237188 2022-02-25 00:25:49 -0800 heap-use-after-free in setContentsLayer(WebCore::TextureMapperPlatformLayer*) 2022-05-06 07:45:27 -0700 1 1 1 Unclassified Security Security WebKit Local Build PC Linux RESOLVED DUPLICATE 237187 InRadar P2 Critical --- 1 tlock.chijin webkit-security-unassigned bfulgham cgarcia magomez mcatanzaro webkit-bug-importer oldest_to_newest 1845932 0 453183 tlock.chijin 2022-02-25 00:25:49 -0800 Created attachment 453183 This file is generated by a browser fuzzer The attached file cause a heap use after free in setContentsLayer. Version: safari-613.1.5-branch (4f329ebf4c7cb23791f7634fe9b917b20dc2e5a6) and webkitgtk-2.34.6 asan report: ==18385==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00012d7b8 at pc 0x7f751aa143ff bp 0x7ffcc1bb1f80 sp 0x7ffcc1bb1f78 WRITE of size 8 at 0x61b00012d7b8 thread T0 #0 0x7f751aa143fe in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 #1 0x7f751aa2e9aa in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:56:24 #2 0x7f751aa2eed8 in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:53:1 #3 0x7f751aa6cb9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #4 0x7f751aa6cb9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #5 0x7f751aa6cb9f in WTF::Ref<WebCore::TextureMapperPlatformLayerProxy, WTF::RawPtrTraits<WebCore::TextureMapperPlatformLayerProxy> >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #6 0x7f751aa6cb9f in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:58:1 #7 0x7f751aa6cc48 in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:53:1 #8 0x7f751aa621ab in std::default_delete<Nicosia::ContentLayer::Impl>::operator()(Nicosia::ContentLayer::Impl*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #9 0x7f751aa621ab in std::unique_ptr<Nicosia::ContentLayer::Impl, std::default_delete<Nicosia::ContentLayer::Impl> >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #10 0x7f751aa621ab in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #11 0x7f751aa62388 in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #12 0x7f7520aa3ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #13 0x7f7520aa3ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #14 0x7f7520aa3ea2 in WTF::Ref<Nicosia::ContentLayer, WTF::RawPtrTraits<Nicosia::ContentLayer> >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #15 0x7f7520aa3ea2 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:60:1 #16 0x7f7520aa3fa8 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:58:1 #17 0x7f7520a7c1f2 in std::default_delete<Nicosia::GCGLLayer>::operator()(Nicosia::GCGLLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #18 0x7f7520a7c1f2 in std::unique_ptr<Nicosia::GCGLLayer, std::default_delete<Nicosia::GCGLLayer> >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #19 0x7f7520a7c1f2 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:386:1 #20 0x7f7520a7c918 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:348:1 #21 0x7f751e0f97be in std::default_delete<WebCore::GraphicsContextGL>::operator()(WebCore::GraphicsContextGL*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #22 0x7f751e0f97be in