112380 2013-03-14 14:23:09 -0700 Add runtime check for improper register allocations in DFG 2017-06-12 11:55:17 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 111777 112609 1 msaboff msaboff abecsi benjamin cmarcelo fpizlo ojan.autocc saam tmpsantos webkit.review.bot ysuzuki oldest_to_newest 855487 0 msaboff 2013-03-14 14:23:09 -0700 The recent bug https://bugs.webkit.org/show_bug.cgi?id=111777 - "Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article" had a symptom not at all related to the cause. Defects like it are difficult to track down and it isn't clear when adding or modifying the DFG JIT code generator that one has created such a problem. Therefore we should create a runtime check to find, via ASSERT, that a register allocation has been added in an unsafe location. 855504 1 193190 msaboff 2013-03-14 14:48:04 -0700 Created attachment 193190 Patch No new tests were added with this patch, as existing tests should work unchanged unless they have unsafe register allocations and then they'll crash. 855508 2 webkit.review.bot 2013-03-14 14:51:02 -0700 Attachment 193190 did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/assembler/AbstractMacroAssembler.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/WTF/ChangeLog', u'Source/WTF/wtf/Platform.h']" exit_code: 1 Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:696: This { should be at the end of the previous line [whitespace/braces] [4] Total errors found: 1 in 7 files If any of these errors are false positives, please file a bug against check-webkit-style. 856158 3 msaboff 2013-03-15 11:55:16 -0700 When enabled and an improper register allocation is found, the process will ASSERT fail and provide a backtrace similar to: ASSERTION FAILED: Unsafe branch over register allocation at offset 126 !(low <= m_offset && m_offset <= high) /Volumes/Data/src/webkit/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(706) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int) 1 0x10ef79f0c JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int) 2 0x10ef791e8 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) 3 0x10ef7616f JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const 4 0x10f0500f7 JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality(JSC::DFG::Edge, JSC::DFG::Edge) 5 0x10f029f57 JSC::DFG::SpeculativeJIT::compare(JSC::DFG::Node*, JSC::MacroAssemblerX86Common::RelationalCondition, JSC::MacroAssemblerX86Common::DoubleCondition, unsigned long (*)(JSC::ExecState*, long long, long long)) 6 0x10f0554a5 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 7 0x10f02127f JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) 8 0x10f021b2e JSC::DFG::SpeculativeJIT::compile() 9 0x10efe4499 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) 10 0x10efe5a7d JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) 11 0x10efc49a0 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) 12 0x10efc433c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) 13 0x10f09fc91 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) 14 0x10f0a03eb JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) 15 0x10f09ce29 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) 16 0x10f09cb45 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) 17 0x10eefb02f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) 18 0x10eef0aae JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) 19 0x10f10aebf cti_optimize 20 0x10f113470 jscGeneratedNativeCode 21 0x10f0d00e4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) 22 0x10f0c87b9 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) 23 0x10f0c7f07 JSC::eval(JSC::ExecState*) 24 0x10f110da1 cti_op_call_eval 25 0x10f113470 jscGeneratedNativeCode 26 0x10f0d00e4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) 27 0x10f0ccbc8 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) 28 0x10ef3d117 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 29 0x111603e42 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) 30 0x111e8b173 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) 31 0x111e8b2c4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) 