138118 2014-10-27 19:20:55 -0700 Assert that Array elements not copied when changing shape to ArrayStorage type are indeed holes 2014-12-22 15:09:33 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 138138 1 mark.lam mark.lam buildbot commit-queue fpizlo ggaren mhahnenb mmirman msaboff oliver rniwa webkit-bug-importer oldest_to_newest 1044384 0 mark.lam 2014-10-27 19:20:55 -0700 When we convert a dense holey array into the ArrayStorage shape, the new holes in the new array gets garbage. The following test is run with Heap::tryAllocateStorage() modified to scribble all over newly allocated buffers with the value 0xbaddda4a. The test basically sets up a hole DoubleShape array, and then runs Array.unshift() on it to force it to change to the ArrayStorage shape. Thereafter, the test dumps the values of the array again to look for the holes. The test code: ============= function doubleArray() { var arr = []; arr[0] = 0.1; arr[1] = 1.1; arr[2] = 2.1; arr[3] = 3.1; // arr[4] = hole; // arr[5] = hole; arr[6] = 6.1; arr[7] = 7.1; arr[8] = 8.1; return arr; } function test(name, arr, newElement) { print(name + " BEFORE unshift:"); for (var i = 0; i < arr.length; i++) print(" arr[" + i + "] = " + arr[i]); arr.unshift(newElement); print(name + " AFTER unshift:"); for (var i = 0; i < arr.length; i++) print(" arr[" + i + "] = " + arr[i]); } test("double array", doubleArray(), 100.5); The output: ========== double array BEFORE unshift: arr[0] = 0.1 arr[1] = 1.1 arr[2] = 2.1 arr[3] = 3.1 arr[4] = undefined arr[5] = undefined arr[6] = 6.1 arr[7] = 7.1 arr[8] = 8.1 arr[9] = undefined double array AFTER unshift: arr[0] = 100.5 arr[1] = 0.1 arr[2] = 1.1 arr[3] = 2.1 arr[4] = 3.1 arr[5] = -3.7291244322514128e-25 arr[6] = -3.7291244322514128e-25 arr[7] = 6.1 arr[8] = 7.1 arr[9] = 8.1 Note that the resultant arr[5] and arr[6] which should be undefined (because of the holes) now contain junk. 1044386 1 webkit-bug-importer 2014-10-27 19:22:24 -0700 <rdar://problem/18791403> 1044418 2 240528 mark.lam 2014-10-27 22:31:50 -0700 Created attachment 240528 the patch. 1044466 3 240528 mhahnenb 2014-10-28 07:56:36 -0700 Comment on attachment 240528 the patch. R=me 1044467 4 mhahnenb 2014-10-28 07:59:01 -0700 Is there a test you could add that would reliably trigger the bug without having to make the tryAllocateStorage modification? 