120389 2013-08-27 19:07:26 -0700 JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector 2013-11-05 09:05:50 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 121074 1 mhahnenberg mhahnenberg oldest_to_newest 921791 0 mhahnenberg 2013-08-27 19:07:26 -0700 This leads to the JSArray forgetting it's true size (it thinks it has 8 bytes less than it actually does). 921793 1 209836 mhahnenberg 2013-08-27 19:16:04 -0700 Created attachment 209836 Patch 921809 2 209836 ggaren 2013-08-27 20:28:57 -0700 Comment on attachment 209836 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review > Source/JavaScriptCore/ChangeLog:8 > + This leads to the JSArray forgetting it's true size (it thinks it has 8 bytes less Should be "its true size". 921821 3 mhahnenberg 2013-08-27 21:17:01 -0700 (In reply to comment #2) > (From update of attachment 209836 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review > > > Source/JavaScriptCore/ChangeLog:8 > > + This leads to the JSArray forgetting it's true size (it thinks it has 8 bytes less > > Should be "its true size". Will fix. 921822 4 209836 msaboff 2013-08-27 21:21:36 -0700 Comment on attachment 209836 Patch r=me - With change log fix. 921826 5 209836 fpizlo 2013-08-27 21:38:45 -0700 Comment on attachment 209836 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review > Source/JavaScriptCore/runtime/JSArray.cpp:729 > + return true; > } > + > + storage->m_indexBias += count; > return true; This looks like it's introducing a new bug: the (startIndex < usedVectorLength - (startIndex + count)) == true case already adds count to indexBias. So now you're adding it twice. 921828 6 209836 mhahnenberg 2013-08-27 21:41:24 -0700 Comment on attachment 209836 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review >> Source/JavaScriptCore/runtime/JSArray.cpp:729 >> return true; > > This looks like it's introducing a new bug: the (startIndex < usedVectorLength - (startIndex + count)) == true case already adds count to indexBias. So now you're adding it twice. I don't think so. There's an early return inside the if block. 922016 7 mhahnenberg 2013-08-28 08:25:20 -0700 (In reply to comment #6) > (From update of attachment 209836 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=209836&action=review > > >> Source/JavaScriptCore/runtime/JSArray.cpp:729 > >> return true; > > > > This looks like it's introducing a new bug: the (startIndex < usedVectorLength - (startIndex + count)) == true case already adds count to indexBias. So now you're adding it twice. > > I don't think so. There's an early return inside the if block. But it does look like the other branch of the if-statement isn't modifying indexBias either, and it appears that it should. 