138543 2014-11-09 06:23:17 -0800 Assertions in JSC::StackVisitor::Frame::existingArguments() during stack unwinding 2014-11-11 12:36:22 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 akiss webkit-unassigned ap buildbot commit-queue fpizlo ggaren mark.lam oliver rniwa oldest_to_newest 1047385 0 akiss 2014-11-09 06:23:17 -0800 When running jsc tests, exceptionFuzz/earley-boyer.js fails sporadically (experienced both on x86_64 and ARM64). The following 2 commands reproduce the assertions reliably, however: WebKitBuild/Debug/bin/jsc --enableExceptionFuzz=true --fireExceptionFuzzAt=15006 Source/JavaScriptCore/tests/exceptionFuzz/earley-boyer.js JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame 0x7ffffe28dc00, seen in CommonSlowPaths and return address 0x11cc168. ASSERTION FAILED: isCell() ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h(494) : JSC::JSCell* JSC::JSValue::asCell() const 1 0x7f7dd496754c /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f7dd496754c] 2 0x42e53d WebKitBuild/Debug/bin/jsc(_ZNK3JSC7JSValue6asCellEv+0x3d) [0x42e53d] 3 0x42c4a1 WebKitBuild/Debug/bin/jsc(_ZN3JSC8asObjectENS_7JSValueE+0x18) [0x42c4a1] 4 0x7f7dd45c7d9c /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12asActivationENS_7JSValueE+0x21) [0x7f7dd45c7d9c] 5 0x7f7dd45c7e0e /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZNK3JSC8Register18lexicalEnvironmentEv+0x20) [0x7f7dd45c7e0e] 6 0x7f7dd45c7635 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZNK3JSC9ExecState18lexicalEnvironmentEv+0x8f) [0x7f7dd45c7635] 7 0x7f7dd45d3d6a /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12StackVisitor5Frame17existingArgumentsEv+0xe8) [0x7f7dd45d3d6a] WebKitBuild/Debug/bin/jsc --enableExceptionFuzz=true --fireExceptionFuzzAt=15009 Source/JavaScriptCore/tests/exceptionFuzz/earley-boyer.js JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame 0x7fff9e8dab50, seen in CommonSlowPaths and return address 0x1d959d0. ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info()) ../../Source/JavaScriptCore/runtime/JSCell.h(249) : To JSC::jsCast(JSC::JSValue) [with To = JSC::Arguments*] 1 0x7f662090057e /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrashWithSecurityImplication+0x1e) [0x7f662090057e] 2 0x7f662056d918 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC6jsCastIPNS_9ArgumentsEEET_NS_7JSValueE+0x6a) [0x7f662056d918] 3 0x7f662056cd84 /home/akiss/devel/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC12StackVisitor5Frame17existingArgumentsEv+0x102) [0x7f662056cd84] It turns out that ExceptionFuzz fires in a function containing an op_create_lexical_environment followed by an op_create_arguments, when either the lexicalEnvironment or the unmodifiedArgumentsRegister in the lexicalEnvironment is not set up yet. The function that ExceptionFuzz is firing at is: BgL_nboyerzd2benchmarkzd2#CMhDdb:[0x1e8e610->0x7f50e98bad70, %sNoneFunctionCall, 223]: 223 m_instructions; 1784 bytes; 1 