856166 4 193190 ggaren 2013-03-15 12:02:43 -0700 Comment on attachment 193190 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=193190&action=review r=me > Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:728 > + unsigned temp; > + temp = offset1; > + offset1 = offset2; > + offset2 = temp; Please use std::swap. > Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:770 > + Vector<RegisterAllocationOffset, 10> m_unsafeRegisterAllocationForBranchingOver; I think it would be a little clearer just to call this, and related functions, something like "registerAlloationOffsets". There's nothing inherently unsafe about the data we're tracking -- we just happen to use the data to discover unsafe actions. > Source/WTF/wtf/Platform.h:856 > +#if !defined(ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION) && ENABLE(DFG_JIT) > +#define ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION 0 > +#endif Let's turn this on by default in debug builds, so it can help us catch bugs. 856199 5 msaboff 2013-03-15 12:37:41 -0700 Committed r145931: <http://trac.webkit.org/changeset/145931> 857166 6 tmpsantos 2013-03-18 09:04:52 -0700 (In reply to comment #5) > Committed r145931: <http://trac.webkit.org/changeset/145931> Looks like it caught the first bug on WebAudio. I have several failing on EFL Debug bot after this patch: crash log for WebProcess (pid <unknown>): STDOUT: <empty> STDERR: ERROR: Thread name "com.apple.WebKit.ProcessLauncher" is longer than 31 characters and will be truncated by Visual Studio STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) STDERR: ERROR: Thread name "com.apple.WebKit.EventDispatcher" is longer than 31 characters and will be truncated by Visual Studio STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) STDERR: ERROR: Thread name "com.apple.WebKit.PluginProcessConnectionManager" is longer than 31 characters and will be truncated by Visual Studio STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) STDERR: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 496 in jump offset range 496..524 STDERR: !(low <= m_offset && m_offset <= high) STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(704) : void JSC::AbstractMacroAssembler<AssemblerType>::RegisterAllocationOffset::check(unsigned int, unsigned int) [with AssemblerType = JSC::X86Assembler] STDERR: 1 0x7fe38a9e5180 JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int) STDERR: 2 0x7fe38a9e46f4 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) STDERR: 3 0x7fe38a9e42e2 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const STDERR: 4 0x7fe38aa71d63 JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray(JSC::TypedArrayDescriptor const&, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID, JSC::DFG::Node*, unsigned long) STDERR: 5 0x7fe38aa9cac9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) STDERR: 6 0x7fe38aa6d0e7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) STDERR: 7 0x7fe38aa6d84f JSC::DFG::SpeculativeJIT::compile() STDERR: 8 0x7fe38aa3a0f8 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) STDERR: 9 0x7fe38aa3b325 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) STDERR: 10 0x7fe38aa298f8 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) STDERR: 11 0x7fe38aa2917c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) STDERR: 12 0x7fe38abe4997 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) STDERR: 13 0x7fe38abe4c8c JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) STDERR: 14 0x7fe38abe2e9a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) STDERR: 15 0x7fe38abe2617 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 16 0x7fe38a938a7d JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) STDERR: 17 0x7fe38a932766 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 18 0x7fe38ab38a7e STDERR: 19 0x7fe38ab35ab8 STDERR: 20 0x7fe33d45c058 857198 7 abecsi 2013-03-18 09:31:35 -0700 The same ASSERT is hit in debug Qt MiniBrowser (x86_64 Linux) when loading wired.com ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 216 in jump offset range 216..262 0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704 704 RELEASE_ASSERT_WITH_MESSAGE(!