69148 2011-09-30 08:17:41 -0700 Crash due to out of bounds read/write in MarkedSpace 2011-10-03 08:14:16 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Major --- 0 michaelbraithwaite ggaren aroben barraclough ggaren oliver oldest_to_newest 476097 0 michaelbraithwaite 2011-09-30 08:17:41 -0700 With JSC from http://trac.webkit.org/browser/releases/WebKitGTK/webkit-1.4.2 on Windows and Mac. MarkedSpace can crash as MarkedSpace::sizeClassFor() accesses m_impreciseSizeClasses out of bounds. * Call MarkedSpace::sizeClassFor(952), e.g. from Heap::allocate(952); * Notice this attempts to access m_impreciseSizeClasses[7] but the size of the array is only 7. * This crashes later as it uses the address of the next member, HashSet<MarkedBlock*> m_blocks, as the SizeClass and trashes it. Also if you pass 121-127 in to sizeClassFor() it access the out of bounds m_preciseSizeClasses[15] element but due to the class layout this is m_impreciseSizeClasses[0] so it kind of works. I thought the bug was an out by one error in the size of both MarkedSpace::m_preciseSizeClasses and MarkedSpace::m_impreciseSizeClasses i.e. they should be static const size_t preciseCount = preciseCutoff / preciseStep; static const size_t impreciseCount = impreciseCutoff / impreciseStep; but the way its used in MarkedSpace::MarkedSpace() and MarkedSpace::reset() seem inconsistent with that. I'm not clear on whether SizeClass.cellSize was meant to be an upper bound or lower bound. Callstack: > jscd.dll!WTF::HashTable<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >::isEmptyBucket(WTF::StringImpl * const & value=) Line 339 + 0x19 bytes C++ jscd.dll!WTF::HashTable<char const *,std::pair<char const *,WTF::RefPtr<WTF::StringImpl> >,WTF::PairFirstExtractor<std::pair<char const *,WTF::RefPtr<WTF::StringImpl> > >,WTF::PtrHash<char const *>,WTF::PairHashTraits<WTF::HashTraits<char const *>,WTF::HashTraits<WTF::RefPtr<WTF::StringImpl> > >,WTF::HashTraits<char const *> >::isEmptyOrDeletedBucket(const std::pair<char const *,WTF::RefPtr<WTF::StringImpl> > & value=(...,{m_ptr=??? })) Line 341 + 0xd bytes C++ jscd.dll!WTF::HashTableConstIterator<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >::skipEmptyBuckets() Line 109 + 0x18 bytes C++ jscd.dll!WTF::HashTableConstIterator<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >::HashTableConstIterator<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >(const WTF::HashTable<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> > * table=0x0d1eaff4, WTF::StringImpl * const * position=0x00000000, WTF::StringImpl * const * endPosition=0x00000100) Line 118 C++ jscd.dll!WTF::HashTable<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >::makeConstIterator(WTF::StringImpl * * pos=0x00000000) Line 392 + 0x26 bytes C++ jscd.dll!WTF::HashTable<WTF::StringImpl *,WTF::StringImpl *,WTF::IdentityExtractor<WTF::StringImpl *>,WTF::StringHash,WTF::HashTraits<WTF::StringImpl *>,WTF::HashTraits<WTF::StringImpl *> >::begin() Line 310 + 0x19 bytes C++ jscd.dll!WTF::HashSet<JSC::MarkedBlock *,WTF::PtrHash<JSC::MarkedBlock *>,WTF::HashTraits<JSC::MarkedBlock *> >::begin() Line 139 + 0xc bytes C++ jscd.dll!JSC::MarkedSpace::clearMarks() Line 113 + 0x12 bytes C++ jscd.dll!JSC::Heap::markRoots() Line 227 C++ jscd.dll!JSC::Heap::reset(JSC::Heap::SweepToggle sweepToggle=DoNotSweep) Line 378 C++ jscd.dll!JSC::Heap::allocateSlowCase(unsigned int bytes=952) Line 126 C++ npturbulenz.dll!JSC::Heap::allocate(unsigned int bytes=952) Line 420 C++ npturbulenz.dll!JSC::JSCell::operator new(unsigned int size=952, JSC::JSGlobalData * globalData=0x0d1e9fd8) Line 425 C++ 476236 1 ggaren 2011-09-30 12:15:37 -0700 > I'm not clear on whether SizeClass.cellSize was meant to be an upper bound or lower bound. Upper bound. 476266 2 ggaren 2011-09-30 12:57:58 -0700 The bug here is that 952 is bigger than the biggest object the Heap can allocate. Another bug is that the Heap's object size assertions did not kick in, since they assume that the Heap can allocate up to maxCellSize, when in reality it can only allocate up to maxCellSize - impreciseStep. 476269 3 109333 ggaren 2011-09-30 13:03:49 -0700 Created attachment 109333 Patch 476304 4 ggaren 2011-09-30 14:14:01 -0700 Committed r96424: <http://trac.webkit.org/changeset/96424> 476627 5 aroben 2011-10-01 20:25:56 -0700 Is it possible to write a test for this? 476720 6 ggaren 2011-10-02 15:03:03 -0700 (In reply to comment #5) > Is it possible to write a test for this? It's not currently possible because there are no subclasses of JSCell that are 952 bytes. I'm not sure how WebKitGTK ran into this issue. (Maybe I'm forgetting about a particular subclass, though?) 476981 7 aroben 2011-10-03 08:14:16 -0700 (In reply to comment #6) > (In reply to comment #5) > > Is it possible to write a test for this? > > It's not currently possible because there are no subclasses of JSCell that are 952 bytes. I'm not sure how WebKitGTK ran into this issue. (Maybe I'm forgetting about a particular subclass, though?) Thanks for the explanation. In the future it would be nice to put information like this in the ChangeLog. 