<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://bugs.webkit.org/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4.1"
          urlbase="https://bugs.webkit.org/"
          
          maintainer="admin@webkit.org"
>

    <bug>
          <bug_id>70456</bug_id>
          <alias>CVE-2012-0611</alias>
          <creation_ts>2011-10-19 16:54:24 -0700</creation_ts>
          <short_desc>Use after free in positioned generated content under run-in</short_desc>
          <delta_ts>2014-02-18 22:36:39 -0800</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Security</product>
          <component>Security</component>
          <version>525.x (Nightly build)</version>
          <rep_platform>All</rep_platform>
          <op_sys>All</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>InRadar</keywords>
          <priority>P2</priority>
          <bug_severity>Major</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Abhishek Arya">inferno</reporter>
          <assigned_to name="WebKit Security Group">webkit-security-unassigned</assigned_to>
          <cc>ayao</cc>
    
    <cc>cdn</cc>
    
    <cc>commit-queue</cc>
    
    <cc>esprehn</cc>
    
    <cc>hyatt</cc>
    
    <cc>kenrb</cc>
    
    <cc>kling</cc>
    
    <cc>mitz</cc>
    
    <cc>simon.fraser</cc>
    
    <cc>staikos</cc>
    
    <cc>webkit.review.bot</cc>
    
    <cc>yong.li.webkit</cc>
          

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>487140</commentid>
    <comment_count>0</comment_count>
    <who name="Abhishek Arya">inferno</who>
    <bug_when>2011-10-19 16:54:24 -0700</bug_when>
    <thetext>credit: Marty + ASAN + ClusterFuzz
http://code.google.com/p/chromium/issues/detail?id=100958

Bot CLUSTER_FUZZ_331 on platform LINUX
Chromium Revision : 106012
Webkit Revision : 97678

Testcase::
&lt;style&gt; .c17 { position: relative; }
.c19::after { display: compact; position: absolute; content: no-close-quote; }
.c19:nth-of-type(-n+6) { display: run-in;&lt;/style&gt;
&lt;script&gt;
var nodes = Array();
function boom() {
try { nodes[45] = document.createElement(&apos;thead&apos;); } catch(e) {}
try { nodes[45].setAttribute(&apos;class&apos;, &apos;c19&apos;); } catch(e) {}
try { document.documentElement.appendChild(nodes[45]); } catch(e) {}
try { nodes[46] = document.createElement(&apos;b&apos;); } catch(e) {}
try { nodes[46].setAttribute(&apos;class&apos;, &apos;c19&apos;); } catch(e) {}
try { document.documentElement.appendChild(nodes[46]); } catch(e) {}
try { nodes[47] = document.createElement(&apos;header&apos;); } catch(e) {}
try { document.documentElement.appendChild(nodes[47]); } catch(e) {}
}
window.onload = boom;
&lt;/script&gt;

/mnt/scratch0/chrome/src/out/Release/DumpRenderTree 

ASAN:SIGILL
=================================================================
==16725== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6cbb283ab0 at pc 0x2527275 bp 0x7fff3223adf0 sp 0x7fff3223ace0
READ of size 1 at 0x7f6cbb283ab0 thread T0
    #0 0x2527275 in WebCore::RenderBlock::layoutPositionedObjects(bool) 
    #1 0x251d37d in WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) 
    #2 0x251afe9 in WebCore::RenderBlock::layout() 
    #3 0x27de57b in WebCore::RenderView::layout() 
    #4 0x2045cab in WebCore::FrameView::layout(bool) 
    #5 0x2050277 in WebCore::FrameView::visibleContentsResized() 
    #6 0x16f7d77 in WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&amp;) 
    #7 0x16fa7e4 in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&amp;) 
    #8 0x2041e3b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&amp;) 
    #9 0x2042291 in WebCore::FrameView::adjustViewSize() 
    #10 0x2045e2f in WebCore::FrameView::layout(bool) 
    #11 0x12d2168 in WebCore::Document::implicitClose() 
    #12 0x1ee65dc in WebCore::FrameLoader::checkCompleted() 
    #13 0x1ee28c8 in WebCore::FrameLoader::finishedParsing() 
    #14 0x12f073e in WebCore::Document::finishedParsing() 
    #15 0x15b9b4e in WebCore::HTMLDocumentParser::prepareToStopParsing() 
    #16 0x1ec4444 in WebCore::DocumentWriter::endIfNotLoadingMainResource() 
    #17 0x1f030f9 in WebCore::FrameLoader::finishedLoading() 
    #18 0x1f28034 in WebCore::MainResourceLoader::didFinishLoading(double) 
    #19 0x338c097 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) 
    #20 0x34c3c03 in (anonymous namespace)::RequestProxy::NotifyCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) webkit/tools/test_shell/simple_resource_loader_bridge.cc:0
    #21 0x34c405e in base::internal::Invoker4&lt;false, base::internal::InvokerStorage4&lt;void ((anonymous namespace)::RequestProxy::*)(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;), (anonymous namespace)::RequestProxy*, net::URLRequestStatus, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt;, base::Time&gt;, void ((anonymous namespace)::RequestProxy::*)(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;)&gt;::DoInvoke(base::internal::InvokerStorageBase*) webkit/tools/test_shell/simple_resource_loader_bridge.cc:0
    #22 0x866067 in MessageLoop::RunTask(MessageLoop::PendingTask const&amp;) 
    #23 0x866819 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&amp;) 
    #24 0x867cd8 in MessageLoop::DoWork() 
    #25 0x8aef0f in (anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_pump_glib.cc:0
    #26 0x7f6cc34298c2 in g_main_dispatch /build/buildd/glib2.0-2.24.1/glib/gmain.c:1960
    #27 0x7f6cc342d748 in g_main_context_iterate /build/buildd/glib2.0-2.24.1/glib/gmain.c:2591
    #28 0x7f6cc342d8fc in IA__g_main_context_iteration /build/buildd/glib2.0-2.24.1/glib/gmain.c:2654
    #29 0x8b1361 in base::MessagePumpGtk::RunOnce(_GMainContext*, bool) 
    #30 0x8afa6d in base::MessagePumpGlib::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpDispatcher*) 
    #31 0x864ba9 in MessageLoop::RunInternal() 
    #32 0x863ad9 in MessageLoop::Run() 
    #33 0x48d2f5 in TestShell::waitTestFinished() 
    #34 0x4847a2 in TestShell::runFileTest(TestParams const&amp;) 
    #35 0x434dda in runTest(TestShell&amp;, TestParams&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, bool) third_party/WebKit/Tools/DumpRenderTree/chromium/DumpRenderTree.cpp:0
    #36 0x433ab7 in main 
    #37 0x7f6cbf7c7c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
    #38 0x419499 in _start 
0x7f6cbb283ab0 is located 48 bytes inside of 184-byte region [0x7f6cbb283a80,0x7f6cbb283b38)
freed by thread T0 here:
    #1 0x27328ef in WebCore::RenderObjectChildList::destroyLeftoverChildren() 
    #2 0x250e3e0 in WebCore::RenderBlock::willBeDestroyed() 
    #3 0x272cd32 in WebCore::RenderObject::destroy() 
    #4 0x252d915 in WebCore::RenderBlock::handleRunInChild(WebCore::RenderBox*) 
    #5 0x25242f6 in WebCore::RenderBlock::layoutBlockChildren(bool, int&amp;) 
    #6 0x251c59b in WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) 
    #7 0x251afe9 in WebCore::RenderBlock::layout() 
    #8 0x2537e94 in WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&amp;, int&amp;, int&amp;) 
    #9 0x252431a in WebCore::RenderBlock::layoutBlockChildren(bool, int&amp;) 
    #10 0x251c59b in WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) 
    #11 0x251afe9 in WebCore::RenderBlock::layout() 
    #12 0x27de57b in WebCore::RenderView::layout() 
    #13 0x2045cab in WebCore::FrameView::layout(bool) 
    #14 0x2050277 in WebCore::FrameView::visibleContentsResized() 
    #15 0x16f7d77 in WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&amp;) 
    #16 0x16fa7e4 in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&amp;) 
    #17 0x2041e3b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&amp;) 
    #18 0x2042291 in WebCore::FrameView::adjustViewSize() 
    #19 0x2045e2f in WebCore::FrameView::layout(bool) 
    #20 0x12d2168 in WebCore::Document::implicitClose() 
    #21 0x1ee65dc in WebCore::FrameLoader::checkCompleted() 
    #22 0x1ee28c8 in WebCore::FrameLoader::finishedParsing() 
    #23 0x12f073e in WebCore::Document::finishedParsing() 
    #24 0x15b9b4e in WebCore::HTMLDocumentParser::prepareToStopParsing() 
    #25 0x1ec4444 in WebCore::DocumentWriter::endIfNotLoadingMainResource() 
    #26 0x1f030f9 in WebCore::FrameLoader::finishedLoading() 
    #27 0x1f28034 in WebCore::MainResourceLoader::didFinishLoading(double) 
    #28 0x338c097 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) 
    #29 0x34c3c03 in (anonymous namespace)::RequestProxy::NotifyCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) webkit/tools/test_shell/simple_resource_loader_bridge.cc:0
previously allocated by thread T0 here:
    #1 0x2714f6d in WebCore::RenderObject::createObject(WebCore::Node*, WebCore::RenderStyle*) 
    #2 0x273769b in WebCore::RenderObjectChildList::updateBeforeAfterContent(WebCore::RenderObject*, WebCore::PseudoId, WebCore::RenderObject const*) 
    #3 0x25103ba in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) 
    #4 0x272733e in WebCore::RenderObject::setStyle(WTF::PassRefPtr&lt;WebCore::RenderStyle&gt;) 
    #5 0x272665b in WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr&lt;WebCore::RenderStyle&gt;) 
    #6 0x1389b7d in WebCore::NodeRendererFactory::createRenderer() 
    #7 0x138a35e in WebCore::NodeRendererFactory::createRendererIfNeeded() 
    #8 0x13693b6 in WebCore::Node::createRendererIfNeeded() 
    #9 0x132dfd5 in WebCore::Element::attach() 
    #10 0x132ff5c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 
    #11 0x1330c6c in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 
    #12 0x12cf572 in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) 
    #13 0x12d281f in WebCore::Document::updateStyleIfNeeded() 
    #14 0x12d202f in WebCore::Document::implicitClose() 
    #15 0x1ee65dc in WebCore::FrameLoader::checkCompleted() 
    #16 0x1ee28c8 in WebCore::FrameLoader::finishedParsing() 
    #17 0x12f073e in WebCore::Document::finishedParsing() 
    #18 0x15b9b4e in WebCore::HTMLDocumentParser::prepareToStopParsing() 
    #19 0x1ec4444 in WebCore::DocumentWriter::endIfNotLoadingMainResource() 
    #20 0x1f030f9 in WebCore::FrameLoader::finishedLoading() 
    #21 0x1f28034 in WebCore::MainResourceLoader::didFinishLoading(double) 
    #22 0x338c097 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) 
    #23 0x34c3c03 in (anonymous namespace)::RequestProxy::NotifyCompletedRequest(net::URLRequestStatus const&amp;, std::basic_string&lt;char, std::char_traits&lt;char&gt;, std::allocator&lt;char&gt; &gt; const&amp;, base::Time const&amp;) webkit/tools/test_shell/simple_resource_loader_bridge.cc:0
==16725== ABORTING
Shadow byte and word:
  0x1fed97650756: fd
  0x1fed97650750: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fed97650730: 00 00 00 00 00 00 00 00
  0x1fed97650738: 00 00 00 00 00 00 00 00
  0x1fed97650740: fa fa fa fa fa fa fa fa
  0x1fed97650748: fa fa fa fa fa fa fa fa
=&gt;0x1fed97650750: fd fd fd fd fd fd fd fd
  0x1fed97650758: fd fd fd fd fd fd fd fd
  0x1fed97650760: fd fd fd fd fd fd fd fd
  0x1fed97650768: fd fd fd fd fd fd fd fd
  0x1fed97650770: fa fa fa fa fa fa fa fa
	base::debug::StackTrace::StackTrace() [0x8c5296]
	base::(anonymous namespace)::StackDumpSignalHandler() [0x891e2f]
	0x7f6cbf7dcaf0
	0x7f6cbf7dca75
	0x7f6cbf7e05c0
	asan_report_error() [0x4873140]
	0x7f6cc06ce8f0
	WebCore::RenderBlock::layoutPositionedObjects() [0x2527275]
	WebCore::RenderBlock::layoutBlock() [0x251d37d]
	WebCore::RenderBlock::layout() [0x251afe9]
	WebCore::RenderView::layout() [0x27de57b]
	WebCore::FrameView::layout() [0x2045cab]
	WebCore::FrameView::visibleContentsResized() [0x2050277]
	WebCore::ScrollView::updateScrollbars() [0x16f7d77]
	WebCore::ScrollView::setContentsSize() [0x16fa7e4]
	WebCore::FrameView::setContentsSize() [0x2041e3b]
	WebCore::FrameView::adjustViewSize() [0x2042291]
	WebCore::FrameView::layout() [0x2045e2f]
	WebCore::Document::implicitClose() [0x12d2168]
	WebCore::FrameLoader::checkCompleted() [0x1ee65dc]
	WebCore::FrameLoader::finishedParsing() [0x1ee28c8]
	WebCore::Document::finishedParsing() [0x12f073e]
	WebCore::HTMLDocumentParser::prepareToStopParsing() [0x15b9b4e]
	WebCore::DocumentWriter::endIfNotLoadingMainResource() [0x1ec4444]
	WebCore::FrameLoader::finishedLoading() [0x1f030f9]
	WebCore::MainResourceLoader::didFinishLoading() [0x1f28034]
	webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest() [0x338c097]
	(anonymous namespace)::RequestProxy::NotifyCompletedRequest() [0x34c3c03]
	base::internal::Invoker4&lt;&gt;::DoInvoke() [0x34c405e]
	MessageLoop::RunTask() [0x866067]
	MessageLoop::DeferOrRunPendingTask() [0x866819]
	MessageLoop::DoWork() [0x867cd8]
	(anonymous namespace)::WorkSourceDispatch() [0x8aef0f]
	0x7f6cc34298c2
	0x7f6cc342d748
	0x7f6cc342d8fc
	base::MessagePumpGtk::RunOnce() [0x8b1361]
	base::MessagePumpGlib::RunWithDispatcher() [0x8afa6d]
	MessageLoop::RunInternal() [0x864ba9]
	MessageLoop::Run() [0x863ad9]
	TestShell::waitTestFinished() [0x48d2f5]
	TestShell::runFileTest() [0x4847a2]
	runTest() [0x434dda]
	main [0x433ab7]
	0x7f6cbf7c7c4d
	0x419499</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>487620</commentid>
    <comment_count>1</comment_count>
    <who name="Lucas Forschler">lforschler</who>
    <bug_when>2011-10-20 09:17:00 -0700</bug_when>
    <thetext>&lt;rdar://problem/10317548&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>487678</commentid>
    <comment_count>2</comment_count>
    <who name="Abhishek Arya">inferno</who>
    <bug_when>2011-10-20 10:08:37 -0700</bug_when>
    <thetext>Reduced testcase::
&lt;style&gt;
.testclass::before { position: absolute; content: &quot;&quot;; }
.testclass { display: run-in; }
&lt;/style&gt;
&lt;script&gt;
function runTest() 
{
    test1 = document.createElement(&apos;div&apos;);
    test1.setAttribute(&apos;class&apos;, &apos;testclass&apos;);
    document.documentElement.appendChild(test1);
    test2 = document.createElement(&apos;b&apos;);
    test2.setAttribute(&apos;class&apos;, &apos;testclass&apos;);
    document.documentElement.appendChild(test2);
    test3 = document.createElement(&apos;div&apos;);
    document.documentElement.appendChild(test3);
}
window.onload = runTest;
&lt;/script&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>502961</commentid>
    <comment_count>3</comment_count>
    <who name="Ken Buchanan">kenrb</who>
    <bug_when>2011-11-15 09:22:19 -0800</bug_when>
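    <thetext>The run-in is significant. handleRunInChild() removes the run-in block from the render tree before destroying it. Because the block is already detached at that point, positioned (or possibly floating) children that are getting destroyed are unable to clear themselves from the positioned/floating object list of a higher-level renderer (in the case of absolutely positioned generated content, the RenderView). That list keeps a pointer to the freed renderer, which matches the ASAN report in comment 0: the object is freed under handleRunInChild() and later read in layoutPositionedObjects().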

It only happens with generated content because normal content underneath the block run-in is transferred to the inline run-in, rather than being destroyed.

This seems like it should be an easy fix, but for reasons I don&apos;t yet understand, the obvious solution (leave the renderer on the tree until you delete it) breaks a test. Something gets messed up with RenderLayers.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>503123</commentid>
    <comment_count>4</comment_count>
    <who name="Ken Buchanan">kenrb</who>
    <bug_when>2011-11-15 12:05:03 -0800</bug_when>
    <thetext>Discussed with aarya: he advocates trying to solve the general case: when a node with positioned descendants is removed from the tree, how do we clear those descendants from the positioned object list of its ancestors?

AFAICT, this would imply a full subtree traversal whenever we remove a child, because there could be absolutely positioned descendants anywhere down there. It looks like we already do a partial subtree traversal looking for floats, but that is somewhat limited because we don&apos;t look at (e.g.) floats that are children of non-floating children. We could turn that partial traversal (i.e. markAllDescendantsWithFloatsForLayout()) into a full traversal that looks for both floats and positioned objects, but this might still raise performance concerns.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>504411</commentid>
    <comment_count>5</comment_count>
      <attachid>115484</attachid>
    <who name="Ken Buchanan">kenrb</who>
    <bug_when>2011-11-16 17:02:42 -0800</bug_when>
    <thetext>Created attachment 115484
Patch</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>504420</commentid>
    <comment_count>6</comment_count>
    <who name="Ken Buchanan">kenrb</who>
    <bug_when>2011-11-16 17:09:39 -0800</bug_when>
    <thetext>The patch I just uploaded is a local solution to this specific case, not a general solution, so it does not address the general problem I describe in comment 4. Given that a general solution to that problem seems difficult (to me, anyway), I&apos;m not inclined to write one unless it is clear it is worth it.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>505012</commentid>
    <comment_count>7</comment_count>
      <attachid>115484</attachid>
    <who name="Dave Hyatt">hyatt</who>
    <bug_when>2011-11-17 11:29:32 -0800</bug_when>
    <thetext>Comment on attachment 115484
Patch

r=me</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>505224</commentid>
    <comment_count>8</comment_count>
      <attachid>115484</attachid>
    <who name="WebKit Review Bot">webkit.review.bot</who>
    <bug_when>2011-11-17 14:34:42 -0800</bug_when>
    <thetext>Comment on attachment 115484
Patch

Clearing flags on attachment: 115484

Committed r100677: &lt;http://trac.webkit.org/changeset/100677&gt;</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>505225</commentid>
    <comment_count>9</comment_count>
    <who name="WebKit Review Bot">webkit.review.bot</who>
    <bug_when>2011-11-17 14:34:47 -0800</bug_when>
    <thetext>All reviewed patches have been landed.  Closing bug.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>686727</commentid>
    <comment_count>10</comment_count>
    <who name="Abhishek Arya">inferno</who>
    <bug_when>2012-08-03 07:33:59 -0700</bug_when>
    <thetext>*** Bug 72666 has been marked as a duplicate of this bug. ***</thetext>
  </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>115484</attachid>
            <date>2011-11-16 17:02:42 -0800</date>
            <delta_ts>2011-11-17 14:34:42 -0800</delta_ts>
            <desc>Patch</desc>
            <filename>bug-70456-20111116200146.patch</filename>
            <type>text/plain</type>
            <size>5935</size>
            <attacher name="Ken Buchanan">kenrb</attacher>
            
              <data encoding="base64">U3VidmVyc2lvbiBSZXZpc2lvbjogMTAwNTIzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D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</data>

          </attachment>
      

    </bug>

</bugzilla>