178298 2017-10-13 15:29:09 -0700 JSRunLoopTimer: reduce likely race when used improperly 2017-10-16 09:19:34 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 jfbastien jfbastien aestes buildbot commit-queue fpizlo jfbastien keith_miller mark.lam msaboff rmorisset saam webkit-bug-importer oldest_to_newest 1360270 0 jfbastien 2017-10-13 15:29:09 -0700 If an API user sets a timer on JSRunLoopTimer, and then racily destroys the JSRunLoopTimer while the timer is firing then it's possible for timerDidFire to cause a use-after-free and / or crash because e.g. m_apiLock becomes a nullptr while timerDidFire is executing. That results from an invalid use of JSRunLoopTimer, but we should try to be more resilient for that type of misuse because it's not necessarily easy to catch by inspection. 1360272 1 jfbastien 2017-10-13 15:29:40 -0700 <rdar://problem/32899816> 1360276 2 323757 jfbastien 2017-10-13 15:35:03 -0700 Created attachment 323757 patch Just to confirm, the assembly now looks like this: __ZN3JSC14JSRunLoopTimer12timerDidFireEv: __ZN3JSC14JSRunLoopTimer12timerDidFireEv: sub sp, sp, #0x30 sub sp, sp, #0x40 stp x22, x21, [sp, #0x10] stp x20, x19, [sp, #0x10] stp x20, x19, [sp, #0x20] stp x29, x30, [sp, #0x20] stp x29, x30, [sp, #0x30] add x29, sp, #0x20 add x29, sp, #0x30 mov x20, x0 mov x21, x0 ldr x0, [x20, #0x18] ldr x19, [x21, #0x18] cbz x19, 0x??? mov x0, x19 bl 0x??? bl 0x??? ldr x0, [x20, #0x18] ldr x19, [x0, #0x20] ldr x20, [x19, #0x20] cbz x19, 0x??? cbz x20, 0x??? ldaxr w8, [x19] ldaxr w8, [x20] The main safeguard is the acquisition of m_apiLock, though. 1360279 3 buildbot 2017-10-13 15:36:57 -0700 Attachment 323757 did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:11: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free, use-after-free [changelog/unwantedsecurityterms] [3] ERROR: Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:57: One line control clauses should not use braces. [whitespace/braces] [4] Total errors found: 2 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1360281 4 323757 saam 2017-10-13 15:43:21 -0700 Comment on attachment 323757 patch View in context: https://bugs.webkit.org/attachment.cgi?id=323757&action=review It doesn't seem like we actually solve the bug here. Your code implies we may end up reading a field even after it dies. What if we used ref counting to ref the timer when it has a timer scheduled? > Source/JavaScriptCore/ChangeLog:20 > + `this` and turns a nullptr deref into “just” a use-after-free. remove unicode > Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:52 > + std::lock_guard<JSLock> lock(*apiLock); why not holdLock? > Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:58 > + JSLockHolder locker(vm.get()); Why do we need this if we're holding it up there? > Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:94 > + std::lock_guard<JSLock> lock(*apiLock); ditto w.r.t holdLock 1360291 5 323761 jfbastien 2017-10-13 16:05:59 -0700 Created attachment 323761 patch Adress in-person comments from Andy. > It doesn't seem like we actually solve the bug here. Your code implies we > may end up reading a field even after it dies. What if we used ref counting > to ref the timer when it has a timer scheduled? I added a comment to that effect in the ChangeLog. I can explore refcounting separately, but I don't think it fits the scope of a small and targeted quick fix. At the end of the day we can try to be as robust as we want, but if the API is misused we'll be in trouble anyways, no? This seems like an easy way to avoid the simplest issues without being invasive. > > Source/JavaScriptCore/ChangeLog:20 > > + `this` and turns a nullptr deref into âjustâ a use-after-free. > > remove unicode Done. > > Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:52 > > + std::lock_guard<JSLock> lock(*apiLock); > > why not holdLock? lock_guard is used 2:1 in WebKit. Seems weird to duplicate a simple idiomatic thing from C++11 that does exactly the same thing. > > Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:58 > > + JSLockHolder locker(vm.get()); > > Why do we need this if we're holding it up there? You're right, I forgot those were the same! Gone. 1360294 6 buildbot 2017-10-13 16:07:11 -0700 Attachment 323761 did not pass style-queue: ERROR: Source/JavaScriptCore/ChangeLog:11: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free, use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1360296 7 saam 2017-10-13 16:07:40 -0700 I'm not a fan, but I won't stop you from landing. My reason for wanting holdLock is it's more idiomatic JSC code. 1360307 8 jfbastien 2017-10-13 16:32:28 -0700 (In reply to Saam Barati from comment #7) > I'm not a fan, but I won't stop you from landing. Agreed, I'm not a fan either, but it seems like the simplest fix for a frequent crash. Will hold off committing until I hear from Divya. 1360764 9 323761 fpizlo 2017-10-16 08:49:31 -0700 Comment on attachment 323761 patch LGTM too 1360766 10 323761 jfbastien 2017-10-16 08:51:07 -0700 Comment on attachment 323761 patch Talked to pizlo, committing to trunk. 