82882 2012-04-02 04:16:39 -0700 [GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame 2012-10-18 16:07:11 -0700 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 0 mcrha webkit-unassigned darin David.Ronis webkit.review.bot xan.lopez oldest_to_newest 593336 0 mcrha 2012-04-02 04:16:39 -0700 I run Evolution under valgrind today, and because it adapted WebkitGtk as its mailer renderer, I observed these valgrind warnings (see below). This is with webkitgtk-1.8.0 tarball release. The first is when opening a message in a separate window in evolution (double click in a message list). The second is when closing the message window. ==3268== Thread 1: ==3268== Invalid read of size 4 ==3268== at 0x7E93DF0: WebKit::DOMObjectCache::clearByFrame(WebCore::Frame*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83ED832: WebCore::FrameLoader::commitProvisionalLoad() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83D7819: WebCore::DocumentLoader::commitLoad(char const*, int) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x841F027: WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x840A4D4: WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x841E4DD: WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x8546E19: WebCore::readCallback(_GObject*, _GAsyncResult*, void*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0xA3A37F0: async_ready_callback_wrapper (ginputstream.c:470) ==3268== by 0xA3BBB7A: g_simple_async_result_complete (gsimpleasyncresult.c:767) ==3268== by 0xA3BBBAC: complete_in_idle_cb (gsimpleasyncresult.c:779) ==3268== by 0xAD76800: g_idle_dispatch (gmain.c:4634) ==3268== by 0xAD740AA: g_main_dispatch (gmain.c:2515) ==3268== by 0xAD74D6B: g_main_context_dispatch (gmain.c:3052) ==3268== by 0xAD74F4E: g_main_context_iterate (gmain.c:3123) ==3268== by 0xAD75377: g_main_loop_run (gmain.c:3317) ==3268== by 0x39E4F517FC: gtk_main (gtkmain.c:1362) ==3268== by 0x403603: main (main.c:681) ==3268== Address 0x34bfb760 is 16 bytes inside a block of size 24 free'd ==3268== at 0x4A0662E: free (vg_replace_malloc.c:366) ==3268== by 0xAD7C332: standard_free (gmem.c:98) ==3268== by 0xAD7C4F5: g_free (gmem.c:252) ==3268== by 0xAD945D7: g_slice_free1 (gslice.c:1111) ==3268== by 0x7E93FD7: WebKit::DOMObjectCache::forget(void*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EE1DA9: webkit_dom_document_finalize(_GObject*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0xA8EA32C: g_object_unref (gobject.c:3018) ==3268== by 0x7E93E20: WebKit::DOMObjectCache::clearByFrame(WebCore::Frame*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83ED832: WebCore::FrameLoader::commitProvisionalLoad() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83D7819: WebCore::DocumentLoader::commitLoad(char const*, int) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x841F027: WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x840A4D4: WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x841E4DD: WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x8546E19: WebCore::readCallback(_GObject*, _GAsyncResult*, void*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0xA3A37F0: async_ready_callback_wrapper (ginputstream.c:470) ==3268== by 0xA3BBB7A: g_simple_async_result_complete (gsimpleasyncresult.c:767) ==3268== by 0xA3BBBAC: complete_in_idle_cb (gsimpleasyncresult.c:779) ==3268== by 0xAD76800: g_idle_dispatch (gmain.c:4634) ==3268== by 0xAD740AA: g_main_dispatch (gmain.c:2515) ==3268== by 0xAD74D6B: g_main_context_dispatch (gmain.c:3052) ==3268== by 0xAD74F4E: g_main_context_iterate (gmain.c:3123) ==3268== by 0xAD75377: g_main_loop_run (gmain.c:3317) ==3268== by 0x39E4F517FC: gtk_main (gtkmain.c:1362) ==3268== by 0x403603: main (main.c:681) ==3268== Invalid read of size 4 ==3268== at 0x7E93DF0: WebKit::DOMObjectCache::clearByFrame(WebCore::Frame*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EBC301: webkit_web_frame_core_frame_gone (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EA44CC: WebKit::FrameLoaderClient::frameLoaderDestroyed() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83E9B61: WebCore::FrameLoader::~FrameLoader() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x8478F3B: WebCore::Frame::~Frame() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x84963EB: WebCore::Page::~Page() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7ED1347: webkit_web_view_dispose(_GObject*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x57F8A16: web_view_dispose (e-web-view.c:796) ==3268== by 0x1682BAB6: mail_display_dispose (e-mail-display.c:318) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4FB2E7D: gtk_scrolled_window_forall (gtkscrolledwindow.c:1265) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4E8B923: gtk_box_forall (gtkbox.c:1856) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0x57E6783: preview_pane_dispose (e-preview-pane.c:143) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4E8B923: gtk_box_forall (gtkbox.c:1856) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0x16829FAD: mail_browser_dispose (e-mail-browser.c:533) ==3268== Address 0x1bebfa10 is 16 bytes inside a block of size 24 free'd ==3268== at 0x4A0662E: free (vg_replace_malloc.c:366) ==3268== by 0xAD7C332: standard_free (gmem.c:98) ==3268== by 0xAD7C4F5: g_free (gmem.c:252) ==3268== by 0xAD945D7: g_slice_free1 (gslice.c:1111) ==3268== by 0x7E93FD7: WebKit::DOMObjectCache::forget(void*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EE1DA9: webkit_dom_document_finalize(_GObject*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0xA8EA32C: g_object_unref (gobject.c:3018) ==3268== by 0x7E93E20: WebKit::DOMObjectCache::clearByFrame(WebCore::Frame*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EBC301: webkit_web_frame_core_frame_gone (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7EA44CC: WebKit::FrameLoaderClient::frameLoaderDestroyed() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x83E9B61: WebCore::FrameLoader::~FrameLoader() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x8478F3B: WebCore::Frame::~Frame() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x84963EB: WebCore::Page::~Page() (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x7ED1347: webkit_web_view_dispose(_GObject*) (in /build/local/lib/libwebkitgtk-3.0.so.0.13.1) ==3268== by 0x57F8A16: web_view_dispose (e-web-view.c:796) ==3268== by 0x1682BAB6: mail_display_dispose (e-mail-display.c:318) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4FB2E7D: gtk_scrolled_window_forall (gtkscrolledwindow.c:1265) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4E8B923: gtk_box_forall (gtkbox.c:1856) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0x57E6783: preview_pane_dispose (e-preview-pane.c:143) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4E8B923: gtk_box_forall (gtkbox.c:1856) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) ==3268== by 0xA8DE7C8: g_type_class_meta_marshal (gclosure.c:970) ==3268== by 0xA8DE113: g_closure_invoke (gclosure.c:777) ==3268== by 0xA8FAAE4: signal_emit_unlocked_R (gsignal.c:3663) ==3268== by 0xA8F9966: g_signal_emit_valist (gsignal.c:3296) ==3268== by 0xA8F9EAC: g_signal_emit (gsignal.c:3352) ==3268== by 0x39E50895CD: gtk_widget_dispose (gtkwidget.c:10666) ==3268== by 0xA8E52B9: g_object_run_dispose (gobject.c:1061) ==3268== by 0x39E4ECE1CA: gtk_container_destroy (gtkcontainer.c:1370) ==3268== by 0xA8E10A3: g_cclosure_marshal_VOID__VOID (gmarshal.c:85) 593339 1 135063 mcrha 2012-04-02 04:24:12 -0700 Created attachment 135063 proposed webkit patch for webkit; Basically, if everything goes correctly then the weakRefNotify() is never called, thus objectDead is always FALSE, thus the 'while' dereferences the 'data' which is already freed in the last loop cycle. I tested with valgrind and it is happy with this patch included. Just for a reference, here's the code I talk about (without patch applied): gboolean objectDead = FALSE; g_object_weak_ref(data->object, weakRefNotify, &objectDead); // We need to check objectDead first, otherwise the cache data // might be garbage already. while (!objectDead && data->timesReturned > 0) { // If this is the last unref we are going to do, // disconnect the weak ref. We cannot do it afterwards // because the object might be dead at that point. if (data->timesReturned == 1) g_object_weak_unref(data->object, weakRefNotify, &objectDead); data->timesReturned--; g_object_unref(data->object); } 638426 2 webkit.review.bot 2012-05-31 08:10:32 -0700 Attachment 135063 did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files']" exit_code: 1 Total errors found: 0 in 0 files If any of these errors are false positives, please file a bug against check-webkit-style. 702464 3 135063 eric 2012-08-22 15:44:34 -0700 Comment on attachment 135063 proposed webkit patch Needs a ChangeLog. 702735 4 mcrha 2012-08-22 23:42:17 -0700 Are you kidding me? This almost two-liner fixes not-so-obvious error in the code which is still there in 1.9.6, waiting for a review for almost 5 months, and you reject it because of missing ChangeLog? Come on... 744145 5 xan.lopez 2012-10-17 04:39:17 -0700 (In reply to comment #4) > Are you kidding me? This almost two-liner fixes not-so-obvious error in the code which is still there in 1.9.6, waiting for a review for almost 5 months, and you reject it because of missing ChangeLog? Come on... Writing a ChangeLog should be a matter of 5 minutes. If you don't do it someone else has to, I don't see what's so shocking about being strict in this regard. About the patch, one question: You mention "if everything goes correctly the weakRefNotify is never called", because we disable it before doing the last unref. Right? In that same block we'l decrease timesReturned, so while objectDead will still be FALSE timesReturned should be 0 (since we only do the last unref when it's 1). So we shouldn't really enter the loop again. I guess I'm missing something because there's indeed a valgrind warning, so what am I getting wrong? 