206166 2020-01-13 02:51:25 -0800 scanSideState scans too much side state 2020-01-14 13:33:16 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 saelo keith_miller bfulgham commit-queue ews-feeder fpizlo keith_miller mark.lam product-security rmorisset saam tsavell tzagallo webkit-bug-importer ysuzuki oldest_to_newest 1605782 0 saelo 2020-01-13 02:51:25 -0800 The following sample sometimes crashes JSC built from current HEAD: var v2 = 2190736854 + 1; var v3 = v2 + Object; var v4 = v3; var v7 = 0; do { print(v7); function v8(v9,v10,v11,v12,v13) { try { var v14 = v13(); } catch(v16) { } var v18 = gc(); if (v18) { } else { } var v20 = v9; do { var v21 = v20 + 1; v20 = v21; } while (v20 < 4); } var v24 = new Int32Array(); var v25 = v8(...v4); for (var v29 = -1024; v29 < 100; v29++) { } var v30 = v7 + 1; var v32 = 4294967295; v7 = v30; } while (v7 < 10000); var v36 = 0; var v38 = 16; gc(); print("Try again..."); /* > lldb -- ./JSCBuild/Debug/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --gcAtEnd=true crash.js ... thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10a700000) frame #0: 0x000000010115d996 JavaScriptCore`void JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook>(this=0x00007ffeefbfc040, begin=0x000000010a6fff08, end=0x000000010a700008, markHook=0x00007ffeefbfbef0) at ConservativeRoots.c pp:104:27 101 HeapVersion markingVersion = m_heap.objectSpace().markingVersion(); 102 HeapVersion newlyAllocatedVersion = m_heap.objectSpace().newlyAllocatedVersion(); 103 for (char** it = static_cast<char**>(begin); it != static_cast<char**>(end); ++it) -> 104 genericAddPointer(*it, markingVersion, newlyAllocatedVersion, filter, markHook); 105 } 106 107 class DummyMarkHook { Target 0: (jsc) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x10a700000) * frame #0: 0x000000010115d996 JavaScriptCore`void JSC::ConservativeRoots::genericAddSpan<JSC::DummyMarkHook>(this=0x00007ffeefbfc040, begin=0x000000010a6fff08, end=0x000000010a700008, markHook=0x00007ffeefbfbef0) at ConservativeRoots.cpp:104:27 frame #1: 0x000000010115d819 JavaScriptCore`JSC::ConservativeRoots::add(this=0x00007ffeefbfc040, begin=0x000000010a6fff08, end=0x000000010a700008) at ConservativeRoots.cpp:116:5 frame #2: 0x00000001019fe2de JavaScriptCore`JSC::VM::scanSideState(this=0x000000010a000000, roots=0x00007ffeefbfc040) const at VM.cpp:1068:15 frame #3: 0x000000010116c202 JavaScriptCore`JSC::Heap::gatherScratchBufferRoots(this=0x000000010a000040, roots=0x00007ffeefbfc040) at