153431 2016-01-25 11:06:47 -0800 javascript jit bug affecting Google Maps 2016-04-22 16:49:22 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Mac OS X 10.11 RESOLVED FIXED InRadar P2 Normal --- 1 rsturgell mark.lam bburg commit-queue fpizlo ggaren keith_miller mark.lam msaboff saam webkit-bug-importer oldest_to_newest 1158390 0 269762 rsturgell 2016-01-25 11:06:47 -0800 Created attachment 269762 Jit bug repro, prints FAILED for incorrect results A couple weeks ago we pushed a new version of Google Maps, and Safari users started seeing rendering bugs (missing water features and parks) after loading a few viewports. We were able to work around the issue by rolling back a (seemingly innocuous) change. I've managed to reduce the repro to a simple case, see attached. The test calls function calc() 20k times. The function should always return 1. If it successfully returns 1 on every call, the tests shows "PASSED". If it ever returns something other than 1, the test prints FAILED and the iteration number, and exits. In Safari and WebkitNightly Version 9.0.2 (11601.3.9, r195530) it returns 0 after roughly 10k iterations: FAILED! Got result 0 at iteration 10486 Note that the test passes if the web inspector is open, and it also seems to pass on the very first load of a freshly started browser (but will consistently repro thereafter on a reload or new tab). 1158585 1 webkit-bug-importer 2016-01-25 16:14:49 -0800 <rdar://problem/24337479> 1160963 2 rsturgell 2016-02-01 11:50:34 -0800 Were you able to reproduce this problem? I spent quite a lot of time creating this reduced repro, it would be nice to know that this report hasn't gone into a black hole... Thanks, Ryan 1160964 3 saam 2016-02-01 11:55:48 -0800 (In reply to comment #2) > Were you able to reproduce this problem? > > I spent quite a lot of time creating this reduced repro, it would be nice to > know that this report hasn't gone into a black hole... > > Thanks, > Ryan Thanks Ryan. I'll look into this when I'm in the office (I'm on vacation today). 1162062 4 mark.lam 2016-02-04 11:08:37 -0800 Ryan, thanks for the repro case. I can reproduce the bug. It appears to only manifest with the FTL JIT. 1170278 5 rsturgell 2016-03-03 10:35:14 -0800 Any update on this? The workaround in my code is quite fragile, and I'm not at all confident that we don't have other instances of this problem that I just haven't detected. The style of code in this repro is very common throughout our code. If you do not plan to fix the bug any time soon, can you give me some insight into what the exact trigger is, so that I may be able to check our code for other cases? 1171297 6 bburg 2016-03-05 16:10:23 -0800 The bug is still active, but there's a lot going on. FTL JIT has a new backend, so it is probably helpful if you could confirm that it reproduces with a recent nightly. 1171800 7 rsturgell 2016-03-07 15:24:31 -0800 (In reply to comment #6) > The bug is still active, but there's a lot going on. FTL JIT has a new > backend, so it is probably helpful if you could confirm that it reproduces > with a recent nightly. Yes, the attached test still fails in today's nightly (Version 9.0.3 (11601.4.4, r197659)). 