(low <= m_offset && m_offset <= high), "Unsafe branch over register allocation at instruction offset %u in jump offset range %u..%u", m_offset, low, high); (gdb) bt #0 0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704 #1 0x00007ffff1e44998 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange (this=0x7fffffffb0d0, offset1=216, offset2=262) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:728 #2 0x00007ffff1e445ac in JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link (this=0x7fffffff6790, masm=0x7fffffffb0d0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:542 #3 0x00007ffff1ef06ee in JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality (this=0x7fffffffa470, leftChild=..., rightChild=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1433 #4 0x00007ffff1ed1d71 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffffa470, node=0x7fff818605b0, condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= 0x7ffff1ea46bb <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3438 #5 0x00007ffff1ef5528 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, node=0x7fff818605b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2328 #6 0x00007ffff1ec9b59 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, block=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762 #7 0x00007ffff1eca2c7 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880 #8 0x00007ffff1e982d2 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffb0d0, speculative=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108 #9 0x00007ffff1e99531 in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffb0d0, entry=..., entryWithArityCheck=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302 #10 0x00007ffff1e886ac in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=0x7ffff7eef3c0, osrEntryBytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:161 #11 0x00007ffff1e87e84 in JSC::DFG::tryCompileFunction (exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:179 #12 0x00007ffff201e5b9 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITDriver.h:95 #13 0x00007ffff201e8ab in JSC::prepareFunctionForExecution (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForCall) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/ExecutionHarness.h:68 #14 0x00007ffff201cafa in JSC::FunctionExecutable::compileForCallInternal (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:538 #15 0x00007ffff201c277 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:463 #16 0x00007ffff1d6e143 in JSC::FunctionExecutable::compileOptimizedFor (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0, kind=JSC::CodeForCall) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.h:678 #17 0x00007ffff1d68af2 in JSC::FunctionCodeBlock::compileOptimized (this=0x817dc0, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879 #18 0x00007ffff1f6524e in JSC::cti_optimize (args=0x7fffffffc9b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:1899 #19 0x00007ffff1f6226d in JSC::tryCacheGetByID (callFrame=0x7fff833ff530, codeBlock=0x7ffff7ecfc70, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff00000000) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:996 #20 0x00007fff833ff060 in ?? () #21 0x00007fff00000000 in ?? () #22 0x00007ffff18536d1 in WebCore::jsDocumentCookie (exec=0x7fffffffc9b0, slotBase=...) at generated/JSDocument.cpp:514 857260 8 msaboff 2013-03-18 10:21:21 -0700 (In reply to comment #7) > The same ASSERT is hit in debug Qt MiniBrowser (x86_64 Linux) when loading wired.com > > ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 216 in jump offset range 216..262 > > 0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704 > 704 RELEASE_ASSERT_WITH_MESSAGE(!(low <= m_offset && m_offset <= high), "Unsafe branch over register allocation at instruction offset %u in jump offset range %u..