScriptCore/wtf/Platform.h | 10 +++++++
+ 8 files changed, 84 insertions(+), 39 deletions(-)
+
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+index 9cbf0c1..5ab23e6 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+@@ -1,3 +1,30 @@
++2010-07-08 Gavin Barraclough <barraclough at apple.com>
++
++ Reviewed by Sam Weinig.
++
++ https://bugs.webkit.org/show_bug.cgi?id=41641
++
++ Update compile flags to allow use of ExecutableAllocatorFixedVMPool on platforms
++ other than x86-64 (this may be useful on 32-bit platforms, too).
++
++ Simplify ifdefs by dividing into thwo broad allocation strategies
++ (ENABLE_EXECUTABLE_ALLOCATOR_FIXED & ENABLE_EXECUTABLE_ALLOCATOR_DEMAND).
++
++ Rename constant used in the code to have names descriptive of their purpose,
++ rather than their specific value on a given platform.
++
++ * jit/ExecutableAllocator.cpp:
++ (JSC::ExecutableAllocator::reprotectRegion):
++ (JSC::ExecutableAllocator::cacheFlush):
++ * jit/ExecutableAllocatorFixedVMPool.cpp:
++ (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
++ (JSC::FixedVMPoolAllocator::free):
++ (JSC::ExecutablePool::systemAlloc):
++ * jit/ExecutableAllocatorPosix.cpp:
++ * jit/ExecutableAllocatorSymbian.cpp:
++ * jit/ExecutableAllocatorWin.cpp:
++ * wtf/Platform.h:
++
+ 2010-08-24 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Geoff Garen.
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
+index b061321..847f69c 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
+@@ -100,6 +100,7 @@ SOURCES += \
+ interpreter/CallFrame.cpp \
+ interpreter/Interpreter.cpp \
+ interpreter/RegisterFile.cpp \
++ jit/ExecutableAllocatorFixedVMPool.cpp \
+ jit/ExecutableAllocatorPosix.cpp \
+ jit/ExecutableAllocatorSymbian.cpp \
+ jit/ExecutableAllocatorWin.cpp \
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
+index f6b27ec..f0ebbab 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
+@@ -33,6 +33,27 @@ namespace JSC {
+
+ size_t ExecutableAllocator::pageSize = 0;
+
++#if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
++void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting)
++{
++ if (!pageSize)
++ intializePageSize();
++
++ // Calculate the start of the page containing this region,
++ // and account for this extra memory within size.
++ intptr_t startPtr = reinterpret_cast<intptr_t>(start);
++ intptr_t pageStartPtr = startPtr & ~(pageSize - 1);
++ void* pageStart = reinterpret_cast<void*>(pageStartPtr);
++ size += (startPtr - pageStartPtr);
++
++ // Round size up
++ size += (pageSize - 1);
++ size &= ~(pageSize - 1);
++
++ mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX);
++}
++#endif
++
+ }
+
+ #endif // HAVE(ASSEMBLER)
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
+index dd1db4e..16d0fb1 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
+@@ -27,25 +27,33 @@
+
+ #include "ExecutableAllocator.h"
+
+-#include <errno.h>
++#if ENABLE(EXECUTABLE_ALLOCATOR_FIXED)
+
+-#if ENABLE(ASSEMBLER) && OS(DARWIN) && CPU(X86_64)
++#include <errno.h>
+
+ #include "TCSpinLock.h"
+-#include <mach/mach_init.h>
+-#include <mach/vm_map.h>
+ #include <sys/mman.h>
+ #include <unistd.h>
+ #include <wtf/AVLTree.h>
+ #include <wtf/VMTags.h>
+
++#if CPU(X86_64)
++ // These limits suitable on 64-bit platforms (particularly x86-64, where we require all jumps to have a 2Gb max range).
++ #define VM_POOL_SIZE (2u * 1024u * 1024u * 1024u) // 2Gb
++ #define COALESCE_LIMIT (16u * 1024u * 1024u) // 16Mb
++#else
++ // These limits are hopefully sensible on embedded platforms.
++ #define VM_POOL_SIZE (32u * 1024u * 1024u) // 32Mb
++ #define COALESCE_LIMIT (4u * 1024u * 1024u) // 4Mb
++#endif
++
++// ASLR currently only works on darwin (due to arc4random) & 64-bit (due to address space size).
++#define VM_POOL_ASLR (OS(DARWIN) && CPU(X86_64))
++
+ using namespace WTF;
+
+ namespace JSC {
+
+-#define TWO_GB (2u * 1024u * 1024u * 1024u)
+-#define SIXTEEN_MB (16u * 1024u * 1024u)
+-
+ // FreeListEntry describes a free chunk of memory, stored in the freeList.
+ struct FreeListEntry {
+ FreeListEntry(void* pointer, size_t size)
+@@ -291,9 +299,12 @@ public:
+ // for now instead of 2^26 bits of ASLR lets stick with 25 bits of randomization plus
+ // 2^24, which should put up somewhere in the middle of usespace (in the address range
+ // 0x200000000000 .. 0x5fffffffffff).
+- intptr_t randomLocation = arc4random() & ((1 << 25) - 1);
++ intptr_t randomLocation = 0;
++#if VM_POOL_ASLR
++ randomLocation = arc4random() & ((1 << 25) - 1);
+ randomLocation += (1 << 24);
+ randomLocation <<= 21;
++#endif
+ m_base = mmap(reinterpret_cast<void*>(randomLocation), m_totalHeapSize, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0);
+ if (!m_base)
+ CRASH();
+@@ -387,7 +398,7 @@ public:
+ // 16MB of allocations have been freed, sweep m_freeList
+ // coalescing any neighboring fragments.