745026 6 mcrha 2012-10-18 00:03:21 -0700 (In reply to comment #5) > (In reply to comment #4) > > Are you kidding me? This almost two-liner fixes not-so-obvious error in the code which is still there in 1.9.6, waiting for a review for almost 5 months, and you reject it because of missing ChangeLog? Come on... > > Writing a ChangeLog should be a matter of 5 minutes. If you don't do it someone else has to, I don't see what's so shocking about being strict in this regard. It's "shocking" when asked doing so after 5 months of waiting for a review. I moved quite far away from this during those 5 months. > About the patch, one question: > > You mention "if everything goes correctly the weakRefNotify is never called", because we disable it before doing the last unref. Right? You didn't quote the right passage of the explanation from comment #1. (See below.) > In that same block we'l decrease timesReturned, so while objectDead will still be FALSE timesReturned should be 0 (since we only do the last unref when it's 1). So we shouldn't really enter the loop again. I guess I'm missing something because there's indeed a valgrind warning, so what am I getting wrong? That's what I thought about this too, the issue is not obvious on the first look. The issue is not with g_object_unref() call, valgrind doesn't claim on it, the issue is with the 'data' structure, which is freed together with data->object. Following your 'while' steps (see code in comment #1) it's like this: : let data->timesReturned be 1 : objectDead is FALSE the g_object_weak_unref() is called data->timesReturned is decreased to 0 g_object_unref() is called : so far so good, 'data->object' is freed, : together with 'data' itself, but objectDead is still FALSE : then it comes to the 'while' clause while (!objectDead && data->timesReturned > 0) : and because objectDead is FALSE, and 'data' is freed, then it dereferences freed memory 745112 7 xan.lopez 2012-10-18 02:56:58 -0700 (In reply to comment #6) > The issue is not with g_object_unref() call, valgrind doesn't claim on it, the issue is with the 'data' structure, which is freed together with data->object. Following your 'while' steps (see code in comment #1) it's like this: > : let data->timesReturned be 1 > : objectDead is FALSE > the g_object_weak_unref() is called > data->timesReturned is decreased to 0 > g_object_unref() is called > : so far so good, 'data->object' is freed, > : together with 'data' itself, but objectDead is still FALSE > : then it comes to the 'while' clause > while (!objectDead && data->timesReturned > 0) > : and because objectDead is FALSE, and 'data' is freed, then it dereferences freed memory Ah, indeed. 'data' is freed in the object's ::finalize, which calls the DOMObjectCache function 'forget'. Tricky. So I think the patch is OK, but I'd put an extra comment explaining what's going on here, since it's not really trivial to see. If you can do that plus a ChangeLog I'll be happy to r+, thanks a lot for figuring this out. 745309 8 mcrha 2012-10-18 09:09:46 -0700 I'm afraid it's as hard to spot as to explain, at least in a comment in the code. I would do the ChangeLog, but I do not have checkout of webkit handy, I really moved elsewhere between those 5 months. I'm sorry. 