WTF::RefCounted<WebCore::GraphicsContextGL, std::default_delete<WebCore::GraphicsContextGL> >::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefCounted.h:190:13 #23 0x7f751e0f97be in WTF::DefaultRefDerefTraits<WebCore::GraphicsContextGL>::derefIfNotNull(WebCore::GraphicsContextGL*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #24 0x7f751e0f97be in WTF::RefPtr<WebCore::GraphicsContextGL, WTF::RawPtrTraits<WebCore::GraphicsContextGL>, WTF::DefaultRefDerefTraits<WebCore::GraphicsContextGL> >::operator=(std::nullptr_t) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:159:5 #25 0x7f751e0f97be in WebCore::WebGLRenderingContextBase::destroyGraphicsContextGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1199:19 #26 0x7f751e14193a in WebCore::WebGLRenderingContextBase::~WebGLRenderingContextBase() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1174:9 #27 0x7f751e157e1f in WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h:35:7 #28 0x7f751e157e1f in non-virtual thunk to WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h #29 0x7f751dc27ef4 in std::default_delete<WebCore::CanvasRenderingContext>::operator()(WebCore::CanvasRenderingContext*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #30 0x7f751dc27ef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_delete<WebCore::CanvasRenderingContext> >::reset(WebCore::CanvasRenderingContext*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4 #31 0x7f751dc27ef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_delete<WebCore::CanvasRenderingContext> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2 #32 0x7f751dc27ef4 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:148:15 #33 0x7f751dc28668 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:141:1 #34 0x7f751d411577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #35 0x7f751d411577 in WTF::DefaultRefDerefTraits<WebCore::Node>::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #36 0x7f751d411577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #37 0x7f751d411577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #38 0x7f751d411577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #39 0x7f751d3f784e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #40 0x7f751d3f784e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #41 0x7f751d3f9665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #42 0x7f751dc22518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #43 0x7f751dc22518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #44 0x7f751442eb3a in JSC::PreciseAllocation::sweep() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp:234:25 #45 0x7f7514414ff8 in JSC::MarkedSpace::sweepPreciseAllocations() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedSpace.cpp:235:21 #46 0x7f7514387248 in JSC::Heap::sweepInFinalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2116:19 #47 0x7f7514387248 in JSC::Heap::finalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2061:9 #48 0x7f7514386195 in JSC::Heap::handleNeedFinalize(unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1997:9 #49 0x7f751437ac59 in JSC::Heap::handleNeedFinalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2008:12 #50 0x7f751437ac59 