parameter(s); 24 callee register(s); 7 variable(s); 3 captured var(s) (from r-3 to r-5, inclusive); uses arguments, in r-4, r-3; lexical environment in r-1 [ 0] enter [ 1] get_scope arg-3 [ 3] create_lexical_environment loc0 [ 5] init_lazy_reg loc3 [ 7] init_lazy_reg loc2 [ 9] create_arguments loc3 [ 11] put_to_scope loc0, arguments(@id0), loc3, 3<ThrowIfNotFound|LocalClosureVar>, <structure>, -4 [ 18] put_to_scope loc0, arguments(@id0), loc2, 3<ThrowIfNotFound|LocalClosureVar>, <structure>, -3 And the lines in existingArguments() causing the assertions are: if (codeBlock()->needsActivation()) return jsCast<Arguments*>(callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get()); If an exception is raised in op_enter or in op_get_scope then, although codeBlock()->needsActivation() is true, callFrame()->lexicalEnvironment() fails since the environment is undefined. If an exception is raised before the first put_to_scope then jsCast<Arguments*> fails since the unmodifiedArgumentsRegister of the lexicalEnvironment is undefined. 1047386 1 241252 akiss 2014-11-09 06:33:21 -0800 Created attachment 241252 Proposed patch. The patch fixes both assertions and causes no jsc test regressions. 1047481 2 241252 fpizlo 2014-11-09 23:22:19 -0800 Comment on attachment 241252 Proposed patch. Can you write a test for this? 1047559 3 241252 ggaren 2014-11-10 10:48:26 -0800 Comment on attachment 241252 Proposed patch. When codeBlock->needsActivation() is true, how is it possible that the frame lacks an activation? I believe that should be impossible. 1047609 4 akiss 2014-11-10 13:15:14 -0800 If I'm right, create_lexical_environment at [3] sets up activation to r-1. So, before that, although codeBlock()->needsActivation() is true, the frame does not have activation yet. About the test: I'm not sure yet that I can force the first 6 instructions throw an exception... at least "naturally", but only from "outside" by ExceptionFuzz. When ExceptionFuzz was introduced in http://trac.webkit.org/changeset/171213 , StackVisitor was modified to handle throws in op_enter. I guess that was also only to cover such artificial fuzz exceptions. (At least I could not find any already existing test that would reliably trigger that exception, unfortunately.) 1047665 5 ggaren 2014-11-10 15:35:18 -0800 Looks like this has been failing on the bots periodically: <rdar://problem/18867723>. 1047666 6 ggaren 2014-11-10 15:36:02 -0800 I see: this failure is only possible in fuzzing mode, which sometimes inserts exceptions in places where they would otherwise be impossible. 