%u", m_offset, low, high); > (gdb) bt > #0 0x00007ffff1e45358 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check (this=0x7fffffffb1a8, low=216, high=262) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:704 > #1 0x00007ffff1e44998 in JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange (this=0x7fffffffb0d0, offset1=216, offset2=262) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:728 > #2 0x00007ffff1e445ac in JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link (this=0x7fffffff6790, masm=0x7fffffffb0d0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h:542 > #3 0x00007ffff1ef06ee in JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality (this=0x7fffffffa470, leftChild=..., rightChild=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1433 > #4 0x00007ffff1ed1d71 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffffa470, node=0x7fff818605b0, condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= > 0x7ffff1ea46bb <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3438 > #5 0x00007ffff1ef5528 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, node=0x7fff818605b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2328 > #6 0x00007ffff1ec9b59 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470, block=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762 > #7 0x00007ffff1eca2c7 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffffa470) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880 > #8 0x00007ffff1e982d2 in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffb0d0, speculative=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108 > #9 0x00007ffff1e99531 in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffb0d0, entry=..., entryWithArityCheck=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302 > #10 0x00007ffff1e886ac in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=0x7ffff7eef3c0, osrEntryBytecodeIndex=0) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:161 > #11 0x00007ffff1e87e84 in JSC::DFG::tryCompileFunction (exec=0x7fff833ff530, codeBlock=0x1620370, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/dfg/DFGDriver.cpp:179 > #12 0x00007ffff201e5b9 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITDriver.h:95 > #13 0x00007ffff201e8ab in JSC::prepareFunctionForExecution (exec=0x7fff833ff530, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForCall) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/ExecutionHarness.h:68 > #14 0x00007ffff201cafa in JSC::FunctionExecutable::compileForCallInternal (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:538 > #15 0x00007ffff201c277 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.cpp:463 > #16 0x00007ffff1d6e143 in JSC::FunctionExecutable::compileOptimizedFor (this=0x7ffff7eef370, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0, kind=JSC::CodeForCall) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/Executable.h:678 > #17 0x00007ffff1d68af2 in JSC::FunctionCodeBlock::compileOptimized (this=0x817dc0, exec=0x7fff833ff530, scope=0x7ffff7ecfc70, bytecodeIndex=0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2879 > #18 0x00007ffff1f6524e in JSC::cti_optimize (args=0x7fffffffc9b0) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:1899 > #19 0x00007ffff1f6226d in JSC::tryCacheGetByID (callFrame=0x7fff833ff530, codeBlock=0x7ffff7ecfc70, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff00000000) > at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:996 > #20 0x00007fff833ff060 in ?? () > #21 0x00007fff00000000 in ?? () > #22 0x00007ffff18536d1 in WebCore::jsDocumentCookie (exec=0x7fffffffc9b0, slotBase=...) at generated/JSDocument.cpp:514 This one is known and being tracked with https://bugs.webkit.org/show_bug.cgi?id=112477 857434 9 msaboff 2013-03-18 12:41:50 -0700 (In reply to comment #6) > (In reply to comment #5) > > Committed r145931: <http://trac.webkit.org/changeset/145931> > > Looks like it caught the first bug on WebAudio. I have several failing on EFL Debug bot after this patch: > > crash log for WebProcess (pid <unknown>): > STDOUT: <empty> > STDERR: ERROR: Thread name "com.apple.WebKit.ProcessLauncher" is longer than 31 characters and will be truncated by Visual Studio > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) > STDERR: ERROR: Thread name "com.apple.WebKit.EventDispatcher" is longer than 31 characters and will be truncated by Visual Studio > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) > STDERR: ERROR: Thread name "com.apple.WebKit.PluginProcessConnectionManager" is longer than 31 characters and will be truncated by Visual Studio > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/WTF/wtf/Threading.cpp(78) : WTF::ThreadIdentifier WTF::createThread(WTF::ThreadFunction, void*, const char*) > STDERR: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 496 in jump offset range 496..524 > STDERR: !