=================================================================
==381004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060004389b8 at pc 0x5af07f854535 bp 0x7ffc0c469680 sp 0x7ffc0c469678
READ of size 8 at 0x5060004389b8 thread T0 (interactive_ui_)
    #0 0x5af07f854534 in std::__Cr::unique_ptr<TabGroup, std::__Cr::default_delete<TabGroup>>::get() const third_party/libc++/src/include/__memory/unique_ptr.h:260:101
    #1 0x5af07f854534 in TabGroupModel::GetTabGroup(tab_groups::TabGroupId const&) const chrome/browser/ui/tabs/tab_group_model.cc:50:35
    #2 0x5af06b919e73 in DetachToBrowserTabDragControllerTest_WaylandDragUAF_Test::RunTestOnMainThread() chrome/browser/ui/views/tabs/tab_drag_controller_interactive_uitest.cc:1358:16
    #3 0x5af08119c552 in content::BrowserTestBase::ProxyRunTestOnMainThreadLoop() content/public/test/browser_test_base.cc:941:9
    #4 0x5af08119fb33 in void base::internal::DecayedFunctorTraits<void (content::BrowserTestBase::*)(), content::BrowserTestBase*>::Invoke<void (content::BrowserTestBase::*)(), content::BrowserTestBase*>(void (content::BrowserTestBase::*)(), content::BrowserTestBase*&&) base/functional/bind_internal.h:738:12
    #5 0x5af08119fb33 in void base::internal::InvokeHelper<false, base::internal::FunctorTraits<void (content::BrowserTestBase::*&&)(), content::BrowserTestBase*>, void, 0ul>::MakeItSo<void (content::BrowserTestBase::*)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>>(void (content::BrowserTestBase::*&&)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>&&) base/functional/bind_internal.h:930:12
    #6 0x5af08119fb33 in void base::internal::Invoker<base::internal::FunctorTraits<void (content::BrowserTestBase::*&&)(), content::BrowserTestBase*>, base::internal::BindState<true, true, false, void (content::BrowserTestBase::*)(), base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, void ()>::RunImpl<void (content::BrowserTestBase::*)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, 0ul>(void (content::BrowserTestBase::*&&)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>&&, std::__Cr::integer_sequence<unsigned long, 0ul>) base/functional/bind_internal.h:1067:14
    #7 0x5af08119fb33 in base::internal::Invoker<base::internal::FunctorTraits<void (content::BrowserTestBase::*&&)(), content::BrowserTestBase*>, base::internal::BindState<true, true, false, void (content::BrowserTestBase::*)(), base::internal::UnretainedWrapper<content::BrowserTestBase, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, void ()>::RunOnce(base::internal::BindStateBase*) base/functional/bind_internal.h:980:12
    #8 0x5af075ea1e26 in base::OnceCallback<void ()>::Run() && base/functional/callback.h:156:12
    #9 0x5af075ea1e26 in content::BrowserMainLoop::InterceptMainMessageLoopRun() content/browser/browser_main_loop.cc:1076:36
    #10 0x5af075ea2045 in content::BrowserMainLoop::RunMainMessageLoop() content/browser/browser_main_loop.cc:1088:7
    #11 0x5af075ea97fc in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:159:15
    #12 0x5af075e990c8 in content::BrowserMain(content::MainFunctionParams) content/browser/browser_main.cc:34:28
    #13 0x5af07bbf6eb0 in content::RunBrowserProcessMain(content::MainFunctionParams, content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:708:10
    #14 0x5af07bbfa8da in content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) content/app/content_main_runner_impl.cc:1299:10
    #15 0x5af07bbf9f8e in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:1144:12