1047680 7 241252 ggaren 2014-11-10 16:05:58 -0800 Comment on attachment 241252 Proposed patch. It feels a bit awkward to program defensively like this just to make the fuzzer happy. Programming like this means that we can't tell the difference between "Something is seriously wrong because the activation object is missing" and "I'm just fuzzing". Ideally, we would teach the fuzzer not to throw in cases that otherwise couldn't -- for example, in the LLInt, by passing an argument to END() that said "ASSERT there is no exception, and do not fuzz for exceptions". I guess this patch is an improvement for now, so it's worth doing. Note, though that you missed a spot: Oliver removed the original work-around for fuzzing, probably because he wasn't aware of this special fuzzing behavior. You should update your comments to specify that we do this only for fuzzing, and also add back the code that Oliver removed in <http://trac.webkit.org/changeset/174226>: Index: /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp =================================================================== --- /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (revision 174225) +++ /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (revision 174226) @@ -440,6 +440,4 @@ CallFrame* callFrame = visitor->callFrame(); CodeBlock* codeBlock = visitor->codeBlock(); - JSScope* scope = callFrame->scope(); - if (Debugger* debugger = callFrame->vmEntryGlobalObject()->debugger()) { ClearExceptionScope scope(&callFrame->vm()); @@ -456,13 +454,4 @@ RELEASE_ASSERT(!visitor->isInlinedFrame()); #endif - lexicalEnvironment = callFrame->uncheckedActivation(); - // Protect against the lexical environment not being created, or the variable still being - // initialized to Undefined inside op_enter. - if (lexicalEnvironment && lexicalEnvironment.isCell()) { - JSLexicalEnvironment* activationObject = jsCast<JSLexicalEnvironment*>(lexicalEnvironment); - // Protect against throwing exceptions after tear-off. - if (!activationObject->isTornOff()) - activationObject->tearOff(*scope->vm()); - } } 1047684 8 fpizlo 2014-11-10 16:12:04 -0800 (In reply to comment #7) > Comment on attachment 241252 [details] > Proposed patch. > > It feels a bit awkward to program defensively like this just to make the > fuzzer happy. Programming like this means that we can't tell the difference > between "Something is seriously wrong because the activation object is > missing" and "I'm just fuzzing". > > Ideally, we would teach the fuzzer not to throw in cases that otherwise > couldn't -- for example, in the LLInt, by passing an argument to END() that > said "ASSERT there is no exception, and do not fuzz for exceptions". > > I guess this patch is an improvement for now, so it's worth doing. Note, > though that you missed a spot: Oliver removed the original work-around for > fuzzing, probably because he wasn't aware of this special fuzzing behavior. > > You should update your comments to specify that we do this only for fuzzing, > and also add back the code that Oliver removed in > <http://trac.webkit.org/changeset/174226>: > > Index: /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp > =================================================================== > --- /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (revision > 174225) > +++ /trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (revision > 174226) > @@ -440,6 +440,4 @@ > CallFrame* callFrame = visitor->callFrame(); > CodeBlock* codeBlock = visitor->codeBlock(); > - JSScope* scope = callFrame->scope(); > - > if (Debugger* debugger = callFrame->vmEntryGlobalObject()->debugger()) { > ClearExceptionScope scope(&callFrame->vm()); > @@ -456,13 +454,4 @@ > RELEASE_ASSERT(!visitor->isInlinedFrame()); > #endif > - lexicalEnvironment = callFrame->uncheckedActivation(); > - // Protect against the lexical environment not being created, or > the variable still being > - // initialized to Undefined inside op_enter. > - if (lexicalEnvironment && lexicalEnvironment.isCell()) { > - JSLexicalEnvironment* activationObject = > jsCast<JSLexicalEnvironment*>(lexicalEnvironment); > - // Protect against throwing exceptions after tear-off. > - if (!activationObject->isTornOff()) > - activationObject->tearOff(*scope->vm()); > - } > } For what it's worth, when we added the fuzzer we added a handful of such checks that are only to defend against the fuzzer. This involved far less infrastructure than making the fuzzer more complicated. Also, if we ever were wrong about our assumptions about when activations are allocated or who could throw exceptions, this defensiveness would turn a crash into something much less severe. 1047858 9 241354 akiss 2014-11-11 09:03:11 -0800 Created attachment 241354 Updated patch Updated/added comments as requested. However, I don't think that the change to Interpreter.cpp could/should be reverted. The code that was removed there was callinf isTornOff and tearOff on LexicalEnvironment. However, that API/functionality does not exists anymore. 1047917 10 ggaren 2014-11-11 11:56:39 -0800 > However, I don't think that the change to Interpreter.cpp could/should be > reverted. The code that was removed there was callinf isTornOff and tearOff > on LexicalEnvironment. However, that API/functionality does not exists > anymore. Aha! You are correct. 1047918 11 241354 ggaren 2014-11-11 11:56:52 -0800 Comment on attachment 241354 Updated patch r=me 1047935 12 241354 commit-queue 2014-11-11 12:36:17 -0800 Comment on attachment 241354 Updated patch Clearing flags on attachment: 241354 Committed r175967: <http://trac.webkit.org/changeset/175967> 1047936 13 commit-queue 2014-11-11 12:36:22 -0800 All reviewed patches have been landed. Closing bug. 241252 2014-11-09 06:33:21 -0800 2014-11-11 09:03:11 -0800 Proposed patch. stackvisitor-exfuzz-v6.patch text/plain 4020 akiss ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCmluZGV4IDBlMWRhY2MuLjZkOGJlMTcgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL0phdmFTY3JpcHRD b3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI1IEBACisyMDE0LTExLTA5ICBBa29zIEtpc3MgIDxh a2lzc0BpbmYudS1zemVnZWQuaHU+CisKKyAgICAgICAgRml4IFN0YWNrVmlzaXRvcjo6RnJhbWU6 OmV4aXN0aW5nQXJndW1lbnRzKCkgdG8gaGFuZGxlIGNhc2VzIHdoZW4gbGV4aWNhbEVudmlyb25t