While using ASAN Nightly (https://hg.mozilla.org/mozilla-central/rev/c909c105f914f69054b9a7c6b189ee39fa1cad44), build ID 20190604034844, I loaded up https://en.wikipedia.org/wiki/List_of_companies_based_in_Oklahoma_City and middle clicked the link to https://en.wikipedia.org/wiki/Ackerman_McQueen and the https://en.wikipedia.org/wiki/Ackerman_McQueen tab crashed with the following ASAN output: ==3875==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000e9008 at pc 0x7f8c661af3d5 bp 0x7ffd62db0420 sp 0x7ffd62db0418 READ of size 8 at 0x6170000e9008 thread T0 (Web Content) #0 0x7f8c661af3d4 in end /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 #1 0x7f8c661af3d4 in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:94 #2 0x7f8c661af3d4 in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665 #3 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7 #4 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161 #5 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30 #6 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499 #7 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3 #8 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13 #9 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22 #10 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #11 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #12 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #13 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #14 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #15 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #16 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #17 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 #18 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #19 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #20 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #21 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34 #22 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28 #23 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263 #24 0x7f8c70f47412 in __libc_start_main (/lib64/libc.so.6+0x24412) #25 0x5646b83c0b08 in _start (/home/geeknik/firefox/firefox+0x2ab08) 0x6170000e9008 is located 8 bytes inside of 720-byte region [0x6170000e9000,0x6170000e92d0) freed by thread T0 (Web Content) here: #0 0x5646b846c192 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 #1 0x7f8c654f18f6 in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:411:3 #2 0x7f8c654f18f6 in free_<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:83 #3 0x7f8c654f18f6 in freeData /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:634 #4 0x7f8c654f18f6 in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:728 #5 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12 #6 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17 #7 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199 #8 0x7f8c65c4fc67 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::postSeverDelegate(js::GCMarker*, js::gc::Cell*, JS::Compartment*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:260:5 #9 0x7f8c661af2de in operator() /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:669:25 #10 0x7f8c661af2de in RemoveIf<js::gc::WeakMarkable, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:84 #11 0x7f8c661af2de in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:93 #12 0x7f8c661af2de in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665 #13 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7 #14 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161 #15 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30 #16 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499 #17 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3 #18 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13 #19 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22 #20 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #21 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #22 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #23 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #24 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #25 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #26 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #27 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 #28 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #29 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #30 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #31 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34 #32 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28 #33 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263 previously allocated by thread T0 (Web Content) here: #0 0x5646b846c513 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3 #1 0x7f8c654f142e in js_arena_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:367:10 #2 0x7f8c654f142e in js_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:572 #3 0x7f8c654f142e in maybe_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:31 #4 0x7f8c654f142e in pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:44 #5 0x7f8c654f142e in pod_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:70 #6 0x7f8c654f142e in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:709 #7 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12 #8 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17 #9 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199 #10 0x7f8c65c5043f in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntries(js::GCMarker*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h #11 0x7f8c661b59b4 in doTrace /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Class.h:872:3 #12 0x7f8c661b59b4 in CallTraceHook<(lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1849:7)> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1480 #13 0x7f8c661b59b4 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1848 #14 0x7f8c66187089 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1636:7 #15 0x7f8c6618fdb5 in markUntilBudgetExhausted /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6053:17 #16 0x7f8c6618fdb5 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7215 #17 0x7f8c66192a43 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7628:3 #18 0x7f8c66195936 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7808:9 #19 0x7f8c661966ba in js::gc::GCRuntime::gcSlice(JS::GCReason, long) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7912:3 #20 0x7f8c5c59842f in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1126:5 #21 0x7f8c5c5a60e2 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1748:3 #22 0x7f8c58dc60b0 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14 #23 0x7f8c58dc60b0 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58 #24 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #25 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #26 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #27 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #28 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #29 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #30 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #31 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 in end Shadow bytes around the buggy address: 0x0c2e800151b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c2e80015200: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015250: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3875==ABORTING
Bug 1556933 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