922095 8 209901 mhahnenberg 2013-08-28 10:37:10 -0700 Created attachment 209901 Patch 922273 9 209901 mhahnenberg 2013-08-28 17:34:18 -0700 Comment on attachment 209901 Patch This patch is wrong. It breaks Facebook. 922530 10 209997 mhahnenberg 2013-08-29 10:26:34 -0700 Created attachment 209997 Patch 922532 11 mhahnenberg 2013-08-29 10:28:14 -0700 (In reply to comment #10) > Created an attachment (id=209997) [details] > Patch I went through the code and tried to figure out exactly what it was doing. As I went I added new variables that more accurately describe some of the intermediate calculations that are going on, which make the code much clearer. I also added comments to explain why we're doing certain things in certain places. 922538 12 209997 mhahnenberg 2013-08-29 10:30:23 -0700 Comment on attachment 209997 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209997&action=review > Source/JavaScriptCore/runtime/JSArray.cpp:726 > + // Since we're consuming part of the vector by moving its beginning to the left, ...beginning to the *right* 922649 13 209997 msaboff 2013-08-29 13:44:50 -0700 Comment on attachment 209997 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=209997&action=review > Source/JavaScriptCore/runtime/JSArray.cpp:717 > memmove( > - storage->m_vector + startIndex, > - storage->m_vector + startIndex + count, > - sizeof(JSValue) * (usedVectorLength - (startIndex + count))); > - for (unsigned i = usedVectorLength - count; i < usedVectorLength; ++i) > - storage->m_vector[i].clear(); > - } > + storage->m_vector + count, > + storage->m_vector, > + sizeof(JSValue) * startIndex); What about when the result of the shift will result with a vector length of 0. Copying in that case is wasteful and may also be wrong. > Source/JavaScriptCore/runtime/JSArray.cpp:735 > + memmove( > + storage->m_vector + startIndex, > + storage->m_vector + firstIndexAfterShiftRegion, > + sizeof(JSValue) * numElementsAfterShiftRegion); Ditto. 922654 14 mhahnenberg 2013-08-29 13:47:38 -0700 (In reply to comment #13) > (From update of attachment 209997 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=209997&action=review > > > Source/JavaScriptCore/runtime/JSArray.cpp:717 > > memmove( > > - storage->m_vector + startIndex, > > - storage->m_vector + startIndex + count, > > - sizeof(JSValue) * (usedVectorLength - (startIndex + count))); > > - for (unsigned i = usedVectorLength - count; i < usedVectorLength; ++i) > > - storage->m_vector[i].clear(); > > - } > > + storage->m_vector + count, > > + storage->m_vector, > > + sizeof(JSValue) * startIndex); > > What about when the result of the shift will result with a vector length of 0. Copying in that case is wasteful and may also be wrong. Why create a special case for that? I ran benchmarks with this patch and it had no effect. > > > Source/JavaScriptCore/runtime/JSArray.cpp:735 > > + memmove( > > + storage->m_vector + startIndex, > > + storage->m_vector + firstIndexAfterShiftRegion, > > + sizeof(JSValue) * numElementsAfterShiftRegion); > > Ditto. 