in JSC::Heap::finishChangingPhase(JSC::GCConductor) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1604:17 #51 0x7f7514380ff0 in JSC::Heap::changePhase(JSC::GCConductor, JSC::CollectorPhase) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1578:12 #52 0x7f7514380ff0 in JSC::Heap::runEndPhase(JSC::GCConductor) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1568:12 #53 0x7f751437a58e in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1221:18 #54 0x7f75143905fc in JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1835:52 #55 0x7f75143905fc in WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ScopedLambda.h:106:16 #56 0x7f75143fad1d in void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ScopedLambda.h:58:16 #57 0x7f75143fad1d in JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MachineStackMarker.cpp:221:5 #58 0x7f751438638e in JSC::Heap::collectInMutatorThread() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1847:13 #59 0x7f7514385f45 in JSC::Heap::stopIfNecessarySlow(unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1816:9 #60 0x7f7514385f45 in JSC::Heap::stopIfNecessarySlow() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1788:12 #61 0x7f751436ec6e in JSC::Heap::stopIfNecessary() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/HeapInlines.h:270:9 #62 0x7f751436ec6e in JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2599:13 #63 0x7f75143f8641 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:125:10 #64 0x7f75125fdf09 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:40:43 #65 0x7f75125fdf09 in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/FreeListInlines.h:46:16 #66 0x7f75125fdf09 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:37:23 #67 0x7f75125fdf09 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/AllocatorInlines.h:35:30 #68 0x7f75125fdf09 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/IsoSubspaceInlines.h:34:30 #69 0x7f75125fdf09 in void* JSC::tryAllocateCellHelper<JSC::Structure>(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSCellInlines.h:180:63 #70 0x7f75125fdf09 in void* JSC::allocateCell<JSC::Structure>(JSC::Heap&, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSCellInlines.h:194:12 #71 0x7f75125fdf09 in JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/StructureInlines.h:63:42 #72 0x7f75155beb22 in JSC::JSSloppyFunction::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSFunction.h:253:16 #73 0x7f75155beb22 in JSC::JSGlobalObject::init(JSC::VM&)::$_0::operator()(JSC::JSGlobalObject::FunctionStructures&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:745:58 #74 0x7f75155a5a6a in JSC::JSGlobalObject::init(JSC::VM&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:748:5 #75 0x7f75155d42c9 in JSC::JSGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:2590:5 #76 0x7f751c9e878e in WebCore::JSDOMGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:255:11 #77 0x7f751ca0677f in WebCore::JSDOMWindowBase::finishCreation(JSC::VM&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWindowBase.cpp:120:11 #78 0x7f751aaabfd0 in