While using ASAN Nightly (https://hg.mozilla.org/mozilla-central/rev/c909c105f914f69054b9a7c6b189ee39fa1cad44), build ID 20190604034844, I loaded up https://en.wikipedia.org/wiki/List_of_companies_based_in_Oklahoma_City and middle clicked the link to https://en.wikipedia.org/wiki/Ackerman_McQueen and the https://en.wikipedia.org/wiki/Ackerman_McQueen tab crashed with the following ASAN output: ``` ==3875==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000e9008 at pc 0x7f8c661af3d5 bp 0x7ffd62db0420 sp 0x7ffd62db0418 READ of size 8 at 0x6170000e9008 thread T0 (Web Content) #0 0x7f8c661af3d4 in end /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 #1 0x7f8c661af3d4 in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:94 #2 0x7f8c661af3d4 in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665 #3 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7 #4 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161 #5 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30 #6 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499 #7 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3 #8 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13 #9 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22 #10 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #11 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #12 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #13 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #14 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #15 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #16 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #17 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 #18 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #19 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #20 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #21 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34 #22 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28 #23 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263 #24 0x7f8c70f47412 in __libc_start_main (/lib64/libc.so.6+0x24412) #25 0x5646b83c0b08 in _start (/home/geeknik/firefox/firefox+0x2ab08) 0x6170000e9008 is located 8 bytes inside of 720-byte region [0x6170000e9000,0x6170000e92d0) freed by thread T0 (Web Content) here: #0 0x5646b846c192 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3 #1 0x7f8c654f18f6 in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:411:3 #2 0x7f8c654f18f6 in free_<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:83 #3 0x7f8c654f18f6 in freeData /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:634 #4 0x7f8c654f18f6 in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:728 #5 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12 #6 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17 #7 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199 #8 0x7f8c65c4fc67 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::postSeverDelegate(js::GCMarker*, js::gc::Cell*, JS::Compartment*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:260:5 #9 0x7f8c661af2de in operator() /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:669:25 #10 0x7f8c661af2de in RemoveIf<js::gc::WeakMarkable, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:84 #11 0x7f8c661af2de in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:93 #12 0x7f8c661af2de in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665 #13 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7 #14 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161 #15 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30 #16 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499 #17 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3 #18 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13 #19 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22 #20 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #21 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #22 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #23 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #24 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #25 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #26 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #27 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 #28 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #29 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #30 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #31 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34 #32 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28 #33 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263 previously allocated by thread T0 (Web Content) here: #0 0x5646b846c513 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3 #1 0x7f8c654f142e in js_arena_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:367:10 #2 0x7f8c654f142e in js_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:572 #3 0x7f8c654f142e in maybe_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:31 #4 0x7f8c654f142e in pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:44 #5 0x7f8c654f142e in pod_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:70 #6 0x7f8c654f142e in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:709 #7 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12 #8 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17 #9 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199 #10 0x7f8c65c5043f in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntries(js::GCMarker*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h #11 0x7f8c661b59b4 in doTrace /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Class.h:872:3 #12 0x7f8c661b59b4 in CallTraceHook<(lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1849:7)> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1480 #13 0x7f8c661b59b4 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1848 #14 0x7f8c66187089 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1636:7 #15 0x7f8c6618fdb5 in markUntilBudgetExhausted /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6053:17 #16 0x7f8c6618fdb5 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7215 #17 0x7f8c66192a43 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7628:3 #18 0x7f8c66195936 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7808:9 #19 0x7f8c661966ba in js::gc::GCRuntime::gcSlice(JS::GCReason, long) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7912:3 #20 0x7f8c5c59842f in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1126:5 #21 0x7f8c5c5a60e2 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1748:3 #22 0x7f8c58dc60b0 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14 #23 0x7f8c58dc60b0 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58 #24 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14 #25 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10 #26 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21 #27 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10 #28 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308 #29 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290 #30 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27 #31 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20 SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 in end Shadow bytes around the buggy address: 0x0c2e800151b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e800151f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c2e80015200: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e80015250: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3875==ABORTING ```