Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
security_advisories/webkitgtk-2.36.0/
security_advisories/webkitgtk-2.36.0/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
poc
 
 
 
 

heap-buffer-overflow in WebCore::TextureMapperLayer::setContentsLayer

report id: Bug 237187

The attached file cause a heap buffer overflow in setContentsLayer().

version: webkitgtk 2.36.0

ASan report:

==16712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000d4ab8 at pc 0x7f79a33b83ff bp 0x7ffde8451be0 sp 0x7ffde8451bd8 WRITE of size 8 at 0x61b0000d4ab8 thread T0 #0 0x7f79a33b83fe in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 #1 0x7f79a33d29aa in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:56:24 #2 0x7f79a33d2ed8 in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:53:1 #3 0x7f79a3410b9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #4 0x7f79a3410b9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #5 0x7f79a3410b9f in WTF::Ref<WebCore::TextureMapperPlatformLayerProxy, WTF::RawPtrTraitsWebCore::TextureMapperPlatformLayerProxy >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #6 0x7f79a3410b9f in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:58:1 #7 0x7f79a3410c48 in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:53:1 #8 0x7f79a34061ab in std::default_deleteNicosia::ContentLayer::Impl::operator()(Nicosia::ContentLayer::Impl*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #9 0x7f79a34061ab in std::unique_ptr<Nicosia::ContentLayer::Impl, std::default_deleteNicosia::ContentLayer::Impl >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #10 0x7f79a34061ab in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #11 0x7f79a3406388 in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #12 0x7f79a9447ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #13 0x7f79a9447ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #14 0x7f79a9447ea2 in WTF::Ref<Nicosia::ContentLayer, WTF::RawPtrTraitsNicosia::ContentLayer >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #15 0x7f79a9447ea2 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:60:1 #16 0x7f79a9447fa8 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:58:1 #17 0x7f79a94201f2 in std::default_deleteNicosia::GCGLLayer::operator()(Nicosia::GCGLLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #18 0x7f79a94201f2 in std::unique_ptr<Nicosia::GCGLLayer, std::default_deleteNicosia::GCGLLayer >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #19 0x7f79a94201f2 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:386:1 #20 0x7f79a9420918 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:348:1 #21 0x7f79a6a9d7be in std::default_deleteWebCore::GraphicsContextGL::operator()(WebCore::GraphicsContextGL*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #22 0x7f79a6a9d7be in WTF::RefCounted<WebCore::GraphicsContextGL, std::default_deleteWebCore::GraphicsContextGL >::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefCounted.h:190:13 #23 0x7f79a6a9d7be in WTF::DefaultRefDerefTraitsWebCore::GraphicsContextGL::derefIfNotNull(WebCore::GraphicsContextGL*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #24 0x7f79a6a9d7be in WTF::RefPtr<WebCore::GraphicsContextGL, WTF::RawPtrTraitsWebCore::GraphicsContextGL, WTF::DefaultRefDerefTraitsWebCore::GraphicsContextGL >::operator=(std::nullptr_t) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:159:5 #25 0x7f79a6a9d7be in WebCore::WebGLRenderingContextBase::destroyGraphicsContextGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1199:19 #26 0x7f79a6ae593a in WebCore::WebGLRenderingContextBase::~WebGLRenderingContextBase() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1174:9 #27 0x7f79a6afbe1f in WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h:35:7 #28 0x7f79a6afbe1f in non-virtual thunk to WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h #29 0x7f79a65cbef4 in std::default_deleteWebCore::CanvasRenderingContext::operator()(WebCore::CanvasRenderingContext*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #30 0x7f79a65cbef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_deleteWebCore::CanvasRenderingContext >::reset(WebCore::CanvasRenderingContext*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4 #31 0x7f79a65cbef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_deleteWebCore::CanvasRenderingContext >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2 #32 0x7f79a65cbef4 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:148:15 #33 0x7f79a65cc668 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:141:1 #34 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #35 0x7f79a5db5577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #36 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #37 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #38 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #39 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #40 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #41 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #42 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #43 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #44 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #45 0x7f79a5db5577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #46 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #47 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #48 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #49 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #50 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #51 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #52 0x7f79a666d2d8 in WebCore::HTMLHtmlElement::~HTMLHtmlElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLHtmlElement.h:30:7 #53 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #54 0x7f79a5db5577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #55 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #56 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #57 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #58 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #59 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #60 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #61 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #62 