WebCore::JSDOMWindow::finishCreation(JSC::VM&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDOMWindow.cpp:5744:11 #79 0x7f751ca901a4 in WebCore::JSDOMWindow::create(JSC::VM&, JSC::Structure*, WTF::Ref<WebCore::DOMWindow, WTF::RawPtrTraits<WebCore::DOMWindow> >&&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDOMWindow.h:41:14 #80 0x7f751ca901a4 in WebCore::JSWindowProxy::setWindow(WebCore::AbstractDOMWindow&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSWindowProxy.cpp:112:18 #81 0x7f751cb659a9 in WebCore::WindowProxy::setDOMWindow(WebCore::AbstractDOMWindow*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/WindowProxy.cpp:173:22 #82 0x7f751e7db91b in WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool, WTF::Function<void ()>&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/FrameLoader.cpp:679:31 #83 0x7f751e770b00 in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentWriter.cpp:165:23 #84 0x7f751e75b5a4 in WebCore::DocumentLoader::commitData(unsigned char const*, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentLoader.cpp:1221:34 #85 0x7f751a83b7eb in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, unsigned char const*, int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1156:17 #86 0x7f751e76fb0c in WebCore::DocumentLoader::commitLoad(unsigned char const*, int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentLoader.cpp:1188:27 #87 0x7f751e997bcd in WebCore::CachedRawResource::notifyClientsDataWasReceived(unsigned char const*, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/cache/CachedRawResource.cpp:138:12 #88 0x7f751e9972c3 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/cache/CachedRawResource.cpp:75:9 #89 0x7f751e8e148f in WebCore::SubresourceLoader::didReceiveDataOrBuffer(unsigned char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer>, WTF::DefaultRefDerefTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/SubresourceLoader.cpp:562:25 #90 0x7f751e8e1114 in WebCore::SubresourceLoader::didReceiveData(unsigned char const*, unsigned int, long long, WebCore::DataPayloadType) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/SubresourceLoader.cpp:530:5 #91 0x7f751a73092b in WebKit::WebResourceLoader::didReceiveData(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:210:19 #92 0x7f7519591b4e in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:125:5 #93 0x7f7519591b4e in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:131:5 #94 0x7f7519591b4e in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:202:5 #95 0x7f7519591b4e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/DerivedSources/WebKit/WebResourceLoaderMessageReceiver.cpp:54:16 #96 0x7f7519b71619 in IPC::Connection::dispatchMessage(IPC::Decoder&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1058:14 #97 0x7f7519b71dbe in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1103:9 #98 0x7f7519b729c3 in IPC::Connection::dispatchOneIncomingMessage() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1172:5 #99 0x7f7516739dc7 in WTF::Function<void ()>::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/Function.h:82:35 #100 0x7f7516739dc7 in WTF::RunLoop::performWork() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/RunLoop.cpp:133:9 #101 0x7f75168b8645 in WTF::RunLoop::RunLoop()::$_1::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42 #102 0x7f75168b8645 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43 #103 0x7f75168b5c2c in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #104 0x7f75168b5c2c in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #105 0x7f750fc0304d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) #106 0x7f750fc033ff (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff) #107 0x7f750fc036f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2) #108 0x7f75168b7202 in WTF::RunLoop::run() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #109 0x7f751a9a3c4f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9 #110 0x7f751a9a3c4f in int WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27 #111 0x7f751a9a3c4f in WebKit::WebProcessMain(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:87:12 #112 0x7f750f59f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #113 0x41d37d in _start (/root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/bin/WebKitWebProcess+0x41d37d) 0x61b00012d7b8 is located 56 bytes inside of 1488-byte region [0x61b00012d780,0x61b00012dd50) freed by thread T44 (eadedCompositor) here: #0 0x4c2bd7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7f7519cdf8ea in WebKit::CoordinatedGraphicsScene::updateSceneState()::$_0::operator()(Nicosia::Scene::State&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:264:17 #2 0x7f7519cdf8ea in void Nicosia::Scene::accessState<WebKit::CoordinatedGraphicsScene::updateSceneState()::$_0>(WebKit::CoordinatedGraphicsScene::updateSceneState()::$_0 const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/PrivateHeaders/WebCore/NicosiaScene.h:66:9 #3 0x7f7519cdf8ea in WebKit::CoordinatedGraphicsScene::updateSceneState() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:235:22 #4 0x7f7519cde311 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:65:5 #5 0x7f7519cef1e8 in WebKit::ThreadedCompositor::renderLayerTree() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:235:14 #6 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #7 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 previously allocated by thread T44 (eadedCompositor) here: #0 0x4c2ecf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f75168cc72a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20 #2 0x7f7519cde311 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:65:5 #3 0x7f7519cef1e8 in WebKit::ThreadedCompositor::renderLayerTree() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:235:14 #4 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #5 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 Thread T44 (eadedCompositor) created by T0 here: #0 0x4348a6 in pthread_create /root/llvm/llvm-12/compiler-rt/lib/asan/asan_interceptors.cpp:205:3 #1 0x7f75168c0658 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional<unsigned long>, WTF::Thread::QOS) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:275:17 #2 0x7f7516744b25 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/Threading.cpp:203:32 #3 0x7f7519ce966f