1044473 5 mark.lam 2014-10-28 08:27:01 -0700 (In reply to comment #4) > Is there a test you could add that would reliably trigger the bug without > having to make the tryAllocateStorage modification? Maybe, but it will require a lot of allocations and GCs to create allocatable memory filled with junk that we can allocate from. Such a test will probably not be short running, and is flaky at best. The test will also have to rely on operations like Array.unshift() to trigger the conversion to ArrayStorage shape. Hence, the test is not general and will only be testing this specific case that has been fixed, and therefore have limited utility. We’re also not likely to regress this specific piece of code. Hence, I’m going to forego the test and land this without it for now. 1044474 6 mark.lam 2014-10-28 08:30:29 -0700 Thanks for the review. Landed in r175249: <http://trac.webkit.org/r175249>. 1044475 7 mhahnenb 2014-10-28 08:33:40 -0700 (In reply to comment #5) > (In reply to comment #4) > > Is there a test you could add that would reliably trigger the bug without > > having to make the tryAllocateStorage modification? > > Maybe, but it will require a lot of allocations and GCs to create > allocatable memory filled with junk that we can allocate from. Such a test > will probably not be short running, and is flaky at best. Is it even possible to create a storage allocation with uninitialized memory? I thought it was guaranteed that any CopiedSpace allocation was already pre-zeroed. There's an invariant with array backing stores that requires they be zeroed when they're allocated. If it's possible to get random garbage in your array backing store, that sounds like a bug in the storage allocator. 1044478 8 mark.lam 2014-10-28 08:36:16 -0700 (In reply to comment #7) > There's an invariant with array backing stores that requires they be zeroed > when they're allocated. If it's possible to get random garbage in your array > backing store, that sounds like a bug in the storage allocator. Interesting. I’ll double check this in the code. 1044528 9 ggaren 2014-10-28 10:41:28 -0700 Seems like you should be able to test this with a double array, since a zero-initialized double array will see zeros instead of holes. 1044531 10 mark.lam 2014-10-28 10:44:14 -0700 (In reply to comment #9) > Seems like you should be able to test this with a double array, since a > zero-initialized double array will see zeros instead of holes. That won't work. The scenario here requires a conversion of the double array to an ArrayStorage array. In the ArrayStorage array, 0s are holes. 1044535 11 commit-queue 2014-10-28 10:48:24 -0700 Re-opened since this is blocked by bug 138138 1044538 12 ggaren 2014-10-28 10:48:51 -0700 If zero is hole in ArrayStorage, and the GC zero-initializes ArrayStorage, then this patch is wrong and you should roll it out. An alternative patch, which might be fine, would ASSERT that all indices that were holes in the input are holes in the output. 