Skip to content

REGRESSION(macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit #7725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 16, 2022
Merged

REGRESSION(macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit #7725

merged 1 commit into from
Dec 16, 2022

Conversation

@Constellation
Copy link
Member

@Constellation Constellation commented Dec 16, 2022
edited by webkit-early-warning-system
Loading

0b27858

REGRESSION(macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit
https://bugs.webkit.org/show_bug.cgi?id=247387
rdar://101892715

Reviewed by Mark Lam.

x64 binary can change unmapped memory region, breaking JSC's assumption on mmap-returned memory address.
By modifying PAGEZERO address, x64 application can change the start of mmap-returned memory address.
By default, it is 4GB, but it can be anything larger than 4KB (On the other hand, ARM64 enforces it
to 4GB at minimum). This patch updates the number for filtering.

* Source/JavaScriptCore/tools/Integrity.h:
(JSC::Integrity::isSanePointer):
* Source/bmalloc/libpas/src/libpas/pas_root.c:
(pas_root_visit_conservative_candidate_pointers_in_address_range):

Canonical link: https://commits.webkit.org/257973@main

086640f

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 🧪 win
✅ 🧪 bindings ✅ 🛠 ios-sim 🛠 mac-AS-debug ✅ 🛠 gtk ✅ 🛠 wincairo
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac 🧪 gtk-wk2
🧪 api-ios 🧪 mac-wk1 🧪 api-gtk
✅ 🛠 🧪 jsc ✅ 🛠 tv ✅ 🧪 mac-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 tv-sim 🧪 mac-AS-debug-wk2 ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch ✅ 🧪 mac-wk2-stress ✅ 🛠 jsc-mips
🛠 🧪 merge ✅ 🛠 watch-sim ✅ 🧪 jsc-mips-tests
✅ 🛠 🧪 unsafe-merge

@Constellation Constellation requested a review from a team as a code owner December 16, 2022 00:18
@Constellation Constellation self-assigned this Dec 16, 2022
@Constellation Constellation added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Dec 16, 2022
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Dec 16, 2022
edited
Loading

EWS run on previous version of this PR (hash 0f63dbf)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ⏳ 🛠 mac ⏳ 🛠 wpe ⏳ 🛠 🧪 win
✅ 🧪 bindings ✅ 🛠 ios-sim ⏳ 🛠 mac-AS-debug ⏳ 🛠 gtk ⏳ 🛠 wincairo
✅ 🧪 webkitperl 🧪 ios-wk2 ⏳ 🧪 api-mac ⏳ 🧪 gtk-wk2
🧪 api-ios ⏳ 🧪 mac-wk1 ⏳ 🧪 api-gtk
⏳ 🛠 🧪 jsc ⏳ 🛠 tv ⏳ 🧪 mac-wk2 ✅ 🛠 jsc-armv7
⏳ 🛠 🧪 jsc-arm64 ✅ 🛠 tv-sim ⏳ 🧪 mac-AS-debug-wk2 ✅ 🧪 jsc-armv7-tests
⏳ 🛠 watch ⏳ 🧪 mac-wk2-stress ✅ 🛠 jsc-mips
⏳ 🛠 watch-sim ✅ 🧪 jsc-mips-tests

@Constellation
Copy link
Member Author

Constellation commented Dec 16, 2022

Let me make it pending. I think this 4GB assumption is right for most of applications. And crashing application has very special thing making this invalid. We should change this logic only when this specific logic is used. Investigating.

