================================================================= ==124251==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040003bc6b0 at pc 0x55f475366b11 bp 0x7ffd76638ed0 sp 0x7ffd76638ec8 WRITE of size 8 at 0x6040003bc6b0 thread T0 (chrome) #0 0x55f475366b10 in FileSelectionCanceled content/browser/frame_host/render_frame_host_impl.cc:603:12 #1 0x55f475366b10 in content::FileChooserImpl::ListenerProxy::FileSelectionCanceled() content/browser/frame_host/render_frame_host_impl.cc:645 #2 0x55f4824b7f23 in RunFileChooserEnd chrome/browser/file_select_helper.cc:660:16 #3 0x55f4824b7f23 in AbortIfWebContentsDestroyed chrome/browser/file_select_helper.cc:364 #4 0x55f4824b7f23 in FileSelectHelper::GetSanitizedFilenameOnUIThread(mojo::StructPtr) chrome/browser/file_select_helper.cc:530 #5 0x55f4824bca04 in Invoke), scoped_refptr, mojo::StructPtr > base/bind_internal.h:499:12 #6 0x55f4824bca04 in MakeItSo), scoped_refptr, mojo::StructPtr > base/bind_internal.h:599 #7 0x55f4824bca04 in RunImpl), std::__1::tuple, mojo::StructPtr >, 0, 1> base/bind_internal.h:672 #8 0x55f4824bca04 in base::internal::Invoker), scoped_refptr, mojo::StructPtr >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:641 #9 0x55f47b34875b in Run base/callback.h:97:12 #10 0x55f47b34875b in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/task/common/task_annotator.cc:104 #11 0x55f47b34a757 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*, bool*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:336:21 #12 0x55f47b34b5cc in DoWork base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:252:7 #13 0x55f47b34b5cc in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWork() base/task/sequence_manager/thread_controller_with_message_pump_impl.cc #14 0x55f47b262577 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:309:49 #15 0x55f47b34bfdb in Run base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:403:12 #16 0x55f47b34bfdb in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc #17 0x55f47b2c9497 in base::RunLoop::Run() base/run_loop.cc:157:14 #18 0x55f47a53d481 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1860:15 #19 0x55f474de514b in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:989:29 #20 0x55f474decae5 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:165:15 #21 0x55f474ddc0e0 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28 #22 0x55f47a3a4043 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:555:10 #23 0x55f47a3a4043 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) content/app/content_main_runner_impl.cc:980 #24 0x55f47a3a3414 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:876:12 #25 0x55f47a4c83ab in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:416:29 #26 0x55f47a39e364 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 #27 0x55f471d4bba7 in ChromeMain chrome/app/chrome_main.cc:103:12 #28 0x7f86ed3582b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) 0x6040003bc6b0 is located 32 bytes inside of 48-byte region [0x6040003bc690,0x6040003bc6c0) freed by thread T0 (chrome) here: #0 0x55f471d49702 in operator delete(void*) /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:166:3 #1 0x55f475365719 in operator() buildtools/third_party/libc++/trunk/include/memory:2338:5 #2 0x55f475365719 in reset buildtools/third_party/libc++/trunk/include/memory:2651 #3 0x55f475365719 in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2605 #4 0x55f475365719 in ~StrongBinding mojo/public/cpp/bindings/strong_binding.h:113 #5 0x55f475365719 in mojo::StrongBinding::Close() mojo/public/cpp/bindings/strong_binding.h:92 #6 0x55f475364f41 in mojo::StrongBinding::OnConnectionError(unsigned int, std::__1::basic_string, std::__1::allocator > const&) mojo/public/cpp/bindings/strong_binding.h:123:5 #7 0x55f47b569d5a in Run base/callback.h:97:12 #8 0x55f47b569d5a in mojo::InterfaceEndpointClient::NotifyError(base::Optional const&) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:342 #9 0x55f47b57a8ee in mojo::internal::MultiplexRouter::ProcessNotifyErrorTask(mojo::internal::MultiplexRouter::Task*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:793:13 #10 0x55f47b574c8a in mojo::internal::MultiplexRouter::ProcessTasks(mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:706:15 #11 0x55f47b570e38 in mojo::internal::MultiplexRouter::OnPipeConnectionError(bool) mojo/public/cpp/bindings/lib/multiplex_router.cc:678:3 #12 0x55f47b55d0e3 in Run base/callback.h:97:12 #13 0x55f47b55d0e3 in mojo::Connector::HandleError(bool, bool) mojo/public/cpp/bindings/lib/connector.cc:674 #14 0x55f47b5b5b9f in Run base/callback.h:127:12 #15 0x55f47b5b5b9f in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:293 #16 0x55f47b34875b in Run base/callback.h:97:12 #17 0x55f47b34875b in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/task/common/task_annotator.cc:104 #18 0x55f47b34a757 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*, bool*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:336:21 #19 0x55f47b34b807 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoDelayedWork(base::TimeTicks*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:278:7 #20 0x55f47b262602 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:314:27 #21 0x55f47b34bfdb in Run base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:403:12 #22 0x55f47b34bfdb in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc #23 0x55f47b2c9497 in base::RunLoop::Run() base/run_loop.cc:157:14 #24 0x55f47a53d481 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1860:15 #25 0x55f474de514b in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:989:29 #26 0x55f474decae5 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:165:15 #27 0x55f474ddc0e0 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28 #28 0x55f47a3a4043 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:555:10 #29 0x55f47a3a4043 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) content/app/content_main_runner_impl.cc:980 #30 0x55f47a3a3414 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:876:12 #31 0x55f47a4c83ab in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:416:29 #32 0x55f47a39e364 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 #33 0x55f471d4bba7 in ChromeMain chrome/app/chrome_main.cc:103:12 #34 0x7f86ed3582b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) previously allocated by thread T0 (chrome) here: #0 0x55f471d48ac2 in operator new(unsigned long) /b/swarming/w/ir/k/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:105:3 #1 0x55f475348b8c in make_unique buildtools/third_party/libc++/trunk/include/memory:3131:28 #2 0x55f475348b8c in content::FileChooserImpl::Create(content::RenderFrameHostImpl*, mojo::InterfaceRequest) content/browser/frame_host/render_frame_host_impl.cc:518 #3 0x55f475390058 in Invoke), content::RenderFrameHostImpl *, mojo::InterfaceRequest > base/bind_internal.h:399:12 #4 0x55f475390058 in MakeItSo), content::RenderFrameHostImpl *, mojo::InterfaceRequest > base/bind_internal.h:599 #5 0x55f475390058 in RunImpl), const std::__1::tuple > &, 0> base/bind_internal.h:672 #6 0x55f475390058 in base::internal::Invoker), base::internal::UnretainedWrapper >, void (mojo::InterfaceRequest)>::Run(base::internal::BindStateBase*, mojo::InterfaceRequest&&) base/bind_internal.h:654 #7 0x55f475390589 in Run base/callback.h:127:12 #8 0x55f475390589 in RunCallback services/service_manager/public/cpp/interface_binder.h:69 #9 0x55f475390589 in service_manager::CallbackBinder::BindInterface(std::__1::basic_string, std::__1::allocator > const&, mojo::ScopedHandleBase) services/service_manager/public/cpp/interface_binder.h:62 #10 0x55f472a92d0a in service_manager::BinderRegistryWithArgs<>::BindInterface(std::__1::basic_string, std::__1::allocator > const&, mojo::ScopedHandleBase) services/service_manager/public/cpp/binder_registry.h:86:19 #11 0x55f47535bb32 in TryBindInterface services/service_manager/public/cpp/binder_registry.h:115:7 #12 0x55f47535bb32 in content::RenderFrameHostImpl::GetInterface(std::__1::basic_string, std::__1::allocator > const&, mojo::ScopedHandleBase) content/browser/frame_host/render_frame_host_impl.cc:5748 #13 0x55f47cb05c72 in service_manager::mojom::InterfaceProviderStubDispatch::Accept(service_manager::mojom::InterfaceProvider*, mojo::Message*) gen/services/service_manager/public/mojom/interface_provider.mojom.cc:131:13 #14 0x55f47b566ebe in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:433:32 #15 0x55f47b578e5e in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:873:42 #16 0x55f47b5775f7 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:594:38 #17 0x55f47b55edd2 in mojo::Connector::DispatchMessage(mojo::Message) mojo/public/cpp/bindings/lib/connector.cc:525:49 #18 0x55f47b560bf7 in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:600:12 #19 0x55f47b5b5b9f in Run base/callback.h:127:12 #20 0x55f47b5b5b9f in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:293 #21 0x55f47b34875b in Run base/callback.h:97:12 #22 0x55f47b34875b in base::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/task/common/task_annotator.cc:104 #23 0x55f47b34a757 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*, bool*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:336:21 #24 0x55f47b34b807 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoDelayedWork(base::TimeTicks*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:278:7 #25 0x55f47b262602 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:314:27 #26 0x55f47b34bfdb in Run base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:403:12 #27 0x55f47b34bfdb in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc #28 0x55f47b2c9497 in base::RunLoop::Run() base/run_loop.cc:157:14 #29 0x55f47a53d481 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1860:15 #30 0x55f474de514b in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:989:29 #31 0x55f474decae5 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:165:15 #32 0x55f474ddc0e0 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28 #33 0x55f47a3a4043 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:555:10 #34 0x55f47a3a4043 in content::ContentMainRunnerImpl::RunServiceManager(content::MainFunctionParams&, bool) content/app/content_main_runner_impl.cc:980 #35 0x55f47a3a3414 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:876:12 #36 0x55f47a4c83ab in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:416:29 #37 0x55f47a39e364 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10 #38 0x55f471d4bba7 in ChromeMain chrome/app/chrome_main.cc:103:12 #39 0x7f86ed3582b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: heap-use-after-free content/browser/frame_host/render_frame_host_impl.cc:603:12 in FileSelectionCanceled Shadow bytes around the buggy address: 0x0c088006f880: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c088006f890: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd 0x0c088006f8a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c088006f8b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c088006f8c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa =>0x0c088006f8d0: fa fa fd fd fd fd[fd]fd fa fa fd fd fd fd fd fa 0x0c088006f8e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c088006f8f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa 0x0c088006f900: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd 0x0c088006f910: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa 0x0c088006f920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==124251==ABORTING