1044660 13 mark.lam 2014-10-28 17:49:09 -0700 For the record, the patch was causing some JS test failures because the assertion I added in JSObject::convertUndecidedToArrayStorage() was firing. Looks like the publicLength is not 0 even though JSObject::convertUndecidedToArrayStorage() does not copy any array elements. I may have misunderstood how Undecided arrays work. Will investigate further. 1044680 14 fpizlo 2014-10-28 19:02:49 -0700 (In reply to comment #13) > For the record, the patch was causing some JS test failures because the > assertion I added in JSObject::convertUndecidedToArrayStorage() was firing. > Looks like the publicLength is not 0 even though > JSObject::convertUndecidedToArrayStorage() does not copy any array elements. > I may have misunderstood how Undecided arrays work. Will investigate > further. Undecided can come into play when you do something like: var a = []; // It's IsArray + Undecided because you haven't stored anything into it. a.length = 42; // It's still IsArray + Undecided because you still haven't stored anything into it, and the publicLength is 42. 1057442 15 mark.lam 2014-12-22 13:36:46 -0800 I was wrong about heap memory not being zeroed out on allocation. The backing store for Arrays are allocated from the CopiedSpace (aka storage space), and those allocations are zero filled. Changing this patch to assert that the expected holes are holes. 1057444 16 243639 mark.lam 2014-12-22 13:42:40 -0800 Created attachment 243639 updated patch 1057454 17 243639 msaboff 2014-12-22 14:31:34 -0800 Comment on attachment 243639 updated patch View in context: https://bugs.webkit.org/attachment.cgi?id=243639&action=review > Source/JavaScriptCore/runtime/JSObject.cpp:853 > + if (value == value) { Shouldn't this always be true? Seems like a bug. 1057455 18 243639 msaboff 2014-12-22 14:33:57 -0800 Comment on attachment 243639 updated patch View in context: https://bugs.webkit.org/attachment.cgi?id=243639&action=review r=me >> Source/JavaScriptCore/runtime/JSObject.cpp:853 >> + if (value == value) { > > Shouldn't this always be true? Seems like a bug. So this is a not a NaN check. 1057459 19 243639 commit-queue 2014-12-22 15:09:27 -0800 Comment on attachment 243639 updated patch Clearing flags on attachment: 243639 Committed r177657: <http://trac.webkit.org/changeset/177657> 1057460 20 commit-queue 2014-12-22 15:09:33 -0800 All reviewed patches have been landed. Closing bug. 240528 2014-10-27 22:31:50 -0700 2014-12-22 13:42:40 -0800 the patch. bug-138118.patch text/plain 4469 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTc1MjQwKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBA CisyMDE0LTEwLTI3ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBI b2xlcyBhcmUgbm90IGNvcGllZCBwcm9wZXJseSB3aGVuIEFycmF5cyBjaGFuZ2Ugc2hhcGUgdG8g QXJyYXlTdG9yYWdlIHR5cGUuCisgICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8xMzgxMTg+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgV2hlbiB3 ZSBjb252ZXJ0IG5vbi1BcnJheVN0b3JhZ2UgdHlwZWQgYXJyYXlzIGludG8gQXJyYXlTdG9yYWdl IHR5cGVkIGFycmF5cywKKyAgICAgICAgd2Ugc2tpcHBlZCB0aGUgaG9sZXMuICBBcyBhIHJlc3Vs dCwgdGhlIHNsb3RzIGluIHRoZSBBcnJheVN0b3JhZ2UgdmVjdG9yIHRoYXQKKyAgICAgICAgY29y cmVzcG9uZHMgdG8gdGhvc2UgaG9sZXMgYXJlIHVuaW5pdGlhbGl6ZS4gIFRoaXMgaXMgbm93IGZp eGVkLgorCisgICAgICAgICogcnVudGltZS9KU09iamVjdC5jcHA6CisgICAgICAgIChKU0M6OkpT T2JqZWN0Ojpjb252ZXJ0VW5kZWNpZGVkVG9BcnJheVN0b3JhZ2UpOgorICAgICAgICAoSlNDOjpK U09iamVjdDo6Y29udmVydEludDMyVG9BcnJheVN0b3JhZ2UpOgorICAgICAgICAoSlNDOjpKU09i amVjdDo6Y29udmVydERvdWJsZVRvQXJyYXlTdG9yYWdlKToKKyAgICAgICAgKEpTQzo6SlNPYmpl Y3Q6OmNvbnZlcnRDb250aWd1b3VzVG9BcnJheVN0b3JhZ2UpOgorCiAyMDE0LTEwLTI3ICBNYXJr IExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KIAogICAgICAgICBTaW1wbGlmaWVkIHNvbWUgSlNP YmplY3QgbWV0aG9kcyBmb3IgY29udmVydGluZyBhcnJheXMgdG8gQXJyYXlTdG9yYWdlIHNoYXBl LgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNPYmplY3QuY3BwCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTT2JqZWN0LmNwcAkocmV2 aXNpb24gMTc1MjQwKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNPYmplY3Qu Y3BwCSh3b3JraW5nIGNvcHkpCkBAIC03MzIsNiArNzMyLDcgQEAgQXJyYXlTdG9yYWdlKiBKU09i amVjdDo6Y29udmVydFVuZGVjaWRlZAogICAgIHVuc2lnbmVkIHZlY3Rvckxlbmd0aCA9IG1fYnV0 dGVyZmx5LT52ZWN0b3JMZW5ndGgoKTsKICAgICBBcnJheVN0b3JhZ2UqIHN0b3JhZ2UgPSBjb25z dHJ1Y3RDb252ZXJ0ZWRBcnJheVN0b3JhZ2VXaXRob3V0Q29weWluZ0VsZW1lbnRzKHZtLCB2ZWN0 b3JMZW5ndGgpOwogICAgIC8vIE5vIG5lZWQgdG8gY29weSBlbGVtZW50cy4KKyAgICBBU1NFUlQo IW1fYnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKSk7CiAgICAgCiAgICAgU3RydWN0dXJlKiBuZXdT dHJ1Y3R1cmUgPSBTdHJ1Y3R1cmU6Om5vblByb3BlcnR5VHJhbnNpdGlvbih2bSwgc3RydWN0dXJl KHZtKSwgdHJhbnNpdGlvbik7CiAgICAgc2V0U3RydWN0dXJlQW5kQnV0dGVyZmx5KHZtLCBuZXdT dHJ1Y3R1cmUsIHN0b3JhZ2UtPmJ1dHRlcmZseSgpKTsKQEAgLTc3OCwxMiArNzc5LDEzIEBAIEFy cmF5U3RvcmFnZSogSlNPYmplY3Q6OmNvbnZlcnRJbnQzMlRvQXIKIAogICAgIHVuc2lnbmVkIHZl Y3Rvckxlbmd0aCA9IG1fYnV0dGVyZmx5LT52ZWN0b3JMZW5ndGgoKTsKICAgICBBcnJheVN0b3Jh Z2UqIG5ld1N0b3JhZ2UgPSBjb25zdHJ1Y3RDb252ZXJ0ZWRBcnJheVN0b3JhZ2VXaXRob3V0Q29w eWluZ0VsZW1lbnRzKHZtLCB2ZWN0b3JMZW5ndGgpOwotICAgIGZvciAodW5zaWduZWQgaSA9IG1f YnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaS0tOykgeworICAgIGZvciAodW5zaWduZWQgaSA9 IDA7IGkgPCBtX2J1dHRlcmZseS0+cHVibGljTGVuZ3RoKCk7IGkrKykgewogICAgICAgICBKU1Zh bHVlIHYgPSBtX2J1dHRlcmZseS0+Y29udGlndW91cygpW2ldLmdldCgpOwotICAgICAgICBpZiAo IXYpCi0gICAgICAgICAgICBjb250aW51ZTsKLSAgICAgICAgbmV3U3RvcmFnZS0+bV92ZWN0b3Jb