745642 9 169489 csaavedra 2012-10-18 15:33:35 -0700 Created attachment 169489 2012-10-18 Claudio Saavedra <csaavedra@igalia.com> [GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame https://bugs.webkit.org/show_bug.cgi?id=82882 Reviewed by NOBODY (OOPS!). Based on a patch by Milan Crha <mcrha@redhat.com> Prevent an invalid access to a pointer while clearing the DOM object cache. * bindings/gobject/DOMObjectCache.cpp: (WebKit::DOMObjectCache::clearByFrame): Prevent an invalid access. 745650 10 169489 xan.lopez 2012-10-18 15:37:09 -0700 Comment on attachment 169489 2012-10-18 Claudio Saavedra <csaavedra@igalia.com> Looks good, thank you. 745695 11 169489 webkit.review.bot 2012-10-18 16:07:07 -0700 Comment on attachment 169489 2012-10-18 Claudio Saavedra <csaavedra@igalia.com> Clearing flags on attachment: 169489 Committed r131820: <http://trac.webkit.org/changeset/131820> 745696 12 webkit.review.bot 2012-10-18 16:07:11 -0700 All reviewed patches have been landed. Closing bug. 135063 2012-04-02 04:24:12 -0700 2012-08-22 15:44:33 -0700 proposed webkit patch wk.patch text/plain 934 mcrha ZGlmZiAtdXAgd2Via2l0LTEuOC4wL1NvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL2dvYmplY3QvRE9N T2JqZWN0Q2FjaGUuY3BwLmludmFsaWQtcmVhZCB3ZWJraXQtMS44LjAvU291cmNlL1dlYkNvcmUv YmluZGluZ3MvZ29iamVjdC9ET01PYmplY3RDYWNoZS5jcHAKLS0tIHdlYmtpdC0xLjguMC9Tb3Vy Y2UvV2ViQ29yZS9iaW5kaW5ncy9nb2JqZWN0L0RPTU9iamVjdENhY2hlLmNwcC5pbnZhbGlkLXJl YWQJMjAxMi0wNC0wMiAxMzowMzowOS4yODU0OTgxNzIgKzAyMDAKKysrIHdlYmtpdC0xLjguMC9T b3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9nb2JqZWN0L0RPTU9iamVjdENhY2hlLmNwcAkyMDEyLTA0 LTAyIDEzOjAzOjIwLjAwODYzMzQzOSArMDIwMApAQCAtOTcsOCArOTcsMTAgQEAgdm9pZCBET01P YmplY3RDYWNoZTo6Y2xlYXJCeUZyYW1lKFdlYkNvcgogICAgICAgICAgICAgLy8gSWYgdGhpcyBp cyB0aGUgbGFzdCB1bnJlZiB3ZSBhcmUgZ29pbmcgdG8gZG8sCiAgICAgICAgICAgICAvLyBkaXNj b25uZWN0IHRoZSB3ZWFrIHJlZi4gV2UgY2Fubm90IGRvIGl0IGFmdGVyd2FyZHMKICAgICAgICAg ICAgIC8vIGJlY2F1c2UgdGhlIG9iamVjdCBtaWdodCBiZSBkZWFkIGF0IHRoYXQgcG9pbnQuCi0g ICAgICAgICAgICBpZiAoZGF0YS0+dGltZXNSZXR1cm5lZCA9PSAxKQorICAgICAgICAgICAgaWYg KGRhdGEtPnRpbWVzUmV0dXJuZWQgPT0gMSkgewogICAgICAgICAgICAgICAgIGdfb2JqZWN0X3dl YWtfdW5yZWYoZGF0YS0+b2JqZWN0LCB3ZWFrUmVmTm90aWZ5LCAmb2JqZWN0RGVhZCk7CisgICAg ICAgICAgICAgICAgb2JqZWN0RGVhZCA9IFRSVUU7CisgICAgICAgICAgICB9CiAgICAgICAgICAg ICBkYXRhLT50aW1lc1JldHVybmVkLS07CiAgICAgICAgICAgICBnX29iamVjdF91bnJlZihkYXRh LT5vYmplY3QpOwogICAgICAgICB9Cg== 169489 2012-10-18 15:33:35 -0700 2012-10-18 16:07:07 -0700 2012-10-18 Claudio Saavedra <csaavedra@igalia.com> 2012-10-18-Claudio-Saavedra-csaavedraigaliacom.patch text/plain 2921 csaavedra RnJvbSBjOGI3YmMxYzRkZjk4MDMwZDliZTA4NzY5ZTg4MWIxZjkzMzAxMWMyIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBDbGF1ZGlvIFNhYXZlZHJhIDxjc2FhdmVkcmFAaWdhbGlhLmNv bT4KRGF0ZTogVGh1LCAxOCBPY3QgMjAxMiAxNTozMTowNyAtMDcwMApTdWJqZWN0OiBbUEFUQ0hd IDIwMTItMTAtMTggIENsYXVkaW8gU2FhdmVkcmEgIDxjc2FhdmVkcmFAaWdhbGlhLmNvbT4KCiAg ICAgICAgW0dUS10gSW52YWxpZCByZWFkIGZyb20gV2ViS2l0OjpET01PYmplY3RDYWNoZTo6Y2xl YXJCeUZyYW1lCiAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTgyODgyCgogICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgoKICAgICAgICBCYXNl ZCBvbiBhIHBhdGNoIGJ5IE1pbGFuIENyaGEgPG1jcmhhQHJlZGhhdC5jb20+CgogICAgICAgIFBy