1186024 8 mark.lam 2016-04-21 17:02:06 -0700 Here's minimum repro case that can be run from the jsc shell: === BEGIN === function badFunc(tt, operandA, m) { // This variable re-use seems important - rename it and the bug goes away. operandA = tt[operandA]; if (false) { // If this (unreachable) block is removed, the bug goes away!! } else { m[0] = operandA; } } noInline(badFunc); function run() { for (var i = 0; i < 10000; i++) { var tt = new Uint32Array([0x80000000,1]); // Needs to be an Uint32Array. var failed = false; var m = []; badFunc(tt, 0, m); badFunc(tt, 1, m); var result = m[0]; if (result != tt[1]) { print('FAILED! Got result ' + result + ' for tt[1] at iteration ' + i); return; } } print('PASSED'); } run(); === END === Here's how I run the jsc shell on this test: $ JSC_useConcurrentJIT=0 JSC_maximumInliningDepth=1 $VM/jsc test.js 1186027 9 mark.lam 2016-04-21 17:06:13 -0700 Here's the generated code for the badFunc function with my annotations: Generated JIT code for FTL B3 code for badFunc#AhFADt:[0x116ba3400->0x116ba3840->0x116bcd280, FTLFunctionCall, 28 (NeverInline)]: Code at [0x378d824037a0, 0x378d82403920): 0x378d824037a0: push %rbp 0x378d824037a1: mov %rsp, %rbp 0x378d824037a4: add $0xffffffffffffffd0, %rsp // sp = sp - 40 0x378d824037a8: mov $0x116ba3400, %rax // $rax = 0x116ba3400 // cb 0x378d824037b2: mov %rax, 0x10(%rbp) // cfr[2 * 8] = 0x116ba3400 i.e. cfr.codeBlock = 0x116ba3400. 0x378d824037b6: mov 0x40(%rbp), %rdi // $rdi = cfr[5 * 8] i.e. $rdi = arg3 i.e. m. 0x378d824037ba: mov $0xffff000000000002, %rax // $rax = Not object mask. 0x378d824037c4: test %rdi, %rax // if (!@isObject(m)) 0x378d824037c7: jnz 0x378d8240388a // goto error 0x378d824037cd: mov 0x38(%rbp), %rcx // $rcx = cfr[7 * 8] i.e. arg2 i.e. operandA 0x378d824037d1: mov 0x30(%rbp), %rdx // $rdx = cfr[6 * 8] i.e. arg1 i.e. tt 0x378d824037d5: test %rdx, %rax // if (!@isObject(tt)) 0x378d824037d8: jnz 0x378d82403894 // goto error 0x378d824037de: cmp $0x60, (%rdx) // if (tt.structureID != expected(tt)) 0x378d824037e1: jnz 0x378d8240389e // specCheckfail 0x378d824037e7: cmp $0x7d, (%rdi) // if (m.structureID != expected(m)) 0x378d824037ea: jnz 0x378d824038a8 // specCheckFail 0x378d824037f0: mov 0x10(%rdx), %rax // $rax = tt.m_vector 0x378d824037f4: mov 0x18(%rdx), %esi // $esi = tt.m_length 0x378d824037f7: mov $0xffff000000000000, %rdx // $rdx = int mask / TagTypeNumber 0x378d82403801: cmp %rdx, %rcx // if (!@isInt(operandA) 0x378d82403804: jb 0x378d824038b2 // specCheckFail. 0x378d8240380a: cmp %esi, %ecx // if (int32(tt.m_length) < int32(operandA)) 0x378d8240380c: jae 0x378d824038bc // error 0x378d82403812: mov %ecx, %ecx // operandA = int32(operandA) 0x378d82403814: mov (%rax,%rcx,4), %esi // $esi = tt.m_vector[operandA] 0x378d82403817: movsxd %esi, %rax // $rax = signExtend($esi) 0x378d8240381a: cmp %rax, %rsi // if (signExtend($esi) == $rsi) i.e. if (highBitNotSet($esi)) 0x378d8240381d: jz 0x378d82403881 // goto 0x378d82403881 0x378d82403823: cvtsi2sd %rsi, %xmm0 // $xmm0 = double($rsi) 0x378d82403828: movq %xmm0, %rax // $rax = doubleAsIntBits($xmm0) 0x378d8240382d: mov $0x1 0000 0000 0000, %rcx // $rcx = DoubleEncodeOffset 0x378d82403837: add %rax, %rcx // $rcx = boxedDouble($rsi) // Got result of tt[operandA]. Now continue 0x378d8240383a: mov 0x8(%rdi), %rax // $rax = m.butterfly <=================================== Jumps here after the int boxing below. Bad!!!! 0x378d8240383e: add %rcx, %rdx // $rdx = unbox result in $rcx expected to be a double <=== This is good for doubles, bad for ints. 0x378d82403841: movq %rdx, %xmm0 // Move unboxed bits to $xmm0 0x378d82403846: cmp $0x0, -0x8(%rax) // if (0 <= m.butterfly.indexingHeader.publicLength) 0x378d8240384a: jbe 0x378d82403860 // goto ... 