109333 2011-09-30 13:03:49 -0700 2011-09-30 13:15:23 -0700 Patch bug-69148-20110930130348.patch text/plain 5812 ggaren SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTY0MTQpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjkgQEAK KzIwMTEtMDktMzAgIEdlb2ZmcmV5IEdhcmVuICA8Z2dhcmVuQGFwcGxlLmNvbT4KKworICAgICAg ICBDcmFzaCBkdWUgdG8gb3V0IG9mIGJvdW5kcyByZWFkL3dyaXRlIGluIE1hcmtlZFNwYWNlCisg ICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD02OTE0OAorICAg ICAgICAKKyAgICAgICAgVGhpcyB3YXMgYSBjYXNlIG9mIGJlaW5nIHN1cnByaXNlZCBieSBhIHBv b3JseSBhcml0dWxjYXRlZCBjZWxsIHNpemUgbGltaXQsCisgICAgICAgIHBsdXMgYW4gaW5jb3Jy ZWN0IEFTU0VSVCBndWFyZGluZyB0aGUgY2VsbCBzaXplIGxpbWl0LgorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgICogaGVhcC9NYXJrZWRTcGFjZS5oOgor ICAgICAgICAoSlNDOjpNYXJrZWRTcGFjZTo6c2l6ZUNsYXNzRm9yKTogQ2hhbmdlZCBoZWFwIHNp emUgcmFuZ2VzIHRvIGJlIGluY2x1c2l2ZSwKKyAgICAgICAgc2luY2UgaXQgbWFrZXMgdGhlIHJh bmdlcyBlYXNpZXIgdG8gdW5kZXJzdGFuZC4KKyAgICAgICAgCisgICAgICAgIEJ1bXBlZCB1cCB0 aGUgbWF4IGNlbGwgc2l6ZSB0byBzdXBwb3J0IHRoZSB1c2UgY2FzZSBpbiB0aGlzIGJ1Zy4gU2lu Y2UgdGhlCisgICAgICAgIGF0b21TaXplIGlzIG11Y2ggYmlnZ2VyIHRoYW4gaXQgdXNlZCB0byBi ZSwgdGhlcmUgaXNuJ3QgbXVjaCBhY2NvdW50aW5nCisgICAgICAgIGNvc3QgdG8gaGFuZGxpbmcg bW9yZSBzaXplIGNsYXNzZXMuCisgICAgICAgIAorICAgICAgICBTd2l0Y2hlZCB0byBGaXhlZEFy cmF5LCB0byBoZWxwIGNhdGNoIFNpemVDbGFzcyBpbmRleGluZyBidWdzIGluIHRoZSBmdXR1cmUu CisKKyAgICAgICAgKiBoZWFwL01hcmtlZFNwYWNlLmNwcDoKKyAgICAgICAgKEpTQzo6TWFya2Vk U3BhY2U6Ok1hcmtlZFNwYWNlKToKKyAgICAgICAgKEpTQzo6TWFya2VkU3BhY2U6OnJlc2V0QWxs b2NhdG9yKToKKyAgICAgICAgKEpTQzo6TWFya2VkU3BhY2U6OmNhbm9uaWNhbGl6ZUNlbGxMaXZl bmVzc0RhdGEpOiBVcGRhdGVkIGZvciBzaXplIHJhbmdlcworICAgICAgICBiZWluZyBpbmNsdXNp dmUuCisKIDIwMTEtMDktMzAgIE1hcmsgSGFobmVuYmVyZyAgPG1oYWhuZW5iZXJnQGFwcGxlLmNv bT4KIAogICAgICAgICBBZGQgZ2V0Q2FsbERhdGEgdG8gTWV0aG9kVGFibGUgaW4gQ2xhc3NJbmZv CkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaGVhcC9NYXJrZWRTcGFjZS5jcHAKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAvTWFya2VkU3BhY2UuY3BwCShyZXZp c2lvbiA5NjQxNCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL01hcmtlZFNwYWNlLmNw cAkod29ya2luZyBjb3B5KQpAQCAtMzUsMTAgKzM1LDEwIEBAIE1hcmtlZFNwYWNlOjpNYXJrZWRT cGFjZShIZWFwKiBoZWFwKQogICAgICwgbV9oaWdoV2F0ZXJNYXJrKDApCiAgICAgLCBtX2hlYXAo aGVhcCkKIHsKLSAgICBmb3IgKHNpemVfdCBjZWxsU2l6ZSA9IHByZWNpc2VTdGVwOyBjZWxsU2l6 ZSA8IHByZWNpc2VDdXRvZmY7IGNlbGxTaXplICs9IHByZWNpc2VTdGVwKQorICAgIGZvciAoc2l6 ZV90IGNlbGxTaXplID0gcHJlY2lzZVN0ZXA7IGNlbGxTaXplIDw9IHByZWNpc2VDdXRvZmY7IGNl bGxTaXplICs9IHByZWNpc2VTdGVwKQogICAgICAgICBzaXplQ2xhc3NGb3IoY2VsbFNpemUpLmNl