aV0uc2V0V2l0aG91dFdyaXRlQmFycmllcih2KTsKLSAgICAgICAgbmV3U3RvcmFnZS0+bV9udW1W YWx1ZXNJblZlY3RvcisrOworICAgICAgICBpZiAodikgeworICAgICAgICAgICAgbmV3U3RvcmFn ZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRlQmFycmllcih2KTsKKyAgICAgICAgICAgIG5l d1N0b3JhZ2UtPm1fbnVtVmFsdWVzSW5WZWN0b3IrKzsKKyAgICAgICAgfSBlbHNlCisgICAgICAg ICAgICBuZXdTdG9yYWdlLT5tX3ZlY3RvcltpXS5jbGVhcigpOwogICAgIH0KICAgICAKICAgICBT dHJ1Y3R1cmUqIG5ld1N0cnVjdHVyZSA9IFN0cnVjdHVyZTo6bm9uUHJvcGVydHlUcmFuc2l0aW9u KHZtLCBzdHJ1Y3R1cmUodm0pLCB0cmFuc2l0aW9uKTsKQEAgLTg0NywxMiArODQ5LDEzIEBAIEFy cmF5U3RvcmFnZSogSlNPYmplY3Q6OmNvbnZlcnREb3VibGVUb0EKIAogICAgIHVuc2lnbmVkIHZl Y3Rvckxlbmd0aCA9IG1fYnV0dGVyZmx5LT52ZWN0b3JMZW5ndGgoKTsKICAgICBBcnJheVN0b3Jh Z2UqIG5ld1N0b3JhZ2UgPSBjb25zdHJ1Y3RDb252ZXJ0ZWRBcnJheVN0b3JhZ2VXaXRob3V0Q29w eWluZ0VsZW1lbnRzKHZtLCB2ZWN0b3JMZW5ndGgpOwotICAgIGZvciAodW5zaWduZWQgaSA9IG1f YnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaS0tOykgeworICAgIGZvciAodW5zaWduZWQgaSA9 IDA7IGkgPCBtX2J1dHRlcmZseS0+cHVibGljTGVuZ3RoKCk7IGkrKykgewogICAgICAgICBkb3Vi bGUgdmFsdWUgPSBtX2J1dHRlcmZseS0+Y29udGlndW91c0RvdWJsZSgpW2ldOwotICAgICAgICBp ZiAodmFsdWUgIT0gdmFsdWUpCi0gICAgICAgICAgICBjb250aW51ZTsKLSAgICAgICAgbmV3U3Rv cmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRlQmFycmllcihKU1ZhbHVlKEpTVmFsdWU6 OkVuY29kZUFzRG91YmxlLCB2YWx1ZSkpOwotICAgICAgICBuZXdTdG9yYWdlLT5tX251bVZhbHVl c0luVmVjdG9yKys7CisgICAgICAgIGlmICh2YWx1ZSA9PSB2YWx1ZSkgeworICAgICAgICAgICAg bmV3U3RvcmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRlQmFycmllcihKU1ZhbHVlKEpT VmFsdWU6OkVuY29kZUFzRG91YmxlLCB2YWx1ZSkpOworICAgICAgICAgICAgbmV3U3RvcmFnZS0+ bV9udW1WYWx1ZXNJblZlY3RvcisrOworICAgICAgICB9IGVsc2UKKyAgICAgICAgICAgIG5ld1N0 b3JhZ2UtPm1fdmVjdG9yW2ldLmNsZWFyKCk7CiAgICAgfQogICAgIAogICAgIFN0cnVjdHVyZSog bmV3U3RydWN0dXJlID0gU3RydWN0dXJlOjpub25Qcm9wZXJ0eVRyYW5zaXRpb24odm0sIHN0cnVj dHVyZSh2bSksIHRyYW5zaXRpb24pOwpAQCAtODcyLDEyICs4NzUsMTMgQEAgQXJyYXlTdG9yYWdl KiBKU09iamVjdDo6Y29udmVydENvbnRpZ3VvdQogCiAgICAgdW5zaWduZWQgdmVjdG9yTGVuZ3Ro ID0gbV9idXR0ZXJmbHktPnZlY3Rvckxlbmd0aCgpOwogICAgIEFycmF5U3RvcmFnZSogbmV3U3Rv cmFnZSA9IGNvbnN0cnVjdENvbnZlcnRlZEFycmF5U3RvcmFnZVdpdGhvdXRDb3B5aW5nRWxlbWVu dHModm0sIHZlY3Rvckxlbmd0aCk7Ci0gICAgZm9yICh1bnNpZ25lZCBpID0gbV9idXR0ZXJmbHkt PnB1YmxpY0xlbmd0aCgpOyBpLS07KSB7CisgICAgZm9yICh1bnNpZ25lZCBpID0gMDsgaSA8IG1f YnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaSsrKSB7CiAgICAgICAgIEpTVmFsdWUgdiA9IG1f YnV0dGVyZmx5LT5jb250aWd1b3VzKClbaV0uZ2V0KCk7Ci0gICAgICAgIGlmICghdikKLSAgICAg ICAgICAgIGNvbnRpbnVlOwotICAgICAgICBuZXdTdG9yYWdlLT5tX3ZlY3RvcltpXS5zZXRXaXRo b3V0V3JpdGVCYXJyaWVyKHYpOwotICAgICAgICBuZXdTdG9yYWdlLT5tX251bVZhbHVlc0luVmVj