0x378d82403850: movsd %xmm0, (%rax) // m[0] = result bits from xmm0 0x378d82403854: mov $0xa, %rax // $rax = undefined 0x378d8240385b: mov %rbp, %rsp // return. 0x378d8240385e: pop %rbp 0x378d8240385f: ret // case: (0 <= m.butterfly.length) 0x378d82403860: cmp $0x0, -0x4(%rax) // if (0 <= m.butterfly.indexingHeader.vectorLength) 0x378d82403864: jbe 0x378d824038c6 // error ??? 0x378d8240386a: mov $0x1, -0x8(%rax) // m.butterfly.indexingHeader.publicLength = 1 0x378d82403871: movsd %xmm0, (%rax) // m[0] = result bits from xmm0 0x378d82403875: mov $0xa, %rax // $rax = undefined 0x378d8240387c: mov %rbp, %rsp // return. 0x378d8240387f: pop %rbp 0x378d82403880: ret // case: highBitNotSet($esi) ... 0x378d82403881: lea (%rsi,%rdx), %rcx // $rcx = $rsi + int mask i.e. boxedInt($rsi) <===== Boxing the Int here and jumps above for badness. 0x378d82403885: jmp 0x378d8240383a // Jumps 0x378d8240388a: push $0x0 0x378d8240388f: jmp 0x378d824039a0 0x378d82403894: push $0x1 0x378d82403899: jmp 0x378d824039a0 0x378d8240389e: push $0x2 0x378d824038a3: jmp 0x378d824039a0 0x378d824038a8: push $0x3 0x378d824038ad: jmp 0x378d824039a0 0x378d824038b2: push $0x4 0x378d824038b7: jmp 0x378d824039a0 0x378d824038bc: push $0x5 0x378d824038c1: jmp 0x378d824039a0 0x378d824038c6: push $0x6 0x378d824038cb: jmp 0x378d824039a0 0x378d824038d0: mov $0x1133fe2e0, %r9 0x378d824038da: mov %rbx, (%r9) 0x378d824038dd: mov %r12, 0x8(%r9) 0x378d824038e1: mov %r13, 0x10(%r9) 0x378d824038e5: mov %r14, 0x18(%r9) 0x378d824038e9: mov %r15, 0x20(%r9) 0x378d824038ed: mov $0x1133f8000, %rdi 0x378d824038f7: mov %rbp, %rsi 0x378d824038fa: mov $0x1103d90e0, %r11 0x378d82403904: call *%r11 0x378d82403907: mov $0x1133fe358, %rsi 0x378d82403911: mov (%rsi), %rsi 0x378d82403914: jmp *%rsi 1186032 10 mark.lam 2016-04-21 17:14:06 -0700 So, result array "m" is of DoubleShape. When the result to be written is an Int52 which gets converted to a double, all is well. When the result is an Int32, the generated FTL code mistakenly assumes the result is a double, and does a double style unboxing on it. The resultant "unboxed" value is an impure NaN (0xfffe000000000001). I'm not sure why that gets read as a hole or undefined yet when we print the result later. 1186090 11 ggaren 2016-04-21 19:35:34 -0700 > I'm not sure why that gets read as a hole or undefined yet when we print the > result later. Double arrays use NaN to represent hole (and hole converts to undefined). That's likely why impure NaN sometimes becomes hole or undefined. But that's sort of a red herring -- by the time we have an impure NaN, all bets are off for any future behavior. 1186386 12 mark.lam 2016-04-22 13:12:59 -0700 (In reply to comment #11) > > I'm not sure why that gets read as a hole or undefined yet when we print the > > result later. > > Double arrays use NaN to represent hole (and hole converts to undefined). > That's likely why impure NaN sometimes becomes hole or undefined. I know we store pure NaN to represent holes in arrays with double indexing types. I mistakenly thought that we did that to allow impureNaNs to represent NaN values in the array. Having thought about it more, that didn't make sense. And I also confirmed that the isHole() check (in ArrayPrototype.cpp) checks for any NaNs, not only pure NaNs. That explains why the wrong value gets misinterpreted as a hole and produced an undefined result. Onwards with finding out what went wrong in the FTL that resulted in the bad "unboxing". 