
commit c3e0176a09450e8a87c029c0cbdec0fca8f87a26
parent 141a27ea8b444c2224168c4c57ca9ab21242b7a1
Author: Nika Layzell <nika@thelayzells.com>
Date:   Tue, 16 Dec 2025 04:53:46 +0000

Bug 1927599 - Part 4: Inline JIT calls on iOS, r=jandem

This inlines the calls as recommended by the BrowserEngineCore documentation,
making it harder to use these methods as part of an exploit.

Differential Revision: https://phabricator.services.mozilla.com/D227290

Diffstat:
Mjs/src/jit/ProcessExecutableMemory.cpp | 14+-------------
Mjs/src/jit/ProcessExecutableMemory.h | 24+++++++++++++++++++-----
2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/js/src/jit/ProcessExecutableMemory.cpp b/js/src/jit/ProcessExecutableMemory.cpp
@@ -46,10 +46,6 @@
 # include <valgrind/valgrind.h>
 #endif
-#if defined(XP_IOS)
-# include <BrowserEngineCore/BEMemory.h>
-#endif
-
 using namespace js;
 using namespace js::jit;
@@ -998,22 +994,14 @@ bool js::jit::ReprotectRegion(void* start, size_t size,
 return true;
 }
-#ifdef JS_USE_APPLE_FAST_WX
+#if defined(JS_USE_APPLE_FAST_WX) && !defined(XP_IOS)
 void js::jit::AutoMarkJitCodeWritableForThread::markExecutable(
 bool executable) {
-# if defined(XP_IOS)
- if (executable) {
- be_memory_inline_jit_restrict_rwx_to_rx_with_witness();
- } else {
- be_memory_inline_jit_restrict_rwx_to_rw_with_witness();
- }
-# else
 if (__builtin_available(macOS 11.0, *)) {
 pthread_jit_write_protect_np(executable);
 } else {
 MOZ_CRASH("pthread_jit_write_protect_np must be available");
 }
-# endif
 }
 #endif
diff --git a/js/src/jit/ProcessExecutableMemory.h b/js/src/jit/ProcessExecutableMemory.h
@@ -9,6 +9,10 @@
 #include "util/Poison.h"
+#ifdef XP_IOS
+# include <BrowserEngineCore/BEMemory.h>
+#endif
+
 namespace js {
 namespace jit {
@@ -115,19 +119,29 @@ class MOZ_RAII AutoMarkJitCodeWritableForThread {
 void checkDestructor() {}
 #endif
-#ifdef JS_USE_APPLE_FAST_WX
+#if defined(JS_USE_APPLE_FAST_WX) && !defined(XP_IOS)
 void markExecutable(bool executable);
-#else
- void markExecutable(bool executable) {}
 #endif
 public:
- AutoMarkJitCodeWritableForThread() {
+ MOZ_ALWAYS_INLINE_EVEN_DEBUG AutoMarkJitCodeWritableForThread() {
+#if defined(JS_USE_APPLE_FAST_WX)
+# if defined(XP_IOS)
+ be_memory_inline_jit_restrict_rwx_to_rw_with_witness();
+# else
 markExecutable(false);
+# endif
+#endif
 checkConstructor();
 }
- ~AutoMarkJitCodeWritableForThread() {
+ MOZ_ALWAYS_INLINE_EVEN_DEBUG ~AutoMarkJitCodeWritableForThread() {
+#if defined(JS_USE_APPLE_FAST_WX)
+# if defined(XP_IOS)
+ be_memory_inline_jit_restrict_rwx_to_rx_with_witness();
+# else
 markExecutable(true);
+# endif
+#endif
 checkDestructor();
 }
 };
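Review bot: The new `#if defined(JS_USE_APPLE_FAST_WX) && !defined(XP_IOS)` guard around `markExecutable` in ProcessExecutableMemory.cpp leaves no hint in this file why iOS is excluded, so a reader of the .cpp alone could conclude that iOS builds no longer toggle JIT memory between RW and RX at all. The header declares `markExecutable` under the same condition, so nothing is left unresolved, but the cross-file dependency deserves a comment above the guard, e.g. `// iOS flips RW/RX inline in AutoMarkJitCodeWritableForThread's ctor/dtor (see ProcessExecutableMemory.h); only the macOS pthread_jit_write_protect_np path stays out of line.` The enclosing `ReprotectRegion` function starts before this hunk.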
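Review bot: The iOS constructor and destructor in ProcessExecutableMemory.h now call `be_memory_inline_jit_restrict_rwx_to_rw_with_witness()` / `be_memory_inline_jit_restrict_rwx_to_rx_with_witness()` directly and are marked `MOZ_ALWAYS_INLINE_EVEN_DEBUG`, but nothing in the header records that this layout is deliberate, so a later cleanup could hoist the two calls back into a shared out-of-line helper and silently undo the hardening the commit message describes. A comment above the constructor would pin the intent, e.g. `// Keep the BrowserEngineCore calls inline and the ctor/dtor always-inline: the RW/RX switch is not meant to exist as a standalone callable function (see Bug 1927599).` The preceding hunk in the same header includes `<BrowserEngineCore/BEMemory.h>` under `#ifdef XP_IOS` alone while its only uses sit under `JS_USE_APPLE_FAST_WX` as well; that is harmless, but aligning the include guard with the use sites would make the dependency explicit. The `AutoMarkJitCodeWritableForThread` class begins before this hunk.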