Created attachment 579948: updated ebuild. This would be very helpful in order to allow turning off the JavaScript JIT during compilation. Some use cases of this would be security (e.g. Spectre), and some architectures where the JIT doesn't work. This should be as simple as adding the USE flag and adding the corresponding -DENABLE_JIT configuration switch. I've attached an ebuild that should solve this.
(In reply to Michael Mackus from comment #0) This use flag existed in the past; it was removed because having it turned off resulted in compile failures. I assume you've tested this ebuild and it works fine now? It'd be nice to have back if it works. With JIT enabled the runtime allocates dozens of gigabytes of virtual memory, making it unusable with unlimited-overcommit disabled.
Removal of the USE flag meant that upstream makes the decision, not that it's always enabled. It is automatically disabled by upstream if the platform doesn't support JIT, making one reason to have it moot ("where the JIT doesn't work"). Otherwise nothing has changed, as the removal was done in the latest or almost latest version, and it is a maintenance nightmare as-is. I don't really feel inclined to ever add it again, unless someone improves this heavily in coordination with upstream, but I doubt they want to support this. As far as Spectre is concerned, please check what the real story is. It may very well be that with JIT there's good protection against it, but without it it's a big gaping hole. But that's just a counter-claim - I don't know. I only know that SSE2 is important for its mitigation.
Thank you. I thought this would be a good addition since it seems like it fits into the nature of Gentoo. I'm more concerned about Spectre vulnerabilities, since JavaScript will be the prime attack surface I'm worried about. Everything I have read says one vulnerability lies primarily in the JIT due to the speed and the need to get a precise timing measurement. If it really is a maintenance nightmare, I guess I will find out, as I'm currently maintaining my own ebuild for this that appears to be working.
If it is truly a maintenance nightmare it probably isn't worth the effort. For now I'm just using `export JavaScriptCoreUseJIT=0` in my .bashrc; this way it *should* never be used by vimb. I did get WebKit to compile successfully with the compile-time switch, though, and I'd prefer to do it in the source code directly. However, after thinking about this some more, it is more important to ensure WebKit is up to date and working than to maintain another ebuild.
Yeah, the problem is that the main tree doesn't have the luxury of "it works on MY computer"; it has to work for everyone.