1360778 11 323761 commit-queue 2017-10-16 09:19:32 -0700 Comment on attachment 323761 patch Clearing flags on attachment: 323761 Committed r223409: <https://trac.webkit.org/changeset/223409> 1360779 12 commit-queue 2017-10-16 09:19:34 -0700 All reviewed patches have been landed. Closing bug. 323757 2017-10-13 15:35:03 -0700 2017-10-13 16:05:59 -0700 patch 0001-JSRunLoopTimer-reduce-likely-race-when-used-improper.patch text/plain 3669 jfbastien RnJvbSA0YWE5OTFhMjBiYWEzMTkyZDQ3NDYxNjZlODZmMGY4ODZkMDVlZGU1IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBKRiBCYXN0aWVuIDxqZmJhc3RpZW5AYXBwbGUuY29tPgpEYXRl OiBGcmksIDEzIE9jdCAyMDE3IDE1OjMzOjI4IC0wNzAwClN1YmplY3Q6IFtQQVRDSF0gSlNSdW5M b29wVGltZXI6IHJlZHVjZSBsaWtlbHkgcmFjZSB3aGVuIHVzZWQgaW1wcm9wZXJseQoKLS0tCiBT b3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nICAgICAgICAgICAgICAgICAgfCAyNyArKysr KysrKysrKysrKysrKysrKysrCiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU1J1bkxv b3BUaW1lci5jcHAgfCAyOSArKysrKysrKysrKystLS0tLS0tLS0tLS0KIDIgZmlsZXMgY2hhbmdl ZCwgNDIgaW5zZXJ0aW9ucygrKSwgMTQgZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VM b2cKaW5kZXggOTY2OWY0ZC4uZTM5MmRhMiAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRD b3JlL0NoYW5nZUxvZworKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCkBAIC0x LDMgKzEsMzAgQEAKKzIwMTctMTAtMTMgIEpGIEJhc3RpZW4gIDxqZmJhc3RpZW5AYXBwbGUuY29t PgorCisgICAgICAgIEpTUnVuTG9vcFRpbWVyOiByZWR1Y2UgbGlrZWx5IHJhY2Ugd2hlbiB1c2Vk IGltcHJvcGVybHkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dp P2lkPTE3ODI5OAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMzI4OTk4MTY+CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgSWYgYW4gQVBJIHVzZXIgc2V0 cyBhIHRpbWVyIG9uIEpTUnVuTG9vcFRpbWVyLCBhbmQgdGhlbiByYWNpbHkKKyAgICAgICAgZGVz dHJveXMgdGhlIEpTUnVuTG9vcFRpbWVyIHdoaWxlIHRoZSB0aW1lciBpcyBmaXJpbmcgdGhlbiBp dCdzCisgICAgICAgIHBvc3NpYmxlIGZvciB0aW1lckRpZEZpcmUgdG8gY2F1c2UgYSB1c2UtYWZ0 ZXItZnJlZSBhbmQgLyBvciBjcmFzaAorICAgICAgICBiZWNhdXNlIGUuZy4gbV9hcGlMb2NrIGJl Y29tZXMgYSBudWxscHRyIHdoaWxlIHRpbWVyRGlkRmlyZSBpcworICAgICAgICBleGVjdXRpbmcu IFRoYXQgcmVzdWx0cyBmcm9tIGFuIGludmFsaWQgdXNlIG9mIEpTUnVuTG9vcFRpbWVyLCBidXQK KyAgICAgICAgd2Ugc2hvdWxkIHRyeSB0byBiZSBtb3JlIHJlc2lsaWVudCBmb3IgdGhhdCB0eXBl IG9mIG1pc3VzZSBiZWNhdXNlCisgICAgICAgIGl0J3Mgbm90IG5lY2Vzc2FyaWx5IGVhc3kgdG8g Y2F0Y2ggYnkgaW5zcGVjdGlvbi4KKworICAgICAgICAqIHJ1bnRpbWUvSlNSdW5Mb29wVGltZXIu Y3BwOgorICAgICAgICAoSlNDOjpKU1J1bkxvb3BUaW1lcjo6dGltZXJEaWRGaXJlKTogcHV0IG1f YXBpTG9jayBvbiB0aGUgc3RhY2ssCisgICAgICAgIGFuZCBjaGVja3MgZm9yIG51bGxwdHIuIFRo aXMgcHJldmVudHMgbG9hZGluZyBpdCB0d2ljZSBvZmYgb2YKKyAgICAgICAgYHRoaXNgIGFuZCB0 dXJucyBhIG51bGxwdHIgZGVyZWYgaW50byDigJxqdXN04oCdIGEgdXNlLWFmdGVyLWZyZWUuCisg ICAgICAgIChKU0M6OkpTUnVuTG9vcFRpbWVyOjp+SlNSdW5Mb29wVGltZXIpOiBhY3F1aXJlIG1f YXBpTG9jayBiZWZvcmUKKyAgICAgICAgY2FsbGluZyBtX3ZtLT51bnJlZ2lzdGVyUnVuTG9vcFRp bWVyKHRoaXMpLCB3aGljaCBpbiB0dXJuIGRvZXMKKyAgICAgICAgQ0ZSdW5Mb29wUmVtb3ZlVGlt