    #16 0x5af07bbf4350 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content/app/content_main.cc:333:36
    #17 0x5af07bbf49cb in content::ContentMain(content::ContentMainParams) content/app/content_main.cc:346:10
    #18 0x5af08119a89f in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:608:3
    #19 0x5af07de99347 in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:637:20
    #20 0x5af06cc68f98 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #21 0x5af06cc68f98 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2705:3
    #22 0x5af06cc6b545 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2856:11
    #23 0x5af06cc6d193 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:3034:30
    #24 0x5af06cc92754 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5937:44
    #25 0x5af06cc9179e in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #26 0x5af06cc9179e in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:5516:10
    #27 0x5af082b3bf5b in base::TestSuite::Run() base/test/test_suite.cc:418:16
    #28 0x5af07de22ce4 in ChromeTestSuiteRunner::RunTestSuiteInternal(ChromeTestSuite*) chrome/test/base/chrome_test_launcher.cc:117:22
    #29 0x5af06b308d37 in InteractiveUITestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/interactive_ui_tests_main.cc:139:12
    #30 0x5af08123d39e in content::LaunchTestsInternal(content::TestLauncherDelegate*, unsigned long, int, char**) content/public/test/test_launcher.cc:409:31
    #31 0x5af08123dde4 in content::LaunchTests(content::TestLauncherDelegate*, unsigned long, int, char**) content/public/test/test_launcher.cc:504:10
    #32 0x5af07de236c6 in LaunchChromeTests(unsigned long, content::TestLauncherDelegate*, int, char**) chrome/test/base/chrome_test_launcher.cc:365:10
    #33 0x5af06b308b78 in main chrome/test/base/interactive_ui_tests_main.cc:181:10
    #34 0x783a44c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

0x5060004389b8 is located 0 bytes after 56-byte region [0x506000438980,0x5060004389b8)
allocated by thread T0 (interactive_ui_) here:
    #0 0x5af06a9cc71d in operator new(unsigned long) /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cpp:86:3
    #1 0x5af07f865771 in std::__Cr::__unique_if<TabGroupModel>::__unique_single std::__Cr::make_unique<TabGroupModel, TabGroupController*&>(TabGroupController*&) third_party/libc++/src/include/__memory/unique_ptr.h:621:26
    #2 0x5af07f865771 in TabGroupModelFactory::Create(TabGroupController*) chrome/browser/ui/tabs/tab_strip_model.cc:206:10
    #3 0x5af07f865771 in TabStripModel::TabStripModel(TabStripModelDelegate*, Profile*, TabGroupModelFactory*) chrome/browser/ui/tabs/tab_strip_model.cc:266:41
    #4 0x5af07f6405bd in std::__Cr::__unique_if<TabStripModel>::__unique_single std::__Cr::make_unique<TabStripModel, TabStripModelDelegate*, base::raw_ptr<Profile, (partition_alloc::internal::RawPtrTraits)1> const&, TabGroupModelFactory*>(TabStripModelDelegate*&&, base::raw_ptr<Profile, (partition_alloc::internal::RawPtrTraits)1> const&, TabGroupModelFactory*&&) third_party/libc++/src/include/__memory/unique_ptr.h:621:30
    #5 0x5af07f6405bd in Browser::Browser(Browser::CreateParams const&) chrome/browser/ui/browser.cc:471:24
    #6 0x5af07f63ff38 in Browser::Create(Browser::CreateParams const&) chrome/browser/ui/browser.cc:461:14
    #7 0x5af07f7f9e9b in StartupBrowserCreatorImpl::OpenTabsInBrowser(Browser*, chrome::startup::IsProcessStartup, std::__Cr::vector<StartupTab, std::__Cr::allocator<StartupTab>> const&) chrome/browser/ui/startup/startup_browser_creator_impl.cc:273:15