bGxTaXplID0gY2VsbFNpemU7CiAKLSAgICBmb3IgKHNpemVfdCBjZWxsU2l6ZSA9IGltcHJlY2lz ZVN0ZXA7IGNlbGxTaXplIDwgaW1wcmVjaXNlQ3V0b2ZmOyBjZWxsU2l6ZSArPSBpbXByZWNpc2VT dGVwKQorICAgIGZvciAoc2l6ZV90IGNlbGxTaXplID0gaW1wcmVjaXNlU3RlcDsgY2VsbFNpemUg PD0gaW1wcmVjaXNlQ3V0b2ZmOyBjZWxsU2l6ZSArPSBpbXByZWNpc2VTdGVwKQogICAgICAgICBz aXplQ2xhc3NGb3IoY2VsbFNpemUpLmNlbGxTaXplID0gY2VsbFNpemU7CiB9CiAKQEAgLTY0LDE5 ICs2NCwxOSBAQCB2b2lkIE1hcmtlZFNwYWNlOjpyZXNldEFsbG9jYXRvcigpCiB7CiAgICAgbV93 YXRlck1hcmsgPSAwOwogCi0gICAgZm9yIChzaXplX3QgY2VsbFNpemUgPSBwcmVjaXNlU3RlcDsg Y2VsbFNpemUgPCBwcmVjaXNlQ3V0b2ZmOyBjZWxsU2l6ZSArPSBwcmVjaXNlU3RlcCkKKyAgICBm b3IgKHNpemVfdCBjZWxsU2l6ZSA9IHByZWNpc2VTdGVwOyBjZWxsU2l6ZSA8PSBwcmVjaXNlQ3V0 b2ZmOyBjZWxsU2l6ZSArPSBwcmVjaXNlU3RlcCkKICAgICAgICAgc2l6ZUNsYXNzRm9yKGNlbGxT aXplKS5yZXNldEFsbG9jYXRvcigpOwogCi0gICAgZm9yIChzaXplX3QgY2VsbFNpemUgPSBpbXBy ZWNpc2VTdGVwOyBjZWxsU2l6ZSA8IGltcHJlY2lzZUN1dG9mZjsgY2VsbFNpemUgKz0gaW1wcmVj aXNlU3RlcCkKKyAgICBmb3IgKHNpemVfdCBjZWxsU2l6ZSA9IGltcHJlY2lzZVN0ZXA7IGNlbGxT aXplIDw9IGltcHJlY2lzZUN1dG9mZjsgY2VsbFNpemUgKz0gaW1wcmVjaXNlU3RlcCkKICAgICAg ICAgc2l6ZUNsYXNzRm9yKGNlbGxTaXplKS5yZXNldEFsbG9jYXRvcigpOwogfQogCiB2b2lkIE1h cmtlZFNwYWNlOjpjYW5vbmljYWxpemVDZWxsTGl2ZW5lc3NEYXRhKCkKIHsKLSAgICBmb3IgKHNp emVfdCBjZWxsU2l6ZSA9IHByZWNpc2VTdGVwOyBjZWxsU2l6ZSA8IHByZWNpc2VDdXRvZmY7IGNl bGxTaXplICs9IHByZWNpc2VTdGVwKQorICAgIGZvciAoc2l6ZV90IGNlbGxTaXplID0gcHJlY2lz ZVN0ZXA7IGNlbGxTaXplIDw9IHByZWNpc2VDdXRvZmY7IGNlbGxTaXplICs9IHByZWNpc2VTdGVw KQogICAgICAgICBzaXplQ2xhc3NGb3IoY2VsbFNpemUpLnphcEZyZWVMaXN0KCk7CiAKLSAgICBm b3IgKHNpemVfdCBjZWxsU2l6ZSA9IGltcHJlY2lzZVN0ZXA7IGNlbGxTaXplIDwgaW1wcmVjaXNl Q3V0b2ZmOyBjZWxsU2l6ZSArPSBpbXByZWNpc2VTdGVwKQorICAgIGZvciAoc2l6ZV90IGNlbGxT aXplID0gaW1wcmVjaXNlU3RlcDsgY2VsbFNpemUgPD0gaW1wcmVjaXNlQ3V0b2ZmOyBjZWxsU2l6 ZSArPSBpbXByZWNpc2VTdGVwKQogICAgICAgICBzaXplQ2xhc3NGb3IoY2VsbFNpemUpLnphcEZy ZWVMaXN0KCk7CiB9CiAKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9oZWFwL01hcmtlZFNw YWNlLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2hlYXAvTWFya2VkU3Bh Y2UuaAkocmV2aXNpb24gOTY0MTQpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaGVhcC9NYXJr ZWRTcGFjZS5oCSh3b3JraW5nIGNvcHkpCkBAIC0zMiw3ICszMiw3IEBACiAjaW5jbHVkZSA8d3Rm L05vbmNvcHlhYmxlLmg+CiAjaW5jbHVkZSA8d3RmL1ZlY3Rvci5oPgogCi0jZGVmaW5lIEFTU0VS VF9DTEFTU19GSVRTX0lOX0NFTEwoY2xhc3MpIENPTVBJTEVfQVNTRVJUKHNpemVvZihjbGFzcykg PCBNYXJrZWRTcGFjZTo6bWF4Q2VsbFNpemUsIGNsYXNzX2ZpdHNfaW5fY2VsbCkKKyNkZWZpbmUg QVNTRVJUX0NMQVNTX0ZJVFNfSU5fQ0VMTChjbGFzcykgQ09NUElMRV9BU1NFUlQoc2l6ZW9mKGNs YXNzKSA8PSBNYXJrZWRTcGFjZTo6bWF4Q2VsbFNpemUsIGNsYXNzX2ZpdHNfaW5fY2VsbCkKIAog