@Constellation Constellation marked this pull request as draft December 16, 2022 00:29
@Constellation Constellation force-pushed the eng/REGRESSION-macOS-Ventura-OpenAudible-Eclipse-and-other-Java-applications-crash-when-using-WebKit branch from 0f63dbf to 95ae71c Compare December 16, 2022 00:49
@Constellation Constellation changed the title x64 macOS Ventura mmap can return memory address less than 4GB x64 binary can change unmapped memory region Dec 16, 2022
@Constellation Constellation marked this pull request as ready for review December 16, 2022 00:49
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Dec 16, 2022
edited
Loading

EWS run on previous version of this PR (hash 95ae71c)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ⏳ 🛠 mac ⏳ 🛠 wpe ⏳ 🛠 🧪 win
✅ 🧪 bindings ✅ 🛠 ios-sim ⏳ 🛠 mac-AS-debug ⏳ 🛠 gtk ⏳ 🛠 wincairo
✅ 🧪 webkitperl 🧪 ios-wk2 ⏳ 🧪 api-mac ⏳ 🧪 gtk-wk2
🧪 api-ios ⏳ 🧪 mac-wk1 ⏳ 🧪 api-gtk
⏳ 🛠 🧪 jsc ⏳ 🛠 tv ⏳ 🧪 mac-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 tv-sim ⏳ 🧪 mac-AS-debug-wk2 ✅ 🧪 jsc-armv7-tests
⏳ 🛠 watch ⏳ 🧪 mac-wk2-stress ✅ 🛠 jsc-mips
⏳ 🛠 watch-sim ✅ 🧪 jsc-mips-tests

@aproskuryakov
Copy link
Contributor

aproskuryakov commented Dec 16, 2022

Is there a reason to not explain what the PR is actually fixing? We usually care about the symptom more than about how the bug is fixed, so the title should explain the symptom.

MenloDorian
MenloDorian approved these changes Dec 16, 2022
View reviewed changes
Copy link

@MenloDorian MenloDorian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r=me

Source/JavaScriptCore/tools/Integrity.h Outdated
Comment on lines +103 to +105
Copy link

@MenloDorian MenloDorian Dec 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just change these to 4ULL instead of static_cast<uintptr_t>(4)?

Copy link
Member Author

@Constellation Constellation Dec 16, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually either is fine because it is inside CPU(ADDRESS64).

@Constellation
Copy link
Member Author

Constellation commented Dec 16, 2022

Is there a reason to not explain what the PR is actually fixing? We usually care about the symptom more than about how the bug is fixed, so the title should explain the symptom.

I think "x64 binary can change unmapped memory region" is symptom (And changing the numbers for the check is the fix). But I can change a bit more :).

@Constellation Constellation force-pushed the eng/REGRESSION-macOS-Ventura-OpenAudible-Eclipse-and-other-Java-applications-crash-when-using-WebKit branch from 95ae71c to 3a268ee Compare December 16, 2022 01:16
@Constellation Constellation changed the title x64 binary can change unmapped memory region x64 binary can change unmapped memory region, breaking JSC's assumption on mmap-returned memory address Dec 16, 2022
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Dec 16, 2022
edited
Loading

EWS run on previous version of this PR (hash 3a268ee)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ⏳ 🛠 wpe ⏳ 🛠 🧪 win
✅ 🧪 bindings ✅ 🛠 ios-sim ⏳ 🛠 mac-AS-debug ⏳ 🛠 gtk ⏳ 🛠 wincairo
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac ⏳ 🧪 gtk-wk2
🧪 api-ios 🧪 mac-wk1 ⏳ 🧪 api-gtk
⏳ 🛠 🧪 jsc ⏳ 🛠 tv 🧪 mac-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 tv-sim ⏳ 🧪 mac-AS-debug-wk2 ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch 🧪 mac-wk2-stress ✅ 🛠 jsc-mips
⏳ 🛠 watch-sim ✅ 🧪 jsc-mips-tests

@aproskuryakov
Copy link
Contributor

aproskuryakov commented Dec 16, 2022

That's the cause of the user observable issue. There are more people who aren't JSC developers reading bug and PR titles, so we should optimize for them. I think that the bug title is great (REGRESSION (macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit).

@Constellation
Copy link
Member Author

Constellation commented Dec 16, 2022

That's the cause of the user observable issue. There are more people who aren't JSC developers reading bug and PR titles, so we should optimize for them. I think that the bug title is great (REGRESSION (macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit).