ZW50IGFuZC9vciB1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIgaXMgbm90IHNldCB1cCB5ZXQK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEzODU0Mwor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIElmIGNvZGVC bG9jaygpLT5uZWVkc0FjdGl2YXRpb24oKSBpcyBmYWxzZSwgdW5tb2RpZmllZEFyZ3VtZW50c1Jl Z2lzdGVyCisgICAgICAgIGlzIGFscmVhZHkgY2hlY2tlZCBmb3IgVW5kZWZpbmVkLiBUaGlzIHBh dGNoIGFwcGxpZXMgdGhlIHNhbWUgY2hlY2sgd2hlbgorICAgICAgICB0aGUgY29uZGl0aW9uIGlz IHRydWUgKGFuZCBhbHNvIGNoZWNrcyB3aGV0aGVyCisgICAgICAgIGNhbGxGcmFtZSgpLT5oYXNB Y3RpdmF0aW9uKCkpLgorCisgICAgICAgICogaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lLmg6CisgICAg ICAgIChKU0M6OkV4ZWNTdGF0ZTo6aGFzQWN0aXZhdGlvbikKKyAgICAgICAgTW92ZWQgdG8gaW50 ZXJwcmV0ZXIvQ2FsbEZyYW1lSW5saW5lcy5oLgorICAgICAgICAqIGludGVycHJldGVyL0NhbGxG cmFtZUlubGluZXMuaDoKKyAgICAgICAgKEpTQzo6Q2FsbEZyYW1lOjpoYXNBY3RpdmF0aW9uKToK KyAgICAgICAgRml4ZWQgdG8gdmVyaWZ5IHRoYXQgdGhlIEpTVmFsdWUgcmV0dXJuZWQgYnkgdW5j aGVja2VkQWN0aXZhdGlvbigpIGlzIGEKKyAgICAgICAgY2VsbC4KKyAgICAgICAgKiBpbnRlcnBy ZXRlci9TdGFja1Zpc2l0b3IuY3BwOgorICAgICAgICAoSlNDOjpTdGFja1Zpc2l0b3I6OkZyYW1l OjpleGlzdGluZ0FyZ3VtZW50cyk6CisKIDIwMTQtMTEtMDcgIETDoW5pZWwgQsOhdHlhaSAgPGRi YXR5YWkudS1zemVnZWRAcGFydG5lci5zYW1zdW5nLmNvbT4KIAogICAgICAgICBGaXggYW4gYWxp Z25tZW50IGlzc3VlIHdpdGggb3BlcmF0aW9uUHVzaENhdGNoU2NvcGUgb24gQVJNdjcKZGlmZiAt LWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9DYWxsRnJhbWUuaCBiL1Nv dXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9DYWxsRnJhbWUuaAppbmRleCBlZWJmZGQy Li5iODA4MzZmIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIv Q2FsbEZyYW1lLmgKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0NhbGxG cmFtZS5oCkBAIC01MSw3ICs1MSw3IEBAIG5hbWVzcGFjZSBKU0MgIHsKICAgICAgICAgICAgIHJl dHVybiB0aGlzW0pTU3RhY2s6OlNjb3BlQ2hhaW5dLlJlZ2lzdGVyOjpzY29wZSgpOwogICAgICAg ICB9CiAKLSAgICAgICAgYm9vbCBoYXNBY3RpdmF0aW9uKCkgY29uc3QgeyByZXR1cm4gISF1bmNo ZWNrZWRBY3RpdmF0aW9uKCk7IH0KKyAgICAgICAgYm9vbCBoYXNBY3RpdmF0aW9uKCkgY29uc3Q7 CiAgICAgICAgIEpTTGV4aWNhbEVudmlyb25tZW50KiBsZXhpY2FsRW52aXJvbm1lbnQoKSBjb25z dDsKICAgICAgICAgSlNWYWx1ZSB1bmNoZWNrZWRBY3RpdmF0aW9uKCkgY29uc3Q7CiAKZGlmZiAt LWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9DYWxsRnJhbWVJbmxpbmVz LmggYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lSW5saW5lcy5o CmluZGV4IDA1ZmJhMzkuLjNmNDMwZWMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29y ZS9pbnRlcnByZXRlci9DYWxsRnJhbWVJbmxpbmVzLmgKKysrIGIvU291cmNlL0phdmFTY3JpcHRD b3JlL2ludGVycHJldGVyL0NhbGxGcmFtZUlubGluZXMuaApAQCAtMTM5LDYgKzEzOSwxMiBAQCBp bmxpbmUgdW5zaWduZWQgQ2FsbEZyYW1lOjpsb2NhdGlvbkFzQ29kZU9yaWdpbkluZGV4KCkgY29u c3QKICAgICByZXR1cm4gTG9jYXRpb246OmRlY29kZShsb2NhdGlvbkFzUmF3Qml0cygpKTsKIH0K IAoraW5saW5lIGJvb2wgQ2FsbEZyYW1lOjpoYXNBY3RpdmF0aW9uKCkgY29uc3QKK3sKKyAgICBK U1ZhbHVlIGFjdGl2YXRpb24gPSB1bmNoZWNrZWRBY3RpdmF0aW9uKCk7CisgICAgcmV0dXJuICEh YWN0aXZhdGlvbiAmJiBhY3RpdmF0aW9uLmlzQ2VsbCgpOworfQorCiBpbmxpbmUgSlNWYWx1ZSBD YWxsRnJhbWU6OnVuY2hlY2tlZEFjdGl2YXRpb24oKSBjb25zdAogewogICAgIENvZGVCbG9jayog