0x7f79a65c6518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #63 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #64 0x7f79a5db5577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #65 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #66 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #67 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #68 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #69 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #70 0x7f79a5d9d665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #71 0x7f79a666d2d8 in WebCore::HTMLHtmlElement::~HTMLHtmlElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLHtmlElement.h:30:7 #72 0x7f79a5db5577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #73 0x7f79a5db5577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #74 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #75 0x7f79a5db5577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #76 0x7f79a5db5577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #77 0x7f79a5d9b84e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #78 0x7f79a5d9b84e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #79 0x7f79a5e19b07 in WebCore::Document::removedLastRef() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Document.cpp:822:9 #80 0x7f79a65daabc in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #81 0x7f79a65daabc in WTF::Ref<WebCore::ContainerNode, WTF::RawPtrTraitsWebCore::ContainerNode >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #82 0x7f79a65daabc in WebCore::HTMLCollection::~HTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCollection.cpp:143:1 #83 0x7f79a5f02a59 in WebCore::CachedHTMLCollection<WebCore::GenericCachedHTMLCollection<(WebCore::CollectionTraversalType)0>, (WebCore::CollectionTraversalType)0>::~CachedHTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/CachedHTMLCollection.h:85:1 #84 0x7f79a5f02b78 in WebCore::GenericCachedHTMLCollection<(WebCore::CollectionTraversalType)0>::~GenericCachedHTMLCollection() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/GenericCachedHTMLCollection.h:33:7 #85 0x7f799df2bd84 in JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:38:9 #86 0x7f799df2bd84 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:260:13 #87 0x7f799df2bd84 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:294:17 #88 0x7f799df265d1 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellTypeJSC::JSDestructibleObjectDestroyFunc(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:403:21 #89 0x7f799df16158 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellTypeJSC::JSDestructibleObjectDestroyFunc(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h:435:9 #90 0x7f799df049b8 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:53:12 #91 0x7f799cdb19d9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp:415:21 #92 0x7f799cd9d31f in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:225:12 #93 0x7f799cd9d0fa in JSC::LocalAllocator::tryAllocateWithoutCollecting() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:191:28 #94 0x7f799cd9c662 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:132:20 #95 0x7f79a53ee008 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/LocalAllocatorInlines.h:40:43 #96 0x7f79a53ee008 in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/FreeListInlines.h:46:16 #97 0x7f79a53ee008 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/LocalAllocatorInlines.h:37:23 #98 0x7f79a53ee008 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/AllocatorInlines.h:35:30 #99 0x7f79a53ee008 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/IsoSubspaceInlines.h:34:30 #100 0x7f79a53ee008 in void* JSC::tryAllocateCellHelperWebCore::JSHTMLCollection(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/JSCellInlines.h:180:63 #101 0x7f79a53ee008 in void* JSC::allocateCellWebCore::JSHTMLCollection(JSC::Heap&, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/JavaScriptCore/PrivateHeaders/JavaScriptCore/JSCellInlines.h:194:12 #102 0x7f79a53e97f3 in WebCore::JSHTMLCollection::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSHTMLCollection.h:34:47 #103 0x7f79a53e97f3 in std::enable_if<std::is_same<WebCore::HTMLCollection, WebCore::HTMLCollection>::value, WebCore::JSDOMWrapperConverterTraitsWebCore::HTMLCollection::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLCollection, WebCore::HTMLCollection>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWrapperCache.h:190:21 #104 0x7f79a53e9caa in WebCore::toJSNewlyCreated(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSHTMLCollectionCustom.cpp:45:12 #105 0x7f79a53e9caa in JSC::JSValue WebCore::wrapWebCore::HTMLCollection(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WebCore::HTMLCollection&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWrapperCache.h:204:12 #106 0x7f79a35c6e00 in JSC::JSValue WebCore::JSConverter<WebCore::IDLInterfaceWebCore::HTMLCollection >::convert<WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertInterface.h:81:16 #107 0x7f79a35c6e00 in JSC::JSValue WebCore::JSConverterOverloader<WebCore::IDLInterfaceWebCore::HTMLCollection, true, true>::convert<WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:109:16 #108 0x7f79a35c6e00 in JSC::JSValue WebCore::toJS<WebCore::IDLInterfaceWebCore::HTMLCollection, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:151:12 #109 0x7f79a35c6e00 in JSC::JSValue WebCore::toJS<WebCore::IDLInterfaceWebCore::HTMLCollection, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection > >(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WTF::Ref<WebCore::HTMLCollection, WTF::RawPtrTraitsWebCore::HTMLCollection >&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMConvertBase.h:215:20 #110 0x7f79a35c6e00 in WebCore::jsDocumentPrototypeFunction_getElementsByTagNameBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5294:5 #111 0x7f79a35c6e00 in long WebCore::IDLOperationWebCore::JSDocument::call<&(WebCore::jsDocumentPrototypeFunction_getElementsByTagNameBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMOperation.h:63:9 #112 0x7f79a35c6e00 in WebCore::jsDocumentPrototypeFunction_getElementsByTagName(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5299:12 #113 0x7f7952feb1d7 ()