+ m_countFreedSinceLastCoalesce += size;
+- if (m_countFreedSinceLastCoalesce >= SIXTEEN_MB) {
++ if (m_countFreedSinceLastCoalesce >= COALESCE_LIMIT) {
+ m_countFreedSinceLastCoalesce = 0;
+ coalesceFreeSpace();
+ }
+@@ -429,7 +440,7 @@ ExecutablePool::Allocation ExecutablePool::systemAlloc(size_t size)
+ SpinLockHolder lock_holder(&spinlock);
+
+ if (!allocator)
+- allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, TWO_GB);
++ allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, VM_POOL_SIZE);
+ ExecutablePool::Allocation alloc = {reinterpret_cast<char*>(allocator->alloc(size)), size};
+ return alloc;
+ }
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
+index 2eb0c87..b04049c 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
+@@ -27,7 +27,7 @@
+
+ #include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(UNIX) && !OS(SYMBIAN)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && !OS(WINDOWS) && !OS(SYMBIAN)
+
+ #include <sys/mman.h>
+ #include <unistd.h>
+@@ -35,8 +35,6 @@
+
+ namespace JSC {
+
+-#if !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64))
+-
+ void ExecutableAllocator::intializePageSize()
+ {
+ ExecutableAllocator::pageSize = getpagesize();
+@@ -57,29 +55,6 @@ void ExecutablePool::systemRelease(const ExecutablePool::Allocation& alloc)
+ ASSERT_UNUSED(result, !result);
+ }
+
+-#endif // !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64))
+-
+-#if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
+-void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting)
+-{
+- if (!pageSize)
+- intializePageSize();
+-
+- // Calculate the start of the page containing this region,
+- // and account for this extra memory within size.
+- intptr_t startPtr = reinterpret_cast<intptr_t>(start);
+- intptr_t pageStartPtr = startPtr & ~(pageSize - 1);
+- void* pageStart = reinterpret_cast<void*>(pageStartPtr);
+- size += (startPtr - pageStartPtr);
+-
+- // Round size up
+- size += (pageSize - 1);
+- size &= ~(pageSize - 1);
+-
+- mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX);
+-}
+-#endif
+-
+ }
+
+-#endif // HAVE(ASSEMBLER)
++#endif
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
+index e82975c..9028f50 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
+@@ -22,7 +22,7 @@
+
+ #include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(SYMBIAN)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(SYMBIAN)
+
+ #include <e32hal.h>
+ #include <e32std.h>
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
+index e38323c..72a1d5f 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
+@@ -27,7 +27,7 @@
+
+ #include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(WINDOWS)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(WINDOWS)
+
+ #include "windows.h"
+
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
+index 700977e..d930ed7 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
+@@ -1016,6 +1016,16 @@ on MinGW. See https://bugs.webkit.org/show_bug.cgi?id=29268 */
+ #define ENABLE_ASSEMBLER_WX_EXCLUSIVE 0
+ #endif
+
++/* Pick which allocator to use; we only need an executable allocator if the assembler is compiled in.
++ On x86-64 we use a single fixed mmap, on other platforms we mmap on demand. */
++#if ENABLE(ASSEMBLER)
++#if CPU(X86_64)
++#define ENABLE_EXECUTABLE_ALLOCATOR_FIXED 1
++#else
++#define ENABLE_EXECUTABLE_ALLOCATOR_DEMAND 1
++#endif
++#endif
++
+ #if !defined(ENABLE_PAN_SCROLLING) && OS(WINDOWS)
+ #define ENABLE_PAN_SCROLLING 1
+ #endif
+--
+1.7.11.4
+
diff --git a/qt.spec b/qt.spec
index 7f70e1f..33b2af6 100644
--- a/qt.spec
+++ b/qt.spec
@@ -16,7 +16,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.2
-Release: 4%{?dist}
+Release: 5%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -122,6 +122,10 @@ Patch101: qt-Fix-cursor-truncate-to-include-line-position.patch
# fix crash on big endian machines
# https://bugreports.qt-project.org/browse/QTBUG-22960
Patch102: qt-everywhere-opensource-src-4.8.1-type.patch
+# fix JIT crash
+# https://bugreports.qt-project.org/browse/QTBUG-23871
+# https://bugs.kde.org/show_bug.cgi?id=297661
+Patch103: qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
# security patches
# CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
@@ -465,6 +469,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
%patch100 -p1 -b .QTgaHandler
%patch101 -p1 -b .fix_cursor_blink
%patch102 -p1 -b .bigendian
+%patch103 -p1 -b .QtScript_JIT
# security fixes
%patch200 -p1 -b .CVE-2011-3922
@@ -1096,6 +1101,9 @@ fi
%changelog
+* Mon Aug 13 2012 Rex Dieter <rdieter at fedoraproject.org> 4.8.2-5
+- fix QtScript JIT crash (QTBUG-23871, kde#297661)
+
* Thu Jul 05 2012 Rex Dieter <rdieter at fedoraproject.org> 4.8.2-4
- text cursor blinks not in the current cell (kde#296490)
More information about the scm-commits
mailing list