ZXZlbnQgYW4gaW52YWxpZCBhY2Nlc3MgdG8gYSBwb2ludGVyIHdoaWxlIGNsZWFyaW5nIHRoZSBE T00KICAgICAgICBvYmplY3QgY2FjaGUuCiAgICAgICAgKiBiaW5kaW5ncy9nb2JqZWN0L0RPTU9i amVjdENhY2hlLmNwcDoKICAgICAgICAoV2ViS2l0OjpET01PYmplY3RDYWNoZTo6Y2xlYXJCeUZy YW1lKTogUHJldmVudCBhbiBpbnZhbGlkIGFjY2Vzcy4KLS0tCiBTb3VyY2UvV2ViQ29yZS9DaGFu Z2VMb2cgICAgICAgICAgICAgICAgICAgICAgICAgICB8IDE0ICsrKysrKysrKysrKysrCiBTb3Vy Y2UvV2ViQ29yZS9iaW5kaW5ncy9nb2JqZWN0L0RPTU9iamVjdENhY2hlLmNwcCB8IDExICsrKysr KysrKystCiAyIGZpbGVzIGNoYW5nZWQsIDI0IGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkK CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cKaW5kZXggNjM4MzdlMC4uM2E3M2NmYyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3 IEBACisyMDEyLTEwLTE4ICBDbGF1ZGlvIFNhYXZlZHJhICA8Y3NhYXZlZHJhQGlnYWxpYS5jb20+ CisKKyAgICAgICAgW0dUS10gSW52YWxpZCByZWFkIGZyb20gV2ViS2l0OjpET01PYmplY3RDYWNo ZTo6Y2xlYXJCeUZyYW1lCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD04Mjg4MgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisg ICAgICAgIEJhc2VkIG9uIGEgcGF0Y2ggYnkgTWlsYW4gQ3JoYSA8bWNyaGFAcmVkaGF0LmNvbT4K KworICAgICAgICBQcmV2ZW50IGFuIGludmFsaWQgYWNjZXNzIHRvIGEgcG9pbnRlciB3aGlsZSBj bGVhcmluZyB0aGUgRE9NCisgICAgICAgIG9iamVjdCBjYWNoZS4KKyAgICAgICAgKiBiaW5kaW5n cy9nb2JqZWN0L0RPTU9iamVjdENhY2hlLmNwcDoKKyAgICAgICAgKFdlYktpdDo6RE9NT2JqZWN0 Q2FjaGU6OmNsZWFyQnlGcmFtZSk6IFByZXZlbnQgYW4gaW52YWxpZCBhY2Nlc3MuCisKIDIwMTIt MTAtMTggIFRha2FzaGkgU2FrYW1vdG8gIDx0YXNha0Bnb29nbGUuY29tPgogCiAgICAgICAgIFJF R1JFU1NJT04ocjEzMTQ2NCk6IE51bGwtcG9pbnRlciBjcmFzaCBpbiBTdHlsZVJlc29sdmVyOjpz dHlsZUZvckVsZW1lbnQKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL2dvYmpl Y3QvRE9NT2JqZWN0Q2FjaGUuY3BwIGIvU291cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29iamVjdC9E T01PYmplY3RDYWNoZS5jcHAKaW5kZXggZGQ3ZDA0OS4uODc4ODc1MCAxMDA2NDQKLS0tIGEvU291 cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29iamVjdC9ET01PYmplY3RDYWNoZS5jcHAKKysrIGIvU291 cmNlL1dlYkNvcmUvYmluZGluZ3MvZ29iamVjdC9ET01PYmplY3RDYWNoZS5jcHAKQEAgLTk3LDgg Kzk3LDE3IEBAIHZvaWQgRE9NT2JqZWN0Q2FjaGU6OmNsZWFyQnlGcmFtZShXZWJDb3JlOjpGcmFt ZSogZnJhbWUpCiAgICAgICAgICAgICAvLyBJZiB0aGlzIGlzIHRoZSBsYXN0IHVucmVmIHdlIGFy ZSBnb2luZyB0byBkbywKICAgICAgICAgICAgIC8vIGRpc2Nvbm5lY3QgdGhlIHdlYWsgcmVmLiBX ZSBjYW5ub3QgZG8gaXQgYWZ0ZXJ3YXJkcwogICAgICAgICAgICAgLy8gYmVjYXVzZSB0aGUgb2Jq ZWN0IG1pZ2h0IGJlIGRlYWQgYXQgdGhhdCBwb2ludC4KLSAgICAgICAgICAgIGlmIChkYXRhLT50 aW1lc1JldHVybmVkID09IDEpCisgICAgICAgICAgICBpZiAoZGF0YS0+dGltZXNSZXR1cm5lZCA9 PSAxKSB7CiAgICAgICAgICAgICAgICAgZ19vYmplY3Rfd2Vha191bnJlZihkYXRhLT5vYmplY3Qs IHdlYWtSZWZOb3RpZnksICZvYmplY3REZWFkKTsKKyAgICAgICAgICAgICAgICAvLyBBdCB0aGlz IHBvaW50LCB0aGUgbmV4dCB0aW1lIHRoZSBET01PYmplY3QgaXMKKyAgICAgICAgICAgICAgICAv LyB1bnJlZidlZCBpdCB3aWxsIGJlIGZpbmFsaXplZCwKKyAgICAgICAgICAgICAgICAvLyBET01P YmplY3Q6OmZpbmFsaXplKCkgd2lsbCBjYWxsCisgICAgICAgICAgICAgICAgLy8gRE9NT2JqZWN0 Q2FjaGU6OmZvcmdldCgpLCB3aGljaCB3aWxsIGZyZWUgJ2RhdGEnLgorICAgICAgICAgICAgICAg IC8vIFRvZ2dsaW5nICdvYmplY3REZWFkJyBoZXJlIHdpbGwgZW5zdXJlIHdlIGRvbid0CisgICAg ICAgICAgICAgICAgLy8gZGVyZWZlcmVuY2UgYW4gaW52YWxpZCBwb2ludGVyIGluIHRoZSBuZXh0 CisgICAgICAgICAgICAgICAgLy8gaXRlcmF0aW9uLgorICAgICAgICAgICAgICAgIG9iamVjdERl YWQgPSBUUlVFOworICAgICAgICAgICAgfQogICAgICAgICAgICAgZGF0YS0+dGltZXNSZXR1cm5l ZC0tOwogICAgICAgICAgICAgZ19vYmplY3RfdW5yZWYoZGF0YS0+b2JqZWN0KTsKICAgICAgICAg fQotLSAKMS43LjExLjc=