1186463 13 mark.lam 2016-04-22 15:19:47 -0700 DFG graph just before FTL lowering (with my annotations) says: // @59: Int52(@25:tt @78 [ operandA @79 ]) 59:< 1:-> ValueRep(Int52Rep:Kill:@25<Int52>, JS|PureInt, Boolint32Nonboolint32Int52asdouble, bc#6, exit: bc#12) 91:<!0:-> KillStack(MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitInvalid) 32:<!0:-> ZombieHint(MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitInvalid) // @58: butterfly for @80:m 58:< 1:-> GetButterfly(Cell:@80, Storage|PureInt, R:JSObject_butterfly, Exits, bc#21) // @60: Double(@59:Int52(@25:tt @78 [ operandA @79 ])) 60:< 1:-> DoubleRep(Number:Kill:@59, Double|PureInt, Bytecodedouble, bc#21) // @80:m [ @30:0 ] = @60:Double(@59:Int52(@25:tt @78 [ operandA @79 ])) 39:<!0:-> PutByVal(KnownCell:Kill:@80, Int32:Kill:@30, DoubleRepReal:Kill:@60<Double>, Untyped:Kill:@58, MustGen|VarArgs, DoubleOriginalArrayToHoleAsIs, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#21) i.e. the DFG graph says that whatever value we got from node @59 will be converted to a double at node @60, and put in the results array "m" at node @39. The initial lowered B3 (with my annotations) says: Int64 @65 = ZExt32(@62, DFG:@25<Int52>) // @65 = zeroExtended int32(operandA) Int64 @66 = Const64(DFG:@25<Int52>, 2) // @66 = 2 Int32 @67 = Trunc($2(@66), DFG:@25<Int52>) // @67 = 2 Int64 @68 = Shl(@65, @67, DFG:@25<Int52>) // @68 = zeroExtended int32(operandA) * 4 Int64 @69 = Add(@56, @68, DFG:@25<Int52>) // @69 = &tt[operandA] Int32 @70 = Load(@69, DFG:@25<Int52>, ControlDependent|Reads:0...1) // @70 = tt[operandA] Int64 @71 = ZExt32(@70, DFG:@25<Int52>) // @71 = zeroExtended(tt[operandA]) Int32 @72 = Trunc(@71, DFG:@59) // @72 = int32(@71) Int64 @73 = SExt32(@72, DFG:@59) // @73 = signedExtended(tt[operandA]) Int32 @74 = Equal(@73, @71, DFG:@59) // @74 = (tt[operandA] is Int32) <========= checks if result is Int32 Void @75 = Branch(@74, DFG:@59, #5, #6, Terminal) // @75: branch #5 if Int32 else #6. // is Int32 BB#5: ; frequency = 1.000000 Int64 @76 = ZExt32(@72, DFG:@59) // @76 = zeroExtended(tt[operandA]) Int64 @77 = Add(@76, $-281474976710656(@13), DFG:@59) // @77 = boxedInt(tt[operandA]) Void @78 = Upsilon(@77, DFG:@59, ^85, WritesLocalState) Void @79 = Jump(DFG:@59, #7, Terminal) // not Int32 BB#6: ; frequency = 1.000000 Double @80 = IToD(@71, DFG:@59) // @80 = double(tt[operandA]) Int64 @81 = BitwiseCast(@80, DFG:@59) // @81 = double(tt[operandA]).bitsAsInt64() Int64 @82 = Sub(@81, $-281474976710656(@13), DFG:@59) // @82 = boxedDouble(tt[operandA]) Void @83 = Upsilon(@82, DFG:@59, ^85, WritesLocalState) Void @84 = Jump(DFG:@59, #7, Terminal) // Got result of tt[operandA]. Now continue BB#7: ; frequency = 1.000000 Int64 @85 = Phi(DFG:@59, ReadsLocalState) Int64 @86 = Const64(DFG:@58, 8) // @86 = 8 Int64 @87 = Add(@29, $8(@86), DFG:@58) // @87 = &m[8] = &m.butterfly Int64 @88 = Load(@87, DFG:@58, ControlDependent|Reads:23...24) // @88 = m.butterfly Void @89 = Branch($1(@1), DFG:@60<Double>, #9, #8, Terminal) // @89: if (1) goto #9 else #8. ... BB#10: ; frequency = 1.000000 Int64 @95 = Add(@85, $-281474976710656(@13), DFG:@60<Double>) // @95 = result + NumberTag <================== trying to unbox a double. Bad !!!!!!! Double @96 = BitwiseCast(@95, DFG:@60<Double>) // @96 = bitwise value of "unboxed" double result. Void @97 = Upsilon(@96, DFG:@60<Double>, ^100, WritesLocalState) Void @98 = Jump(DFG:@60<Double>, #12, Terminal) Hence, the bug lies in the lowering from DFG to B3. Diving in there next. 1186471 14 fpizlo 2016-04-22 15:35:14 -0700 I think I know what is going on! Can you show the graph before DFG node @59? 