Public bug reported:

With Ubuntu 25.04, on arm64 hardware with BTI (e.g. Snapdragon X Elite), packages using webkit (e.g. Yelp, Epiphany, jsc from libjavascriptcoregtk-bin) crash with SIGILL, because of an indirect branch to a function without a BTI landing pad.

Epiphany for example continually prints:

  (epiphany:49469): epiphany-WARNING **: 16:29:50.082: Web process crashed

As a simpler example, `jsc -e 0` will crash with "Illegal instruction (core dumped)".

There is an upstream bug, but fixing this "is not something Apple plans to implement":
https://bugs.webkit.org/show_bug.cgi?id=245697

The crash occurs in Plucky but not Oracular, since in Oracular the library doesn't have BTI enabled:

  ubuntu@plucky:~$ readelf -n /lib/aarch64-linux-gnu/libjavascriptcoregtk-4.1.so.0 | grep AArch64
    Properties: AArch64 feature: BTI, PAC

  ubuntu@oracular:~$ readelf -n /lib/aarch64-linux-gnu/libjavascriptcoregtk-4.1.so.0 | grep AArch64
  [nothing]

It also won't occur on hardware without BTI support. The Debian package in sid doesn't have BTI, but there's nothing explicitly disabling it there, so I'm not entirely sure why only Ubuntu is currently affected.

The crash occurs when trying to call llint_program_prologue, which is defined in assembly. Normally assembly files without the correct annotation will not set the BTI feature, but for JavaScriptCore, LowLevelInterpreter.cpp includes the functions from LowLevelInterpreter.asm as inline assembly, so the toolchain doesn't recognise that there is a problem; it has no way of knowing that the labels inside the asm block will be used as indirect branch targets.

The fix for this (to avoid extensive source changes) will be to recompile the package to not use BTI, for example by using -mbranch-protection=pac-ret rather than -mbranch-protection=standard. I think a simpler fix is just to change hardening=+all in

  export DEB_BUILD_MAINT_OPTIONS = hardening=+all optimize=-lto

in debian/rules to hardening=+all,-branch, but that will also disable PAC.

A systemwide workaround is to add arm64.nobti to the kernel command line.
** Affects: webkit2gtk (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to webkit2gtk in Ubuntu.
https://bugs.launchpad.net/bugs/2107619

Title:
  JSC crashes with SIGILL on arm64 hardware with BTI

Status in webkit2gtk package in Ubuntu:
  New
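An added check for the readelf observation in the report above, not part of the bug report or of WebKit: a small Python parser that decodes the GNU_PROPERTY_AARCH64_FEATURE_1_AND bits (BTI, PAC) from a raw .note.gnu.property section, so a package audit can confirm which libraries still carry BTI after a rebuild. The two note blobs are constructed stand-ins for the Plucky and Oracular outputs, not bytes taken from libjavascriptcoregtk.

```python
"""Decode the AArch64 feature bits that readelf -n reports from a raw .note.gnu.property
section (ELF64, little-endian), so a script can audit which libraries carry BTI/PAC."""
import struct

NT_GNU_PROPERTY_TYPE_0 = 5                     # note type of .note.gnu.property
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {1 << 0: "BTI", 1 << 1: "PAC"}  # bit 0 = BTI, bit 1 = PAC


def _align(n: int, a: int) -> int:
    return (n + a - 1) & ~(a - 1)


def aarch64_features(note: bytes) -> set[str]:
    """Return the feature names advertised in a raw .note.gnu.property blob."""
    found: set[str] = set()
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += _align(namesz, 4)       # note name is padded to 4 bytes
        desc = note[off:off + descsz]
        off += _align(descsz, 8)       # descriptor is padded to 8 bytes on ELF64
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        pos = 0
        while pos + 8 <= len(desc):   # walk the property entries in the descriptor
            pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
            pos += 8
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_datasz == 4:
                (mask,) = struct.unpack_from("<I", desc, pos)
                found |= {n for bit, n in FEATURE_BITS.items() if mask & bit}
            pos += _align(pr_datasz, 8)
    return found


def build_property_note(mask: int) -> bytes:
    """Constructed test data: a single GNU property note carrying `mask`."""
    prop = struct.pack("<IIII", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, mask, 0)
    return struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop


# Constructed stand-ins for the two libraries in the report: a Plucky-style build
# with -mbranch-protection=standard (BTI|PAC) and an Oracular-style build whose
# ELF carries no property note at all (readelf prints nothing).
PLUCKY_NOTE = build_property_note(0b11)
ORACULAR_NOTE = b""
```

On a real system the section bytes come from the library itself (for example via `objcopy -O binary --only-section=.note.gnu.property`), and a pac-ret rebuild should decode to PAC alone.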