(low <= m_offset && m_offset <= high) > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(704) : void JSC::AbstractMacroAssembler<AssemblerType>::RegisterAllocationOffset::check(unsigned int, unsigned int) [with AssemblerType = JSC::X86Assembler] > STDERR: 1 0x7fe38a9e5180 JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::check(unsigned int, unsigned int) > STDERR: 2 0x7fe38a9e46f4 JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) > STDERR: 3 0x7fe38a9e42e2 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const > STDERR: 4 0x7fe38aa71d63 JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray(JSC::TypedArrayDescriptor const&, JSC::X86Registers::RegisterID, JSC::X86Registers::RegisterID, JSC::DFG::Node*, unsigned long) > STDERR: 5 0x7fe38aa9cac9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) > STDERR: 6 0x7fe38aa6d0e7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) > STDERR: 7 0x7fe38aa6d84f JSC::DFG::SpeculativeJIT::compile() > STDERR: 8 0x7fe38aa3a0f8 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) > STDERR: 9 0x7fe38aa3b325 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) > STDERR: 10 0x7fe38aa298f8 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) > STDERR: 11 0x7fe38aa2917c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) > STDERR: 12 0x7fe38abe4997 JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) > STDERR: 13 0x7fe38abe4c8c JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) > STDERR: 14 0x7fe38abe2e9a JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) > STDERR: 15 0x7fe38abe2617 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) > STDERR: 16 0x7fe38a938a7d JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) > STDERR: 17 0x7fe38a932766 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) > STDERR: 18 0x7fe38ab38a7e > STDERR: 19 0x7fe38ab35ab8 > STDERR: 20 0x7fe33d45c058 Created https://bugs.webkit.org/show_bug.cgi?id=112609 - "EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()" to track this. Investigating now. 1318305 10 ysuzuki 2017-06-12 11:32:02 -0700 Hmmm, it seems that this check is not so correct. This assersion can be fired even if the code is not buggy. For example, SpeculateCellOperand cell(this); GPRReg cellGPR = cell.gpr(); auto loop = m_jit.label(); ... m_jit.jump().linkTo(loop, &m_jit); causes assertion failure. But there is no bugs. 1318311 11 saam 2017-06-12 11:50:30 -0700 (In reply to Yusuke Suzuki from comment #10) > Hmmm, it seems that this check is not so correct. > This assersion can be fired even if the code is not buggy. > For example, > > SpeculateCellOperand cell(this); > GPRReg cellGPR = cell.gpr(); > > auto loop = m_jit.label(); > ... > m_jit.jump().linkTo(loop, &m_jit); > > causes assertion failure. But there is no bugs. I vaguely remember one of Filip's patches running into this same assertion recently. 1318315 12 saam 2017-06-12 11:55:17 -0700 (In reply to Saam Barati from comment #11) > (In reply to Yusuke Suzuki from comment #10) > > Hmmm, it seems that this check is not so correct. > > This assersion can be fired even if the code is not buggy. > > For example, > > > > SpeculateCellOperand cell(this); > > GPRReg cellGPR = cell.gpr(); > > > > auto loop = m_jit.label(); > > ... > > m_jit.jump().linkTo(loop, &m_jit); > > > > causes assertion failure. But there is no bugs. > > I vaguely remember one of Filip's patches running into this same assertion > recently. Looks like the same thing, discussion here: https://bugs.webkit.org/show_bug.cgi?id=164108 Fil filed this bug: https://bugs.webkit.org/show_bug.cgi?id=170974 He solved it in his patch by padding w/ a