Heap.cpp:724:10 frame #4: 0x00000001011a2810 JavaScriptCore`JSC::Heap::addCoreConstraints(this=0x0000000107ec02c0, slotVisitor=0x0000000107ef2000)::$_30::operator()(JSC::SlotVisitor&) at Heap.cpp:2736:17 frame #5: 0x00000001011a26f1 JavaScriptCore`WTF::Detail::CallableWrapper<JSC::Heap::addCoreConstraints()::$_30, void, JSC::SlotVisitor&>::call(this=0x0000000107ec02b8, in=0x0000000107ef2000) at Function.h:52:39 frame #6: 0x00000001012007d7 JavaScriptCore`WTF::Function<void (JSC::SlotVisitor&)>::operator(this=0x0000000107ec1568, in=0x0000000107ef2000)(JSC::SlotVisitor&) const at Function.h:84:35 frame #7: 0x000000010120072c JavaScriptCore`JSC::SimpleMarkingConstraint::executeImpl(this=0x0000000107ec1540, visitor=0x0000000107ef2000) at SimpleMarkingConstraint.cpp:47:5 frame #8: 0x00000001011ea91c JavaScriptCore`JSC::MarkingConstraint::execute(this=0x0000000107ec1540, visitor=0x0000000107ef2000) at MarkingConstraint.cpp:57:5 frame #9: 0x00000001011ec2a0 JavaScriptCore`JSC::MarkingConstraintSolver::runExecutionThread(this=0x00007ffeefbfc8e0, visitor=0x0000000107ef2000, preference=NextConstraintFirst, pickNext=ScopedLambda<WTF::Optional<unsigned int> ()> @ 0x00007ffeefbfc670)>) at MarkingConstraintSolver.cpp:239:25 frame #10: 0x00000001011fd474 JavaScriptCore`JSC::MarkingConstraintSolver::execute(this=0x000000010a6fffb0, visitor=0x0000000107ef2000)>)::$_31::operator()(JSC::SlotVisitor&) const at MarkingConstraintSolver.cpp:68:42 frame #11: 0x00000001011fd401 JavaScriptCore`WTF::SharedTaskFunctor<void (JSC::SlotVisitor&), JSC::MarkingConstraintSolver::execute(JSC::MarkingConstraintSolver::SchedulerPreference, WTF::ScopedLambda<WTF::Optional<unsigned int> ()>)::$_31>::run(this=0x000000010a6fffa0, arguments=0x0000000107ef2000) at SharedTask.h:91:16 frame #12: 0x0000000101177bea JavaScriptCore`JSC::Heap::runTaskInParallel(this=0x000000010a000040, task=RefPtr<WTF::SharedTask<void (JSC::SlotVisitor &)>, WTF::DumbPtrTraits<WTF::SharedTask<void (JSC::SlotVisitor &)> > > @ 0x00007ffeefbfc768)>, WTF::DumbPtrTraits<WTF::SharedTask<void (JSC::SlotVisitor&)> > >) at Heap.cpp:3023:11 frame #13: 0x00000001011ec052 JavaScriptCore`void JSC::Heap::runFunctionInParallel<JSC::MarkingConstraintSolver::execute(JSC::MarkingConstraintSolver::SchedulerPreference, WTF::ScopedLambda<WTF::Optional<unsigned int> ()>)::$_31>(this=0x000000010a000040, func=0x00007ffeefbfc7d8)>)::$_31 const&) at Heap.h:390:9 frame #14: 0x00000001011ebdc2 