Disable SharedArrayBuffers to mitigate Spectre. Based on: https://trac.webkit.org/changeset/226386/webkit Backported to webkitgtk-2.18.4 by Mark H Weaver
--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h.orig 2017-12-19 02:23:07.000000000 -0500
+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.h 2018-01-06 19:28:55.985066986 -0500
@@ -338,8 +338,10 @@
WriteBarrier m_moduleLoaderStructure;
WriteBarrier m_arrayBufferPrototype;
WriteBarrier m_arrayBufferStructure;
+#if ENABLE(SHARED_ARRAY_BUFFER)
WriteBarrier m_sharedArrayBufferPrototype;
WriteBarrier m_sharedArrayBufferStructure;
+#endif
#define DEFINE_STORAGE_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
WriteBarrier m_ ## lowerName ## Prototype; \
@@ -670,8 +672,13 @@
switch (sharingMode) {
case ArrayBufferSharingMode::Default:
return m_arrayBufferPrototype.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
case ArrayBufferSharingMode::Shared:
return m_sharedArrayBufferPrototype.get();
+#else
+ default:
+ return m_arrayBufferPrototype.get();
+#endif
}
}
Structure* arrayBufferStructure(ArrayBufferSharingMode sharingMode) const
@@ -679,8 +686,13 @@
switch (sharingMode) {
case ArrayBufferSharingMode::Default:
return m_arrayBufferStructure.get();
+#if ENABLE(SHARED_ARRAY_BUFFER)
case ArrayBufferSharingMode::Shared:
return m_sharedArrayBufferStructure.get();
+#else
+ default:
+ return m_arrayBufferStructure.get();
+#endif
}
RELEASE_ASSERT_NOT_REACHED();
return nullptr;
--- webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp.orig 2017-12-19 02:23:07.000000000 -0500
+++ webkitgtk-2.18.4/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2018-01-06 19:27:16.628574304 -0500
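Review bot: The `#else` branch added to `arrayBufferPrototype` (hunk `@@ -670,8 +672,13 @@`) fails open: a caller that still passes `ArrayBufferSharingMode::Shared` in the disabled build silently receives the plain `ArrayBuffer` prototype instead of being rejected, so a shared-backed buffer produced by any creation path this patch does not touch (WebCore bindings, structured clone, anything else that requests `Shared`) would surface to script as an ordinary `ArrayBuffer` while presumably keeping the cross-thread backing store the mitigation is meant to remove. A fail-closed form keeps the enumerator visible to the compiler and turns such a path into a loud crash rather than an unnoticed bypass: `+#else`, `+ case ArrayBufferSharingMode::Shared:`, `+ RELEASE_ASSERT_NOT_REACHED();`. The bare `default:` also disables the exhaustive-switch warning, so a future enumerator would be routed here without notice. The function's signature and opening brace lie before the hunk.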
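Review bot: The `default:` added to `arrayBufferStructure` (hunk `@@ -679,8 +686,13 @@`) makes the existing `RELEASE_ASSERT_NOT_REACHED(); return nullptr;` after the switch unreachable in the disabled build, so a `Shared` request now yields the non-shared `Structure` instead of tripping the assert that is already there. If, as the separate prototype/structure pair suggests, the engine tells shared buffers apart by their `Structure`, handing out the `Default` one for a shared backing store is a type confusion rather than a mitigation. Letting the existing assert do its job needs only `+#else`, `+ case ArrayBufferSharingMode::Shared:`, `+ break;`, which also keeps the switch exhaustive under `-Wswitch`. The function's signature is the last line of the preceding hunk and its closing brace is outside this one.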
@@ -574,8 +574,10 @@
m_arrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Default));
m_arrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_arrayBufferPrototype.get()));
+#if ENABLE(SHARED_ARRAY_BUFFER)
m_sharedArrayBufferPrototype.set(vm, this, JSArrayBufferPrototype::create(vm, this, JSArrayBufferPrototype::createStructure(vm, this, m_objectPrototype.get()), ArrayBufferSharingMode::Shared));
m_sharedArrayBufferStructure.set(vm, this, JSArrayBuffer::createStructure(vm, this, m_sharedArrayBufferPrototype.get()));
+#endif
m_iteratorPrototype.set(vm, this, IteratorPrototype::create(vm, this, IteratorPrototype::createStructure(vm, this, m_objectPrototype.get())));
m_generatorPrototype.set(vm, this, GeneratorPrototype::create(vm, this, GeneratorPrototype::createStructure(vm, this, m_iteratorPrototype.get())));
@@ -620,10 +622,11 @@
JSArrayBufferConstructor* arrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_arrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Default);
m_arrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
JSArrayBufferConstructor* sharedArrayBufferConstructor = nullptr;
sharedArrayBufferConstructor = JSArrayBufferConstructor::create(vm, JSArrayBufferConstructor::createStructure(vm, this, m_functionPrototype.get()), m_sharedArrayBufferPrototype.get(), m_speciesGetterSetter.get(), ArrayBufferSharingMode::Shared);
m_sharedArrayBufferPrototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, sharedArrayBufferConstructor, DontEnum);
-
+#endif
#define CREATE_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
capitalName ## Constructor* lowerName ## Constructor = capitalName ## Constructor::create(vm, capitalName ## Constructor::createStructure(vm, this, m_functionPrototype.get()), m_ ## lowerName ## Prototype.get(), m_speciesGetterSetter.get()); \
m_ ## lowerName ## Prototype->putDirectWithoutTransition(vm, vm.propertyNames->constructor, lowerName ## Constructor, DontEnum); \
@@ -686,7 +689,9 @@
putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().ArrayPrivateName(), arrayConstructor, DontEnum | DontDelete | ReadOnly);
putDirectWithoutTransition(vm, vm.propertyNames->ArrayBuffer, arrayBufferConstructor, DontEnum);
+#if ENABLE(SHARED_ARRAY_BUFFER)
putDirectWithoutTransition(vm, vm.propertyNames->SharedArrayBuffer, sharedArrayBufferConstructor, DontEnum);
+#endif
#define PUT_CONSTRUCTOR_FOR_SIMPLE_TYPE(capitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Constructor, DontEnum); \
@@ -1288,8 +1293,10 @@
visitor.append(thisObject->m_arrayBufferPrototype);
visitor.append(thisObject->m_arrayBufferStructure);
+#if ENABLE(SHARED_ARRAY_BUFFER)
visitor.append(thisObject->m_sharedArrayBufferPrototype);
visitor.append(thisObject->m_sharedArrayBufferStructure);
+#endif
#define VISIT_SIMPLE_TYPE(CapitalName, lowerName, properName, instanceType, jsName, prototypeBase) \
visitor.append(thisObject->m_ ## lowerName ## Prototype); \
--- webkitgtk-2.18.4/Source/WTF/wtf/Platform.h.orig 2017-10-16 08:18:56.000000000 -0400
+++ webkitgtk-2.18.4/Source/WTF/wtf/Platform.h 2018-01-06 19:29:52.897349199 -0500
@@ -1190,6 +1190,9 @@
#define HAVE_NS_ACTIVITY 1
#endif
+/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. */
+#define ENABLE_SHARED_ARRAY_BUFFER 0
+
#if (OS(DARWIN) && USE(CG)) || (USE(FREETYPE) && !PLATFORM(GTK)) || (PLATFORM(WIN) && (USE(CG) || USE(CAIRO)))
#undef ENABLE_OPENTYPE_MATH
#define ENABLE_OPENTYPE_MATH 1
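Review bot: `#define ENABLE_SHARED_ARRAY_BUFFER 0` in the Platform.h hunk (`@@ -1190,6 +1190,9 @@`) is an unconditional definition, so any `-DENABLE_SHARED_ARRAY_BUFFER=1` handed in from the build system produces a macro-redefinition warning (an error under -Werror) rather than either a clean override or a clean refusal; the `#undef ENABLE_OPENTYPE_MATH` / `#define` pair a few lines below shows how this file forces a value on purpose. Decide which behaviour is wanted and make it explicit: `#undef ENABLE_SHARED_ARRAY_BUFFER` before the define if this is meant to be a hard kill switch nobody can flip from CMake, or wrap it in `#if !defined(ENABLE_SHARED_ARRAY_BUFFER)` if a distro build is allowed to re-enable it once the other mitigations land. Either way the comment should say so, e.g. `/* Disable SharedArrayBuffers until Spectre security concerns are mitigated. Deliberately not overridable from the build system; every ENABLE(SHARED_ARRAY_BUFFER) site in JSGlobalObject depends on this. */`. Whether the backport also reduces timer resolution, which the upstream change set this is based on may have bundled, is not visible here and is worth a sentence in the patch header.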