    #8 0x5af07f7fcec6 in StartupBrowserCreatorImpl::RestoreOrCreateBrowser(std::__Cr::vector<StartupTab, std::__Cr::allocator<StartupTab>> const&, StartupBrowserCreatorImpl::BrowserOpenBehavior, unsigned int, chrome::startup::IsProcessStartup, bool) chrome/browser/ui/startup/startup_browser_creator_impl.cc:683:13
    #9 0x5af07f7f8ed1 in StartupBrowserCreatorImpl::DetermineURLsAndLaunch(chrome::startup::IsProcessStartup, bool) chrome/browser/ui/startup/startup_browser_creator_impl.cc:476:22
    #10 0x5af07f7f7fbc in StartupBrowserCreatorImpl::Launch(Profile*, chrome::startup::IsProcessStartup, std::__Cr::unique_ptr<OldLaunchModeRecorder, std::__Cr::default_delete<OldLaunchModeRecorder>>, bool) chrome/browser/ui/startup/startup_browser_creator_impl.cc:194:7
    #11 0x5af07f7eec2a in StartupBrowserCreator::LaunchBrowser(base::CommandLine const&, Profile*, base::FilePath const&, chrome::startup::IsProcessStartup, chrome::startup::IsFirstRun, std::__Cr::unique_ptr<OldLaunchModeRecorder, std::__Cr::default_delete<OldLaunchModeRecorder>>, bool) chrome/browser/ui/startup/startup_browser_creator.cc:719:9
    #12 0x5af07f7efde2 in StartupBrowserCreator::LaunchBrowserForLastProfiles(base::CommandLine const&, base::FilePath const&, chrome::startup::IsProcessStartup, chrome::startup::IsFirstRun, StartupProfileInfo, std::__Cr::vector<Profile*, std::__Cr::allocator<Profile*>> const&, bool) chrome/browser/ui/startup/startup_browser_creator.cc:799:7
    #13 0x5af07f7ee5e0 in StartupBrowserCreator::ProcessCmdLineImpl(base::CommandLine const&, base::FilePath const&, chrome::startup::IsProcessStartup, StartupProfileInfo, std::__Cr::vector<Profile*, std::__Cr::allocator<Profile*>> const&) chrome/browser/ui/startup/startup_browser_creator.cc:1335:3
    #14 0x5af07f7ec6f3 in StartupBrowserCreator::Start(base::CommandLine const&, base::FilePath const&, StartupProfileInfo, std::__Cr::vector<Profile*, std::__Cr::allocator<Profile*>> const&) chrome/browser/ui/startup/startup_browser_creator.cc:670:10
    #15 0x5af07df60dfb in ChromeBrowserMainParts::PreMainMessageLoopRunImpl() chrome/browser/chrome_browser_main.cc:1774:25
    #16 0x5af07df5f92f in ChromeBrowserMainParts::PreMainMessageLoopRun() chrome/browser/chrome_browser_main.cc:1229:18
    #17 0x5af075e9f4ee in content::BrowserMainLoop::PreMainMessageLoopRun() content/browser/browser_main_loop.cc:1014:28
    #18 0x5af075ea6273 in int base::internal::DecayedFunctorTraits<int (content::BrowserMainLoop::*)(), content::BrowserMainLoop*>::Invoke<int (content::BrowserMainLoop::*)(), content::BrowserMainLoop*>(int (content::BrowserMainLoop::*)(), content::BrowserMainLoop*&&) base/functional/bind_internal.h:738:12
    #19 0x5af075ea6273 in int base::internal::InvokeHelper<false, base::internal::FunctorTraits<int (content::BrowserMainLoop::*&&)(), content::BrowserMainLoop*>, int, 0ul>::MakeItSo<int (content::BrowserMainLoop::*)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>>(int (content::BrowserMainLoop::*&&)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>&&) base/functional/bind_internal.h:930:12
    #20 0x5af075ea6273 in int base::internal::Invoker<base::internal::FunctorTraits<int (content::BrowserMainLoop::*&&)(), content::BrowserMainLoop*>, base::internal::BindState<true, true, false, int (content::BrowserMainLoop::*)(), base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, int ()>::RunImpl<int (content::BrowserMainLoop::*)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, 0ul>(int (content::BrowserMainLoop::*&&)(), std::__Cr::tuple<base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>&&, std::__Cr::integer_sequence<unsigned long, 0ul>) base/functional/bind_internal.h:1067:14
