=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fcb3f1a6f1a bp 0x7ffc11de98f0 sp 0x7ffc11de9880 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
#0 0x7fcb3f1a6f19 in clearContentFrame ./out/gn/../../third_party/WebKit/Source/web/RemoteFrameOwner.cpp:38:0
#1 0x7fcb30edd39e in disconnectOwnerElement ./out/gn/../../third_party/WebKit/Source/core/frame/Frame.cpp:83:14
#2 0x7fcb30edd39e in detach ./out/gn/../../third_party/WebKit/Source/core/frame/Frame.cpp:73:0
#3 0x7fcb30fe323e in detach ./out/gn/../../third_party/WebKit/Source/core/frame/RemoteFrame.cpp:112:10
#4 0x7fcb4da9a2ff in OnDeleteProxy ./out/gn/../../content/renderer/render_frame_proxy.cc:301:15
No clear repro steps :-( Happened when I was repeatedly clicking an extension browser action in an attempt to repro issue 655114.
Comment 1 by lukasza@chromium.org, Oct 18 2016

I want to say that the access violation happens when trying to call the clearContentFrame method below - this method is virtual and so the call requires looking at the virtual method dispatch table.

    void Frame::disconnectOwnerElement() {
      if (m_owner) {
        m_owner->clearContentFrame();
        m_owner = nullptr;
      }
    }

OTOH, this is weird, because |m_owner| is an Oilpan smart pointer (properly traced in DEFINE_TRACE(Frame) + both LocalFrame's and RemoteFrame's trace definitions correctly invoke the parent class's tracing method). So... maybe my analysis above is wrong... :-/