dG9yKys7CisgICAgICAgIGlmICh2KSB7CisgICAgICAgICAgICBuZXdTdG9yYWdlLT5tX3ZlY3Rv cltpXS5zZXRXaXRob3V0V3JpdGVCYXJyaWVyKHYpOworICAgICAgICAgICAgbmV3U3RvcmFnZS0+ bV9udW1WYWx1ZXNJblZlY3RvcisrOworICAgICAgICB9IGVsc2UKKyAgICAgICAgICAgIG5ld1N0 b3JhZ2UtPm1fdmVjdG9yW2ldLmNsZWFyKCk7CiAgICAgfQogICAgIAogICAgIFN0cnVjdHVyZSog bmV3U3RydWN0dXJlID0gU3RydWN0dXJlOjpub25Qcm9wZXJ0eVRyYW5zaXRpb24odm0sIHN0cnVj dHVyZSh2bSksIHRyYW5zaXRpb24pOwo= 243639 2014-12-22 13:42:40 -0800 2014-12-22 15:09:27 -0800 updated patch bug-138118.patch text/plain 3724 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTc3NjUzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE0LTEyLTIyICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBB c3NlcnQgdGhhdCBBcnJheSBlbGVtZW50cyBub3QgY29waWVkIHdoZW4gY2hhbmdpbmcgc2hhcGUg dG8gQXJyYXlTdG9yYWdlIHR5cGUgYXJlIGluZGVlZCBob2xlcy4KKyAgICAgICAgPGh0dHBzOi8v d2Via2l0Lm9yZy9iLzEzODExOD4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICAqIHJ1bnRpbWUvSlNPYmplY3QuY3BwOgorICAgICAgICAoSlNDOjpKU09i amVjdDo6Y29udmVydEludDMyVG9BcnJheVN0b3JhZ2UpOgorICAgICAgICAoSlNDOjpKU09iamVj dDo6Y29udmVydERvdWJsZVRvQXJyYXlTdG9yYWdlKToKKyAgICAgICAgKEpTQzo6SlNPYmplY3Q6 OmNvbnZlcnRDb250aWd1b3VzVG9BcnJheVN0b3JhZ2UpOgorCiAyMDE0LTEyLTIwICBFcmljIENh cmxzb24gIDxlcmljLmNhcmxzb25AYXBwbGUuY29tPgogCiAgICAgICAgIFtpT1NdIGFkZCBvcHRp bWl6ZWQgZnVsbHNjcmVlbiBBUEkKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1l L0pTT2JqZWN0LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGlt ZS9KU09iamVjdC5jcHAJKHJldmlzaW9uIDE3NzY1MykKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS9ydW50aW1lL0pTT2JqZWN0LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNzc4LDEyICs3NzgsMTMg QEAgQXJyYXlTdG9yYWdlKiBKU09iamVjdDo6Y29udmVydEludDMyVG9BcgogCiAgICAgdW5zaWdu ZWQgdmVjdG9yTGVuZ3RoID0gbV9idXR0ZXJmbHktPnZlY3Rvckxlbmd0aCgpOwogICAgIEFycmF5 U3RvcmFnZSogbmV3U3RvcmFnZSA9IGNvbnN0cnVjdENvbnZlcnRlZEFycmF5U3RvcmFnZVdpdGhv dXRDb3B5aW5nRWxlbWVudHModm0sIHZlY3Rvckxlbmd0aCk7Ci0gICAgZm9yICh1bnNpZ25lZCBp ID0gbV9idXR0ZXJmbHktPnB1YmxpY0xlbmd0aCgpOyBpLS07KSB7CisgICAgZm9yICh1bnNpZ25l ZCBpID0gMDsgaSA8IG1fYnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaSsrKSB7CiAgICAgICAg IEpTVmFsdWUgdiA9IG1fYnV0dGVyZmx5LT5jb250aWd1b3VzKClbaV0uZ2V0KCk7Ci0gICAgICAg IGlmICghdikKLSAgICAgICAgICAgIGNvbnRpbnVlOwotICAgICAgICBuZXdTdG9yYWdlLT5tX3Zl Y3RvcltpXS5zZXRXaXRob3V0V3JpdGVCYXJyaWVyKHYpOwotICAgICAgICBuZXdTdG9yYWdlLT5t X251bVZhbHVlc0luVmVjdG9yKys7CisgICAgICAgIGlmICh2KSB7CisgICAgICAgICAgICBuZXdT dG9yYWdlLT5tX3ZlY3RvcltpXS5zZXRXaXRob3V0V3JpdGVCYXJyaWVyKHYpOworICAgICAgICAg ICAgbmV3U3RvcmFnZS0+bV9udW1WYWx1ZXNJblZlY3RvcisrOworICAgICAgICB9IGVsc2UKKyAg ICAgICAgICAgIEFTU0VSVChuZXdTdG9yYWdlLT5tX3ZlY3RvcltpXS5nZXQoKS5pc0VtcHR5KCkp