1186474 15 mark.lam 2016-04-22 15:37:27 -0700 The complete DFG graph before lowering is as follows: Block #0 (bc#0): (OSR target) Execution count: 1.000000 Predecessors: Successors: Dominated by: #0 Dominates: #0 Dominance Frontier: Iterated Dominance Frontier: Pre/Post Numbering: 0/0 States: StructuresAreWatched Availability: {locals = arg3:arg3:FlushedCell/Unavailable arg2:arg2:FlushedJSValue/Unavailable arg1:arg1:FlushedCell/Unavailable arg0:this:FlushedJSValue/Unavailable; heap = } Live: Values: 4:< 1:-> JSConstant(JS|PureInt, Other, Undefined, bc#0) 30:< 1:-> JSConstant(JS|UseAsOther, Boolint32, Int32: 0, bc#0) 81:<!0:-> ExitOK(MustGen, W:SideState, bc#0) // @78: tt 78:< 4:-> GetStack(JS|PureInt, Uint32array, arg1, machine:arg1, FlushedCell, R:Stack(6), bc#0) 62:<!0:-> CheckStructure(Cell:@78, MustGen, [%Ak:Uint32Array], R:JSCell_structureID, Exits, bc#0) // @79: operandA 79:< 2:-> GetStack(JS|PureInt, Boolint32, arg2, machine:arg2, FlushedJSValue, R:Stack(7), bc#0) // @80: m 80:< 3:-> GetStack(JS|PureInt, Array, arg3, machine:arg3, FlushedCell, R:Stack(8), bc#0) // Ensure m is a DoubleIndexing array. 64:<!0:-> CheckStructure(Cell:@80, MustGen, [%AR:Array], R:JSCell_structureID, Exits, bc#0) 82:<!0:-> KillStack(MustGen, loc0, W:SideState, ClobbersExit, bc#0) 5:<!0:-> ZombieHint(MustGen, loc0, W:SideState, ClobbersExit, bc#0, ExitInvalid) 83:<!0:-> KillStack(MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 7:<!0:-> ZombieHint(MustGen, loc1, W:SideState, ClobbersExit, bc#0, ExitInvalid) 84:<!0:-> KillStack(MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 9:<!0:-> ZombieHint(MustGen, loc2, W:SideState, ClobbersExit, bc#0, ExitInvalid) 85:<!0:-> KillStack(MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 11:<!0:-> ZombieHint(MustGen, loc3, W:SideState, ClobbersExit, bc#0, ExitInvalid) 86:<!0:-> KillStack(MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 13:<!0:-> ZombieHint(MustGen, loc4, W:SideState, ClobbersExit, bc#0, ExitInvalid) 87:<!0:-> KillStack(MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 15:<!0:-> ZombieHint(MustGen, loc5, W:SideState, ClobbersExit, bc#0, ExitInvalid) 88:<!0:-> KillStack(MustGen, loc3, W:SideState, ClobbersExit, bc#1) 19:<!0:-> ZombieHint(MustGen, loc3, W:SideState, ClobbersExit, bc#1, ExitInvalid) 89:<!0:-> KillStack(MustGen, loc4, W:SideState, ClobbersExit, bc#3) 21:<!0:-> ZombieHint(MustGen, loc4, W:SideState, ClobbersExit, bc#3, ExitInvalid) // @56: storage for tt @78 56:< 1:-> GetIndexedPropertyStorage(KnownCell:@78, Storage|PureInt, Uint32ArrayOriginalNonArrayInBoundsAsIs, R:MiscFields, Exits, bc#6) 92:< 1:-> GetArrayLength(KnownCell:@78, Int32|PureInt, Int32, Uint32ArrayOriginalNonArrayInBoundsAsIs, R:MiscFields, Exits, bc#6) 93:<!0:-> CheckInBounds(Check:Int32:@79, KnownInt32:Kill:@92, MustGen, Int32, Exits, bc#6) // @25: tt @78 [ operandA @79 ] 25:<!2:-> GetByVal(KnownCell:Kill:@78, Int32:Kill:@79, Untyped:Kill:@56, Int52|MustGen|UseAsOther, Boolint32Nonboolint32Int52, Uint32ArrayOriginalNonArrayInBoundsAsIs, R:TypedArrayProperties,MiscFields, Exits, bc#6) predicting Int52asdouble 90:<!0:-> KillStack(MustGen, arg2, W:SideState, ClobbersExit, bc#6, ExitInvalid) 26:<!0:-> MovHint(Int52Rep:@25<Int52>, MustGen, arg2, W:SideState, ClobbersExit, bc#6, ExitInvalid) // @59: Int52(@25:tt @78 [ operandA @79 ]) 59:< 1:-> ValueRep(Int52Rep:Kill:@25<Int52>, JS|PureInt, Boolint32Nonboolint32Int52asdouble, bc#6, exit: bc#12) 