nop 193190 2013-03-14 14:48:04 -0700 2013-03-15 12:02:43 -0700 Patch 112380.pach text/plain 9447 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTQ1ODQ4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDM3IEBA CisyMDEzLTAzLTE0ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIEFkZCBydW50aW1lIGNoZWNrIGZvciBpbXByb3BlciByZWdpc3RlciBhbGxvY2F0aW9ucyBp biBERkcKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEx MjM4MAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFk ZGVkIGZyYW1ld29yayB0byBjaGVjayBmb3IgcmVnaXN0ZXIgYWxsb2NhdGlvbiB3aXRoaW4gYSBi cmFuY2ggc291cmNlIC0gdGFyZ2V0IHJhbmdlLiAgQWxsIHJlZ2lzdGVyIGFsbG9jYXRpb25zCisg ICAgICAgIGFyZSBzYXZlZCB1c2luZyB0aGUgb2Zmc2V0IGluIHRoZSBjb2RlIHN0cmVhbSB3aGVy ZSB0aGUgYWxsb2NhdGlvbiBvY2N1cnJlZC4gIExhdGVyIHdoZW4gYSBqdW1wIGlzIGxpbmtlZCwg dGhlCisgICAgICAgIGN1cnJlbnRseSBzYXZlZCByZWdpc3RlciBhbGxvY2F0aW9ucyBhcmUgY2hl Y2tlZCB0byBtYWtlIHN1cmUgdGhhdCB0aGV5IGRpZG4ndCBvY2N1ciBpbiB0aGUgcmFuZ2Ugb2Yg Y29kZSB0aGF0IHdhcworICAgICAgICBqdW1wZWQgb3Zlci4gIFRoaXMgcHJvdGVjdHMgYWdhaW5z dCB0aGUgY2FzZSB3aGVyZSBhbiBhbGxvY2F0aW9uIGNvdWxkIGhhdmUgc3BpbGxlZCByZWdpc3Rl ciBjb250ZW50cyB0byBmcmVlIHVwIAorICAgICAgICBhIHJlZ2lzdGVyIGFuZCB0aGF0IHNwaWxs IG9ubHkgb2NjdXJzIG9uIG9uZSBwYXRoIG9mIGEgbWFueSB0aHJvdWdoIHRoZSBjb2RlLiAgQSBz dWJzZXF1ZW50IGZpbGwgb2YgdGhlIHNwaWxsZWQKKyAgICAgICAgcmVnaXN0ZXIgbWF5IGxvYWQg Z2FyYmFnZS4gIFNlZSBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTEx Nzc3IGZvciBvbmUgc3VjaCBidWcuCisgICAgICAgIFRoaXMgY29kZSBpcyBwcm90ZWN0ZWQgYnkg dGhlIGNvbXBpbGUgdGltZSBjaGVjayBvZiAjaWYgRU5BQkxFKERGR19SRUdJU1RFUl9BTExPQ0FU SU9OX1ZBTElEQVRJT04pLgorICAgICAgICBUaGUgY2hlY2sgaXMgb25seSBkb25lIGR1cmluZyB0 aGUgcHJvY2Vzc2luZyBvZiBTcGVjdWxhdGl2ZUpJVDo6Y29tcGlsZShOb2RlKiBub2RlKSBhbmQg aXRzIGNhbGxlZXMuCisgCisgICAgICAgICogYXNzZW1ibGVyL0Fic3RyYWN0TWFjcm9Bc3NlbWJs ZXIuaDoKKyAgICAgICAgKEpTQzo6QWJzdHJhY3RNYWNyb0Fzc2VtYmxlcjo6SnVtcDo6bGluayk6 IEludm9rZSByZWdpc3RlciBhbGxvY2F0aW9uIGNoZWNrcyB1c2luZyBzb3VyY2UgYW5kIHRhcmdl dCBvZiBsaW5rLgorICAgICAgICAoSlNDOjpBYnN0cmFjdE1hY3JvQXNzZW1ibGVyOjpKdW1wOjps aW5rVG8pOiBJbnZva2UgcmVnaXN0ZXIgYWxsb2NhdGlvbiBjaGVja3MgdXNpbmcgc291cmNlIGFu ZCB0YXJnZXQgb2YgbGluay4KKyAgICAgICAgKEFic3RyYWN0TWFjcm9Bc3NlbWJsZXIpOgorICAg ICAgICAoUmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0KTogTmV3IGhlbHBlciBjbGFzcyB0byBzdG9y ZSB0aGUgaW5zdHJ1Y3Rpb24gc3RyZWFtIG9mZnNldCBhbmQgY29tcGFyZSBhZ2FpbnN0IGEgCisg ICAgICAgIGp1bXAgcmFuZ2UuCisgICAgICAgIChKU0M6OkFic3RyYWN0TWFjcm9Bc3NlbWJsZXI6 OlJlZ2lzdGVyQWxsb2NhdGlvbk9mZnNldDo6UmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0KToKKyAg ICAgICAgKEpTQzo6QWJzdHJhY3RNYWNyb0Fzc2VtYmxlcjo6UmVnaXN0ZXJBbGxvY2F0aW9uT2Zm c2V0OjpjaGVjayk6CisgICAgICAgIChKU0M6OkFic3RyYWN0TWFjcm9Bc3NlbWJsZXI6OmFkZFJl Z2lzdGVyQWxsb2NhdGlvbkF0T2Zmc2V0KToKKyAgICAgICAgKEpTQzo6QWJzdHJhY3RNYWNyb0Fz c2VtYmxlcjo6Y2xlYXJSZWdpc3RlckFsbG9jYXRpb25PZmZzZXRzKTogCisgICAgICAgIChKU0M6 OkFic3RyYWN0TWFjcm9Bc3NlbWJsZXI6OmNoZWNrUmVnaXN0ZXJBbGxvY2F0aW9uQWdhaW5zdEJy YW5jaFJhbmdlKToKKyAgICAgICAgKiBkZmcvREZHU3BlY3VsYXRpdmVKSVQuaDoKKyAgICAgICAg KEpTQzo6REZHOjpTcGVjdWxhdGl2ZUpJVDo6YWxsb2NhdGUpOgorICAgICAgICAqIGRmZy9ERkdT cGVjdWxhdGl2ZUpJVDMyXzY0LmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpTcGVjdWxhdGl2ZUpJ VDo6Y29tcGlsZSk6CisgICAgICAgICogZGZnL0RGR1NwZWN1bGF0aXZlSklUNjQuY3BwOgorICAg ICAgICAoSlNDOjpERkc6OlNwZWN1bGF0aXZlSklUOjpjb21waWxlKToKKwogMjAxMy0wMy0xMSAg TWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBwbGUuY29tPgogCiAgICAgICAgIE9iamVj dGl2ZS1DIEFQSTogT2JqZWN0aXZlLUMgZnVuY3Rpb25zIGV4cG9zZWQgdG8gSmF2YVNjcmlwdCBo YXZlIHRoZSB3cm9uZyB0eXBlIChvYmplY3QgaW5zdGVhZCBvZiBmdW5jdGlvbikKSW5kZXg6IFNv dXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvQWJzdHJhY3RNYWNyb0Fzc2VtYmxlci5oCj09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvQWJzdHJhY3RNYWNy b0Fzc2VtYmxlci5oCShyZXZpc2lvbiAxNDU1NTMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUv YXNzZW1ibGVyL0Fic3RyYWN0TWFjcm9Bc3NlbWJsZXIuaAkod29ya2luZyBjb3B5KQpAQCAtNTM4 LDYgKzUzOCwxMCBAQCBwdWJsaWM6CiAKICAgICAgICAgdm9pZCBsaW5rKEFic3RyYWN0TWFjcm9B c3NlbWJsZXI8QXNzZW1ibGVyVHlwZT4qIG1hc20pIGNvbnN0CiAgICAgICAgIHsKKyNpZiBFTkFC TEUoREZHX1JFR0lTVEVSX0FMTE9DQVRJT05fVkFMSURBVElPTikKKyAgICAgICAgICAgIG1hc20t