926932 15 209997 msaboff 2013-09-09 15:06:41 -0700 Comment on attachment 209997 Patch r=me per our discussion. Please add RELEASE_ASSERTs to make sure that neither memmove will write past the end (first memmove) or beginning (second memmove). 926962 16 mhahnenberg 2013-09-09 15:40:01 -0700 Committed r155395: <http://trac.webkit.org/changeset/155395> 947210 17 209997 ossy 2013-11-05 09:05:50 -0800 Comment on attachment 209997 Patch Cleared review? from attachment 209997 so that this bug does not appear in http://webkit.org/pending-review. If you would like this patch reviewed, please attach it to a new bug (or re-open this bug before marking it for review again). 209836 2013-08-27 19:16:04 -0700 2013-08-28 10:37:09 -0700 Patch bug-120389-20130827191619.patch text/plain 1348 mhahnenberg SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0NzE4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDEzLTA4LTI3ICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgSlNBcnJheTo6c2hpZnRDb3VudFdpdGhBcnJheVN0b3JhZ2UgZG9lc24ndCBjaGFu Z2UgaW5kZXhCaWFzIHdoZW4gc2hpZnRpbmcgdGhlIGxhc3QgZWxlbWVudCBpbiBtX3ZlY3Rvcgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTIwMzg5CisK KyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBsZWFk cyB0byB0aGUgSlNBcnJheSBmb3JnZXR0aW5nIGl0J3MgdHJ1ZSBzaXplIChpdCB0aGlua3MgaXQg aGFzIDggYnl0ZXMgbGVzcyAKKyAgICAgICAgdGhhbiBpdCBhY3R1YWxseSBkb2VzKS4gCisKKyAg ICAgICAgKiBydW50aW1lL0pTQXJyYXkuY3BwOgorICAgICAgICAoSlNDOjpKU0FycmF5OjpzaGlm dENvdW50V2l0aEFycmF5U3RvcmFnZSk6CisKIDIwMTMtMDgtMjMgIEFuZHkgRXN0ZXMgIDxhZXN0 ZXNAYXBwbGUuY29tPgogCiAgICAgICAgIEZpeCBpc3N1ZXMgZm91bmQgYnkgdGhlIENsYW5nIFN0 YXRpYyBBbmFseXplcgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNBcnJh eS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNBcnJh eS5jcHAJKHJldmlzaW9uIDE1NDcxOCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1l L0pTQXJyYXkuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC03MjIsNyArNzIyLDEwIEBAIGJvb2wgSlNB cnJheTo6c2hpZnRDb3VudFdpdGhBcnJheVN0b3JhZ2UKICAgICAgICAgICAgIGZvciAodW5zaWdu ZWQgaSA9IHVzZWRWZWN0b3JMZW5ndGggLSBjb3VudDsgaSA8IHVzZWRWZWN0b3JMZW5ndGg7ICsr aSkKICAgICAgICAgICAgICAgICBzdG9yYWdlLT5tX3ZlY3RvcltpXS5jbGVhcigpOwogICAgICAg ICB9CisgICAgICAgIHJldHVybiB0cnVlOwogICAgIH0KKworICAgIHN0b3JhZ2UtPm1faW5kZXhC aWFzICs9IGNvdW50OwogICAgIHJldHVybiB0cnVlOwogfQogCg== 209901 2013-08-28 10:37:10 -0700 2013-08-29 10:26:33 -0700 Patch bug-120389-20130828103711.patch text/plain 1574 mhahnenberg SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0NzUwKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDEzLTA4LTI3ICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgSlNBcnJheTo6c2hpZnRDb3VudFdpdGhBcnJheVN0b3JhZ2UgZG9lc24ndCBjaGFu