91:<!0:-> KillStack(MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitInvalid) 32:<!0:-> ZombieHint(MustGen, loc6, W:SideState, ClobbersExit, bc#12, ExitInvalid) // @58: butterfly for @80:m 58:< 1:-> GetButterfly(Cell:@80, Storage|PureInt, R:JSObject_butterfly, Exits, bc#21) // @60: Double(@59:Int52(@25:tt @78 [ operandA @79 ])) 60:< 1:-> DoubleRep(Number:Kill:@59, Double|PureInt, Bytecodedouble, bc#21) // @80:m [ @30:0 ] = @60:Double(@59:Int52(@25:tt @78 [ operandA @79 ])) 39:<!0:-> PutByVal(KnownCell:Kill:@80, Int32:Kill:@30, DoubleRepReal:Kill:@60<Double>, Untyped:Kill:@58, MustGen|VarArgs, DoubleOriginalArrayToHoleAsIs, R:Butterfly_publicLength,Butterfly_vectorLength,IndexedDoubleProperties, W:Butterfly_publicLength,IndexedDoubleProperties, Exits, ClobbersExit, bc#21) // return undefined. 42:<!0:-> Return(Untyped:Kill:@4, MustGen, W:SideState, Exits, bc#26) 1186502 16 277115 mark.lam 2016-04-22 16:45:26 -0700 Created attachment 277115 proposed patch. 1186503 17 mark.lam 2016-04-22 16:49:22 -0700 Landed in r199935: <http://trac.webkit.org/r199935>. 269762 2016-01-25 11:06:47 -0800 2016-01-25 11:06:47 -0800 Jit bug repro, prints FAILED for incorrect results safari_repro.html text/html 910 rsturgell PGJvZHk+CjxzY3JpcHQ+CmZ1bmN0aW9uIGxvZyhzdHIpIHsKICB2YXIgZGl2ID0gZG9jdW1lbnQu Y3JlYXRlRWxlbWVudCgnZGl2Jyk7CiAgZGl2LmlubmVySFRNTCA9IHN0cjsKICBkb2N1bWVudC5i b2R5LmFwcGVuZENoaWxkKGRpdik7IAp9CgpmdW5jdGlvbiBiYWRGdW5jKHR0LCBhKSB7IAogIC8v IFRoaXMgdmFyaWFibGUgcmUtdXNlIHNlZW1zIGltcG9ydGFudCAtIHJlbmFtZSBpdCBhbmQgdGhl IGJ1ZyBnb2VzIGF3YXkuCiAgYSA9IHR0LnhbYV07CiAgaWYgKDEgPT0gMCkgewogICAgLy8gSWYg dGhpcyAodW5yZWFjaGFibGUpIGJsb2NrIGlzIHJlbW92ZWQsIHRoZSBidWcgZ29lcyBhd2F5ISEK ICAgIHR0Lm1bdHQuYyArIDBdID0gYTsKICAgIHR0Lm1bdHQuYyArIDFdID0gYTsKICAgIHR0Lm1b dHQuYyArIDJdID0gYTsKICAgIHR0LmMgKz0gMzsKICB9IGVsc2UgewogICAgdHQubVt0dC5jICsg MF0gPSBhOwogICAgdHQuYysrOwogIH0KfQoKZnVuY3Rpb24gY2FsYygpIHsgCiAgdmFyIGNvdW50 ID0gMDsKICB2YXIgdHQgPSB7CiAgICB4OiBuZXcgVWludDMyQXJyYXkoWzQyNjE0MTI4NjQsIDFd KSwKICAgIG06IG5ldyBVaW50MzJBcnJheSgzMDAwKSwKICAgIGM6IDAKICB9CiAgYmFkRnVuYyh0 dCwgMCk7CiAgYmFkRnVuYyh0dCwgMSk7CiAgcmV0dXJuIHR0Lm1bMV07Cn0KCmZ1bmN0aW9uIHJ1 bigpIHsKICBmb3IgKHZhciBpID0gMDsgaSA8IDIwMDAwOyBpKyspIHsKICAgIHZhciByZXN1bHQg PSBjYWxjKCk7CiAgICBpZiAocmVzdWx0ICE9IDEpIHsKICAgICAgbG9nKCdGQUlMRUQhIEdvdCBy ZXN1bHQgJyArIHJlc3VsdCArICcgYXQgaXRlcmF0aW9uICcgKyBpKTsKICAgICAgcmV0dXJuOwog ICAgfQogIH0KICBsb2coJ1BBU1NFRCcpOyAKfQoKcnVuKCk7Cjwvc2NyaXB0Pgo8L2JvZHk+Cg== 277115 2016-04-22 16:45:26 -0700 2016-04-22 16:46:06 -0700 proposed patch. bug-153431.patch text/plain 6248 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk5OTM0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIyIEBA CisyMDE2LTA0LTIyICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBq YXZhc2NyaXB0IGppdCBidWcgYWZmZWN0aW5nIEdvb2dsZSBNYXBzLgorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTUzNDMxCisKKyAgICAgICAgUmV2aWV3 ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhlIGlzc3VlIHdhcyBkdWUgdG8gdGhl IGFic3RyYWN0IGludGVycHJldGVyIHdyb25nbHkgbWFya2luZyB0aGUgdHlwZSBvZiB0aGUKKyAg ICAgICAgdmFsdWUgcmVhZCBmcm9tIHRoZSBVaW50M0FycmF5IGFzIFNwZWNJbnQ1Miwgd2hpY2gg cHJlY2x1ZGVzIGl0IGZyb20gYmVpbmcgYW4KKyAgICAgICAgSW50MzIuICBUaGlzIHByb3ZlcyB0 byBiZSBmYWxzZSwgYW5kIHRoZSBnZW5lcmF0ZWQgY29kZSBmYWlsZWQgdG8gaGFuZGxlIHRoZSBj YXNlCisgICAgICAgIHdoZXJlIHRoZSByZWFkIHZhbHVlIGlzIGFjdHVhbGx5IGFuIEludDMyLgor CisgICAgICAgIFRoZSBmaXggaXMgdG8gaGF2ZSB0aGUgYWJzdHJhY3QgaW50ZXJwcmV0ZXIgdXNl IFNwZWNNYWNoaW5lSW50IGluc3RlYWQgb2YKKyAgICAgICAgU3BlY0ludDUyLgorCisgICAgICAg