Address 0x61b0000d4ab8 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) Shadow bytes around the buggy address: 0x0c3680012900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c3680012950: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa 0x0c3680012960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3680012990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c36800129a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==16712==ABORTING

heap-use-after-free in setContentsLayer(WebCore::TextureMapperPlatformLayer*)

report id: Bug 237188

The attached file cause a heap use after free in setContentsLayer.

version: webkitgtk 2.36.0

ASan report:

==18385==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00012d7b8 at pc 0x7f751aa143ff bp 0x7ffcc1bb1f80 sp 0x7ffcc1bb1f78 WRITE of size 8 at 0x61b00012d7b8 thread T0 #0 0x7f751aa143fe in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 #1 0x7f751aa2e9aa in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:56:24 #2 0x7f751aa2eed8 in WebCore::TextureMapperPlatformLayerProxy::~TextureMapperPlatformLayerProxy() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxy.cpp:53:1 #3 0x7f751aa6cb9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #4 0x7f751aa6cb9f in WTF::ThreadSafeRefCounted<WebCore::TextureMapperPlatformLayerProxy, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #5 0x7f751aa6cb9f in WTF::Ref<WebCore::TextureMapperPlatformLayerProxy, WTF::RawPtrTraitsWebCore::TextureMapperPlatformLayerProxy >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #6 0x7f751aa6cb9f in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:58:1 #7 0x7f751aa6cc48 in Nicosia::ContentLayerTextureMapperImpl::~ContentLayerTextureMapperImpl() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaContentLayerTextureMapperImpl.cpp:53:1 #8 0x7f751aa621ab in std::default_deleteNicosia::ContentLayer::Impl::operator()(Nicosia::ContentLayer::Impl*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #9 0x7f751aa621ab in std::unique_ptr<Nicosia::ContentLayer::Impl, std::default_deleteNicosia::ContentLayer::Impl >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #10 0x7f751aa621ab in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #11 0x7f751aa62388 in Nicosia::ContentLayer::~ContentLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/NicosiaPlatformLayer.cpp:58:29 #12 0x7f7520aa3ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:117:13 #13 0x7f7520aa3ea2 in WTF::ThreadSafeRefCounted<Nicosia::PlatformLayer, (WTF::DestructionThread)0>::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ThreadSafeRefCounted.h:129:9 #14 0x7f7520aa3ea2 in WTF::Ref<Nicosia::ContentLayer, WTF::RawPtrTraitsNicosia::ContentLayer >::~Ref() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/Ref.h:61:18 #15 0x7f7520aa3ea2 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:60:1 #16 0x7f7520aa3fa8 in Nicosia::GCGLLayer::~GCGLLayer() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/nicosia/texmap/NicosiaGCGLLayer.cpp:58:1 #17 0x7f7520a7c1f2 in std::default_deleteNicosia::GCGLLayer::operator()(Nicosia::GCGLLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #18 0x7f7520a7c1f2 in std::unique_ptr<Nicosia::GCGLLayer, std::default_deleteNicosia::GCGLLayer >::~unique_ptr() /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:292:4 #19 0x7f7520a7c1f2 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:386:1 #20 0x7f7520a7c918 in WebCore::GraphicsContextGLOpenGL::~GraphicsContextGLOpenGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/GraphicsContextGLTextureMapper.cpp:348:1 #21 0x7f751e0f97be in std::default_deleteWebCore::GraphicsContextGL::operator()(WebCore::GraphicsContextGL*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #22 0x7f751e0f97be in WTF::RefCounted<WebCore::GraphicsContextGL, std::default_deleteWebCore::GraphicsContextGL >::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefCounted.h:190:13 #23 0x7f751e0f97be in WTF::DefaultRefDerefTraitsWebCore::GraphicsContextGL::derefIfNotNull(WebCore::GraphicsContextGL*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #24 0x7f751e0f97be in WTF::RefPtr<WebCore::GraphicsContextGL, WTF::RawPtrTraitsWebCore::GraphicsContextGL, WTF::DefaultRefDerefTraitsWebCore::GraphicsContextGL >::operator=(std::nullptr_t) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:159:5 #25 0x7f751e0f97be in WebCore::WebGLRenderingContextBase::destroyGraphicsContextGL() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1199:19 #26 0x7f751e14193a in WebCore::WebGLRenderingContextBase::~WebGLRenderingContextBase() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContextBase.cpp:1174:9 #27 0x7f751e157e1f in WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h:35:7 #28 0x7f751e157e1f in non-virtual thunk to WebCore::WebGLRenderingContext::~WebGLRenderingContext() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/canvas/WebGLRenderingContext.h #29 0x7f751dc27ef4 in std::default_deleteWebCore::CanvasRenderingContext::operator()(WebCore::CanvasRenderingContext*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2 #30 0x7f751dc27ef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_deleteWebCore::CanvasRenderingContext >::reset(WebCore::CanvasRenderingContext*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4 #31 0x7f751dc27ef4 in std::unique_ptr<WebCore::CanvasRenderingContext, std::default_deleteWebCore::CanvasRenderingContext >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2 #32 0x7f751dc27ef4 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:148:15 #33 0x7f751dc28668 in WebCore::HTMLCanvasElement::~HTMLCanvasElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLCanvasElement.cpp:141:1 #34 0x7f751d411577 in