JavaScriptCore`JSC::MarkingConstraintSolver::execute(this=0x00007ffeefbfc8e0, preference=NextConstraintFirst, pickNext=ScopedLambda<WTF::Optional<unsigned int> ()> @ 0x00007ffeefbfc800)>) at MarkingConstraintSolver.cpp:67:16 frame #15: 0x00000001011eb6b2 JavaScriptCore`JSC::MarkingConstraintSolver::drain(this=0x00007ffeefbfc8e0, unexecuted=0x0000000107ef6058) at MarkingConstraintSolver.cpp:99:5 frame #16: 0x00000001011eb375 JavaScriptCore`JSC::MarkingConstraintSet::executeConvergenceImpl(this=0x0000000107ef6050, visitor=0x0000000107ef2000) at MarkingConstraintSet.cpp:113:16 frame #17: 0x00000001011eb29d JavaScriptCore`JSC::MarkingConstraintSet::executeConvergence(this=0x0000000107ef6050, visitor=0x0000000107ef2000) at MarkingConstraintSet.cpp:85:19 frame #18: 0x0000000101170003 JavaScriptCore`JSC::Heap::runFixpointPhase(this=0x000000010a000040, conn=Mutator) at Heap.cpp:1398:43 frame #19: 0x000000010116ee2b JavaScriptCore`JSC::Heap::runCurrentPhase(this=0x000000010a000040, conn=Mutator, currentThreadState=0x00007ffeefbfcf70) at Heap.cpp:1227:18 frame #20: 0x000000010119dd6a JavaScriptCore`JSC::Heap::collectInMutatorThread(this=0x00007ffeefbfcfd0, state=0x00007ffeefbfcf70)::$_0::operator()(JSC::CurrentThreadState&) const at Heap.cpp:1850:52 frame #21: 0x000000010119dd1c JavaScriptCore`WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(argument=0x00007ffeefbfcfc0, arguments=0x00007ffeefbfcf70) at ScopedLambda.h:106:16 frame #22: 0x00000001011d0f8c JavaScriptCore`void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator(this=0x00007ffeefbfcfc0, arguments=0x00007ffeefbfcf70)<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const at ScopedL ambda.h:58:16 frame #23: 0x00000001011d0ebe JavaScriptCore`JSC::callWithCurrentThreadState(lambda=0x00007ffeefbfcfc0)> const&) at MachineStackMarker.cpp:223:5 frame #24: 0x0000000101173c6b JavaScriptCore`JSC::Heap::collectInMutatorThread(this=0x000000010a000040) at Heap.cpp:1862:13 frame #25: 0x00000001011739fb JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x000000010a000040, oldState=37) at Heap.cpp:1831:9 frame #26: 0x0000000101174b2b JavaScriptCore`void JSC::Heap::waitForCollector<JSC::Heap::waitForCollection(unsigned long long)::$_27>(this=0x000000010a000040, func=0x00007ffeefbfd090)::$_27 const&) at Heap.cpp:1888:13 frame #27: 0x000000010116eadc JavaScriptCore`JSC::Heap::waitForCollection(this=0x000000010a000040, ticket=141) at Heap.cpp:2150:5 frame #28: 0x000000010116e3b0 