in WebKit::createRunLoop() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:46:5 #4 0x7f7519ce966f in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:57:17 #5 0x7f7519ceb0af in std::_MakeUniq<WebKit::CompositingRunLoop>::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:857:34 #6 0x7f7519ceb0af in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/StdLibExtras.h:509:12 #7 0x7f7519ceb0af in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:58:28 #8 0x7f7519ceae4e in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:52:26 SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) Shadow bytes around the buggy address: 0x0c368001daa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001dab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001dac0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x0c368001dad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c368001dae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c368001daf0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd 0x0c368001db00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==18385==ABORTING 1845933 1 webkit-bug-importer 2022-02-25 00:26:06 -0800 <rdar://problem/89462309> 1854048 2 tlock.chijin 2022-03-22 20:44:26 -0700 Is this bug also fixed by the patch of Bug 237187 (https://bugs.webkit.org/show_bug.cgi?id=237187)? 1854091 3 magomez 2022-03-23 03:02:24 -0700 (In reply to Chijin from comment #2) > Is this bug also fixed by the patch of Bug 237187 > (https://bugs.webkit.org/show_bug.cgi?id=237187)? Yes, seems to be exactly the same issue. 1854098 4 tlock.chijin 2022-03-23 03:12:25 -0700 (In reply to Miguel Gomez from comment #3) > (In reply to Chijin from comment #2) > > Is this bug also fixed by the patch of Bug 237187 > > (https://bugs.webkit.org/show_bug.cgi?id=237187)? > > Yes, seems to be exactly the same issue. Should we close this issue as well? 1854100 5 magomez 2022-03-23 03:16:16 -0700 *** This bug has been marked as a duplicate of bug 237187 *** 453183 2022-02-25 00:25:49 -0800 2022-02-25 00:25:49 -0800 This file is generated by a browser fuzzer mini_uaf_setContentsLayer.html text/html 5699 tlock.chijin PGh0bWw+CjxoZWFkPgo8c3R5bGU+Cjwvc3R5bGU+CjxzY3JpcHQ+CnZhciBydW5jb3VudCA9IHsn anNmdXp6ZXInOjAsICdldmVudGhhbmRsZXIxJzowLCAnZXZlbnRoYW5kbGVyMic6MCwgJ2V2ZW50 aGFuZGxlcjMnOjAsICdldmVudGhhbmRsZXI0JzowLCAnZXZlbnRoYW5kbGVyNSc6MH0KZnVuY3Rp b24gZnJlZW1lbW9yeSgpIHsKdHJ5IHsgQ29sbGVjdEdhcmJhZ2UoKTsgfSBjYXRjaChlcnIpIHsg fQp9CmZ1bmN0aW9uIEdldFZhcmlhYmxlKGZ1enplcnZhcnMsIHZhcl90eXBlKSB7IGlmKGZ1enpl cnZhcnNbdmFyX3R5cGVdKSB7IHJldHVybiBmdXp6ZXJ2YXJzW3Zhcl90eXBlXTsgfSBlbHNlIHsg cmV0dXJuIG51bGw7IH19CmZ1bmN0aW9uIFNldFZhcmlhYmxlKGZ1enplcnZhcnMsIHZhcl9uYW1l LCB2YXJfdHlwZSkgeyBmdXp6ZXJ2YXJzW3Zhcl90eXBlXSA9IHZhcl9uYW1lOyB9CmZ1bmN0aW9u IGpzZnV6emVyKCkgewp2YXIgZnV6emVydmFycyA9IHt9OwpTZXRWYXJpYWJsZShmdXp6ZXJ2YXJz LCBkb2N1bWVudCwgJ0RvY3VtZW50Jyk7CnRyeSB7IC8qIG5ld3Zhcnt2YXIwMDAxNzpEb2N1bWVu dH0gKi8gdmFyIHZhcjAwMDE3ID0gdmFyMDAwMTgucGFyc2VGcm9tU3RyaW5nKCJmb28iLCIxIik7 IH0gY2F0Y2goZSkgeyB9CnRyeSB7IGlmICghdmFyMDAwMTcpIHsgdmFyMDAwMTcgPSBHZXRWYXJp YWJsZShmdXp6ZXJ2YXJzLCAnRG9jdW1lbnQnKTsgfSBlbHNlIHsgU2V0VmFyaWFibGUoZnV6emVy