=================================================================
|
==6257==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000fb950 at pc 0x7f1f3a231bb3 bp 0x7fff8d195770 sp 0x7fff8d195768
|
READ of size 8 at 0x6040000fb950 thread T0 (chrome)
|
#0 0x7f1f3a231bb2 in WTF::RawPtr<blink::TreeScope>::operator*() const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/RawPtr.h:120
|
#1 0x7f1f3a4e8906 in blink::StyleEngine::clearResolver() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/StyleEngine.cpp:504
|
#2 0x7f1f3a3ae0a8 in detach /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2190
|
#3 0x7f1f3a3ae704 in blink::Document::prepareForDestruction() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2224
|
#4 0x7f1f3acf5082 in setView /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:138
|
#5 0x7f1f3acf5505 in createView /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:161
|
#6 0x7f1f3a24cab7 in blink::WebLocalFrameImpl::createFrameView() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1662
|
#7 0x7f1f3ae94743 in commitProvisionalLoad /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:940
|
#8 0x7f1f3ae7bac6 in dataReceived /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/loader/DocumentLoader.cpp:560
|
#9 0x7f1f3b113d0d in blink::RawResource::appendData(char const*, unsigned int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/RawResource.cpp:48
|
#10 0x7f1f3ac805d5 in didReceiveData /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:457
|
#11 0x7f1f3f0eef60 in content::WebURLLoaderImpl::Context::OnReceivedData(char const*, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/web_url_loader_impl.cc:687
|
#12 0x7f1f3f0cdf62 in OnReceivedData /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:476
|
#13 0x7f1f3f0d0c28 in bool ResourceMsg_DataReceived::Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, int, int, int)>(IPC::Message const*, content::ResourceDispatcher*, content::ResourceDispatcher*, void*, void (content::ResourceDispatcher::*)(int, int, int, int)) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/common/resource_messages.h:324 (discriminator 1)
|
#14 0x7f1f3f0cbcac in content::ResourceDispatcher::DispatchMessage(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:717
|
#15 0x7f1f3f0cafcd in OnMessageReceived /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:323
|
#16 0x7f1f3f08e68c in content::ChildThread::OnMessageReceived(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/child_thread.cc:465
|
#17 0x7f1f381dd8c0 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../ipc/ipc_channel_proxy.cc:274
|
#18 0x7f1f381e5e70 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/bind_internal.h:898
|
#19 0x7f1f3791d03c in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/debug/task_annotator.cc:62
|
#20 0x7f1f3785e9d0 in base::MessageLoop::RunTask(base::PendingTask const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:446
|
#21 0x7f1f3785f0ef in DeferOrRunPendingTask /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:456
|
#22 0x7f1f3785f5ec in DoWork /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:565
|
#23 0x7f1f3786799c in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_pump_default.cc:32
|
#24 0x7f1f37891f7c in base::RunLoop::Run() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/run_loop.cc:54
|
#25 0x7f1f3785d732 in base::MessageLoop::Run() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:308
|
#26 0x7f1f3f26b80b in RendererMain /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/renderer_main.cc:235
|
#27 0x7f1f377c79ee in RunZygote /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main_runner.cc:343
|
#28 0x7f1f377c9dfb in Run /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main_runner.cc:768
|
#29 0x7f1f377c6f44 in content::ContentMain(content::ContentMainParams const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main.cc:19
|
#30 0x7f1f367fa522 in ChromeMain /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../chrome/app/chrome_main.cc:57
|
#31 0x7f1f2c58cde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
|
|
0x6040000fb950 is located 0 bytes inside of 48-byte region [0x6040000fb950,0x6040000fb980)
|
freed by thread T0 (chrome) here:
|
#0 0x7f1f367dd66b in __interceptor_free ??:?