Z2UgaW5kZXhCaWFzIHdoZW4gc2hpZnRpbmcgdGhlIGxhc3QgZWxlbWVudCBpbiBtX3ZlY3Rvcgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTIwMzg5CisK KyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhpcyBsZWFk cyB0byB0aGUgSlNBcnJheSBmb3JnZXR0aW5nIGl0cyB0cnVlIHNpemUgKGl0IHRoaW5rcyBpdCBo YXMgOCBieXRlcyBsZXNzIHRoYW4gaXQgYWN0dWFsbHkgZG9lcykuIAorCisgICAgICAgICogcnVu dGltZS9KU0FycmF5LmNwcDoKKyAgICAgICAgKEpTQzo6SlNBcnJheTo6c2hpZnRDb3VudFdpdGhB cnJheVN0b3JhZ2UpOgorCiAyMDEzLTA4LTI4ICBaYW4gRG9iZXJzZWsgIDx6ZG9iZXJzZWtAaWdh bGlhLmNvbT4KIAogICAgICAgICBbR1RLXSBBZGQgc3VwcG9ydCBmb3IgYnVpbGRpbmcgSlNDIHdp dGggRlRMIEpJVCBlbmFibGVkCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9K U0FycmF5LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9K U0FycmF5LmNwcAkocmV2aXNpb24gMTU0NzUwKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3J1 bnRpbWUvSlNBcnJheS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTcxMyw3ICs3MTMsNiBAQCBib29s IEpTQXJyYXk6OnNoaWZ0Q291bnRXaXRoQXJyYXlTdG9yYWdlCiAgICAgICAgICAgICB9CiAgICAg ICAgICAgICBtX2J1dHRlcmZseSA9IG1fYnV0dGVyZmx5LT5zaGlmdChzdHJ1Y3R1cmUoKSwgY291 bnQpOwogICAgICAgICAgICAgc3RvcmFnZSA9IG1fYnV0dGVyZmx5LT5hcnJheVN0b3JhZ2UoKTsK LSAgICAgICAgICAgIHN0b3JhZ2UtPm1faW5kZXhCaWFzICs9IGNvdW50OwogICAgICAgICB9IGVs c2UgewogICAgICAgICAgICAgbWVtbW92ZSgKICAgICAgICAgICAgICAgICBzdG9yYWdlLT5tX3Zl Y3RvciArIHN0YXJ0SW5kZXgsCkBAIC03MjMsNiArNzIyLDggQEAgYm9vbCBKU0FycmF5OjpzaGlm dENvdW50V2l0aEFycmF5U3RvcmFnZQogICAgICAgICAgICAgICAgIHN0b3JhZ2UtPm1fdmVjdG9y W2ldLmNsZWFyKCk7CiAgICAgICAgIH0KICAgICB9CisKKyAgICBzdG9yYWdlLT5tX2luZGV4Qmlh cyArPSBjb3VudDsKICAgICByZXR1cm4gdHJ1ZTsKIH0KIAo= 209997 2013-08-29 10:26:34 -0700 2013-11-05 09:05:50 -0800 Patch bug-120389-20130829102644.patch text/plain 5021 mhahnenberg SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0ODE3KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE5IEBA CisyMDEzLTA4LTI5ICBNYXJrIEhhaG5lbmJlcmcgIDxtaGFobmVuYmVyZ0BhcHBsZS5jb20+CisK KyAgICAgICAgSlNBcnJheTo6c2hpZnRDb3VudFdpdGhBcnJheVN0b3JhZ2UgZG9lc24ndCBjaGFu Z2UgaW5kZXhCaWFzIHdoZW4gc2hpZnRpbmcgdGhlIGxhc3QgZWxlbWVudCBpbiBtX3ZlY3Rvcgor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTIwMzg5CisK KyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2VudCB0aHJv dWdoIGFuZCBjbGVhbmVkIHVwIHNoaWZ0Q291bnRXaXRoQXJyYXlTdG9yYWdlLiBHYXZlIG1lYW5p bmdmdWwgdmFyaWFibGUgbmFtZXMKKyAgICAgICAgYW5kIGNvbW1lbnRlZCB0aGUgY29uZnVzaW5n IHBhcnRzLiBUaGlzIGxlZCB0byByZWFsaXppbmcgaG93IHRvIGZpeCB0aGlzIGJ1Zywgd2hpY2gg aGFzCisgICAgICAgIGJlZW4gZG9uZS4gVGhlIGlzc3VlIHdhcyB0aGF0IHdlIHdlcmUgbW9kaWZ5 aW5nIHRoZSB2ZWN0b3IgbGVuZ3RoIHVuY29uZGl0aW9uYWxseSwgZXZlbgorICAgICAgICB3aGVu IHdlIHdlcmVuJ3QgbG9naWNhbGx5IGNoYW5naW5nIHRoZSBsZW5ndGggb2YgdGhlIHZlY3Rvci4g