Y29kZUJsb2NrID0gdGhpcy0+Y29kZUJsb2NrKCk7CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNj cmlwdENvcmUvaW50ZXJwcmV0ZXIvU3RhY2tWaXNpdG9yLmNwcCBiL1NvdXJjZS9KYXZhU2NyaXB0 Q29yZS9pbnRlcnByZXRlci9TdGFja1Zpc2l0b3IuY3BwCmluZGV4IGViODIxNDkuLjViNjZmMDMg MTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9TdGFja1Zpc2l0 b3IuY3BwCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9TdGFja1Zpc2l0 b3IuY3BwCkBAIC0yOTcsMTEgKzI5NywxMiBAQCBBcmd1bWVudHMqIFN0YWNrVmlzaXRvcjo6RnJh bWU6OmV4aXN0aW5nQXJndW1lbnRzKCkKICNlbmRpZiAvLyBFTkFCTEUoREZHX0pJVCkKICAgICAg ICAgcmVnID0gY29kZUJsb2NrKCktPmFyZ3VtZW50c1JlZ2lzdGVyKCk7CiAKLSAgICBpZiAoY29k ZUJsb2NrKCktPm5lZWRzQWN0aXZhdGlvbigpKQotICAgICAgICByZXR1cm4ganNDYXN0PEFyZ3Vt ZW50cyo+KGNhbGxGcmFtZSgpLT5sZXhpY2FsRW52aXJvbm1lbnQoKS0+cmVnaXN0ZXJBdCh1bm1v ZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIocmVnKS5vZmZzZXQoKSkuZ2V0KCkpOwotICAgIAotICAg IEpTVmFsdWUgcmVzdWx0ID0gY2FsbEZyYW1lKCktPnIodW5tb2RpZmllZEFyZ3VtZW50c1JlZ2lz dGVyKHJlZykub2Zmc2V0KCkpLmpzVmFsdWUoKTsKLSAgICBpZiAoIXJlc3VsdCB8fCAhcmVzdWx0 LmlzQ2VsbCgpKSAvLyBQcm90ZWN0IGFnYWluc3QgVW5kZWZpbmVkIGluIGNhc2Ugd2UgdGhyb3cg aW4gb3BfZW50ZXIuCisgICAgSlNWYWx1ZSByZXN1bHQgPSBqc1VuZGVmaW5lZCgpOworICAgIGlm IChjb2RlQmxvY2soKS0+bmVlZHNBY3RpdmF0aW9uKCkgJiYgY2FsbEZyYW1lKCktPmhhc0FjdGl2 YXRpb24oKSkKKyAgICAgICAgcmVzdWx0ID0gY2FsbEZyYW1lKCktPmxleGljYWxFbnZpcm9ubWVu dCgpLT5yZWdpc3RlckF0KHVubW9kaWZpZWRBcmd1bWVudHNSZWdpc3RlcihyZWcpLm9mZnNldCgp KS5nZXQoKTsKKyAgICBpZiAoIXJlc3VsdCB8fCAhcmVzdWx0LmlzQ2VsbCgpKSAvLyBUcnkgbG9j YWwgdW5tb2RpZmllZEFyZ3VtZW50c1JlZ2lzdGVyIGlmIGxleGljYWxFbnZpcm9ubWVudCBpcyBu b3QgcHJlc2VudCBvciBoYXMgbm90IHNldCB1cCByZWdpc3RlcnMgeWV0LgorICAgICAgICByZXN1 bHQgPSBjYWxsRnJhbWUoKS0+cih1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIocmVnKS5vZmZz ZXQoKSkuanNWYWx1ZSgpOworICAgIGlmICghcmVzdWx0IHx8ICFyZXN1bHQuaXNDZWxsKCkpIC8v IFByb3RlY3QgYWdhaW5zdCBVbmRlZmluZWQgaW4gY2FzZSB3ZSB0aHJvdyB3aGVuIHVubW9kaWZp ZWRBcmd1bWVudHNSZWdpc3RlciBpcyBub3Qgc2V0IHVwIHlldCAoZS5nLiwgaW4gb3BfZW50ZXIg b3Igb3BfY3JlYXRlX2FyZ3VtZW50cykuCiAgICAgICAgIHJldHVybiAwOwogICAgIHJldHVybiBq c0Nhc3Q8QXJndW1lbnRzKj4ocmVzdWx0KTsKIH0K 241354 2014-11-11 09:03:11 -0800 2014-11-11 12:36:17 -0800 Updated patch stackvisitor-exfuzz-v7.patch text/plain 4861 akiss ZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvSmF2 YVNjcmlwdENvcmUvQ2hhbmdlTG9nCmluZGV4IGEwZWJiOTkuLjg0ZDgzYWYgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL0phdmFTY3JpcHRD b3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDMxIEBACisyMDE0LTExLTExICBBa29zIEtpc3MgIDxh a2lzc0BpbmYudS1zemVnZWQuaHU+CisKKyAgICAgICAgSGFuZGxlIGNhc2VzIGluIFN0YWNrVmlz aXRvcjo6RnJhbWU6OmV4aXN0aW5nQXJndW1lbnRzKCkgd2hlbiBsZXhpY2FsRW52aXJvbm1lbnQg YW5kL29yIHVubW9kaWZpZWRBcmd1bWVudHNSZWdpc3RlciBpcyBub3Qgc2V0IHVwIHlldAorICAg ICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTM4NTQzCisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgRXhjZXB0aW9uIGZ1 enppbmcgbWF5IG1heSByYWlzZSBleGNlcHRpb25zIGluIHBsYWNlcyB3aGVyZSB0aGV5IHdvdWxk