OwogICAgIH0KICAgICAKICAgICBTdHJ1Y3R1cmUqIG5ld1N0cnVjdHVyZSA9IFN0cnVjdHVyZTo6 bm9uUHJvcGVydHlUcmFuc2l0aW9uKHZtLCBzdHJ1Y3R1cmUodm0pLCB0cmFuc2l0aW9uKTsKQEAg LTg0NywxMiArODQ4LDEzIEBAIEFycmF5U3RvcmFnZSogSlNPYmplY3Q6OmNvbnZlcnREb3VibGVU b0EKIAogICAgIHVuc2lnbmVkIHZlY3Rvckxlbmd0aCA9IG1fYnV0dGVyZmx5LT52ZWN0b3JMZW5n dGgoKTsKICAgICBBcnJheVN0b3JhZ2UqIG5ld1N0b3JhZ2UgPSBjb25zdHJ1Y3RDb252ZXJ0ZWRB cnJheVN0b3JhZ2VXaXRob3V0Q29weWluZ0VsZW1lbnRzKHZtLCB2ZWN0b3JMZW5ndGgpOwotICAg IGZvciAodW5zaWduZWQgaSA9IG1fYnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaS0tOykgewor ICAgIGZvciAodW5zaWduZWQgaSA9IDA7IGkgPCBtX2J1dHRlcmZseS0+cHVibGljTGVuZ3RoKCk7 IGkrKykgewogICAgICAgICBkb3VibGUgdmFsdWUgPSBtX2J1dHRlcmZseS0+Y29udGlndW91c0Rv dWJsZSgpW2ldOwotICAgICAgICBpZiAodmFsdWUgIT0gdmFsdWUpCi0gICAgICAgICAgICBjb250 aW51ZTsKLSAgICAgICAgbmV3U3RvcmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRlQmFy cmllcihKU1ZhbHVlKEpTVmFsdWU6OkVuY29kZUFzRG91YmxlLCB2YWx1ZSkpOwotICAgICAgICBu ZXdTdG9yYWdlLT5tX251bVZhbHVlc0luVmVjdG9yKys7CisgICAgICAgIGlmICh2YWx1ZSA9PSB2 YWx1ZSkgeworICAgICAgICAgICAgbmV3U3RvcmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdy aXRlQmFycmllcihKU1ZhbHVlKEpTVmFsdWU6OkVuY29kZUFzRG91YmxlLCB2YWx1ZSkpOworICAg ICAgICAgICAgbmV3U3RvcmFnZS0+bV9udW1WYWx1ZXNJblZlY3RvcisrOworICAgICAgICB9IGVs c2UKKyAgICAgICAgICAgIEFTU0VSVChuZXdTdG9yYWdlLT5tX3ZlY3RvcltpXS5nZXQoKS5pc0Vt cHR5KCkpOwogICAgIH0KICAgICAKICAgICBTdHJ1Y3R1cmUqIG5ld1N0cnVjdHVyZSA9IFN0cnVj dHVyZTo6bm9uUHJvcGVydHlUcmFuc2l0aW9uKHZtLCBzdHJ1Y3R1cmUodm0pLCB0cmFuc2l0aW9u KTsKQEAgLTg3MiwxMiArODc0LDEzIEBAIEFycmF5U3RvcmFnZSogSlNPYmplY3Q6OmNvbnZlcnRD b250aWd1b3UKIAogICAgIHVuc2lnbmVkIHZlY3Rvckxlbmd0aCA9IG1fYnV0dGVyZmx5LT52ZWN0 b3JMZW5ndGgoKTsKICAgICBBcnJheVN0b3JhZ2UqIG5ld1N0b3JhZ2UgPSBjb25zdHJ1Y3RDb252 ZXJ0ZWRBcnJheVN0b3JhZ2VXaXRob3V0Q29weWluZ0VsZW1lbnRzKHZtLCB2ZWN0b3JMZW5ndGgp OwotICAgIGZvciAodW5zaWduZWQgaSA9IG1fYnV0dGVyZmx5LT5wdWJsaWNMZW5ndGgoKTsgaS0t OykgeworICAgIGZvciAodW5zaWduZWQgaSA9IDA7IGkgPCBtX2J1dHRlcmZseS0+cHVibGljTGVu Z3RoKCk7IGkrKykgewogICAgICAgICBKU1ZhbHVlIHYgPSBtX2J1dHRlcmZseS0+Y29udGlndW91 cygpW2ldLmdldCgpOwotICAgICAgICBpZiAoIXYpCi0gICAgICAgICAgICBjb250aW51ZTsKLSAg ICAgICAgbmV3U3RvcmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRlQmFycmllcih2KTsK LSAgICAgICAgbmV3U3RvcmFnZS0+bV9udW1WYWx1ZXNJblZlY3RvcisrOworICAgICAgICBpZiAo dikgeworICAgICAgICAgICAgbmV3U3RvcmFnZS0+bV92ZWN0b3JbaV0uc2V0V2l0aG91dFdyaXRl QmFycmllcih2KTsKKyAgICAgICAgICAgIG5ld1N0b3JhZ2UtPm1fbnVtVmFsdWVzSW5WZWN0b3Ir KzsKKyAgICAgICAgfSBlbHNlCisgICAgICAgICAgICBBU1NFUlQobmV3U3RvcmFnZS0+bV92ZWN0 b3JbaV0uZ2V0KCkuaXNFbXB0eSgpKTsKICAgICB9CiAgICAgCiAgICAgU3RydWN0dXJlKiBuZXdT dHJ1Y3R1cmUgPSBTdHJ1Y3R1cmU6Om5vblByb3BlcnR5VHJhbnNpdGlvbih2bSwgc3RydWN0dXJl KHZtKSwgdHJhbnNpdGlvbik7Cg==