|
#1 0x7f1f3a4e890e in blink::StyleEngine::clearResolver() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/StyleEngine.cpp:504
|
#2 0x7f1f3a3ae0a8 in detach /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2190
|
#3 0x7f1f3a3ae704 in blink::Document::prepareForDestruction() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:2224
|
#4 0x7f1f3acf5082 in setView /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:138
|
#5 0x7f1f3acf6901 in detach /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/LocalFrame.cpp:269
|
#6 0x7f1f3ac91ad7 in detachChildren /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/Frame.cpp:94
|
#7 0x7f1f3ae945f1 in commitProvisionalLoad /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:929
|
#8 0x7f1f3ae7bac6 in dataReceived /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/loader/DocumentLoader.cpp:560
|
#9 0x7f1f3b113d0d in blink::RawResource::appendData(char const*, unsigned int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/RawResource.cpp:48
|
#10 0x7f1f3ac805d5 in didReceiveData /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:457
|
#11 0x7f1f3f0eef60 in content::WebURLLoaderImpl::Context::OnReceivedData(char const*, int, int) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/web_url_loader_impl.cc:687
|
#12 0x7f1f3f0cdf62 in OnReceivedData /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:476
|
#13 0x7f1f3f0d0c28 in bool ResourceMsg_DataReceived::Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, int, int, int)>(IPC::Message const*, content::ResourceDispatcher*, content::ResourceDispatcher*, void*, void (content::ResourceDispatcher::*)(int, int, int, int)) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/common/resource_messages.h:324 (discriminator 1)
|
#14 0x7f1f3f0cbcac in content::ResourceDispatcher::DispatchMessage(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:717
|
#15 0x7f1f3f0cafcd in OnMessageReceived /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/resource_dispatcher.cc:323
|
#16 0x7f1f3f08e68c in content::ChildThread::OnMessageReceived(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/child/child_thread.cc:465
|
#17 0x7f1f381dd8c0 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../ipc/ipc_channel_proxy.cc:274
|
#18 0x7f1f381e5e70 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, void (IPC::ChannelProxy::Context* const&, IPC::Message const&)>::MakeItSo(base::internal::RunnableAdapter<void (IPC::ChannelProxy::Context::*)(IPC::Message const&)>, IPC::ChannelProxy::Context* const&, IPC::Message const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/bind_internal.h:898
|
#19 0x7f1f3791d03c in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/debug/task_annotator.cc:62
|
#20 0x7f1f3785e9d0 in base::MessageLoop::RunTask(base::PendingTask const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:446
|
#21 0x7f1f3785f0ef in DeferOrRunPendingTask /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:456
|
#22 0x7f1f3785f5ec in DoWork /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:565
|
#23 0x7f1f3786799c in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_pump_default.cc:32
|
#24 0x7f1f37891f7c in base::RunLoop::Run() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/run_loop.cc:54
|
#25 0x7f1f3785d732 in base::MessageLoop::Run() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../base/message_loop/message_loop.cc:308
|
#26 0x7f1f3f26b80b in RendererMain /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/renderer/renderer_main.cc:235
|
#27 0x7f1f377c79ee in RunZygote /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main_runner.cc:343
|
#28 0x7f1f377c9dfb in Run /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main_runner.cc:768
|
#29 0x7f1f377c6f44 in content::ContentMain(content::ContentMainParams const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../content/app/content_main.cc:19
|
|
previously allocated by thread T0 (chrome) here:
|
#0 0x7f1f367dd8eb in __interceptor_malloc ??:?
|
#1 0x7f1f39847034 in partitionAllocGenericFlags /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:532
|
#2 0x7f1f3a503f23 in blink::ScopedStyleResolver::create(blink::TreeScope&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.h:52
|
#3 0x7f1f3a503d96 in blink::TreeScope::ensureScopedStyleResolver() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/TreeScope.cpp:153
|
#4 0x7f1f3ab686d3 in blink::StyleResolver::appendCSSStyleSheet(blink::CSSStyleSheet*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:184
|
#5 0x7f1f3ab68efa in blink::StyleResolver::appendPendingAuthorStyleSheets() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:204
|
#6 0x7f1f3a3aaedf in blink::StyleEngine::ensureResolver() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/StyleEngine.h:148
|
#7 0x7f1f3a3aa538 in updateStyle /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1863
|
#8 0x7f1f3a3a9b96 in updateRenderTree /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1813
|
#9 0x7f1f3a3ab0e5 in updateLayout /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1921
|
#10 0x7f1f3a3ab58f in blink::Document::updateLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1983
|
#11 0x7f1f3a422c13 in blink::Element::scrollIntoView(bool) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Element.cpp:449
|
#12 0x7f1f3b90b646 in blink::ElementV8Internal::scrollIntoViewMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/gen/blink/bindings/core/v8/V8Element.cpp:1641
|
#13 0x7f1f39ff8c2b in Call /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/arguments.cc:33
|
#14 0x7f1f399bb1bf in HandleApiCallHelper<false> /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/builtins.cc:1145
|
#15 0x7f1f399b45ab in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/builtins.cc:1161
|
#16 0x7f1efe30843a (<unknown module>)
|
#17 0x7f1efe37b3a7 (<unknown module>)
|
#18 0x7f1efe37b0fd (<unknown module>)
|
#19 0x7f1efe33681f (<unknown module>)
|
#20 0x7f1efe331a70 (<unknown module>)
|
#16 0x7f1f39a929e5 in Invoke /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/execution.cc:103
|
#17 0x7f1f39a91f4c in Call /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/execution.cc:153
|
#18 0x7f1f3994d313 in Run /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../v8/src/api.cc:1688
|
#19 0x7f1f3b872e5f in runCompiledScript /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:182
|
#20 0x7f1f3b7e2984 in executeScriptAndReturnValue /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:203 (discriminator 3)
|
#21 0x7f1f3b7de4b7 in execute /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/bindings/core/v8/ScheduledAction.cpp:106
|
#22 0x7f1f3ac8b6ad in fired /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/DOMTimer.cpp:158
|
#23 0x7f1f398329b2 in blink::ThreadTimers::sharedTimerFiredInternal() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/ThreadTimers.cpp:137
|
#24 0x7f1f3983239e in blink::ThreadTimers::sharedTimerFired() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/platform/ThreadTimers.cpp:107
|
|
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
|
Shadow bytes around the buggy address:
|
0x0c08800176d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
0x0c08800176e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
0x0c08800176f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
0x0c0880017700: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
0x0c0880017710: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
=>0x0c0880017720: fa fa fd fd fd fd fd fd fa fa[fd]fd fd fd fd fd
|
0x0c0880017730: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
|
0x0c0880017740: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 00
|
0x0c0880017750: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
|
0x0c0880017760: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
|
0x0c0880017770: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
ASan internal: fe
|
==6257==ABORTING
|