WebCore::Node::deref() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/Node.h:804:34 #35 0x7f751d411577 in WTF::DefaultRefDerefTraitsWebCore::Node::derefIfNotNull(WebCore::Node*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:42:18 #36 0x7f751d411577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::~RefPtr() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:73:31 #37 0x7f751d411577 in WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node >::operator=(WTF::RefPtr<WebCore::Node, WTF::RawPtrTraitsWebCore::Node, WTF::DefaultRefDerefTraitsWebCore::Node > const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/RefPtr.h:137:1 #38 0x7f751d411577 in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:186:65 #39 0x7f751d3f784e in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:225:5 #40 0x7f751d3f784e in WebCore::ContainerNode::removeDetachedChildren() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:282:5 #41 0x7f751d3f9665 in WebCore::ContainerNode::~ContainerNode() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/dom/ContainerNode.cpp:316:5 #42 0x7f751dc22518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #43 0x7f751dc22518 in WebCore::HTMLBodyElement::~HTMLBodyElement() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/html/HTMLBodyElement.cpp:64:35 #44 0x7f751442eb3a in JSC::PreciseAllocation::sweep() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/PreciseAllocation.cpp:234:25 #45 0x7f7514414ff8 in JSC::MarkedSpace::sweepPreciseAllocations() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MarkedSpace.cpp:235:21 #46 0x7f7514387248 in JSC::Heap::sweepInFinalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2116:19 #47 0x7f7514387248 in JSC::Heap::finalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2061:9 #48 0x7f7514386195 in JSC::Heap::handleNeedFinalize(unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1997:9 #49 0x7f751437ac59 in JSC::Heap::handleNeedFinalize() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2008:12 #50 0x7f751437ac59 in JSC::Heap::finishChangingPhase(JSC::GCConductor) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1604:17 #51 0x7f7514380ff0 in JSC::Heap::changePhase(JSC::GCConductor, JSC::CollectorPhase) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1578:12 #52 0x7f7514380ff0 in JSC::Heap::runEndPhase(JSC::GCConductor) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1568:12 #53 0x7f751437a58e in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1221:18 #54 0x7f75143905fc in JSC::Heap::collectInMutatorThread()::$_0::operator()(JSC::CurrentThreadState&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1835:52 #55 0x7f75143905fc in WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_0>::implFunction(void*, JSC::CurrentThreadState&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ScopedLambda.h:106:16 #56 0x7f75143fad1d in void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()JSC::CurrentThreadState&(JSC::CurrentThreadState&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/ScopedLambda.h:58:16 #57 0x7f75143fad1d in JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/MachineStackMarker.cpp:221:5 #58 0x7f751438638e in JSC::Heap::collectInMutatorThread() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1847:13 #59 0x7f7514385f45 in JSC::Heap::stopIfNecessarySlow(unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1816:9 #60 0x7f7514385f45 in JSC::Heap::stopIfNecessarySlow() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:1788:12 #61 0x7f751436ec6e in JSC::Heap::stopIfNecessary() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/HeapInlines.h:270:9 #62 0x7f751436ec6e in JSC::Heap::collectIfNecessaryOrDefer(JSC::GCDeferralContext*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/Heap.cpp:2599:13 #63 0x7f75143f8641 in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocator.cpp:125:10 #64 0x7f75125fdf09 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:40:43 #65 0x7f75125fdf09 in JSC::HeapCell* JSC::FreeList::allocate<JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/FreeListInlines.h:46:16 #66 0x7f75125fdf09 in JSC::LocalAllocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/LocalAllocatorInlines.h:37:23 #67 0x7f75125fdf09 in JSC::Allocator::allocate(JSC::Heap&, JSC::GCDeferralContext*, JSC::AllocationFailureMode) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/AllocatorInlines.h:35:30 #68 0x7f75125fdf09 in JSC::IsoSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/heap/IsoSubspaceInlines.h:34:30 #69 0x7f75125fdf09 in void* JSC::tryAllocateCellHelperJSC::Structure(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSCellInlines.h:180:63 #70 0x7f75125fdf09 in void* JSC::allocateCellJSC::Structure(JSC::Heap&, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSCellInlines.h:194:12 #71 0x7f75125fdf09 in JSC::Structure::create(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue, JSC::TypeInfo const&, JSC::ClassInfo const*, unsigned char, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/StructureInlines.h:63:42 #72 0x7f75155beb22 in JSC::JSSloppyFunction::createStructure(JSC::VM&, JSC::JSGlobalObject*, JSC::JSValue) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSFunction.h:253:16 #73 0x7f75155beb22 in JSC::JSGlobalObject::init(JSC::VM&)::$_0::operator()(JSC::JSGlobalObject::FunctionStructures&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:745:58 #74 0x7f75155a5a6a in JSC::JSGlobalObject::init(JSC::VM&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:748:5 #75 0x7f75155d42c9 in JSC::JSGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/JavaScriptCore/runtime/JSGlobalObject.cpp:2590:5 #76 0x7f751c9e878e in