ZXIgLyBDRlJ1bkxvb3BUaW1lckludmFsaWRhdGUuIFRoaXMgcHJldmVudHMKKyAgICAgICAgdGlt ZXJEaWRGaXJlIGZyb20gZG9pbmcgbXVjaCB3aGlsZSB0aGUgdGltZXJzIGFyZSB1bi1yZWdpc3Rl cmVkLgorICAgICAgICB+SlNSdW5Mb29wVGltZXIgYWxzbyBuZWVkcyB0byBzZXQgbV9hcGlMb2Nr IHRvIG51bGxwdHIgYmVmb3JlCisgICAgICAgIHJlbGVhc2luZyB0aGUgbG9jaywgc28gaXQgbmVl ZHMgaXRzIG93biBsb2NhbCBjb3B5LgorCiAyMDE3LTEwLTExICBDb21taXQgUXVldWUgIDxjb21t aXQtcXVldWVAd2Via2l0Lm9yZz4KIAogICAgICAgICBVbnJldmlld2VkLCByb2xsaW5nIG91dCBy MjIzMTEzIGFuZCByMjIzMTIxLgpkaWZmIC0tZ2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1 bnRpbWUvSlNSdW5Mb29wVGltZXIuY3BwIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUv SlNSdW5Mb29wVGltZXIuY3BwCmluZGV4IDY0MjRiNzEuLmNhZjU3ZmUgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTUnVuTG9vcFRpbWVyLmNwcAorKysgYi9Tb3Vy Y2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU1J1bkxvb3BUaW1lci5jcHAKQEAgLTQwLDI3ICs0 MCwyNSBAQAogI2luY2x1ZGUgPHd0Zi9nbGliL1J1bkxvb3BTb3VyY2VQcmlvcml0eS5oPgogI2Vu ZGlmCiAKKyNpbmNsdWRlIDxtdXRleD4KKwogbmFtZXNwYWNlIEpTQyB7CiAKIGNvbnN0IFNlY29u ZHMgSlNSdW5Mb29wVGltZXI6OnNfZGVjYWRlIHsgNjAgKiA2MCAqIDI0ICogMzY1ICogMTAgfTsK IAogdm9pZCBKU1J1bkxvb3BUaW1lcjo6dGltZXJEaWRGaXJlKCkKIHsKLSAgICBtX2FwaUxvY2st PmxvY2soKTsKLQotICAgIFJlZlB0cjxWTT4gdm0gPSBtX2FwaUxvY2stPnZtKCk7Ci0gICAgaWYg KCF2bSkgewotICAgICAgICAvLyBUaGUgVk0gaGFzIGJlZW4gZGVzdHJveWVkLCBzbyB3ZSBzaG91 bGQganVzdCBnaXZlIHVwLgotICAgICAgICBtX2FwaUxvY2stPnVubG9jaygpOwotICAgICAgICBy ZXR1cm47CisgICAgaWYgKEpTTG9jayogYXBpTG9jayA9IG1fYXBpTG9jay5nZXQoKSkgeworICAg ICAgICBzdGQ6OmxvY2tfZ3VhcmQ8SlNMb2NrPiBsb2NrKCphcGlMb2NrKTsKKworICAgICAgICBS ZWZQdHI8Vk0+IHZtID0gYXBpTG9jay0+dm0oKTsKKyAgICAgICAgaWYgKCF2bSkgeworICAgICAg ICAgICAgLy8gVGhlIFZNIGhhcyBiZWVuIGRlc3Ryb3llZCwgc28gd2Ugc2hvdWxkIGp1c3QgZ2l2 ZSB1cC4KKyAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgIEpTTG9ja0hvbGRlciBsb2NrZXIo dm0uZ2V0KCkpOworICAgICAgICAgICAgZG9Xb3JrKCk7CisgICAgICAgIH0KICAgICB9Ci0KLSAg ICB7Ci0gICAgICAgIEpTTG9ja0hvbGRlciBsb2NrZXIodm0uZ2V0KCkpOwotICAgICAgICBkb1dv cmsoKTsKLSAgICB9Ci0KLSAgICBtX2FwaUxvY2stPnVubG9jaygpOwogfQogCiAjaWYgVVNFKENG KQpAQCAtOTIsNyArOTAsMTAgQEAgdm9pZCBKU1J1bkxvb3BUaW1lcjo6c2V0UnVuTG9vcChDRlJ1 bkxvb3BSZWYgcnVuTG9vcCkKIAogSlNSdW5Mb29wVGltZXI6On5KU1J1bkxvb3BUaW1lcigpCiB7 CisgICAgSlNMb2NrKiBhcGlMb2NrID0gbV9hcGlMb2NrLmdldCgpOworICAgIHN0ZDo6bG9ja19n dWFyZDxKU0xvY2s+IGxvY2soKmFwaUxvY2spOwogICAgIG1fdm0tPnVucmVnaXN0ZXJSdW5Mb29w VGltZXIodGhpcyk7CisgICAgbV9hcGlMb2NrID0gbnVsbHB0cjsKIH0KIAogdm9pZCBKU1J1bkxv b3BUaW1lcjo6dGltZXJEaWRGaXJlQ2FsbGJhY2soQ0ZSdW5Mb29wVGltZXJSZWYsIHZvaWQqIGNv bnRleHRQdHIpCi0tIAoyLjkuMwoK 323761 2017-10-13 16:05:59 -0700 2017-10-16 09:19:32 -0700 patch 0001-JSRunLoopTimer-reduce-likely-race-when-used-improper.patch text/plain 3925 jfbastien