JIT Support on iOS

[jandem]

In order to ship a performant JavaScript/WebAssembly engine, a necessary component of a modern web browser, it must be possible for browser processes to create memory regions that are both writable and executable. However, applications on iOS are prevented from creating such memory regions because the system call used to configure memory region permissions (mmap(2)) does not allow it.

This is sound default behavior that improves security in general, but web browsers need this capability. As evidence, an exception is made for Safari’s WebKit rendering engine on iOS, allowing writable and executable memory regions to be created.

The same general security mitigation is employed on macOS, but on macOS applications like web browsers can opt-out by using entitlements. To allow these memory regions for non-WebKit browsers on iOS, iOS should allow an equivalent entitlement to the macOS Hardened Runtime entitlement com.apple.security.cs.allow-jit (which permits use of the mmap(2) system call using the MAP_JIT flag) and include its accompanying APIs pthread_jit_write_protect_np and sys_icache_invalidate. These APIs are already in iOS, but only Safari and other Apple applications are permitted to use them.

[rkk-ableton]

Some news in the EU: https://developer.apple.com/support/alternative-browser-engines/

[bgrins]

Note that we're aware of and are starting to look into the BrowserEngineKit framework. There's a lot to go through, but we'll follow up with comments in relevant issues as we learn more about the proposed plan & technical capabilities.

[Torrekie]

no, pthread_jit_write_protect_np is not provided by iOS, even it exists in iOS 14.2~iOS 14.4, this is a bug that Apple accidentally introduced the macOS specific pthread_jit API to iOS, which has been removed in later versions.

Also, there's no com.apple.security.cs.allow-jit, instead JIT applications shall use dynamic-codesigning and get-task-allow which letting process to use mmap(2) in sandbox, that was definitely not something able to be signed to App Store apps, it can only be done by jailbreaking or debugging.

Another thing is all JIT pages should be W^X after arm64 iOS 10 due to APRR, the pthread_jit_write_protect_np API is for performing fast global w^x, truncates COMMPAGE to change page permissions between RW and RX, which avoids patching the old JIT implementations to strict W^X policy. Since this API is not directly available on non-macOS Darwins, either following W^X or writing COMMPAGE is required for all JIT compilers.

If not, then the only way is to use the new BrowserEngineKit API in iOS 17.4, this framework is limited in EU App Store and require users to update their iOS to 17.4 or later, is it really worth breaking compatibilities?