Merge branch 'master' into f17
commit
e86eaa89ee
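--- a/qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
+++ b/qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
@@ -0,0 +1,284 @@
+From ada98493bbfbd9af0d0b593017e29d39bcd3495e Mon Sep 17 00:00:00 2001
+From: Kent Hansen <kent.hansen@nokia.com>
+Date: Thu, 8 Jul 2010 17:26:50 +0000
+Subject: [PATCH] Fix JIT crash on x86-64 (avoid 32-bit branch offset
+overflow)
+
+Cherry-picked from webkit commit
+a5b3261a8c4386b4e14ce40a34c7fc933a5f7001
+
+Task-number: QTBUG-23871
+Change-Id: Ia028fe072b349e3a7883ae0f6f7298941cc1bc9e
+Reviewed-by: Simon Hausmann <simon.hausmann@nokia.com>
+(cherry picked from commit 79ebd39d0d4846cb911ae122d2059e5add568d7e in qtscript)
+Reviewed-by: Kent Hansen <kent.hansen@nokia.com>
+---
+.../javascriptcore/JavaScriptCore/ChangeLog | 27 +++++++++++++++++++
+.../JavaScriptCore/JavaScriptCore.pri | 1 +
+.../JavaScriptCore/jit/ExecutableAllocator.cpp | 21 +++++++++++++++
+.../jit/ExecutableAllocatorFixedVMPool.cpp | 31 +++++++++++++++-------
+.../jit/ExecutableAllocatorPosix.cpp | 29 ++------------------
+.../jit/ExecutableAllocatorSymbian.cpp | 2 +-
+.../JavaScriptCore/jit/ExecutableAllocatorWin.cpp | 2 +-
+.../javascriptcore/JavaScriptCore/wtf/Platform.h | 10 +++++++
+8 files changed, 84 insertions(+), 39 deletions(-)
+
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+index 9cbf0c1..5ab23e6 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog
+@@ -1,3 +1,30 @@
++2010-07-08 Gavin Barraclough <barraclough@apple.com>
++
++ Reviewed by Sam Weinig.
++
++ https://bugs.webkit.org/show_bug.cgi?id=41641
++
++ Update compile flags to allow use of ExecutableAllocatorFixedVMPool on platforms
++ other than x86-64 (this may be useful on 32-bit platforms, too).
++
++ Simplify ifdefs by dividing into thwo broad allocation strategies
++ (ENABLE_EXECUTABLE_ALLOCATOR_FIXED & ENABLE_EXECUTABLE_ALLOCATOR_DEMAND).
++
++ Rename constant used in the code to have names descriptive of their purpose,
++ rather than their specific value on a given platform.
++
++ * jit/ExecutableAllocator.cpp:
++ (JSC::ExecutableAllocator::reprotectRegion):
++ (JSC::ExecutableAllocator::cacheFlush):
++ * jit/ExecutableAllocatorFixedVMPool.cpp:
++ (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
++ (JSC::FixedVMPoolAllocator::free):
++ (JSC::ExecutablePool::systemAlloc):
++ * jit/ExecutableAllocatorPosix.cpp:
++ * jit/ExecutableAllocatorSymbian.cpp:
++ * jit/ExecutableAllocatorWin.cpp:
++ * wtf/Platform.h:
++
+2010-08-24 Oliver Hunt <oliver@apple.com>
+
+Reviewed by Geoff Garen.
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
+index b061321..847f69c 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri
+@@ -100,6 +100,7 @@ SOURCES += \
+interpreter/CallFrame.cpp \
+interpreter/Interpreter.cpp \
+interpreter/RegisterFile.cpp \
++ jit/ExecutableAllocatorFixedVMPool.cpp \
+jit/ExecutableAllocatorPosix.cpp \
+jit/ExecutableAllocatorSymbian.cpp \
+jit/ExecutableAllocatorWin.cpp \
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
+index f6b27ec..f0ebbab 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp
+@@ -33,6 +33,27 @@ namespace JSC {
+
+size_t ExecutableAllocator::pageSize = 0;
+
++#if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
++void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting)
++{
++ if (!pageSize)
++ intializePageSize();
++
++ // Calculate the start of the page containing this region,
++ // and account for this extra memory within size.
++ intptr_t startPtr = reinterpret_cast<intptr_t>(start);
++ intptr_t pageStartPtr = startPtr & ~(pageSize - 1);
++ void* pageStart = reinterpret_cast<void*>(pageStartPtr);
++ size += (startPtr - pageStartPtr);
++
++ // Round size up
++ size += (pageSize - 1);
++ size &= ~(pageSize - 1);
++
++ mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX);
++}
++#endif
++
+}
+
+#endif // HAVE(ASSEMBLER)
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
+index dd1db4e..16d0fb1 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp
+@@ -27,25 +27,33 @@
+
+#include "ExecutableAllocator.h"
+
+-#include <errno.h>
++#if ENABLE(EXECUTABLE_ALLOCATOR_FIXED)
+
+-#if ENABLE(ASSEMBLER) && OS(DARWIN) && CPU(X86_64)
++#include <errno.h>
+
+#include "TCSpinLock.h"
+-#include <mach/mach_init.h>
+-#include <mach/vm_map.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <wtf/AVLTree.h>
+#include <wtf/VMTags.h>
+
++#if CPU(X86_64)
++ // These limits suitable on 64-bit platforms (particularly x86-64, where we require all jumps to have a 2Gb max range).
++ #define VM_POOL_SIZE (2u * 1024u * 1024u * 1024u) // 2Gb
++ #define COALESCE_LIMIT (16u * 1024u * 1024u) // 16Mb
++#else
++ // These limits are hopefully sensible on embedded platforms.
++ #define VM_POOL_SIZE (32u * 1024u * 1024u) // 32Mb
++ #define COALESCE_LIMIT (4u * 1024u * 1024u) // 4Mb
++#endif
++
++// ASLR currently only works on darwin (due to arc4random) & 64-bit (due to address space size).
++#define VM_POOL_ASLR (OS(DARWIN) && CPU(X86_64))
++
+using namespace WTF;
+
+namespace JSC {
+
+-#define TWO_GB (2u * 1024u * 1024u * 1024u)
+-#define SIXTEEN_MB (16u * 1024u * 1024u)
+-
+// FreeListEntry describes a free chunk of memory, stored in the freeList.
+struct FreeListEntry {
+FreeListEntry(void* pointer, size_t size)
+@@ -291,9 +299,12 @@ public:
+// for now instead of 2^26 bits of ASLR lets stick with 25 bits of randomization plus
+// 2^24, which should put up somewhere in the middle of usespace (in the address range
+// 0x200000000000 .. 0x5fffffffffff).
+- intptr_t randomLocation = arc4random() & ((1 << 25) - 1);
++ intptr_t randomLocation = 0;
++#if VM_POOL_ASLR
++ randomLocation = arc4random() & ((1 << 25) - 1);
+randomLocation += (1 << 24);
+randomLocation <<= 21;
++#endif
+m_base = mmap(reinterpret_cast<void*>(randomLocation), m_totalHeapSize, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0);
+if (!m_base)
+CRASH();
+@@ -387,7 +398,7 @@ public:
+// 16MB of allocations have been freed, sweep m_freeList
+// coalescing any neighboring fragments.
+m_countFreedSinceLastCoalesce += size;
+- if (m_countFreedSinceLastCoalesce >= SIXTEEN_MB) {
++ if (m_countFreedSinceLastCoalesce >= COALESCE_LIMIT) {
+m_countFreedSinceLastCoalesce = 0;
+coalesceFreeSpace();
+}
+@@ -429,7 +440,7 @@ ExecutablePool::Allocation ExecutablePool::systemAlloc(size_t size)
+SpinLockHolder lock_holder(&spinlock);
+
+if (!allocator)
+- allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, TWO_GB);
++ allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, VM_POOL_SIZE);
+ExecutablePool::Allocation alloc = {reinterpret_cast<char*>(allocator->alloc(size)), size};
+return alloc;
+}
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
+index 2eb0c87..b04049c 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp
+@@ -27,7 +27,7 @@
+
+#include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(UNIX) && !OS(SYMBIAN)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && !OS(WINDOWS) && !OS(SYMBIAN)
+
+#include <sys/mman.h>
+#include <unistd.h>
+@@ -35,8 +35,6 @@
+
+namespace JSC {
+
+-#if !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64))
+-
+void ExecutableAllocator::intializePageSize()
+{
+ExecutableAllocator::pageSize = getpagesize();
+@@ -57,29 +55,6 @@ void ExecutablePool::systemRelease(const ExecutablePool::Allocation& alloc)
+ASSERT_UNUSED(result, !result);
+}
+
+-#endif // !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64))
+-
+-#if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
+-void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting)
+-{
+- if (!pageSize)
+- intializePageSize();
+-
+- // Calculate the start of the page containing this region,
+- // and account for this extra memory within size.
+- intptr_t startPtr = reinterpret_cast<intptr_t>(start);
+- intptr_t pageStartPtr = startPtr & ~(pageSize - 1);
+- void* pageStart = reinterpret_cast<void*>(pageStartPtr);
+- size += (startPtr - pageStartPtr);
+-
+- // Round size up
+- size += (pageSize - 1);
+- size &= ~(pageSize - 1);
+-
+- mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX);
+-}
+-#endif
+-
+}
+
+-#endif // HAVE(ASSEMBLER)
++#endif
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
+index e82975c..9028f50 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp
+@@ -22,7 +22,7 @@
+
+#include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(SYMBIAN)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(SYMBIAN)
+
+#include <e32hal.h>
+#include <e32std.h>
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
+index e38323c..72a1d5f 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp
+@@ -27,7 +27,7 @@
+
+#include "ExecutableAllocator.h"
+
+-#if ENABLE(ASSEMBLER) && OS(WINDOWS)
++#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(WINDOWS)
+
+#include "windows.h"
+
+diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
+index 700977e..d930ed7 100644
+--- a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
++++ b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h
+@@ -1016,6 +1016,16 @@ on MinGW. See https://bugs.webkit.org/show_bug.cgi?id=29268 */
+#define ENABLE_ASSEMBLER_WX_EXCLUSIVE 0
+#endif
+
++/* Pick which allocator to use; we only need an executable allocator if the assembler is compiled in.
++ On x86-64 we use a single fixed mmap, on other platforms we mmap on demand. */
++#if ENABLE(ASSEMBLER)
++#if CPU(X86_64)
++#define ENABLE_EXECUTABLE_ALLOCATOR_FIXED 1
++#else
++#define ENABLE_EXECUTABLE_ALLOCATOR_DEMAND 1
++#endif
++#endif
++
+#if !defined(ENABLE_PAN_SCROLLING) && OS(WINDOWS)
+#define ENABLE_PAN_SCROLLING 1
+#endif
+--
+1.7.11.4
+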
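Review bot: The mprotect() call at the end of ExecutableAllocator::reprotectRegion (the ExecutableAllocator.cpp hunk inside this patch) ignores its return value, so a failed re-protection silently leaves the JIT pages in their previous state — still writable when the caller expects RX, or non-writable when the caller is about to emit code — with no diagnostic at all. The demand-mmap path in ExecutableAllocatorPosix.cpp asserts on its munmap result (`ASSERT_UNUSED(result, !result);`) and the FixedVMPool constructor crashes on a failed mmap, so the W^X toggle should be held to the same standard, e.g. `if (mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX)) CRASH();` (assuming CRASH() is in scope here as it is in the FixedVMPool file). Related, and visible only as context in the FixedVMPool hunk: `if (!m_base) CRASH();` tests for NULL, but mmap reports failure with MAP_FAILED, so a failed 2 GB reservation is not caught there either. Since this file is a cherry-pick of an upstream WebKit change, both points belong in a follow-up patch in this series (or upstream) rather than in edits to the backported text.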
10
qt.spec
@ -16,7 +16,7 @@ Summary: Qt toolkit
|
||||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.8.2
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||
@ -122,6 +122,10 @@ Patch101: qt-Fix-cursor-truncate-to-include-line-position.patch
|
||||
# fix crash on big endian machines
|
||||
# https://bugreports.qt-project.org/browse/QTBUG-22960
|
||||
Patch102: qt-everywhere-opensource-src-4.8.1-type.patch
|
||||
# fix JIT crash
|
||||
# https://bugreports.qt-project.org/browse/QTBUG-23871
|
||||
# https://bugs.kde.org/show_bug.cgi?id=297661
|
||||
Patch103: qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
|
||||
|
||||
# security patches
|
||||
# CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
|
||||
@ -465,6 +469,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
|
||||
%patch100 -p1 -b .QTgaHandler
|
||||
%patch101 -p1 -b .fix_cursor_blink
|
||||
%patch102 -p1 -b .bigendian
|
||||
%patch103 -p1 -b .QtScript_JIT
|
||||
|
||||
# security fixes
|
||||
%patch200 -p1 -b .CVE-2011-3922
|
||||
@ -1096,6 +1101,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Aug 13 2012 Rex Dieter <rdieter@fedoraproject.org> 4.8.2-5
|
||||
- fix QtScript JIT crash (QTBUG-23871, kde#297661)
|
||||
|
||||
* Thu Jul 05 2012 Rex Dieter <rdieter@fedoraproject.org> 4.8.2-4
|
||||
- text cursor blinks not in the current cell (kde#296490)
|
||||
|
||||
|