Title: [272922] trunk/Source
- Revision
- 272922
- Author
- ysuz...@apple.com
- Date
- 2021-02-16 12:51:07 -0800 (Tue, 16 Feb 2021)
Log Message
[JSC] Enable JITCage on macOS
https://bugs.webkit.org/show_bug.cgi?id=221805
<rdar://problem/74153806>
Reviewed by Mark Lam.
Source/_javascript_Core:
We also enable JITCage on macOS when the CPU is ARM64E.
We need to add this entitlement only when building it on macOS 120000 or a higher version;
otherwise, we cannot launch the process. This means that we need to generate the entitlements file dynamically,
because we must not attach this entitlement when building JSC for a non-120000 macOS.
We also remove install_name for the jsc binary because it broke codesigning. Previously, this was OK since we didn't
have com.apple.private.xxx, but now the broken codesigning makes the JSC binary unlaunchable.
* _javascript_Core.xcodeproj/project.pbxproj:
* Scripts/process-entitlements.sh:
Source/WebKit:
We need to add this entitlement only when building it on macOS 120000 or higher version.
Otherwise, we cannot launch the process. And we attach this entitlement only when building processes
with Apple Internal SDKs.
* Scripts/process-entitlements.sh:
Source/WTF:
Enable JIT_CAGE when macOS is 120000 or higher with ARM64E.
* wtf/PlatformEnable.h:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (272921 => 272922)
--- trunk/Source/_javascript_Core/ChangeLog 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-02-16 20:51:07 UTC (rev 272922)
@@ -1,3 +1,22 @@
+2021-02-16 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Enable JITCage on macOS
+ https://bugs.webkit.org/show_bug.cgi?id=221805
+ <rdar://problem/74153806>
+
+ Reviewed by Mark Lam.
+
+ We enable JITCage too on macOS if it is ARM64E.
+ We need to add this entitlement only when building it on macOS 120000 or higher version.
+ Otherwise, we cannot launch the process. This means that we need to dynamically generate entitlements file
+ because we must not attach this entitlement when building JSC for non 120000 macOS.
+
+ We also remove install_name for jsc binary because it broke codesigning. Previously, it was OK since we didn't
+ have com.apple.private.xxx, but now this broken codesigning makes JSC binary unlaunchable.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * Scripts/process-entitlements.sh:
+
2021-02-16 Chris Dumez <cdu...@apple.com>
Reduce explicit usage of [objC release] in WebKit even more
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (272921 => 272922)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2021-02-16 20:51:07 UTC (rev 272922)
@@ -11279,7 +11279,7 @@
);
runOnlyForDeploymentPostprocessing = 0;
shellPath = /bin/sh;
- shellScript = "set -e\n\n# Skip for Production builds.\nif [[ ${CONFIGURATION:=Debug} == \"Production\" ]]; then\n exit\nfi\n\n# Copy and update the jsc binary to refer to _javascript_Core.framework relative to its location.\nmkdir -p \"${BUILT_PRODUCTS_DIR}/${_javascript_CORE_HELPERS_DIR}\"\nditto \"${BUILT_PRODUCTS_DIR}/jsc\" \"${BUILT_PRODUCTS_DIR}/${_javascript_CORE_HELPERS_DIR}/jsc\"\ninstall_name_tool -change \"${_javascript_CORE_FRAMEWORKS_DIR}/_javascript_Core.framework/Versions/A/_javascript_Core\" \"@loader_path/../_javascript_Core\" \"${BUILT_PRODUCTS_DIR}/${_javascript_CORE_HELPERS_DIR}/jsc\"\n";
+ shellScript = "set -e\n\n# Skip for Production builds.\nif [[ ${CONFIGURATION:=Debug} == \"Production\" ]]; then\n exit\nfi\n\nmkdir -p \"${BUILT_PRODUCTS_DIR}/${_javascript_CORE_HELPERS_DIR}\"\nditto \"${BUILT_PRODUCTS_DIR}/jsc\" \"${BUILT_PRODUCTS_DIR}/${_javascript_CORE_HELPERS_DIR}/jsc\"\n";
};
65788AA018B409EB00C189FF /* Offline Assemble */ = {
isa = PBXShellScriptBuildPhase;
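Review bot: The new `shellScript` string drops the explanatory comment together with the `install_name_tool` call, so the remaining `mkdir`/`ditto` pair no longer says why jsc is copied or why it must stay unmodified. The log message states the rewrite broke codesigning and that a jsc carrying a com.apple.private.* entitlement will not launch with a broken signature; that constraint should live next to the code, e.g. `# Copy jsc unmodified: changing its install names invalidates the code signature, and the restricted entitlements make such a binary unlaunchable.` It is also not visible here whether the copy under the helpers directory still resolves the framework through the original install name now that the `@loader_path` rewrite is gone, so that is worth confirming. The build phase this string belongs to starts above the hunk.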
Modified: trunk/Source/_javascript_Core/Scripts/process-entitlements.sh (272921 => 272922)
--- trunk/Source/_javascript_Core/Scripts/process-entitlements.sh 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/_javascript_Core/Scripts/process-entitlements.sh 2021-02-16 20:51:07 UTC (rev 272922)
@@ -12,11 +12,26 @@
function mac_process_jsc_entitlements()
{
plistbuddy Add :com.apple.security.cs.allow-jit bool YES
+ if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
+ then
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
+ fi
}
function mac_process_testapi_entitlements()
{
- true
+ if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
+ then
+ plistbuddy Add :com.apple.security.cs.allow-jit bool YES
+ plistbuddy Add :com.apple.rootless.storage._javascript_Core bool YES
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
+ fi
}
# ========================================
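Review bot: The test `(( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))` in mac_process_jsc_entitlements and mac_process_testapi_entitlements has no defined outcome when the variable is empty or unset. Bash reports an arithmetic error, the `if` takes the false branch, and the plist is written without com.apple.private.securejit while the build continues. Because the header side enables the cage from a different input (the deployment-target macro), a silent skip here would go unnoticed until runtime. Make the failure explicit, for example `(( "${TARGET_MAC_OS_X_VERSION_MAJOR:?}" >= 120000 ))` to stop the build, or `${TARGET_MAC_OS_X_VERSION_MAJOR:-0}` if skipping is intended. The same test is repeated in every securejit block of this script and of the WebKit process-entitlements.sh.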
@@ -26,6 +41,10 @@
function maccatalyst_process_jsc_entitlements()
{
plistbuddy Add :com.apple.security.cs.allow-jit bool YES
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
}
function maccatalyst_process_testapi_entitlements()
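Review bot: In maccatalyst_process_jsc_entitlements the securejit block is guarded only by the version test, whereas the mac functions in the previous hunk also require `WK_USE_RESTRICTED_ENTITLEMENTS` to be YES. The log message says this private entitlement is attached only when building with Apple Internal SDKs and that a wrongly attached entitlement leaves the process unlaunchable, so the difference should be either removed or explained. If the caller already guarantees restricted entitlements for Mac Catalyst, a comment such as `# maccatalyst entitlements are only processed for internal builds` would record that; otherwise wrap the block in `if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]`. The same applies to maccatalyst_process_testapi_entitlements in the next hunk and to the last two hunks of the WebKit script, which appear to sit in its maccatalyst section.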
@@ -32,6 +51,10 @@
{
plistbuddy Add :com.apple.rootless.storage._javascript_Core bool YES
plistbuddy Add :com.apple.security.cs.allow-jit bool YES
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
}
# ========================================
Modified: trunk/Source/WTF/ChangeLog (272921 => 272922)
--- trunk/Source/WTF/ChangeLog 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/WTF/ChangeLog 2021-02-16 20:51:07 UTC (rev 272922)
@@ -1,3 +1,15 @@
+2021-02-16 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Enable JITCage on macOS
+ https://bugs.webkit.org/show_bug.cgi?id=221805
+ <rdar://problem/74153806>
+
+ Reviewed by Mark Lam.
+
+ Enable JIT_CAGE when macOS is 120000 or higher with ARM64E.
+
+ * wtf/PlatformEnable.h:
+
2021-02-15 Per Arne <pvol...@apple.com>
[macOS] Close XPC connections before entering sandbox
Modified: trunk/Source/WTF/wtf/PlatformEnable.h (272921 => 272922)
--- trunk/Source/WTF/wtf/PlatformEnable.h 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/WTF/wtf/PlatformEnable.h 2021-02-16 20:51:07 UTC (rev 272922)
@@ -887,7 +887,7 @@
#error "ENABLE(WHLSL_COMPILER) requires ENABLE(WEBGPU)"
#endif
-#if OS(DARWIN) && ENABLE(JIT) && USE(APPLE_INTERNAL_SDK) && CPU(ARM64E) && defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 150000
+#if OS(DARWIN) && ENABLE(JIT) && USE(APPLE_INTERNAL_SDK) && CPU(ARM64E) && ((defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 150000) || (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 120000))
#define ENABLE_JIT_CAGE 1
#endif
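Review bot: The `#if` that defines `ENABLE_JIT_CAGE` now carries the macOS threshold 120000, and the entitlement scripts carry the same threshold separately through `TARGET_MAC_OS_X_VERSION_MAJOR`, with nothing tying the two together. If they drift, a build can compile the cage in without com.apple.private.securejit, or attach the entitlement without the feature, and the log message notes that a wrong entitlement prevents launch. A comment above the condition would make the coupling visible, e.g. `// Keep in sync with the com.apple.private.securejit checks in both process-entitlements.sh scripts.` The scripts also do not test for ARM64E, which this condition requires; whether the entitlement is harmless on other architectures is not visible from the diff.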
Modified: trunk/Source/WebKit/ChangeLog (272921 => 272922)
--- trunk/Source/WebKit/ChangeLog 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/WebKit/ChangeLog 2021-02-16 20:51:07 UTC (rev 272922)
@@ -1,3 +1,17 @@
+2021-02-16 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Enable JITCage on macOS
+ https://bugs.webkit.org/show_bug.cgi?id=221805
+ <rdar://problem/74153806>
+
+ Reviewed by Mark Lam.
+
+ We need to add this entitlement only when building it on macOS 120000 or higher version.
+ Otherwise, we cannot launch the process. And we attach this entitlement only when building processes
+ with Apple Internal SDKs.
+
+ * Scripts/process-entitlements.sh:
+
2021-02-16 Alex Christensen <achristen...@webkit.org>
Add API to disable HTTPS upgrade
Modified: trunk/Source/WebKit/Scripts/process-entitlements.sh (272921 => 272922)
--- trunk/Source/WebKit/Scripts/process-entitlements.sh 2021-02-16 20:20:21 UTC (rev 272921)
+++ trunk/Source/WebKit/Scripts/process-entitlements.sh 2021-02-16 20:51:07 UTC (rev 272922)
@@ -26,6 +26,10 @@
plistbuddy Add :com.apple.private.security.message-filter bool YES
plistbuddy Add :com.apple.avfoundation.allow-system-wide-context bool YES
fi
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
fi
mac_process_webcontent_or_plugin_entitlements
@@ -104,6 +108,14 @@
plistbuddy Add :com.apple.security.files.user-selected.read-write bool YES
plistbuddy Add :com.apple.security.print bool YES
+ if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
+ then
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
+ fi
+
mac_process_webcontent_or_plugin_entitlements
}
@@ -147,6 +159,10 @@
plistbuddy Add :com.apple.private.security.message-filter bool YES
plistbuddy Add :com.apple.UIKit.view-service-wants-custom-idiom-and-scale bool YES
fi
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
}
function maccatalyst_process_gpu_entitlements()
@@ -174,6 +190,10 @@
plistbuddy Add :com.apple.security.cs.disable-library-validation bool YES
plistbuddy Add :com.apple.security.files.user-selected.read-write bool YES
plistbuddy Add :com.apple.security.print bool YES
+ if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 120000 ))
+ then
+ plistbuddy Add :com.apple.private.securejit bool YES
+ fi
}