JavaScriptCore`JSC::Heap::collectSync(this=0x000000010a000040, request=GCRequest @ 0x00007ffeefbfd130) at Heap.cpp:1146:5 frame #29: 0x000000010116e4a9 JavaScriptCore`JSC::Heap::collectNow(this=0x000000010a000040, synchronousness=Sync, request=GCRequest @ 0x00007ffeefbfd190) at Heap.cpp:1092:9 frame #30: 0x000000010002cda6 jsc`functionGCAndSweep(globalObject=0x000000010a1fc068, (null)=0x00007ffeefbfd1d0) at jsc.cpp:1490:13 frame #31: 0x00003dfc64601178 frame #32: 0x00003dfc64602da8 frame #33: 0x000000010145a517 JavaScriptCore`llint_entry + 128442 */ I haven't had a chance to analyze this crash properly, but it seems to be related to this commit: https://github.com/WebKit/webkit/commit/39080824d26a2246b742cf7d4ebc50fe36b515c4 and so I assume that no current release of WebKit is affected by this. The sample is unfortunately quite unreliably, only crashing for me roughly once in ten attempts. 1605783 1 webkit-bug-importer 2020-01-13 02:51:34 -0800 <rdar://problem/58524626> 1605922 2 keith_miller 2020-01-13 10:08:13 -0800 Thanks for the report. I'll take a look. 1605971 3 387551 keith_miller 2020-01-13 11:46:50 -0800 Created attachment 387551 Patch 1605973 4 387551 ysuzuki 2020-01-13 11:54:27 -0800 Comment on attachment 387551 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=387551&action=review r=me too with comment. Who is initializing CheckpointOSRExitSideState tmps? Are all elements cleared (JSEmpty) when declaring it? Can we add default initializer to `tmps` field as, JSValue tmps[maxNumCheckpointTmps] { }; > Source/JavaScriptCore/ChangeLog:3 > + JSC: Crash during GC Let's rename the title. 1605976 5 keith_miller 2020-01-13 11:59:47 -0800 (In reply to Yusuke Suzuki from comment #4) > Comment on attachment 387551 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=387551&action=review > > r=me too with comment. > Who is initializing CheckpointOSRExitSideState tmps? Are all elements > cleared (JSEmpty) when declaring it? Can we add default initializer to > `tmps` field as, > > JSValue tmps[maxNumCheckpointTmps] { }; Currently, no one. I can do that though. > > > Source/JavaScriptCore/ChangeLog:3 > > + JSC: Crash during GC > > Let's rename the title. Done. 1605978 6 387553 keith_miller 2020-01-13 12:00:18 -0800 Created attachment 387553 Patch for landing 1606240 7 387553 commit-queue 2020-01-13 21:25:03 -0800 Comment on attachment 387553 Patch for landing Clearing flags on attachment: 387553 Committed r254491: <https://trac.webkit.org/changeset/254491> 1606241 8 commit-queue 2020-01-13 21:25:05 -0800 All reviewed patches have been landed. Closing bug. 1606564 9 tsavell 2020-01-14 13:33:16 -0800 This change broke many tests on Debug with the new assertion. Tracked in https://bugs.webkit.org/show_bug.cgi?id=206229 387551 2020-01-13 11:46:50 -0800 2020-01-13 12:00:14 -0800 Patch bug-206166-20200113114648.patch text/plain 3111 keith_miller U3VidmVyc2lvbiBSZXZpc2lvbjogMjU0NDM0CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCAw Njk3MjkwNDJmMDk3YmFlZWJlN2I0OWE1MjY3NTcxOTAyMTExZWQ0Li4xZGI4ZjAyNDdjNDVkOTk3 OTA2NTNmNDRhYjgxNTZlYTJkMTZhNWQ1IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxMyBAQAorMjAyMC0wMS0xMyAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxl LmNvbT4KKworICAgICAgICBKU0M6IENyYXNoIGR1cmluZyBHQworICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjA2MTY2CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBydW50aW1lL1ZNLmNwcDoKKyAgICAgICAg KEpTQzo6Vk06OnNjYW5TaWRlU3RhdGUgY29uc3QpOgorCiAyMDIwLTAxLTExICBLZWl0aCBNaWxs ZXIgIDxrZWl0aF9taWxsZXJAYXBwbGUuY29tPgogCiAgICAgICAgIENoZWNrTmV1dGVyZWQgbmVl ZHMgdG8gY2xhaW0gaXQgcmVhZHMgSlNUeXBlIGluIGNsb2JiZXJpemUuCmRpZmYgLS1naXQgYS9T b3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9WTS5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvcnVudGltZS9WTS5jcHAKaW5kZXggNDc1MmFhMDg3ZGUyYjA2MGYwYmNhZTAyZjBhNTJjOGJm N2UwZDhhNi4uYzg2NzVhM2VlM2I5YTNjNWRhODY4YzBjNDBjN2Q5MzQyNmRiMDIzZiAxMDA2NDQK LS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvVk0uY3BwCisrKyBiL1NvdXJjZS9K YXZhU2NyaXB0Q29yZS9ydW50aW1lL1ZNLmNwcApAQCAtMTA2NCw4ICsxMDY0LDExIEBAIHZvaWQg Vk06OmdhdGhlclNjcmF0Y2hCdWZmZXJSb290cyhDb25zZXJ2YXRpdmVSb290cyYgY29uc2VydmF0 aXZlUm9vdHMpCiAKIHZvaWQgVk06OnNjYW5TaWRlU3RhdGUoQ29uc2VydmF0aXZlUm9vdHMmIHJv b3RzKSBjb25zdAogewotICAgIGZvciAoY29uc3QgYXV0byYgaXRlciA6IG1fY2hlY2twb2ludFNp ZGVTdGF0ZSkKLSAgICAgICAgcm9vdHMuYWRkKGl0ZXIudmFsdWUtPnRtcHMsIGl0ZXIudmFsdWUt PnRtcHMgKyBzaXplb2YoaXRlci52YWx1ZS0+dG1wcykpOworICAgIEFTU0VSVChoZWFwLm11dGF0 b3JTdGF0ZSgpICE9IE11dGF0b3JTdGF0ZTo6UnVubmluZyk7CisgICAgZm9yIChjb25zdCBhdXRv JiBpdGVyIDogbV9jaGVja3BvaW50U2lkZVN0YXRlKSB7CisgICAgICAgIHN0YXRpY19hc3NlcnQo c2l6ZW9mKGl0ZXIudmFsdWUtPnRtcHMpIC8gc2l6ZW9mKEpTVmFsdWUpID09IG1heE51bUNoZWNr cG9pbnRUbXBzKTsKKyAgICAgICAgcm9vdHMuYWRkKGl0ZXIudmFsdWUtPnRtcHMsIGl0ZXIudmFs dWUtPnRtcHMgKyBtYXhOdW1DaGVja3BvaW50VG1wcyk7CisgICAgfQogfQogI2VuZGlmCiAKZGlm ZiAtLWdpdCBhL0pTVGVzdHMvQ2hhbmdlTG9nIGIvSlNUZXN0cy9DaGFuZ2VMb2cKaW5kZXggMDJi