WebCore::JSDOMGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp:255:11 #77 0x7f751ca0677f in WebCore::JSDOMWindowBase::finishCreation(JSC::VM&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSDOMWindowBase.cpp:120:11 #78 0x7f751aaabfd0 in WebCore::JSDOMWindow::finishCreation(JSC::VM&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDOMWindow.cpp:5744:11 #79 0x7f751ca901a4 in WebCore::JSDOMWindow::create(JSC::VM&, JSC::Structure*, WTF::Ref<WebCore::DOMWindow, WTF::RawPtrTraitsWebCore::DOMWindow >&&, WebCore::JSWindowProxy*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/DerivedSources/JSDOMWindow.h:41:14 #80 0x7f751ca901a4 in WebCore::JSWindowProxy::setWindow(WebCore::AbstractDOMWindow&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/JSWindowProxy.cpp:112:18 #81 0x7f751cb659a9 in WebCore::WindowProxy::setDOMWindow(WebCore::AbstractDOMWindow*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/bindings/js/WindowProxy.cpp:173:22 #82 0x7f751e7db91b in WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool, WTF::Function<void ()>&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/FrameLoader.cpp:679:31 #83 0x7f751e770b00 in WebCore::DocumentWriter::begin(WTF::URL const&, bool, WebCore::Document*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentWriter.cpp:165:23 #84 0x7f751e75b5a4 in WebCore::DocumentLoader::commitData(unsigned char const*, unsigned long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentLoader.cpp:1221:34 #85 0x7f751a83b7eb in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, unsigned char const*, int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:1156:17 #86 0x7f751e76fb0c in WebCore::DocumentLoader::commitLoad(unsigned char const*, int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/DocumentLoader.cpp:1188:27 #87 0x7f751e997bcd in WebCore::CachedRawResource::notifyClientsDataWasReceived(unsigned char const*, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/cache/CachedRawResource.cpp:138:12 #88 0x7f751e9972c3 in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/cache/CachedRawResource.cpp:75:9 #89 0x7f751e8e148f in WebCore::SubresourceLoader::didReceiveDataOrBuffer(unsigned char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::RawPtrTraitsWebCore::SharedBuffer, WTF::DefaultRefDerefTraitsWebCore::SharedBuffer >&&, long long, WebCore::DataPayloadType) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/SubresourceLoader.cpp:562:25 #90 0x7f751e8e1114 in WebCore::SubresourceLoader::didReceiveData(unsigned char const*, unsigned int, long long, WebCore::DataPayloadType) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/loader/SubresourceLoader.cpp:530:5 #91 0x7f751a73092b in WebKit::WebResourceLoader::didReceiveData(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:210:19 #92 0x7f7519591b4e in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>, 0ul, 1ul>(WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:125:5 #93 0x7f7519591b4e in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long), std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>, std::integer_sequence<unsigned long, 0ul, 1ul> >(std::tuple<IPC::ArrayReference<unsigned char, 18446744073709551615ul>, long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:131:5 #94 0x7f7519591b4e in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::)(IPC::ArrayReference<unsigned char, 18446744073709551615ul> const&, long)) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/HandleMessage.h:202:5 #95 0x7f7519591b4e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/DerivedSources/WebKit/WebResourceLoaderMessageReceiver.cpp:54:16 #96 0x7f7519b71619 in IPC::Connection::dispatchMessage(IPC::Decoder&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1058:14 #97 0x7f7519b71dbe in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_deleteIPC::Decoder >) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1103:9 #98 0x7f7519b729c3 in IPC::Connection::dispatchOneIncomingMessage() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Platform/IPC/Connection.cpp:1172:5 #99 0x7f7516739dc7 in WTF::Function<void ()>::operator()() const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/Function.h:82:35 #100 0x7f7516739dc7 in WTF::RunLoop::performWork() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/RunLoop.cpp:133:9 #101 0x7f75168b8645 in WTF::RunLoop::RunLoop()::$_1::operator()(void) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:80:42 #102 0x7f75168b8645 in WTF::RunLoop::RunLoop()::$_1::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:79:43 #103 0x7f75168b5c2c in WTF::RunLoop::$_0::operator()(_GSource*, int ()(void), void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #104 0x7f75168b5c2c in WTF::RunLoop::$_0::__invoke(_GSource*, int ()(void), void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #105 0x7f750fc0304d in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5204d) #106 0x7f750fc033ff (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x523ff) #107 0x7f750fc036f2 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x526f2) #108 0x7f75168b7202 in WTF::RunLoop::run() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #109 0x7f751a9a3c4f in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/AuxiliaryProcessMain.h:70:9 #110 0x7f751a9a3c4f in int WebKit::AuxiliaryProcessMainWebKit::WebProcessMainGtk(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/AuxiliaryProcessMain.h:96:27 #111 0x7f751a9a3c4f in WebKit::WebProcessMain(int, char**) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:87:12 #112 0x7f750f59f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #113 0x41d37d in _start (/root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/bin/WebKitWebProcess+0x41d37d)