IGJlCisgICAgICAgIG90aGVyd2lzZSBpbXBvc3NpYmxlLiBUaGVyZWZvcmUsIGEgY2FsbEZyYW1l IG1heSBsYWNrIGFjdGl2YXRpb24gZXZlbiBpZgorICAgICAgICB0aGUgY29kZUJsb2NrIHNpZ25h bHMgbmVlZCBvZiBhY3RpdmF0aW9uLiBBbHNvLCBldmVuIGlmIGNvZGVCbG9jaworICAgICAgICBz aWduYWxzIHRoZSB1c2Ugb2YgYXJndW1lbnRzLCB0aGUgdW5tb2RpZmllZEFyZ3VtZW50c1JlZ2lz dGVyIG1heSBub3QgYmUKKyAgICAgICAgaW5pdGlhbGl6ZWQgeWV0IChuZWl0aGVyIGxvY2FsbHkg bm9yIGluIGxleGljYWxFbnZpcm9ubWVudCkuCisKKyAgICAgICAgSWYgY29kZUJsb2NrKCktPm5l ZWRzQWN0aXZhdGlvbigpIGlzIGZhbHNlLCB1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIKKyAg ICAgICAgaXMgYWxyZWFkeSBjaGVja2VkIGZvciBVbmRlZmluZWQuIFRoaXMgcGF0Y2ggYXBwbGll cyB0aGUgc2FtZSBjaGVjayB3aGVuCisgICAgICAgIHRoZSBjb25kaXRpb24gaXMgdHJ1ZSAoYW5k IGFsc28gY2hlY2tzIHdoZXRoZXIKKyAgICAgICAgY2FsbEZyYW1lKCktPmhhc0FjdGl2YXRpb24o KSkuCisKKyAgICAgICAgKiBpbnRlcnByZXRlci9DYWxsRnJhbWUuaDoKKyAgICAgICAgKEpTQzo6 RXhlY1N0YXRlOjpoYXNBY3RpdmF0aW9uKToKKyAgICAgICAgTW92ZWQgdG8gaW50ZXJwcmV0ZXIv Q2FsbEZyYW1lSW5saW5lcy5oLgorICAgICAgICAqIGludGVycHJldGVyL0NhbGxGcmFtZUlubGlu ZXMuaDoKKyAgICAgICAgKEpTQzo6Q2FsbEZyYW1lOjpoYXNBY3RpdmF0aW9uKToKKyAgICAgICAg Rml4ZWQgdG8gdmVyaWZ5IHRoYXQgdGhlIEpTVmFsdWUgcmV0dXJuZWQgYnkgdW5jaGVja2VkQWN0 aXZhdGlvbigpIGlzIGEKKyAgICAgICAgY2VsbC4KKyAgICAgICAgKiBpbnRlcnByZXRlci9TdGFj a1Zpc2l0b3IuY3BwOgorICAgICAgICAoSlNDOjpTdGFja1Zpc2l0b3I6OkZyYW1lOjpleGlzdGlu Z0FyZ3VtZW50cyk6CisKIDIwMTQtMTEtMDkgIEFrb3MgS2lzcyAgPGFraXNzQGluZi51LXN6ZWdl ZC5odT4KIAogICAgICAgICBGaXggJ25vcmV0dXJuJyBmdW5jdGlvbiBkb2VzIHJldHVybiB3YXJu aW5nIGluIExMVk1PdmVycmlkZXMuY3BwCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lLmggYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJw cmV0ZXIvQ2FsbEZyYW1lLmgKaW5kZXggZWViZmRkMi4uYjgwODM2ZiAxMDA2NDQKLS0tIGEvU291 cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0NhbGxGcmFtZS5oCisrKyBiL1NvdXJjZS9K YXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9DYWxsRnJhbWUuaApAQCAtNTEsNyArNTEsNyBAQCBu YW1lc3BhY2UgSlNDICB7CiAgICAgICAgICAgICByZXR1cm4gdGhpc1tKU1N0YWNrOjpTY29wZUNo YWluXS5SZWdpc3Rlcjo6c2NvcGUoKTsKICAgICAgICAgfQogCi0gICAgICAgIGJvb2wgaGFzQWN0 aXZhdGlvbigpIGNvbnN0IHsgcmV0dXJuICEhdW5jaGVja2VkQWN0aXZhdGlvbigpOyB9CisgICAg ICAgIGJvb2wgaGFzQWN0aXZhdGlvbigpIGNvbnN0OwogICAgICAgICBKU0xleGljYWxFbnZpcm9u bWVudCogbGV4aWNhbEVudmlyb25tZW50KCkgY29uc3Q7CiAgICAgICAgIEpTVmFsdWUgdW5jaGVj a2VkQWN0aXZhdGlvbigpIGNvbnN0OwogCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lSW5saW5lcy5oIGIvU291cmNlL0phdmFTY3JpcHRDb3Jl L2ludGVycHJldGVyL0NhbGxGcmFtZUlubGluZXMuaAppbmRleCAwNWZiYTM5Li4zZjQzMGVjIDEw MDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIvQ2FsbEZyYW1lSW5s aW5lcy5oCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9DYWxsRnJhbWVJ bmxpbmVzLmgKQEAgLTEzOSw2ICsxMzksMTIgQEAgaW5saW5lIHVuc2lnbmVkIENhbGxGcmFtZTo6 bG9jYXRpb25Bc0NvZGVPcmlnaW5JbmRleCgpIGNvbnN0CiAgICAgcmV0dXJuIExvY2F0aW9uOjpk ZWNvZGUobG9jYXRpb25Bc1Jhd0JpdHMoKSk7CiB9CiAKK2lubGluZSBib29sIENhbGxGcmFtZTo6 aGFzQWN0aXZhdGlvbigpIGNvbnN0Cit7CisgICAgSlNWYWx1ZSBhY3RpdmF0aW9uID0gdW5jaGVj