dmFycywgdmFyMDAwMTcsICdEb2N1bWVudCcpOyBTZXRWYXJpYWJsZShmdXp6ZXJ2YXJzLCB2YXIw MDAxNywgJ05vZGU7Jyk7ICB9IH0gY2F0Y2goZSkgeyB9CnRyeSB7IC8qIG5ld3Zhcnt2YXIwMDA0 MTpET01XaW5kb3d9ICovIHZhciB2YXIwMDA0MSA9IHdpbmRvdzsgfSBjYXRjaChlKSB7IH0KdHJ5 IHsgLyogbmV3dmFye3ZhcjAwMDY0OkhUTUxBdWRpb0VsZW1lbnR9ICovIHZhciB2YXIwMDA2NCA9 IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoImF1ZGlvIik7IH0gY2F0Y2goZSkgeyB9CnRyeSB7IC8q IG5ld3Zhcnt2YXIwMDA5NTpIVE1MTWVkaWFFbGVtZW50fSAqLyB2YXIgdmFyMDAwOTUgPSB2YXIw MDA2NDsgfSBjYXRjaChlKSB7IH0KdHJ5IHsgLyogbmV3dmFye3ZhcjAwMTQ1OkxvY2F0aW9ufSAq LyB2YXIgdmFyMDAxNDUgPSB2YXIwMDA0MS5sb2NhdGlvbjsgfSBjYXRjaChlKSB7IH0KdHJ5IHsg LyogbmV3dmFye3ZhcjAwMTkzOlNWR1RleHRDb250ZW50RWxlbWVudH0gKi8gdmFyIHZhcjAwMTkz ID0gdmFyMDAxOTQ7IH0gY2F0Y2goZSkgeyB9CnRyeSB7IGlmICghdmFyMDAyNTcpIHsgdmFyMDAy NTcgPSBHZXRWYXJpYWJsZShmdXp6ZXJ2YXJzLCAnUlRDSWNlQ29tcG9uZW50Jyk7IH0gZWxzZSB7 IFNldFZhcmlhYmxlKGZ1enplcnZhcnMsIHZhcjAwMjU3LCAnUlRDSWNlQ29tcG9uZW50Jyk7ICB9 IH0gY2F0Y2goZSkgeyB9CnRyeSB7IC8qIG5ld3Zhcnt2YXIwMDM0ODpVU1ZTdHJpbmd9ICovIHZh ciB2YXIwMDM0OCA9IHZhcjAwMDM4LmJhc2VVUkk7IH0gY2F0Y2goZSkgeyB9CnRyeSB7IC8qIG5l d3Zhcnt2YXIwMDM2MDpFbGVtZW50fSAqLyB2YXIgdmFyMDAzNjAgPSB2YXIwMDAxNy5hY3RpdmVF bGVtZW50OyB9IGNhdGNoKGUpIHsgfQp0cnkgeyBpZiAoIXZhcjAwMzYwKSB7IHZhcjAwMzYwID0g R2V0VmFyaWFibGUoZnV6emVydmFycywgJ0VsZW1lbnQnKTsgfSBlbHNlIHsgU2V0VmFyaWFibGUo ZnV6emVydmFycywgdmFyMDAzNjAsICdFbGVtZW50Jyk7IFNldFZhcmlhYmxlKGZ1enplcnZhcnMs IHZhcjAwMzYwLCAnTm9kZTsnKTsgIH0gfSBjYXRjaChlKSB7IH0KdHJ5IHsgLyogbmV3dmFye3Zh cjAwNDk3OkVsZW1lbnR9ICovIHZhciB2YXIwMDQ5NyA9IHZhcjAwMTI3LmVsZW1lbnRGcm9tUG9p bnQoMC4xNDA5MzM2MzI2NDEzODEwMywwLjk5ODM1OTE2MDAwNjIxMDQpOyB9IGNhdGNoKGUpIHsg fQp0cnkgeyBpZiAoIXZhcjAwNDk3KSB7IHZhcjAwNDk3ID0gR2V0VmFyaWFibGUoZnV6emVydmFy cywgJ0VsZW1lbnQnKTsgfSBlbHNlIHsgU2V0VmFyaWFibGUoZnV6emVydmFycywgdmFyMDA0OTcs ICdFbGVtZW50Jyk7IFNldFZhcmlhYmxlKGZ1enplcnZhcnMsIHZhcjAwNDk3LCAnTm9kZTsnKTsg IH0gfSBjYXRjaChlKSB7IH0KdHJ5IHsgLyogbmV3dmFye3ZhcjAwNjk5OkdMZW51bX0gKi8gdmFy IHZhcjAwNjk5ID0gdmFyMDAxNjYuVEVYVFVSRV9XUkFQX1Q7IH0gY2F0Y2goZSkgeyB9CnRyeSB7 IC8qIG5ld3Zhcnt2YXIwMDg3MzpXZWJHTFJlbmRlcmluZ0NvbnRleHR9ICovIHZhciB2YXIwMDg3 MyA9IGh0bWx2YXIwMDAyMC5nZXRDb250ZXh0KCJ3ZWJnbCIpOyB9IGNhdGNoKGUpIHsgfQp0cnkg eyBpZiAoIXZhcjAwOTI0KSB7IHZhcjAwOTI0ID0gR2V0VmFyaWFibGUoZnV6emVydmFycywgJ3Vu c2lnbmVkJyk7IH0gZWxzZSB7IFNldFZhcmlhYmxlKGZ1enplcnZhcnMsIHZhcjAwOTI0LCAndW5z aWduZWQnKTsgIH0gfSBjYXRjaChlKSB7IH0KdHJ5IHsgdmFyMDAwOTUuc3JjID0gImRhdGE6YXVk aW8vbXAzO2Jhc2U2NCwvL3VReEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBU1c1bWJ3QUFBQThBQUFB REFBQUdoZ0JWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWV3FxcXFx cXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFyLy8vLy8vLy8vLy8vLy8vLy8v Ly8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLzhBQUFBNVRFRk5SVE11T1RseUFjMEFBQUFBQUFBQUFC U0FKQUtqUWdBQWdBQUFCb2FMTFlMY0FBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB Ly91UXhBQUFWSG9PODZDaC93S3JRaCtVSXovWVNoS0RacUVJQUFFM2tRRmcrTlN5VURtNWYveUIr RC9HUDhoam16RzZKeTdsdkZ1OElpZjdpN3ZBcEllVmZOL0RrR0lLR0luQ2FKeE51OXdpZnplaVRm SmxhSlgvTnAvLzl3S0NsV1dEY0c0dkJpSVl3Y0I0TkhpZ29oZ3VEY0JjSXhTaUFhQjRKQWdUNmpm MllEa1FpNS9tbWFia3lhNm5UUkJ5NXVSeUtCNDhUaUZvZ2VndURpaDY2Snd5a0VRQkt6amJ6VGRs