YzdjYTgxOWVkZjBhNWFmYzQzNzJiYjAwNGQxYTYzMTcyZjRmMy4uNmYzYzBkZjhiZDE0NDcyNDc5 NTAzYTkyZjdmNWFmMjdiYWFmYTAxMSAxMDA2NDQKLS0tIGEvSlNUZXN0cy9DaGFuZ2VMb2cKKysr IGIvSlNUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxMyBAQAorMjAyMC0wMS0xMyAgS2VpdGgg TWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxlLmNvbT4KKworICAgICAgICBKU0M6IENyYXNoIGR1 cmluZyBHQworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MjA2MTY2CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg KiBzdHJlc3MvY2hlY2twb2ludC1zaWRlLXN0YXRlLWdjLXRtcHMtb3ZlcmZsb3cuanM6IEFkZGVk LgorICAgICAgICAodjgpOgorCiAyMDIwLTAxLTExICBLZWl0aCBNaWxsZXIgIDxrZWl0aF9taWxs ZXJAYXBwbGUuY29tPgogCiAgICAgICAgIENoZWNrTmV1dGVyZWQgbmVlZHMgdG8gY2xhaW0gaXQg cmVhZHMgSlNUeXBlIGluIGNsb2JiZXJpemUuCmRpZmYgLS1naXQgYS9KU1Rlc3RzL3N0cmVzcy9j aGVja3BvaW50LXNpZGUtc3RhdGUtZ2MtdG1wcy1vdmVyZmxvdy5qcyBiL0pTVGVzdHMvc3RyZXNz L2NoZWNrcG9pbnQtc2lkZS1zdGF0ZS1nYy10bXBzLW92ZXJmbG93LmpzCm5ldyBmaWxlIG1vZGUg MTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjAw NDBlNjg3ZDQ3MTU5ZTczOTZkOTk3Y2JlZGQyMzU4YzNjMWVjY2MKLS0tIC9kZXYvbnVsbAorKysg Yi9KU1Rlc3RzL3N0cmVzcy9jaGVja3BvaW50LXNpZGUtc3RhdGUtZ2MtdG1wcy1vdmVyZmxvdy5q cwpAQCAtMCwwICsxLDMwIEBACisvL0AgcmVxdWlyZU9wdGlvbnMoIi0tdXNlQ29uY3VycmVudEdD PWZhbHNlIikKKwordmFyIHYyID0gMjE5MDczNjg1NCArIDE7Cit2YXIgdjMgPSB2MiArIE9iamVj dDsKK3ZhciB2NCA9IHYzOwordmFyIHY3ID0gMDsKK2RvIHsKKyAgICBmdW5jdGlvbiB2OCh2OSx2 MTAsdjExLHYxMix2MTMpIHsKKyAgICAgICAgdHJ5IHsKKyAgICAgICAgICAgIHZhciB2MTQgPSB2 MTMoKTsKKyAgICAgICAgfSBjYXRjaCh2MTYpIHsKKyAgICAgICAgfQorICAgICAgICB2YXIgdjE4 ID0gZ2MoKTsKKyAgICAgICAgaWYgKHYxOCkgeworICAgICAgICAgICAgfSBlbHNlIHsKKyAgICAg ICAgICAgIH0KKyAgICAgICAgdmFyIHYyMCA9IHY5OworICAgICAgICBkbyB7CisgICAgICAgICAg ICB2YXIgdjIxID0gdjIwICsgMTsKKyAgICAgICAgICAgIHYyMCA9IHYyMTsKKyAgICAgICAgfSB3 aGlsZSAodjIwIDwgNCk7CisgICAgfQorICAgIHZhciB2MjQgPSBuZXcgSW50MzJBcnJheSgpOwor ICAgIHZhciB2MjUgPSB2OCguLi52NCk7CisgICAgZm9yICh2YXIgdjI5ID0gLTEwMjQ7IHYyOSA8 IDEwMDsgdjI5KyspIHsKKyAgICB9CisgICAgdmFyIHYzMCA9IHY3ICsgMTsKKyAgICB2NyA9IHYz MDsKK30gd2hpbGUgKHY3IDwgMTAwMDApOworZ2MoKTsK 387553 2020-01-13 12:00:18 -0800 2020-01-13 21:25:03 -0800 Patch for landing bug-206166-20200113120016.patch text/plain 3949 keith_miller U3VidmVyc2lvbiBSZXZpc2lvbjogMjU0NDM0CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCAw Njk3MjkwNDJmMDk3YmFlZWJlN2I0OWE1MjY3NTcxOTAyMTExZWQ0Li45MjI2Zjk1NDVlMmU1Y2M2 MDFhZjM3YmJlYmU2ODQ2MjQxYzc2Y2U1IDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxOCBAQAorMjAyMC0wMS0xMyAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxl LmNvbT4KKworICAgICAgICBzY2FuU2lkZVN0YXRlIHNjYW5zIHRvbyBtdWNoIHNpZGUgc3RhdGUK KyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIwNjE2Ngor CisgICAgICAgIFJldmlld2VkIGJ5IFRhZGV1IFphZ2FsbG8uCisKKyAgICAgICAgVGhlIG9sZCBj b2RlIHdvdWxkIHdvdWxkIHNjYW4gdG1wcyArIHNpemVvZih0bXBzKSBidXQgc2l6ZW9mKHRtcHMp CisgICAgICAgIGlzIG5vdCB0aGUgbGVuZ3RoIG9mIHRoZSBhcnJheS4gaW5zdGVhZCB3ZSBzaG91 bGQgc2NhbiB0bXBzICsKKyAgICAgICAgbWF4TnVtQ2hlY2twb2ludFRtcHMuCisKKyAgICAgICAg KiBpbnRlcnByZXRlci9DaGVja3BvaW50T1NSRXhpdFNpZGVTdGF0ZS5oOgorICAgICAgICAqIHJ1 bnRpbWUvVk0uY3BwOgorICAgICAgICAoSlNDOjpWTTo6c2NhblNpZGVTdGF0ZSBjb25zdCk6CisK IDIwMjAtMDEtMTEgIEtlaXRoIE1pbGxlciAgPGtlaXRoX21pbGxlckBhcHBsZS5jb20+CiAKICAg ICAgICAgQ2hlY2tOZXV0ZXJlZCBuZWVkcyB0byBjbGFpbSBpdCByZWFkcyBKU1R5cGUgaW4gY2xv YmJlcml6ZS4KZGlmZiAtLWdpdCBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9pbnRlcnByZXRlci9D aGVja3BvaW50T1NSRXhpdFNpZGVTdGF0ZS5oIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVy cHJldGVyL0NoZWNrcG9pbnRPU1JFeGl0U2lkZVN0YXRlLmgKaW5kZXggNzc5YjUzYmNmN2Y3ZTRl ZjM3YjM0MzNiYWYzMzlkNTRlMWQxOGY5MC4uODkzODlkODg5MTNhMmQwYTU2YTdiYzEyZDRkMWMw YzRkODBkZDFmYSAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVy L0NoZWNrcG9pbnRPU1JFeGl0U2lkZVN0YXRlLmgKKysrIGIvU291cmNlL0phdmFTY3JpcHRDb3Jl L2ludGVycHJldGVyL0NoZWNrcG9pbnRPU1JFeGl0U2lkZVN0YXRlLmgKQEAgLTM1LDcgKzM1LDcg QEAgc3RydWN0IENoZWNrcG9pbnRPU1JFeGl0U2lkZVN0YXRlIHsKIHB1YmxpYzoKIAogICAgIEJ5 dGVjb2RlSW5kZXggYnl0ZWNvZGVJbmRleDsKLSAgICBKU1ZhbHVlIHRtcHNbbWF4TnVtQ2hlY2tw b2ludFRtcHNdOworICAgIEpTVmFsdWUgdG1wc1ttYXhOdW1DaGVja3BvaW50VG1wc10geyB9Owog fTsKIAogfQpkaWZmIC0tZ2l0IGEvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvVk0uY3Bw IGIvU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUvVk0uY3BwCmluZGV4IDQ3NTJhYTA4N2Rl MmIwNjBmMGJjYWUwMmYwYTUyYzhiZjdlMGQ4YTYuLmM4Njc1YTNlZTNiOWEzYzVkYTg2OGMwYzQw YzdkOTM0MjZkYjAyM2YgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1l L1ZNLmNwcAorKysgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9WTS5jcHAKQEAgLTEw NjQsOCArMTA2NCwxMSBAQCB2b2lkIFZNOjpnYXRoZXJTY3JhdGNoQnVmZmVyUm9vdHMoQ29uc2Vy dmF0aXZlUm9vdHMmIGNvbnNlcnZhdGl2ZVJvb3RzKQogCiB2b2lkIFZNOjpzY2FuU2lkZVN0YXRl KENvbnNlcnZhdGl2ZVJvb3RzJiByb290cykgY29uc3QKIHsKLSAgICBmb3IgKGNvbnN0IGF1dG8m IGl0ZXIgOiBtX2NoZWNrcG9pbnRTaWRlU3RhdGUpCi0gICAgICAgIHJvb3RzLmFkZChpdGVyLnZh bHVlLT50bXBzLCBpdGVyLnZhbHVlLT50bXBzICsgc2l6ZW9mKGl0ZXIudmFsdWUtPnRtcHMpKTsK KyAgICBBU1NFUlQoaGVhcC5tdXRhdG9yU3RhdGUoKSAhPSBNdXRhdG9yU3RhdGU6OlJ1bm5pbmcp