ICogYnl0ZWNvZGUvU3BlY3VsYXRlZFR5cGUuaDoKKyAgICAgICAgKiBkZmcvREZHQWJzdHJhY3RJ bnRlcnByZXRlcklubGluZXMuaDoKKyAgICAgICAgKEpTQzo6REZHOjpBYnN0cmFjdEludGVycHJl dGVyPEFic3RyYWN0U3RhdGVUeXBlPjo6ZXhlY3V0ZUVmZmVjdHMpOgorCiAyMDE2LTA0LTIyICBC ZW5qYW1pbiBQb3VsYWluICA8YnBvdWxhaW5AYXBwbGUuY29tPgogCiAgICAgICAgIFtKU0NdIFBy ZWRpY3Rpb25Qcm9wYWdhdGlvbiBzaG91bGQgbm90IGJlIGluIHRoZSB0b3AgNSBoZWF2aWVzdCBw aGFzZXMKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9TcGVjdWxhdGVkVHlw ZS5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ieXRlY29kZS9TcGVjdWxh dGVkVHlwZS5oCShyZXZpc2lvbiAxOTk5MzQpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0 ZWNvZGUvU3BlY3VsYXRlZFR5cGUuaAkod29ya2luZyBjb3B5KQpAQCAtNjcsNyArNjcsNyBAQCBz dGF0aWMgY29uc3QgU3BlY3VsYXRlZFR5cGUgU3BlY0NlbGwgICAgCiBzdGF0aWMgY29uc3QgU3Bl Y3VsYXRlZFR5cGUgU3BlY0Jvb2xJbnQzMiAgICAgICAgICA9IDF1IDw8IDIxOyAvLyBJdCdzIGRl ZmluaXRlbHkgYW4gSW50MzIgd2l0aCB2YWx1ZSAwIG9yIDEuCiBzdGF0aWMgY29uc3QgU3BlY3Vs YXRlZFR5cGUgU3BlY05vbkJvb2xJbnQzMiAgICAgICA9IDF1IDw8IDIyOyAvLyBJdCdzIGRlZmlu aXRlbHkgYW4gSW50MzIgd2l0aCB2YWx1ZSBvdGhlciB0aGFuIDAgb3IgMS4KIHN0YXRpYyBjb25z dCBTcGVjdWxhdGVkVHlwZSBTcGVjSW50MzIgICAgICAgICAgICAgID0gU3BlY0Jvb2xJbnQzMiB8 IFNwZWNOb25Cb29sSW50MzI7IC8vIEl0J3MgZGVmaW5pdGVseSBhbiBJbnQzMi4KLXN0YXRpYyBj b25zdCBTcGVjdWxhdGVkVHlwZSBTcGVjSW50NTIgICAgICAgICAgICAgID0gMXUgPDwgMjM7IC8v IEl0J3MgZGVmaW5pdGVseSBhbiBJbnQ1MiBhbmQgd2UgaW50ZW5kIGl0IHRvIHVuYm94IGl0Lgor c3RhdGljIGNvbnN0IFNwZWN1bGF0ZWRUeXBlIFNwZWNJbnQ1MiAgICAgICAgICAgICAgPSAxdSA8 PCAyMzsgLy8gSXQncyBkZWZpbml0ZWx5IGFuIEludDUyIGFuZCB3ZSBpbnRlbmQgaXQgdG8gdW5i b3ggaXQuIEl0J3MgYWxzbyBkZWZpbml0ZWx5IG5vdCBhbiBJbnQzMi4KIHN0YXRpYyBjb25zdCBT cGVjdWxhdGVkVHlwZSBTcGVjTWFjaGluZUludCAgICAgICAgID0gU3BlY0ludDMyIHwgU3BlY0lu dDUyOyAvLyBJdCdzIHNvbWV0aGluZyB0aGF0IHdlIGNhbiBkbyBtYWNoaW5lIGludCBhcml0aG1l dGljIG9uLgogc3RhdGljIGNvbnN0IFNwZWN1bGF0ZWRUeXBlIFNwZWNJbnQ1MkFzRG91YmxlICAg ICAgPSAxdSA8PCAyNDsgLy8gSXQncyBkZWZpbml0ZWx5IGFuIEludDUyIGFuZCBpdCdzIGluc2lk ZSBhIGRvdWJsZS4KIHN0YXRpYyBjb25zdCBTcGVjdWxhdGVkVHlwZSBTcGVjSW50ZWdlciAgICAg ICAgICAgID0gU3BlY01hY2hpbmVJbnQgfCBTcGVjSW50NTJBc0RvdWJsZTsgLy8gSXQncyBkZWZp bml0ZWx5IHNvbWUga2luZCBvZiBpbnRlZ2VyLgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3Jl L2RmZy9ERkdBYnN0cmFjdEludGVycHJldGVySW5saW5lcy5oCj09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJj ZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHQWJzdHJhY3RJbnRlcnByZXRlcklubGluZXMuaAkocmV2 aXNpb24gMTk5OTM0KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdBYnN0cmFjdElu dGVycHJldGVySW5saW5lcy5oCSh3b3JraW5nIGNvcHkpCkBAIC0xNTYyLDcgKzE1NjIsNyBAQCBi b29sIEFic3RyYWN0SW50ZXJwcmV0ZXI8QWJzdHJhY3RTdGF0ZVR5CiAgICAgICAgICAgICBpZiAo bm9kZS0+c2hvdWxkU3BlY3VsYXRlSW50MzIoKSkKICAgICAgICAgICAgICAgICBmb3JOb2RlKG5v ZGUpLnNldFR5cGUoU3BlY0ludDMyKTsKICAgICAgICAgICAgIGVsc2UgaWYgKGVuYWJsZUludDUy KCkgJiYgbm9kZS0+c2hvdWxkU3BlY3VsYXRlTWFjaGluZUludCgpKQotICAgICAgICAgICAgICAg IGZvck5vZGUobm9kZSkuc2V0VHlwZShTcGVjSW50NTIpOworICAgICAgICAgICAgICAgIGZvck5v ZGUobm9kZSkuc2V0VHlwZShTcGVjTWFjaGluZUludCk7CiAgICAgICAgICAgICBlbHNlCiAgICAg ICAgICAgICAgICAgZm9yTm9kZShub2RlKS5zZXRUeXBlKFNwZWNJbnQ1MkFzRG91YmxlKTsKICAg ICAgICAgICAgIGJyZWFrOwpJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gMTk5OTM0KQorKysgTGF5b3V0VGVz dHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAKKzIwMTYtMDQtMjIg IE1hcmsgTGFtICA8bWFyay5sYW1AYXBwbGUuY29tPgorCisgICAgICAgIGphdmFzY3JpcHQgaml0 IGJ1ZyBhZmZlY3RpbmcgR29vZ2xlIE1hcHMuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQu b3JnL3Nob3dfYnVnLmNnaT9pZD0xNTM0MzEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkg KE9PUFMhKS4KKworICAgICAgICAqIGpzL3JlZ3Jlc3MvYnVnLTE1MzQzMS1leHBlY3RlZC50eHQ6 IEFkZGVkLgorICAgICAgICAqIGpzL3JlZ3Jlc3MvYnVnLTE1MzQzMS5odG1sOiBBZGRlZC4KKyAg ICAgICAgKiBqcy9yZWdyZXNzL3NjcmlwdC10ZXN0cy9idWctMTUzNDMxLmpzOiBBZGRlZC4KKwog MjAxNi0wNC0yMiAgR2VvZmZyZXkgR2FyZW4gIDxnZ2FyZW5AYXBwbGUuY29tPgogCiAgICAgICAg IHN1cGVyIHNob3VsZCBiZSBhdmFpbGFibGUgaW4gb2JqZWN0IGxpdGVyYWxzCkluZGV4OiBMYXlv dXRUZXN0cy9qcy9yZWdyZXNzL2J1Zy0xNTM0MzEtZXhwZWN0ZWQudHh0Cj09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0t IExheW91dFRlc3RzL2pzL3JlZ3Jlc3MvYnVnLTE1MzQzMS1leHBlY3RlZC50eHQJKHJldmlzaW9u IDApCisrKyBMYXlvdXRUZXN0cy9qcy9yZWdyZXNzL2J1Zy0xNTM0MzEtZXhwZWN0ZWQudHh0CSh3 b3JraW5nIGNvcHkpCkBAIC0wLDAgKzEsMTAgQEAKK0pTUmVncmVzcy9idWctMTUzNDMxCisKK09u IHN1Y2Nlc3MsIHlvdSB3aWxsIHNlZSBhIHNlcmllcyBvZiAiUEFTUyIgbWVzc2FnZXMsIGZvbGxv d2VkIGJ5ICJURVNUIENPTVBMRVRFIi4KKworCitQQVNTIG5vIGV4Y2VwdGlvbiB0aHJvd24KK1BB U1Mgc3VjY2Vzc2Z1bGx5UGFyc2VkIGlzIHRydWUKKworVEVTVCBDT01QTEVURQorCkluZGV4OiBM YXlvdXRUZXN0cy9qcy9yZWdyZXNzL2J1Zy0xNTM0MzEuaHRtbAo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBMYXlv dXRUZXN0cy9qcy9yZWdyZXNzL2J1Zy0xNTM0MzEuaHRtbAkocmV2aXNpb24gMCkKKysrIExheW91 dFRlc3RzL2pzL3JlZ3Jlc3MvYnVnLTE1MzQzMS5odG1sCSh3b3JraW5nIGNvcHkpCkBAIC0wLDAg KzEsMTIgQEAKKzwhRE9DVFlQRSBIVE1MIFBVQkxJQyAiLS8vSUVURi8vRFREIEhUTUwvL0VOIj4K KzxodG1sPgorPGhlYWQ+Cis8c2NyaXB0IHNyYz0iLi4vLi4vcmVzb3VyY2VzL2pzLXRlc3QtcHJl LmpzIj48L3NjcmlwdD4KKzwvaGVhZD4KKzxib2R5PgorPHNjcmlwdCBzcmM9Ii4uLy4uL3Jlc291 cmNlcy9yZWdyZXNzLXByZS5qcyI+PC9zY3JpcHQ+Cis8c2NyaXB0IHNyYz0ic2NyaXB0LXRlc3Rz L2J1Zy0xNTM0MzEuanMiPjwvc2NyaXB0PgorPHNjcmlwdCBzcmM9Ii4uLy4uL3Jlc291cmNlcy9y ZWdyZXNzLXBvc3QuanMiPjwvc2NyaXB0PgorPHNjcmlwdCBzcmM9Ii4uLy4uL3Jlc291cmNlcy9q cy10ZXN0LXBvc3QuanMiPjwvc2NyaXB0PgorPC9ib2R5PgorPC9odG1sPgpJbmRleDogTGF5b3V0 VGVzdHMvanMvcmVncmVzcy9zY3JpcHQtdGVzdHMvYnVnLTE1MzQzMS5qcwo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBMYXlvdXRUZXN0cy9qcy9yZWdyZXNzL3NjcmlwdC10ZXN0cy9idWctMTUzNDMxLmpzCShyZXZp c2lvbiAwKQorKysgTGF5b3V0VGVzdHMvanMvcmVncmVzcy9zY3JpcHQtdGVzdHMvYnVnLTE1MzQz MS5qcwkod29ya2luZyBjb3B5KQpAQCAtMCwwICsxLDM2IEBACisvL0AgcnVuRGVmYXVsdAorCisv LyBSZWdyZXNzaW9uIHRlc3QgZm9yIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD0xNTM0MzEuCisvLyBSZWR1Y2VkIHZlcnNpb24gYmFzZWQgb24gdGhlIHJlcHJvZHVjdGlv biBjYXNlIHByb3ZpZGVkIGJ5IFJ5YW4gU3R1cmdlbGwgaW4gdGhlIGJ1ZywKKy8vIHdpdGggc29t ZSB2YXJpYWJsZSByZW5hbWVzIHRvIHJlYWQgc2xpZ2h0bHkgYmV0dGVyLgorCitmdW5jdGlvbiBh c3NlcnQodGVzdGVkVmFsdWUpIHsKKyAgICBpZiAoIXRlc3RlZFZhbHVlKQorICAgICAgICB0aHJv dyBFcnJvcigiRmFpbGVkIGFzc2VydGlvbiIpOworfQorCitmdW5jdGlvbiBiYWRGdW5jKGFyciwg b3BlcmFuZCwgcmVzdWx0QXJyKSB7IAorICAgIC8vIFRoaXMgcmUtdXNlIG9mIHZhcmlhYmxlICJv cGVyYW5kIiBpcyBpbXBvcnRhbnQgLSByZW5hbWUgaXQgYW5kIHRoZSBidWcgZ29lcyBhd2F5Lgor ICAgIG9wZXJhbmQgPSBhcnJbb3BlcmFuZF07CisgICAgaWYgKGZhbHNlKSB7CisgICAgICAgIC8v IElmIHRoaXMgdW5yZWFjaGFibGUgYmxvY2sgaXMgcmVtb3ZlZCwgdGhlIGJ1ZyBnb2VzIGF3YXkh IQorICAgIH0gZWxzZSAKKyAgICB7CisgICAgICAgIHJlc3VsdEFyclswXSA9IG9wZXJhbmQ7Cisg ICAgfQorfQorbm9JbmxpbmUoYmFkRnVuYyk7CisKK2Z1bmN0aW9uIHJ1bigpIHsKKyAgICBmb3Ig KHZhciBpID0gMDsgaSA8IDEwMDAwOyBpKyspIHsKKyAgICAgICAgdmFyIGFyciA9IG5ldyBVaW50 MzJBcnJheShbMHg4MDAwMDAwMCwxXSk7IC8vIE5lZWRzIHRvIGJlIGFuIFVpbnQzMkFycmF5Lgor ICAgICAgICB2YXIgcmVzdWx0QXJyID0gW107CisKKyAgICAgICAgYmFkRnVuYyhhcnIsIDAsIHJl c3VsdEFycik7CisgICAgICAgIGFzc2VydChyZXN1bHRBcnJbMF0gPT0gYXJyWzBdKTsKKyAgICAg ICAgYmFkRnVuYyhhcnIsIDEsIHJlc3VsdEFycik7CisgICAgICAgIGFzc2VydChyZXN1bHRBcnJb MF0gPT0gYXJyWzFdKTsKKyAgICB9Cit9CisKK3J1bigpOwo=