    #21 0x5af075ea6273 in base::internal::Invoker<base::internal::FunctorTraits<int (content::BrowserMainLoop::*&&)(), content::BrowserMainLoop*>, base::internal::BindState<true, true, false, int (content::BrowserMainLoop::*)(), base::internal::UnretainedWrapper<content::BrowserMainLoop, base::unretained_traits::MayNotDangle, (partition_alloc::internal::RawPtrTraits)0>>, int ()>::RunOnce(base::internal::BindStateBase*) base/functional/bind_internal.h:980:12
    #22 0x5af07764e0d9 in base::OnceCallback<int ()>::Run() && base/functional/callback.h:156:12
    #23 0x5af07764e0d9 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:42:29
    #24 0x5af075e9e5b0 in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:917:25
    #25 0x5af075ea8eea in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams) content/browser/browser_main_runner_impl.cc:140:15
    #26 0x5af075e9902f in content::BrowserMain(content::MainFunctionParams) content/browser/browser_main.cc:30:32
    #27 0x5af07bbf6eb0 in content::RunBrowserProcessMain(content::MainFunctionParams, content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:708:10
    #28 0x5af07bbfa8da in content::ContentMainRunnerImpl::RunBrowser(content::MainFunctionParams, bool) content/app/content_main_runner_impl.cc:1299:10
    #29 0x5af07bbf9f8e in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:1144:12
    #30 0x5af07bbf4350 in content::RunContentProcess(content::ContentMainParams, content::ContentMainRunner*) content/app/content_main.cc:333:36
    #31 0x5af07bbf49cb in content::ContentMain(content::ContentMainParams) content/app/content_main.cc:346:10
    #32 0x5af08119a89f in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:608:3
    #33 0x5af07de99347 in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:637:20
    #34 0x5af06cc68f98 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) third_party/googletest/src/googletest/src/gtest.cc
    #35 0x5af06cc68f98 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2705:3
    #36 0x5af06cc6b545 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2856:11
    #37 0x5af06cc6d193 in testing::TestSuite::Run() third_party/googletest/src/googletest/src/gtest.cc:3034:30

SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/libc++/src/include/__memory/unique_ptr.h:260:101 in std::__Cr::unique_ptr<TabGroup, std::__Cr::default_delete<TabGroup>>::get() const
Shadow bytes around the buggy address:
  0x506000438700: fd fd fd fd fa fa f7 fa fd fd fd fd fd fd fd fd
  0x506000438780: fa fa f7 fa fd fd fd fd fd fd fd fd fa fa f7 fa
  0x506000438800: fd fd fd fd fd fd fd fa fa fa f7 fa 00 00 00 00
  0x506000438880: 00 00 00 00 fa fa f7 fa 00 00 00 00 00 00 00 00
  0x506000438900: fa fa f7 fa 00 00 00 00 00 00 00 00 fa fa f7 fa
=>0x506000438980: 00 00 00 00 00 00 00[fa]fa fa f7 fa 00 00 00 00
  0x506000438a00: 00 00 00 fa fa fa f7 fa 00 00 00 00 00 00 00 fa
  0x506000438a80: fa fa f7 fa 00 00 00 00 00 00 00 fa fa fa f7 fa
  0x506000438b00: 00 00 00 00 00 00 00 fa fa fa f7 fa 00 00 00 00
  0x506000438b80: 00 00 00 00 fa fa f7 fa 00 00 00 00 00 00 00 fa
  0x506000438c00: fa fa f7 fa 00 00 00 00 00 00 00 fa fa fa f7 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

==381004==ADDITIONAL INFO

==381004==Note: Please include this section with the ASan report.
Task trace:


==381004==END OF ADDITIONAL INFO
==381004==ABORTING
[4/4] TabDragging/DetachToBrowserTabDragControllerTest.WaylandDragUAF/3 (CRASHED)