SW5zdGVhZCwgd2Ugc2hvdWxkIG9ubHkgbW9kaWZ5CisgICAgICAgIHRoZSB2ZWN0b3IgbGVuZ3Ro IHdoZW4gd2UgbW9kaWZ5IHRoZSBpbmRleCBiaWFzLgorCisgICAgICAgICogcnVudGltZS9KU0Fy cmF5LmNwcDoKKyAgICAgICAgKEpTQzo6SlNBcnJheTo6c2hpZnRDb3VudFdpdGhBcnJheVN0b3Jh Z2UpOgorCiAyMDEzLTA4LTI5ICBDaHJpcyBDdXJ0aXMgIDxjaHJpc19jdXJ0aXNAYXBwbGUuY29t PgogCiAgICAgICAgIFZNOjp0aHJvd0V4Y2VwdGlvbigpIGNyYXNoZXMgcmVwcm9kdWNpYmx5IGlu IHRlc3RhcGkgd2l0aCAhRU5BQkxFKEpJVCkKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL0pTQXJyYXkuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9y dW50aW1lL0pTQXJyYXkuY3BwCShyZXZpc2lvbiAxNTQ4MTApCisrKyBTb3VyY2UvSmF2YVNjcmlw dENvcmUvcnVudGltZS9KU0FycmF5LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNzAwLDI5ICs3MDAs NDkgQEAgYm9vbCBKU0FycmF5OjpzaGlmdENvdW50V2l0aEFycmF5U3RvcmFnZQogICAgIAogICAg IHVuc2lnbmVkIHVzZWRWZWN0b3JMZW5ndGggPSBtaW4odmVjdG9yTGVuZ3RoLCBvbGRMZW5ndGgp OwogICAgIAotICAgIHZlY3Rvckxlbmd0aCAtPSBjb3VudDsKLSAgICBzdG9yYWdlLT5zZXRWZWN0 b3JMZW5ndGgodmVjdG9yTGVuZ3RoKTsKLSAgICAKLSAgICBpZiAodmVjdG9yTGVuZ3RoKSB7Ci0g ICAgICAgIGlmIChzdGFydEluZGV4IDwgdXNlZFZlY3Rvckxlbmd0aCAtIChzdGFydEluZGV4ICsg Y291bnQpKSB7Ci0gICAgICAgICAgICBpZiAoc3RhcnRJbmRleCkgewotICAgICAgICAgICAgICAg IG1lbW1vdmUoCi0gICAgICAgICAgICAgICAgICAgIHN0b3JhZ2UtPm1fdmVjdG9yICsgY291bnQs Ci0gICAgICAgICAgICAgICAgICAgIHN0b3JhZ2UtPm1fdmVjdG9yLAotICAgICAgICAgICAgICAg ICAgICBzaXplb2YoSlNWYWx1ZSkgKiBzdGFydEluZGV4KTsKLSAgICAgICAgICAgIH0KLSAgICAg ICAgICAgIG1fYnV0dGVyZmx5ID0gbV9idXR0ZXJmbHktPnNoaWZ0KHN0cnVjdHVyZSgpLCBjb3Vu dCk7Ci0gICAgICAgICAgICBzdG9yYWdlID0gbV9idXR0ZXJmbHktPmFycmF5U3RvcmFnZSgpOwot ICAgICAgICAgICAgc3RvcmFnZS0+bV9pbmRleEJpYXMgKz0gY291bnQ7Ci0gICAgICAgIH0gZWxz ZSB7CisgICAgdW5zaWduZWQgbnVtRWxlbWVudHNCZWZvcmVTaGlmdFJlZ2lvbiA9IHN0YXJ0SW5k ZXg7CisgICAgdW5zaWduZWQgZmlyc3RJbmRleEFmdGVyU2hpZnRSZWdpb24gPSBzdGFydEluZGV4 ICsgY291bnQ7CisgICAgdW5zaWduZWQgbnVtRWxlbWVudHNBZnRlclNoaWZ0UmVnaW9uID0gdXNl ZFZlY3Rvckxlbmd0aCAtIGZpcnN0SW5kZXhBZnRlclNoaWZ0UmVnaW9uOworICAgIEFTU0VSVChu dW1FbGVtZW50c0JlZm9yZVNoaWZ0UmVnaW9uICsgY291bnQgKyBudW1FbGVtZW50c0FmdGVyU2hp ZnRSZWdpb24gPT0gdXNlZFZlY3Rvckxlbmd0aCk7CisKKyAgICAvLyBUaGUgcG9pbnQgb2YgdGhp cyBjb21wYXJpc29uIHNlZW1zIHRvIGJlIHRvIG1pbmltaXplIHRoZSBhbW91bnQgb2YgZWxlbWVu dHMgdGhhdCBoYXZlIHRvIAorICAgIC8vIGJlIG1vdmVkIGR1cmluZyBhIHNoaWZ0IG9wZXJhdGlv bi4KKyAgICBpZiAobnVtRWxlbWVudHNCZWZvcmVTaGlmdFJlZ2lvbiA8IG51bUVsZW1lbnRzQWZ0 ZXJTaGlmdFJlZ2lvbikgeworICAgICAgICAvLyBUaGUgbnVtYmVyIG9mIGVsZW1lbnRzIGJlZm9y ZSB0aGUgc2hpZnQgcmVnaW9uIGlzIGxlc3MgdGhhbiB0aGUgbnVtYmVyIG9mIGVsZW1lbnRzCisg ICAgICAgIC8vIGFmdGVyIHRoZSBzaGlmdCByZWdpb24sIHNvIHdlIG1vdmUgdGhlIGVsZW1lbnRz IGJlZm9yZSB0byB0aGUgcmlnaHQuCisgICAgICAgIGlmIChudW1FbGVtZW50c0JlZm9yZVNoaWZ0 UmVnaW9uKSB7CiAgICAgICAgICAgICBtZW1tb3ZlKAotICAgICAgICAgICAgICAgIHN0b3JhZ2Ut Pm1fdmVjdG9yICsgc3RhcnRJbmRleCwKLSAgICAgICAgICAgICAgICBzdG9yYWdlLT5tX3ZlY3Rv