M0ZqVUNnZm5ZWkZXTTAxVzN4eDRnL3F0TW4vL3YvLy8vLzkrajlvZVplK0czNU8zWktaOWYrOE4x TENUeUQ1L2hoZXdzZkRqMFREVXpwTU1raHphUFM2VFMxNzJQbzg5bm5KMW1sbjkvcG9kMzEvajRq WWdQV3g3QXE1TVVGbnMzdFVtbFN6UDJmU3ZaWWJPVlQ5T1AzeUxKNGtURVFhY1M2UFN6ZVh0R1Ey SXQwQTVHaElpR24wV01nUzhhamNMZ1o1YkJiaHVJRlNqMEZ1SHdKUXNZOXlJUGdtWjBDNWtwTEtw eUFhQk1pT0JTQzlMbWN5cGYyV0pLVk5JdG9BRTJVRFVvMlhHdmwzKzVTbjUvLy9lZmtLcHFTbDZu TlpxN21Sdms0TFRFcEZKOEVBdUlJY3hBaFJkR2VqSGdBY0RJT3BNTVZqdS8vdVN4QjZBVktZUkFZ Q04vc0tYd2lBb0ZML2dEY2pBL3FHWE16T2tYL2w2UWNaaTZodmI2WTRXY3pPTDkzQW5rZkpsN0NW cWZuYlVRMEhvM0twd21WYmNUNTlEUWt2ckVoU25VQzZWajZVOER2TGV2a0NWNWhzK1dNdXBaS3N5 bEVqeXZjVDBjRWNZN1MyUDBZU2xWR0F1Yk02b0tZZjVjajZqWmsxS3dzeGRJZVp6UmMvUzR2enY1 ZVI5dXIvOUxlaDBmWlBQZVY1dXZicnpUdjFTdVR5NU54VHlXM0NGMHZyRjF0TEZzdUZhNzMzNnl4 bFRpN2NuS2NvZjNrdlBLdTUvMWZ5cXkvbFZmMmIxRHBERHBFN1JJaFNPSkRaUWljeVFxc21LWUVw S0oyTTZJYmNoQ3ZPODRUalVDSElXUDQxMU1tbEFkNmNWckFoRFVmNXhKVS9tSmtKaWhxZEk0ZFk5 RDVScnhCaStzUWVFYWNSUFNUQm91QWo0OGkrTGgwNFovOHYvbWYvZi8vLy8rOFY3UmlSbGxPYmlP dnBhSld1MDZ4Y3lHUDBwa3BhcHRKRG5uaGowZVdpaXh5aWV3aTVyZWJneGVzYXlSSE11UCsyN1dO L0hmZGJKdkVQNGZRWGs3KytWZEhWTVptKzBPZTJhVTRvMXhIUTVpU0tlcERlTTYwc0ljaExFcW1G cWVwMVRFOU9Fd3hLdHNkT3RqMUVGTXlKc3hjb1dNdi83a3NRL2dGVHFFUHdBbWY3Q1lFSWQ4Qk0v NEpwTHFXdzZUVFdBY3hOUzZtc1JrMFJiaEpUNkQrRmZQNGxCQlZTc2dPSnZobWtrT0VqU0JoVWdT SlFJcGlUeWMxVi9uTCtpLzhVSy8vdXBmLzRTZjl2amZ5OCtueW5uVFVUa2pWVnY3VlpHRW5mTjlQ TEhTY2thaTFkL1RvdFQ1WC85UExWMnJ6bmF2VytaWWx0VTh5eHlScVRrVVRramNhVGxncGlVMFhW Z3NVY21BVEFrcU44eFlVWmgzbE9zQ2lsZXhXSnFqdlhxOGhSK3FsdVRySVc1cE9VeVRDTEVTRkhI NmRMVkdQNUxpMnF4bFAxVUQxSmNsSmtybzBsRE50Vk1RVTFGTXk0NU9TNDFWVlZWVlZWVlZWVlZW VlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZW VlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZW VlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZW VlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZW VlZWVlZWVlZWVlZWVlZWVlZVPSI7IH0gY2F0Y2goZSkgeyB9CnRyeSB7IHZhcjAwNDk3LnNldEF0 dHJpYnV0ZSgib25iZWZvcmV1bmxvYWQiLCAiZXZlbnRoYW5kbGVyMigpIik7IH0gY2F0Y2goZSkg eyB9CnRyeSB7IHZhcjAwMTQ1LnBvcnQgPSB2YXIwMDM0ODsgfSBjYXRjaChlKSB7IH0KdHJ5IHsg dmFyMDAwNzEucm93cyA9ICIwLDEiOyB9IGNhdGNoKGUpIHsgfQp0cnkgeyB2YXIwMDg3My5mcm9u dEZhY2UodmFyMDA2OTkpOyB9IGNhdGNoKGUpIHsgfQp9CmZ1bmN0aW9uIGV2ZW50aGFuZGxlcjEo KSB7Cn0KZnVuY3Rpb24gZXZlbnRoYW5kbGVyMigpIHsKdHJ5IHsgLyogbmV3dmFye3ZhcjAwMDI1 OnVuc2lnbmVkfSAqLyB2YXIgdmFyMDAwMjUgPSB2YXIwMDAyNi5DT01QUkVTU0VEX1NSR0I4X1BV TkNIVEhST1VHSF9BTFBIQTFfRVRDMjsgfSBjYXRjaChlKSB7IH0KdHJ5IHsgaHRtbHZhcjAwMDIw LndpZHRoID0gdmFyMDAwMjU7IH0gY2F0Y2goZSkgeyB9Cn0KZnVuY3Rpb24gZXZlbnRoYW5kbGVy MygpIHsKfQpmdW5jdGlvbiBldmVudGhhbmRsZXI0KCkgewp9CmZ1bmN0aW9uIGV2ZW50aGFuZGxl cjUoKSB7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHkgb25sb2FkPWpzZnV6emVyKCk+CjxjYW52 YXMgaWQ9Imh0bWx2YXIwMDAyMCIgZGlyPSJMVFIiIHN0eWxlPSItd2Via2l0LW1hcmdpbi10b3At Y29sbGFwc2U6IGNvbGxhcHNlOyBib3JkZXItaW1hZ2Utd2lkdGg6IDA7IC13ZWJraXQtYWxpZ24t c2VsZjogZmxleC1zdGFydDsgY2FwdGlvbi1zaWRlOiBib3R0b207IGdyaWQtYXJlYTogMSIgZGly PSJhdXRvIiBzcmM9IngiIGhlaWdodD0iMCIgb250b3VjaHN0YXJ0PSJldmVudGhhbmRsZXI1KCki IGF4aXM9InVScHhAQkkrb18iIGNoYXJzZXQ9Imlzby04ODU5LTEiIHNjaGVtZT0iTklTVCIgZGVm ZXI9ImRlZmVyIj5tUi9AJmd0O1JaKCZhbXA7cFsjPC9jYW52YXM+CjwvYm9keT4KPC9odG1sPgo=