a2VkQWN0aXZhdGlvbigpOworICAgIHJldHVybiAhIWFjdGl2YXRpb24gJiYgYWN0aXZhdGlvbi5p c0NlbGwoKTsKK30KKwogaW5saW5lIEpTVmFsdWUgQ2FsbEZyYW1lOjp1bmNoZWNrZWRBY3RpdmF0 aW9uKCkgY29uc3QKIHsKICAgICBDb2RlQmxvY2sqIGNvZGVCbG9jayA9IHRoaXMtPmNvZGVCbG9j aygpOwpkaWZmIC0tZ2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL1N0YWNr VmlzaXRvci5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIvU3RhY2tWaXNp dG9yLmNwcAppbmRleCBlYjgyMTQ5Li45NDJmOTI0IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNj cmlwdENvcmUvaW50ZXJwcmV0ZXIvU3RhY2tWaXNpdG9yLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNj cmlwdENvcmUvaW50ZXJwcmV0ZXIvU3RhY2tWaXNpdG9yLmNwcApAQCAtMjk3LDExICsyOTcsMTgg QEAgQXJndW1lbnRzKiBTdGFja1Zpc2l0b3I6OkZyYW1lOjpleGlzdGluZ0FyZ3VtZW50cygpCiAj ZW5kaWYgLy8gRU5BQkxFKERGR19KSVQpCiAgICAgICAgIHJlZyA9IGNvZGVCbG9jaygpLT5hcmd1 bWVudHNSZWdpc3RlcigpOwogCi0gICAgaWYgKGNvZGVCbG9jaygpLT5uZWVkc0FjdGl2YXRpb24o KSkKLSAgICAgICAgcmV0dXJuIGpzQ2FzdDxBcmd1bWVudHMqPihjYWxsRnJhbWUoKS0+bGV4aWNh bEVudmlyb25tZW50KCktPnJlZ2lzdGVyQXQodW5tb2RpZmllZEFyZ3VtZW50c1JlZ2lzdGVyKHJl Zykub2Zmc2V0KCkpLmdldCgpKTsKLSAgICAKLSAgICBKU1ZhbHVlIHJlc3VsdCA9IGNhbGxGcmFt ZSgpLT5yKHVubW9kaWZpZWRBcmd1bWVudHNSZWdpc3RlcihyZWcpLm9mZnNldCgpKS5qc1ZhbHVl KCk7Ci0gICAgaWYgKCFyZXN1bHQgfHwgIXJlc3VsdC5pc0NlbGwoKSkgLy8gUHJvdGVjdCBhZ2Fp bnN0IFVuZGVmaW5lZCBpbiBjYXNlIHdlIHRocm93IGluIG9wX2VudGVyLgorICAgIC8vIENhcmUg c2hvdWxkIGJlIHRha2VuIGhlcmUgc2luY2UgZXhjZXB0aW9uIGZ1enppbmcgbWF5IHJhaXNlIGV4 Y2VwdGlvbnMgaW4KKyAgICAvLyBwbGFjZXMgd2hlcmUgdGhleSB3b3VsZCBiZSBvdGhlcndpc2Ug aW1wb3NzaWJsZS4gVGhlcmVmb3JlLCBjYWxsRnJhbWUgbWF5CisgICAgLy8gbGFjayBhY3RpdmF0 aW9uIGV2ZW4gaWYgdGhlIGNvZGVCbG9jayBzaWduYWxzIG5lZWQgb2YgYWN0aXZhdGlvbi4gQWxz bywKKyAgICAvLyBldmVuIGlmIGNvZGVCbG9jayBzaWduYWxzIHRoZSB1c2Ugb2YgYXJndW1lbnRz LCB0aGUKKyAgICAvLyB1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIgbWF5IG5vdCBiZSBpbml0 aWFsaXplZCB5ZXQgKG5laXRoZXIgbG9jYWxseQorICAgIC8vIG5vciBpbiBsZXhpY2FsRW52aXJv bm1lbnQpLgorICAgIEpTVmFsdWUgcmVzdWx0ID0ganNVbmRlZmluZWQoKTsKKyAgICBpZiAoY29k ZUJsb2NrKCktPm5lZWRzQWN0aXZhdGlvbigpICYmIGNhbGxGcmFtZSgpLT5oYXNBY3RpdmF0aW9u KCkpCisgICAgICAgIHJlc3VsdCA9IGNhbGxGcmFtZSgpLT5sZXhpY2FsRW52aXJvbm1lbnQoKS0+ cmVnaXN0ZXJBdCh1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIocmVnKS5vZmZzZXQoKSkuZ2V0 KCk7CisgICAgaWYgKCFyZXN1bHQgfHwgIXJlc3VsdC5pc0NlbGwoKSkgLy8gVHJ5IGxvY2FsIHVu bW9kaWZpZWRBcmd1bWVudHNSZWdpc3RlciBpZiBsZXhpY2FsRW52aXJvbm1lbnQgaXMgbm90IHBy ZXNlbnQgKGdlbmVyYWxseSBwb3NzaWJsZSkgb3IgaGFzIG5vdCBzZXQgdXAgcmVnaXN0ZXJzIHll dCAob25seSBwb3NzaWJsZSBpZiBmdXp6aW5nIGV4Y2VwdGlvbnMpLgorICAgICAgICByZXN1bHQg PSBjYWxsRnJhbWUoKS0+cih1bm1vZGlmaWVkQXJndW1lbnRzUmVnaXN0ZXIocmVnKS5vZmZzZXQo KSkuanNWYWx1ZSgpOworICAgIGlmICghcmVzdWx0IHx8ICFyZXN1bHQuaXNDZWxsKCkpIC8vIFBy b3RlY3QgYWdhaW5zdCB0aGUgY2FzZSB3aGVuIGV4Y2VwdGlvbiBmdXp6aW5nIHRocm93cyB3aGVu IHVubW9kaWZpZWRBcmd1bWVudHNSZWdpc3RlciBpcyBub3Qgc2V0IHVwIHlldCAoZS5nLiwgaW4g b3BfZW50ZXIpLgogICAgICAgICByZXR1cm4gMDsKICAgICByZXR1cm4ganNDYXN0PEFyZ3VtZW50 cyo+KHJlc3VsdCk7CiB9Cg==