ciArIHN0YXJ0SW5kZXggKyBjb3VudCwKLSAgICAgICAgICAgICAgICBzaXplb2YoSlNWYWx1ZSkg KiAodXNlZFZlY3Rvckxlbmd0aCAtIChzdGFydEluZGV4ICsgY291bnQpKSk7Ci0gICAgICAgICAg ICBmb3IgKHVuc2lnbmVkIGkgPSB1c2VkVmVjdG9yTGVuZ3RoIC0gY291bnQ7IGkgPCB1c2VkVmVj dG9yTGVuZ3RoOyArK2kpCi0gICAgICAgICAgICAgICAgc3RvcmFnZS0+bV92ZWN0b3JbaV0uY2xl YXIoKTsKLSAgICAgICAgfQorICAgICAgICAgICAgICAgIHN0b3JhZ2UtPm1fdmVjdG9yICsgY291 bnQsCisgICAgICAgICAgICAgICAgc3RvcmFnZS0+bV92ZWN0b3IsCisgICAgICAgICAgICAgICAg c2l6ZW9mKEpTVmFsdWUpICogc3RhcnRJbmRleCk7CisgICAgICAgIH0KKyAgICAgICAgLy8gQWRq dXN0IHRoZSBCdXR0ZXJmbHkgYW5kIHRoZSBpbmRleCBiaWFzLiBXZSBvbmx5IG5lZWQgdG8gZG8g dGhpcyBoZXJlIGJlY2F1c2Ugd2UncmUgY2hhbmdpbmcKKyAgICAgICAgLy8gdGhlIHN0YXJ0IG9m IHRoZSBCdXR0ZXJmbHksIHdoaWNoIG5lZWRzIHRvIHBvaW50IGF0IHRoZSBmaXJzdCBpbmRleGVk IHByb3BlcnR5IGluIHRoZSB1c2VkCisgICAgICAgIC8vIHBvcnRpb24gb2YgdGhlIHZlY3Rvci4K KyAgICAgICAgbV9idXR0ZXJmbHkgPSBtX2J1dHRlcmZseS0+c2hpZnQoc3RydWN0dXJlKCksIGNv dW50KTsKKyAgICAgICAgc3RvcmFnZSA9IG1fYnV0dGVyZmx5LT5hcnJheVN0b3JhZ2UoKTsKKyAg ICAgICAgc3RvcmFnZS0+bV9pbmRleEJpYXMgKz0gY291bnQ7CisKKyAgICAgICAgLy8gU2luY2Ug d2UncmUgY29uc3VtaW5nIHBhcnQgb2YgdGhlIHZlY3RvciBieSBtb3ZpbmcgaXRzIGJlZ2lubmlu ZyB0byB0aGUgbGVmdCwKKyAgICAgICAgLy8gd2UgbmVlZCB0byBtb2RpZnkgdGhlIHZlY3RvciBs ZW5ndGggYXBwcm9wcmlhdGVseS4KKyAgICAgICAgc3RvcmFnZS0+c2V0VmVjdG9yTGVuZ3RoKHZl Y3Rvckxlbmd0aCAtIGNvdW50KTsKKyAgICB9IGVsc2UgeworICAgICAgICAvLyBUaGUgbnVtYmVy IG9mIGVsZW1lbnRzIGJlZm9yZSB0aGUgc2hpZnQgcmVnaW9uIGlzIGdyZWF0ZXIgdGhhbiBvciBl cXVhbCB0byB0aGUgbnVtYmVyIAorICAgICAgICAvLyBvZiBlbGVtZW50cyBhZnRlciB0aGUgc2hp ZnQgcmVnaW9uLCBzbyB3ZSBtb3ZlIHRoZSBlbGVtZW50cyBhZnRlciB0aGUgc2hpZnQgcmVnaW9u IHRvIHRoZSBsZWZ0LgorICAgICAgICBtZW1tb3ZlKAorICAgICAgICAgICAgc3RvcmFnZS0+bV92 ZWN0b3IgKyBzdGFydEluZGV4LAorICAgICAgICAgICAgc3RvcmFnZS0+bV92ZWN0b3IgKyBmaXJz dEluZGV4QWZ0ZXJTaGlmdFJlZ2lvbiwKKyAgICAgICAgICAgIHNpemVvZihKU1ZhbHVlKSAqIG51 bUVsZW1lbnRzQWZ0ZXJTaGlmdFJlZ2lvbik7CisgICAgICAgIC8vIENsZWFyIHRoZSBzbG90cyBv ZiB0aGUgZWxlbWVudHMgd2UganVzdCBtb3ZlZC4KKyAgICAgICAgdW5zaWduZWQgc3RhcnRPZkVt cHR5VmVjdG9yVGFpbCA9IHVzZWRWZWN0b3JMZW5ndGggLSBjb3VudDsKKyAgICAgICAgZm9yICh1 bnNpZ25lZCBpID0gc3RhcnRPZkVtcHR5VmVjdG9yVGFpbDsgaSA8IHVzZWRWZWN0b3JMZW5ndGg7 ICsraSkKKyAgICAgICAgICAgIHN0b3JhZ2UtPm1fdmVjdG9yW2ldLmNsZWFyKCk7CisgICAgICAg IC8vIFdlIGRvbid0IG1vZGlmeSB0aGUgaW5kZXggYmlhcyBvciB0aGUgQnV0dGVyZmx5IHBvaW50 ZXIgaW4gdGhpcyBjYXNlIGJlY2F1c2Ugd2UncmUgbm90IGNoYW5naW5nIAorICAgICAgICAvLyB0 aGUgc3RhcnQgb2YgdGhlIEJ1dHRlcmZseSwgd2hpY2ggbmVlZHMgdG8gcG9pbnQgYXQgdGhlIGZp cnN0IGluZGV4ZWQgcHJvcGVydHkgaW4gdGhlIHVzZWQgCisgICAgICAgIC8vIHBvcnRpb24gb2Yg dGhlIHZlY3Rvci4gV2UgYWxzbyBkb24ndCBtb2RpZnkgdGhlIHZlY3RvciBsZW5ndGggYmVjYXVz ZSB3ZSdyZSBub3QgYWN0dWFsbHkgY2hhbmdpbmcKKyAgICAgICAgLy8gaXRzIGxlbmd0aDsgd2Un cmUganVzdCB1c2luZyBsZXNzIG9mIGl0LgogICAgIH0KKyAgICAKICAgICByZXR1cm4gdHJ1ZTsK IH0KIAo=