0x61b00012d7b8 is located 56 bytes inside of 1488-byte region [0x61b00012d780,0x61b00012dd50) freed by thread T44 (eadedCompositor) here: #0 0x4c2bd7 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7f7519cdf8ea in WebKit::CoordinatedGraphicsScene::updateSceneState()::$_0::operator()(Nicosia::Scene::State&) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:264:17 #2 0x7f7519cdf8ea in void Nicosia::Scene::accessStateWebKit::CoordinatedGraphicsScene::updateSceneState()::$_0(WebKit::CoordinatedGraphicsScene::updateSceneState()::$_0 const&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WebCore/PrivateHeaders/WebCore/NicosiaScene.h:66:9 #3 0x7f7519cdf8ea in WebKit::CoordinatedGraphicsScene::updateSceneState() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:235:22 #4 0x7f7519cde311 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:65:5 #5 0x7f7519cef1e8 in WebKit::ThreadedCompositor::renderLayerTree() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:235:14 #6 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #7 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43

previously allocated by thread T44 (eadedCompositor) here: #0 0x4c2ecf in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f75168cc72a in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20 #2 0x7f7519cde311 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, WebCore::FloatRect const&, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:65:5 #3 0x7f7519cef1e8 in WebKit::ThreadedCompositor::renderLayerTree() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:235:14 #4 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #5 0x7f75168b8774 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43