OworICAgIGZvciAoY29uc3QgYXV0byYgaXRlciA6IG1fY2hlY2twb2ludFNpZGVTdGF0ZSkgewor ICAgICAgICBzdGF0aWNfYXNzZXJ0KHNpemVvZihpdGVyLnZhbHVlLT50bXBzKSAvIHNpemVvZihK U1ZhbHVlKSA9PSBtYXhOdW1DaGVja3BvaW50VG1wcyk7CisgICAgICAgIHJvb3RzLmFkZChpdGVy LnZhbHVlLT50bXBzLCBpdGVyLnZhbHVlLT50bXBzICsgbWF4TnVtQ2hlY2twb2ludFRtcHMpOwor ICAgIH0KIH0KICNlbmRpZgogCmRpZmYgLS1naXQgYS9KU1Rlc3RzL0NoYW5nZUxvZyBiL0pTVGVz dHMvQ2hhbmdlTG9nCmluZGV4IDAyYmM3Y2E4MTllZGYwYTVhZmM0MzcyYmIwMDRkMWE2MzE3MmY0 ZjMuLjYzMjQ2ZDY0ZGY3YjM0OWFiYTM1YjY1ODI2ZTMzYWNkNzgzNjAxM2EgMTAwNjQ0Ci0tLSBh L0pTVGVzdHMvQ2hhbmdlTG9nCisrKyBiL0pTVGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMg QEAKKzIwMjAtMDEtMTMgIEtlaXRoIE1pbGxlciAgPGtlaXRoX21pbGxlckBhcHBsZS5jb20+CisK KyAgICAgICAgc2NhblNpZGVTdGF0ZSBzY2FucyB0b28gbXVjaCBzaWRlIHN0YXRlCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMDYxNjYKKworICAgICAg ICBSZXZpZXdlZCBieSBUYWRldSBaYWdhbGxvLgorCisgICAgICAgICogc3RyZXNzL2NoZWNrcG9p bnQtc2lkZS1zdGF0ZS1nYy10bXBzLW92ZXJmbG93LmpzOiBBZGRlZC4KKyAgICAgICAgKHY4KToK KwogMjAyMC0wMS0xMSAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxlLmNvbT4KIAog ICAgICAgICBDaGVja05ldXRlcmVkIG5lZWRzIHRvIGNsYWltIGl0IHJlYWRzIEpTVHlwZSBpbiBj bG9iYmVyaXplLgpkaWZmIC0tZ2l0IGEvSlNUZXN0cy9zdHJlc3MvY2hlY2twb2ludC1zaWRlLXN0 YXRlLWdjLXRtcHMtb3ZlcmZsb3cuanMgYi9KU1Rlc3RzL3N0cmVzcy9jaGVja3BvaW50LXNpZGUt c3RhdGUtZ2MtdG1wcy1vdmVyZmxvdy5qcwpuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi4wMDQwZTY4N2Q0NzE1OWU3Mzk2 ZDk5N2NiZWRkMjM1OGMzYzFlY2NjCi0tLSAvZGV2L251bGwKKysrIGIvSlNUZXN0cy9zdHJlc3Mv Y2hlY2twb2ludC1zaWRlLXN0YXRlLWdjLXRtcHMtb3ZlcmZsb3cuanMKQEAgLTAsMCArMSwzMCBA QAorLy9AIHJlcXVpcmVPcHRpb25zKCItLXVzZUNvbmN1cnJlbnRHQz1mYWxzZSIpCisKK3ZhciB2 MiA9IDIxOTA3MzY4NTQgKyAxOwordmFyIHYzID0gdjIgKyBPYmplY3Q7Cit2YXIgdjQgPSB2MzsK K3ZhciB2NyA9IDA7CitkbyB7CisgICAgZnVuY3Rpb24gdjgodjksdjEwLHYxMSx2MTIsdjEzKSB7 CisgICAgICAgIHRyeSB7CisgICAgICAgICAgICB2YXIgdjE0ID0gdjEzKCk7CisgICAgICAgIH0g Y2F0Y2godjE2KSB7CisgICAgICAgIH0KKyAgICAgICAgdmFyIHYxOCA9IGdjKCk7CisgICAgICAg IGlmICh2MTgpIHsKKyAgICAgICAgICAgIH0gZWxzZSB7CisgICAgICAgICAgICB9CisgICAgICAg IHZhciB2MjAgPSB2OTsKKyAgICAgICAgZG8geworICAgICAgICAgICAgdmFyIHYyMSA9IHYyMCAr IDE7CisgICAgICAgICAgICB2MjAgPSB2MjE7CisgICAgICAgIH0gd2hpbGUgKHYyMCA8IDQpOwor ICAgIH0KKyAgICB2YXIgdjI0ID0gbmV3IEludDMyQXJyYXkoKTsKKyAgICB2YXIgdjI1ID0gdjgo Li4udjQpOworICAgIGZvciAodmFyIHYyOSA9IC0xMDI0OyB2MjkgPCAxMDA7IHYyOSsrKSB7Cisg ICAgfQorICAgIHZhciB2MzAgPSB2NyArIDE7CisgICAgdjcgPSB2MzA7Cit9IHdoaWxlICh2NyA8 IDEwMDAwKTsKK2djKCk7Cg==