ASAN report is:
=================================================================
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a000073c80 at pc 0x7f9636bb72a4 bp 0x7ffc62590270 sp 0x7ffc62590268
READ of size 8 at 0x62a000073c80 thread T0 (chrome)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
#0 0x7f9636bb72a3 in Enter v8/src/isolate.cc:2441:45
#1 0x7f9637bd2bd7 in Scope v8/include/v8.h:5630:16
#2 0x7f9637bd2bd7 in Scope gin/runner.cc:16:0
#3 0x7f963c1b80b3 in OnHandleReady mojo/edk/js/waiting_callback.cc:72:22
#4 0x7f963a5f8ef2 in Run base/callback.h:389:12
#5 0x7f963a5f8ef2 in OnHandleReady mojo/public/cpp/system/watcher.cc:122:0
#6 0x7f963a5f8ef2 in WillDestroyCurrentMessageLoop mojo/public/cpp/system/watcher.cc:32:0
#7 0x7f96421e241f in ~MessageLoop base/message_loop/message_loop.cc:174:3
#8 0x7f96421dcc7d in ?? base/message_loop/message_loop.cc:139:29
#9 0x7f963bdf33a0 in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
#10 0x7f963bdf33a0 in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
#11 0x7f963bdf33a0 in Shutdown content/renderer/render_thread_impl.cc:1009:0
#12 0x7f963a030e78 in ~ChildProcess content/child/child_process.cc:73:19
#13 0x7f963be81956 in RendererMain content/renderer/renderer_main.cc:207:3
#14 0x7f963c1bd515 in RunZygote content/app/content_main_runner.cc:343:14
#15 0x7f963c1c037d in Run content/app/content_main_runner.cc:785:12
#16 0x7f963c1bc7ba in ContentMain content/app/content_main.cc:20:28
#17 0x7f96439b5208 in ChromeMain chrome/app/chrome_main.cc:85:12
#18 0x7f962b982f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
0x62a000073c80 is located 6784 bytes inside of 22440-byte region [0x62a000072200,0x62a0000779a8)
freed by thread T0 (chrome) here:
#0 0x7f96439b348b in operator delete(void*) ??:?
#1 0x7f9636bb20a3 in TearDown v8/src/isolate.cc:1992:3
#2 0x7f9637bb8ebc in ~IsolateHolder gin/isolate_holder.cc:75:13
#3 0x7f9625c950fa in operator() buildtools/third_party/libc++/trunk/include/memory:2529:13
#4 0x7f9625c950fa in reset buildtools/third_party/libc++/trunk/include/memory:2735:0
#5 0x7f9625c950fa in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2703:0
#6 0x7f9625c950fa in ~V8PerIsolateData third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:78:0
#7 0x7f9625c95b17 in destroy third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:257:5
#8 0x7f9631f7a14c in shutdown third_party/WebKit/Source/web/WebKit.cpp:114:5
#9 0x7f963bdf3348 in Shutdown content/renderer/render_thread_impl.cc:998:5
#10 0x7f963a030e78 in ~ChildProcess content/child/child_process.cc:73:19
#11 0x7f963be81956 in RendererMain content/renderer/renderer_main.cc:207:3
#12 0x7f963c1bd515 in RunZygote content/app/content_main_runner.cc:343:14
#13 0x7f963c1c037d in Run content/app/content_main_runner.cc:785:12
#14 0x7f963c1bc7ba in ContentMain content/app/content_main.cc:20:28
#15 0x7f96439b5208 in ChromeMain chrome/app/chrome_main.cc:85:12
#16 0x7f962b982f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
previously allocated by thread T0 (chrome) here:
#0 0x7f96439b2e8b in operator new(unsigned long) ??:?
#1 0x7f9635f9bc07 in New v8/src/api.cc:7477:25
#2 0x7f9637bb8b65 in IsolateHolder gin/isolate_holder.cc:43:14
#3 0x7f9625c945e2 in V8PerIsolateData third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:58:38
#4 0x7f9625c9544f in initialize third_party/WebKit/Source/bindings/core/v8/V8PerIsolateData.cpp:88:34
#5 0x7f9625c7bfcc in initializeMainThread third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:362:28
#6 0x7f9631f79cc3 in initialize third_party/WebKit/Source/web/WebKit.cpp:87:5
#7 0x7f963bdec3b7 in InitializeWebKit content/renderer/render_thread_impl.cc:1197:3
#8 0x7f963bde854b in Init content/renderer/render_thread_impl.cc:660:3
#9 0x7f963bde793f in RenderThreadImpl content/renderer/render_thread_impl.cc:634:3
#10 0x7f963bde7294 in Create content/renderer/render_thread_impl.cc:599:14
#11 0x7f963be8180d in RendererMain content/renderer/renderer_main.cc:186:5
#12 0x7f963c1bd515 in RunZygote content/app/content_main_runner.cc:343:14
#13 0x7f963c1c037d in Run content/app/content_main_runner.cc:785:12
#14 0x7f963c1bc7ba in ContentMain content/app/content_main.cc:20:28
#15 0x7f96439b5208 in ChromeMain chrome/app/chrome_main.cc:85:12
#16 0x7f962b982f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/local/google/home/eisinger/blink/src/out/Release/./libv8.so+0x10112a3)
Shadow bytes around the buggy address:
0x0c5480006740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5480006750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5480006760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5480006770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5480006780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5480006790:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c54800067a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c54800067b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c54800067c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c54800067d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c54800067e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1==ABORTING
Comment 1 by jochen@chromium.org, Aug 22 2016
Status: Duplicate (was: Untriaged)