RnJvbSAyODVkZmY5ZmIxOWZmODM2NjVmMzA0ZDg1ODBkNzc5NmNjYjRhMTIzIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBKRiBCYXN0aWVuIDxqZmJhc3RpZW5AYXBwbGUuY29tPgpEYXRl OiBGcmksIDEzIE9jdCAyMDE3IDE1OjMzOjI4IC0wNzAwClN1YmplY3Q6IFtQQVRDSF0gSlNSdW5M b29wVGltZXI6IHJlZHVjZSBsaWtlbHkgcmFjZSB3aGVuIHVzZWQgaW1wcm9wZXJseQoKLS0tCiBT b3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nICAgICAgICAgICAgICAgICAgfCAzNCArKysr KysrKysrKysrKysrKysrKysrKysKIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTUnVu TG9vcFRpbWVyLmNwcCB8IDIyICsrKysrKysrLS0tLS0tLQogMiBmaWxlcyBjaGFuZ2VkLCA0NyBp bnNlcnRpb25zKCspLCA5IGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2Ny aXB0Q29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCmluZGV4 IDk2NjlmNGQuLjg3ZjcwYmEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFu Z2VMb2cKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDM3 IEBACisyMDE3LTEwLTEzICBKRiBCYXN0aWVuICA8amZiYXN0aWVuQGFwcGxlLmNvbT4KKworICAg ICAgICBKU1J1bkxvb3BUaW1lcjogcmVkdWNlIGxpa2VseSByYWNlIHdoZW4gdXNlZCBpbXByb3Bl cmx5CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNzgy OTgKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMyODk5ODE2PgorCisgICAgICAgIFJldmlld2Vk IGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIElmIGFuIEFQSSB1c2VyIHNldHMgYSB0aW1l ciBvbiBKU1J1bkxvb3BUaW1lciwgYW5kIHRoZW4gcmFjaWx5CisgICAgICAgIGRlc3Ryb3lzIHRo ZSBKU1J1bkxvb3BUaW1lciB3aGlsZSB0aGUgdGltZXIgaXMgZmlyaW5nIHRoZW4gaXQncworICAg ICAgICBwb3NzaWJsZSBmb3IgdGltZXJEaWRGaXJlIHRvIGNhdXNlIGEgdXNlLWFmdGVyLWZyZWUg YW5kIC8gb3IgY3Jhc2gKKyAgICAgICAgYmVjYXVzZSBlLmcuIG1fYXBpTG9jayBiZWNvbWVzIGEg bnVsbHB0ciB3aGlsZSB0aW1lckRpZEZpcmUgaXMKKyAgICAgICAgZXhlY3V0aW5nLiBUaGF0IHJl c3VsdHMgZnJvbSBhbiBpbnZhbGlkIHVzZSBvZiBKU1J1bkxvb3BUaW1lciwgYnV0CisgICAgICAg IHdlIHNob3VsZCB0cnkgdG8gYmUgbW9yZSByZXNpbGllbnQgZm9yIHRoYXQgdHlwZSBvZiBtaXN1 c2UgYmVjYXVzZQorICAgICAgICBpdCdzIG5vdCBuZWNlc3NhcmlseSBlYXN5IHRvIGNhdGNoIGJ5 IGluc3BlY3Rpb24uCisKKyAgICAgICAgV2l0aCB0aGlzIGNoYW5nZSB0aGUgb25seSByZW1haW5p bmcgcmFjZSBpcyBpZiB0aGUgdGltZXIgZmlyZXMsCisgICAgICAgIGFuZCB0aGVuIG9ubHkgdGlt ZXJEaWRGaXJlJ3MgcHJvbG9ndWUgZXhlY3V0ZXMsIGJ1dCBub3QgdGhlIGxvYWQKKyAgICAgICAg b2YgdGhlIG1fYXBpTG9jayBwb2ludGVyIGZyb20gYHRoaXNgLiBJdCdzIGEgbXVjaCBzbWFsbGVy IHJhY2UuCisKKyAgICAgICAgU2VwYXJhdGVseSwgSSdsbCByZWFjaCBvdXQgdG8gQVBJIHVzZXJz IHdobyBhcmUgc2VlbWluZ2x5IG1pc3VzaW5nCisgICAgICAgIHRoZSBBUEkuCisKKyAgICAgICAg KiBydW50aW1lL0pTUnVuTG9vcFRpbWVyLmNwcDoKKyAgICAgICAgKEpTQzo6SlNSdW5Mb29wVGlt ZXI6OnRpbWVyRGlkRmlyZSk6IHB1dCBtX2FwaUxvY2sgb24gdGhlIHN0YWNrLAorICAgICAgICBh bmQgY2hlY2tzIGZvciBudWxscHRyLiBUaGlzIHByZXZlbnRzIGxvYWRpbmcgaXQgdHdpY2Ugb2Zm IG9mCisgICAgICAgIGB0aGlzYCBhbmQgdHVybnMgYSBudWxscHRyIGRlcmVmIGludG8gImp1c3Qi