Issue metadata
signal 11 SEGV_MAPERR 000000000000 in get /v8/src/objects/fixed-array-inl.h:64:10
Reported by cdsrc2...@gmail.com, May 24 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36
Steps to reproduce the problem:
Version 68.0.3437.0 (Developer Build) (64-bit)
Ubuntu version: 16.04
signal 11 SEGV_MAPERR 000000000000 in get /v8/src/objects/fixed-array-inl.h:64:10
1. Get new version chrome:
a) Build source code
Configure the args.gn file as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. ./chrome crash.html
3. Then press Ctrl+Shift+I to open Developer Tools; immediately get sig 11.
What is the expected behavior?
What went wrong?
Received signal 11 SEGV_MAPERR 000000000000
#0 0x55f02e70aa91 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x55f0367c7ace in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x55f0367c69e5 in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fd1aee42390 in __funlockfile ??:?
#4 0x7fd1aee42390 in ?? ??:0
#5 0x55f03372b38a in get /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/objects/fixed-array-inl.h:64:10
#6 0x55f03372b38a in debug_context_id /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/contexts-inl.h:135:0
#7 0x55f03372b38a in v8::debug::GetContextId(v8::Local<v8::Context>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/api.cc:9040:0
#8 0x55f035157d2b in v8_inspector::V8InspectorImpl::contextGroupId(v8::Local<v8::Context>) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/inspector/v8-inspector-impl.cc:76:25
#9 0x55f0351253f2 in v8_inspector::V8Debugger::nearHeapLimitCallback(void*, unsigned long, unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/inspector/v8-debugger.cc:526:35
#10 0x55f03428b013 in v8::internal::Heap::InvokeNearHeapLimitCallback() /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:3468:25
#11 0x55f034286c39 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1342:5
#12 0x55f0342a3022 in CollectAllGarbage /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:1156:3
#13 0x55f0342a3022 in v8::internal::Heap::FinalizeIncrementalMarkingIfComplete(v8::internal::GarbageCollectionReason) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/heap.cc:3092:0
#14 0x55f0342d53a8 in Step /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/incremental-marking-job.cc:39:9
#15 0x55f0342d53a8 in v8::internal::IncrementalMarkingJob::Task::RunInternal() /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/heap/incremental-marking-job.cc:63:0
#16 0x55f036590ec9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#17 0x55f036590ec9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#18 0x55f035399c60 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::SequencedTaskSource::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:170:21
#19 0x55f036590ec9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#20 0x55f036590ec9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#21 0x55f0365fa071 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#22 0x55f0365fb45c in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#23 0x55f0365fb45c in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#24 0x55f03660465b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#25 0x55f036680421 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:131:14
#26 0x55f0469d261c in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:245:23
#27 0x55f035a73c8b in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:570:14
#28 0x55f035a7800f in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:946:12
#29 0x55f035a997fd in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:452:29
#30 0x55f035a71fa8 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#31 0x55f02e793e34 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#32 0x7fd1a80a4830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
#33 0x55f02e6be02a in _start ??:0:0
r8: 00000000002b8926 r9: 000062d00004bd18 r10: 0000000000000000 r11: 000062d00004bd20
r12: 00000c5a000097a4 r13: 00000c2e00000be1 r14: 0000612000003040 r15: 0000617000005f08
di: 000000000000013f si: 0000000000000000 bp: 00007ffe6bae53c0 bx: 0000000000000000
dx: 00007fd19b87d000 ax: 0000000000000000 cx: 0000000000086a75 sp: 00007ffe6bae53b0
ip: 000055f03372b38a efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 68.0.3437.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu 16.04
Flash Version:
May 25 2018
Over to Aleksey. Yang and Ulan to cc, any ideas maybe? The stack has nearHeapLimitCallback.
May 25 2018
The entered context can be null if no context was entered at the nearHeapLimitCallback call site:
v8::Local<v8::Context> context = thisPtr->m_isolate->GetEnteredContext();
https://cs.chromium.org/chromium/src/v8/src/inspector/v8-debugger.cc?rcl=44d7d7d6b1041b57644400a00cb3fee35f6c51b2&l=523
Aleksey, can we compute m_targetContextGroupId without getting the entered context?
May 25 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 25 2018
It is not a severe issue, as the renderer would crash with out-of-memory if we didn't have the nearHeapLimitCallback. This crash should always be a null pointer exception. I am not sure why the ASAN is reporting use-after (it also says "Received signal 11 SEGV_MAPERR 000000000000" in the same log).
May 25 2018
Please do not remove Security_ labels, as these are for the security team's triage process. From the stack, I think the SEGV is from libgl_wrapper.so rather than devtools, so I'm dropping this to medium severity.
Jun 8 2018
kozy: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 23 2018
kozy: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 10
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/82bb301f7b9c608adb1d5c2cf7ffa1d0b26cec01
commit 82bb301f7b9c608adb1d5c2cf7ffa1d0b26cec01
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Tue Jul 10 00:18:46 2018
[inspector] pause inside any context group after nearHeapLimitCallback
If context is not available during nearHeapLimitCallback then request break inside any context group.
R=dgozman@chromium.org
Bug: chromium:846311
Cq-Include-Trybots: luci.chromium.try:linux_chromium_headless_rel;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I2b7dcda8e9758672f27c15ce18620bd57c4152c0
Reviewed-on: https://chromium-review.googlesource.com/1129100
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54337}
[modify] https://crrev.com/82bb301f7b9c608adb1d5c2cf7ffa1d0b26cec01/src/inspector/v8-debugger.cc
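The null dereference described in the May 25 comment and the fallback described in the commit message above, as an added C++ model that is not V8's or the inspector's own code: the `Local`, `Context` and `Isolate` stand-ins, the function names and the `kAnyContextGroup` sentinel value are assumptions standing in for the real V8 types.

```cpp
// Added example (not V8 code): why the entered context must be checked for
// emptiness in a near-heap-limit callback, and what the fix falls back to.
#include <cstdio>

// Minimal stand-in for v8::Local<T>: a handle that may be empty (null).
template <typename T>
class Local {
 public:
  Local() : ptr_(nullptr) {}
  explicit Local(T* p) : ptr_(p) {}
  bool IsEmpty() const { return ptr_ == nullptr; }
  T* operator->() const { return ptr_; }
 private:
  T* ptr_;
};

// Stand-in for a V8 context carrying its inspector context group id.
struct Context { int contextGroupId; };

// Stand-in for the isolate. GetEnteredContext() returns an empty handle when
// GC runs from a message-loop task with no script context entered, which is
// the state at the nearHeapLimitCallback call site in the crash stack.
struct Isolate {
  Context* entered = nullptr;
  Local<Context> GetEnteredContext() const { return Local<Context>(entered); }
};

// Assumed sentinel meaning "request the break in any context group".
constexpr int kAnyContextGroup = 0;

// Vulnerable shape: dereferences the handle unconditionally. With an empty
// handle this reads through a null pointer (SEGV_MAPERR at address 0).
int contextGroupIdUnchecked(Local<Context> context) {
  return context->contextGroupId;
}

// Hardened shape: when no context is entered, fall back to any context group
// instead of reading through the empty handle.
int targetContextGroupIdForHeapLimit(const Isolate& isolate) {
  Local<Context> context = isolate.GetEnteredContext();
  if (context.IsEmpty()) return kAnyContextGroup;
  return contextGroupIdUnchecked(context);
}

int main() {
  Isolate idle;  // GC task on the message loop: nothing entered
  std::printf("idle isolate -> group %d (any)\n",
              targetContextGroupIdForHeapLimit(idle));
  Context page{7};  // constructed sample context in group 7
  Isolate active;
  active.entered = &page;
  std::printf("entered context -> group %d\n",
              targetContextGroupIdForHeapLimit(active));
  return 0;
}
```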
Jul 23
I'm afraid the VRP panel declined to award for this bug, as it appears to be an unexploitable null dereference.
Aug 3
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 3
+awhalley@ (Security TPM) for merge review.
Aug 3
No merge needed.
Oct 16
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, May 25 2018
Components: Blink>JavaScript, Platform>Apps>DevTools
Labels: -Pri-2 Security_Severity-High Security_Impact-Head Pri-1
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
I can repro this on tip of tree. +dgozman and V8 sheriffs to follow up.
==3824==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000269f8 at pc 0x7ffa8adf6201 bp 0x7ffd4e98de50 sp 0x7ffd4e98de48
READ of size 4 at 0x6070000269f8 thread T0 (chrome)
==3824==WARNING: invalid path to external symbolizer!
==3824==WARNING: Failed to use and restart external symbolizer!
#0 0x7ffa8adf6200 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x47200)
#1 0x7ffaa75b453b (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x1d653b)
#2 0x7ffaa7631b6d (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x253b6d)
#3 0x7ffaa7631f02 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x253f02)
#4 0x7ffab8f93c6d (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x1afc6d)
#5 0x7ffab9021dc9 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23ddc9)
#6 0x7ffab9023592 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23f592)
#7 0x7ffab902c089 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x248089)
#8 0x7ffa8e02df06 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4af06)
0x6070000269f8 is located 24 bytes inside of 80-byte region [0x6070000269e0,0x607000026a30)
freed by thread T0 (chrome) here:
#0 0x5562ba0cae02 (/work/repos/chromium-linux/src/out/LinuxASAN/chrome+0x2a87e02)
#1 0x7ffa8adf7131 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x48131)
#2 0x7ffa8adf60d3 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x470d3)
#3 0x7ffaa75b453b (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x1d653b)
#4 0x7ffaa7631b6d (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x253b6d)
#5 0x7ffaa7631f02 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgl_wrapper.so+0x253f02)
#6 0x7ffab8f93c6d (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x1afc6d)
#7 0x7ffab9021dc9 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23ddc9)
#8 0x7ffab9023592 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23f592)
#9 0x7ffab902c089 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x248089)
#10 0x7ffa8e02df06 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4af06)
previously allocated by thread T0 (chrome) here:
#0 0x5562ba0cb143 (/work/repos/chromium-linux/src/out/LinuxASAN/chrome+0x2a88143)
#1 0x7ffa8adf72ca (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x482ca)
#2 0x7ffa8adf6da7 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x47da7)
#3 0x7ffaa24cbfe8 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgles2.so+0x43efe8)
#4 0x7ffaa241e150 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgles2.so+0x391150)
#5 0x7ffaa2474dc8 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgles2.so+0x3e7dc8)
#6 0x7ffaac2e52dd (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu.so+0xf02dd)
#7 0x7ffa8addf7e1 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x307e1)
#8 0x7ffa8addeeaf (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x2feaf)
#9 0x7ffa8addaa58 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x2ba58)
#10 0x7ffa8ae02539 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x53539)
#11 0x7ffa8adfba6a (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x4ca6a)
#12 0x7ffaac2fb255 (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu.so+0x106255)
#13 0x7ffab8f93c6d (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x1afc6d)
#14 0x7ffab9021dc9 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23ddc9)
#15 0x7ffab9023592 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x23f592)
#16 0x7ffab902c089 (/work/repos/chromium-linux/src/out/LinuxASAN/./libbase.so+0x248089)
#17 0x7ffa8e02df06 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4af06)
SUMMARY: AddressSanitizer: heap-use-after-free (/work/repos/chromium-linux/src/out/LinuxASAN/./libgpu_ipc_service.so+0x47200)
==3824==ABORTING
Received signal 11 SEGV_MAPERR 000000000000
#0 0x55963a942c31 (/work/repos/chromium-linux/src/out/LinuxASAN/chrome+0x2a2dc30)
#1 0x7f5cf5dcd1ce (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x48a1cd)
#2 0x7f5cf5dcbfff (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x488ffe)
#3 0x7f5ccce800c0 (/lib/x86_64-linux-gnu/libpthread-2.24.so+0x110bf)
#4 0x7f5cdb45e71a (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x8ed719)
#5 0x7f5cdd18907b (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x261807a)
#6 0x7f5cdd152052 (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x25e1051)
#7 0x7f5cdc1618aa (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x15f08a9)
#8 0x7f5cdc15ce23 (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x15ebe22)
#9 0x7f5cdc17bf20 (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x160af1f)
#10 0x7f5cdc1b6fc2 (/work/repos/chromium-linux/src/out/LinuxASAN/libv8.so+0x1645fc1)
#11 0x7f5cf5af2c6e (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x1afc6d)
#12 0x7f5cd2c1bba4 (/work/repos/chromium-linux/src/out/LinuxASAN/libblink_platform.so+0x120bba3)
#13 0x7f5cf5af2c6e (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x1afc6d)
#14 0x7f5cf5b80dca (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x23ddc9)
#15 0x7f5cf5b82593 (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x23f592)
#16 0x7f5cf5b88e2c (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x245e2b)
#17 0x7f5cf5c2af52 (/work/repos/chromium-linux/src/out/LinuxASAN/libbase.so+0x2e7f51)
#18 0x7f5cee8e8c7c (/work/repos/chromium-linux/src/out/LinuxASAN/libcontent.so+0x4d03c7b)
#19 0x7f5ceebbd968 (/work/repos/chromium-linux/src/out/LinuxASAN/libcontent.so+0x4fd8967)
#20 0x7f5ceebc208f (/work/repos/chromium-linux/src/out/LinuxASAN/libcontent.so+0x4fdd08e)
#21 0x7f5cf63676b5 (/work/repos/chromium-linux/src/out/LinuxASAN/libembedder.so+0x296b4)
#22 0x7f5ceebbb948 (/work/repos/chromium-linux/src/out/LinuxASAN/libcontent.so+0x4fd6947)
#23 0x55963a9cc044 (/work/repos/chromium-linux/src/out/LinuxASAN/chrome+0x2ab7043)
#24 0x7f5cc8a0a2b1 (/lib/x86_64-linux-gnu/libc-2.24.so+0x202b0)
#25 0x55963a8f602a (/work/repos/chromium-linux/src/out/LinuxASAN/chrome+0x29e1029)