PmNoZWNrUmVnaXN0ZXJBbGxvY2F0aW9uQWdhaW5zdEJyYW5jaFJhbmdlKG1fbGFiZWwubV9vZmZz ZXQsIG1hc20tPmRlYnVnT2Zmc2V0KCkpOworI2VuZGlmCisKICNpZiBDUFUoQVJNX1RIVU1CMikK ICAgICAgICAgICAgIG1hc20tPm1fYXNzZW1ibGVyLmxpbmtKdW1wKG1fbGFiZWwsIG1hc20tPm1f YXNzZW1ibGVyLmxhYmVsKCksIG1fdHlwZSwgbV9jb25kaXRpb24pOwogI2VsaWYgQ1BVKFNINCkK QEAgLTU0OSw2ICs1NTMsMTAgQEAgcHVibGljOgogICAgICAgICAKICAgICAgICAgdm9pZCBsaW5r VG8oTGFiZWwgbGFiZWwsIEFic3RyYWN0TWFjcm9Bc3NlbWJsZXI8QXNzZW1ibGVyVHlwZT4qIG1h c20pIGNvbnN0CiAgICAgICAgIHsKKyNpZiBFTkFCTEUoREZHX1JFR0lTVEVSX0FMTE9DQVRJT05f VkFMSURBVElPTikKKyAgICAgICAgICAgIG1hc20tPmNoZWNrUmVnaXN0ZXJBbGxvY2F0aW9uQWdh aW5zdEJyYW5jaFJhbmdlKGxhYmVsLm1fbGFiZWwubV9vZmZzZXQsIG1fbGFiZWwubV9vZmZzZXQp OworI2VuZGlmCisKICNpZiBDUFUoQVJNX1RIVU1CMikKICAgICAgICAgICAgIG1hc20tPm1fYXNz ZW1ibGVyLmxpbmtKdW1wKG1fbGFiZWwsIGxhYmVsLm1fbGFiZWwsIG1fdHlwZSwgbV9jb25kaXRp b24pOwogI2Vsc2UKQEAgLTY4Myw2ICs2OTEsNDkgQEAgcHVibGljOgogICAgICAgICByZXR1cm4g TGFiZWwodGhpcyk7CiAgICAgfQogCisjaWYgRU5BQkxFKERGR19SRUdJU1RFUl9BTExPQ0FUSU9O X1ZBTElEQVRJT04pCisgICAgY2xhc3MgUmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0CisgICAgewor ICAgIHB1YmxpYzoKKyAgICAgICAgUmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0KHVuc2lnbmVkIG9m ZnNldCkKKyAgICAgICAgICAgIDogbV9vZmZzZXQob2Zmc2V0KQorICAgICAgICB7CisgICAgICAg IH0KKworICAgICAgICB2b2lkIGNoZWNrKHVuc2lnbmVkIGxvdywgdW5zaWduZWQgaGlnaCkKKyAg ICAgICAgeworICAgICAgICAgICAgUkVMRUFTRV9BU1NFUlRfV0lUSF9NRVNTQUdFKCEobG93IDw9 IG1fb2Zmc2V0ICYmIG1fb2Zmc2V0IDw9IGhpZ2gpLCAiVW5zYWZlIGJyYW5jaCBvdmVyIHJlZ2lz dGVyIGFsbG9jYXRpb24gYXQgaW5zdHJ1Y3Rpb24gb2Zmc2V0ICV1IiwgbV9vZmZzZXQpOworICAg ICAgICB9CisKKyAgICBwcml2YXRlOgorICAgICAgICB1bnNpZ25lZCBtX29mZnNldDsKKyAgICB9 OworCisgICAgdm9pZCBhZGRSZWdpc3RlckFsbG9jYXRpb25BdE9mZnNldCh1bnNpZ25lZCBvZmZz ZXQpCisgICAgeworICAgICAgICBtX3Vuc2FmZVJlZ2lzdGVyQWxsb2NhdGlvbkZvckJyYW5jaGlu Z092ZXIuYXBwZW5kKFJlZ2lzdGVyQWxsb2NhdGlvbk9mZnNldChvZmZzZXQpKTsKKyAgICB9CisK KyAgICB2b2lkIGNsZWFyUmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0cygpCisgICAgeworICAgICAg ICBtX3Vuc2FmZVJlZ2lzdGVyQWxsb2NhdGlvbkZvckJyYW5jaGluZ092ZXIuY2xlYXIoKTsKKyAg ICB9CisKKyAgICB2b2lkIGNoZWNrUmVnaXN0ZXJBbGxvY2F0aW9uQWdhaW5zdEJyYW5jaFJhbmdl KHVuc2lnbmVkIG9mZnNldDEsIHVuc2lnbmVkIG9mZnNldDIpCisgICAgeworICAgICAgICBpZiAo b2Zmc2V0MSA+IG9mZnNldDIpIHsKKyAgICAgICAgICAgIHVuc2lnbmVkIHRlbXA7CisgICAgICAg ICAgICB0ZW1wID0gb2Zmc2V0MTsKKyAgICAgICAgICAgIG9mZnNldDEgPSBvZmZzZXQyOworICAg ICAgICAgICAgb2Zmc2V0MiA9IHRlbXA7CisgICAgICAgIH0KKworICAgICAgICBzaXplX3Qgc2l6 ZSA9IG1fdW5zYWZlUmVnaXN0ZXJBbGxvY2F0aW9uRm9yQnJhbmNoaW5nT3Zlci5zaXplKCk7Cisg ICAgICAgIGZvciAoc2l6ZV90IGkgPSAwOyBpIDwgc2l6ZTsgKytpKQorICAgICAgICAgICAgbV91 bnNhZmVSZWdpc3RlckFsbG9jYXRpb25Gb3JCcmFuY2hpbmdPdmVyW2ldLmNoZWNrKG9mZnNldDEs IG9mZnNldDIpOworICAgIH0KKyNlbmRpZgorCiAgICAgdGVtcGxhdGU8dHlwZW5hbWUgVCwgdHlw ZW5hbWUgVT4KICAgICBzdGF0aWMgcHRyZGlmZl90IGRpZmZlcmVuY2VCZXR3ZWVuKFQgZnJvbSwg VSB0bykKICAgICB7CkBAIC03MTUsNiArNzY2LDEwIEBAIHByb3RlY3RlZDoKIAogICAgIFdlYWtS YW5kb20gbV9yYW5kb21Tb3VyY2U7CiAKKyNpZiBFTkFCTEUoREZHX1JFR0lTVEVSX0FMTE9DQVRJ T05fVkFMSURBVElPTikKKyAgICBWZWN0b3I8UmVnaXN0ZXJBbGxvY2F0aW9uT2Zmc2V0LCAxMD4g bV91bnNhZmVSZWdpc3RlckFsbG9jYXRpb25Gb3JCcmFuY2hpbmdPdmVyOworI2VuZGlmCisKICNp ZiBFTkFCTEUoSklUX0NPTlNUQU5UX0JMSU5ESU5HKQogICAgIHN0YXRpYyBib29sIHNjcmF0Y2hS ZWdpc3RlckZvckJsaW5kaW5nKCkgeyByZXR1cm4gZmFsc2U7IH0KICAgICBzdGF0aWMgYm9vbCBz aG91bGRCbGluZEZvclNwZWNpZmljQXJjaCh1aW50MzJfdCkgeyByZXR1cm4gdHJ1ZTsgfQpJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDMyXzY0LmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklU MzJfNjQuY3BwCShyZXZpc2lvbiAxNDU1NTMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZn L0RGR1NwZWN1bGF0aXZlSklUMzJfNjQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xOTIzLDYgKzE5 MjMsMTAgQEAgdm9pZCBTcGVjdWxhdGl2ZUpJVDo6Y29tcGlsZShOb2RlKiBub2RlKQogewogICAg IE5vZGVUeXBlIG9wID0gbm9kZS0+b3AoKTsKIAorI2lmIEVOQUJMRShERkdfUkVHSVNURVJfQUxM T0NBVElPTl9WQUxJREFUSU9OKQorICAgIG1faml0LmNsZWFyUmVnaXN0ZXJBbGxvY2F0aW9uT2Zm c2V0cygpOworI2VuZGlmCisKICAgICBzd2l0Y2ggKG9wKSB7CiAgICAgY2FzZSBKU0NvbnN0YW50 OgogICAgICAgICBpbml0Q29uc3RhbnRJbmZvKG5vZGUpOwpAQCAtNDkyMyw3ICs0OTI3LDExIEBA IHZvaWQgU3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGUoTm9kZSogbm9kZSkKICAgICAgICAgUkVMRUFT