Bug#605132: libwebkit-1.0-2: don't crash when WX mmap() is denied
Yves-Alexis Perez
corsac at debian.org
Sat Nov 27 17:45:25 UTC 2010
Package: libwebkit-1.0-2
Version: 1.2.5-2.1
Severity: normal
Hi,
I'm using a grsec-enabled kernel with PaX memory protection, which by
default denies mmap()ing with write and exec protection.
This leads to problems in webkit-based applications (GtkLauncher,
midori, epiphany, rhythmbox...) which crash when trying to use the
JavaScript engine because the JIT js compiler needs to execute stuff it
just wrote in memory (that's the whole point of JIT).
The segfault is usually at:
#0 0x0000692f95f8edf4 in JSC::ExecutablePool::systemAlloc (n=16384)
at ../JavaScriptCore/jit/ExecutableAllocatorPosix.cpp:49
the code being:
ExecutablePool::Allocation ExecutablePool::systemAlloc(size_t n)
{
    void* allocation = mmap(NULL, n, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0);
    if (allocation == MAP_FAILED)
        CRASH();
    ExecutablePool::Allocation alloc = { reinterpret_cast<char*>(allocation), n };
    return alloc;
}
INITIAL_PROTECTION_FLAGS is
#if ENABLE(ASSEMBLER_WX_EXCLUSIVE)
#define PROTECTION_FLAGS_RW (PROT_READ | PROT_WRITE)
#define PROTECTION_FLAGS_RX (PROT_READ | PROT_EXEC)
#define INITIAL_PROTECTION_FLAGS PROTECTION_FLAGS_RX
#else
#define INITIAL_PROTECTION_FLAGS (PROT_READ | PROT_WRITE | PROT_EXEC)
#endif
with ASSEMBLER_WX_EXCLUSIVE being enabled only on the iPhone platform.
As I understand it, disabling assembly completely has too large a cost, but
it'd be nice to not crash directly if the mmap is denied. A fallback to no JIT
or no-assembly JIT would be better imho.
What do you think?
I guess this really belongs upstream but I don't have a bugs.webkit.org account
right now.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-grsec-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwebkit-1.0-2 depends on:
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libcairo2 1.9.14-1 The Cairo 2D vector graphics libra
ii libenchant1c2a 1.6.0-1 a wrapper library for various spel
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libgail18 2.20.1-2 GNOME Accessibility Implementation
ii libglib2.0-0 2.27.3-1 The GLib library of C routines
ii libgstreamer-plugins-base0. 0.10.30-1 GStreamer libraries from the "base
ii libgstreamer0.10-0 0.10.30-1 Core GStreamer libraries and eleme
ii libgtk2.0-0 2.20.1-2 The GTK+ graphical user interface
ii libicu44 4.4.2-2 International Components for Unico
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libpango1.0-0 1.28.3-1 Layout and rendering of internatio
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libsoup2.4-1 2.30.2-1 an HTTP library implementation in
ii libsqlite3-0 3.7.3-1 SQLite 3 shared library
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libwebkit-1.0-common 1.2.5-2.1 Web content engine library for Gtk
ii libxml2 2.7.8.dfsg-1 GNOME XML library
ii libxslt1.1 1.1.26-6 XSLT 1.0 processing library - runt
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
libwebkit-1.0-2 recommends no packages.
libwebkit-1.0-2 suggests no packages.
-- no debconf information