Thread T44 (eadedCompositor) created by T0 here: #0 0x4348a6 in pthread_create /root/llvm/llvm-12/compiler-rt/lib/asan/asan_interceptors.cpp:205:3 #1 0x7f75168c0658 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::optional, WTF::Thread::QOS) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:275:17 #2 0x7f7516744b25 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WTF/wtf/Threading.cpp:203:32 #3 0x7f7519ce966f in WebKit::createRunLoop() /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:46:5 #4 0x7f7519ce966f in WebKit::CompositingRunLoop::CompositingRunLoop(WTF::Function<void ()>&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/CompositingRunLoop.cpp:57:17 #5 0x7f7519ceb0af in std::_MakeUniqWebKit::CompositingRunLoop::__single_object std::make_unique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:857:34 #6 0x7f7519ceb0af in decltype(auto) WTF::makeUnique<WebKit::CompositingRunLoop, WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6>(WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int)::$_6&&) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/WebKitBuild_Asan_RelWithDebug/GTK/Release/WTF/Headers/wtf/StdLibExtras.h:509:12 #7 0x7f7519ceb0af in WebKit::ThreadedCompositor::ThreadedCompositor(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:58:28 #8 0x7f7519ceae4e in WebKit::ThreadedCompositor::create(WebKit::ThreadedCompositor::Client&, WebKit::ThreadedDisplayRefreshMonitor::Client&, unsigned int, WebCore::IntSize const&, float, unsigned int) /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebKit/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:52:26

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/webkit_trunck_clean_version/Safari-branch/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:702:21 in WebCore::TextureMapperLayer::setContentsLayer(WebCore::TextureMapperPlatformLayer*) Shadow bytes around the buggy address: 0x0c368001daa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001dab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001dac0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x0c368001dad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c368001dae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c368001daf0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd 0x0c368001db00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c368001db40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==18385==ABORTING