Revert the temporary workaround that allocated the data section in executable memory. This is no longer required, because MCJIT now supports the large code model for ARM64.
Created attachment 226549: Patch
Comment on attachment 226549: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=226549&action=review

r=me

> Source/JavaScriptCore/ftl/FTLCompile.cpp:84
> + // Allocate the GOT in the code section to make it reachable for all code.
> + if (!strcmp(sectionName, "__got"))
> + return mmAllocateCodeSection(opaqueState, size, alignment, sectionID, sectionName);

As a follow-up, we'll need to allocate the GOT outside executable memory -- otherwise we're still subject to "JIT spray" attacks.
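Review bot: the check at FTLCompile.cpp:84 recognises the GOT only by its Mach-O section name, `__got`; an ELF object names that section `.got`, which would fall through to the data-section allocator, so the comment should say this path is Mach-O-specific or the match should cover both spellings. The comment should also state that routing the GOT into executable memory is a stopgap and point at the follow-up that moves it out, since the review above flags the JIT-spray concern and nothing in the hunk records it.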
(In reply to comment #2)
> (From update of attachment 226549)
> View in context: https://bugs.webkit.org/attachment.cgi?id=226549&action=review
>
> r=me
>
> > Source/JavaScriptCore/ftl/FTLCompile.cpp:84
> > + // Allocate the GOT in the code section to make it reachable for all code.
> > + if (!strcmp(sectionName, "__got"))
> > + return mmAllocateCodeSection(opaqueState, size, alignment, sectionID, sectionName);
>
> As a follow-up, we'll need to allocate the GOT outside executable memory -- otherwise we're still subject to "JIT spray" attacks.

No, it won't. The GOT is just a table of pointers. We control it entirely.
Comment on attachment 226549: Patch

Let's not land this yet. We want to first verify the LLVM changes and give everyone time to start building with the new LLVM that has the code model changes.
Landed in http://trac.webkit.org/changeset/167397
*** Bug 129756 has been marked as a duplicate of this bug. ***