IGEgdXNlLWFmdGVyLWZyZWUuCisgICAgICAgIChKU0M6OkpTUnVuTG9vcFRpbWVyOjp+SlNSdW5M b29wVGltZXIpOiBhY3F1aXJlIG1fYXBpTG9jayBiZWZvcmUKKyAgICAgICAgY2FsbGluZyBtX3Zt LT51bnJlZ2lzdGVyUnVuTG9vcFRpbWVyKHRoaXMpLCB3aGljaCBpbiB0dXJuIGRvZXMKKyAgICAg ICAgQ0ZSdW5Mb29wUmVtb3ZlVGltZXIgLyBDRlJ1bkxvb3BUaW1lckludmFsaWRhdGUuIFRoaXMg cHJldmVudHMKKyAgICAgICAgdGltZXJEaWRGaXJlIGZyb20gZG9pbmcgbXVjaCB3aGlsZSB0aGUg dGltZXJzIGFyZSB1bi1yZWdpc3RlcmVkLgorICAgICAgICB+SlNSdW5Mb29wVGltZXIgYWxzbyBu ZWVkcyB0byBzZXQgbV9hcGlMb2NrIHRvIG51bGxwdHIgYmVmb3JlCisgICAgICAgIHJlbGVhc2lu ZyB0aGUgbG9jaywgc28gaXQgbmVlZHMgaXRzIG93biBsb2NhbCBjb3B5LgorCiAyMDE3LTEwLTEx ICBDb21taXQgUXVldWUgIDxjb21taXQtcXVldWVAd2Via2l0Lm9yZz4KIAogICAgICAgICBVbnJl dmlld2VkLCByb2xsaW5nIG91dCByMjIzMTEzIGFuZCByMjIzMTIxLgpkaWZmIC0tZ2l0IGEvU291 cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNSdW5Mb29wVGltZXIuY3BwIGIvU291cmNlL0ph dmFTY3JpcHRDb3JlL3J1bnRpbWUvSlNSdW5Mb29wVGltZXIuY3BwCmluZGV4IDY0MjRiNzEuLjg5 ZWRiNjggMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTUnVuTG9v cFRpbWVyLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU1J1bkxvb3BU aW1lci5jcHAKQEAgLTQwLDI3ICs0MCwyOCBAQAogI2luY2x1ZGUgPHd0Zi9nbGliL1J1bkxvb3BT b3VyY2VQcmlvcml0eS5oPgogI2VuZGlmCiAKKyNpbmNsdWRlIDxtdXRleD4KKwogbmFtZXNwYWNl IEpTQyB7CiAKIGNvbnN0IFNlY29uZHMgSlNSdW5Mb29wVGltZXI6OnNfZGVjYWRlIHsgNjAgKiA2 MCAqIDI0ICogMzY1ICogMTAgfTsKIAogdm9pZCBKU1J1bkxvb3BUaW1lcjo6dGltZXJEaWRGaXJl KCkKIHsKLSAgICBtX2FwaUxvY2stPmxvY2soKTsKKyAgICBKU0xvY2sqIGFwaUxvY2sgPSBtX2Fw aUxvY2suZ2V0KCk7CisgICAgaWYgKCFhcGlMb2NrKSB7CisgICAgICAgIC8vIExpa2VseSBhIGJ1 Z2d5IHVzYWdlOiB0aGUgdGltZXIgZmlyZWQgd2hpbGUgSlNSdW5Mb29wVGltZXIgd2FzIGJlaW5n IGRlc3Ryb3llZC4KKyAgICAgICAgcmV0dXJuOworICAgIH0KIAotICAgIFJlZlB0cjxWTT4gdm0g PSBtX2FwaUxvY2stPnZtKCk7CisgICAgc3RkOjpsb2NrX2d1YXJkPEpTTG9jaz4gbG9jaygqYXBp TG9jayk7CisgICAgUmVmUHRyPFZNPiB2bSA9IGFwaUxvY2stPnZtKCk7CiAgICAgaWYgKCF2bSkg ewogICAgICAgICAvLyBUaGUgVk0gaGFzIGJlZW4gZGVzdHJveWVkLCBzbyB3ZSBzaG91bGQganVz dCBnaXZlIHVwLgotICAgICAgICBtX2FwaUxvY2stPnVubG9jaygpOwogICAgICAgICByZXR1cm47 CiAgICAgfQogCi0gICAgewotICAgICAgICBKU0xvY2tIb2xkZXIgbG9ja2VyKHZtLmdldCgpKTsK LSAgICAgICAgZG9Xb3JrKCk7Ci0gICAgfQotCi0gICAgbV9hcGlMb2NrLT51bmxvY2soKTsKKyAg ICBkb1dvcmsoKTsKIH0KIAogI2lmIFVTRShDRikKQEAgLTkyLDcgKzkzLDEwIEBAIHZvaWQgSlNS dW5Mb29wVGltZXI6OnNldFJ1bkxvb3AoQ0ZSdW5Mb29wUmVmIHJ1bkxvb3ApCiAKIEpTUnVuTG9v cFRpbWVyOjp+SlNSdW5Mb29wVGltZXIoKQogeworICAgIEpTTG9jayogYXBpTG9jayA9IG1fYXBp TG9jay5nZXQoKTsKKyAgICBzdGQ6OmxvY2tfZ3VhcmQ8SlNMb2NrPiBsb2NrKCphcGlMb2NrKTsK ICAgICBtX3ZtLT51bnJlZ2lzdGVyUnVuTG9vcFRpbWVyKHRoaXMpOworICAgIG1fYXBpTG9jayA9 IG51bGxwdHI7CiB9CiAKIHZvaWQgSlNSdW5Mb29wVGltZXI6OnRpbWVyRGlkRmlyZUNhbGxiYWNr KENGUnVuTG9vcFRpbWVyUmVmLCB2b2lkKiBjb250ZXh0UHRyKQotLSAKMi45LjMKCg==