bmFtZXNwYWNlIEpTQyB7CiAKQEAgLTQ1LDcgKzQ1LDcgQEAgY2xhc3MgU2xvdFZpc2l0b3I7CiBj bGFzcyBNYXJrZWRTcGFjZSB7CiAgICAgV1RGX01BS0VfTk9OQ09QWUFCTEUoTWFya2VkU3BhY2Up OwogcHVibGljOgotICAgIHN0YXRpYyBjb25zdCBzaXplX3QgbWF4Q2VsbFNpemUgPSAxMDI0Owor ICAgIHN0YXRpYyBjb25zdCBzaXplX3QgbWF4Q2VsbFNpemUgPSAyMDQ4OwogCiAgICAgc3RydWN0 IFNpemVDbGFzcyB7CiAgICAgICAgIFNpemVDbGFzcygpOwpAQCAtNzgsMTkgKzc4LDE4IEBAIHB1 YmxpYzoKICAgICB0ZW1wbGF0ZTx0eXBlbmFtZSBGdW5jdG9yPiB0eXBlbmFtZSBGdW5jdG9yOjpS ZXR1cm5UeXBlIGZvckVhY2hCbG9jaygpOwogCiBwcml2YXRlOgotICAgIC8vIFsgOCwgMTYuLi4g MTI4ICkKKyAgICAvLyBbIDMyLi4uIDI1NiBdCiAgICAgc3RhdGljIGNvbnN0IHNpemVfdCBwcmVj aXNlU3RlcCA9IE1hcmtlZEJsb2NrOjphdG9tU2l6ZTsKLSAgICBzdGF0aWMgY29uc3Qgc2l6ZV90 IHByZWNpc2VDdXRvZmYgPSAxMjg7Ci0gICAgc3RhdGljIGNvbnN0IHNpemVfdCBtYXhpbXVtUHJl Y2lzZUFsbG9jYXRpb25TaXplID0gcHJlY2lzZUN1dG9mZiAtIHByZWNpc2VTdGVwOwotICAgIHN0 YXRpYyBjb25zdCBzaXplX3QgcHJlY2lzZUNvdW50ID0gcHJlY2lzZUN1dG9mZiAvIHByZWNpc2VT dGVwIC0gMTsKKyAgICBzdGF0aWMgY29uc3Qgc2l6ZV90IHByZWNpc2VDdXRvZmYgPSAyNTY7Cisg ICAgc3RhdGljIGNvbnN0IHNpemVfdCBwcmVjaXNlQ291bnQgPSBwcmVjaXNlQ3V0b2ZmIC8gcHJl Y2lzZVN0ZXA7CiAKLSAgICAvLyBbIDEyOCwgMjU2Li4uIDEwMjQgKQorICAgIC8vIFsgNTEyLi4u IDIwNDggXQogICAgIHN0YXRpYyBjb25zdCBzaXplX3QgaW1wcmVjaXNlU3RlcCA9IHByZWNpc2VD dXRvZmY7CiAgICAgc3RhdGljIGNvbnN0IHNpemVfdCBpbXByZWNpc2VDdXRvZmYgPSBtYXhDZWxs U2l6ZTsKLSAgICBzdGF0aWMgY29uc3Qgc2l6ZV90IGltcHJlY2lzZUNvdW50ID0gaW1wcmVjaXNl Q3V0b2ZmIC8gaW1wcmVjaXNlU3RlcCAtIDE7CisgICAgc3RhdGljIGNvbnN0IHNpemVfdCBpbXBy ZWNpc2VDb3VudCA9IGltcHJlY2lzZUN1dG9mZiAvIGltcHJlY2lzZVN0ZXA7CiAKLSAgICBTaXpl Q2xhc3MgbV9wcmVjaXNlU2l6ZUNsYXNzZXNbcHJlY2lzZUNvdW50XTsKLSAgICBTaXplQ2xhc3Mg bV9pbXByZWNpc2VTaXplQ2xhc3Nlc1tpbXByZWNpc2VDb3VudF07CisgICAgRml4ZWRBcnJheTxT aXplQ2xhc3MsIHByZWNpc2VDb3VudD4gbV9wcmVjaXNlU2l6ZUNsYXNzZXM7CisgICAgRml4ZWRB cnJheTxTaXplQ2xhc3MsIGltcHJlY2lzZUNvdW50PiBtX2ltcHJlY2lzZVNpemVDbGFzc2VzOwog ICAgIHNpemVfdCBtX3dhdGVyTWFyazsKICAgICBzaXplX3QgbV9oaWdoV2F0ZXJNYXJrOwogICAg IEhlYXAqIG1faGVhcDsKQEAgLTExMyw4ICsxMTIsOCBAQCBpbmxpbmUgdm9pZCBNYXJrZWRTcGFj ZTo6c2V0SGlnaFdhdGVyTWFyCiAKIGlubGluZSBNYXJrZWRTcGFjZTo6U2l6ZUNsYXNzJiBNYXJr ZWRTcGFjZTo6c2l6ZUNsYXNzRm9yKHNpemVfdCBieXRlcykKIHsKLSAgICBBU1NFUlQoYnl0ZXMg JiYgYnl0ZXMgPCBtYXhDZWxsU2l6ZSk7Ci0gICAgaWYgKGJ5dGVzIDw9IG1heGltdW1QcmVjaXNl QWxsb2NhdGlvblNpemUpCisgICAgQVNTRVJUKGJ5dGVzICYmIGJ5dGVzIDw9IG1heENlbGxTaXpl KTsKKyAgICBpZiAoYnl0ZXMgPD0gcHJlY2lzZUN1dG9mZikKICAgICAgICAgcmV0dXJuIG1fcHJl Y2lzZVNpemVDbGFzc2VzWyhieXRlcyAtIDEpIC8gcHJlY2lzZVN0ZXBdOwogICAgIHJldHVybiBt X2ltcHJlY2lzZVNpemVDbGFzc2VzWyhieXRlcyAtIDEpIC8gaW1wcmVjaXNlU3RlcF07CiB9Cg==