I feel this looks very hard to see what the change is for JSC developers reading JSC changes, but if you have strong opinion, I'm not opposing to it strongly.

@aproskuryakov
Copy link
Contributor

aproskuryakov commented Dec 16, 2022

The first line of commit message is the bug title by convention, and we certainly shouldn't retitle this bug. I am not going to argue this any further if you disagree, but I do feel strongly about this convention.

@Constellation Constellation force-pushed the eng/REGRESSION-macOS-Ventura-OpenAudible-Eclipse-and-other-Java-applications-crash-when-using-WebKit branch from 3a268ee to 086640f Compare December 16, 2022 01:47
@Constellation Constellation changed the title x64 binary can change unmapped memory region, breaking JSC's assumption on mmap-returned memory address REGRESSION(macOS Ventura): OpenAudible, Eclipse and other Java applications crash when using WebKit Dec 16, 2022
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Dec 16, 2022
edited
Loading

EWS run on current version of this PR (hash 086640f)

Misc iOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 🧪 win
✅ 🧪 bindings ✅ 🛠 ios-sim 🛠 mac-AS-debug ✅ 🛠 gtk ✅ 🛠 wincairo
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac 🧪 gtk-wk2
🧪 api-ios 🧪 mac-wk1 🧪 api-gtk
✅ 🛠 🧪 jsc ✅ 🛠 tv ✅ 🧪 mac-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 🧪 jsc-arm64 ✅ 🛠 tv-sim 🧪 mac-AS-debug-wk2 ✅ 🧪 jsc-armv7-tests
✅ 🛠 watch ✅ 🧪 mac-wk2-stress ✅ 🛠 jsc-mips
🛠 🧪 merge ✅ 🛠 watch-sim ✅ 🧪 jsc-mips-tests
✅ 🛠 🧪 unsafe-merge

@Constellation Constellation added unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing merge-queue Applied to send a pull request to merge-queue and removed unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing labels Dec 16, 2022
@Constellation
REGRESSION(macOS Ventura): OpenAudible, Eclipse and other Java applic…
0b27858 
…ations crash when using WebKit

https://bugs.webkit.org/show_bug.cgi?id=247387
rdar://101892715

Reviewed by Mark Lam.

x64 binary can change unmapped memory region, breaking JSC's assumption on mmap-returned memory address.
By modifying PAGEZERO address, x64 application can change the start of mmap-returned memory address.
By default, it is 4GB, but it can be anything larger than 4KB (On the other hand, ARM64 enforces it
to 4GB at minimum). This patch updates the number for filtering.

* Source/JavaScriptCore/tools/Integrity.h:
(JSC::Integrity::isSanePointer):
* Source/bmalloc/libpas/src/libpas/pas_root.c:
(pas_root_visit_conservative_candidate_pointers_in_address_range):

Canonical link: https://commits.webkit.org/257973@main
@webkit-early-warning-system webkit-early-warning-system force-pushed the eng/REGRESSION-macOS-Ventura-OpenAudible-Eclipse-and-other-Java-applications-crash-when-using-WebKit branch from 086640f to 0b27858 Compare December 16, 2022 04:38
@webkit-commit-queue
Copy link
Collaborator

webkit-commit-queue commented Dec 16, 2022

Committed 257973@main (0b27858): https://commits.webkit.org/257973@main

Reviewed commits have been landed. Closing PR #7725 and removing active labels.

@webkit-early-warning-system webkit-early-warning-system merged commit 0b27858 into WebKit:main Dec 16, 2022
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Dec 16, 2022
@Constellation Constellation deleted the eng/REGRESSION-macOS-Ventura-OpenAudible-Eclipse-and-other-Java-applications-crash-when-using-WebKit branch December 16, 2022 04:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MenloDorian MenloDorian MenloDorian approved these changes

Assignees

@Constellation Constellation

Labels

JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Constellation @webkit-early-warning-system @aproskuryakov @webkit-commit-queue @MenloDorian