RV9BU1NFUlRfTk9UX1JFQUNIRUQoKTsKICAgICAgICAgYnJlYWs7CiAgICAgfQotICAgIAorCisj aWYgRU5BQkxFKERGR19SRUdJU1RFUl9BTExPQ0FUSU9OX1ZBTElEQVRJT04pCisgICAgbV9qaXQu Y2xlYXJSZWdpc3RlckFsbG9jYXRpb25PZmZzZXRzKCk7CisjZW5kaWYKKwogICAgIGlmICghbV9j b21waWxlT2theSkKICAgICAgICAgcmV0dXJuOwogICAgIApJbmRleDogU291cmNlL0phdmFTY3Jp cHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDY0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklUNjQuY3BwCShyZXZpc2lvbiAxNDU1 NTMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklUNjQuY3Bw CSh3b3JraW5nIGNvcHkpCkBAIC0xODg4LDYgKzE4ODgsMTAgQEAgdm9pZCBTcGVjdWxhdGl2ZUpJ VDo6Y29tcGlsZShOb2RlKiBub2RlKQogewogICAgIE5vZGVUeXBlIG9wID0gbm9kZS0+b3AoKTsK ICAgICAKKyNpZiBFTkFCTEUoREZHX1JFR0lTVEVSX0FMTE9DQVRJT05fVkFMSURBVElPTikKKyAg ICBtX2ppdC5jbGVhclJlZ2lzdGVyQWxsb2NhdGlvbk9mZnNldHMoKTsKKyNlbmRpZgorCiAgICAg c3dpdGNoIChvcCkgewogICAgIGNhc2UgSlNDb25zdGFudDoKICAgICAgICAgaW5pdENvbnN0YW50 SW5mbyhub2RlKTsKQEAgLTQ3NzMsNiArNDc3NywxMCBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpj b21waWxlKE5vZGUqIG5vZGUpCiAgICAgICAgIGJyZWFrOwogICAgIH0KIAorI2lmIEVOQUJMRShE RkdfUkVHSVNURVJfQUxMT0NBVElPTl9WQUxJREFUSU9OKQorICAgIG1faml0LmNsZWFyUmVnaXN0 ZXJBbGxvY2F0aW9uT2Zmc2V0cygpOworI2VuZGlmCisKICAgICBpZiAoIW1fY29tcGlsZU9rYXkp CiAgICAgICAgIHJldHVybjsKICAgICAKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcv REZHU3BlY3VsYXRpdmVKSVQuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUv ZGZnL0RGR1NwZWN1bGF0aXZlSklULmgJKHJldmlzaW9uIDE0NTU1MykKKysrIFNvdXJjZS9KYXZh U2NyaXB0Q29yZS9kZmcvREZHU3BlY3VsYXRpdmVKSVQuaAkod29ya2luZyBjb3B5KQpAQCAtMTcz LDYgKzE3Myw5IEBAIHB1YmxpYzoKICAgICAvLyBBbGxvY2F0ZSBhIGdwci9mcHIuCiAgICAgR1BS UmVnIGFsbG9jYXRlKCkKICAgICB7CisjaWYgRU5BQkxFKERGR19SRUdJU1RFUl9BTExPQ0FUSU9O X1ZBTElEQVRJT04pCisgICAgICAgIG1faml0LmFkZFJlZ2lzdGVyQWxsb2NhdGlvbkF0T2Zmc2V0 KG1faml0LmRlYnVnT2Zmc2V0KCkpOworI2VuZGlmCiAgICAgICAgIFZpcnR1YWxSZWdpc3RlciBz cGlsbE1lOwogICAgICAgICBHUFJSZWcgZ3ByID0gbV9ncHJzLmFsbG9jYXRlKHNwaWxsTWUpOwog ICAgICAgICBpZiAoc3BpbGxNZSAhPSBJbnZhbGlkVmlydHVhbFJlZ2lzdGVyKSB7CkBAIC0xODgs NiArMTkxLDkgQEAgcHVibGljOgogICAgIH0KICAgICBHUFJSZWcgYWxsb2NhdGUoR1BSUmVnIHNw ZWNpZmljKQogICAgIHsKKyNpZiBFTkFCTEUoREZHX1JFR0lTVEVSX0FMTE9DQVRJT05fVkFMSURB VElPTikKKyAgICAgICAgbV9qaXQuYWRkUmVnaXN0ZXJBbGxvY2F0aW9uQXRPZmZzZXQobV9qaXQu ZGVidWdPZmZzZXQoKSk7CisjZW5kaWYKICAgICAgICAgVmlydHVhbFJlZ2lzdGVyIHNwaWxsTWUg PSBtX2dwcnMuYWxsb2NhdGVTcGVjaWZpYyhzcGVjaWZpYyk7CiAgICAgICAgIGlmIChzcGlsbE1l ICE9IEludmFsaWRWaXJ0dWFsUmVnaXN0ZXIpIHsKICNpZiBVU0UoSlNWQUxVRTMyXzY0KQpJbmRl eDogU291cmNlL1dURi9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dURi9DaGFuZ2VM b2cJKHJldmlzaW9uIDE0NTg0OCkKKysrIFNvdXJjZS9XVEYvQ2hhbmdlTG9nCSh3b3JraW5nIGNv cHkpCkBAIC0xLDMgKzEsMTMgQEAKKzIwMTMtMDMtMTQgIE1pY2hhZWwgU2Fib2ZmICA8bXNhYm9m ZkBhcHBsZS5jb20+CisKKyAgICAgICAgQWRkIHJ1bnRpbWUgY2hlY2sgZm9yIGltcHJvcGVyIHJl Z2lzdGVyIGFsbG9jYXRpb25zIGluIERGRworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MTEyMzgwCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuCisKKyAgICAgICAgKiB3dGYvUGxhdGZvcm0uaDogQWRkZWQgbmV3IEVOQUJMRV9ERkdf UkVHSVNURVJfQUxMT0NBVElPTl9WQUxJREFUSU9OIGNvbXBpbGF0aW9uIGZsYWcgdG8KKyAgICAg ICAgZW5hYmxlIGdlbmVyYXRpb24gb2YgcmVnaXN0ZXIgYWxsb2NhdGlvbiBjaGVja2luZy4KKwog MjAxMy0wMy0xMyAgSmVzc2llIEJlcmxpbiAgPGpiZXJsaW5AYXBwbGUuY29tPgogCiAgICAgICAg IFJlbW92ZSBzdm46ZXhlY3V0YWJsZSBmcm9tIGEgZmlsZSB0aGF0IGlzbid0IHN1cHBvc2VkIHRv IGJlIGV4ZWN1dGFibGUuCkluZGV4OiBTb3VyY2UvV1RGL3d0Zi9QbGF0Zm9ybS5oCj09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT0KLS0tIFNvdXJjZS9XVEYvd3RmL1BsYXRmb3JtLmgJKHJldmlzaW9uIDE0NTU1MykKKysrIFNv dXJjZS9XVEYvd3RmL1BsYXRmb3JtLmgJKHdvcmtpbmcgY29weSkKQEAgLTg1MCw2ICs4NTAsMTEg QEAKICNkZWZpbmUgRU5BQkxFX1dSSVRFX0JBUlJJRVJfUFJPRklMSU5HIDAKICNlbmRpZgogCisv LyBFbmFibGUgdmVyaWZpY2F0aW9uIHRoYXQgdGhhdCByZWdpc3RlciBhbGxvY2F0aW9ucyBhcmUg bm90IG1hZGUgd2l0aGluIGdlbmVyYXRlZCBjb250cm9sIGZsb3cuCisjaWYgIWRlZmluZWQoRU5B QkxFX0RGR19SRUdJU1RFUl9BTExPQ0FUSU9OX1ZBTElEQVRJT04pICYmIEVOQUJMRShERkdfSklU KQorI2RlZmluZSBFTkFCTEVfREZHX1JFR0lTVEVSX0FMTE9DQVRJT05fVkFMSURBVElPTiAwCisj ZW5kaWYKKwogLyogQ29uZmlndXJlIHRoZSBKSVQgKi8KICNpZiBDUFUoWDg2KSAmJiBDT01QSUxF UihNU1ZDKQogI2RlZmluZSBKU0NfSE9TVF9DQUxMIF9fZmFzdGNhbGwK